Forum Discussion
F5 APM: specific (not all) SAML SP-initiated connections fail, causing iRule execution failure and TCP reset, with F5 version 12.1.2 HF1
Hi Daniel,
I have tried the iRule below, but it throws an error when trying to initiate a session, both IdP-initiated and SP-initiated.
```tcl
when RULE_INIT {
    # Change to "1" to enable debugging log statements, 0 to disable
    set static::debug_IDP 1
}

# HTTP Request used to provide IdP Initiated SAML for users that have logged in
when HTTP_REQUEST priority 30 {
    if { "[ACCESS::session exists -{state_allow|-state_deny|-state_redirect|-state_inprogress} -sid]" } {
        switch -glob [string tolower [HTTP::path]] {
            "/staples*" {
                if { $static::debug_IDP } { log local0. "HTTP_REQUEST: Setting SAML start uri to staples" }
                HTTP::respond 302 Location "/saml/idp/res?id=/Common/Staples_IDP"
                return
            }
            "/concur*" {
                if { $static::debug_IDP } { log local0. "HTTP_REQUEST: Setting SAML start uri to concur" }
                HTTP::respond 302 Location "/saml/idp/res?id=/Common/Concur_IDP"
                return
            }
            "/healthfitness*" {
                if { $static::debug_IDP } { log local0. "HTTP_REQUEST: Setting SAML start uri to healthfitness" }
                HTTP::respond 302 Location "/saml/idp/res?id=/Common/HealthFitness_IDP"
                return
            }
        }
    }
}

# ACCESS Policy Response used to provide IdP Initiated SAML for users that have not logged in yet
when ACCESS_POLICY_COMPLETED priority 30 {
    switch -glob [string tolower [ACCESS::session data get session.server.landinguri]] {
        "/staples*" {
            if { $static::debug_IDP } { log local0. "ACCESS_POLICY_COMPLETED: Setting SAML start uri to staples" }
            ACCESS::respond 302 Location "/saml/idp/res?id=/Common/Staples_IDP"
            return
        }
        "/concur*" {
            if { $static::debug_IDP } { log local0. "ACCESS_POLICY_COMPLETED: Setting SAML start uri to concur" }
            ACCESS::respond 302 Location "/saml/idp/res?id=/Common/Concur_IDP"
            return
        }
        "/healthfitness*" {
            if { $static::debug_IDP } { log local0. "ACCESS_POLICY_COMPLETED: Setting SAML start uri to healthfitness" }
            ACCESS::respond 302 Location "/saml/idp/res?id=/Common/HealthFitness_IDP"
            return
        }
    }
}
```
Error:
Jul 6 08:44:51 slot1/FDYEXLB01 err tmm[22774]: 01220001:3: TCL error: /Common/SAML_IDP_V4 - wrong args: should be "ACCESS::session exists [ -state_allow | -state_deny | -state_redirect | -state_inprogress ] [[-sid] ] " while executing "ACCESS::session exists -{state_allow|-state_deny|-state_redirect|-state_inprogress} -sid"
Jul 6 08:44:51 slot1/FDYEXLB01 err tmm[22774]: 01220001:3: TCL error: /Common/SAML_IDP_V4 - wrong args: should be "ACCESS::session exists [ -state_allow | -state_deny | -state_redirect | -state_inprogress ] [[-sid] ] " while executing "ACCESS::session exists -{state_allow|-state_deny|-state_redirect|-state_inprogress} -sid"
Jul 6 08:44:51 slot1/FDYEXLB01 err tmm[22774]: 01220001:3: TCL error: /Common/SAML_IDP_V4 - wrong args: should be "ACCESS::session exists [ -state_allow | -state_deny | -state_redirect | -state_inprogress ] [[-sid] ] " while executing "ACCESS::session exists -{state_allow|-state_deny|-state_redirect|-state_inprogress} -sid"
Jul 6 08:44:51 slot1/FDYEXLB01 err tmm1[22774]: 01220001:3: TCL error: /Common/SAML_IDP_V4 - wrong args: should be "ACCESS::session exists [ -state_allow | -state_deny | -state_redirect | -state_inprogress ] [[-sid] ] " while executing "ACCESS::session exists -{state_allow|-state_deny|-state_redirect|-state_inprogress} -sid"
Jul 6 08:44:51 slot1/FDYEXLB01 err tmm[22774]: 01220001:3: TCL error: /Common/SAML_IDP_V4 - wrong args: should be "ACCESS::session exists [ -state_allow | -state_deny | -state_redirect | -state_inprogress ] [[-sid] ] " while executing "ACCESS::session exists -{state_allow|-state_deny|-state_redirect|-state_inprogress} -sid"
Jul 6 08:44:51 slot1/FDYEXLB01 err tmm1[22774]: 01220001:3: TCL error: /Common/SAML_IDP_V4 - wrong args: should be "ACCESS::session exists [ -state_allow | -state_deny | -state_redirect | -state_inprogress ] [[-sid] ] " while executing "ACCESS::session exists -{state_allow|-state_deny|-state_redirect|-state_inprogress} -sid"
Jul 6 08:44:51 slot1/FDYEXLB01 err tmm2[22774]: 01220001:3: TCL error: /Common/SAML_IDP_V4 - wrong args: should be "ACCESS::session exists [ -state_allow | -state_deny | -state_redirect | -state_inprogress ] [[-sid] ] " while executing "ACCESS::session exists -{state_allow|-state_deny|-state_redirect|-state_inprogress} -sid"
Jul 6 08:44:51 slot1/FDYEXLB01 err tmm2[22774]: 01220001:3: TCL error: /Common/SAML_IDP_V4 - wrong args: should be "ACCESS::session exists [ -state_allow | -state_deny | -state_redirect | -state_inprogress ] [[-sid] ] " while executing "ACCESS::session exists -{state_allow|-state_deny|-state_redirect|-state_inprogress} -sid"
Jul 6 08:44:52 slot1/FDYEXLB01 err tmm3[22774]: 01220001:3: TCL error: /Common/SAML_IDP_V4 - wrong args: should be "ACCESS::session exists [ -state_allow | -state_deny | -state_redirect | -state_inprogress ] [[-sid] ] " while executing "ACCESS::session exists -{state_allow|-state_deny|-state_redirect|-state_inprogress} -sid"
Jul 6 08:44:52 slot1/FDYEXLB01 err tmm2[22774]: 01220001:3: TCL error: /Common/SAML_IDP_V4 - wrong args: should be "ACCESS::session exists [ -state_allow | -state_deny | -state_redirect | -state_inprogress ] [[-sid] ] " while executing "ACCESS::session exists -{state_allow|-state_deny|-state_redirect|-state_inprogress} -sid"
Please let me know if I missed something. Please help here, and also make sure that the existing iRule works for all IdP-initiated and SP-initiated connections; only one SP-initiated connection is getting dropped due to the iRule.
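The "wrong args" error above is the literal usage string being passed as an argument: `-{state_allow|-state_deny|-state_redirect|-state_inprogress} -sid` is the syntax summary from the documentation, not a valid flag. As the log's own usage line says, `ACCESS::session exists` takes one state flag and, optionally, `-sid` followed by a session id. Below is an added, corrected version of the same iRule (written for this edit, not the poster's code and not an F5-supplied iRule). It keeps the three IdP service names and paths from the post, reads the session id from APM's `MRHSession` cookie, and folds the three path-to-IdP cases into one iRule `proc` so both events share the same table. The assumption that SP-initiated SAML requests never arrive on the `/staples`, `/concur` or `/healthfitness` paths is mine; with an explicit `default` arm, any other path simply falls through untouched instead of hitting the switch with no match.

```tcl
when RULE_INIT {
    # Change to "1" to enable debugging log statements, 0 to disable
    set static::debug_IDP 1
}

# Map a request path (or APM landing URI) to the SAML IdP service object
# that should start the IdP-initiated flow. Returns "" when the path is
# not one of the vanity entry points, so callers can fall through.
# Object names are taken from the original post.
proc idp_for_path { path } {
    switch -glob [string tolower $path] {
        "/staples*"       { return "/Common/Staples_IDP" }
        "/concur*"        { return "/Common/Concur_IDP" }
        "/healthfitness*" { return "/Common/HealthFitness_IDP" }
        default           { return "" }
    }
}

# Users who already hold an APM session.
# ACCESS::session exists accepts ONE state flag, then optionally "-sid <id>".
# The session id comes from the MRHSession cookie; with no cookie there is
# no session to test, so skip the lookup rather than pass an empty id.
when HTTP_REQUEST priority 30 {
    if { ![HTTP::cookie exists MRHSession] } { return }
    if { ![ACCESS::session exists -state_allow -sid [HTTP::cookie MRHSession]] } { return }

    set idp [call idp_for_path [HTTP::path]]
    if { $idp ne "" } {
        if { $static::debug_IDP } { log local0. "HTTP_REQUEST: Setting SAML start uri to $idp" }
        HTTP::respond 302 Location "/saml/idp/res?id=$idp"
        return
    }
    # Any other path (assumed to include SP-initiated requests arriving at
    # the IdP's own SSO endpoint) is not touched by this iRule.
}

# Users who have not logged in yet: the landing URI was recorded when the
# access policy started, so redirect once the policy completes.
when ACCESS_POLICY_COMPLETED priority 30 {
    set idp [call idp_for_path [ACCESS::session data get session.server.landinguri]]
    if { $idp ne "" } {
        if { $static::debug_IDP } { log local0. "ACCESS_POLICY_COMPLETED: Setting SAML start uri to $idp" }
        ACCESS::respond 302 Location "/saml/idp/res?id=$idp"
    }
    # Unmatched landing URIs, including SP-initiated flows, fall through.
}
```

One check worth doing before trusting this on the SP-initiated side: with `static::debug_IDP` set to 1, request the failing SP-initiated URL once and confirm that neither `HTTP_REQUEST:` nor `ACCESS_POLICY_COMPLETED:` lines appear in `/var/log/ltm` for that session. If they do, the SP's path is matching one of the `-glob` patterns and the redirect, not the command syntax, is what is breaking that one connection.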