Forum Discussion

AlexS_yb's avatar
AlexS_yb
Icon for Cirrocumulus rankCirrocumulus
Nov 28, 2022

F5 SSO - OAuth with SAML - how to preserve the original protect URL

Hi So I have login -> This is my login server - I have APM protecting it auth -> this is my oauth server it talks to login to get login its a saml call Lets say I have https://uat/<some protecte...
APM SSO SAML OAuth
security
Nikoolayy1's avatar
Nikoolayy1
Icon for MVP rankMVP
Nov 28, 2022

I admit I do not follow the text as the way you have written it is not very clear at least for me and maybe a picture can help. About sharing session variables can't you insert a session variable an an HTTP header between the F5 devices?

 

https://support.f5.com/csp/article/K74392192

 

 

Also for Oauth just you can use F5 Oauth SSO in "Passthrough" with a JWT token if possible and I think you are not using the F5 devices as Authorization servers and the first f5 APM is Oauth Client/Resource Server then you can make the second F5 with the SAML just resource server and use the info in the token.

 

https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/big-ip-access-policy-manager-single-sign-on-concepts-configuration-14-1-0/04.html

 

https://support.f5.com/csp/article/K42333110

 

If I got it wrong and the F5 APM is authorization server with claims and JWT Access token you can share info like session variables between the F5 APM AS and the F5 that is Client/Resource server.

 

https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-oauth-configuration/using-apm-as-an-oauth-2-server.html

If the customer first accesses the first F5 APM oauth device and then the customer accesses the second F5 SAML device with Browser URL redirection you may need to share the session varibles by inserting them in a cookie and then reading from them.

 

https://clouddocs.f5.com/api/irules/HTTP__cookie.html

https://community.f5.com/t5/technical-forum/assign-cookie-value-to-apm-custom-variable/td-p/292298

 

Still why you are using Oauth and SAML is strange as Oauth can do anything SAML can do but better with the authorization codes that Oauth uses and for now there is no way to exchange SAML token for an Oauth or vice versa or to use the same token for SAML and Oauth to make life easier 😀

 

  • AlexS_yb's avatar
    AlexS_yb
    Icon for Cirrocumulus rankCirrocumulus
    Nov 28, 2022

    Hi

     

    Thanks for the input, see if i can try again

    https://uat/some/protected/url << APM policy that use oauth client - client/resource

    If I don't have a APM session the first response is a 302 to /my.policy

    I don't get to run any code - how do I insert a cookie at this stage don't think i can ?

    https://uat/my.policy does the redirect to https://auth/someOAuth URL    (<< this is the oauth server ) it doesn't know what the original URL was.

     

     

     

     

    • Nikoolayy1's avatar
      Nikoolayy1
      Icon for MVP rankMVP
      Dec 01, 2022

      About the cookie it is in the links I shared with you that you can take a look at 🙂

       

      Stange from what I have seen after you are returned from the Azure AD you get the url you tried to open.  The issue you mentioned I have only when playing for example with the https://petstore.swagger.io/ as a pool member test app as to when I do not send a specific correct request the F5 APM just can't fetch the page. The issue was resolved when I attached URI rewrite profile so that when I send the http traffic to the pool members to change the URI to the real one that that the pool members use so I do not see this issue as it is normal when F5 can't resolve the HTTP request will the backend servers to give you a hint like in my case it was""" xxxx/oauth/login.jsp """  and the below message.

       

       

      Outside of that it could be a bug so I am on 16.1.3.2 so upgrade to it or you may try URI redirec in the policy as the your landing URI is saved to variable session.server.landinguri , so you may to use something like the link below or an iRule  as given in the next Links to "get" the session variable and then to use it for an redirect event.

       

      https://community.f5.com/t5/technical-forum/landing-uri-irule-http-redirection/td-p/34919

       

      https://clouddocs.f5.com/api/irules/ACCESS_POLICY_COMPLETED.html

       

      https://clouddocs.f5.com/api/irules/ACCESS__session.html

       

      That are all my ideas.

      • AlexS_yb's avatar
        AlexS_yb
        Icon for Cirrocumulus rankCirrocumulus
        Dec 01, 2022

        Hi

         

        Think I haven't explained to well.

        Setting a cookie on a APM call. why I asked about this is because of the interaction between irules and APM, I can set it on http_request but that just sets it to the back end pool. I thnk I need to set it on http_response - how does that work on APM calls

         

        Not sure where azule AD came up. All components are on F5 - different boxes

        SAML login -> https://login.local

        OAUTH server -> https://auth.local

        resource server -> https://resource.local

        The protected URL

        https://resource.local/protectedURL 

        APM for VS that has https://resource.local protects the url with an OAuth client (VPE). then does the redirect. At this point the original URL is lost - its not part of the URL and it hasn't been saved as a URL.

         

        I guess because I have lots of landing places for OAUTH I can't use client id and post back.

         

        I notice a lot of other SSO's append the destiation URL to the url so

        https://resource.local/protectedURL  would turn into https://resource.local/login/protectedURL 

        and maybe https://auth.local/login/https://resource.local/protectedURL 

        presumably with url encode.