Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

sricharan61's avatar
sricharan61
Icon for Cirrus rankCirrus
Feb 26, 2020

how to combine two irules and trigger the latter only when the first does not

I have two irules, one to do user id injection( for an IDP auth user using our access policy ) and the other one to do a logout-call to the IDP server.       Now, the requirement is to do user in...
application delivery
BIG-IP Access Policy Manager (APM)
if
LTM
set
NAG's avatar
NAG
Icon for Cirrostratus rankCirrostratus
Feb 26, 2020

Hi

You cannot choose between iRules applied to a Virtual Server as they are executed based on the events.

 

As you are using the event HTTP_REQUEST event in both the rules, I have combined them into one iRule used if and and else logic. Code in the last else block is run only if first two conditions dint match

when HTTP_REQUEST {
 
set tid [ACCESS::session data get "session.oauth.jwt.payload.last.tid"]
 
	if { [HTTP::uri] contains "/logout-apm" and $tid contains "xxxxxxx-xxxxxx-xxxx-xxxxxxxxxxxxxx"} {
			if { [HTTP::uri] contains "post_logout_redirect_uri" } {
				set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]
				# log local0. "Logout Value: $postLogoutValue - Redirect Uri: https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
				HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
			} else {
				# log local0. "logout uri not contains post_logout_redirect_uri parameter"
 
				HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
 
			}
 
	} elseif  { [HTTP::uri] contains "/logout-apm" and $tid contains "yyyyyyy-yyyyy-yyyy-yyyyyyyyyyyyyyyy"} {
 
			if { [HTTP::uri] contains "post_logout_redirect_uri" } {
					set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]
					# log local0. "Logout Value: $postLogoutValue - Redirect Uri: https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
					HTTP::redirect "https://login-test.wecenergygroup.com/yyyyyyy-yyyyy-yyyy-yyyyyyyyyyyyyyyy/oauth2/v2.0/logout?p=b2c_1a_ya_signup_signin&amp&post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
			} else {
					# log local0. "logout uri not contains post_logout_redirect_uri parameter"
					HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
			}
	} else {
		#If already exists ,consider it malicious attempt and remove the headers
		HTTP::header remove F5-auth-User-Id
		HTTP::header remove F5-auth-Tenant-Id
		#set variables from access policy and insert headers to send to backend
		set OID [ACCESS::session data get "session.oauth.jwt.payload.last.oid"]
		set TID [ACCESS::session data get "session.oauth.jwt.payload.last.tid"]
		set user2 [ACCESS::session data get "session.oauth.scope./Common/pps_act_oauth_scope_1_ag.UserInfo.email"]
		set uri [string tolower [HTTP::uri]]
		HTTP::header insert "F5-auth-User-Id" $OID
		HTTP::header insert "F5-auth-OID" $OID
		HTTP::header insert "F5-auth-Tenant-Id" $TID
		HTTP::header insert "F5-auth-User-email" $user2
		log local0. "$OID: [HTTP::header value $OID]"
		log local0. "$TID: [HTTP::header value $TID]"
		log local0. "$user2: [HTTP::header value $user2]"
		log local0. "LOG INFO: $OID"
		log local0. "LOG INFO2: $TID"
		log local0. "LOG INFO3: $user2"
	}
	
}

Hope this helps,

Nag