Forum Discussion

Marvin's avatar
Marvin
Icon for Cirrocumulus rankCirrocumulus
Oct 27, 2021

Multiple SAML SP access profile MRH cookie issue

Dear all,

 

I am trying to configure the F5 Big IP as both SP and IDP using seperate access profiles configured on scope level profile (isolated). The IDP will then assure the SSO across all the SP applications, this is already working in version 15.1.3 but in version 16.0/16.1 the MRH cookie behavior seems to have changed.

 

 

 

 

All SP share the same parent domain, the difference between 15.1 and 16 is the following:

 

In version 15.1 for each domain name a specific cookie is created and F5 does not include the domain option in the response, on the clientside we see specific cookie entries for the complete domain with the respective MRH cookie.

when connection to /my.policy the F5 responds with the MRH session cookie witout domain so the browser saves it as the specific host name / domain.

 

In version 16 APM is responding with a wildcard domain *.example.com this results in issues when connection to the same domain for example idp.example.com the client sends the old MRH cookie and APM session are restarted/deleted.

 

Is there a fix so that the per specific domain can be maintained when using SAML auth in access profiles? Perhaps an Irule that will remove the domain in response?

  • Marvin's avatar
    Marvin
    Icon for Cirrocumulus rankCirrocumulus

    Good comparison is domain cookie (domain in cookie response v16) vs host cookie (full host name in v15.1 no domain specified)

     

    https://medium.com/datamindedbe/a-summary-of-cookies-645beed9fd9

     

    Host-only cookies match domains that exactly correspond with the domain attribute of the cookie. When setting cookies server-side, host-only is the default in the sense that cookies are host-only unless you specify a cookie’s Domain-attribute; the domain of such cookies is derived from the Host request header. (typically the behavior in vesrion 15.1 and not in 16)

    • Marvin's avatar
      Marvin
      Icon for Cirrocumulus rankCirrocumulus

      it seems that if the access profile was configured with the domain value in SSO and later removed it will still be working on domain level (*.example.com), to solve this remove the access profile and recreate it then by default it is host cookie (weird but truth)