Forum Discussion

  • youssef1's avatar
    youssef1
    Icon for Cumulonimbus rankCumulonimbus
    Sep 16, 2019

    Hi,

     

    you simply create an assign variable before the end of your VPE and you set it as follows:

     

    You can do IT manually, this means that whatever the user enters as URL, he will be redirected to the desired URL at the end of the authentication process.

     

    Custom variables:

    session.policy.result.redirect.url

     

    custom Expression:

    return "/myurl/"

     

    otherwise the APM does it automatically. with the landing URI.

    keep me in touch if you need more details. and if I answer to your need.

    regards

  • mohammed1's avatar
    mohammed1
    Icon for Nimbostratus rankNimbostratus
    Sep 16, 2019

    Thank you for your fast response.

     

    This is our expected behavior:

    • An internal application generates a link to an internal ressource (e.g. a downloadable PDF, etc.) and sends it by email to various recepients.
    • From the internet, when the user follows the recieved link, and is promted to authenticate via APM.
    • After successful authentication, the user needs to see the intended ressource. I.e. download the PDF.

     

    Current behaviror:

    • After successful authentication, the user is redirected to the homepage of the web app. He needs extra navigation steps to get to the desired resource.
  • Sajid's avatar
    Sajid
    Icon for Cirrostratus rankCirrostratus
    Sep 16, 2019

    Hi Mohammed,

     

    Yes, I have achieved this for ezproxy (SaaS) application with SAML.

     

    You need irule for landinguri

     

    when ACCESS_POLICY_COMPLETED {

      switch -glob [string tolower [ACCESS::session data get session.server.landinguri]] {

      

     

    ***************************************************************************

    1. when HTTP_REQUEST {
    2. if { ( [HTTP::cookie exists MRHSession] ) and not ( [ACCESS::session exists -state_allow [HTTP::cookie value MRHSession]] ) } {
    3. if { ( [HTTP::uri] ne [ACCESS::session data get session.server.landinguri] ) and not ( [ACCESS::session data get session.server.landinguri] eq "" ) } {
    4. HTTP::redirect [ACCESS::session data get session.server.landinguri]
    5. }
    6. }
    7. }

    from: https://devcentral.f5.com/s/question/0D51T00006i7PLA/access-policy-evaluation-is-already-in-progress-for-your-current-session

     

    https://clouddocs.f5.com/api/irules/ACCESS_POLICY_COMPLETED.html

     

    K91940158: How to auto-launch SAML SP resources

     

    https://support.f5.com/csp/article/K91940158

     

  • youssef1's avatar
    youssef1
    Icon for Cumulonimbus rankCumulonimbus
    Sep 16, 2019

    Hi,

    You have a strange behaviour.

    By design, APM redirect the user to the session.server.landinguri after APM policy completed.

    The session.server.landinguri is filled with the very first request the user do to your application. So, this var should be good for your need.

    Can you test this irule by the way:

    when ACCESS_POLICY_COMPLETED {
  set mylandinguri [ACCESS::session data get "session.server.landinguri"]
  ACCESS::respond 302 "Location" "$mylandinguri" "Connection" "Close"
}

    It will respond to your need.

    regards

    • Nikoolayy1's avatar
      Nikoolayy1
      Icon for MVP rankMVP
      Jun 30, 2023

      Have you tested this irule as on 16.1.3.5 this breaks the web page and there are TCL errors? I think that ACCESS:respond works well to return a custom page if the auth fails or the access policy is successfull but not for redirection.