Forum Discussion
Preserving Session Variables after a redirect
Hi All,
I have a LAB BIG-IP (11.6) set up which has the following: 2 Virtual servers, 2 access policies.
The BIG-IP is being used as a perimeter device and allows external access to our network. Both my virtual servers have externally accessible IP addresses.
One of the virtual servers is used to load balance and front-end a Citrix farm. This works great as long as we log in to the virtual server directly. Users are directed to the Citrix Web Interface server, and are presented with their applications and everything works the way it should, SSO works, applications launch, everything is great.
The problem is that I would like to not have the requirement for people to log directly into the virtual server for Citrix. We have a primary external facing interface and we just want people to log into that, and then get redirected to the Citrix Virtual server if they are in certain AD groups or if their machines fail certain client configuration checks. The idea here is to hand out one external url to all our users and then have them be redirected based on AD queries and machine checks.
My main access policy (tied to the preferred external facing Virtual Server) does an "allow and redirect" if a person is in a particular AD Group or meets other requirements. This works fine and passes the user directly to the Citrix virtual server if the results of the queries and client checks warrant that they only be allowed Citrix (as opposed to full VPN access).
My problem is that once I do the redirect, all the session variables from the initial logon are lost and the users need to re-authenticate either on the Citrix virtual server, or at the Web Interface. We don’t want this to happen; we are trying to keep SSO working.
I have tried simply doing an RDP resource for the Citrix users, but it is fairly awkward and doesn’t seem to work very well.
So (after all that) here are my questions:
- Is there any way to keep session variables such as "Session.Logon.Last.Username" and "session.logon.last.password" active after a re-direct?
- If that's not possible, is there a way to create custom variables containing the values of the "Session.Logon.Last.Username" and "session.logon.last.password" variables and have those custom variables persist after the redirect?
Thanks in advance for reading this and attempting to answer.
Also, if you need to see my access policies or any other configurations of my lab config I’ll post them here on request.
-John
5 Replies
- Nobby_67786
Nimbostratus
Hi John,
The best way to do this would be to setup SAML federation between your VIPs & Access Policies. Configure your primary access policy to act as an IDP and all your others to be SP's. If you've got variables you capture like (username & password) you can pass them as attributes in the SAML payload. The great thing about that solution is that your VIPs don't even need to be on the same device so if you needed to scale or distribute services your authentication architecture will already support it.
Hope this helps point you in the right direction.
- Nobby
- John_T__Morgan_
Nimbostratus
Hi Nobby, would I still need to do an "Allow and Redirect" or would there be a better method than that?
-John
- Nobby_67786
Nimbostratus
So you have several options.
- If the user you're authenticating only has access to one app/service (which you might determine via AD groups for example) then you could have an ending Redirect action and send them just to that service. The act of redirecting the user to the app would then generate an SP initiated SAML transaction which would actually redirect the user back to the first VIP (to get the SAML assertion) and as the user is already authenticated, APM would just hand them the assertion and direct them back to the app.
- You also have the option to present the user a webtop with links to apps they have access to. In this scenario the links can include SAML resources for which APM can generate an IDP initiated assertion (no bouncing around between VIPs).
Either way works, and the extra redirects aren't so noticeable unless you've got massively latent links (like satellite). I'm based in Australia and the ~200ms from here to Seattle where lots of my APM sessions terminated didn't cause any significant delays even for SP initiated sessions.
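The SP initiated exchange Nobby describes, as a toy model added here (not F5 APM code, and not from this thread): the primary VIP plays the IdP and keeps the session from the one interactive logon, the Citrix VIP plays the SP, and the variables the original post wants to survive the redirect travel as attributes inside an assertion instead of as session state. Real SAML exchanges signed XML over HTTP redirects; this model uses an HMAC-signed JSON payload and direct Python calls so the control flow is easy to follow. The entity IDs, shared key, sample user "jmorgan" and group name are all constructed for the example.

```python
"""Toy model of SP-initiated federation between two access policies (added
illustration, not F5 APM code). Flow: the SP issues an AuthnRequest, the IdP
that already holds the user's session answers with an assertion carrying the
session variables as attributes, and the SP validates it and opens its own
session without a second login."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed values; none come from the thread's configuration.
IDP_ENTITY_ID = "https://vpn.example.com/idp"    # primary external VIP
SP_ENTITY_ID = "https://citrix.example.com/sp"   # Citrix front-end VIP
SHARED_KEY = b"demo-only-key"  # simplification: HMAC in place of XML signatures


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Primary access policy acting as IdP; it owns the user's session."""
    def __init__(self, entity_id, key):
        self.entity_id, self._key, self._sessions = entity_id, key, {}

    def login(self, username, groups):
        """Interactive logon on the primary VIP; returns the IdP session cookie."""
        cookie = secrets.token_urlsafe(16)
        self._sessions[cookie] = {"username": username, "groups": list(groups)}
        return cookie

    def handle_authn_request(self, idp_cookie, request, now):
        """The browser comes back with the SP's AuthnRequest and its IdP cookie:
        no re-authentication, just an assertion minted from the stored session."""
        session = self._sessions.get(idp_cookie)
        if session is None:
            raise PermissionError("no IdP session: user would be asked to log in")
        assertion = {
            "issuer": self.entity_id,
            "audience": request["issuer"],
            "in_response_to": request["id"],
            "not_before": now - 30,
            "not_on_or_after": now + 300,
            "attributes": {"username": session["username"], "groups": session["groups"]},
        }
        payload = json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()
        signature = hmac.new(self._key, payload, hashlib.sha256).digest()
        return f"{_b64(payload)}.{_b64(signature)}"


class ServiceProvider:
    """Citrix-facing access policy acting as SP."""
    def __init__(self, entity_id, idp_entity_id, key):
        self.entity_id, self.idp_entity_id, self._key = entity_id, idp_entity_id, key
        self._pending = {}  # outstanding AuthnRequest ids -> issue time
        self.sessions = {}  # SP session cookie -> attributes taken from the assertion

    def start_sso(self, now):
        """An unauthenticated user reaches the SP: build the AuthnRequest to redirect with."""
        request = {"id": secrets.token_urlsafe(16), "issuer": self.entity_id}
        self._pending[request["id"]] = now
        return request

    def consume_assertion(self, token, now):
        """Check signature, issuer, audience, request binding and validity window,
        then open the SP session. Popping the request id also blocks replay."""
        payload_b64, signature_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(signature_b64)):
            raise ValueError("signature check failed")
        assertion = json.loads(payload)
        if assertion["issuer"] != self.idp_entity_id:
            raise ValueError("assertion from an untrusted issuer")
        if assertion["audience"] != self.entity_id:
            raise ValueError("assertion issued for a different SP")
        if self._pending.pop(assertion["in_response_to"], None) is None:
            raise ValueError("unsolicited or replayed response")
        if not assertion["not_before"] <= now < assertion["not_on_or_after"]:
            raise ValueError("assertion outside its validity window")
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = assertion["attributes"]
        return cookie


def sp_initiated_sso(username="jmorgan", groups=("Citrix-Users",)):
    """One complete exchange; returns the attributes the SP session ends up with."""
    now = int(time.time())
    idp = IdentityProvider(IDP_ENTITY_ID, SHARED_KEY)
    sp = ServiceProvider(SP_ENTITY_ID, IDP_ENTITY_ID, SHARED_KEY)
    idp_cookie = idp.login(username, groups)                    # 1. single logon on primary VIP
    request = sp.start_sso(now)                                 # 2. redirect lands on SP, no session
    token = idp.handle_authn_request(idp_cookie, request, now)  # 3. back to IdP, cookie present
    sp_cookie = sp.consume_assertion(token, now)                # 4. SP session built from assertion
    return sp.sessions[sp_cookie]


if __name__ == "__main__":
    print(json.dumps(sp_initiated_sso(), indent=2))
```

The point the model makes is that nothing about the user's session has to cross between the two virtual servers: the second VIP never sees the first VIP's session variables, it sees an assertion whose audience, issuer, request binding and validity window it checks before creating a session of its own. The same checks are what make the extra redirect safe against a stray or replayed response, and they are the same whether the two policies sit on one box or on separate devices, as Nobby's earlier reply points out.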
- John_T__Morgan_
Nimbostratus
Thank you.
That sounds like an excellent solution.
Now I just have to familiarize myself with saml. :-)
I'll try tomorrow and report back.
-John
- Walter_Kacynski
Cirrostratus
Are you doing a redirect with close session or a redirect with allow?