Forum Discussion

alex100_194614's avatar
alex100_194614
Icon for Nimbostratus rankNimbostratus
Mar 03, 2016

Problem with stream iRule and SAML idp redirect

Running into following issue here. We have a sharepoint site with web servers listening on some high port and using internal hostname. On the SharePoint virtual server I am applying fallowing iRule t...
application delivery
BIG-IP Access Policy Manager (APM)
irule
saml
SSO
  • Andrew_4752's avatar
    Andrew_4752
    Mar 03, 2016

    Hi Alex,

    For for the VIP targeting VIP solution to get around APM-Stream Profile conflicts, below is a basic view of what the config would look like:

    ltm virtual vs_external {
destination 1.1.1.1:443
ip-protocol tcp
mask 255.255.255.255
profiles {
    clientssl_profile {
        context clientside
    }
    stream_profile { }
    http { }
    tcp { }
}
rules {
    forward_internal_virtual
    saml_stream_expression
  }
}
ltm virtual vs_internal {
destination 2.2.2.2:80
enabled
ip-protocol tcp
mask 255.255.255.255
profiles {
    example_accesspolicy { }
    http { }
    rba { }
    tcp { }
    websso { }
}
}
ltm rule forward_internal_virtual {
when HTTP_REQUEST {
virtual vs_internal
}
}
AP's avatar
AP
Icon for Nimbostratus rankNimbostratus
Mar 03, 2016
Hi Alex, So, does this same Virtual Server that you have applied the above iRule to also have an APM Policy with an SP Resource (SAML Auth)? A few points in the meantime, although I can't say that they will solve your issue. The 404 error sounds like your requesting an invalid resource/uri. Have you performed any captures? I notice you're using HTTP_REQUEST_RELEASE. I think you also need to use HTTP_RESPONSE_RELEASE with APM instead of HTTP_RESPONSE. I've had varying results when using Stream Profiles on Virtual Servers with APM as a SAML IDP or SP. Have you noticed any errors in the logs? In those cases I had to create an external VS with the Stream Profile and target another VS with the APM Policy.