Forum Discussion

fabiblack_18546's avatar
fabiblack_18546
Icon for Nimbostratus rankNimbostratus
Feb 05, 2015

Race Condition in SSO Logon Page

Hey there,

I have a big problem with one of our ASPX Web Apps and the F5 SSO. I cant get it to work properly, i have 3 possible outcomes that happen at random and I don't know how to solve this mess...

Case1: User types Credentials into Logon Page-> 2 URL Changes and everything works as intended.

Case2: User types Credentials into Logon Page-> 2 URL Changes and the User gets a Blank Screen, if he now Refreshes the Page, he will be loged in and it will work fine.

Case3: User types Credentials into Logon Page-> 1 URL Change and the User is presented with the ASPX Form.

As for my Configuration I mostly took Table15 from https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-sso-config-11-2-0/3.html and changed it to my needs.

The JavaScript injection looks as follow(EXTRA):

WebForm_DoPostBackWithOptions(new WebForm_DoPostBackWithOptions("LoginVariable","",true,"","",false,false));
__f5form.enctype = 'application/x-www-form-urlencoded'; 
__f5form.encoding = 'application/x-www-form-urlencoded';

Is there anything I can do to fix this? This Random Race Condition is driving me crazy...

BIG-IP Access Policy Manager (APM)
deployment
race condition
security
SSO
  • Walter_Kacynski's avatar
    Walter_Kacynski
    Icon for Cirrostratus rankCirrostratus
    Feb 05, 2015

    Forms2 SSO has many issues. The one that I have encountered is that it fails to properly perform HTTP re-chunking causing corrupted content to be sent to the client.

    I use the following irules to selectively force re-chunking for requests that use Forms2 SSO. Alternatively, you could change the HTTP profile to rechunk ALL content. But that might not be suitable if you have multiple applications running under a single VS.

    when ACCESS_ACL_ALLOWED {
    switch -glob [HTTP::uri] {
        "/app1/*" {
            set sso_config /Common/APP1-SSOFormsV2
            WEBSSO::select $sso_config
            unset sso_config
            set rechunk_required 1
        }
    }
}

when HTTP_RESPONSE {
     Fix for Case C1746889 and Bug 383341
     This is needed for when Forms SSO V2 interferes with HTTP Chunking under the "Selective" mode of the HTTP Profile
    if { [info exists rechunk_required] } {
        if { [HTTP::header exists "Transfer-encoding"] } {
            HTTP::payload rechunk
        }
        unset rechunk_required
    }
}

    I would also suggest that you are certain Forms based SSO will not work in your situation.

  • fabiblack_18546's avatar
    fabiblack_18546
    Icon for Nimbostratus rankNimbostratus
    Feb 05, 2015

    Unfortunately I get the same behaviour with the Irule applied and/or enabling rechunking. When i rechunk too much(Request Chunking), i get a page error.