Forum Discussion
SAML Cookie Persistence after browser/system restart and across service providers
I am fairly new to the F5 world and in the beginning of setting up our LTM's as SAML IdP's for a variety of services. Our first use-case is Jive, which we have working and all the attributes are pulling across just fine, authentication is fine, everything is functional as is.
I'm having a hard time translating what we want the user experience to be into the next phase of the configuration. Our hope was that we could authenticate a user to the LTM, they would be provided a cookie that was set to expire in 24 hours, that cookie would provide SSO access to other services that we'll be adding, and once the 24 hours is up the user would be asked to authenticate again regardless of which service they are logging in to.
I've set the Maximum Session Timeout to 86400 seconds (24 hours) and set the cookie to persistent, but when I log in with a test account I don't see a new cookie created on the user system and closing the browser loses the session. In addition, I don't have another sandbox service provider to test with currently to ensure that the cookie we are hoping will be creating would be valid for that other service as well.
Am I wrong in thinking that the F5 can provide a persistent cookie that survives beyond browser or systems restarts? Can the F5 only provide SSO for that time period and across SAML partners as long as that browser session is open?
I presume I'm asking some pretty elementary stuff so forgive my lack of current knowledge. Any pointers on where I can read up on that or help managing my expectations would be appreciated.
I assume you are actually talking about leveraging F5 Access Policy Manager(APM) for this. If so, the cookie behavior is controlled under SSO/Auth Domains tab of the access policy. Check the Persistent checkbox, and it will be persistent across browser restarts.
- Micah_HaarbrinkNimbostratusHey Michael, Thanks for the response. I am indeed using APM. I did check that box and applied the policy but it didn't seem to have the intended effect. I was testing on a Mac (Safari and Chrome) and Windows 7 (Chrome and IE 9). I cleared cache and cookies on all browsers, logged in successfully, closed the browser and opened them again (definitely didn't clear cookies in that restart) and when I hit my web service it tosses me back to the F5 SSO logon again. Results were consistent across all browsers. I asked an F5 contact we have and he mentioned the same thing about the checkbox but thought maybe we were missing a step being in a newer version. We're running 11.4.1 HF2 but I haven't seen anything in the hotfix notes that might explain it. Should I expect to see a new cookie in the temp internet files directory to reflect the fact that I'm using a persistent cookie? I did keep an eye on that temp files directory and didn't see any cookie for "auth.mydomain.com" which I was kind of expecting as well.
- Michael_KoyfmanCirrocumulus
I assume you are actually talking about leveraging F5 Access Policy Manager(APM) for this. If so, the cookie behavior is controlled under SSO/Auth Domains tab of the access policy. Check the Persistent checkbox, and it will be persistent across browser restarts.
- Micah_HaarbrinkNimbostratusHey Michael, Thanks for the response. I am indeed using APM. I did check that box and applied the policy but it didn't seem to have the intended effect. I was testing on a Mac (Safari and Chrome) and Windows 7 (Chrome and IE 9). I cleared cache and cookies on all browsers, logged in successfully, closed the browser and opened them again (definitely didn't clear cookies in that restart) and when I hit my web service it tosses me back to the F5 SSO logon again. Results were consistent across all browsers. I asked an F5 contact we have and he mentioned the same thing about the checkbox but thought maybe we were missing a step being in a newer version. We're running 11.4.1 HF2 but I haven't seen anything in the hotfix notes that might explain it. Should I expect to see a new cookie in the temp internet files directory to reflect the fact that I'm using a persistent cookie? I did keep an eye on that temp files directory and didn't see any cookie for "auth.mydomain.com" which I was kind of expecting as well.
are you connecting to a hostname? or to an IP? is the domain correctly set in the SSO configuration?
when you connect for the first time, is a cookie set at all?
- Micah_HaarbrinkNimbostratus
For anyone curious, the response from F5 support is that cookie persistence is triggered in APM only when forwarding to a pool on the virtual server and the pool responds. Since we are configured as a SAML IdP the pool is really just a placeholder and there is nothing to respond. It was recommended we submit a feature request to add this in future updates so we're doing that.
In the meantime, they provided us with an iRule to cover the behavior and with that in place we are seeing the cookie persist beyond browser restarts and computer reboots.
- Dizzle_79606NimbostratusCan you update me with a case number or post the Irule for further inspection. We are seeing this behavior in 11.6 with Secureauth and APM for lastmrh and saml cookies
- Rabbit23_116296Nimbostratus
Hey Michah - I'm having the same issue, do you still have that iRule to share?
- Micah_HaarbrinkNimbostratus
Here is the rule. We apply this to each Virtual Server we create that has an SSO policy associated with it and in the SSO/Auth Domains section of the Access Policy put the same parent domain in the domain cookie field.
So we have auth.mycompany.com for one IdP, auth2.mycompany.com for another and each of those has it's own Access Policy and Virtual Server. Then they both have mycompany.com in the SSO/Auth Domains section of each of those Access Policies.
Oh and the session timer is stupid long because currently marketing is requiring that sessions remain active for 7 days. We'll see how long that lasts before it causes problems =/
when CLIENT_ACCEPTED { ACCESS::restrict_irule_events disable } when HTTP_RESPONSE_RELEASE { HTTP::cookie expires MRHSession 604800 HTTP::cookie expires LastMRH_Session 604800 }
- Rabbit23_116296Nimbostratus
Hi Micah
I have tested the above and I wanted to know what do you managed to achieve with the above? We have a service provider that has a short cookie and or saml session validity that constantly redirects users back to our idp. We want to work around this.
Does this provide a cookie authentication mechanism to the idp which does not require the user to re-enter credentials?
- Micah_HaarbrinkNimbostratusThis applies an expiration to the cookies that the F5 establishes. The number after MRHSession and LastMRH_Session is the number of seconds the cookie is good for. Without this iRule, the cookies were just left as a session cookie and would disappear when we closed the browser or restarted the system. Now the cookie stays valid on the system for that long. If the SP sends back an authentication request, the user hits the F5 logon page, the cookie is checked and if it's still good just sends the user back to the SP.
- Rabbit23_116296Nimbostratus
That's exactly what i have been trying to achieve. So under SSO auth settings which options do you use to set the cookie? Secure and persistent tick boxes? And then you just bind the irule to the virtual server?
Sorry for all the questions. Been trying to get this to work..
- Micah_HaarbrinkNimbostratusYep, I check both of those. I set the domain cookie as the parent domain (I have multiple Access Porifles sharing that cookie). I also set the Maximum Session Timeout to match the number of seconds in the iRule. The contractor I was working with suggested matching those, but I'm not sure if it's technically a requirement. We had a hard date to go live so I've been dealing with go-live issues and haven't been able to test and break additional policies to verify the bits and pieces that matter most. So essentially I have Virtual Server A Access Policy A Maximum Session Timeout (set to X seconds) SSO/Auth Domain Cookie set to parentdomain.com Secure checked Persistent checked Presistent iRule (set to X seconds) Virtual Server B Presistent iRule (set to X seconds) Access Policy B Maximum Session Timeout (set to X seconds) SSO/Auth Domain Cookie set to parentdomain.com Secure checked Persistent checked
- Micah_HaarbrinkNimbostratusOh and Access Policy A is set up for SP's that require lots of attributes to populate profiles. Access Policy B is set up with just authentication but no additional queries. Then I have an IdP for one of our SP's that needs all that info for profiles and another IdP that just uses email for the assertion and I have a few SP's using that. That way I don't need individual IdP's, Access Policies Virtual Servers for each SSO buddy.
- Micah_HaarbrinkNimbostratusComment formatting on here is awful. Sorry for the replies and deleting/adding the comments.
- Rabbit23_116296Nimbostratus
Thanks I'll test this today.
We use our Idps in a similar way, we have our a VS fpr each idp. i.e. dropbox.company.com and google.company.com. I have setup dropbox with a redirect irule "ACCESS::respond 302 Location https://dropbox.company.com/saml/idp/res?id=/SSO/dropbox"
So from my understanding the cookie should now be set for requests coming to dropbox.company.com - and subsequent service provider samlrequests should not challenge my idp for creds as I should pass the cookie header. Is your solution tested for IDP initiated SAML logon or is this something you don't use? Reason is, after implementing, when I close my browser and go back to my idp dropbox.company.com it presents me with the same logon form.
- Rabbit23_116296Nimbostratus
OK - In the access policy I assign a webtop which is why my cookie gets reset by the APM module even when I pass the persistent cookie when I refresh the browser.
I need the webtop to do IDP initiated SSO with an iRule. One for F5 support I think
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com