Forum Discussion
Gabriel_V_13146
Cirrus
CirrusSAML SLO request ignored on iRules
Hello all,
the F5 still doesn't pass the relay state on single logout (see https://devcentral.f5.com/questions/saml-logout-relaystate), I've tried to go around using an iRule (store the RelayState ...
You can define a layered VS that apply your irule :
-
Change the IP address of your current VS (for example: 1.1.1.1) and remove your irule
-
Create a new VS (with published IP) and add your irule.
-
just add
to the end of the HTTP_REQUEST event of your irule (where Internal_VS is your VS with IP 1.1.1.1)virtual /Common/Internal_VS
Thus, you will be able to manipulate REQUEST and RESPONSE (HTTP_RESPONSE) without any issues.
-
Yann_DesmarestCirrus
CirrusHello,
Can you retry by adding the following line of codes on your irule :
when CLIENT_ACCEPTED {
ACCESS::restrict_irule_events disable
}
This peace of irule will allow you to manage with internal APM URIs.
Moreover, if you would be able to handle response coming from APM, you should change the HTTP_RESPONSE event by HTTP_RESPONSE_RELEASE.
Gabriel_V_13146Hello, you were right * command "ACCESS::restrict_irule_events disable" enabled most of the events * /saml/idp/profile/post/sls fires only the HTTP_RESPONSE_RELEASE event problem stays, that in the HTTP_RESPONSE_RELEASE event we have no means (or do we?) manipulate the response. Only thing I've managed was to inject data BEFORE the response ( HTTP::payload 0 0 ".....") however trying to change anything INSIDE failed (or I just don't know how to do that). Mostly I got an APM error in access_sanitize_portal_headers.c (Line: 11767) :( Apparently - modifying response would work having the HTTP_RESPONSE event too, where we could call HTTP::collect to fill the payload.. but HTTP_RESPONSE is not called. Any hint around that? Best regards Gabriel