Forum Discussion
blwavg_10621
Nimbostratus
Nov 12, 2013
SAML SSO Without a Webtop
The F5 is the SAML IDP for an external cloud based service. I am working on setting up and testing this on a webtop. Is it possible to not have to use a webtop? For example, setup an internal DNS rec...
Michael_Koyfma1
Cirrus
Oct 08, 2015
I think I am going to hazard a guess what's going on wrong here. If the user navigates away from the webtop, and hits the virtual again, they will be sent to the login page even if they present a valid MRHSession cookie. You can control that behavior using an iRule as well:
when HTTP_REQUEST {
    if { ( [HTTP::cookie exists MRHSession] ) and ( [ACCESS::session exists -state_allow [HTTP::cookie value MRHSession]] ) and ( [HTTP::uri] equals "/" ) } {
        HTTP::redirect "https://[HTTP::host]/vdesk/webtop.eui?webtop=/Common/portal_webtop&webtop_type=webtop_full"
    }
}
- Michael_Koyfma1 Oct 08, 2015
Cirrus
I probably should add that you need to replace /Common/portal_webtop with the name of the webtop object in your APM configuration.
- Rabbit23_116296 Oct 08, 2015
Nimbostratus
I will give that a try, thanks. I suppose, seeing as we don't want to present a webtop, that redirect action can go directly to the SAML resource URI? Based of course on the requesting HTTP::host.
- Michael_Koyfma1 Oct 08, 2015
Cirrus
Yes, same logic applies.
- Rabbit23_116296 Oct 14, 2015
Nimbostratus
Thank you both very very much. Understanding the ACCESS::session methods was the key here that I clearly didn't have. Steak dinners on me!

# If the URI isn't a redirect to an SP resource, and it's an active session, redirect to the SAML SP resource
if { ( [HTTP::cookie exists MRHSession] ) and ( [ACCESS::session exists -state_allow [HTTP::cookie value MRHSession]] ) and ( [HTTP::uri] equals "/" ) } {
    switch [string tolower [HTTP::host]] {
        "learning.pseudo.com" {
            log local0.notice "~~~~~~~~~~~~~~Cookie matches and allowed for LEARNING: Looks like we found an IDP initiated with URI: [HTTP::uri]"
            HTTP::redirect "https://learning.pseudo.com/saml/idp/res?id=/SSO/kallidus"
        }
        "bluetube.pseudo.com" {
            log local0.notice "~~~~~~~~~~~~~~Cookie matches and allowed for BLUETUBE: Looks like we found an IDP initiated with URI: [HTTP::uri]"
            HTTP::redirect "https://bluetube.pseudo.com/saml/idp/res?id=/SSO/Kaltura"
        }
        # The posted pattern read "recruitment.pseudo.com.com", which could never match the host it redirects to; corrected here.
        "recruitment.pseudo.com" {
            log local0.notice "~~~~~~~~~~~~~~Cookie matches and allowed for RECRUITMENT: Looks like we found an IDP initiated with URI: [HTTP::uri]"
            HTTP::redirect "https://recruitment.pseudo.com/saml/idp/res?id=/SSO/recruitment"
        }
    }
}
- brad_11480 Apr 21, 2016
Nimbostratus
I found that code would present the user with their webtop, but we are avoiding presenting the user with the webtop, so I send them to the same location as was done in the ACCESS_POLICY_COMPLETED with the ACCESS::respond 302 Location, but in the HTTP_REQUEST it would be a HTTP::respond 302 Location. It allows the user who, for whatever reason, is still authenticated, to return to the service provider as long as the cookies are valid.
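The two pieces the thread arrives at (the HTTP_REQUEST check on an existing allowed session, and the post-policy redirect brad describes) combined into one iRule, as an added example that is not code from any poster. It assumes the three pseudo.com hosts and their /saml/idp/res?id=... resource URIs from the posted switch, a TMOS release with iRule procs (11.4 and later), and that the webtop is never to be shown.

```tcl
# Added example, not from the thread. Hostname -> IdP-initiated SAML resource
# (constructed mapping; replace with your own hosts and resource IDs).
proc sp_target { host } {
    switch -- [string tolower $host] {
        "learning.pseudo.com"    { return "https://learning.pseudo.com/saml/idp/res?id=/SSO/kallidus" }
        "bluetube.pseudo.com"    { return "https://bluetube.pseudo.com/saml/idp/res?id=/SSO/Kaltura" }
        "recruitment.pseudo.com" { return "https://recruitment.pseudo.com/saml/idp/res?id=/SSO/recruitment" }
        default                  { return "" }
    }
}

when HTTP_REQUEST {
    # Only act on the bare "/" so APM's own paths (/my.policy, /saml/..., /vdesk/...) pass untouched.
    if { [HTTP::uri] ne "/" } { return }
    # A present MRHSession cookie proves nothing by itself; APM must confirm the
    # session exists and is in the allowed state before we treat it as authenticated.
    if { ![HTTP::cookie exists MRHSession] } { return }
    if { ![ACCESS::session exists -state_allow [HTTP::cookie value MRHSession]] } { return }
    set target [call sp_target [HTTP::host]]
    if { $target eq "" } {
        # Unmapped host: leave the request to APM instead of redirecting to a host-derived URL.
        log local0.notice "No SAML resource mapped for host [HTTP::host]; leaving request to APM"
        return
    }
    # HTTP::respond, not HTTP::redirect to the webtop: the still-valid session goes
    # straight back to the service provider, as brad's comment describes.
    HTTP::respond 302 Location $target Cache-Control "no-store"
}

when ACCESS_POLICY_COMPLETED {
    # Immediately after a successful policy run, send the new session to the same SP resource.
    if { [ACCESS::policy result] ne "allow" } { return }
    set target [call sp_target [HTTP::host]]
    if { $target ne "" } {
        ACCESS::respond 302 Location $target
    }
}
```

Because the redirect target comes from a fixed mapping rather than from the Host header itself, a request with an unexpected Host value falls through to the normal APM flow instead of producing a redirect to an attacker-chosen destination.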