Forum Discussion
Using an irule to rewrite content in a SAML response
I am using our F5 as a SAML IdP and I have an issue that requires me to alter the SAML response before sending it back to the SP. The SP's system is balking at the usage of a plain & instead of a &amp; in the response but that & is part of the ACS URL and if I change it in the SP configuration then the F5 cannot find a matching connector. This is because when it parses the SAML request with this string in the ACS URL: "awr=1&amp;realm=HHMI-T" it parses it as "awr=1&realm=HHMI-T". The problem is that when it sends the SAML response back it does not properly encode "awr=1&realm=HHMI-T" into a legal XML format "awr=1&amp;realm=HHMI-T" and the SP rejects it as bad XML. So my solution is to apply a blank Stream profile and the following iRule:
when HTTP_REQUEST {
    # Disable for client requests
    STREAM::disable
}
when HTTP_RESPONSE {
    # Disable other responses
    STREAM::disable
    if { [HTTP::header value Content-Type] contains "application/x-www-form-urlencoded" } {
        # Replace the bare & in the ACS URL with its XML entity (@ is the delimiter)
        STREAM::expression {@awr=1&realm=HHMI-T@awr=1&amp;realm=HHMI-T@}
        # Enable Stream for this response
        STREAM::enable
    }
}
My question is that since the SAML response is base64 encoded, do I need to use the b64decode function to read the SAML response before using a replace function with the STREAM::expression command?
Thanks
6 Replies
- JDL_53476
Nimbostratus
LOL. I can't even post the syntax mistake in the forum because it converts it...what I was trying to convey is the difference between "&" and "&(nospace)amp(nospace);" but the forum just converts both of those to ampersands.
- kunjan
Nimbostratus
Have you tried the workaround mentioned here?
http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15157.html
- JDL_53476
Nimbostratus
Thanks for your response. Unfortunately, yes I've tried that and the F5 will give me an error that no SP external connector match can be found and it will not generate the response.
- kunjan
Nimbostratus
Can you provide the original ACS URL and that configured under SP connector?
- JDL_53476
Nimbostratus
Here it is:
https://s1.ariba.com/Buyer/Main/ad/samlAuth/SSOActions?awr=1&realm=HHMI-T
When I use that workaround and use the reference entity it errors with no match found. When I take that workaround out it works and it responds but the SP errors out with invalid user and in their logs there is an error about bad XML characters.
- kunjan
Nimbostratus
The SP reject with invalid user should be due to the XML parse error, as '&' is not XML encoded as '&amp;' in the SAML response. In the AuthResponse, the 'Destination' and 'Recipient' values got to be
https://s1.ariba.com/Buyer/Main/ad/samlAuth/SSOActions?awr=1&amp;realm=HHMI-T
I think if you try to XML format the SAML response now coming from APM you might get the same error: http://www.freeformatter.com/xml-formatter.html
Now, I guess you can try to fix it at the source. Since this is SP initiated SAML, modify the ACS at SP and correspondingly modify the APM SP connector with
But I'm not too sure SP will have issue with & in the URL when APM POST back.
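On the original question of whether the SAMLResponse must be b64decoded before a replace, and on kunjan's point that Destination and Recipient have to carry '&amp;': the following is an added example, not code from the thread or from F5, showing why a stream rewrite on the wire cannot see the string and what the decode, escape, re-encode step looks like. The SAML fragment, its IDs and the regex are constructed for this example.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed SAML Response fragment (not from the thread): the bare '&' inside
# Destination and Recipient is the non-well-formed XML the SP is rejecting.
ACS_URL = "https://s1.ariba.com/Buyer/Main/ad/samlAuth/SSOActions?awr=1&realm=HHMI-T"
BAD_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
    f'Destination="{ACS_URL}">'
    '<saml:Assertion ID="_a1"><saml:Subject><saml:SubjectConfirmation>'
    f'<saml:SubjectConfirmationData Recipient="{ACS_URL}"/>'
    "</saml:SubjectConfirmation></saml:Subject></saml:Assertion></samlp:Response>"
)

# A '&' that does not already start an entity reference (&amp; &#38; &#x26; ...).
BARE_AMP = re.compile(r"&(?![A-Za-z][\w.-]*;|#\d+;|#x[0-9A-Fa-f]+;)")


def to_wire(xml_text: str) -> str:
    """HTTP-POST binding: the SAMLResponse form field is the XML, base64-encoded."""
    return base64.b64encode(xml_text.encode()).decode()

def from_wire(wire: str) -> str:
    return base64.b64decode(wire).decode()

def stream_can_match(wire: str, needle: str) -> bool:
    """A STREAM::expression only sees the base64 text, never the XML inside it."""
    return needle in wire

def fix_bare_ampersands(xml_text: str) -> str:
    return BARE_AMP.sub("&amp;", xml_text)

def rewrite_wire(wire: str) -> str:
    """Decode, escape, re-encode. The escaped XML is longer, so the base64 changes
    throughout and cannot be patched in place. If the Response or Assertion is
    signed, the SP's signature check covers this content, so an in-transit edit
    is likely to fail validation and the fix belongs at the IdP."""
    return to_wire(fix_bare_ampersands(from_wire(wire)))

def parse_destination(wire: str):
    """The Destination the SP's parser would see, or None if the XML is rejected."""
    try:
        return ET.fromstring(from_wire(wire)).get("Destination")
    except ET.ParseError:
        return None
```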