I'm a newbie with F5. For a client I have to configure OpenID Connect authentication, so I followed the F5 documentation and everything is working fine, except one thing.
The process:
The user goes to the Virtual Server apptest.example.com (on the first F5) (Access Profile with just an OAuth Client). He is directly redirected to the Virtual Server appauth.example.com (on the second F5) (Access Profile with OAuth Authorization). The user authenticates himself; if the authentication succeeds he passes through OAuth Authorization and is redirected to apptest.example.com, after which he is finally redirected to my website with the id_token.
The problem is: if the user goes back to apptest.example.com, the Virtual Server gets stuck and after maybe 1 minute the user gets the error ERR_CONN_RESET (Chrome). But if I delete the user's active session (on the first F5), it works, and the user can access apptest.example.com and do the whole process.
What I was expecting is: when the user goes back to apptest.example.com after a successful process (authentication), he is directly redirected to my website with the id_token.
Thank you in advance.
Is apptest.example.com set up with a Redirect ending at appauth.example.com, or is a multi-domain SSO config used?
So how does the redirect to appauth.example.com happen, and what do you mean by "(On the second F5)"? Another F5 device?
No, there are just 2 F5s; one is used as a client/resource server and the other as authorization server. At the end of the Access Profile (Per-Session Policies), when the client has passed through the "OAuth client", the client is redirected to the website: website.example.com/ide_token=******
Can you share with us which F5 documentation / guide you followed? Just a link to it.
And can you share how your Resource Server (apptest.example.com (on the first F5)) is configured? Does it have an Access Profile (Per-Session Policy) and additionally a Per-Request Policy? How is it set up?
The behaviour of "delete the active session and after reload it works" makes me wonder if part of the config on the Resource Server is missing.
Hello and thank you,
You can find my reply below.
This is the doc I followed: https://support.f5.com/csp/article/K14391041 ; but I changed some settings, for example my client wants to use OpenID Connect with it. On apptest.example.com there is just one Access Profile (Per-Session Policy). Like this:
When the user connects for the first time and passes through, it works, but when he has an active session he can't connect to apptest.example.com; I get an error "Secure Connection Failed" ... An error occurred during a connection to apptest.example.com. PR_CONNECT_RESET_ERROR
The only "workaround" I have found for the moment is to delete the active session at the end of the Access Profile (when I redirect the user to the website). But it means that I can't see his session on the F5.
PS: I see nothing in the Access Profile logs, so it means (I think) that it is related to the Virtual Server and not the Access Profile.
Your answer is quite comprehensive, I will go through it...
Meanwhile, did you do a traffic capture on the F5 or on the client? On the F5 you can decrypt the SSL and you can also log the reset cause. It's definitely worth investigating the reason for the connection reset.
Hello and thank you.
I will investigate.
F5 has a great article for this:
Also with HttpWatch or Fiddler you can check if you see a response but the browser maybe has issues showing it; as it said the connection is reset by Chrome, maybe it is not the F5.
For OAuth, to decode the answer if you think it is needed, I found this tool. I have such tools to decode SAML messages. For OAuth message decoding, F5 has an article for such things:
Also this can be used:
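The reply above recommends decoding the OAuth answer (the id_token) while troubleshooting. As an added illustration, not code from the thread or from F5, the following Python script does the two things a practitioner needs during such debugging: decode the JWT header and payload the way an online decoder does, and then actually verify the signature and the core OIDC claims (iss, aud, exp, iat), since a decoded token is not a trusted token. The key, issuer, audience and claims are constructed demo values (HS256 with a shared secret), chosen only so the script runs offline; an APM authorization server would normally sign with RS256 and publish its public key via JWKS.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo values, not F5 output: a shared HMAC key and the identity
# of the authorization server (appauth.example.com in the thread) and client.
DEMO_KEY = b"demo-shared-secret-not-for-production"
DEMO_ISSUER = "https://appauth.example.com"
DEMO_AUDIENCE = "apptest-client"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_id_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build an HS256-signed JWT so the decoder below has realistic input."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def decode_id_token(token: str) -> Tuple[dict, dict]:
    """Split and decode header and payload WITHOUT verifying the signature.

    This is what the online JWT decoder tools do: fine for reading claims
    while troubleshooting, but nothing returned here may be trusted until
    verify_id_token() has passed.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def verify_id_token(token: str, key: bytes, issuer: str, audience: str,
                    now: Optional[float] = None) -> dict:
    """Verify the signature and the core OIDC claims; return the payload."""
    header, payload = decode_id_token(token)
    # Pin the algorithm: the token must not get to choose how it is verified
    # (alg 'none' and RS/HS confusion are the classic pitfalls).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input, sig_b64 = token.rsplit(".", 1)
    expected = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    if payload.get("iss") != issuer:
        raise ValueError(f"issuer {payload.get('iss')!r} != {issuer!r}")
    aud = payload.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        raise ValueError(f"audience {aud!r} does not contain {audience!r}")
    now = time.time() if now is None else now
    if "exp" not in payload or now >= payload["exp"]:
        raise ValueError("token expired or missing exp")
    if "iat" in payload and payload["iat"] > now + 60:
        raise ValueError("token issued in the future (clock skew > 60s)")
    return payload


if __name__ == "__main__":
    # Constructed sample claims; the lifetime is one hour from now.
    issued = int(time.time())
    demo = make_demo_id_token({"iss": DEMO_ISSUER, "aud": DEMO_AUDIENCE,
                               "sub": "user1", "iat": issued, "exp": issued + 3600})
    print("decoded:", decode_id_token(demo))
    print("verified:", verify_id_token(demo, DEMO_KEY, DEMO_ISSUER, DEMO_AUDIENCE))
```

To inspect a token captured from a real redirect, paste it into decode_id_token(); the signature check only applies once the verifier is given the authorization server's actual key and algorithm.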
03-Apr-2021 08:50 - last edited on 24-Mar-2022 01:22 by li-migration
Did you get any further with this? I managed to get it going following strictly https://support.f5.com/csp/article/K14391041.
I will adjust my setup throughout the weekend to add the configuration required for JWT and will test further.
Any results from taking a tcpdump or maybe you can change the Log profile to debug level for OAuth?
Just to clarify that I am not missing something important - you want to achieve the following:
Client goes to https://app.example.com (Resource Server).
Is redirected to https://auth.example.com (Authentication Server), client authenticates with <whatever>, receives token.
Is redirected back to https://app.example.com and authenticates there once with the token received from the Authentication Server.
The client then receives the APM cookies and no further token is required.
Is that correct? Because I got this working with your settings from above.
Only thing I have different is the cookie settings and some minor stuff like username instead of mail.
Anything obvious that might be off in your config? Like mixing http and https or IP and FQDN, or something off with your DNS config in apm-dns-resolver?
Sorry for the late reply, I was busy with other projects.
The process (for the moment) is:
The client is redirected to the IP of the website (webapp.example.com = 10.0.0.4) instead of a FQDN, but everything uses HTTPS.
Thank you for your time.