Forum Discussion
Hi
Think I haven't explained too well.
Setting a cookie on an APM call. Why I asked about this is because of the interaction between iRules and APM. I can set it on http_request but that just sets it to the back end pool. I think I need to set it on http_response - how does that work on APM calls?
Not sure where Azure AD came up. All components are on F5 - different boxes.
SAML login -> https://login.local
OAUTH server -> https://auth.local
resource server -> https://resource.local
The protected URL
https://resource.local/protectedURL
APM for VS that has https://resource.local protects the URL with an OAuth client (VPE), then does the redirect. At this point the original URL is lost - it's not part of the URL and it hasn't been saved as a URL.
I guess because I have lots of landing places for OAUTH I can't use client id and post back.
I notice a lot of other SSOs append the destination URL to the URL, so
https://resource.local/protectedURL would turn into https://resource.local/login/protectedURL
and maybe https://auth.local/login/https://resource.local/protectedURL
presumably with url encode.
As I mentioned, on my Azure AD integration I do not see your issue, so this could be limited to your environment. Also, for the cookie part there are really a lot of examples from F5 or in the community if you just search for them.
Examples: it is for portal access, but you may test it to see if it works for you as well, as your issue indicates that you may need to do a lot of testing. You may need to access the session variable for the landing URL with "ACCESS::session data get" and save it to a normal iRule variable so as to use it in later events like HTTP_RESPONSE or HTTP_RESPONSE_RELEASE (this is when the F5 generates the response, but as it is not the case with you, maybe using portal access, HTTP_RESPONSE could be the right event for you).
https://clouddocs.f5.com/api/irules/HTTP__cookie.html
You can trigger iRules in APM with an Agent, but maybe this will not be needed, as when you want to add something to the Response, not the Request, this means that the user should have passed the APM policy, but I am just sharing with you.
https://clouddocs.f5.com/api/irules/ACCESS_POLICY_AGENT_EVENT.html
Outside of that I can't suggest anything else, as I am not familiar with your network environment like you are. As you can see, the F5 generates an HTTP 301/302 redirect to the client (you can see this with HTTP debugging on the client: https://support.f5.com/csp/article/K35932460 ) and maybe not the cookie, but as mentioned in previous messages, changing the HTTP redirect could help. That is what I can share and hopefully it helps you to investigate your issue.
- AlexS_yb, Dec 30, 2022, Cirrocumulus
You - well I haven't been able to set a cookie during the initial redirect to /my.policy
cookie going to the client not the back end.
- Nikoolayy1, Dec 31, 2022, MVP
Cookies go to the clients, not the backend, as this is just how they work. For the backend just set an HTTP header, as there are many ways to do that, so you just need a server-side event like HTTP-RESPONSE. Happy New Year from me, as now is not the time to do F5 stuff but to celebrate 🤩
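
The approach suggested in the thread (read the landing URI from the APM session, keep it in an iRule variable, write the cookie to the client in HTTP_RESPONSE), as an added iRule example that is not code from any poster or from F5. The cookie name `apm_return_to` is an assumption, as is a virtual server with an access profile whose responses come from the pool so that HTTP_RESPONSE fires; the path check keeps the stored value from being usable as an open redirect.

```tcl
# Added example, not from the thread. "apm_return_to" is an assumed cookie name.

when ACCESS_ACL_ALLOWED {
    # Runs for requests that have passed the access policy.
    # Skip the work if the client already carries the cookie.
    if { [HTTP::cookie exists "apm_return_to"] } {
        return
    }

    # session.server.landinguri is the URI the client first asked for
    # before APM sent it through the policy.
    set landing [ACCESS::session data get "session.server.landinguri"]

    # Keep only a local absolute path. Rejecting "//host", full URLs and
    # backslashes stops the value from pointing at another site if some
    # later component redirects to it.
    if { [string match "/*" $landing]
         && ![string match "//*" $landing]
         && [string first "\\" $landing] == -1 } {
        set return_to $landing
    }
}

when HTTP_RESPONSE {
    # Variables are per connection, so only act when the request side set one.
    if { [info exists return_to] } {
        # Set-Cookie goes to the client; the pool member never sees it
        # unless the browser sends it back on a later request.
        HTTP::cookie insert name "apm_return_to" value [URI::encode $return_to] path "/"
        HTTP::cookie secure "apm_return_to" enable
        # See the HTTP::cookie reference linked above for version-specific
        # behaviour of the httponly attribute.
        HTTP::cookie httponly "apm_return_to" enable
        unset return_to
    }
}
```

Whatever later consumes the cookie should apply the same path check again before redirecting, since a client can send any cookie value it likes.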