F5 SSO - OAuth with SAML - how to preserve the original protect URL

Question

HiSo I havelogin -&gt; This is my login server - I have APM protecting itauth -&gt; this is my oauth server it talks to login to get login its a saml callLets say I havehttps://uat/&lt;some protected URL&gt;, that I use a OAuth claim to protect it.So when i go to https://uat/&lt;some protected URL&gt; I getredirect to /my.policythen redirect to auth/oauth urlredirect to auth/my.policyredirect to login/saml end pointredirect to /my.policyredirect to /my.policy the login processredirect to auth/sam return end pointredirect to https://uat/Oauth return pointredirect back to https://uat/&lt;some protected URL&gt;&nbsp;When it works its okay, but what happens with a bad password or if a user takes to long to login and has to start a new login session any break from normal means that user ends up on https://login/I have noticed on other SSO work flows - the originating url is in the url passed around - that doesn't happen on F5I checked the landing on the inital entry to https://auth and the browser doesn't even send the referrer url ...&nbsp;How do poeple cope with this.&nbsp; Note my apm session are on different F5, so I can't share behind the scene variables !&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;

nikoolayy1 · Answer

I admit I do not follow the text as the way you have written it is not very clear at least for me and maybe a picture can help. About sharing session variables can't you insert a session variable an an HTTP header between the F5 devices?
&nbsp;
https://support.f5.com/csp/article/K74392192
&nbsp;
&nbsp;
Also for Oauth just you can use F5 Oauth SSO in "Passthrough" with a JWT token if possible and I think you are not using the F5 devices as Authorization servers and the first f5 APM is Oauth Client/Resource Server then you can make the second F5 with the SAML just resource server and use the info in the token.
&nbsp;
https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/big-ip-access-policy-manager-single-sign-on-concepts-configuration-14-1-0/04.html
&nbsp;
https://support.f5.com/csp/article/K42333110
&nbsp;
If I got it wrong and the F5 APM is authorization server with claims and JWT Access token you can share info like session variables between the F5 APM AS and the F5 that is Client/Resource server.
&nbsp;
https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-oauth-configuration/using-apm-as-an-oauth-2-server.html
If the customer first accesses the first F5 APM oauth device and then the customer accesses the second F5 SAML device with Browser URL redirection you may need to share the session varibles by inserting them in a cookie and then reading from them.
&nbsp;
https://clouddocs.f5.com/api/irules/HTTP__cookie.html
https://community.f5.com/t5/technical-forum/assign-cookie-value-to-apm-custom-variable/td-p/292298
&nbsp;
Still why you are using Oauth and SAML is strange as Oauth can do anything SAML can do but better with the authorization codes that Oauth uses and for now there is no way to exchange SAML token for an Oauth or vice versa or to use the same token for SAML and Oauth to make life easier 😀
&nbsp;

alexs_yb · Answer

Hi&nbsp;Thanks for the input, see if i can try againhttps://uat/some/protected/url &lt;&lt; APM policy that use oauth client - client/resourceIf I don't have a APM session the first response is a 302 to /my.policyI don't get to run any code - how do I insert a cookie at this stage don't think i can ?https://uat/my.policy does the redirect to https://auth/someOAuth URL&nbsp;&nbsp;&nbsp; (&lt;&lt; this is the oauth server ) it doesn't know what the original URL was.&nbsp;&nbsp;&nbsp;&nbsp;

nikoolayy1 · Answer

About the cookie it is in the links I shared with you that you can take a look at 🙂
&nbsp;
Stange from what I have seen after you are returned from the Azure AD you get the url you tried to open.&nbsp; The issue you mentioned I have only when playing for example with the https://petstore.swagger.io/ as a pool member test app as to when I do not send a specific correct request the F5 APM just can't fetch the page. The issue was resolved when I attached URI rewrite profile so that when I send the http traffic to the pool members to change the URI to the real one that that the pool members use so I do not see this issue as it is normal when F5 can't resolve the HTTP request will the backend servers to give you a hint like in my case it was""" xxxx/oauth/login.jsp """&nbsp; and the below message.
&nbsp;

&nbsp;
Outside of that it could be a bug so I am on 16.1.3.2 so upgrade to it or you may try URI redirec in the policy as the your landing URI is saved to variable session.server.landinguri , so you may to use something like the link below or an iRule&nbsp; as given in the next Links to "get" the session variable and then to use it for an redirect event.
&nbsp;
https://community.f5.com/t5/technical-forum/landing-uri-irule-http-redirection/td-p/34919
&nbsp;
https://clouddocs.f5.com/api/irules/ACCESS_POLICY_COMPLETED.html
&nbsp;
https://clouddocs.f5.com/api/irules/ACCESS__session.html
&nbsp;
That are all my ideas.

alexs_yb · Answer

Hi&nbsp;Think I haven't explained to well.Setting a cookie on a APM call. why I asked about this is because of the interaction between irules and APM, I can set it on http_request but that just sets it to the back end pool. I thnk I need to set it on http_response - how does that work on APM calls&nbsp;Not sure where azule AD came up. All components are on F5 - different boxesSAML login -&gt; https://login.localOAUTH server -&gt; https://auth.localresource server -&gt; https://resource.localThe protected URLhttps://resource.local/protectedURL&nbsp;APM for VS that has https://resource.local protects the url with an OAuth client (VPE). then does the redirect. At this point the original URL is lost - its not part of the URL and it hasn't been saved as a URL.&nbsp;I guess because I have lots of landing places for OAUTH I can't use client id and post back.&nbsp;I notice a lot of other SSO's append the destiation URL to the url sohttps://resource.local/protectedURL&nbsp; would turn into https://resource.local/login/protectedURL&nbsp;and maybe https://auth.local/login/https://resource.local/protectedURL&nbsp;presumably with url encode.&nbsp;&nbsp;

nikoolayy1 · Answer

As I mentioned on my Azure AD intergration I do&nbsp; not see your issue, so this could be limited to your environment. Also for the cookie part there is really a lot of examples from F5 or in the commnity if you just search for them.
&nbsp;
Examples.&nbsp; It is for portal access but you may test it to see if it works for you as well as your issue indicates that you may need to do a lot of testing. You may need to access the session variable for the landing URL in&nbsp; with "ACCESS::session data gest", save it to a normal irule variable as to use it in later events like HTTP_RESPONSE or HTTP_RESPONSE_RELEASE (this is when the F5 generates the response but as it is not the case with you maybe using portal access HTTP_RESPONSE could be the right event for you).
&nbsp;
https://community.f5.com/t5/technical-forum/insert-custom-cookie-on-response-with-apm-portal-access-resource/td-p/227259
&nbsp;
https://clouddocs.f5.com/api/irules/HTTP__cookie.html
&nbsp;
You can trigger iRules in APM with an Agent but maybe this willl not be needed as when you want to add something to the the Response not Request then this means that the user should have passed the APM policy, but I am just sharing with you.
&nbsp;
https://clouddocs.f5.com/api/irules/ACCESS_POLICY_AGENT_EVENT.html
&nbsp;
&nbsp;
Outside of that&nbsp; I can't suggest anything else as I am not familiar with your network environment like you are as you can see that F5 generates HTTP 301/302 redirect to the client&nbsp; (you can see with HTTP debuging on the client https://support.f5.com/csp/article/K35932460 ) and maybe not the cookie but as mentioned in previous messages changing the HTTP redirect could help. That is what I can share and hopefully it helps you to investigate your issue.

Forum Discussion

F5 SSO - OAuth with SAML - how to preserve the original protect URL

7 Replies

Recent Discussions

Client certificate Authentication - open multiple tabs

google autenticator broken barcode

Chrome V 124+ on MacOS - Virtual Server Access Issue

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Port Group on F5OS network setting

Related Content

F5 Distributed Cloud Origin Server Subset Rules

Beyond REST: Protecting GraphQL

L7 DoS Protection with NGINX App Protect DoS

F5 Distributed Cloud Bot Defense Protecting AWS CloudFront Distributions

Managing NGINX App Protect WAF for Beginners