
Multiple SAML SP access profile MRH cookie issue

Marvin
Cirrostratus

Dear all,

 

I am trying to configure the F5 BIG-IP as both SP and IDP using separate access profiles configured on scope level profile (isolated). The IDP will then assure the SSO across all the SP applications. This is already working in version 15.1.3, but in version 16.0/16.1 the MRH cookie behavior seems to have changed.


All SPs share the same parent domain. The difference between 15.1 and 16 is the following:

 

In version 15.1, a specific cookie is created for each domain name and F5 does not include the domain option in the response. On the client side we see specific cookie entries for the complete domain with the respective MRH cookie.

When connecting to /my.policy, the F5 responds with the MRH session cookie without a domain, so the browser saves it under the specific host name / domain.

 

In version 16, APM is responding with a wildcard domain *.example.com. This results in issues when connecting to the same domain, for example idp.example.com: the client sends the old MRH cookie and APM sessions are restarted/deleted.

 

Is there a fix so that the per-specific-domain cookie can be maintained when using SAML auth in access profiles? Perhaps an iRule that will remove the domain in the response?

2 REPLIES

Marvin
Cirrostratus

A good comparison is domain cookie (domain in cookie response in v16) vs host cookie (full host name in v15.1, no domain specified).

 

https://medium.com/datamindedbe/a-summary-of-cookies-645beed9fd9

 

Host-only cookies match domains that exactly correspond with the domain attribute of the cookie. When setting cookies server-side, host-only is the default in the sense that cookies are host-only unless you specify a cookie’s Domain-attribute; the domain of such cookies is derived from the Host request header. (Typically the behavior in version 15.1 and not in 16.)

It seems that if the access profile was configured with the domain value in SSO and this was later removed, it will still be working on domain level (*.example.com). To solve this, remove the access profile and recreate it; then by default it is a host cookie (weird but true).
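
Added example (not part of the original posts and not F5 code): a minimal Python model of RFC 6265 cookie storage that shows why a session cookie set with a Domain attribute by one access profile is also sent to idp.example.com, while host-only cookies stay separate per host. The host sp1.example.com and the session values are constructed, and MRHSession is assumed as the cookie name.

```python
from http.cookies import SimpleCookie

def domain_match(host, domain):
    """RFC 6265 section 5.1.3: exact match or a dot-separated suffix."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)

class Jar:
    """Minimal browser cookie store keyed by (name, domain, path)."""
    def __init__(self):
        self.cookies = {}

    def store(self, request_host, set_cookie):
        parsed = SimpleCookie()
        parsed.load(set_cookie)
        for name, morsel in parsed.items():
            domain = morsel["domain"].lstrip(".").lower()
            host_only = not domain           # no Domain attribute: host-only
            if host_only:
                domain = request_host.lower()
            elif not domain_match(request_host, domain):
                continue                     # server may not set a foreign domain
            key = (name, domain, morsel["path"] or "/")
            self.cookies[key] = (morsel.value, host_only)

    def sent_to(self, host):
        sent = {}
        for (name, domain, _), (value, host_only) in self.cookies.items():
            if host.lower() == domain or (not host_only and domain_match(host, domain)):
                sent[name] = value
        return sent

def simulate(domain_attr):
    """Two profiles each issue a session cookie; return what each host gets back."""
    suffix = f"; Domain={domain_attr}" if domain_attr else ""
    jar = Jar()
    # Constructed Set-Cookie headers; MRHSession is the assumed cookie name.
    jar.store("idp.example.com", f"MRHSession=idp-session; Path=/; Secure{suffix}")
    jar.store("sp1.example.com", f"MRHSession=sp1-session; Path=/; Secure{suffix}")
    return jar.sent_to("idp.example.com"), jar.sent_to("sp1.example.com")

if __name__ == "__main__":
    print("host-only  :", simulate(None))
    print("domain-wide:", simulate(".example.com"))
```

With the Domain attribute present, both responses write to the same jar entry, so the later cookie replaces the earlier one and the IdP host receives a session value it did not issue.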