cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.

Persist to same server from two different sources

DanielA0501
Nimbostratus
Nimbostratus

Greetings

The scenario that we are facing is that we have a user going through a portal, that when they click on a certain tab, it intiates a SAML authentication.  The SAML server then reaches out to the pool (using URL1), which is listening on all ports, on port 4243 and generates a ticket for the user, which is appended to the URI.  This is done on the backend and not apparent to the user.  The initial response is sent back to the SAML server, which then sends a redirect URL to the user with a different URL (URL2) and a unique URI appended to it.  The user then is sent to the pool on port 443, but needs to hit the same servers in the pool that the SAML server hit on port 4243 in order to validate the ticket to grant user access.  Please note that URL1 and URL2 use the same pool.

If the user hits a different server in the pool than the one that generated the ticket, then it will give an error because the second server does not know what that ticket represents.

Therefore, we are looking to pass persistence from the SAML server to the user.  We have an iRule to insert cookie persistence, and have asked the developers to pass that cookie along, but not sure if we need to add an iRule to look for that persistence cookie to use it.

Also, to complicate things further, this is set up in a shared VIP environment where all traffic is passed to the pools based on host headers.

 

1 REPLY 1

Hello DanielA0501.

You can use a simple persistence method combined with the "match across" option.

https://support.f5.com/csp/article/K5837

 

Regards,
Dario.