F5 configured SP initiated SAML Authentication causing multiple Redirects
F5 configured (source-ip based) to talk to 2 IBM HTTP Servers and webservers are loadbalancing using Traditional loadbalancing (Round-Robin) and routing requests to 8 JVMs of a Websphere ND Cluster. 2 Applications are deployed with context root /maximo and /saml/acs on the same cluster. When SAML Authentication is triggered via F5. We have 2 scenarios to take care F5 :- HTTPSOFFLOAD is enabled with end to end validation using HTTPS only 1. https://abc.com/maximo URL loads successfully. No issues in Authentication to SAML. When loaded follows below path 1) Incognito Browser(User) requests resource from Service Provider (SP). 2) SP Redirects (with SAML Request) to Identity Provider (microsoft-entra). 3) Since it is first login, User gives the (IdP) his/her valid credentials. 4) IdP then redirects Browser (with SAML Response which includes SAML token) to the SP page. 5) User receives the landing page. THIS IS WORKING 2. https://abc.com/maximo/ui/?event=loadapp&value=asset&changetab=viewtab&uniquid=123455 1) Incognito Browser(User) requests resource from Service Provider (SP). 2) SP Redirects (with SAML Request) to Identity Provider (microsoft-entra). 3) Since it is first login, User gives the (IdP) his/her valid credentials. 4) IdP then redirects Browser (with SAML Response which includes SAML token) to the SP page. 5) Cannot find the resource and SP Redirects (with SAML Request) to Identity Provider (microsoft-entra). 6) IdP then redirects Browser (with SAML Response which includes SAML token) to the SP page. 7) Cannot find the resource and SP Redirects (with SAML Request) to Identity Provider (microsoft-entra). Keeps redirecting multiple times and Finally timeout is hit and doesnot respond at all. It keeps redirecting when long URL is challenged. Do we need to have special irules to retain JSESSIONID state or WAS - I see this is an issue with respect to Cookie persistence
Redirect iRule differences...
We have a situation where we need to redirect users from one domain to another and had been using Method 1 ( shown below ) of redirection via iRule. It was recently brought to our attention by our web team that the way we were doing the redirects for one of their sites in particular was "really bad" for SEO and we ended up making them happy with doing it via Method 2 ( shown below ). While my team officially maintains our BIG-IP's, we are not network/web savvy and don't really understand the difference here. We have a new site that needs to be redirected and we are not sure which method to use. Would someone please explain in what cases you would use one over the other. Thanks. Method 1 when HTTP_REQUEST { if { [HTTP::host] eq "website1.com" } { HTTP::redirect https://websitesite2.com } } Method 2 when HTTP_REQUEST { if { ([string tolower [HTTP::host]] eq "website1.com")} { HTTP::respond 301 Location "http://website2.com" return } }iRule resulting in too many redirects
I have two requirements with my virtual server. 1. A redirect to /pc/service/SSOLogin 2. 24 hour persistence based on the JSESSIONID cookie in the request header. The first one was accomplished early on with a policy that redirects to location '/pc/service/SSOLogin' at request time. This has worked without any issues until I tried to implement the JSESSIONID persistence. To accomplish the second, I created an iRule to be used with the Universal persistence profile. When I implemented this persistence profile, the redirect policy no longer worked. My assumption was that the iRule and the policy were conflicting with each other. To resolve this, I created a single iRule to handle both of these requirements. Now, I am getting too many redirects. The iRule is below. when HTTP_RESPONSE { ## PERSISTENCE # If the JSESSIONID exists, we'll pass the cookie along if { [HTTP::cookie exists "JSESSIONID"] } { persist add uie [HTTP::cookie "JSESSIONID"] 86400 } } when HTTP_REQUEST { ## PERSISTENCE # If the JSESSIONID exists, we'll maintain that persistence if { [HTTP::cookie exists "JSESSIONID"] } { persist uie [HTTP::cookie "JSESSIONID"] } ## REDIRECT # This grabs the base url from the incoming request # For Example, https://my.site.com/some/path the base_url is set to https://my.site.com set base_url "https://[HTTP::host]" # Defining the new path set new_path "/pc/service/SSOLogin" # Construct the new URL # For example, https://my.site.com/pc/service/SSOLogin set new_url "$base_url$new_path" # Redirect to the new URL HTTP::redirect $new_url }
Missing Certificate after redirect
We have a requirement for any calls coming into https://abc.com to be redirected to Azure APIM https://apim-xyz.com/api A simple following rule has been setup in F5 for calls coming into https://abc.com when HTTP_REQUEST { HTTP::respond 307 Location "https://apim-xyz.com/api" } But the problem we are facing is with client certificate. After the redirect, the client certificate is no longer available and new URL "https://apim-xyz.com/api" is not able to validate the request. We have no control over the client. We can control F5, redirect and server. Any help would be greatly appreciated.F5 redirect
Hi! I have 2 F5s active standby cluster BIG-IP 16.1.3 build 0.0.12 and I have a VServer called: xyz.acme.com:443. It's public internet facing, with public cert imported as a server profile - works fine. Now I got a request to have this VServer under 2 urls: xyz.acme.com z.acme.com We did DNS alias - this works fine but I have cert only for the first one. The business does not want to buy another cert for the 2nd url if possible (let's encrypt, and other like this are out of the question). Is it possible to do redirect from z.acme.com to xyz.acme.com without buying new cert?
ProxyPass Appending "/" to URI 404 Error
Hey All, Need a bit of assistance here, thinking this should be an easy fix but I can't figure it out. Testing out the ProxyPass iRule so that when the end users enters a URL they get redirected but the URL remains the same from their perspective. ProxyPass is working but it's appending a "/" at the end of the URI and that path isn't on the server. Here are the debug logs: Mar 6 22:51:39 local/tmm info tmm[4929]: Rule devpasswordreset.environment.dev : devpasswordreset.environment.dev_443: 10.10.10.10:55759 -> 172.30.25.84:443 Mar 6 22:51:39 local/tmm info tmm[4929]: Rule devpasswordreset.environment.dev : VS=devpasswordreset.environment.dev_443, Host=devpasswordreset.environment.dev, URI=/: Found Rule, Client Host=devpasswordreset.environment.dev, Client Path=, Server Host=devpasswordreset.environment.dev, Server Path=/rdweb/pages/en-us/devpassword.aspx Mar 6 22:51:39 local/tmm info tmm[4929]: Rule devpasswordreset.environment.dev : VS=devpasswordreset.environment.dev_443, Host=devpasswordreset.environment.dev, URI=/: Using default pool devpasswordreset.environment.dev_80 Mar 6 22:51:39 local/tmm info tmm[4929]: Rule devpasswordreset.environment.dev : VS=devpasswordreset.environment.dev_443, Host=devpasswordreset.environment.dev, URI=/: New Host=devpasswordreset.environment.dev, New Path=/rdweb/pages/en-us/devpassword.aspx/ Mar 6 22:51:39 local/tmm info tmm[4929]: Rule devpasswordreset.environment.dev : VS=devpasswordreset.environment.dev_443, Host=devpasswordreset.environment.dev, URI=/: Removed Accept-Encoding header Mar 6 22:51:39 local/tmm info tmm[4929]: Rule devpasswordreset.environment.dev : VS=devpasswordreset.environment.dev_443, Host=devpasswordreset.environment.dev, URI=/: 404 response from devpasswordreset.environment.dev_80 172.30.26.98 80 Mar 6 22:51:39 local/tmm info tmm[4929]: Rule devpasswordreset.environment.dev : VS=devpasswordreset.environment.dev_443, Host=devpasswordreset.environment.dev, URI=/: $stream_expression_cmd: STREAM::expression "@devpasswordreset.environment.dev/rdweb/pages/en-us/devpassword.aspx@devpasswordreset.environment.dev@ @/rdweb/pages/en-us/devpassword.aspx@@", $stream_enable_cmd: STREAM::enable Mar 6 22:51:39 local/tmm info tmm[4929]: Rule devpasswordreset.environment.dev : VS=devpasswordreset.environment.dev_443, Host=devpasswordreset.environment.dev, URI=/: Successfully configured and enabled stream filter Mar 6 22:51:39 local/tmm info tmm[4929]: Rule devpasswordreset.environment.dev : VS=devpasswordreset.environment.dev_443, Host=devpasswordreset.environment.dev, URI=/: Checking Location=, $protocol= Mar 6 22:51:39 local/tmm info tmm[4929]: Rule devpasswordreset.environment.dev : VS=devpasswordreset.environment.dev_443, Host=devpasswordreset.environment.dev, URI=/: Checking Content-Location=, $protocol= Mar 6 22:51:39 local/tmm info tmm[4929]: Rule devpasswordreset.environment.dev : VS=devpasswordreset.environment.dev_443, Host=devpasswordreset.environment.dev, URI=/: Checking URI=, $protocol= Here's a packet capture of the server side: Is there anything I need to tweak to keep this from happening? Thanks, BrianSimple Logout redirect irule
I have some sites that I need to redirect to an external URL. I have figured that out with an irule when HTTP_REQUEST { HTTP::redirect "https://OTHERSITE.com[HTTP::uri]" } On the external sites there is a "logout" button and that needs to hit a static web page that I have set up on the BIG-IP. So if a user goes to www.example.com they get redirected to www.othersite.com. While on www.othersite.com if they click logout it sends them back to www.example.com/Logout.html. I setup an irule and applied it to the same virtual server above the first redirect iRule. My thought is that the "www.example.com/Logout.html" is a specific URL so if the F5 sees that then to redirect it to the apology page, but if it sees anything else to just send it to the "OTHERSITE.COM" url. I'm sure I'm missing something but here's my other irule. when HTTP_REQUEST { if { ([HTTP::host] equals "http://example.com/Logout.html") } { "/generic_apology_pic.jpg" { HTTP::respond 200 content [ifile get "generic_apology_pic.jpg"] } default { HTTP::respond 200 content [ifile get "generic_apology.htm"] } } } } I probably wrote this as confusing as possible, but very simply I need to redirect all traffic to www.example.com to www.othersite.com, unless it's going to www.example.com/Logout.html, at which point I need to display a page that is hosted on the F5. Thanks in advance, David301 Redirect Using Data Group External File
This should be easy...and I see some posts on it, but I can't seem to get it to work. We were given a list of hundreds of URL's that need 301 redirects. The host and URI in most cases is entirely different and unique so I can't just wildcard a redirect for everything to a single destination. example: https://oldsite.com/pdf/111 --> http://newsite.com/doc/222 https://oldsite.com/jpg/222 --> http://newsite.com/bmp/111 etc. I have all of the old site to new site mappings and I read another post that said I should create an external data group as a string that has := as the separator, so I have a datagroup called "testuri" and it looks like this: "; := "; And I have an irule that says: when HTTP_REQUEST { if {[set code_url [class match -value -- [string tolower [HTTP::host][HTTP::uri]] equals testuri]] ne ""}{ HTTP::respond [getfield code_url " " 1] Location [getfield code_url " " 2] } } ...but it doesn't work. In the end all I need is an irule that looks for the inbound request and if it's in the data group then returns the new value that it should be mapped to. This seems simple, but it's turning not to be as simple as I had hoped.
