websphere
3 Topics

F5 configured SP initiated SAML Authentication causing multiple Redirects
F5 is configured (source-ip based) to talk to 2 IBM HTTP Servers, and the webservers are loadbalancing using Traditional loadbalancing (Round-Robin) and routing requests to 8 JVMs of a Websphere ND Cluster. 2 Applications are deployed with context root /maximo and /saml/acs on the same cluster. When SAML Authentication is triggered via F5, we have 2 scenarios to take care of.

F5: HTTPSOFFLOAD is enabled with end to end validation using HTTPS only.

1. https://abc.com/maximo
   URL loads successfully. No issues in Authentication to SAML. When loaded, it follows the path below:
   1) Incognito Browser (User) requests resource from Service Provider (SP).
   2) SP Redirects (with SAML Request) to Identity Provider (microsoft-entra).
   3) Since it is first login, User gives the (IdP) his/her valid credentials.
   4) IdP then redirects Browser (with SAML Response which includes SAML token) to the SP page.
   5) User receives the landing page.
   THIS IS WORKING

2. https://abc.com/maximo/ui/?event=loadapp&value=asset&changetab=viewtab&uniquid=123455
   1) Incognito Browser (User) requests resource from Service Provider (SP).
   2) SP Redirects (with SAML Request) to Identity Provider (microsoft-entra).
   3) Since it is first login, User gives the (IdP) his/her valid credentials.
   4) IdP then redirects Browser (with SAML Response which includes SAML token) to the SP page.
   5) Cannot find the resource and SP Redirects (with SAML Request) to Identity Provider (microsoft-entra).
   6) IdP then redirects Browser (with SAML Response which includes SAML token) to the SP page.
   7) Cannot find the resource and SP Redirects (with SAML Request) to Identity Provider (microsoft-entra).
   It keeps redirecting multiple times, and finally the timeout is hit and it does not respond at all.

It keeps redirecting when a long URL is challenged. Do we need to have special irules to retain JSESSIONID state or WAS - I see this is an issue with respect to Cookie persistence

211 Views, 0 likes, 13 Comments

Multiple jsessionid cookies on VS
Hi all,

We are in the process of replacing our IBM webseal by F5. Basically we have multiple Websphere containers behind our F5 with APM. We use one landing VS where we check uri, ACL, some custom logic in irule and then forward the client accordingly. If all is OK we will send them to the correct vs.

Current setup is:

    client > F5 > VS-to-cherry-pick-APM-enabled > VS > node-1 (websphere) [jsessionid-1]
                                                > VS > node-2 (websphere) [jsessionid-2]
                                                > VS > node-n (websphere) [jsessionid-n]

All these containers rely on their own JSESSIONID cookie for session management. In order to differentiate these cookies between the containers the webseal uses a cookiejar. With this it can differentiate the inserted cookie based on container selected (see square brackets in example above).

Is there a similar technology available on F5 or is this something that should be coded in an irule?

Thanks in advance,
Joren

540 Views, 0 likes, 3 Comments

How to use literals starting with "$" in iRule
Hi,

I need to pass client certificate to WebSphere so the application can perform SSL based authentication. I am following this article: https://support.f5.com/csp/article/K95338243

However, in WebSphere App Server the header for client certificate is $WSCC. But if I code the iRule like this:

    when HTTP_REQUEST {
        HTTP::header insert $WSCC [b64encode [SSL::cert 0]]
    }

$WSCC is treated as a variable WCSS and the rule is broken.

How do I get around this issue?

Thanks
Genna

435 Views, 0 likes, 2 Comments