Forum Discussion
Redirect/Rewrite to Same Host URL different Host with App AD FS Authentication
Interesting issue. I would put in a support case with Microsoft, and find out how we can 'trick' it or rather 'make it work'. At that point, we can figure out how to perform trickery in terms of a) redirection, b) rewriting, c) header manipulation, d) cookie modification, e) different cert selection, etc. or anything else that is needed. I usually approach such a problem as 'what do we need to do to make it work'. Then I decide if it is possible to hack it with the F5 and the tools at my disposal, or do I fling my hands in the air and tell the application team 'unsupported, you figure it out'.
In your case, we need to understand what ADFS is unhappy about.
Thanks whisperer, so it's basically fixing what any federated identity provider would perceive as a "man-in-the-middle" attack. However, in this case, it is "an approved" [known] and intended workflow.
So, when we go from https://myapp.site.com/login to F5 to https://identityProvider.site.com/ (only knows myapp.apps.site.com at this point) to https://myapp.site.com the token no longer matches because myapp.apps.site.com was the referrer.
Hopefully that clarifies the problem domain a bit more.