
Bypassing the Webtop to directly access a Portal Access resource via URI

I am having an issue with accessing a Portal Access resource using a URI. I have set this up for other SAML resources before and it works flawlessly, however, when attempting it with a Portal Access resource, it only works if I do not have an open session. If I close the window and attempt to go back in, I get a connection error and have to wait for my current session to time out (or manually kill it). I need to be able to access the Portal Access resource anytime, whether I have a current session or not.

Here is the iRule I am using:

when ACCESS_POLICY_COMPLETED {
    if {[ACCESS::session data get "session.server.landinguri"] eq "/mydefineduri"} {
        log local0. "Policy Completed"
        switch -glob [ACCESS::session data get session.server.network.name] {
            "myproductionAPMPolicy.com" {
                ACCESS::respond 302 Location "/f5-w-687474703a2f2f31302e312e332e36$$"
            }
        }
    }
}
0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Are you basically trying to always force a redirect when the host is myproductionAPMPolicy.com and uri is /mydefineduri?

One thing to note is that the ACCESS_POLICY_COMPLETED event is only executed at the end of the access policy, which happens once during a session. This would explain why you only see the redirect initially and not on any subsequent requests.

If you want to always check for that pre-defined uri (and/or host), you can also use the HTTP_REQUEST event. Something like this:

when HTTP_REQUEST {
    switch -glob [string tolower "[HTTP::host][HTTP::uri]"] {
        "myproductionapmpolicy.com/mydefineduri*" {
            HTTP::respond 302 Location "/f5-w-687474703a2f2f31302e312e332e36$$"
            # You could use this instead too: HTTP::redirect "/f5-w-687474703a2f2f31302e312e332e36$$"

            # If you have other iRules on this VIP that use HTTP::respond or HTTP::redirect, you may need a couple additional commands to mitigate a multiple redirects error.
            return
        }
    }
}

If you only want to perform the redirect after a session has been successfully completed, you might add a conditional before the switch to check for that. Something like this:

if {[ACCESS::policy result] eq "allow"} {
    # Processing code here
}

Hope this helps.

0
Comments on this Answer
Comment made 22-Jul-2016 by mike.drennen 268

Thanks Michael, that was exactly what I needed. Just for reference and hopefully help someone else, here's what my iRule ended up as:

when HTTP_REQUEST {
    if {[HTTP::uri] eq "/definedURI"} {
        switch -glob [string tolower "[HTTP::host][HTTP::uri]"] {
            "productionAPM.com/definedURI*" {
                HTTP::respond 302 Location "/f5-w-687474703a2f2f31302e312e332e36$$"
                return
            }
        }
    }
}
0
Comment made 22-Jul-2016 by Michael Jenkins 4171

One thing to note: since the switch is doing a [string tolower], make sure all your checks are lowercase as well or you'll be beating your head on the wall wondering why it's not working (spoken from much experience).

If you had a bunch of redirects to do, I'd recommend looking into using a datagroup instead. Simplifies the iRule and allows easier management of the conditions.

1
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

One bug I have run into with this solution is that if there is not currently a session for the user, this rule will stop at the webtop. If there is a session (or once a session is created) it works every time.

0
Comments on this Answer
Comment made 28-Jul-2016 by Michael Jenkins 4171

Yea, I've noticed that in the past. An encoded URL doesn't seem to work properly without an APM session. The way I get around that is by decoding the URL (see Kevin's answer to this question for an example), saving it to a session variable and then redirecting the user after they log in (sounds a lot easier than it is :/)

0
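The `/f5-w-...$$` redirect target used throughout this thread is hex text, and decoding it, as the comment above mentions, shows which backend a hard-coded redirect actually points at. The following is an added example, not code from the thread or from F5: it assumes the hex run is the ASCII encoding of the backend `scheme://host[:port]`, and the function names and the allowlist are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Shape taken from the redirect target quoted in the thread: /f5-w-<hex>$$<path>
PORTAL_RE = re.compile(r"^/f5-w-((?:[0-9a-fA-F]{2})+)\$\$(/.*)?$")

def decode_portal_uri(uri):
    """Return (backend_origin, path), or None if uri is not of that shape."""
    m = PORTAL_RE.match(uri)
    if m is None:
        return None
    try:
        origin = bytes.fromhex(m.group(1)).decode("ascii")
        parts = urlsplit(origin)
    except ValueError:  # non-ASCII bytes or a malformed authority
        return None
    # Assumption: the hex carries only scheme://host[:port], nothing else.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    return origin, m.group(2) or ""

def encode_portal_uri(origin, path=""):
    """Inverse of decode_portal_uri, for building test values."""
    return "/f5-w-" + origin.encode("ascii").hex() + "$$" + path

def audit_redirects(targets, allowed_origins):
    """Label each Location value so hard-coded backends can be reviewed."""
    report = []
    for target in targets:
        decoded = decode_portal_uri(target)
        if decoded is None:
            report.append((target, None, "not a portal URI"))
        elif decoded[0] not in allowed_origins:
            report.append((target, decoded[0], "unexpected backend"))
        else:
            report.append((target, decoded[0], "ok"))
    return report

if __name__ == "__main__":
    # First value is the one in the thread; the other two are constructed.
    sample = [
        "/f5-w-687474703a2f2f31302e312e332e36$$",
        encode_portal_uri("http://192.0.2.10", "/app"),
        "/mydefineduri",
    ]
    for row in audit_redirects(sample, {"http://10.1.3.6"}):
        print(row)
```

Run over the `Location` values pulled from a set of iRules, this flags any redirect whose decoded backend is outside the set you expect to publish through Portal Access.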
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Mike, I am trying to bypass the webtop for a SAML Resource. You mentioned you have done that many times... Can you please help me with that?

0