Forum Discussion

jclark53_145678
Feb 27, 2014

Pass variable through policy using iRule

We are setting up a relatively standard f5 deployment using SAML for SSO. Aside from a standard username/password logon, there are situations where users may click a link that points directly to a piece of content within the target resource. These users may not have a session started at the f5, but they should be prompted for credentials and then forwarded to the requested resource. Before SAML is applied to the policy (apparently this cannot be done without using a webtop), this works fine, but as soon as SAML is applied, the original requested URL is lost since SAML is set up to forward to a specific path to validate the assertion from the IdP. What we need is to pass a variable through the login process that contains the ID of the content, so:


https://example.com/consume.aspx?contentid=1234 gets truncated when /my.policy is applied at the login screen but needs to be preserved and passed through to the SP.


The contentid value will change, so how can the original URL be preserved, parsed and the contentid be included as a SAML attribute?


4 Replies

  • Is https://example.com/consume.aspx?contentid=1234 your web application or a service provider?


    You'll have to check the code because I'm new to iRules as well, but I have been playing around for a couple of days and this is what I have gleaned. Some of the code came from the following pages:
    https://devcentral.f5.com/wiki/iRules.APM.ashx
    https://devcentral.f5.com/wiki/iRules.ACCESS_SESSION_STARTED.ashx
    https://devcentral.f5.com/wiki/iRules.HTTP.ashx
    Just a sample below; also there's another article on using:

        when ACCESS_SESSION_STARTED {
            ACCESS::session data set session.custom.uriValue "[HTTP::uri]"
            # The double quotes might not be needed
            # Also you have to check how to get the right URI
        }


  • https://example.com/consume.aspx is the AssertionConsumerService but is also the app/relying party. The app then logs the user in unless contentid exists, in which case it should forward directly to that contentid (usually a document or video) without completely logging them in (but this occurs in the target application). The tricky part is getting the value into the response assertion if the custom session variable is set in an iRule. If I were to use a cookie would this work?:

    when RULE_INIT {
        # Name of the cookie that will carry the requested content id
        set static::cookie_name "contentid"
    }
    when ACCESS_SESSION_STARTED {
        # Pull only the contentid value out of the query string
        # ([HTTP::query] on its own returns the whole "contentid=1234")
        set c_id [URI::query [HTTP::uri] contentid]

        if { $c_id ne "" } {
            # Adds the cookie to the HTTP message currently being processed
            HTTP::cookie insert name $static::cookie_name value $c_id
        } else {
            HTTP::cookie remove $static::cookie_name
        }
    }
    
    • jclark53_145678
      This doesn't seem to be working. The webtop seems to truncate everything after ? in the URL and I don't see a cookie being set. Is ACCESS_SESSION_STARTED the correct event to write the cookie?
  • The solution for this was to assign the [HTTP::uri] to a custom session var in the ACCESS_SESSION_STARTED event. Because SAML POSTs the SAMLResponse to the consumer service URL, this session var must be passed through the assertion, and this can be done by adding a name/value pair to the SAML Assertion attributes referencing the custom session var.
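An added example of the approach described in this reply (example code, not from the thread or from F5): it captures the landing URI in ACCESS_SESSION_STARTED, parses the contentid out with URI::query, and stores only a well-formed numeric id in a custom session variable, so a crafted query string never reaches the assertion attribute. The variable names session.custom.orig_uri and session.custom.contentid, and the %{session.custom.contentid} reference in the IdP attribute configuration, are assumptions.

```tcl
# Added example, not from the thread. Session variable names are assumptions.
when ACCESS_SESSION_STARTED {
    # The URI the user actually asked for, captured before APM redirects
    # the browser to /my.policy and the query string is lost
    set orig_uri [HTTP::uri]
    ACCESS::session data set session.custom.orig_uri $orig_uri

    # Extract just the contentid value from the query string
    set content_id [URI::query $orig_uri contentid]

    # Only a plain numeric id is allowed into the session (and from there
    # into the SAML attribute); anything else is treated as absent
    if { [string is digit -strict $content_id] } {
        ACCESS::session data set session.custom.contentid $content_id
    } else {
        ACCESS::session data set session.custom.contentid ""
        if { $content_id ne "" } {
            # Do not echo the rejected value into the log
            log local0. "Rejected non-numeric contentid on [HTTP::path]"
        }
    }
}

# The SAML IdP attribute itself is configured in the APM SAML IdP service,
# not in the iRule, and would reference the variable as
# %{session.custom.contentid} (assumed syntax).
```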