Problem with stream iRule and SAML idp redirect

Question

Running into following issue here. We have a sharepoint site with web servers listening on some high port and using internal hostname. On the SharePoint virtual server I am applying fallowing iRule to do the html parsing and host header translation:
    when HTTP_REQUEST_RELEASE {

Disable the stream filter for all requests by default
   STREAM::disable

LTM does not uncompress response content, so if the server has compression enabled
    and it cannot be disabled on the server, we can prevent the server from 
    sending a compressed response by removing the compression offerings from the client
   HTTP::header remove "Accept-Encoding"

if {[info exists stream_expr]}{ unset stream_expr }
         This we want replace 
        set stream_expr "@http://sharepoint.something.somedomain.root:14775@https://sharepoint.somedomain.com@"
         make sure we have a var to crosscheck before we enable the rewrite in the response
        set SPresponse 1
        }
    when HTTP_RESPONSE {                                                                                                         nable the rewrite to fix the hostnames                                                                                                if {[info exists SPresponse]}{

Check if response type is ...
   if {[HTTP::header value Content-Type] contains "application/json" || [HTTP::header value Content-Type] contains "text/html" || [HTTP::header value Content-Type] contains "text/xml"} {

if {[info exists stream_expr]} { 
         STREAM::expression $stream_expr 
         STREAM::enable}}}}

When SP initiated, SAML IDP process request and redirect me back to my SharePoint Site. However, it seems like before the redirect from IDP gets processed by SAML SP, it gets translated by the irule and SAML authentication process never comes to the completion resulting in 404. When iRule is not being applied it seems like SAML authentication comes to completion but of course the site would not work. 
Any idea how to work around this issue.

andrew_4752 · Accepted Answer

Hi Alex,
For for the VIP targeting VIP solution to get around APM-Stream Profile conflicts, below is a basic view of what the config would look like:
ltm virtual vs_external {
destination 1.1.1.1:443
ip-protocol tcp
mask 255.255.255.255
profiles {
    clientssl_profile {
        context clientside
    }
    stream_profile { }
    http { }
    tcp { }
}
rules {
    forward_internal_virtual
    saml_stream_expression
  }
}
ltm virtual vs_internal {
destination 2.2.2.2:80
enabled
ip-protocol tcp
mask 255.255.255.255
profiles {
    example_accesspolicy { }
    http { }
    rba { }
    tcp { }
    websso { }
}
}
ltm rule forward_internal_virtual {
when HTTP_REQUEST {
virtual vs_internal
}
}

ap · Answer

Hi Alex,

So, does this same Virtual Server that you have applied the above iRule to also have an APM Policy with an SP Resource (SAML Auth)?

A few points in the meantime, although I can't say that they will solve your issue. The 404 error sounds like your requesting an invalid resource/uri. Have you performed any captures?

I notice you're using HTTP_REQUEST_RELEASE. I think you also need to use HTTP_RESPONSE_RELEASE with APM instead of HTTP_RESPONSE.

I've had varying results when using Stream Profiles on Virtual Servers with APM as a SAML IDP or SP. Have you noticed any errors in the logs? In those cases I had to create an external VS with the Stream Profile and target another VS with the APM Policy.

ap · Answer

Sorry for the blob of text, seems comments don't get the same formatting tools as Answers...

kai_wilke · Answer

Hi Alex,
Don't know if this fixes your problem, but you should keep in mind that [STREAM::enable] translates HTTP responses and HTTP requests. So if you don't require HTTP request stream replacements, then better move STREAM::disable into HTTP_REQUEST event. Otherwise it may have unintentional side effects on post data...
when HTTP_REQUEST {
    STREAM::disable
}

In addition, you could use a HTTP-Compression profile instead of the HTTP::header remove "Accept-Encoding" command. This would allow you to still remove the Accept-Encoding header on the server side (its a default setting) but without losing client side compression.
Cheers, Kai

alex100_194614 · Answer

In LTM log I am seen this:
TCL error: /Common/irulename_link_rewrite  - Operation not supported (line 1)     invoked from within "STREAM::disable"
 In APM Log:
Mar  3 18:06:59 QC-BIGIP-03 err apd[12434]: 01490000:3: HTTPParser.cpp func: "readFromSocket()" line: 209 Msg: error while reading from socket Connection reset by peer

Mar  3 18:06:59 QC-BIGIP-03 err apd[12434]: 01490000:3: AccessPolicyD.cpp func: "process_request()" line: 765 Msg: EXCEPTION AccessPolicyD.cpp line:676  function: process_request - error 2 reading/parsing response from socket
Mar  3 18:06:59 QC-BIGIP-03 debug apd[12434]: 01490000:7: AccessPolicyD.cpp func: "sendAccessPolicyResponse()" line: 1835 Msg: send 'error' code
Mar  3 18:06:59 QC-BIGIP-03 err apd[12434]: 01490085:3: : Response could not be sent to remote client. Socket error: Broken pipe
Mar  3 18:06:59 QC-BIGIP-03 debug apd[12434]: 01490000:7: AccessPolicyD.cpp func: "process_request()" line: 776 Msg:   ** done with the request processing **
Mar  3 18:06:59 QC-BIGIP-03 warning tmm[16831]: 01490531:4: d3ae9f1d: Detected invalid host header ().
Mar  3 18:06:59 QC-BIGIP-03 notice tmm[16831]: 01490501:5: d3ae9f1d: Session deleted due to user logout request.

If I remove the APM policy the iRule doesn't seem to triger anything in the log and it works. 
Also it seems that changing HTTP_RESPONSE to HTTP_RESPONSE_RELEASE breaks the irule in my case...

I wonder if there is a way to exclude a specific uri from being translated...

I am new to stream profile. Thanks for the help..

ap · Answer

Hi Alex,
That error is what I also experienced and should be caused by a conflict with APM's use of Stream under the hood. You can try the VIP targeting VIP solution I mentioned earlier. I'll put together an example VS config for you shortly.

Forum Discussion

Problem with stream iRule and SAML idp redirect

11 Replies

Recent Discussions

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

Related Content

Setting up F5 Telemetry Streaming with Splunk Cloud

Secure your gRPC Bidirectional Streaming APIs with F5 NGINX

Anchor Link Redirect

Automation Toolchain - Telemetry Streaming - Grafana StatsD Graphite

Redirect iRule problem