APM redirect to /my.policy stripping POST data

Question

I have a condition where an unauthenticated user sends a POST request to a F5 virtual server running Access Policy. As part of the authentication process, the F5 redirects the original POST to /my.policy which, in turn, responds with HTML that contains a

tjp · Answer

Some of the question was truncated.

The question was:

I have a condition where an unauthenticated user sends a POST request to a F5 virtual server running Access Policy. As part of the authentication process, the F5 redirects the original POST to /my.policy which, in turn, responds with HTML that contains a HTML form that gets automatically submitted requesting the original content. This time without the POST data! Has anyone encountered this?

max_q_factor · Answer

That is a feature. Lots of people have issues like that with SAML and APM.&nbsp;

andy_turner · Answer

I have this exact same issue with our Shibboleth IdP. The SAMLRequest is in the POST data section of the HTTP request prior to redirect and log in to APM. After log in to APM, it's gone.

Users who already have an APM session prior to visiting the SAML protected site get in fine since the POST data is never stripped.

Has anyone managed to fix this or found a workaround that still uses the POST data e.g. capturing it pre APM page and injecting it back in afterwards?

I've just raised a support call anyway to try and get a resolution.

thi · Answer

When an unauthenticated user is requesting a page protected by APM, say GET / , then APM sets up a session (sets session cookies etc) and does a 302 redirect to /my.policy, where the interactive authentication occurs. After successful authentication there is another 302 redirect to the requested page or whatever is in the APM Policy flow. Now in this scenario, if the user initially sends a POST request with form data (in the payload), the initial 302 redirect does not preserve it. &nbsp;
Losing POST data is normal behaviour for 302 redirects, 302 also changes the http method to GET. A 307 redirect would preserve method and the POST data. I believe the 302 redirect is built in by design for the interactive authentication.&nbsp;
There is a way to avoid the 302 redirects using clientless-mode header in the request. But this is typically used with a non-browser client like a client application. There the request needs to have clientless-mode: 1 header. I believe the authentication needs to be done by other than interactive means in this case. I have only used 401 to invoke the client to send the credentials in Authorization header to APM in clientless mode. The credentials are stored in session variables for further use towards the server if needed, like in normal interactive authentication.&nbsp;

vinne73_96575 · Answer

Andy, did you get any answer to your support call?&nbsp;
Same problem here: initial POST to an unauthenticated user, and all POST data is lost forever.&nbsp;

Forum Discussion

APM redirect to /my.policy stripping POST data

8 Replies

Recent Discussions

F5 loadbalancer not working

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

import live updates from version x to version y

Related Content

Anchor Link Redirect

url redirect

APM login process /my.policy

iRule redirection

Rewriting Redirects