Forum Discussion

jitu
Jul 05, 2017

F5 APM: a specific (not all) SAML SP-initiated connection fails with an iRule execution error and TCP reset, F5 version 12.1.2 HF1

We have a problem with a specific SP-initiated SAML request: iRule execution fails.

 

Problem details

 

We have F5 APM set up as an IDP: a single IDP with multiple SPs. One specific SP-initiated connection is being reset by the SAML IDP iRule, but all the other SAML SP-initiated connections work fine with the iRule execution. The SAML IDP iRule is defined for IDP-initiated connections and is applied to the SAML VIP. The TCL error captured when the specific SAML request fails:

 

Jun 22 12:39:38 slot1/FDYEXLB01 err tmm1[22774]: 01220001:3: TCL error: /Common/SAML_IDP_rule - Illegal argument (line 1) (line 1) invoked from within "ACCESS::policy result"
Jun 22 12:39:38 slot1/FDYEXLB01 err tmm[22774]: 01220001:3: TCL error: /Common/SAML_IDP_rule - Illegal argument (line 1) (line 1) invoked from within "ACCESS::policy result"
Jun 22 12:39:39 slot1/FDYEXLB01 err tmm1[22774]: 01220001:3: TCL error: /Common/SAML_IDP_rule - Illegal argument (line 1) (line 1) invoked from within "ACCESS::policy result"
Jun 22 12:39:39 slot1/FDYEXLB01 err tmm3[22774]: 01220001:3: TCL error: /Common/SAML_IDP_rule - Illegal argument (line 1) (line 1) invoked from within "ACCESS::policy result"

 

9 Replies

  • jitu

    Hi Daniel, thanks for looking into this. Below is the iRule applied.

    when RULE_INIT {
        # Change to "1" to enable debugging log statements, 0 to disable
        set static::debug_IDP 1
    }

    # HTTP Request used to provide IdP Initiated SAML for users that have logged in
    when HTTP_REQUEST priority 30 {
        log local0. "HTTP Path= [HTTP::path]"
        log local0. "Access policy result= [ACCESS::policy result]"
        if { "[ACCESS::policy result]" eq "allow" } {
            switch -glob [string tolower [HTTP::path]] {
                "/staples*" {
                    if { $static::debug_IDP } { log local0. "HTTP_REQUEST: Setting SAML start uri to staples" }
                    HTTP::respond 302 Location "/saml/idp/res?id=/Common/Staples_IDP"
                    return
                }
                "/concur*" {
                    if { $static::debug_IDP } { log local0. "HTTP_REQUEST: Setting SAML start uri to concur" }
                    HTTP::respond 302 Location "/saml/idp/res?id=/Common/Concur_IDP"
                    return
                }
                "/healthfitness*" {
                    if { $static::debug_IDP } { log local0. "HTTP_REQUEST: Setting SAML start uri to healthfitness" }
                    HTTP::respond 302 Location "/saml/idp/res?id=/Common/HealthFitness_IDP"
                    return
                }
            }
        }
    }

    # ACCESS Policy Response used to provide IdP Initiated SAML for users that have not logged in yet
    when ACCESS_POLICY_COMPLETED priority 30 {
        switch -glob [string tolower [ACCESS::session data get session.server.landinguri]] {
            "/staples*" {
                if { $static::debug_IDP } { log local0. "ACCESS_POLICY_COMPLETED: Setting SAML start uri to staples" }
                ACCESS::respond 302 Location "/saml/idp/res?id=/Common/Staples_IDP"
                return
            }
            "/concur*" {
                if { $static::debug_IDP } { log local0. "ACCESS_POLICY_COMPLETED: Setting SAML start uri to concur" }
                ACCESS::respond 302 Location "/saml/idp/res?id=/Common/Concur_IDP"
                return
            }
            "/healthfitness*" {
                if { $static::debug_IDP } { log local0. "ACCESS_POLICY_COMPLETED: Setting SAML start uri to healthfitness" }
                ACCESS::respond 302 Location "/saml/idp/res?id=/Common/HealthFitness_IDP"
                return
            }
        }
    }

  • Hi, this can cause you problems:

    when HTTP_REQUEST priority 30 {
        log local0. "HTTP Path= [HTTP::path]"
        log local0. "Access policy result= [ACCESS::policy result]"
    >>>>>>  if { "[ACCESS::policy result]" eq "allow" }

    You should specify the session ID from the MRHSession cookie when using ACCESS commands in HTTP_REQUEST events (in general, outside of ACCESS events); otherwise you will get an error. Another option is to do the same validation within ACCESS_ACL_ALLOWED, as it takes by default the session ID evaluated in that request.

    I use this command more: ACCESS::session exists -state_{allow|deny|redirect|inprogress} -sid

  • jitu

    Hi Daniel,

    I have tried the iRule below, but it throws an error when trying to initiate a session, both IDP-initiated and SP-initiated.

    when RULE_INIT {
        # Change to "1" to enable debugging log statements, 0 to disable
        set static::debug_IDP 1
    }

    # HTTP Request used to provide IdP Initiated SAML for users that have logged in
    when HTTP_REQUEST priority 30 {
        if { "[ACCESS::session exists -{state_allow|-state_deny|-state_redirect|-state_inprogress} -sid]" } {
            switch -glob [string tolower [HTTP::path]] {
                "/staples*" {
                    if { $static::debug_IDP } { log local0. "HTTP_REQUEST: Setting SAML start uri to staples" }
                    HTTP::respond 302 Location "/saml/idp/res?id=/Common/Staples_IDP"
                    return
                }
                "/concur*" {
                    if { $static::debug_IDP } { log local0. "HTTP_REQUEST: Setting SAML start uri to concur" }
                    HTTP::respond 302 Location "/saml/idp/res?id=/Common/Concur_IDP"
                    return
                }
                "/healthfitness*" {
                    if { $static::debug_IDP } { log local0. "HTTP_REQUEST: Setting SAML start uri to healthfitness" }
                    HTTP::respond 302 Location "/saml/idp/res?id=/Common/HealthFitness_IDP"
                    return
                }
            }
        }
    }

    # ACCESS Policy Response used to provide IdP Initiated SAML for users that have not logged in yet
    when ACCESS_POLICY_COMPLETED priority 30 {
        switch -glob [string tolower [ACCESS::session data get session.server.landinguri]] {
            "/staples*" {
                if { $static::debug_IDP } { log local0. "ACCESS_POLICY_COMPLETED: Setting SAML start uri to staples" }
                ACCESS::respond 302 Location "/saml/idp/res?id=/Common/Staples_IDP"
                return
            }
            "/concur*" {
                if { $static::debug_IDP } { log local0. "ACCESS_POLICY_COMPLETED: Setting SAML start uri to concur" }
                ACCESS::respond 302 Location "/saml/idp/res?id=/Common/Concur_IDP"
                return
            }
            "/healthfitness*" {
                if { $static::debug_IDP } { log local0. "ACCESS_POLICY_COMPLETED: Setting SAML start uri to healthfitness" }
                ACCESS::respond 302 Location "/saml/idp/res?id=/Common/HealthFitness_IDP"
                return
            }
        }
    }

    Error:

    Jul 6 08:44:51 slot1/FDYEXLB01 err tmm[22774]: 01220001:3: TCL error: /Common/SAML_IDP_V4 - wrong args: should be "ACCESS::session exists [ -state_allow | -state_deny | -state_redirect | -state_inprogress ] [[-sid] ] " while executing "ACCESS::session exists -{state_allow|-state_deny|-state_redirect|-state_inprogress} -sid"
    Jul 6 08:44:51 slot1/FDYEXLB01 err tmm[22774]: 01220001:3: TCL error: /Common/SAML_IDP_V4 - wrong args: should be "ACCESS::session exists [ -state_allow | -state_deny | -state_redirect | -state_inprogress ] [[-sid] ] " while executing "ACCESS::session exists -{state_allow|-state_deny|-state_redirect|-state_inprogress} -sid"
    Jul 6 08:44:51 slot1/FDYEXLB01 err tmm[22774]: 01220001:3: TCL error: /Common/SAML_IDP_V4 - wrong args: should be "ACCESS::session exists [ -state_allow | -state_deny | -state_redirect | -state_inprogress ] [[-sid] ] " while executing "ACCESS::session exists -{state_allow|-state_deny|-state_redirect|-state_inprogress} -sid"
    Jul 6 08:44:51 slot1/FDYEXLB01 err tmm1[22774]: 01220001:3: TCL error: /Common/SAML_IDP_V4 - wrong args: should be "ACCESS::session exists [ -state_allow | -state_deny | -state_redirect | -state_inprogress ] [[-sid] ] " while executing "ACCESS::session exists -{state_allow|-state_deny|-state_redirect|-state_inprogress} -sid"
    Jul 6 08:44:51 slot1/FDYEXLB01 err tmm[22774]: 01220001:3: TCL error: /Common/SAML_IDP_V4 - wrong args: should be "ACCESS::session exists [ -state_allow | -state_deny | -state_redirect | -state_inprogress ] [[-sid] ] " while executing "ACCESS::session exists -{state_allow|-state_deny|-state_redirect|-state_inprogress} -sid"
    Jul 6 08:44:51 slot1/FDYEXLB01 err tmm1[22774]: 01220001:3: TCL error: /Common/SAML_IDP_V4 - wrong args: should be "ACCESS::session exists [ -state_allow | -state_deny | -state_redirect | -state_inprogress ] [[-sid] ] " while executing "ACCESS::session exists -{state_allow|-state_deny|-state_redirect|-state_inprogress} -sid"
    Jul 6 08:44:51 slot1/FDYEXLB01 err tmm2[22774]: 01220001:3: TCL error: /Common/SAML_IDP_V4 - wrong args: should be "ACCESS::session exists [ -state_allow | -state_deny | -state_redirect | -state_inprogress ] [[-sid] ] " while executing "ACCESS::session exists -{state_allow|-state_deny|-state_redirect|-state_inprogress} -sid"
    Jul 6 08:44:51 slot1/FDYEXLB01 err tmm2[22774]: 01220001:3: TCL error: /Common/SAML_IDP_V4 - wrong args: should be "ACCESS::session exists [ -state_allow | -state_deny | -state_redirect | -state_inprogress ] [[-sid] ] " while executing "ACCESS::session exists -{state_allow|-state_deny|-state_redirect|-state_inprogress} -sid"
    Jul 6 08:44:52 slot1/FDYEXLB01 err tmm3[22774]: 01220001:3: TCL error: /Common/SAML_IDP_V4 - wrong args: should be "ACCESS::session exists [ -state_allow | -state_deny | -state_redirect | -state_inprogress ] [[-sid] ] " while executing "ACCESS::session exists -{state_allow|-state_deny|-state_redirect|-state_inprogress} -sid"
    Jul 6 08:44:52 slot1/FDYEXLB01 err tmm2[22774]: 01220001:3: TCL error: /Common/SAML_IDP_V4 - wrong args: should be "ACCESS::session exists [ -state_allow | -state_deny | -state_redirect | -state_inprogress ] [[-sid] ] " while executing "ACCESS::session exists -{state_allow|-state_deny|-state_redirect|-state_inprogress} -sid"

    Please let me know if I missed something. Please help here, and also note that the existing iRule is working for all IDP-initiated and SP-initiated connections except for only one SP-initiated connection, which gets dropped due to the iRule.

  • Hi Jitu,

     

    You need to use either -state_allow, -state_deny or -state_redirect. You should not use all of them in one.

     

    Example

     

    when HTTP_REQUEST priority 30 {
        set apm_cookie [HTTP::cookie value MRHSession]
        if { "[ACCESS::session exists -state_allow -sid $apm_cookie]" } {
            # ... the existing switch on [HTTP::path] goes here
        }
    }

     

  • jitu

    Great advice Nag!! Really appreciated. Now my SAML stuff is working, both SP-initiated and IDP-initiated.

     

    I have replaced the if {"[ACCESS::policy result]" eq "allow"} { with

     

    set apm_cookie [HTTP::cookie value MRHSession]
    if { "[ACCESS::session exists -state_allow -sid $apm_cookie]" } {

     

  • Hi Jitu, glad it works! Sorry, I just pasted the command as it appears in the API documentation.

     

    Cheers
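
Added example, not code posted by anyone in this thread: the complete iRule with the fix jitu reports applied, i.e. the `ACCESS::policy result` check in HTTP_REQUEST replaced by an explicit `ACCESS::session exists -state_allow -sid` lookup keyed on the MRHSession cookie. The `idp_for_path` proc, the early return when no MRHSession cookie is present on the request, and the factoring of the path-to-IdP mapping out of the two events are my additions and assumptions; the SP path prefixes, IdP resource names and `/saml/idp/res?id=` redirect target are taken from jitu's posts. The thread does not say whether the one failing SP-initiated request arrived without a session cookie; the empty-cookie guard is there so that such a request falls through to the access policy instead of raising a TCL error.

```tcl
when RULE_INIT {
    # Change to 1 to enable debugging log statements, 0 to disable
    set static::debug_IDP 1
}

# Map a request path (or the landing URI saved in the session) to the
# SAML IdP service that should handle it. Only the listed prefixes are
# accepted; anything else returns "" and is left alone, so a caller can
# never steer the redirect to an arbitrary id= value.
# (Assumed helper, not part of the original iRule.)
proc idp_for_path { path } {
    switch -glob -- [string tolower $path] {
        "/staples*"       { return "/Common/Staples_IDP" }
        "/concur*"        { return "/Common/Concur_IDP" }
        "/healthfitness*" { return "/Common/HealthFitness_IDP" }
        default           { return "" }
    }
}

# IdP-initiated SAML for users that already have an allowed APM session.
when HTTP_REQUEST priority 30 {
    # HTTP_REQUEST runs outside the ACCESS_* events, so the iRule has no
    # implicit APM session context. Look the session up explicitly via the
    # MRHSession cookie. A request without that cookie (for example an
    # SP-initiated AuthnRequest from a user who has not logged in yet) has
    # no session; return so the access policy handles it unchanged.
    set apm_cookie [HTTP::cookie value MRHSession]
    if { $apm_cookie eq "" } { return }
    if { ![ACCESS::session exists -state_allow -sid $apm_cookie] } { return }

    set idp [call idp_for_path [HTTP::path]]
    if { $idp ne "" } {
        if { $static::debug_IDP } { log local0. "HTTP_REQUEST: redirecting [HTTP::path] to $idp" }
        HTTP::respond 302 Location "/saml/idp/res?id=$idp"
        return
    }
}

# IdP-initiated SAML for users that have just finished the access policy.
when ACCESS_POLICY_COMPLETED priority 30 {
    # Inside an ACCESS_* event the session is implicit; no -sid is needed.
    set idp [call idp_for_path [ACCESS::session data get session.server.landinguri]]
    if { $idp ne "" } {
        if { $static::debug_IDP } { log local0. "ACCESS_POLICY_COMPLETED: redirecting to $idp" }
        ACCESS::respond 302 Location "/saml/idp/res?id=$idp"
        return
    }
}
```

Two points worth checking before reusing this. First, as the first reply notes, the same redirect could instead live in ACCESS_ACL_ALLOWED, where the session context is implicit and no cookie handling is needed; the HTTP_REQUEST version is kept here because that is where the original rule does its redirect. Second, the `-state_allow` filter means a session that exists but is still in progress or was denied does not trigger the redirect, which is the behaviour the original `eq "allow"` check was after.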