Bug ID 479348: Multidomain SSO conflicts with redirect ending

Last Modified: Mar 12, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP APM(all modules)

Known Affected Versions:
11.4.0, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4

Fixed In:
12.1.0

Opened: Sep 15, 2014
Severity: 3-Major
Related AskF5 Article:
K17422

Symptoms

Multidomain SSO works by running the policy on the primary authentication virtual server and redirecting the request back to the virtual server that it landed on. While running the policy on the primary virtual server, if there is a redirect ending that does redirect to some URI, it seems to be ignored. Multidomain SSO then redirects to the secondary virtual server.

Impact

The impact of this issue is that the user is unable to redirect Access sessions to a desired external location, such as, Access session redirected to external website based on some Access Policy logic.

Conditions

Access policy with Multiple Domains enabled and where Primary Authentication URI is set to some URI, for example, https://login.site.com, and add auth domain site.com. In the visual policy editor of the same Access policy, configure a Redirect ending to some external resource. Create a virtual server for the start URI and one for the login URI. For example, you will have a virtual server for login.site.com and one for start.site.com, and add the above Access Profile/Policy to the two virtual servers.

Workaround

iRule workaround steps: 1. Change ending Redirect to ending Allow. 2. Create a custom variable using Variable Assign action just before the ending Allow (that used to be ending Redirect) and assign value 1; for example, session.ending.redirect return 1 3. Implement the following iRule on the primary authentication virtual server: when ACCESS_POLICY_COMPLETED { set ending "[ACCESS::session data get session.ending.redirect]" if { $ending eq 1 } { after 2000 { ACCESS::session remove } ACCESS::respond 302 Location [external address] } unset ending }

Fix Information

None

Behavior Change