Bug ID 479348: Multidomain SSO conflicts with redirect ending

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP APM(all modules)

Known Affected Versions:
11.4.0, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3,,,,, 11.6.4, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4

Fixed In:

Opened: Sep 15, 2014
Severity: 3-Major
Related AskF5 Article:


Multidomain SSO works by running the policy on the primary authentication virtual server and redirecting the request back to the virtual server that it landed on. While running the policy on the primary virtual server, if there is a redirect ending that does redirect to some URI, it seems to be ignored. Multidomain SSO then redirects to the secondary virtual server.


The impact of this issue is that the user is unable to redirect Access sessions to a desired external location, such as, Access session redirected to external website based on some Access Policy logic.


Access policy with Multiple Domains enabled and where Primary Authentication URI is set to some URI, for example, https://login.site.com, and add auth domain site.com. In the visual policy editor of the same Access policy, configure a Redirect ending to some external resource. Create a virtual server for the start URI and one for the login URI. For example, you will have a virtual server for login.site.com and one for start.site.com, and add the above Access Profile/Policy to the two virtual servers.


iRule workaround steps: 1. Change ending Redirect to ending Allow. 2. Create a custom variable using Variable Assign action just before the ending Allow (that used to be ending Redirect) and assign value 1; for example, session.ending.redirect return 1 3. Implement the following iRule on the primary authentication virtual server: when ACCESS_POLICY_COMPLETED { set ending "[ACCESS::session data get session.ending.redirect]" if { $ending eq 1 } { after 2000 { ACCESS::session remove } ACCESS::respond 302 Location [external address] } unset ending }

Fix Information


Behavior Change