Bug ID 642080: Portal Access plus Multidomain SSO may incorrectly redirect to an internal address

Last Modified: Sep 14, 2023

Affected Product(s):
BIG-IP APM (all modules)

Known Affected Versions:
12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6

Opened: Jan 28, 2017

Severity: 3-Major

Related Article: K41080344

Symptoms

When an application is behind the portal, its URL looks like this: https://apmvip/f5-w-xxxx/resetpassword.jsp

When the application is used with multidomain SSO, the client should be redirected back to a portal-ized URL after it is authenticated. Instead, the client is redirected to an internal URL.

Impact

The redirects that are sent lose the portal rewriting and point at the internal URL.

Conditions

Multidomain SSO for a portal access resource.

Workaround

Use an iRule similar to the following:

when HTTP_REQUEST {
    # Portal URL (f5-w-) requested without an allowed APM session:
    # rewrite the request path to the -w-f5 form.
    if { [string tolower [HTTP::path]] contains "f5-w-" && ([HTTP::cookie value MRHSession] == "" || !([ACCESS::session exists -state_allow -sid [HTTP::cookie value MRHSession]])) } {
        set http_path [HTTP::path]
        log local0. "Found request for [URI::path $http_path 1 2]"
        # Extract the text between the 6-character "/f5-w-" prefix and the first "$".
        set end [string first "$" [URI::path $http_path 1 2]]
        set end [expr { $end - 1 }]
        set myf5 [string range [URI::path $http_path 1 2] 6 $end ]
        log local0. "PATH $myf5"
        HTTP::path "/-w-f5${myf5}$$[URI::path $http_path 2][URI::basename $http_path]"
    }
    # -w-f5 URL requested with an allowed APM session:
    # redirect the client back to the portal (f5-w-) URL.
    if { [string tolower [HTTP::path]] contains "-w-f5" && ([ACCESS::session exists -state_allow -sid [HTTP::cookie value MRHSession]]) } {
        set http_path [HTTP::path]
        log local0. "Found request for [URI::path $http_path 1 2]"
        # Extract the text between the 6-character "/-w-f5" prefix and the first "$".
        set end [string first "$" [URI::path $http_path 1 2]]
        set end [expr { $end - 1 }]
        set myf5 [string range [URI::path $http_path 1 2] 6 $end ]
        log local0. "PATH $myf5"
        HTTP::redirect "/f5-w-${myf5}$$[URI::path $http_path 2][URI::basename $http_path]"
    }
}
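Added example (not F5 code and not part of the original report): a Python check over captured 3xx responses that flags Location values that leave the portal, which is the symptom described above, and can be run before and after applying the workaround. The host name app.internal, the sample events and the function names are constructed; treating the f5-w- token as the hex-encoded backend origin is an assumption.

```python
import re
from urllib.parse import urlsplit

APM_HOST = "apmvip"  # portal virtual server name, from the URL in Symptoms

# Portal-ized path: /f5-w-<token>$$/<path>.
# Assumption: <token> is the hex-encoded backend origin (scheme://host).
PORTAL_RE = re.compile(r"^/f5-w-([0-9a-fA-F]+)\$\$(/.*)?$")

def backend_origin(token):
    """Decode the f5-w- token as hex text; None if it does not decode."""
    try:
        return bytes.fromhex(token).decode("ascii")
    except ValueError:  # odd length, non-hex, or non-ASCII bytes
        return None

def classify_redirect(location, apm_host=APM_HOST):
    """Return (verdict, detail) for one Location header value."""
    parts = urlsplit(location)
    # A relative Location keeps the client on the host it asked, the VIP.
    host = (parts.hostname or apm_host).lower()
    if host != apm_host.lower():
        return ("internal", host)           # client is sent off the portal
    match = PORTAL_RE.match(parts.path)
    if match is None:
        return ("unrewritten", parts.path)  # on the VIP, no portal prefix
    return ("portalized", backend_origin(match.group(1)))

def flag_redirects(events, apm_host=APM_HOST):
    """Return the 3xx events whose Location is not a portal-ized URL."""
    flagged = []
    for status, location in events:
        if 300 <= status < 400:
            verdict, detail = classify_redirect(location, apm_host)
            if verdict != "portalized":
                flagged.append((location, verdict, detail))
    return flagged

# Constructed sample: (status, Location) pairs as seen by the client.
TOKEN = "https://app.internal".encode("ascii").hex()
SAMPLE = [
    (302, f"https://apmvip/f5-w-{TOKEN}$$/resetpassword.jsp"),  # expected
    (302, "https://app.internal/resetpassword.jsp"),            # the symptom
    (302, "/resetpassword.jsp"),                                # prefix lost
    (200, "https://app.internal/ignored"),                      # not a redirect
]

if __name__ == "__main__":
    for item in flag_redirects(SAMPLE):
        print(item)
```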

Fix Information

None

Behavior Change