Bug ID 642080: Portal Access plus Multidomain SSO may incorrectly redirect to an internal address

Last Modified: Jan 20, 2023

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3

Opened: Jan 28, 2017
Severity: 3-Major
Related Article:
K41080344

Symptoms

When an application is behind the portal, its URL looks like this:

    https://apmvip/f5-w-xxxx/resetpassword.jsp

When used with multidomain SSO, after the client is authenticated it should be redirected back to a portal-ized URL. Instead, the client is redirected to an internal URL.

Impact

Redirects are sent that lose the portal: the client is sent to the internal URL instead of the portal-ized one.

Conditions

Multidomain SSO for a portal access resource.

Workaround

Use an iRule similar to the following:

    when HTTP_REQUEST {
        # Portal-ized path (f5-w-) without an allowed APM session:
        # rewrite the request path to the -w-f5 form.
        if { [string tolower [HTTP::path]] contains "f5-w-" && ([HTTP::cookie value MRHSession] == "" || !([ACCESS::session exists -state_allow -sid [HTTP::cookie value MRHSession]])) } {
            set http_path [HTTP::path]
            log local0. "Found request for [URI::path $http_path 1 2]"
            set end [string first "$" [URI::path $http_path 1 2]]
            set end [expr { $end - 1 }]
            set myf5 [string range [URI::path $http_path 1 2] 6 $end ]
            log local0. "PATH $myf5"
            HTTP::path "/-w-f5${myf5}$$[URI::path $http_path 2][URI::basename $http_path]"
        }
        # Rewritten path (-w-f5) with an allowed APM session:
        # redirect the client back to the portal-ized f5-w- URL.
        if { [string tolower [HTTP::path]] contains "-w-f5" && ([ACCESS::session exists -state_allow -sid [HTTP::cookie value MRHSession]]) } {
            set http_path [HTTP::path]
            log local0. "Found request for [URI::path $http_path 1 2]"
            set end [string first "$" [URI::path $http_path 1 2]]
            set end [expr { $end - 1 }]
            set myf5 [string range [URI::path $http_path 1 2] 6 $end ]
            log local0. "PATH $myf5"
            HTTP::redirect "/f5-w-${myf5}$$[URI::path $http_path 2][URI::basename $http_path]"
        }
    }

Fix Information

None

Behavior Change