Problem with stream iRule and SAML idp redirect
Running into the following issue here. We have a SharePoint site with web servers listening on some high port and using an internal hostname. On the SharePoint virtual server I am applying the following iRule to do the HTML parsing and host header translation:
when HTTP_REQUEST_RELEASE {
    # Disable the stream filter for all requests by default
    STREAM::disable
    # LTM does not uncompress response content, so if the server has compression enabled
    # and it cannot be disabled on the server, we can prevent the server from
    # sending a compressed response by removing the compression offerings from the client
    HTTP::header remove "Accept-Encoding"
    if { [info exists stream_expr] } { unset stream_expr }
    # This is what we want to replace
    set stream_expr "@http://sharepoint.something.somedomain.root:14775@https://sharepoint.somedomain.com@"
    # make sure we have a var to crosscheck before we enable the rewrite in the response
    set SPresponse 1
}
when HTTP_RESPONSE {
    # Enable the rewrite to fix the hostnames
    if { [info exists SPresponse] } {
        # Check if response type is ...
        if { [HTTP::header value Content-Type] contains "application/json" || [HTTP::header value Content-Type] contains "text/html" || [HTTP::header value Content-Type] contains "text/xml" } {
            if { [info exists stream_expr] } {
                STREAM::expression $stream_expr
                STREAM::enable
            }
        }
    }
}
When SP-initiated, the SAML IdP processes the request and redirects me back to my SharePoint site. However, it seems that before the redirect from the IdP gets processed by the SAML SP, it gets translated by the iRule, and the SAML authentication process never completes, resulting in a 404. When the iRule is not applied, SAML authentication seems to complete, but of course the site does not work.
Any idea how to work around this issue?
Hi Alex,
For the VIP-targeting-VIP solution to get around APM/Stream profile conflicts, below is a basic view of what the config would look like:
ltm virtual vs_external {
    destination 1.1.1.1:443
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        clientssl_profile { context clientside }
        stream_profile { }
        http { }
        tcp { }
    }
    rules { forward_internal_virtual saml_stream_expression }
}
ltm virtual vs_internal {
    destination 2.2.2.2:80
    enabled
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        example_accesspolicy { }
        http { }
        rba { }
        tcp { }
        websso { }
    }
}
ltm rule forward_internal_virtual {
    when HTTP_REQUEST {
        virtual vs_internal
    }
}
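As an added illustration (not the reply author's code), here is one possible body for the saml_stream_expression iRule that the config above attaches to vs_external, so that the stream rewrite stays on the outer virtual while APM on vs_internal handles the SAML exchange untouched. It assumes the external name https://sharepoint.somedomain.com and the internal origin http://sharepoint.something.somedomain.root:14775 from the question, and adds Location-header handling because the stream filter rewrites only the response body, never HTTP headers.

```tcl
# Hypothetical saml_stream_expression iRule for vs_external (added example, not from the thread).
# Assumed hostnames are taken from the question; change them to match your environment.
when HTTP_REQUEST {
    # Stream filter is off unless a matching response turns it on
    STREAM::disable
    # Ask the origin for uncompressed content so the stream filter can see the body
    HTTP::header remove "Accept-Encoding"
    set internal_origin "http://sharepoint.something.somedomain.root:14775"
    set external_origin "https://sharepoint.somedomain.com"
    # "@find@replace@" form expected by STREAM::expression
    set stream_expr "@${internal_origin}@${external_origin}@"
}
when HTTP_RESPONSE {
    # Redirects (including those in the SAML flow) carry the hostname in the
    # Location header, which the stream filter never touches; fix it here
    if { [HTTP::is_redirect] } {
        set loc [HTTP::header value Location]
        if { $loc starts_with $internal_origin } {
            HTTP::header replace Location [string map [list $internal_origin $external_origin] $loc]
        }
        return
    }
    # Only rewrite text-like bodies; leave binary content alone
    set ctype [HTTP::header value Content-Type]
    if { $ctype contains "text/html" || $ctype contains "text/xml" || $ctype contains "application/json" } {
        STREAM::expression $stream_expr
        STREAM::enable
    }
}
```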