Forum Discussion

SteveVernau_132's avatar
SteveVernau_132
Icon for Nimbostratus rankNimbostratus
Aug 23, 2013

https redirect irule

We have an ADFS server that we can use to SSO into a third party application.

 

To hit the third party applciation we need to hit: https://adfs.mydomain.com.au/adfs/ls/IdpInitiatedsignOn.aspx?loginToRp=https://ppm.3rdparty.com

 

Now adfs.mydomain.com is actualy three servers load balanced by the f5, certificates are on the servers themselves not offloaded to the f5 due to technical issues.

 

Basically I would like users to be able to hit https://adfs.mydomain.com.au/ppm and get taken to https://adfs.mydomain.com.au/adfs/ls/IdpInitiatedsignOn.aspx?loginToRp=https://ppm.3rdparty.com so that they don't have to remember the long URL. I was thinking I could use the below, Can anyone validate?

 

when HTTP_REQUEST { if { [string tolower [HTTP::uri]] starts_with "/ppm" } { HTTP::uri [string map -nocase {"/ppm" "/adfs/ls/IdpInitiatedsignOn.aspx?loginToRp=https://ppm.3rdparty.com "} [HTTP::uri]] }}

 

application delivery
devops
iRules

1 Reply

Sort By
  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    Aug 23, 2013

    First, you WILL need to offload the SSL to the BigIP before you can do this. That doens't mean you have to drop the SSL on the poolmembers, you can always re-encrypt. But without the offload, the BigIP can't see the content (And thus the URI) to do the redirect.

     

    The code

     

    when HTTP_REQUEST {
 if { [string tolower [HTTP::uri]] starts_with "/ppm" } { 
   HTTP::uri [string map -nocase {"/ppm" "/adfs/ls/IdpInitiatedsignOn.aspx?loginToRp=https://ppm.3rdparty.com "} [HTTP::uri]] }
   }
}

    Looks fine at first glance (Logically I dont' see an issue. I haven't verified any syntax or lexically 🙂

     

    Apart from the tolower bit of course... URI's are case sensitive by RFC... They're only case insensitive on windows really... So you're defeating the HTTP spec that says /PPM is a DIFFERENT URI from /ppm. (That's possibly being a bit pedantic of me. But it's how the standards are written. And I love standards).

     

    H