Marvin
Jun 03, 2020

Native APP does not share MRH cookie with F5 SAML IDP

Dear all,

We have a particular issue where several APPs have been integrated with the F5 IDP SAML and that is working fine; however, a specific native APP on mobile phone prevents sharing the MRH cookie with the browser, and this causes SSO issues.

I was thinking of implementing a workaround, which is to look into the SAML SSO request header and check if there is an active session present for the particular client IP, to retrieve the sid session value, and to insert the MRH cookie into the SAML SSO request. This way F5 will be able to match the session because now it sees the MRH cookie and will then respond with SAML, and the client browser will then automatically receive the cookie and store it in the browser cache.

I was looking into this article and I wonder if I can use either one of the following commands to read the session sid value by only using the client IP. Is that possible?

So basically: if the HTTP request contains saml/idp/profile/redirectorpost/sso and no MRH cookie is present, then:

>> check if an active session is present for the client IP (search for it in the F5 session database), and then:

insert HTTP::header with the MRH value then:

return

ACCESS::session sid
ACCESS::session exists 

https://clouddocs.f5.com/api/irules/ACCESS__session.html
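
The lookup described in the post, modelled in Python as an added example (this is not F5 iRule code and not part of the original post). The session table, function names, sids and IP addresses are constructed, and the cookie name `MRHSession` is assumed to be the "MRH cookie" the post refers to. The model inserts the cookie only when exactly one active session exists for the client IP, because several clients behind one NAT address present the same source IP.

```python
from dataclasses import dataclass

SSO_PATH = "saml/idp/profile/redirectorpost/sso"  # path fragment from the post
COOKIE = "MRHSession"  # assumed name of the "MRH cookie"

@dataclass
class Session:
    sid: str
    client_ip: str
    active: bool = True

def sids_for_ip(table, ip):
    """All active session ids whose recorded client IP matches."""
    return [s.sid for s in table if s.active and s.client_ip == ip]

def handle_request(table, client_ip, path, cookies):
    """Model of the proposed steps; returns (decision, cookies).

    'pass'       not an SSO request, or the cookie is already present
    'attached'   exactly one active session for this IP, cookie inserted
    'no-session' no active session for this IP, nothing inserted
    'ambiguous'  several active sessions share this IP, nothing inserted
    """
    if SSO_PATH not in path.lower() or COOKIE in cookies:
        return "pass", cookies
    sids = sids_for_ip(table, client_ip)
    if not sids:
        return "no-session", cookies
    if len(sids) > 1:
        # The source IP alone cannot say whose session this request belongs to.
        return "ambiguous", cookies
    return "attached", {**cookies, COOKIE: sids[0]}

# Constructed sample data: documentation IP ranges and made-up sids.
TABLE = [
    Session("a1f0c3", "198.51.100.7"),
    Session("b2e4d5", "203.0.113.20"),
    Session("c3d6e7", "203.0.113.20"),  # second user behind the same NAT
    Session("d4c8f9", "192.0.2.44", active=False),
]

if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.20", "192.0.2.44"):
        print(ip, handle_request(TABLE, ip, "/" + SSO_PATH, {}))
```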