
This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

SAML: F5 level SSL offloading causing login attempt looping.

SA-37247

Summary

When testing our SAML authentication, the processing goes into an endless loop and users never get logged in. The second time pySAMLWebSSOAuthenticationActivity is called, the Param.SAMLResponse sent from the PRPC AssertionConsumerService is blank. This triggers the SAMLRequest being sent to the IdP again, causing the loop.

Error Messages

Not Applicable

Steps to Reproduce

Standard SAML authentication.

Root Cause

A defect or configuration issue in the operating environment:

At the F5 load balancer, SSL offloading is occurring. This means that PRPC receives "http" requests instead of "https" requests. When we generate the URL at the AssertionConsumerService level, we use "http" because that is the scheme on which we were accessed from the load balancer. As a result, an http URL is used in the POST back to the AssertionConsumerService:

POST: http://f5_prpc_url/prweb/sso

Since the F5 is not allowing HTTP it redirects to HTTPS:

GET: https://f5_prpc_url/prweb/sso

This is a GET request, so the POSTed data is lost. The SAML login activity does not receive a SAMLResponse and sends out the SAMLRequest again.

Resolution

Make the following change to the operating environment:

When using F5 SSL offloading, an iRule is required so that PRPC in turn builds URLs using the proper HTTPS protocol.

Example iRule (sample only):

when HTTP_REQUEST {
    HTTP::header insert PegaRULES-SetContextURI https://f5_prpc_url/prweb/
}

This sends the PegaRULES-SetContextURI header with the proper URL for PRPC to parse and use for subsequent URL generation.

This requires a prconfig.xml or Dynamic System Setting (DSS) entry to tell PRPC to use the PegaRULES-SetContextURI header when present:

prconfig.xml:

<env name="initialization/ContextRewriteEnabled" value="true"/>

or

DSS (setting the DSS still requires a JVM restart because it is an "initialization" setting):

Owning Ruleset: Pega-Engine
Setting Purpose: prconfig/initialization/ContextRewriteEnabled/default
Value: true

Note: When this setting is enabled, URL parsing uses the value in the PegaRULES-SetContextURI header ONLY when it is present. If the header is not present in the request(s), standard processing is used, so this does not affect standard PRPC logins that bypass F5 load balancing.
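The following is an added model of the loop and the fix described in this article; it is not Pega or F5 code. The request dictionaries, the f5_forward function and the "constructed" SAMLResponse value are stand-ins; only the header name, the host f5_prpc_url and the /prweb/sso path come from the article.

```python
"""Model of the SAML ACS redirect loop and the PegaRULES-SetContextURI fix."""
from urllib.parse import urlsplit

CONTEXT_HEADER = "PegaRULES-SetContextURI"  # header name from the article


def acs_url(request, context_rewrite_enabled):
    """Build the AssertionConsumerService URL the way the article describes.

    Without rewriting, the scheme comes from the request as it arrived from
    the load balancer (http after SSL offloading). With rewriting enabled and
    the header present, the header value wins; otherwise standard processing.
    """
    ctx = request["headers"].get(CONTEXT_HEADER)
    if context_rewrite_enabled and ctx:
        return ctx.rstrip("/") + "/sso"
    return f"{request['scheme']}://{request['host']}/prweb/sso"


def f5_forward(method, url, body):
    """Constructed model of the F5 behaviour in the article: a plain-HTTP
    request is answered with a redirect to HTTPS, which the browser follows
    as a GET with no body. HTTPS requests pass through with body intact."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        https_url = parts._replace(scheme="https").geturl()
        return "GET", https_url, {}  # the POSTed SAMLResponse is lost here
    return method, url, body


def simulate_login(context_rewrite_enabled, header_present):
    """Return 'logged_in' or 'loop' for one IdP -> ACS round trip."""
    headers = {CONTEXT_HEADER: "https://f5_prpc_url/prweb/"} if header_present else {}
    # After SSL offloading PRPC always sees the request as http (constructed).
    request = {"scheme": "http", "host": "f5_prpc_url", "headers": headers}
    url = acs_url(request, context_rewrite_enabled)
    _method, _url, body = f5_forward("POST", url, {"SAMLResponse": "<constructed>"})
    # Activity behaviour from the article: blank SAMLResponse -> new SAMLRequest.
    return "logged_in" if body.get("SAMLResponse") else "loop"


if __name__ == "__main__":
    for enabled in (False, True):
        for header in (False, True):
            print(f"ContextRewriteEnabled={enabled} header={header}: "
                  f"{simulate_login(enabled, header)}")
```

Only the combination of the DSS/prconfig setting and the iRule header yields a login; either one alone leaves the loop in place, matching the Note above.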

Published April 30, 2017 - Updated October 8, 2020
