Support Article

SAML: F5 level SSL offloading causing login attempt looping.

SA-37247

Summary



When testing our SAML authentication the processing is going in an endless loop and users never get logged in. The second time pySAMLWebSSOAuthenticationActivity is called, the Param.SAMLResponse sent from the PRPC AssertionConsumerService is blank. This triggers the sending of the SAMLRequest to the IDP again, causing the looping.

Error Messages



Not Applicable


Steps to Reproduce



Standard SAML Authentication.

Root Cause



A defect or configuration issue in the operating environment:

SSL offloading takes place at the F5 load balancer, so PRPC receives plain "http" requests rather than "https" requests. When PRPC builds the AssertionConsumerService URL it uses "http", because that is the scheme the request arrived with from the load balancer. The IdP is therefore told to POST the SAMLResponse back to an http URL:

POST: http://f5_prpc_url/prweb/sso

Since the F5 does not accept plain HTTP, it answers with a redirect to HTTPS:

GET: https://f5_prpc_url/prweb/sso

A browser follows a 301/302 redirect by re-issuing the request as a GET without the form body, so the POSTed SAMLResponse is lost. The SAML login activity finds Param.SAMLResponse blank, builds a new SAMLRequest and sends the user back to the IdP, which starts the cycle again.



Resolution



Make the following change to the operating environment:

When the F5 performs SSL offloading, an iRule is required so that PRPC in turn builds its URLs with the HTTPS scheme the user actually sees.

Example iRule: (Sample only)

when HTTP_REQUEST {
    # Drop any copy of the header supplied by the client, then set the
    # external HTTPS base URL PRPC should use when it builds URLs.
    HTTP::header remove PegaRULES-SetContextURI
    HTTP::header insert PegaRULES-SetContextURI "https://f5_prpc_url/prweb/"
}

This sends the PegaRULES-SetContextURI header with the external URL, which PRPC parses and uses for all subsequent URL generation, including the AssertionConsumerService URL placed in the SAMLRequest. Note that HTTP::header insert adds a header without touching an existing one, which is why the sample removes the header first.

PRPC must also be told to honour the PegaRULES-SetContextURI header when it is present, through either a prconfig.xml entry or a Dynamic System Setting (DSS):


prconfig.xml:

<env name="initialization/ContextRewriteEnabled" value="true"/>

or

DSS (the setting belongs to the "initialization" group, so a change made through a DSS still requires a JVM restart):

Owning Ruleset: Pega-Engine
Setting Purpose: prconfig/initialization/ContextRewriteEnabled/default
Value: true

Note: With this setting enabled, URL construction uses the value of the PegaRULES-SetContextURI header only when the header is present. Requests without the header are processed as before, so logins that reach PRPC directly, bypassing the F5, are unaffected. Because PRPC trusts the header whenever it is present, make sure PRPC cannot be reached except through the F5 (or that any other ingress strips the header), and have the iRule overwrite rather than append to a client-supplied copy; otherwise a client could choose the base URL PRPC uses when it builds the AssertionConsumerService URL.
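The whole round trip, as an added Python model written for this article rather than code from Pega or F5. It takes the placeholder host f5_prpc_url, the /prweb/ context path, the PegaRULES-SetContextURI header and the ContextRewriteEnabled switch from the text; the simulated browser, F5 and PRPC behaviour, the constructed SAMLResponse value, and the check that only an https URL for the expected host is honoured are assumptions made for the illustration. It shows that the login loops unless both the iRule and the setting are in place, and why an iRule should remove any client-supplied header before inserting its own.

```python
"""Model of the SAML Web SSO round trip behind SA-37247 (added illustration)."""
from urllib.parse import urlsplit

# Placeholders taken from the article. Everything else in this file is an
# assumption made for the illustration, not Pega's or F5's implementation.
F5_HOST = "f5_prpc_url"
CONTEXT_PATH = "/prweb/"
CONTEXT_HEADER = "PegaRULES-SetContextURI"
SAML_RESPONSE = "PHNhbWxwOlJlc3BvbnNlPi4uLjwvc2FtbHA6UmVzcG9uc2U+"  # constructed stand-in


def context_uri(request_scheme, host, headers, rewrite_enabled):
    """Base URL PRPC uses when it builds the AssertionConsumerService URL.

    Without the rewrite PRPC reuses the scheme the request arrived with, which
    behind an SSL-offloading F5 is plain http. With ContextRewriteEnabled and
    the header present, the header value wins. The https/host check is assumed
    hardening; the article only says the header is used whenever it is present.
    """
    value = headers.get(CONTEXT_HEADER)
    if rewrite_enabled and value:
        parts = urlsplit(value)
        if parts.scheme != "https" or parts.hostname != host:
            raise ValueError(f"untrusted {CONTEXT_HEADER}: {value!r}")
        return value.rstrip("/") + "/"
    return f"{request_scheme}://{host}{CONTEXT_PATH}"


def f5(request, irule_enabled):
    """TLS-offloading F5 in front of PRPC.

    Plain-http requests get a 302 to https (what the article reports); https
    requests are forwarded to PRPC over http. With the iRule the header is
    removed and re-inserted, so a client-supplied copy never reaches PRPC.
    Returns (redirect_response, forwarded_request); exactly one is None.
    """
    if request["scheme"] == "http":
        return {"status": 302, "location": f"https://{F5_HOST}{request['path']}"}, None
    headers = dict(request["headers"])
    if irule_enabled:
        headers.pop(CONTEXT_HEADER, None)                              # HTTP::header remove
        headers[CONTEXT_HEADER] = f"https://{F5_HOST}{CONTEXT_PATH}"  # HTTP::header insert
    return None, dict(request, scheme="http", headers=headers)


def browser_follow(redirect, request):
    """Browser handling of a 301/302/303: re-request with GET and no body.
    A 307/308 would keep the POST and its form data."""
    location = urlsplit(redirect["location"])
    method, body = request["method"], request["body"]
    if redirect["status"] in (301, 302, 303):
        method, body = "GET", {}
    return {"scheme": location.scheme, "method": method, "path": location.path,
            "headers": request["headers"], "body": body}


def simulate_login(irule_enabled, rewrite_enabled, client_headers=None, max_rounds=3):
    """Run the Web SSO exchange; return ("logged_in", round) or ("loop", rounds)."""
    client_headers = dict(client_headers or {})
    for round_no in range(1, max_rounds + 1):
        # 1. PRPC, reached through the F5, builds the AuthnRequest with the ACS URL.
        start = {"scheme": "https", "method": "GET", "path": CONTEXT_PATH,
                 "headers": client_headers, "body": {}}
        _, at_prpc = f5(start, irule_enabled)
        acs_url = context_uri(at_prpc["scheme"], F5_HOST, at_prpc["headers"],
                              rewrite_enabled) + "sso"
        # 2. The IdP returns the assertion as a browser form POST to the ACS URL.
        acs = urlsplit(acs_url)
        post = {"scheme": acs.scheme, "method": "POST", "path": acs.path,
                "headers": client_headers, "body": {"SAMLResponse": SAML_RESPONSE}}
        redirect, at_prpc = f5(post, irule_enabled)
        if redirect is not None:
            # 3. The F5 refused http; the browser follows the 302 with a bodiless GET.
            _, at_prpc = f5(browser_follow(redirect, post), irule_enabled)
        # 4. The ACS reads Param.SAMLResponse; blank means PRPC sends a new SAMLRequest.
        if at_prpc["body"].get("SAMLResponse"):
            return ("logged_in", round_no)
    return ("loop", max_rounds)


if __name__ == "__main__":
    for irule, rewrite in [(False, False), (True, False), (False, True), (True, True)]:
        print(f"iRule={irule} ContextRewriteEnabled={rewrite} -> {simulate_login(irule, rewrite)}")
```

Of the four combinations only the iRule together with ContextRewriteEnabled completes the login; the other three loop exactly as the root cause describes. The model also separates the two halves of the fix: the iRule alone changes nothing while PRPC ignores the header, and the setting alone changes nothing while no header arrives.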

Published April 28, 2017 - Updated April 29, 2017

