Symantec O3 Publishing challenge through F5 LTM

Prashant Bharadwaj 3/27/2014

About Wipo Ltd.
Wipro Ltd. (NYSE:WIT) is a leading Information Technology, Consulting and Outsourcing company that delivers solutions to enable its clients do business better. Wipro
delivers winning business outcomes through its deep industry experience and a 360 degree view of "Business through Technology" - helping clients create successful and
adaptive businesses. A company recognized globally for its comprehensive portfolio of services, a practitioner's approach to delivering innovation, and an organization wide
commitment to sustainability, Wipro has a workforce of 140,000 serving clients across 61 countries. For more information, please visit www.wipro.com
Problem Statement

An F5 Hosted Application integrated with Symantec SSO
may display Page Not found or times out. In some cases,
it may prompt for Username Password in through Basic
Authentication instead of Formed-based SAML.
Symptoms

The issue is observed when it is hosted only
through F5 and published to the internet.
When you press go back in History of the
Browser or reload the application by typing in
the Entry Page URL, the application works as
expected.
The issue is observed when SAML
authentication method in Symantec SSO.
The redirected page may be an internal server
with private IP (not published to the internet)
that acts as IWA for Symantec SSO.

Diagnostic Guide

Clearing cache and cookie will regenerate the
issue.
Running Packet capture on an Internet client
reveals HTTP redirection to a Private IP or
Hostname that could not be published.
If the internal Host is published, Symantec SSO
may use Basic Authentication instead of Form-
based SAML.
The redirected page may be an internal server
with private IP (not published to the internet)
that acts as IWA for Symantec SSO.
Browser Grabbing show a cookie injection from
Symantec SSO with the following parameters:
Name: Failed_type
Value: Integrated Windows Authentication
Domain: .sso.company.com
Cause

This is more likely because Symantec SSOs IWA agent is
not published to the internet. F5 LTM won't translated
an internal IP to public address during a redirection.
Symantec SSO lacks the ability to lookup if user is from
the internet and deploy SAML. It uses a failed methods.

Solution

Create an iRule in F5 and assign to SSO Virtual Server to
inject a cookie that will avoid the SSO to redirect to
internal authentication server(IWA Agent).

Benefits
Saves a lot of engineering effort in the
Application to make this working.
Keeps the environment simple.
Eliminates the need to publish IWA Agent to the
internet. Hence avoids exposure of IWA server
to the internet.
when HTTP_REQUEST {
HTTP::cookie insert name "failed_types"
value "\"Integrated Windows
Authentication\"" path "/" domain
".sso.company.com"
}