About Wipro Ltd.
Wipro Ltd. (NYSE:WIT) is a leading Information Technology, Consulting and Outsourcing company that delivers solutions to enable its clients to do business better. Wipro delivers winning business outcomes through its deep industry experience and a 360-degree view of "Business through Technology", helping clients create successful and adaptive businesses. A company recognized globally for its comprehensive portfolio of services, a practitioner's approach to delivering innovation, and an organization-wide commitment to sustainability, Wipro has a workforce of 140,000 serving clients across 61 countries. For more information, please visit www.wipro.com
Problem Statement
An F5-hosted application integrated with Symantec SSO may display "Page Not Found" or time out. In some cases, it may prompt for a username and password through Basic Authentication instead of form-based SAML.
Symptoms
The issue is observed when the application is hosted only through F5 and published to the internet. When you go back in the browser history or reload the application by typing in the entry page URL, the application works as expected. The issue is observed when the SAML authentication method is used in Symantec SSO. The redirected page may be an internal server with a private IP (not published to the internet) that acts as IWA for Symantec SSO.
Diagnostic Guide
Clearing the cache and cookies will reproduce the issue. Running a packet capture on an internet client reveals an HTTP redirection to a private IP or hostname that could not be published. If the internal host is published, Symantec SSO may use Basic Authentication instead of form-based SAML. The redirected page may be an internal server with a private IP (not published to the internet) that acts as IWA for Symantec SSO. A browser capture shows a cookie injected by Symantec SSO with the following parameters:
Name: Failed_type
Value: Integrated Windows Authentication
Domain: .sso.company.com
Cause
This is most likely because Symantec SSO's IWA agent is not published to the internet. F5 LTM won't translate an internal IP to a public address during a redirection. Symantec SSO lacks the ability to look up whether the user is coming from the internet and deploy SAML. It uses a failed method.
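The redirect check described in the Diagnostic Guide can be run over captured response headers. The following is an added example, not part of the original article; the sample capture is constructed, its host names and addresses are invented, and treating a single-label hostname as internal-only is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: response headers as an internet client might capture them.
# Host names and addresses are invented for illustration.
SAMPLE_CAPTURE = """\
HTTP/1.1 302 Found
Location: https://app.company.com/portal/home
Set-Cookie: SESSION=abc123; Path=/

HTTP/1.1 302 Found
Location: http://10.20.30.40/iwa/login
Set-Cookie: Failed_type=Integrated Windows Authentication; Domain=.sso.company.com

HTTP/1.1 302 Found
Location: http://iwa-agent01/auth
"""

def classify_host(host):
    """Return why a redirect target is unreachable from the internet, or None."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal. Assumption: a single-label name is internal-only.
        return "unqualified hostname" if "." not in host else None
    return None if ip.is_global else "non-public IP address"

def find_internal_redirects(capture):
    """Scan response header blocks and report redirects to internal targets."""
    findings = []
    for block in capture.strip().split("\n\n"):
        headers = {}
        for line in block.splitlines()[1:]:  # skip the status line
            name, _, value = line.partition(":")
            headers.setdefault(name.strip().lower(), []).append(value.strip())
        for location in headers.get("location", []):
            host = urlsplit(location).hostname
            reason = classify_host(host) if host else None  # relative URLs are fine
            if reason:
                # Cookie names set alongside the redirect (e.g. Failed_type)
                cookies = [c.split("=", 1)[0] for c in headers.get("set-cookie", [])]
                findings.append((location, reason, cookies))
    return findings

if __name__ == "__main__":
    for location, reason, cookies in find_internal_redirects(SAMPLE_CAPTURE):
        print(f"{location}: {reason}; cookies set: {cookies or 'none'}")
```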
Solution
Create an iRule in F5 and assign it to the SSO virtual server to inject a cookie that prevents SSO from redirecting to the internal authentication server (IWA agent).
Benefits
Saves a lot of engineering effort in the application to make this work.
Keeps the environment simple.
Eliminates the need to publish the IWA agent to the internet, and hence avoids exposing the IWA server to the internet.
# iRule for the SSO virtual server: insert the cookie on every request
# so that SSO does not redirect to the internal IWA agent.
when HTTP_REQUEST {
    HTTP::cookie insert name "failed_types" value "\"Integrated Windows Authentication\"" path "/" domain ".sso.company.com"
}