Environment
Situation
When users hit a protected resource <ProtRetURL> and are not authenticated to the AG, they are redirected to the ESP with a URL that looks like this:
<ESP-URL>/nesp/app/plogin?c=<contract>&"<ProtRetURL>"
In this redirect the protected resource URL itself is passed as a query parameter (a quoted value with no parameter name), and the WAF rejects it. The customer would have to enter every Protected Resource URL as an allowed parameter in the WAF, and because it is a parameter value, the WAF does not accept wildcards. That would also mean entering every possible deep link, so this is not a workable solution.
This is not what you would call best practice; there should be a real named parameter such as RelayState (or something similar) that a WAF could be configured to key off.
Some WAFs may be able to handle this with a regex, but this one cannot.
// AG response towards ESP
<amLogEntry> 2016-05-13T10:05:09Z VERBOSE NIDS IDFF: Processing ProxyLoginProfile login agAppNa=formfill-pbmh-proxy-srvc&c=/uri/anyauthentication&%22https://nam42sba.lab.novell.com/formfill/phpinfo.php%22 </amLogEntry>
// ESP processes request and generates AuthnRequest to /nidp/idff/sso
RequestID=idQbHZwNcu43axHMAzG2kbY2p-uNM&MajorVersion=1&MinorVersion=2&IssueInstant=2016-05-13T10%3A05%3A09Z&ProviderID=https%3A%2F%2Fnam42sba.lab.novell.com%3A443%2Fnesp%2Fidff%2Fmetadata&RelayState=NQ%3D%3D&consent=urn%3Aliberty%3Aconsent%3Aunavailable&agAppNa=formfill-pbmh-proxy-srvc&ForceAuthn=false&IsPassive=false&NameIDPolicy=onetime&ProtocolProfile=http%3A%2F%2Fprojectliberty.org%2Fprofiles%2Fbrws-art&target=https%3A%2F%2Fnam42sba.lab.novell.com%2Fformfill%2Fphpinfo.php&AuthnContextStatementRef=%2Furi%2Fanyauthentication
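As an added example (not part of this article or of the Access Manager product), the following Python sketch shows the check a WAF or reverse-proxy plugin would have to perform on the plogin redirect: isolate the keyless, quoted protected resource URL and validate its origin against an allowlist, so that deep links do not need to be enumerated. SAMPLE_QUERY is constructed from the AG log entry above, and ALLOWED_HOSTS is an assumed allowlist.

```python
from urllib.parse import unquote, urlsplit

# Constructed sample, modelled on the AG log entry above (not a captured request).
SAMPLE_QUERY = (
    "agAppNa=formfill-pbmh-proxy-srvc&c=/uri/anyauthentication"
    "&%22https://nam42sba.lab.novell.com/formfill/phpinfo.php%22"
)
# Assumed allowlist of hosts the proxy may return users to.
ALLOWED_HOSTS = {"nam42sba.lab.novell.com"}


def split_plogin_query(query):
    """Return (named_params, prot_ret_url) for a plogin query string.

    The protected resource URL has no parameter name: it is a quoted value
    appended after the named parameters. A deep link containing '&' spans
    several chunks, so the quoted value is reassembled up to its closing quote.
    """
    named, prot_ret_url, pending = {}, None, None
    for chunk in query.split("&"):
        decoded = unquote(chunk)
        if pending is not None:            # inside an unterminated quoted URL
            pending += "&" + decoded
            if decoded.endswith('"'):
                prot_ret_url, pending = pending[1:-1], None
        elif decoded.startswith('"'):
            if len(decoded) >= 2 and decoded.endswith('"'):
                prot_ret_url = decoded[1:-1]
            else:
                pending = decoded
        else:
            key, _, value = chunk.partition("=")
            if key:
                named[unquote(key)] = unquote(value)
    # An unterminated quoted value leaves prot_ret_url as None, i.e. rejected.
    return named, prot_ret_url


def is_allowed_return_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Accept only absolute https URLs on an allowlisted host. Checking the
    origin, not the full URL, is what admits deep links without enumerating
    every protected resource URL in the WAF."""
    if not url:
        return False
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in allowed_hosts
```

Running `split_plogin_query(SAMPLE_QUERY)` yields the named parameters `agAppNa` and `c` plus the unquoted return URL, which `is_allowed_return_url` then accepts or rejects by origin.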