"Enable Match case" function doesn't work for "Custom Values" while creating authentication rules for the SSO Policy
Article ID: 392290
Products
VMware Avi Load Balancer
Issue/Introduction
SSO policies map authentication profiles such as LDAP, SAML, or OAuth to the Virtual Service (VS).
Authentication rules are a set of conditions used to validate client requests based on specific criteria such as client IP, host header, or path match.
The "Enable Match Case" function does not work correctly when creating authentication rules under the SSO Policy.
Specifically, the issue occurs when "custom values" are used in authentication rules, such as those defining path matches (HTTP Path).
Whether the "Enable Match Case" option is selected or deselected, the system still performs case-sensitive matching, even when it is not supposed to.
Example Scenario:
Expected Behavior: You configure a rule to match HTTP paths that begin with /abc and leave "Enable Match Case" unchecked (disabled).
Client Traffic: Any client traffic with paths like /ABC, /Abc, or /abc should match this rule.
Actual Behavior: Even with the "Enable Match Case" option disabled, the rule does not match client requests that are case variations of /abc. Instead, you see the error: "None of the authentication policy rules matched."
This error appears in the significant logs of the VS.
Resolution
Workaround:
As a temporary workaround to address this issue, use String Groups instead of custom values when configuring the authentication rules.
Navigate to Templates - String Group, create a new string group, and add the required custom value under strings.
In the authentication rule, instead of selecting the custom value directly, point the rule to the newly created String Group.
This configuration ensures that any client traffic, whether it uses /ABC, /ABc, /abc, etc., will hit the authentication policy.
A permanent fix is planned for future releases, where support for the "Enable Match Case" function for custom values in path matching will be fully integrated and functional.
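To find which existing rules need the String Group workaround, the following added example (not part of the original article and not VMware code) scans an exported SSO policy for path rules that use custom values with case-insensitive matching. The JSON field names (authn_rules, match_case, match_str, string_group_refs) and the sample policy are assumptions constructed for illustration; check them against your controller's actual export.

```python
import json

# Constructed sample of an exported SSO policy. Field names are assumptions;
# verify them against the export from your own controller.
SAMPLE_EXPORT = json.loads("""
{"name": "sso-policy-example",
 "authentication_policy": {"authn_rules": [
   {"name": "rule-custom-insensitive", "enable": true,
    "match": {"path": {"match_criteria": "BEGINS_WITH",
                       "match_case": "INSENSITIVE", "match_str": ["/abc"]}}},
   {"name": "rule-string-group", "enable": true,
    "match": {"path": {"match_criteria": "BEGINS_WITH",
                       "match_case": "INSENSITIVE",
                       "string_group_refs": ["/api/stringgroup/sg-example"]}}},
   {"name": "rule-custom-sensitive", "enable": true,
    "match": {"path": {"match_criteria": "BEGINS_WITH",
                       "match_case": "SENSITIVE", "match_str": ["/login"]}}},
   {"name": "rule-ip-only", "enable": true, "match": {}}
 ]}}
""")

def affected_rules(policy):
    """Return (rule name, custom values) for rules hit by the issue."""
    findings = []
    rules = policy.get("authentication_policy", {}).get("authn_rules", [])
    for rule in rules:
        path = (rule.get("match") or {}).get("path") or {}
        custom = path.get("match_str") or []
        # Affected: case-insensitive matching is requested, but the pattern
        # is a custom value rather than a String Group reference.
        if custom and path.get("match_case") == "INSENSITIVE":
            findings.append((rule.get("name", "<unnamed>"), list(custom)))
    return findings

def paths_that_still_match(custom_values, request_paths):
    """Model the observed behaviour: prefix compared case-sensitively."""
    return [p for p in request_paths
            if any(p.startswith(v) for v in custom_values)]

if __name__ == "__main__":
    probes = ["/abc", "/ABC", "/Abc/x"]
    for name, values in affected_rules(SAMPLE_EXPORT):
        print(f"{name}: move {values} into a String Group")
        print("  still matching:", paths_that_still_match(values, probes))
```

Rules that already reference a String Group, or that are meant to be case-sensitive, are not reported.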