Inconsistent results for IDP's hidden input field of TARGET, depending on if the AG cluster that redirects the browser to the IDP has just one Reverse Proxy definition or multiple.
If the AG cluster that redirects the user has only a single Reverse Proxy definition (plus any number of Proxy Services defined within it), when a browser accesses any one of those Proxy Services -- say, https://mail.company.com/somepath/somefile -- once they have been redirected to the IDP, if you "View Source" on that login form you can see that within the hidden input field called TARGET that the contents of the field are precisely the URL you had originally requested: https://mail.company.com/somepath/somefile
However, if you add two or more Reverse Proxy definitions to that same AG cluster (plus any number of Proxy Services defined for each Reverse Proxy), then when a browser accesses that same "https://mail.company.com/somepath/somefile" protected resource, once they have been redirected to the IDP, if you "View Source" on that login form you can see that within the hidden input field called TARGET that the contents of the field now is mangled with a cryptic LAGBroker from the ESP URL:
https://beta-esp.company.com/LAGBroker?%22https://mail.mycompany.com/somepath/somefile%22
Obviously, this manipulation of the TARGET is not required for the IDP or the AG's ESP to successfully continue this session authentication, because I can edit that TARGET to strip out all of that LAGBroker "junk" and in its place put just the simple "https://mail.company.com/somepath/somefile" URL -- and after authentication I am sent straight there without issue.
Needless inconsistency of behavior.
- Stefan
If the AG cluster that redirects the user has only a single Reverse Proxy definition (plus any number of Proxy Services defined within it), when a browser accesses any one of those Proxy Services -- say, https://mail.company.com/somepath/somefile -- once they have been redirected to the IDP, if you "View Source" on that login form you can see that within the hidden input field called TARGET that the contents of the field are precisely the URL you had originally requested: https://mail.company.com/somepath/somefile
However, if you add two or more Reverse Proxy definitions to that same AG cluster (plus any number of Proxy Services defined for each Reverse Proxy), then when a browser accesses that same "https://mail.company.com/somepath/somefile" protected resource, once they have been redirected to the IDP, if you "View Source" on that login form you can see that within the hidden input field called TARGET that the contents of the field now is mangled with a cryptic LAGBroker from the ESP URL:
https://beta-esp.company.com/LAGBroker?%22https://mail.mycompany.com/somepath/somefile%22
Obviously, this manipulation of the TARGET is not required for the IDP or the AG's ESP to successfully continue this session authentication, because I can edit that TARGET to strip out all of that LAGBroker "junk" and in its place put just the simple "https://mail.company.com/somepath/somefile" URL -- and after authentication I am sent straight there without issue.
Needless inconsistency of behavior.
- Stefan