offload IDP certificate authentication to external reverse proxy (SSL offloading) usage of sid parameter values

Dear All,

We are trying to offload the certificate authentication to our F5 BIG-IP proxy server and insert a specific header with certificate information in it. This is working fine; more information on how we do that is explained here. However, the solution is not stable, as the sid parameter seems to change in certain circumstances we don't understand at the moment.

https://community.f5.com/t5/technical-forum/request-client-cert-auth-based-on-url/td-p/294453

The way we do that is to detect the application sending the SAML POST request to the IAM IDP URL /nidp/idff/sso?sid=1&sid=1 (in portal mode) or /nidp/idff/sso?sid=0&sid=0 (while accessing the SP URL directly), and in the Referer header we detect the SP application URL name. The F5 then sends a cert auth popup and inserts the result towards the IDP server. This way we are able to perform cert auth for certain application URLs and not for others.

We have seen that in some scenarios the sid value changes, so we would like to clarify exactly which sid values there can be and what the purpose of each value is.

sid=0 (we see this while accessing directly the SP URL)

sid=1 (we see this while accessing portal mode and click on the application)

sid=2 (I have seen this but not sure when this is used)

sid=? (maybe there are more values with different purpose?)
Could someone provide more details on this specific sid variable, its values and their purpose, and/or perhaps share experience with offloading cert authentication to a reverse proxy solution?

Thanks a lot!
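The proxy decision described in the post (match the SAML POST to the IDP sso endpoint, match the SP via the Referer header, then pass certificate data on in a header), modelled in plain Python as an added example rather than the poster's F5 configuration. It assumes the path /nidp/idff/sso, a constructed list of SP hostnames in CERT_AUTH_SP_HOSTS, and a placeholder header name X-Client-Cert; it also strips any client-supplied copy of that header before forwarding, which is the check an offloading proxy needs so that only the value it obtained from the TLS handshake reaches the IDP.

```python
# Added example, not code from the original post or from F5/NetIQ.
# Assumptions: IDP endpoint path /nidp/idff/sso, constructed SP hostnames,
# and a placeholder header name for the forwarded certificate data.
from urllib.parse import urlsplit, parse_qs

IDP_SSO_PATH = "/nidp/idff/sso"
CERT_AUTH_SP_HOSTS = {"sp1.example.com", "sp2.example.com"}  # constructed sample
CERT_HEADER = "X-Client-Cert"  # placeholder; the real header name is site-specific


def sid_values(uri):
    """Return every sid value in the query string, e.g. '?sid=1&sid=1' -> ['1', '1'].
    The post observes sid=0, sid=1 and sid=2; the value is recorded, not relied on."""
    return parse_qs(urlsplit(uri).query).get("sid", [])


def is_idp_sso_post(method, uri):
    """True for the SAML POST to the IDP sso endpoint, whatever sid it carries."""
    return method == "POST" and urlsplit(uri).path == IDP_SSO_PATH


def referer_host(headers):
    """Hostname from the Referer header, or None when the header is absent."""
    ref = headers.get("Referer")
    return urlsplit(ref).hostname.lower() if ref else None


def requires_cert_auth(method, uri, headers):
    """Decide whether the proxy should demand a client certificate for this request:
    only for the sso POST and only when the Referer names a configured SP host."""
    if not is_idp_sso_post(method, uri):
        return False
    return referer_host(headers) in CERT_AUTH_SP_HOSTS


def forward_headers(headers, client_cert_subject=None):
    """Build the header set sent on to the IDP. Any client-supplied copy of the
    certificate header is dropped first (case-insensitively), so only a value the
    proxy itself obtained from the TLS handshake is ever forwarded."""
    out = {k: v for k, v in headers.items() if k.lower() != CERT_HEADER.lower()}
    if client_cert_subject is not None:
        out[CERT_HEADER] = client_cert_subject
    return out
```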