RSA Prime SSP Login Loop When Using F5 and Akamai WAF
a year ago
Article Number
000073285
Applies To

RSA Product Set: SecurID Access
RSA Product/Service Type: SecurID Access Prime, Self Service Portal (SSP)

Issue

In environments where the RSA Prime Self-Service Portal (SSP) is deployed behind both an Akamai Web Application Firewall (WAF) and an F5 Load Balancer, users may experience an issue where, after entering valid credentials and logging in, they are immediately redirected back to the login page, as if the session was never established.

This behavior creates a login loop, making it appear that authentication is failing, even though the credentials are correct. The issue occurs due to improper session persistence between the load balancer and the origin servers, which prevents the user session from being maintained across HTTP requests.

Cause

This issue is caused by a lack of proper session persistence at the load balancer layer. When Akamai forwards traffic to the origin, and the F5 Load Balancer distributes requests to the backend RSA SSP servers, a new TCP connection may be created for each request.

Without OneConnect enabled on the F5 Load Balancer, the F5 may open separate connections to different backend servers for each request, even within the same user session. This breaks the continuity of the session, causing the RSA Self-Service Portal to treat each request as a new unauthenticated session, hence redirecting the user back to the login page.
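
One way to confirm this cause from the backend access logs, as an added example that is not part of the original RSA article: the script flags sessions that logged in on one SSP node and were then redirected to the login page by a different node. The log format, node names, session values and the `/login` path are assumptions constructed for illustration.

```python
# Constructed sample: merged backend access log lines in a hypothetical format
#   time  session_cookie  backend_node  method  path  status  redirect_target
SAMPLE_LOG = """\
10:00:01 sess-a1 ssp-node1 POST /login 302 /home
10:00:02 sess-a1 ssp-node2 GET /home 302 /login
10:00:09 sess-b7 ssp-node2 POST /login 302 /home
10:00:10 sess-b7 ssp-node2 GET /home 200 -
10:00:15 sess-c3 ssp-node1 POST /login 302 /home
10:00:16 sess-c3 ssp-node1 GET /home 200 -
10:00:20 sess-c3 ssp-node2 GET /profile 302 /login
"""

LOGIN_PATH = "/login"  # assumed login URL; adjust to the deployment
FIELDS = ("time", "session", "node", "method", "path", "status", "location")


def parse(log_text):
    """Yield one dict per well-formed line; skip blank or malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        yield dict(zip(FIELDS, parts))


def find_login_loops(log_text):
    """Return (session, login_node, bouncing_node, time) tuples.

    A finding is recorded when a request carrying a session cookie is served
    by a different backend than the one that handled that session's login
    POST, and the response redirects back to the login page.
    """
    login_node = {}  # session -> node that processed the login POST
    findings = []
    for rec in parse(log_text):
        sid = rec["session"]
        if rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            login_node[sid] = rec["node"]
            continue
        origin = login_node.get(sid)
        bounced = rec["status"] == "302" and rec["location"] == LOGIN_PATH
        if origin and origin != rec["node"] and bounced:
            findings.append((sid, origin, rec["node"], rec["time"]))
    return findings


if __name__ == "__main__":
    for sid, origin, other, when in find_login_loops(SAMPLE_LOG):
        print(f"{when} session {sid}: logged in on {origin}, bounced by {other}")
```

Findings that disappear after the load balancer change indicate that requests for a session are staying on the node that created it.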

Resolution

To resolve this issue, enable OneConnect on the F5 Load Balancer for the virtual server handling RSA SSP traffic.

OneConnect ensures that multiple HTTP requests from the same client (even if they are separate TCP connections) are forwarded to the same backend server. This allows the user session to be properly maintained and eliminates the login loop issue.

For more details on configuring OneConnect in environments using Akamai, refer to Akamai’s documentation:
Configuring a Load Balancer on the Origin to Properly Work with Akamai