Forum Discussion
APM - SSO login using creds from windows login
Hey,
I have a client who wants APM for front-ending different applications, some using SAML, some hosted internally. What the company wants is for the clients inside the network to be able to log in to these applications without a login page. Outside the network they want the users to have a login page. Is this even possible?
I know the F5 can check for certificates, but I am not aware of any way for the F5 to query locally stored credentials (like how Internet Explorer is able to via its SSO).
Thank you for your time.
10 Replies
- Kevin_Stewart
Employee
You can use any number of options for client side authentication, including certificates, user/pass logon form, RSA, and Kerberos. It would definitely be conceivable to present a logon page to external users and a 401/Kerberos challenge to internal (AD domain-joined) users, assuming you can differentiate the users on initial request. Are external and internal users coming from different source address subnets?
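As an added illustration of the branching Kevin describes (this is not code from the thread or from F5; it only models the decision an APM access policy would make): classify the client by source address, send domain-joined internal clients a 401 with a `WWW-Authenticate: Negotiate` challenge, and send everyone else the logon form. The RFC 1918 ranges, the `token_is_valid` callback standing in for the Kerberos/AD check, and the fallback to the logon page on a failed Kerberos attempt are all assumptions made for the example.

```python
import ipaddress
from typing import Callable, Dict, Tuple

# Assumption: "internal" means an RFC 1918 source address, as the thread proposes.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(src_ip: str) -> bool:
    """True if the client address falls in one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in RFC1918)


def accept_any_token(token: str) -> bool:
    """Stand-in for the Kerberos/AD validation APM would perform (assumed)."""
    return bool(token)


def access_decision(src_ip: str, headers: Dict[str, str],
                    token_is_valid: Callable[[str], bool] = accept_any_token
                    ) -> Tuple[int, Dict[str, str], str]:
    """Return (HTTP status, response headers, policy branch) for one request.

    Internal client, no Authorization header -> 401 Negotiate challenge.
    Internal client, valid Negotiate token    -> allowed (Kerberos SSO).
    Internal client, bad token                -> fall back to the logon page.
    External client                           -> logon page.
    """
    if is_internal(src_ip):
        auth = headers.get("Authorization", "")
        if auth.startswith("Negotiate "):
            token = auth[len("Negotiate "):]
            if token_is_valid(token):
                return 200, {}, "kerberos-ok"
            # Domain-joined check failed (expired password, non-domain machine):
            # hand the user the same logon form externals get.
            return 200, {"Content-Type": "text/html"}, "logon-page"
        return 401, {"WWW-Authenticate": "Negotiate"}, "kerberos-challenge"
    return 200, {"Content-Type": "text/html"}, "logon-page"


# Constructed sample exchange: internal browser first hits the challenge,
# then replies with a SPNEGO token; an external client gets the form directly.
if __name__ == "__main__":
    print(access_decision("10.1.2.3", {}))
    print(access_decision("10.1.2.3", {"Authorization": "Negotiate YIIB..."}))
    print(access_decision("203.0.113.5", {}))
```

The source-address test is only as trustworthy as the network path: if external traffic can reach the same virtual server via a NAT or proxy that presents an RFC 1918 address, it will be offered the Kerberos branch rather than the logon form.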
- blwavg_10621
Nimbostratus
To the best of my knowledge all internal users would be coming from RFC 1918 addresses. Any external users would be coming from non-RFC 1918 addresses.
In my mindset, the APM flow would allow domain-authenticated machines to connect to the resource and, if it fails, they would be presented with a logon page.
I am currently looking up information on the 401/Kerberos challenge right now to see if this can fit my needs. Please let me know if you have any (or can point me to) documentation on how it works.
I am currently reviewing this: http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-aaa-auth-config-11-4-0/3.html
It looks very promising
- Thomas_Gobet
Nimbostratus
Hi,
Is the internal traffic passing through the APM mechanism ?
In other words, do you need to filter anything with APM when your client is inside the network? Because what you can have is direct access for your internal clients, and an Access Policy applied on the other virtual server. This kind of configuration can be based on source IP filters.
- blwavg_10621
Nimbostratus
For some applications yes, internal users will go through APM as well as external users. This is because the client wants to use SSO so the user does not have to go through a login screen after they have already logged in (both the login and the application tie back to the same authentication mechanism) if they are on the network. If they are not on a domain machine externally or, let's say, their password has expired, they need a mechanism such as a login page to authenticate the user. So for this reason, I do not believe source filters or split-brain DNS should be used to differentiate internal and external users. There are also some SAML-based resources that are hosted externally that they want the client to be able to connect to without a login page while on the network. I want to see if they can use the same method for internal users to access those resources without a login page. This is not an example of the work I am doing, but being able to log in to Salesforce via SSO from your machine's login credentials.
- blwavg_10621
Nimbostratus
Wow you guys. Thank you for all of the information. I am going to review the information and see what works. I will follow up with a detailed response today or tomorrow.
- blwavg_10621
Nimbostratus
I am waiting on some required resources so I can finish building this. It is taking time, but I will post what I find. Sorry for the late response.
- blwavg_10621
Nimbostratus
This works awesome. Thank you Michael and Kevin.
- Glad to hear!