Forum Discussion
CirrostratusAPM SSO Between NTLM and Forms Based
HI All,
I’ve been struggling to get this working and could use some insight. Here’s my setup: I have three applications under the same mycompany.com domain, each with its own virtual server and access policy, all in the same partition. All three currently use NTLM v2 authentication on the application side.
Two of them (APP1 and APP2) have full LTM+APM policies with login pages and AD authentication. The third (APP3) uses SSO only. Right now, they all share the same NTLM SSO profile, and everything runs perfectly. To access APP3, if there’s no active APM session, the user is redirected to APP1, logs in there, and then clicks a link to reach APP3 without reauthenticating.
Now, APP3 (which is SSO-only) is switching from NTLM to forms-based authentication. For my proof of concept, I replaced the NTLM SSO profile in APP3’s AP policy with a forms SSO profile. However, I can’t get the login to APP3 to work. Instead of getting logged in to the application I get forms authentication page presented to me. In fact, APP3’s web server logs don’t even show any POST requests from APM attempting to submit credentials.
APM log does not seem to reveal anything in debug mode. It only shown APP1 access policy being processed but the second you click on the app it records nothing SSO related.
Any advice is greatly appreciated.
Thanks,
Alex
4 Replies
- Injeyan_Kostas
Nacreous
Hello Alex,
So the redirect from App3 to App1 if there is no Apm session is happening from Apm policy or from the server?
If there is no login form in App3 APM policy how does it gets the credentials to construct the sso?
Is there a federation between App1 and App3 APM policies?
I believe that one single Apm policy with multidomain sso for both App1 and App 3 might fit better in your case.
- alex100
Redirect from APP3 to APP1 is facilitated by an iRule attached to APP3 VIP that checks for existing APM session. If no active session is found, redirect to APP1 virtual takes place. APP3 is using "SSO" type access policy profile. This type of profile does not have any front end elements but instead, it gets access to existing APM session and is able to pass existing APM session variables to another application. Also to mention, SSO between access policies is done using single authentication domain "mycompany.com".
- Injeyan_Kostas
Thanx for the info alex100
Never use SSO profile type before.
So if understand correct this type of policy needs an irule to work. But from which policy it gets variable from? Any active session? Is this also defined through irule?
Is there any documentation for this type?
- alex100
Update:
I was able to get SSO logging working by creating a new logging profile with SSO logs set to debug mode and attaching it to the Form-Based Configurations I had set up. This allowed APM logs to capture all SSO-related activity. After reviewing the logs, it looks like the issue may be related to how the forms page is designed. The page is driven by multiple JavaScript scripts, which also generate session-based request attributes for the ASP.NET framework on the server side. For some reason, after parsing the page it never submits a POST request as expected, though it’s not entirely clear why this happens.
