APM: SSO between two virtual servers
Hello,
I'm having a hard time configuring SSO for multiple virtual servers. I don't know the right way to work with multi-domain SSO and need some advice on how multi-domain SSO works.
I have two virtual servers with two APM policies, one policy for each Virtual server.
2) The client connects to the first virtual server (app1.domain.com) and authenticates via forms with the BIG-IP. SSO is configured so that any other links in the same domain carry the authentication.
3) He then opens another application (app2.domain.com) via a shortcut on the web page. It opens an iFrame and calls the other virtual server, which asks the user to authenticate again.
My question is, is there any way to carry the authentication from the first virtual server over to the other virtual server? The main problem is that after the iFrame is called and it calls the other virtual server, it opens a different session in APM. Does multi-domain SSO work with this configuration?
- jberkers42_2403
Nimbostratus
Hi Hugo,
To do Multi Domain SSO you need a separate resource to handle the sign-in. The configuration results in app1 and app2 redirecting to the sign-in resource.
The problem may lie with how you need to do authentication to the servers. If you need to post the entered username/password from the login page, you will be challenged to complete the authentication since the password is not presented to the web server.
If you are able to change the authentication method (Kerberos, SAML, etc.), then you have options available to use the authentication token provided by the login resource.
We are in the unfortunate position of not being able to use seamless SSO for one app because it requires the username/password to be posted in a form, and no other options are currently available. All of our other apps support either Kerberos or SAML for authentication.
The following section of the v12.0 documentation is relevant to what you are trying to do:
Hope that helps.
Regards,
JohnB
Hello John,
We are using BIG-IP v13 here in the company, but I will look at the reference link. Also, I was thinking about some way to reuse the first session created by the APM. Is this a possible solution?
- jberkers42_2403
Nimbostratus
Hi Hugo,
I've not yet had the opportunity to have a look at v13, perhaps I should create one soon.
From what I understand about APM, setting up the "Authentication resource" is what allows the session to be re-used in multi-domain SSO. I am pretty sure that you cannot re-use the session from the first app (using Form POST?). I did try this at one point, but could not get it to work.
If we could, that is what we would be using for ourselves.
I don't think that v13 changes any of this functionality, most of the changes are UI re-organisation from what the F5 SEs are telling me.
Hope that clears things up.
Regards,
JohnB
- Kevin_Davies_40
Nacreous
Hello Hugo,
Not sure why you are using multi-domain SSO when, from all accounts, your domain is not changing (app1.domain.com / app2.domain.com).
Just specify domain.com as your SSO domain and use single domain SSO. Then when you go to the second virtual server with its own policy include the same SSO object.
Dear Kevin,
Thanks for the reply. I tried to use the single SSO domain configured in the virtual servers' APM policies, but it didn't work with separate policies, so I had to make some changes: I set up a single APM session policy for both virtual servers but created a different per-request APM policy for each virtual server, and it worked! When the user clicks on the link and opens the iFrame, it calls the other virtual server and uses the cookie domain authentication for SSO, but the authorization is done in the per-request policies.
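The browser-side mechanism that Kevin's suggestion and Hugo's working configuration both rely on is cookie domain scoping: a session cookie that app1.domain.com sets with no Domain attribute is host-only and is never sent to app2.domain.com, so the second virtual server starts a fresh APM session; a cookie scoped to domain.com is presented to every host under that domain, while a host in a second domain (where JohnB's multi-domain SSO with a separate sign-in resource is needed) still receives nothing. The following is an added example, not F5 code from the thread: it implements RFC 6265 domain matching and applies it to constructed cookie jars. The host names and the APM session cookie name are assumptions modelled on the discussion.

```python
# Added illustration, not F5 code: RFC 6265 cookie domain matching applied to the
# hosts in this thread. Host names and the APM session cookie name (MRHSession)
# are assumptions modelled on the discussion; the cookie jars are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str        # effective domain as the browser stores it: lowercase, no leading dot
    host_only: bool    # True when Set-Cookie carried no Domain attribute


def is_ip_literal(host: str) -> bool:
    """RFC 6265 never domain-matches an IP address against a suffix."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the host equals the cookie domain, or is a
    subdomain of it (label boundary required) and is not an IP literal."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().strip(".")
    if host == dom:
        return True
    return host.endswith("." + dom) and not is_ip_literal(host)


def is_sent(cookie: Cookie, request_host: str) -> bool:
    """Browser rule: a host-only cookie goes back only to the exact host that
    set it; a domain cookie goes to that domain and all of its subdomains."""
    host = request_host.lower().rstrip(".")
    if cookie.host_only:
        return host == cookie.domain
    return domain_matches(host, cookie.domain)


def cookies_sent(jar, request_host):
    """Names of the cookies the browser would attach to a request to request_host."""
    return sorted(c.name for c in jar if is_sent(c, request_host))


def sso_coverage(jar, hosts):
    """Map each application host to the session cookies it would receive."""
    return {h: cookies_sent(jar, h) for h in hosts}


# Scenario 1 (constructed): app1 sets the APM session cookie without a Domain
# attribute. app2.domain.com never sees it, so APM has to start a second session.
HOST_ONLY_JAR = [Cookie("MRHSession", "app1.domain.com", host_only=True)]

# Scenario 2 (constructed): the cookie domain is set to domain.com, so the same
# session cookie is presented to every virtual server under that domain.
SHARED_JAR = [Cookie("MRHSession", "domain.com", host_only=False)]

if __name__ == "__main__":
    apps = ["app1.domain.com", "app2.domain.com", "app3.otherdomain.com"]
    print("host-only cookie:", sso_coverage(HOST_ONLY_JAR, apps))
    print("domain.com cookie:", sso_coverage(SHARED_JAR, apps))
```

Running it shows app2.domain.com receiving the session cookie only in the second scenario, and app3.otherdomain.com receiving it in neither, which is exactly the boundary between single-domain and multi-domain SSO. The caveat a practitioner should keep in mind: a cookie scoped to domain.com is sent to every host under domain.com, so any weakly protected host in that zone also receives the APM session cookie; widen the cookie domain only as far as the SSO actually requires.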