Forum Discussion
APM: SSO between two virtual servers
- Oct 03, 2017
Hello Hugo,
Not sure why you are using multi-domain SSO when, by all accounts, your domain is not changing: app1.domain.com/app2.domain.com.
Just specify domain.com as your SSO domain and use single-domain SSO. Then, when you go to the second virtual server with its own policy, include the same SSO object.
Hi Hugo,
To do Multi Domain SSO you need a separate resource to handle the sign-in. The configuration results in app1 and app2 redirecting to the sign-in resource.
The problem may lie with how you need to do authentication to the servers. If you need to post the entered username/password from the login page, you will be challenged to complete the authentication since the password is not presented to the web server.
If you are able to change the authentication method (Kerberos, SAML, etc), then you have options available to use the authentication token provided by the login resource.
We are in the unfortunate position of not being able to use seamless SSO for one app because it requires the username/password to be posted in a form, and no other options are currently available. All of our other apps support either Kerberos or SAML for authentication.
The following section of the v12.0 documentation is relevant to what you are trying to do:
Hope that helps.
Regards,
JohnB
- Hugo_Frauches_2 Oct 02, 2017
Cirrus
Hello John,
We are using the BIG-IP v13 here in the company, but I will look at the reference link. Also, I was thinking about some way to reuse the first session created by the APM. Is this a possible solution?
- jberkers42_2403 Oct 02, 2017
Nimbostratus
Hi Hugo,
I've not yet had the opportunity to have a look at v13, perhaps I should create one soon.
From what I understand about APM, setting up the "Authentication resource" is what allows the session to be re-used in multi-domain SSO. I am pretty sure that you cannot re-use the session from the first app (using Form POST?). I did try this at one point, but could not get it to work.
If we could, that is what we would be using for ourselves.
I don't think that v13 changes any of this functionality; most of the changes are UI re-organisation, from what the F5 SEs are telling me.
Hope that clears things up.
Regards,
JohnB