Forum Discussion
APM SSO Conf. help
Hi, we have an access profile configured with SSO conf. This access profile is attached to different virtual servers, and each virtual server has a different pool serving. When a user enters each VS logon page, he is prompted to enter credentials and then SSO is made with the back end server. Is there a way that after the 1st VS successful login, APM will cache the user credentials and make SSO for all upcoming virtual server logon pages, and after that SSO with the relevant back end server? Note: all virtual servers are linked to one access profile.
7 Replies
- Michael_Jenkins
Cirrostratus
- Stanislas_Piro2
Cumulonimbus
One other solution is to define a domain cookie name.
By default, if you don't configure a domain cookie, the cookie will be per hostname.
if all VS share the same domain:
- mail.company.com
- intranet.company.com
- sharepoint.company.com
you can define for all access profiles the domain name "company.com", and the MRHSession cookie will be shared between all VS profiles.
In my case, I have different applications like Exchange, SharePoint and so on... Each application is served by a VS. All virtual servers are linked to the same access profile. For a single user, he can access all applications using his Active Directory credentials. So, I think multiple domain auth will not help in this case, right? We need to make this user access for example Exchange using its VS, and after that, when he tries to access all other applications' virtual servers, he will no longer need to enter credentials again.
- Stanislas_Piro2
Cumulonimbus
You can use the multiple domain SSO feature with hosts and not domains...
The difference between both features is:
- with single domain SSO, you authenticate on one of the URLs and the cookie is sent to the browser for the whole domain
  - when the user accesses every web site in the domain, the cookie will be sent even if there is no APM.
- with multi domain SSO, you define one URL which is the authentication URL (ex: login.company.com)
  - when the user requests sharepoint.company.com, he is redirected to https://login.company.com
  - the user authenticates on APM
  - after authentication, the user is redirected to sharepoint.company.com with the sharepoint session cookie
  - when the user requests exchange.company.com, he is already authenticated
Be careful not to define SSO multi domain to test and then roll back to single domain... as you can't remove the last multi domain item, it remains in the configuration and can generate strange behavior...
I did it on one customer site and I needed to remove the last item with tmsh.
Before testing a multi domain profile, clone the profile and activate multi domain on the clone.
- Saadat
Nimbostratus
Piron, you saved me a lot of time. I was going back and forth with single and multidomain and was seeing inconsistent results. Thanks
- with single domain SSO, you authenticate on one of the URLs and the cookie is sent to the browser for the whole domain
I have tried session cookie caching, but when I try to go through the second app it redirects me to URL :
with this message: your session could not be established (invalid session id. your session may have expired). Any help?
- Kevin_Stewart
Employee
First understand that an access policy is, by default, defined by its associated host name (VIP FQDN). When you start an access policy, APM will generate a cookie to the client that is "scoped" to the host name that the client is using. And every time the client sends a new request it sends this cookie back to APM. The token inside that cookie maps to a session table entry in APM that stores all of the session information (i.e. variables) for a given session. If you have three virtual servers, with three separate FQDNs, a client will have three separate APM session cookies, one for each host name, and these will be three separate session table entries. If you use a domain cookie you can effectively short circuit that by allowing the browser to send the same cookie to multiple host names that match a domain pattern. In this case you'll have ONE session table entry across three separate applications. SSO (i.e. server side authentication) gets its inputs from stored variables within a given session, so in order to use the same SSO for multiple applications, and provide single sign-on, you'd generally need to do something like domain cookies or APM multi-domain mode to have all of the applications share a single session.
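Kevin's point about host-scoped versus domain-scoped session cookies, as an added illustration that is not code from this thread or from F5: a small model of browser cookie matching showing why three virtual servers default to three APM sessions, how a domain cookie collapses them into one shared session table entry, and (Stanislas's caveat above) that the shared cookie is also sent to any host in the domain that is not behind APM. Host names, the user name and the tokens are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Cookie:
    name: str
    value: str
    host_only: bool   # no Domain attribute set -> sent only to the issuing host
    domain: str       # the exact host (host-only) or the domain suffix

def domain_matches(request_host, cookie):
    """RFC 6265 style check: a host-only cookie goes to its host alone; a
    domain cookie goes to the domain itself and to every subdomain of it."""
    host, dom = request_host.lower(), cookie.domain.lower()
    if cookie.host_only:
        return host == dom
    return host == dom or host.endswith("." + dom)

def cookies_for(jar, request_host):
    return [c for c in jar if domain_matches(request_host, c)]

def simulate(hosts, domain_cookie=None):
    """Visit each APM-protected host once, in order. Returns (logon prompts
    shown, distinct session table entries). User and tokens are constructed."""
    jar, session_table, logons = [], {}, 0
    for h in hosts:
        if any(c.value in session_table
               for c in cookies_for(jar, h) if c.name == "MRHSession"):
            continue  # browser presented a cookie mapping to a live session
        logons += 1
        token = "tok%d" % logons
        session_table[token] = {"user": "alice", "logon_host": h}
        if domain_cookie:  # shared cookie: scoped to the whole domain
            jar.append(Cookie("MRHSession", token, False, domain_cookie))
        else:              # default: cookie scoped to the VS host name
            jar.append(Cookie("MRHSession", token, True, h))
    return logons, len(session_table)

def hosts_receiving_cookie(domain, candidate_hosts):
    """Hosts a domain-scoped MRHSession cookie would be sent to, including
    hosts in that domain that are not fronted by APM at all."""
    probe = Cookie("MRHSession", "x", False, domain)
    return [h for h in candidate_hosts if domain_matches(h, probe)]

if __name__ == "__main__":
    apps = ["mail.company.com", "intranet.company.com", "sharepoint.company.com"]
    print(simulate(apps))                               # (3, 3): one logon per VS
    print(simulate(apps, domain_cookie="company.com"))  # (1, 1): one shared session
    print(hosts_receiving_cookie("company.com", apps + ["legacy.company.com", "company.org"]))
```

The last call shows the exposure a domain cookie creates: legacy.company.com receives the session token even though it is not behind APM, which is why the cookie domain should be no wider than the set of hosts that actually need the shared session.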
But when I tried multi domain SSO with different applications under the same virtual server, it didn't work and this happened
You started by saying there were separate VIPs, so not sure what you mean here.