For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Aug 24, 2015

First understand that an access policy is, by default, defined by its associated host name (VIP FQDN). When you start an access policy, APM will generate a cookie to the client that is "scoped" to the host name that the client is using. And every time the client sends a new request it sends this cookie back to APM. The token inside that cookie maps to a session table entry in APM that stores all of the session information (ie. variables) for a given session. If you have three virtual servers, with three separate FQDNs, a client will have three separate APM session cookies, one for each host name, and these will be three separate session table entries. If you use a domain cookie you can effectively short circuit that by allowing the browser to send the same cookie to multiple host names that match a domain pattern. In this case you'll have ONE session table entry across three separate applications. SSO (ie. server side authentication) gets its inputs from stored variables within a given session, so in order to use the same SSO for multiple applications, and provide single sign-on, you'd generally need to do something like domain cookies or APM multi-domain mode to have all of the applications share a single session.

 

But, when i tried mutli domain SSO with different applications under the same Virtual server, it didn't work and this happened

 

You started by saying there were separate VIPs, so not sure what you mean here.