Kumarchamp
Jun 29, 2015

APM SSO re-authenticates after the 900 second inactivity timeout.

Hello All,

I am a newbie to F5, so kindly bear with me if my queries are basic in F5. But I did google a lot before posting this.

We have two applications A & B with the same domain cookie abc.xyz.com. APM is configured with SSO NTLMv2. Cookie options: secure & persistent.

When accessing the first application via the browser, APM presents the logon page > I enter credentials > successfully logged in.

When accessing the second application via the same browser, APM allows login directly without the web logon page, provided the Access profile inactivity timeout has not expired (default 900 seconds).

The problem comes if I access the second application after the 900 second inactivity timeout: then the APM logon page is presented and I need to enter the credentials again.

I understand that setting the inactivity timeout to 24 hours may fix the issue, but it will result in another problem of sessions getting stacked for these 24 hours, which will run into the maximum concurrent session limitation.

Is there any other way, such as an iRule, to get the single sign-on feature for at least 24 hours without changing the default inactivity timeout of 900 seconds? Am I missing any SSO related config in APM?

Thanks in advance for your help!

 

3 Replies

  • We had a requirement to modify the session timeout based on IP subnet, and found that we could change a session variable during logon to handle this.

    We added an access policy event in the VPE and then used the ACCESS::session data set session.inactivity_timeout 99999 command within the ACCESS_POLICY_AGENT_EVENT event to update the session timeout.

    Hope this helps.

    (Another option would be getting the application to poll the server every so often while the page is open, or using the stream rewriter to inject some custom JavaScript to do something similar. I wouldn't necessarily recommend it without solid testing, as it can be tricky to inject JavaScript only where you want it sometimes, but I have done something similar to it.)
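As an added illustration of the mechanism the reply above describes (this is example code, not the poster's own iRule), the handler below runs when an iRule Event agent in the VPE fires, and sets session.inactivity_timeout per session. The agent ID "set_timeout" and the address data group trusted_subnets are assumptions; session.user.clientip is the standard APM session variable holding the client address. Sessions from the trusted data group get a 24 hour timeout, everything else keeps the profile's 900 seconds, which limits how many long-lived sessions accumulate in the session table.

```tcl
# Added example, not the poster's iRule: an ACCESS_POLICY_AGENT_EVENT handler
# that applies a longer inactivity timeout only to sessions whose client IP
# falls in a trusted address data group. Names below are assumptions:
#   "set_timeout"    - the Agent ID configured on the iRule Event agent in the VPE
#   trusted_subnets  - an address-type data group on the BIG-IP (e.g. 10.0.0.0/8)
when ACCESS_POLICY_AGENT_EVENT {
    # Only act for the VPE agent we added; other iRule Event agents are ignored
    if { [ACCESS::policy agent_id] ne "set_timeout" } {
        return
    }

    # Client address recorded by APM when the session was created
    set client_ip [ACCESS::session data get session.user.clientip]

    # Default: keep the access profile's 900 second inactivity timeout
    set new_timeout 900

    if { [class match $client_ip equals trusted_subnets] } {
        # Extended timeout (24h = 86400 s) only for clients on trusted networks
        set new_timeout 86400
    }

    # The variable is per session, so both applications sharing this
    # session ID see the same timeout
    ACCESS::session data set session.inactivity_timeout $new_timeout
    log local0. "APM session [ACCESS::session sid]: inactivity_timeout set to $new_timeout for $client_ip"
}
```

Attach the iRule to the virtual server carrying the access profile, add an iRule Event agent to the VPE with the matching Agent ID, and confirm the change with the session variable listing in the APM session report after a logon.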

  • Hi,

    As APM uses the same session ID for both applications, if you change the variable session.inactivity_timeout, it is the same behavior as changing the Access profile inactivity timeout.

    Once the inactivity timeout is reached, the session is deleted from the APM session table... If you want to allow SSO for 24H, you must configure the inactivity timeout as 24H.

    If you use LTM+APM profiles, the user limit is not the APM CCU license but the Access Session license, which is a limit of the appliance model and not upgradable with an add-on license (except the 7000 and 10000 appliances)...

  • I think what you need is SAML...

    A SAML IdP server (not F5 APM; search for Shibboleth) which authenticates users for 24h, and a SAML SP server (F5 APM) which redirects users to the IdP server if a session is not present.

    If the IdP server receives a request for an existing user session, it will redirect the user to the APM with the SAML assertion, allowing APM to create a session seamlessly.

    This allows you to manage the user authentication timeout on the IdP as 24h and on the SP as 900 seconds...

    The only limitation is that APM does not know the user's password, so NTLM SSO is not available in this case and must be replaced by Kerberos Constrained Delegation (Kerberos SSO).