APM with cookies - having issues with multiple sites
Hi,
You are pointing in the right direction.
When you are working with APM, make sure all access profiles' domain cookies are working together.
With your configuration:
- If the user first hits VS1, he will authenticate with SAML and receive a cookie for the whole test.com domain; then he browses VS2 --> the user is already authenticated because sharepoint.test.com is inside the test.com domain. It will use the test.com cookie, so it will be accepted according to the VS1 access policy.
- If the user first hits VS2, he will authenticate with SAML and receive a cookie for the whole sharepoint.test.com domain; then he browses VS2 --> must reauthenticate on VS1 (transparent auth because of SAML).
So if you want to authenticate users with SAML, never use a domain cookie (except if you want to save access sessions in the license count); leave it blank, which means the cookie is sent for the requested host.
For the SharePoint VS, it is recommended to use one of the following SharePoint iRules
These iRules add a persistent cookie with a smaller timeout than the SSO domain does and check that only non-browser clients can recover an existing session when the browser was closed.
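
The cookie scoping described in the reply above, as an added example that is not part of the original post: a small model of the RFC 6265 domain-match and host-only rules a browser applies when deciding whether to send a session cookie to a second virtual server. The host name used for VS1 (`portal.test.com`) is an assumption; only `sharepoint.test.com` and `test.com` come from the thread.

```javascript
// Added illustration of RFC 6265 cookie scoping. VS1's host name is a
// constructed assumption; it does not appear in the thread.

// RFC 6265 section 5.1.3: does the request host domain-match the cookie domain?
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === cookieDomain) return true;
  // IP literals never match as a sub-domain of anything.
  const isIp = /^[0-9.]+$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + cookieDomain);
}

// Model what the browser stores when setterHost sends Set-Cookie.
// An empty Domain attribute produces a host-only cookie.
function storeCookie(setterHost, domainAttr) {
  if (!domainAttr) return { domain: setterHost.toLowerCase(), hostOnly: true };
  // A server may only scope a cookie to its own host or a parent domain.
  if (!domainMatch(setterHost, domainAttr)) return null; // browser rejects it
  return { domain: domainAttr.toLowerCase().replace(/^\./, ""), hostOnly: false };
}

// Will the browser attach the stored cookie to a request for requestHost?
function isSent(cookie, requestHost) {
  if (!cookie) return false;
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatch(requestHost, cookie.domain);
}

const VS1 = "portal.test.com";     // hypothetical host name for VS1
const VS2 = "sharepoint.test.com"; // host named in the thread

function scenarios() {
  return {
    // Domain cookie from VS1: VS2 receives a session built by VS1's policy.
    vs1DomainCookieSentToVs2: isSent(storeCookie(VS1, "test.com"), VS2),
    // Domain cookie from VS2: VS1 never sees it, so SAML runs again there.
    vs2DomainCookieSentToVs1: isSent(storeCookie(VS2, "sharepoint.test.com"), VS1),
    // Blank domain (host-only): each virtual server keeps its own session.
    vs1HostOnlySentToVs2: isSent(storeCookie(VS1, ""), VS2),
    vs2HostOnlySentToVs2: isSent(storeCookie(VS2, ""), VS2),
  };
}

console.log(scenarios());
```

The first result is the case to watch when reviewing a configuration: a session cookie scoped to the parent domain means the second virtual server accepts a session that was only evaluated against the first server's access policy.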