Forum Discussion

tminfw2's avatar
tminfw2
Icon for Nimbostratus rankNimbostratus
May 06, 2016

Client authentication methods versus Single Sign On methods

Currently, we mostly have the following structure for our APM profiles:   Present a logon page Verify entered username/password using any of these methods: LDAP, AD, Radius,... Map username and...
BIG-IP Access Policy Manager (APM)
security
Yann_Desmarest's avatar
Yann_Desmarest
Icon for Cirrus rankCirrus
May 06, 2016

Hello,

 

You are right, when choosing Kerberos, client certificate or ntlm authentication, you retrict your capabilities on the authentication mecanism supported on the backend for SSO.

 

When using authentication mecanism not prompting for password, you can only use kerberos delegation, saml or header based SSO.

 

  • tminfw2's avatar
    tminfw2
    Icon for Nimbostratus rankNimbostratus
    May 06, 2016
    In this case, server side SSO is ntlmv2. If I understand well, does this mean that I am limited to also using ntlm on the client side?
  • Yann_Desmarest's avatar
    Yann_Desmarest
    Icon for Cirrus rankCirrus
    May 06, 2016
    If sso is ntlmv2, you have the options to use basic or forms based client auth because we need the password. Ntlmv2 client auth with ntlmv2 sso doesn't make sense and asaik is not supported through apm.
  • tminfw2's avatar
    tminfw2
    Icon for Nimbostratus rankNimbostratus
    May 06, 2016
    Just checked the ntlmv2 SSO config and indeed you need a password source for the SSO profile. I will take this up with my team next week.