

Richard_Jones
Nov 25, 2013

Configuring SSO for multiple hostnames pointing at the same VIP

I have three applications (app1, app2, and app3) all running as virtual hosts on one web server. I have an LTM virtual server configured to point to this web server (via a pool), and everything works with all three applications. All three hostnames resolve to this same virtual server. I am trying to configure APM so that once a user logs into APM for one of the applications, requests to the other applications will use the same APM session for the user and not prompt for authentication again. I have tried to configure the SSO/Auth Domains section of the Access Profile (both Single Domain and Multiple Domain), along with the SSO Credential Mapping (is it even needed in this case??) in the policy, but I can't seem to get it to work.


Any ideas? Thanks!


2 Replies

  • tiny_cloud_ninj
    Historic F5 Account

    Access Policy Manager has a feature named Domain Cookie. Domain Cookie is a configuration option that allows an administrator to link or SSO two or more APM Access Profiles. If two APM Access Profiles share the same Domain Cookie value, one APM Access Profile will accept a valid user session from another, meaning that if a user successfully authenticates to one APM Access Profile, they will not be required to authenticate to the second web application. When the client attempts to access the second web application, the APM will send the username and password to the defined SSO configuration object. If configured correctly, the user should automatically be logged into the second web application.


    http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-sso-config-11-4-0/5.htmlconceptid


  • I might also add that using a domain cookie for multiple APM VIPs, and/or the APM multi-domain configuration, prevents the use of any access policy evaluations in subsequent VIPs. In other words, if you authenticate to one APM VIP and get a domain session cookie, then hit another APM VIP, the access policy applied to that VIP will basically be ignored. Further, if you simply use a domain cookie to share an access session across VIPs, you might necessarily have to apply the same access policy authentication mechanisms to all of the VIPs (duplicated effort), unless you can guarantee a user will go to a single VIP before touching the others. The multi-domain option at least forces all authentication to happen on one VIP. If you want to force any kind of policy evaluation at each VIP, not just authentication, but lookups, etc., then SAML is another option. Federating access across a single IdP and multiple SPs would allow you to provide SSO to all, but still allow you the freedom to perform separate access session evaluations at each.
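The two replies above rest on ordinary browser cookie scoping: a host-only session cookie stays with the hostname that set it, while a cookie scoped to the parent domain is presented to every host under it, which is exactly why a second APM VIP in that domain sees an existing session and skips its own policy. The following added example (not from this thread or from F5) uses Python's `http.cookiejar` to show which of the questioner's three hostnames, plus an unrelated VIP in the same domain, would receive the session. The hostnames and cookie value are constructed, and the cookie name is assumed to be `MRHSession`, APM's session cookie.

```python
import http.cookiejar
import urllib.request
from email.message import Message

# Assumption: the name APM uses for its session cookie (not taken from the thread).
SESSION_COOKIE = "MRHSession"


class _LoginResponse:
    """Minimal stand-in for the APM login response; CookieJar only needs .info()."""

    def __init__(self, set_cookie_header):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._headers


def jar_after_login(login_host, set_cookie_header):
    """Store the session cookie the way a browser would after logging in at login_host."""
    jar = http.cookiejar.CookieJar()
    login_request = urllib.request.Request(f"https://{login_host}/")
    jar.extract_cookies(_LoginResponse(set_cookie_header), login_request)
    return jar


def session_presented_to(jar, host):
    """True if the browser would attach the stored session cookie to a request for host."""
    request = urllib.request.Request(f"https://{host}/")
    jar.add_cookie_header(request)
    return SESSION_COOKIE in (request.get_header("Cookie") or "")


def sso_scope(login_host, set_cookie_header, hosts):
    """Map each hostname to whether it receives the session established at login_host."""
    jar = jar_after_login(login_host, set_cookie_header)
    return {host: session_presented_to(jar, host) for host in hosts}


# Constructed sample: the three virtual hosts from the question plus an unrelated APM VIP.
HOSTS = ["app1.example.com", "app2.example.com", "app3.example.com", "intranet.example.com"]

# No Domain Cookie configured: the cookie is host-only, so each hostname gets its own login.
HOST_ONLY = f"{SESSION_COOKIE}=constructed-session-id; Path=/; Secure"
# Domain Cookie set to example.com: every host under example.com shares the session,
# including intranet.example.com, whose own access policy would then not be evaluated.
DOMAIN_COOKIE = f"{SESSION_COOKIE}=constructed-session-id; Domain=example.com; Path=/; Secure"

if __name__ == "__main__":
    for label, header in (("host-only", HOST_ONLY), ("domain cookie", DOMAIN_COOKIE)):
        print(label, sso_scope("app1.example.com", header, HOSTS))
```

Run it to see that the domain cookie reaches all four hosts, which is the scope you must be comfortable with before sharing a session that way.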