Configuring SSO for multiple hostnames pointing at the same VIP

I might also add that using a domain cookie for multiple APM VIPs, and/or the APM multi-domain configuration, prevents the use of any access policy evaluations in subsequent VIPs. In other words, if you authenticate to one APM VIP and get a domain session cookie, then hit another APM VIP, the access policy applied to that VIP will basically be ignored. Further, of you simply use a domain cookie to share an access session across VIPs, you might necessarily have to apply the same access policy authentication mechanisms to all of the VIPs (duplicated effort), unless you can guarantee a user will go to a single VIP before touching the others. The multi-domain option at least forces all authentication to happen on one VIP. If you want to force any kind of policy evaluation at each VIP, not just authentication, but lookups, etc., then SAML is another option. Federating access across a single IdP and multiple SPs would allow you to provide SSO to all, but still allow you the freedom to perform separate access session evaluations at each.