different auth policies with different auth methods for different VIPs
Hi All,
I have one older set of apps that I want to isolate as much as possible. Not all our users require the apps, so I would like to only auth people if they need it. The primary apps use AD auth; the older ones use Novell eDir auth.
Today we have one monolithic per session policy which does our primary auth, then takes care of the secondary auth, expecting that their PWs are in sync. I am trying to come up with a way to separate them out and am thinking of putting the older apps behind separate VIPs and having a separate auth policy for those apps.
Concept
User logs into primary app on primary VIP. Gets session cookie and accesses primary apps. Later on in their session, they then need the older apps, so they hit the VIP for the older app and process a different per session policy which then provides them the credentials for the older app.
The thought in my mind is APM would already have a session, and if we cached the PW we could try to present that to Novell. If PWs are in sync, the user would auto auth in background and hit the resource. If PWs are not in sync, then pop a logon box and get their Novell creds.
I'd like to try out this theory in my sandbox and am wondering how to go about it. Would one create a secondary policy and make a test to look for an existing session? What would that session test look like?
It sounds like you need step up authentication.
Before step up authentication was added to APM, this could be achieved with the use of an iRule. It shows how to pass the credentials to a new session. Maybe it's of use to you.
https://community.f5.com/t5/codeshare/apm-full-step-up-authentication/ta-p/290913