Forum Discussion
disable re-auth for NA accesses to internal resources protected by Access Policies (2FA)
Hi
I have this use-case: users connect to an APM (Network Access). No SNAT, so the client virtual IP is then routed in the internal network. They must access some internal resources which are protected by the same APM (Access Policy with authentication). Specifically for those VPN-SSL users we would like to avoid the authentication step. My idea was to check in the internal resource policy VPE if the user's source IP (the NA virtual IP) is from the LeasePool subnet and not go through the standard authentication (2FA) for them. However, a session bound to a username is still required. Is there a way to check in the Access session table and perform a lookup based on the virtual client IP to get its SID, and from there the username bound to that SID?
Thanks
Alex
3 Replies
You could use APM's SAML for this. The user would get a SAML claim as part of their connection to the VPN and then the SAML claim would be used for single sign-on to your additional resources.
- Josiah_39459 (Historic F5 Account)
Alex, is the VPN a full tunnel? Or a split tunnel and the APM resources are inside the VPN? If the traffic comes through the VPN it shouldn't have to reauthenticate for those other VIPs. The only reason it would have to reauthenticate is if it didn't go through the tunnel and went directly to them, because it wouldn't send the session cookie. In that case, you could share the session cookie between the VIPs using a domain cookie.