Hello All, I am trying to figure out why sso using a domain cookie is not working for just one of my applications. I am running 12.1.2 and have domain cookie working for other applications so not sure why this one is not cooperating. Current configuration I have a webtop (webtop.test.com) with application that is not allowing SSO at the moment (app1.test.com) Webtop.test.com Access policy that uses Logon page > AD Auth > SSO Credential Mapping > Advanced Resource assignAdvanced resource assign has portal access, few SAML, webtop, and webtop linksAccess Policy is set to Global for Profile ScopeSSO/Auth Domains has domain cookie test.com and Secure flag checked app1.test.com textapp1.test.com is a virtual server on the BIGIPaccess policy Logon page > AD Auth > SSO Credential MappingAccess Policy is set to Global for Profile ScopeSSO/Auth Domains has domain cookie test.com and Secure flag checked Issue When I login to the webtop and click on the link to app1 I am getting prompted to login again via the app1 access policy login page. Troubleshooting I can see using sso tracer that the cookie that is created when logging in to webtop is not being used by app1 because it creates a new LastMRH Session id.I have tried to add persistent to sso/Auth domains I have another app app2 that is configured the same way but this one works as I would expect.If I login directly to app2 then open a new tab and go to app1 domain cookie is working as I am not prompted to login again.I have enabled debug on webtop and app1 but the apm log doesn't show anything useful for app1 since it doesn't login.I have tested on Chrome, Firefox, Edge and IE11 all have same issue for sso to app1 from webtop. Any ideas would be greatly appreciated. Thanks

Your question is not that clear , Domain Cookie is used to bypass multiple login prompt to different access profiles' login pages for a user that already been authenticated to one of the access profiles , what am getting from your question is that SSO for app1 is not working . right ?

Thanks for the response. You are correct SSO for app1 is not working when I have first authenticated to the webtop that I have configured. Both app1 and webtop are configured to use AD authentication and I can get SSO to work when authenticating to another virtual server just not when authenticating to a webtop. However sso from webtop to app2 works without any issues.

What type of SSO is used for aap1 ? if it's a form based , please post a snapshots of your configuration and any http proxy's capture showing the authentication process of that application.

Maybe that is where I am doing something wrong. I am not using an SSO profile since I am only trying to take the username and password from the webtop access policy and apply those to the app1 access policy login. Where it is throwing me off is I can authenticate to app2 (this app has access policy applied to it that will ask for username and password) and open a new tab and go to app1 one without being prompted by the access policy for login. However if I go to webtop and authenticate first and try to go to app1 I will be prompted for username and password again.

In order to perform SSO , you need to define the login form parameters for app1 under the SSO tab in Access policy part .This way , after the user enters his username/password in APM login page , the APM will map this data and push it to the app1 login page as if the user entered it himself .You can assign different SSO profiles to differen Portal Access resources . is this clear to you ?

Forum Discussion

Nolan_Jensen_23

Nimbostratus

Jan 17, 2018

Domain Cookie SSO

Hello All,

I am trying to figure out why sso using a domain cookie is not working for just one of my applications. I am running 12.1.2 and have domain cookie working for other applications so not sure why this one is not cooperating.

Current configuration I have a webtop (webtop.test.com) with application that is not allowing SSO at the moment (app1.test.com)

Webtop.test.com

Access policy that uses Logon page > AD Auth > SSO Credential Mapping > Advanced Resource assign
Advanced resource assign has portal access, few SAML, webtop, and webtop links
Access Policy is set to Global for Profile Scope
SSO/Auth Domains has domain cookie test.com and Secure flag checked

app1.test.com

textapp1.test.com is a virtual server on the BIGIP
access policy Logon page > AD Auth > SSO Credential Mapping
Access Policy is set to Global for Profile Scope
SSO/Auth Domains has domain cookie test.com and Secure flag checked

Issue

When I login to the webtop and click on the link to app1 I am getting prompted to login again via the app1 access policy login page.

Troubleshooting

I can see using sso tracer that the cookie that is created when logging in to webtop is not being used by app1 because it creates a new LastMRH Session id.
I have tried to add persistent to sso/Auth domains
I have another app app2 that is configured the same way but this one works as I would expect.
If I login directly to app2 then open a new tab and go to app1 domain cookie is working as I am not prompted to login again.
I have enabled debug on webtop and app1 but the apm log doesn't show anything useful for app1 since it doesn't login.
I have tested on Chrome, Firefox, Edge and IE11 all have same issue for sso to app1 from webtop.

Any ideas would be greatly appreciated.

Thanks

application delivery

BIG-IP Access Policy Manager (APM)

domain cookie

full webtop

SSO

kolom
Altostratus
Jan 22, 2018
What type of SSO is used for aap1 ? if it's a form based , please post a snapshots of your configuration and any http proxy's capture showing the authentication process of that application.
Nolan_Jensen
Cirrostratus
Jan 22, 2018
Thanks for the response.

You are correct SSO for app1 is not working when I have first authenticated to the webtop that I have configured.

Both app1 and webtop are configured to use AD authentication and I can get SSO to work when authenticating to another virtual server just not when authenticating to a webtop.

However sso from webtop to app2 works without any issues.
kolom
Altostratus
Jan 22, 2018
Your question is not that clear , Domain Cookie is used to bypass multiple login prompt to different access profiles' login pages for a user that already been authenticated to one of the access profiles , what am getting from your question is that SSO for app1 is not working . right ?