Forum Discussion

Nolan_Jensen_23
Jan 17, 2018

Domain Cookie SSO

Hello All,

I am trying to figure out why SSO using a domain cookie is not working for just one of my applications. I am running 12.1.2 and have the domain cookie working for other applications, so I'm not sure why this one is not cooperating.

Current configuration: I have a webtop (webtop.test.com) with an application that is not allowing SSO at the moment (app1.test.com).

webtop.test.com

  • Access policy that uses Logon page > AD Auth > SSO Credential Mapping > Advanced Resource assign
  • Advanced resource assign has portal access, few SAML, webtop, and webtop links
  • Access Policy is set to Global for Profile Scope
  • SSO/Auth Domains has domain cookie test.com and Secure flag checked

app1.test.com

  • textapp1.test.com is a virtual server on the BIG-IP
  • access policy Logon page > AD Auth > SSO Credential Mapping
  • Access Policy is set to Global for Profile Scope
  • SSO/Auth Domains has domain cookie test.com and Secure flag checked

Issue

When I log in to the webtop and click on the link to app1, I am prompted to log in again via the app1 access policy login page.

Troubleshooting

  • I can see using SSO tracer that the cookie created when logging in to the webtop is not being used by app1, because it creates a new LastMRH_Session ID.
  • I have tried adding Persistent to SSO/Auth Domains.
  • I have another app, app2, that is configured the same way, but this one works as I would expect.
  • If I log in directly to app2, then open a new tab and go to app1, the domain cookie is working, as I am not prompted to log in again.
  • I have enabled debug on webtop and app1, but the APM log doesn't show anything useful for app1 since it doesn't log in.
  • I have tested on Chrome, Firefox, Edge and IE11; all have the same issue for SSO to app1 from the webtop.

Any ideas would be greatly appreciated.

Thanks

  • Without having access to the actual configuration, I'll not be able to identify the issue, but you can use iRules to insert a specific cookie in the response from the login page in the first access policy and match on the same to bypass the login page in the second access policy.

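One way to build the cookie hint the reply above describes, as an added example that is not from the original poster or the reply author. The point a practitioner should not skip: a cookie that merely exists would let anyone who sets it skip the logon page on app1, so the hint has to be unforgeable. The example therefore binds it to the username and an expiry with an HMAC over a key both virtual servers share, and marks it Secure and HttpOnly on the test.com parent domain, matching the poster's domain cookie setup. Every name below is an assumption for illustration: the cookie name SSOHint, the iRule Event agent ID check_hint, the session variable session.custom.sso_hint_user, the static key and TTL variables, and the placeholder secret. `CRYPTO::sign`, `HTTP::cookie insert/secure/httponly`, `ACCESS::session exists -state_allow`, `ACCESS::policy agent_id` and `ACCESS::session data set/get` are used as documented BIG-IP iRule commands; verify them against the version you run.

```tcl
# Added example, not from the thread. Assumed names: cookie SSOHint, agent ID check_hint,
# session variable session.custom.sso_hint_user, and the shared HMAC key. Attach this one
# iRule to both virtual servers (webtop.test.com and app1.test.com) so both use the same key.

when RULE_INIT {
    # Placeholder secret for the example only; in production load it from a restricted
    # data group rather than embedding it in the iRule.
    set static::sso_hint_key "replace-with-a-long-random-secret"
    set static::sso_hint_ttl 300 ;# seconds a hint stays valid
}

when HTTP_REQUEST {
    # Capture the hint on every request. The request that matters on app1 is the browser's
    # follow-up to /my.policy, which carries the test.com domain cookie.
    set sso_hint ""
    if { [HTTP::cookie exists "SSOHint"] } {
        set sso_hint [HTTP::cookie value "SSOHint"]
    }
}

when HTTP_RESPONSE {
    # Once the access policy has ended in Allow, set the hint on the parent domain so every
    # host under test.com receives it. Skip if the client already presented one.
    if { [info exists sso_hint] && $sso_hint eq "" && [ACCESS::session exists -state_allow] } {
        set user [ACCESS::session data get "session.logon.last.username"]
        set exp  [expr { [clock seconds] + $static::sso_hint_ttl }]
        # HMAC-SHA256 over username and expiry: without the key a client cannot mint a hint
        # for another user or extend the lifetime of its own.
        set mac [CRYPTO::sign -alg hmac-sha256 -key $static::sso_hint_key "$user|$exp"]
        binary scan $mac H* mac_hex
        # base64 the username so characters such as "\" in DOMAIN\user stay cookie-safe.
        set value "[b64encode $user]|$exp|$mac_hex"
        HTTP::cookie insert name "SSOHint" value $value path "/" domain "test.com"
        HTTP::cookie secure "SSOHint" enable
        HTTP::cookie httponly "SSOHint" enable
    }
}

when ACCESS_POLICY_AGENT_EVENT {
    # Fired by an "iRule Event" agent with ID check_hint placed before the Logon Page in
    # the app1 policy. The policy then branches on session.custom.sso_hint_user: non-empty
    # skips Logon Page and AD Auth, empty falls through to the normal login.
    if { [ACCESS::policy agent_id] ne "check_hint" } { return }
    set hint_user ""
    if { [info exists sso_hint] } {
        set parts [split $sso_hint "|"]
        if { [llength $parts] == 3 } {
            set user [b64decode [lindex $parts 0]]
            set exp  [lindex $parts 1]
            set mac  [lindex $parts 2]
            set expected [CRYPTO::sign -alg hmac-sha256 -key $static::sso_hint_key "$user|$exp"]
            binary scan $expected H* expected_hex
            # Accept only an unexpired hint whose MAC matches; anything else counts as absent.
            if { [string is integer -strict $exp] && $exp > [clock seconds] && $mac eq $expected_hex } {
                set hint_user $user
            }
        }
    }
    ACCESS::session data set session.custom.sso_hint_user $hint_user
}
```

Two caveats on using it. First, the hint only skips the logon page; the app1 policy still has to populate session.logon.last.username from session.custom.sso_hint_user (for example with a Variable Assign on the non-empty branch) before SSO Credential Mapping, and since no password travels in the hint, only SSO methods that do not need one (such as Kerberos constrained delegation) will work on that branch. Second, this is a workaround, not a fix: the poster's own observation that app1 creates a new LastMRH_Session means the existing APM session cookie is not being presented to, or accepted by, that virtual server, and that is still worth settling on its own.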

  • Hi,

    For such a configuration, I recommend using multi-domain SSO instead of single-domain SSO.

    In your configuration, you have to configure multiple policies, customization... and the user is able to authenticate on multiple URLs.

    With multi-domain SSO, you can configure login.test.com as the primary URL.

    When the user authenticates on this URL, display a webtop with links.

    When the user first requests app1.test.com, he is redirected to login.test.com to authenticate, then redirected to app1.test.com.

    This mode allows setting different SSO profiles based on the host.