Domain Cookie SSO
Hello All,
I am trying to figure out why SSO using a domain cookie is not working for just one of my applications. I am running 12.1.2 and have the domain cookie working for other applications, so I am not sure why this one is not cooperating.
Current configuration: I have a webtop (webtop.test.com) with an application that is not allowing SSO at the moment (app1.test.com).
webtop.test.com
- Access policy that uses Logon Page > AD Auth > SSO Credential Mapping > Advanced Resource Assign
- Advanced Resource Assign has portal access, a few SAML, webtop, and webtop links
- Access Policy is set to Global for Profile Scope
- SSO/Auth Domains has domain cookie test.com and Secure flag checked
app1.test.com
- app1.test.com is a virtual server on the BIG-IP
- Access policy: Logon Page > AD Auth > SSO Credential Mapping
- Access Policy is set to Global for Profile Scope
- SSO/Auth Domains has domain cookie test.com and Secure flag checked
Issue
When I log in to the webtop and click on the link to app1, I am prompted to log in again via the app1 access policy login page.
Troubleshooting
- I can see using SSO tracer that the cookie created when logging in to the webtop is not being used by app1, because it creates a new LastMRH_Session ID.
- I have tried adding Persistent to SSO/Auth Domains.
- I have another app, app2, that is configured the same way, but this one works as I would expect.
- If I log in directly to app2, then open a new tab and go to app1, the domain cookie is working, as I am not prompted to log in again.
- I have enabled debug on webtop and app1, but the APM log doesn't show anything useful for app1 since it doesn't log in.
- I have tested on Chrome, Firefox, Edge and IE11; all have the same issue with SSO to app1 from the webtop.
Any ideas would be greatly appreciated.
Thanks
- Stanislas_Piro2 (Cumulonimbus)
Hi,
For such a configuration, I recommend using multi-domain SSO instead of single-domain SSO.
In your configuration, you have to configure multiple policies, customizations, etc., and the user is able to authenticate on multiple URLs.
With multi-domain SSO, you can configure login.test.com as the primary URL.
When the user authenticates on this URL, display a webtop with links.
When the user first requests app1.test.com, he is redirected to login.test.com to authenticate, then redirected to app1.test.com.
This mode allows setting different SSO profiles based on the host.
- kolom (Altostratus)
Without having access to the actual configuration, I'll not be able to identify the issue, but you can use iRules to insert a specific cookie in the response from the login page in the first access policy and match on the same to bypass the login page in the second access policy.
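Before writing a cookie-insert-and-match iRule, it helps to know whether the APM domain cookie actually reaches app1's virtual server and whether APM still recognises it. The diagnostic iRule below is an added example, not kolom's code or anything from this thread; it assumes the default APM session cookie name MRHSession and the `ACCESS::session exists` command, and it logs only a prefix of the session ID so the full token does not end up in syslog. Attach it to the app1 virtual server while reproducing the webtop-to-app1 click:

```tcl
# Added diagnostic iRule (hypothetical, not from the thread).
# Assumes the default APM session cookie name "MRHSession".
when HTTP_REQUEST {
    set host [HTTP::host]
    set uri  [HTTP::uri]

    if { ![HTTP::cookie exists "MRHSession"] } {
        # No domain cookie arrived: APM has nothing to reuse and starts a new session.
        log local0. "apm-sso-trace: $host$uri - no MRHSession cookie presented"
        return
    }

    set sid [HTTP::cookie "MRHSession"]
    # Log only a prefix: the full value is the bearer token for the session.
    set sid_prefix [string range $sid 0 7]

    if { [ACCESS::session exists $sid] } {
        # The cookie is valid in APM's session table, so domain cookie SSO should apply here.
        log local0. "apm-sso-trace: $host$uri - MRHSession ${sid_prefix}... is known to APM"
    } else {
        # The cookie was sent but APM does not know it (ended or expired session),
        # so the access policy will create a new session and show the logon page.
        log local0. "apm-sso-trace: $host$uri - MRHSession ${sid_prefix}... not found in APM session table"
    }
}
```

If the first branch fires, the browser did not send the cookie, so the cookie's Domain and Secure attributes should be compared against app1's host and scheme. If the third branch fires, the webtop session was already ended before the app1 request, which is consistent with the "Access Policy evaluation is already in progress" symptom described elsewhere in the thread. Checking the ID against APM's session table, rather than matching on a client-supplied cookie value, is what keeps any later bypass logic from trusting a value the browser could set itself.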
- Nolan_Jensen (Cirrostratus)
Thank you!
- kolom (Altostratus)
Nolan, I will try to replicate that in my lab environment and will get back to you.
- Nolan_Jensen (Cirrostratus)
Kolom,
Would you be able to give me a sample iRule?
Thanks
- Nolan_Jensen (Cirrostratus)
Thanks for the video. Yes, I have the domain cookie set on the webtop access profile and the app1 access profile. Also, new in version 12, they added a profile scope to the properties page of the access profile, and I have that set to Global.
The strange thing is, if I don't use the webtop and I just log in to app1, then open a link to app2, it works as it should. It also works if I log in to app2 and then open a new tab to app1, so it appears it is configured correctly, just not when accessing from the webtop.
- kolom (Altostratus)
Try watching this video and make sure that you're following the same. If it is still not working, I'll most likely try to use an iRule to perform the same function.
- Nolan_Jensen (Cirrostratus)
Yes that is correct. Sorry for the confusion.
- kolom (Altostratus)
Maybe I didn't get your question. You have a webtop with multiple resources (app1, app2). app1 is not a direct server; it's hosted on another virtual server on the same BIG-IP with another access policy, and the second login page is actually the APM login page from the second VS. Is that correct?
- Nolan_Jensen (Cirrostratus)
Thank you for taking the time to help on this. I understand that, but I am only trying to SSO past the APM login page; I am not concerned with SSO to the application, because the application is not integrated with Active Directory. We put APM on app1 to make sure that externally no one can access the app's login page by going directly to app1.test.com, instead of going through webtop.test.com and clicking the link, without first having an AD account.
After some further testing I discovered some new information.
From the webtop, when I click on the link to app1 it ends my session, so for all other links on the webtop I get "Access Policy evaluation is already in progress for the current session" as it waits for login to app1.
- kolom (Altostratus)
In order to perform SSO, you need to define the login form parameters for app1 under the SSO tab in the Access Policy part. This way, after the user enters his username/password in the APM login page, APM will map this data and push it to the app1 login page as if the user entered it himself. You can assign different SSO profiles to different Portal Access resources. Is this clear to you?
- Nolan_Jensen (Cirrostratus)
Maybe that is where I am doing something wrong. I am not using an SSO profile, since I am only trying to take the username and password from the webtop access policy and apply them to the app1 access policy login.
Where it is throwing me off is that I can authenticate to app2 (this app has an access policy applied to it that asks for username and password), open a new tab and go to app1 without being prompted by the access policy for login.
However, if I go to the webtop and authenticate first and then try to go to app1, I will be prompted for username and password again.