F5 newbie - trying to work things out - help :)
You seem to be good with APM, I wouldn't call you junior with it.
For Local traffic policy redirect just see the example https://support.f5.com/csp/article/K26312346 and you can replace the iRule. It is with TCL command as you mentioned. If you are redirecting to a static domain and there will be no variables used for the redirect like [HTTP::uri] or [HTTP::host], then just enter the static URL without using "tcl:", as "tcl:" is when you need to have access to TCL variables and for a static URL this is not needed.
If you set two access profiles to global then if the user has authenticated to one, he will have access to the other as mentioned in https://devcentral.f5.com/s/question/0D51T00006j20Ce/v12-apm-profile-scope .
For the ASM VIP it could be that the ASM is blocking the SSO, so if possible test without an ASM policy out of working hours and check if that is the case, and if needed check the articles I have given for ASM and APM integration. If you followed https://support.f5.com/csp/article/K54217479 then ASM is before the APM (normally it is AFM > LTM > APM > ASM), but by following the article with layered VS the ASM is first and maybe it could be blocking something if not configured correctly.
For the demo_default VS if you don't have access policy or profile then the SSO shouldn't work as even the global profiles will not work if there is no access profile under the VIP.
Just a note: with iRules you can disable and enable the SSO https://clouddocs.f5.com/api/irules/WEBSSO__disable.html . Also with the variable assign agent you can modify the SSO, as for example the user logs into the APM with username and password but the backend server wants another username (username with a domain attached and so on) https://support.f5.com/csp/article/K52926273 . If the SSO you use by default does not have an option you need, check the variable assign agent.
Edit:
Also check out:
https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-0-0/27.html
and the below article as each access profile should have the SSO credential mapping (you may also use the variable assign macro) for SSO to work.
https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-access-policy-manager-visual-policy-editor/access-policy-item-reference/about-assignment-items/about-sso-credential-mapping.html
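To make the two points in this reply concrete (a local traffic policy redirect where "tcl:" is only needed when the location uses [HTTP::host] or [HTTP::uri], and an iRule that turns web SSO off for part of a site), here is an added tmsh example. It is not configuration from the original thread or from F5's articles; the policy and rule names, the /secret and /public paths and the demo.xyz.com host are assumptions chosen to match the scenario discussed above.

```tmsh
# Added example (not from the thread): an LTM policy with two redirect rules.
# Rule 1: static target, so the location is a plain URL with no "tcl:" prefix.
# Rule 2: the target is built from request data, so "tcl:" is required to
#         let the policy evaluate [HTTP::host] and [HTTP::uri] at runtime.
ltm policy /Common/demo_redirect_policy {
    controls { forwarding }
    requires { http }
    rules {
        static_redirect_to_login {
            # Assumed path: anything under /old-login goes to a fixed SSO URL.
            actions {
                0 {
                    http-reply
                    redirect
                    location https://auth.xyz.com/login
                }
            }
            conditions {
                0 {
                    http-uri
                    path
                    starts-with
                    values { /old-login }
                }
            }
            ordinal 1
        }
        computed_redirect_to_secret {
            # Assumed path: /legacy/* is rewritten to /secret/* on the same host.
            # "tcl:" is what makes [HTTP::host] and [HTTP::uri] get evaluated.
            actions {
                0 {
                    http-reply
                    redirect
                    location "tcl:https://[HTTP::host]/secret[string range [HTTP::uri] 7 end]"
                }
            }
            conditions {
                0 {
                    http-uri
                    path
                    starts-with
                    values { /legacy }
                }
            }
            ordinal 2
        }
    }
    strategy first-match
}

# Added example (not from the thread): an iRule that switches web SSO off
# only for an assumed public path, so the APM access profile still handles
# SSO for everything else on the virtual server.
ltm rule /Common/demo_sso_disable_public {
    when HTTP_REQUEST {
        # Assumption: /public/* on demo.xyz.com needs no backend credentials.
        if { [HTTP::path] starts_with "/public/" } {
            WEBSSO::disable
        }
    }
}
```

On BIG-IP 12.1 and later a policy created this way lands in the Drafts folder and has to be published before it can be attached to a virtual server; after loading the config, check that the published copy is the one on the VS, and confirm that the redirect responses arrive as HTTP 302 with the expected Location header before relying on it in front of an APM or ASM profile.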
- AlexS_yb, Mar 21, 2021, Cirrocumulus
Thanks.
okay, let me try this from a different angle then based on this
"For the demo_default VS if you don't have access policy or profile then the SSO shouldn't work as even the global profiles will not work if there is no access profile under the VIP."
so let's say I want people to freely get to
demo.xyz.com/
but when they hit
demo.xyz.com/secret
I want them to login, especially I want them to use a global SSO (auth.xyz.com)
so from what I have read
I create a VS for
demo.xyz.com which is just a big switch to these vs and also has a ASM attached to the front
demo.xyz.com_secret << this has a APM
demo.xyz.com_default
You are saying to get SSO working properly, I need to attach a APM to demo.xyz.com_default vs
can I have an APM that just allows everyone without doing any checking?
- Nikoolayy1, Mar 21, 2021, MVP
Can you check this post :
https://devcentral.f5.com/s/question/0D51T00006i7h0S/apm-sso-between-two-virtual-servers
The idea is to have demo.xyz.com_default with the same SSO object in Access profile and the access profile will do no more checks but just have the SSO.
You can use the multi domain to redirect from demo.xyz.com_default to demo.xyz.com_secret if not authenticated, but as you have the F5 ASM Login Page protection, you will simply block access to the other URL if the login page is not hit first.
https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-0-0/27.html