How to get SSO information from 1 vcmp to another
Hi
My setup: I have a 2-node cluster called vcmp1.
On it I have 2 VS:
login (SAML IdP)
auth (SAML SP and an OAuth server)
I have a vcmp2 cluster and it has one VS:
test - it uses the OAuth client, so it links back to auth, and auth to login
What this means is people log into the login server - think username and password.
I can get the username to transfer from login -> oauth -> test using SAML and a claim for userid in the OAuth token.
But I don't want to put the password in there, even if it's encrypted (do others do this? It just seems bad).
On the test VS I need the user's password to log into a backend app that doesn't take OAuth or SAML (think Atlassian server).
My understanding is I can extend an APM session from 1 vcmp to another (BIG-IP to another).
I was thinking of doing a sideband call to login, filtering that so it is only allowed to be called by the F5s, and grabbing an encrypted password that way.
So:
The client calls test/uriForJira.
In an iRule, if I don't have a password, I 302 to login/getMySession.
login/getMySession returns via 302 to, say, test/uriForJira?MySession=<sessionid - basically MRHSession>.
Then vcmp2 makes a sideband call to login/FROMVCMP2?MRHSession, which would return the password encrypted with AES 256.
Does that seem reasonable?
Do I do it in iRules or iRules LX (Node.js)?
Or is there another way to do this?
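
The encrypted sideband reply described in the post, sketched as an added example (not part of the original post and not F5 code): plain Node.js AES-256-GCM that binds the ciphertext to the session id and an issue time, so a reply captured for one session fails to decrypt for another or after it expires. The key, `MAX_AGE_MS` and the function names `sealPassword` and `openPassword` are assumptions.

```javascript
const crypto = require('crypto');

// Assumption: a 32-byte key provisioned out of band on both clusters.
// Constructed here from a fixed string so the example runs offline.
const SHARED_KEY = crypto.createHash('sha256').update('constructed-demo-key').digest();
const MAX_AGE_MS = 30000; // assumption: a sealed reply is valid for 30 seconds

// login side: seal the password for exactly one session id.
function sealPassword(key, sessionId, password, now = Date.now()) {
  const iv = crypto.randomBytes(12); // fresh nonce per reply
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  // Session id and issue time are authenticated but not encrypted.
  cipher.setAAD(Buffer.from(`${sessionId}|${now}`));
  const ct = Buffer.concat([cipher.update(password, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  return [now, iv.toString('base64'), ct.toString('base64'), tag.toString('base64')].join('.');
}

// test side: open the reply; returns null on expiry, wrong session or tampering.
function openPassword(key, sessionId, token, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 4) return null;
  const issued = Number(parts[0]);
  if (!Number.isInteger(issued) || issued > now || now - issued > MAX_AGE_MS) return null;
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(parts[1], 'base64'));
    decipher.setAAD(Buffer.from(`${sessionId}|${issued}`));
    decipher.setAuthTag(Buffer.from(parts[3], 'base64'));
    const pt = Buffer.concat([decipher.update(Buffer.from(parts[2], 'base64')), decipher.final()]);
    return pt.toString('utf8');
  } catch (e) {
    return null; // authentication failed: wrong key, session, time or ciphertext
  }
}
```
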