Forum Discussion

AlexS_yb's avatar
AlexS_yb
Icon for Cirrocumulus rankCirrocumulus
Jul 03, 2023

How to get SSO information from 1 vcmp to another

Hi

My setup I have a cluster 2 nodes called vcmp1

on here I have 2 VS

login (saml idP)

auth (saml SP and a OAuth server)

 

I have vcmp2 cluster and it has VS

test - it uses oauth client - so links back to auth and auth to login

 

What this means is people log into the login server - think username and password.

I can get username to transfer from login -> oauth -> test   using saml and claim for userid in the OAuth token

 

But I don't want to put the password in there - even if its encrypted (do others do this, just seems bad)

On the test VS i need the users password to log into a backend app that doesn't take oauth or saml (think atlassian server)

 

My understanding is I can extend an APM session from 1 vcmp to another (bigip to another).

I was thinking to do a sideband call to login filter that to only be allowed to be called by the F5's and grab an excrypted password that way

so

client call test/uriForJira
In a irule if i don't have a password, I 302 to login/getMySession

login/getMySession return via 302 say test/uriForJira?MySession=<sessionid - basically MRHSession>

then vcmp2 makes a sideband call to login/FROMVCMP2?MRHSession - which would return the password encrypted with AES 256.

 

Does that seam reasonable

Do i do it in irules or irules.lx (node.js)

Or is there another way to do this ?

 

 

 

 

    • AlexS_yb's avatar
      AlexS_yb
      Icon for Cirrocumulus rankCirrocumulus

      Hi

       

      Sorry not well described on my part

      so I have a cluster - A/P a-vcmp1 & b-vcmp1

      I have those syncing

      Then I have another cluster another A/P

      a-vcmp2 & b-vcmp2 those re sync

       

      I wanted multidomian SSO capabilities

      so lets say login & auth VS exist on vcmp1 cluster

      and i have test VS on vcmp2

      I would like to have SSO capabilities of login into login and then with those credentials log into test

       

      I have that right now but using OAuth between test and auth and using auth as a SP and login as a Idp

       

      But I though I would recheck to see if there was a way to just us MRHSession for my domain and basically get the APM Session table replicated between cluster vcmp1 & vcmp2