Forum Discussion

Brambre29
Aug 26, 2024

Is it possible to apply SSO when the login page and the app run on different devices?

I was wondering if it is possible to apply SSO when we are using the webtop login on BIGIP01 and the application on BIGIP02?

As I understand it, the APM profile on the webtop login collects and caches the user identity (when using SSO Mapping), and the APM profile on the application virtual server posts the cache that was stored before. Is it possible to pass this session from BIGIP01 to BIGIP02 to make sure the SSO works properly?

  • APM sessions contain all of the data gathered during session setup inside the BIG-IP's sessiondb. So in your scenario you have one BIG-IP that has both authorized and authenticated the user that's connecting. The other BIG-IP has not authorized or authenticated this user, so how do we make the second BIG-IP trust the first one's decisions about the user? There are a lot of potential ways:

    • The first BIG-IP sends a JWT to the second one in the manner of an OpenID Connect Client talking to an OpenID Resource Server.
    • The first BIG-IP is set up as a SAML IdP, and the second BIG-IP is set up as a SAML Resource Server.
    • The first BIG-IP is set up to send non-federated SSO credentials to the second one

    In both of those cases, APM is required on the second BIG-IP.

    Some other ways that might work:

    • The first BIG-IP has some unique L2 network path to the second one, so traffic can only occur between the two via IP, Ethernet addressing, or VLANs
    • Set up an IPsec tunnel between the two BIG-IPs and use iRules to route APM user traffic to the remote box
    • Set up iSession tunnels between the two BIG-IPs

    Of course, if the second BIG-IP is just acting as a router or doesn't need to create its own SSO and you can rely on the first BIG-IP's SSO, then this is a non-issue. The first BIG-IP is capable of performing this SSO, and the second one will silently pass it through in the same way that a router would.