Forum Discussion
is it possible to apply SSO when login page and app run on different device?
I was wondering is it possible to apply a SSO when we using webtop login on BIGIP01 and the application on the BIGIP02?
I just tried to understand that the APM profile on webtop login is to collect and cache user identity (when using SSO Mapping) and APM profile on the application virtual server is to post the cache that been stored before. is it possible to pass this session on BIGIP01 to BIGIP02 to make sure the SSO working properly?
- Lucas_ThompsonEmployee
APM sessions contain all of the data gathered during session setup inside the BIG-IP's sessiondb. So in your scenario you have one BIG-IP that has both authorized and authenticated the user that's connecting. The other BIG-IP has not authorized or authenticated this user, so how do we make the second BIG-IP trust the first one's decisions about the user? There are a lot of potential ways,
- The first BIG-IP sends a JWT to the second one in the manner of an OpenID Connect Client talking to an OpenID Resource Server.
- The first BIG-IP is set up as a SAML IdP, and the second BIG-IP is set up as a SAML Resource Server.
- The first BIG-IP is set up to send not-federated SSO credentials to the second one
In both of those cases, APM is required on the second BIG-IP.
Some other ways that might work,
- The first BIG-IP has some unique L2 network path to the second one so only traffic can occur between the two via IP, Ethernet addressing, or VLANs
- Set up an IPsec tunnel between the two BIG-IPs and use irules to route APM user traffic to the remote box
- Set up iSession tunnels between the two BIG-IPs
Of course, if the second BIG-IP is just acting as a router or doesn't need to create its own SSO and you can rely on the first BIG-IP's SSO, then this is a non-issue. The first BIG-IP is capable to perform this SSO, and the second one will silently pass it through in the same way that a router would.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com