Forum Discussion
East_Coast_1151
Nimbostratus
Mar 19, 2013
Kerberos SSO with two realms
I am working on a solution depicted in the attached file.
Clients are expected to authenticate with a Form-Based front-end provided by F5 APM and using a back-end Active Directory forest ...
Kevin_Stewart
Employee
Mar 19, 2013
SSO credential mapping is not necessarily required for Kerberos SSO. The credential mapping agent simply plugs the required username and password values into the right session (token) variables for things like form-based SSO. As long as you're populating the correct session variables in the access policy (as determined by the username and domain source fields in the Kerberos SSO profile), you should be good to go. For testing purposes you can also arbitrarily set the session.logon.last.username and session.logon.last.domain to known good user and domain values to bypass everything but the SSO.
But I would agree that DNS is absolutely critical. APM must be able to resolve (forward and reverse) each of the domains.
I would also note that while the APM Kerberos SSO username source defaults to session.sso.token.last.username (what the credential mapping agent would use), I typically reset it to session.logon.last.username (as East Coast has also apparently done).
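Added example, not part of the thread or F5's own code: a forward/reverse DNS consistency check of the kind the reply above calls critical, run over hosts in both realms. The realm names, host names and addresses are constructed, and the injected lookup functions stand in for real DNS so the check runs offline; leave them out to query the system resolver.

```python
import socket

def check_fwd_rev(name, forward=None, reverse=None):
    """Forward-resolve `name`, then confirm each address has a PTR back to it."""
    # Defaults use the system resolver; the sample below injects offline stand-ins.
    forward = forward or (lambda n: socket.gethostbyname_ex(n)[2])
    reverse = reverse or (lambda ip: socket.gethostbyaddr(ip)[0])
    try:
        addrs = forward(name)
    except OSError as exc:  # socket.gaierror and socket.herror are OSError subclasses
        return [f"forward lookup failed: {exc}"]
    if not addrs:
        return ["forward lookup returned no addresses"]
    problems = []
    for ip in addrs:
        try:
            ptr = reverse(ip)
        except OSError as exc:
            problems.append(f"{ip}: no PTR record ({exc})")
            continue
        # DNS names are case-insensitive and may carry a trailing dot.
        if ptr.rstrip(".").lower() != name.rstrip(".").lower():
            problems.append(f"{ip}: PTR is {ptr}, expected {name}")
    return problems

def audit(realms, forward=None, reverse=None):
    """Return {realm: {host: [problems]}} listing only the hosts that fail."""
    report = {}
    for realm, hosts in realms.items():
        bad = {h: p for h in hosts if (p := check_fwd_rev(h, forward, reverse))}
        if bad:
            report[realm] = bad
    return report

# Constructed sample data: two realms, one back-end host missing its PTR record.
SAMPLE_A = {"dc1.realm-a.example": ["10.0.1.10"],
            "dc1.realm-b.example": ["10.0.2.10"],
            "web1.realm-b.example": ["10.0.2.20"]}
SAMPLE_PTR = {"10.0.1.10": "dc1.realm-a.example",
              "10.0.2.10": "DC1.realm-b.example."}
SAMPLE_REALMS = {"REALM-A.EXAMPLE": ["dc1.realm-a.example"],
                 "REALM-B.EXAMPLE": ["dc1.realm-b.example", "web1.realm-b.example"]}

def sample_forward(name):
    if name not in SAMPLE_A:
        raise socket.gaierror(f"{name} not found")
    return SAMPLE_A[name]

def sample_reverse(ip):
    if ip not in SAMPLE_PTR:
        raise socket.herror(f"{ip} has no PTR")
    return SAMPLE_PTR[ip]
```

Calling `audit(SAMPLE_REALMS, sample_forward, sample_reverse)` reports only `web1.realm-b.example`, the host whose address has no reverse record.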