Forum Discussion

AngryCat_52750
Sep 25, 2013

Multi-Domain - Multi-SSO

Hello -


We have an external web portal that our external clients and internal users log into. The external users are all part of a separate domain - extDC - and our internal users are part of another domain - intDC. intDC has a trust set up to query extDC, but not the other way around.


We have a very basic APM policy - login page -> AD Auth -> SSO -> resources. I just realised that the SSO is set up for intDC.


How would I be able to set up the SSO so that, based on the user logging in, I can assign the appropriate SSO profile?



A few things to consider:

1. You'd use the WEBSSO::select command to switch between SSO profiles:

   https://devcentral.f5.com/wiki/iRules.WEBSSO__select.ashx

2. Which SSO profile you use depends on how you derive user membership. It could be as simple as a drop down box in the logon page, or gleaned from a client side Kerberos token.

3. Assuming you mean Kerberos SSO (from previous posts), you're no doubt aware that there's an issue with using multiple Kerberos SSO profiles in 11.3 and 11.4. There is an open case for this, and 11.2 does work.

4. Per Kerberos Protocol Transition and Constrained Delegation protocol requirements (not an APM limitation), a full two-way trust is required for KPT to work across domains. You're attempting to switch SSO profiles based on user membership, so that shouldn't be an issue, but an important consideration nonetheless.
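The following iRule is an added example illustrating the approach described in the reply (it is not code from the original thread or from F5). It assumes the logon page carries a domain drop-down whose value lands in the session variable `session.logon.last.domain`, and that two SSO profiles named `sso_extDC` and `sso_intDC` exist in the `/Common` partition; all three names are assumptions for illustration. The fall-through branch disables SSO for the request rather than letting the access profile's default SSO apply, so credentials are never forwarded for a user whose domain could not be determined.

```tcl
# Added example (not from the original post): pick the SSO profile per session.
# Runs once the access policy has allowed the request, so session data is available.
when ACCESS_ACL_ALLOWED {
    # Assumed logon-page field; value is whatever the user chose in the drop-down.
    set domain [string tolower [ACCESS::session data get "session.logon.last.domain"]]

    switch -- $domain {
        "extdc" {
            # Assumed profile name for the external users' domain.
            WEBSSO::select /Common/sso_extDC
        }
        "intdc" {
            # Assumed profile name for the internal users' domain.
            WEBSSO::select /Common/sso_intDC
        }
        default {
            # Unknown or empty domain: do not fall back to the default SSO profile.
            log local0.warn "No SSO profile for domain '$domain' (user [ACCESS::session data get session.logon.last.username]); SSO disabled"
            WEBSSO::disable
        }
    }
}
```

Attach the iRule to the virtual server that carries the access profile. If membership is instead derived from the authenticated identity (for example, the domain portion of a UPN returned by AD Auth), replace the `session.logon.last.domain` lookup with the session variable your policy populates; the branch structure stays the same.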