Forum Discussion

AngryCat_52750's avatar
AngryCat_52750
Icon for Nimbostratus rankNimbostratus
Sep 25, 2013

Multi-Domain - Multi-SSO

Hello -   We have a external web portal that our external clients and internal users log into.. the external users are all part of a seperate domain - extDC and our internal users are part of ano...
BIG-IP Access Policy Manager (APM)
design
security
SSO
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Sep 25, 2013

A few things to consider:

 

  1. You'd use the WEBSSO::select command to switch between SSO profiles:

https://devcentral.f5.com/wiki/iRules.WEBSSO__select.ashx

 

  1. Which SSO profile you use depends on how you derive user membership. It could be as simple as a drop down box in the logon page, or gleaned from a client side Kerberos token.

     

  2. Assuming you mean Kerberos SSO (from previous posts), you're no doubt aware that there's an issue with using multiple Kerberos SSO profiles in 11.3 and 11.4. There is an open case for this, and 11.2 does work.

     

  3. Per Kerberos Protocol Transition and Constrained Delegation protocol requirements (not an APM limitation), a full two-way trust is required for KPT to work across domains. You're attempting to switch SSO profiles based on user membership, so that shouldn't be an issue, but an important consideration nonetheless.