Multiple SSO in a Portal
Please let me know if anyone is using it or you know how to get this done.
Thanks
Happy Holidays
- Yes, it's definitely possible - it's best to use v11+ for that. Which version are you using?
- GaryZ_31658
Historic F5 Account
Can we get a little more information on how SSO will be used in this design?
- BT_90520
Nimbostratus
There are past links [1][2] for multiple-domain SSO. But if you take a look at the recent release of the v11.1 SSO configuration guide, it now inherently has (w/o iRules) multi-domain support and also a section talking about common use cases for SSO in APM (e.g. for LTM, through network access with layered VS, accessing web applications directly) [0]. It may be useful to take a look at it.
- DavidS_01_14559
Nimbostratus
Hi Amit,
Did you get this working? (I am running on BIG-IP 11.4.1.) I am facing the same case. My different webapps use different SSO HTTP form patterns (all HTTP forms, but different form actions and different username/password parameter names).
I understand one 'SSO form authentication' is attached to one 'Access profile'. Then, one 'access profile' is attached to one Virtual Server. So, I tried to use different VirtualServers, but I didn't get my redirection between virtual servers working.
I tried to use/mimic:
[1] Single APM session across multiple FQDNs https://devcentral.f5.com/wiki/APM.ShareAccessCookies.ashx
[2] Multi-domain SSO using NTLM https://devcentral.f5.com/wiki/APM.MultipleNTLMSSO.ashx
but:
for [1]: I didn't really get it working: my redirection in 'Authentication Virtual iRule' back to the Service virtual doesn't work (in 'set redirect_uri "$protocol://$domain/apm_session_handover_uri?protocol=$protocol&domain=$domain&uri=$uri&sid=$sid"', I get 2 different values for '$domain') + I don't really like this idea of redirection in a reverse-proxy configuration...
for [2]: redirection between pools is not OK for me as my SSO HTTP forms follow a different pattern, I need to redirect between virtual servers, which I can't get to work...
Any idea, help, Thanks, David
This might shed some light link text
- DavidS_01_14559
Nimbostratus
Hi kj07208,
Thank you for the answer. I spent a bit of time trying different techniques. I'll just give a brief summary as it might help people facing similar issues (sorry if it appears a bit messy).
- SAML ended up not matching my needs (reminder: I have different web applications based on Spring security. Authentication is made through a form POST request. My webapps have different form actions and parameters. I wanted to keep these applications untouched, so no SAML here).
- I then explored the 'Portal Access' functionality. On paper, this matched my needs (you create a Webtop or a webapp can play this 'portal' role, you define resource items, you can assign specific SSO,...), but in practice, it takes too much control over your app (especially the patching, I ended up not being able to use relative URLs).
- Finally, I realized that what I needed was really a reverse-proxy and I went back to the iRules way. I created a pool and an SSO HTTP form for each webapp. Then, I set a rule like:
```tcl
when HTTP_REQUEST {
    if { [HTTP::path] equals "/" } {
        # root context redirects to /webapp-portal
        HTTP::redirect "/webapp-portal/"
    } elseif { [string tolower [HTTP::path]] starts_with "/webapp-portal/" } {
        pool webapp-portal-pool
        # Checked inside the prefix branch: as a later elseif it would never be reached
        if { [HTTP::path] eq "/webapp-portal/login" } {
            WEBSSO::select sso-for-webapp-portal
        }
    } elseif { [string tolower [HTTP::path]] starts_with "/webapp1/" || [HTTP::path] eq "/webapp1" } {
        pool pool-webapp1
        # Same nesting for the webapp1 login form
        if { [HTTP::path] eq "/webapp1/signin" } {
            WEBSSO::select sso-for-webapp1
        }
    }
}
```
I'm still a newbie on BIG-IP so I'm sure this is not best practice, but it helped me unblock some situations...
Hoping this can help someone,
David
- Geronimo_Martin
Nimbostratus
DavidS. Hi, could you tell me what kind of SSO config you use for web apps with Spring security? I'm trying to set up SSO for a web app that uses j_spring_security_check, j_username and j_password. And I cannot make it work.. :s
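
An added example, not part of the thread and not F5 code: when per-path SSO selection like the rule DavidS describes is written as one flat first-match if/elseif chain, an exact-path branch listed after a prefix branch that covers it never runs, so its WEBSSO::select is silently skipped. The sketch below models such a chain and reports the unreachable branches; the rule table is constructed from the paths and object names in the thread, and matching is simplified to exact and prefix tests.

```python
# Added example: model an if/elseif path router as an ordered rule list and
# report branches that can never run. Matching is simplified to exact ("eq")
# and prefix ("starts_with") tests on the raw path (no case folding).

# Constructed rule table using the paths and object names from the thread,
# laid out as one flat first-match chain: (test, pattern, action).
RULES = [
    ("eq", "/", "HTTP::redirect /webapp-portal/"),
    ("starts_with", "/webapp-portal/", "pool webapp-portal-pool"),
    ("eq", "/webapp-portal/login", "WEBSSO::select sso-for-webapp-portal"),
    ("starts_with", "/webapp1/", "pool pool-webapp1"),
    ("eq", "/webapp1", "pool pool-webapp1"),
    ("eq", "/webapp1/signin", "WEBSSO::select sso-for-webapp1"),
]


def matches(rule, path):
    test, pattern, _ = rule
    return path == pattern if test == "eq" else path.startswith(pattern)


def covers(earlier, later):
    """True if every path the later rule matches is already taken by the earlier one."""
    e_test, e_pat, _ = earlier
    l_test, l_pat, _ = later
    if e_test == "eq":
        return l_test == "eq" and l_pat == e_pat
    # An earlier prefix swallows any exact path or longer prefix beneath it.
    return l_pat.startswith(e_pat)


def shadowed(rules):
    """Return (branch_index, covering_index) for each unreachable branch."""
    found = []
    for i, later in enumerate(rules):
        for j in range(i):
            if covers(rules[j], later):
                found.append((i, j))
                break
    return found


def route(rules, path):
    """Action of the first matching branch, or None (default handling)."""
    return next((r[2] for r in rules if matches(r, path)), None)


if __name__ == "__main__":
    for i, j in shadowed(RULES):
        print(f"branch {i} {RULES[i][1:]} never runs; covered by branch {j} {RULES[j][1:]}")
    print(route(RULES, "/webapp-portal/login"))
```

Both login paths resolve to a pool action only, which is the symptom to look for when an SSO form is never submitted for a path that is otherwise routed correctly.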