Forum Discussion

Amit_4251's avatar
Icon for Nimbostratus rankNimbostratus
Dec 22, 2011

Multiple SSO in a Portal

I am trying to create a Portal with links to multiple SSOs. I am not sure if this is possible. So the user logs into the Portal and can click on the links and would not have to enter the credentials again and again. I am not sure if this is even possible. I have tried webtop links but the problem is that I cannot pass user credentials in the links.



Please let me know if anyone is using it or you know how to get this done.






Happy Holidays

7 Replies

  • Yes, it's definitely possible - it's best to use v11+ for that. Which version are you using?
  • GaryZ_31658's avatar
    Historic F5 Account
    Can we get a little more information on how SSO will be used in this design?


    Are the links internal using the same authentication store?


    Where are the links located? Are they presented on a page hosted by an internal web server or APM Webtop (V11)?


    Will they "proxy" through APM using "Portal Access" or will the links take you to a different VIP?



    APM can perform this function however it is important to understand the details around how the user is authenticated to the other applications, where they terminate, and to understand the overall design.


  • There are past links [1][2] for multiple domain SSO. But if you will to take a look at recent release of v11.1 SSO configuration guide, it now support inherently (w/o iRules) multi-domain support and also section talking about common use cases for SSO in APM (e.g. for LTM, thru network access with layered VS, access web appl directly) [0]. May be useful to take a look at it.



    [0] BIG-IP® Access Policy Manager® Single Sign-On Configuration Guide




    [1]Single APM session across multiple FQDNs




    [2]Multi-domain SSO using NTLM

  • Hi Amit,


    Did you get this working? (I am running on BIG-IP 11.4.1.) I am facing the same case. My different webapp use a different SSO HTTP form pattern (all http form , but different form action, different username/password parameter name).


    I understand one 'SSO form authentication' is attached to one 'Access profile'. Then, one 'access profile' is attached to one Virtual Server. So, I tried to use different VirtualServers, but I didn't get my redirection between virtual servers working.


    I tried to use/mimick: [1]Single APM session across multiple FQDNs


    [2]Multi-domain SSO using NTLM


    but: for [1]: I didn't really get it working: my redirection in 'Authentication Virtual iRule' back to the Service virtual doesn't work (in 'set redirect_uri "$protocol://$domain/apm_session_handover_uri?protocol=$protocol&domain=$domain&uri=$uri&sid=$sid"' , I get 2 different values for '$domain') + I don't really like this idea of redirection in a reverse-proxy configuration...


    for [2]: redirection between pool is not OK for me as my SSO http form follow a different pattern, I need to redirect between virtualServers, which I can't get to work...


    Any idea, help, Thanks, David


  • Hi kj07208,

    Thank you for the answer. I spent a bit of time trying different techniques. I just give a brief summary as it might help people facing similar issues (sorry if appears a bit messy).

    • SAML ended up not matching my needs (reminder: I have different web applications based on Spring security. Authentication is made through a form POST request. My webapps have different action form and parameters. I wanted to keep these applications untouched, so no SAML here).

    • I explored then the 'Portal Access' functionality. On the paper, this matched my needs (you create a Webtop or a webapp can play this 'portal' role, you define resource items, you can assign specific SSO,...), but in practice, it takes too much control over your app (especially the patching, I ended up not being able to use relative URLs)

    • finally, I realized that what I needed was really a reverse-proxy and I went back to the iRules way. I created a pool and a SSO HTTP form for each webapp. Then, I set a rule like:

    when HTTP_REQUEST {
      if { [HTTP::path] equals "/" } { root context redirects to /webapp-portal
        HTTP::redirect "/webapp-portal/"
      } elseif { [string tolower [HTTP::path]] starts_with "/webapp-portal/" } {
        pool webapp-portal-pool
      } elseif { [HTTP::path] eq "/webapp-portal/login" } {
        WEBSSO::select sso-for-webapp-portal
      } elseif { [string tolower [HTTP::path]] starts_with "/webapp1/" || [HTTP::path] eq "/webapp1" } {
        pool pool-webapp1
      } elseif { [HTTP::path] eq "/webapp1/signin" } {
        WEBSSO::select sso-for-webapp1

    I'm still a newbie on BIP-IP so I'm sure this is not best practice, but it helped me unblock so situations...

    Hoping this can yelp someone,

    • Geronimo_Martin's avatar
      Icon for Nimbostratus rankNimbostratus
      DavidS. Hi, could you tell me what kind of SSO config do you use for Web Apps with Spring security?. I´m trying to set a SSO for web app that use j_spring_security_check, j_username and j_passwrod. And I can not make it work.. :s