Multiple SSO in a Portal

Hi Amit,

Did you get this working? (I am running on BIG-IP 11.4.1.) I am facing the same case. My different webapp use a different SSO HTTP form pattern (all http form , but different form action, different username/password parameter name).

I understand one 'SSO form authentication' is attached to one 'Access profile'. Then, one 'access profile' is attached to one Virtual Server. So, I tried to use different VirtualServers, but I didn't get my redirection between virtual servers working.

I tried to use/mimick: [1]Single APM session across multiple FQDNs https://devcentral.f5.com/wiki/APM.ShareAccessCookies.ashx

[2]Multi-domain SSO using NTLM https://devcentral.f5.com/wiki/APM.MultipleNTLMSSO.ashx

but: for [1]: I didn't really get it working: my redirection in 'Authentication Virtual iRule' back to the Service virtual doesn't work (in 'set redirect_uri "$protocol://$domain/apm_session_handover_uri?protocol=$protocol&domain=$domain&uri=$uri&sid=$sid"' , I get 2 different values for '$domain') + I don't really like this idea of redirection in a reverse-proxy configuration...

for [2]: redirection between pool is not OK for me as my SSO http form follow a different pattern, I need to redirect between virtualServers, which I can't get to work...

Any idea, help, Thanks, David

This might shed some light link text

Hi kj07208,

Thank you for the answer. I spent a bit of time trying different techniques. I just give a brief summary as it might help people facing similar issues (sorry if appears a bit messy).

• SAML ended up not matching my needs (reminder: I have different web applications based on Spring security. Authentication is made through a form POST request. My webapps have different action form and parameters. I wanted to keep these applications untouched, so no SAML here).

• I explored then the 'Portal Access' functionality. On the paper, this matched my needs (you create a Webtop or a webapp can play this 'portal' role, you define resource items, you can assign specific SSO,...), but in practice, it takes too much control over your app (especially the patching, I ended up not being able to use relative URLs)

• finally, I realized that what I needed was really a reverse-proxy and I went back to the iRules way. I created a pool and a SSO HTTP form for each webapp. Then, I set a rule like:

when HTTP_REQUEST {
  if { [HTTP::path] equals "/" } { root context redirects to /webapp-portal
    HTTP::redirect "/webapp-portal/"

  } elseif { [string tolower [HTTP::path]] starts_with "/webapp-portal/" } {
    pool webapp-portal-pool

  } elseif { [HTTP::path] eq "/webapp-portal/login" } {
    WEBSSO::select sso-for-webapp-portal

  } elseif { [string tolower [HTTP::path]] starts_with "/webapp1/" || [HTTP::path] eq "/webapp1" } {
    pool pool-webapp1

  } elseif { [HTTP::path] eq "/webapp1/signin" } {
    WEBSSO::select sso-for-webapp1
}

I'm still a newbie on BIP-IP so I'm sure this is not best practice, but it helped me unblock so situations...

Hoping this can yelp someone,