Forum Discussion

May 17, 2012

One APM session, Multiple VIPS

I have what I hope is an easy question but in my testing I haven't been able to find a solution.

Across all my virtuals I want to maintain a single APM session. One VIP would be used to validate PKI certificates and when applicable authenticate users to the necessary LDAP or other services. The other VIPs would have their own APM logic which would handle a forms based login, show a banner consent page, utilize PKI info in some way etc.

What I have found is that the initial App Virtual to PKI Virtual redirection works however upon redirecting back to the original App Virtual it will log the user in (SSO config) successfully using the authentication gathered from the PKI Virtual but it won't run its individual APM logic.

I found and have played around with this awesome bit of code but no luck there:

In short I want to know if there is a way to force APM to rerun or initiate the logic that it's been configured with when certain conditions are met.

8 Replies

  • Hello, Did you ever get an answer or assistance with this request? I have a similar requirement. Thanks.
  • If nappanwo is talking about the native "multi-domain" auth in APM, then that's the expected behavior. Once authenticated to the "logon" VIP, the redirected client would skip over the app VIP's policy. If you want something a bit more robust and flexible, I'd highly recommend using SAML in 11.3.


  • A little confused by your question. Do you want to have everything in a single VIP and process different policy evaluations based on what the user is accessing, or will the user touch multiple VIPs and you want to share the information obtained from another APM session?


  • We would have multiple VIPs to backend applications, but use cert-based auth as the initial user authentication. Then each VIP may have different authorization requirements that we want to automate using APM (AD check, LDAP query, NTLM, etc.). So it would be the latter use case where session information is being shared across.


  • Still sounds like SAML. ;)


    You'd basically have n+1 VIPs: one VIP is the "IdP" - the one responsible for requesting client cert, and then separate "SP" VIPs for each application. A user accesses an app VIP the first time, gets redirected to the IdP for cert authentication, and that VIP redirects back to the SP with an assertion that can contain arbitrary information that the SP's policy can use for additional evaluation (queries, SSO, etc.). When the user accesses a different app VIP, they're again redirected to the IdP, but this time they have an existing session so it's immediately redirected back with appropriate assertion without re-challenging the user.


    Does that sound like it'll work for you?


  • Yes, SAML IdP-SP would work if all the apps supported it. That is the planned migration strategy. In the meantime, we were looking to integrate and still provide some level of SSO for enhanced user experience.


    Can the APP VIP's APM policy check for the existence of an existing APM session initiated by the Identity VIP on the behalf of that user? With that check, the APP VIP could move to its next step in the authorization APM policy check.


  • APM would provide both SP and IdP services, so the apps don't have to support it.


  • That's correct. You can also configure the IdP to send different assertion information to different SPs.
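The two points made in the thread, the n+1 VIP flow (first visit challenges for the client cert, later visits to other app VIPs reuse the IdP session) and the IdP releasing different assertion attributes to different SPs, are shown below as an added, constructed Python model. This is not F5 configuration and not code from anyone in the thread: the "IdP" and "SP" are plain classes, the session cookie, the `ATTRIBUTE_RELEASE` map, the application names and the sample identity are all invented, and an HMAC-signed JSON blob stands in for a real SAML XML assertion. What it does keep faithful is where each check lives: the IdP holds the one authenticated session, while each SP still verifies signature, audience and expiry and then runs its own authorization step on the attributes it was sent.

```python
"""Toy model of the n+1 VIP SAML pattern discussed in the thread.

Constructed example: one IdP that owns the authenticated session and
several SP "VIPs" that each run their own authorization step on the
attributes the IdP releases to them.  The assertion is an HMAC-signed
JSON document standing in for a SAML XML assertion; the signature,
audience and expiry checks are the ones a real SP performs.
"""
import hashlib
import hmac
import json
import secrets
import time

IDP_KEY = b"constructed-idp-signing-key"  # stands in for the IdP's signing key

# Per-SP attribute release (hypothetical app names): the IdP sends
# different assertion data to different SPs.
ATTRIBUTE_RELEASE = {
    "hr-app": ["uid", "groups"],
    "finance-app": ["uid", "clearance"],
}


class IdentityProvider:
    """The 'logon' VIP: challenges for a client cert once, then reuses the session."""

    def __init__(self, key=IDP_KEY):
        self.key = key
        self.sessions = {}    # session cookie -> identity attributes
        self.challenges = 0   # how many times the client cert was actually requested

    def _cert_challenge(self, client_cert):
        # Stand-in for the client-certificate prompt; the dict models the
        # identity extracted from the certificate.
        self.challenges += 1
        return dict(client_cert)

    def authn_request(self, sp_id, session_cookie, client_cert):
        """Handle a redirect from an SP; reuse an existing session when present."""
        if session_cookie in self.sessions:
            identity = self.sessions[session_cookie]
        else:
            identity = self._cert_challenge(client_cert)
            session_cookie = secrets.token_hex(16)
            self.sessions[session_cookie] = identity
        return session_cookie, self._issue_assertion(sp_id, identity)

    def _issue_assertion(self, sp_id, identity, ttl=300):
        released = {k: identity[k] for k in ATTRIBUTE_RELEASE.get(sp_id, []) if k in identity}
        body = {"aud": sp_id, "exp": int(time.time()) + ttl, "attrs": released}
        payload = json.dumps(body, sort_keys=True).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        return {"payload": payload.decode(), "sig": sig}


class ServiceProvider:
    """An app VIP: validates the assertion, then runs its own authorization step."""

    def __init__(self, sp_id, idp_key, authorize):
        self.sp_id = sp_id
        self.idp_key = idp_key
        self.authorize = authorize   # per-VIP policy step (AD/LDAP check, group test, ...)

    def consume(self, assertion, now=None):
        now = time.time() if now is None else now
        payload = assertion["payload"].encode()
        expected = hmac.new(self.idp_key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return {"ok": False, "reason": "bad signature"}
        body = json.loads(payload)
        if body["aud"] != self.sp_id:
            return {"ok": False, "reason": "wrong audience"}
        if body["exp"] < now:
            return {"ok": False, "reason": "expired"}
        if not self.authorize(body["attrs"]):
            return {"ok": False, "reason": "authorization failed"}
        return {"ok": True, "attrs": body["attrs"]}


def run_scenario():
    """One user visits two app VIPs; the cert is requested once, each SP decides for itself."""
    idp = IdentityProvider()
    sps = {
        "hr-app": ServiceProvider("hr-app", IDP_KEY, lambda a: "hr" in a.get("groups", [])),
        "finance-app": ServiceProvider("finance-app", IDP_KEY, lambda a: a.get("clearance") == "high"),
    }
    # Constructed identity as it would be read from a client certificate.
    cert_identity = {"uid": "alice", "groups": ["hr", "staff"], "clearance": "low"}
    cookie, assertion, results = None, None, {}
    for sp_id in ("hr-app", "finance-app"):
        cookie, assertion = idp.authn_request(sp_id, cookie, cert_identity)
        results[sp_id] = sps[sp_id].consume(assertion)
    # The finance assertion presented to hr-app must be rejected on audience.
    results["replayed_to_hr"] = sps["hr-app"].consume(assertion)
    results["cert_challenges"] = idp.challenges
    return results


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

Running it shows the behaviour the thread describes: the client cert is requested exactly once, `hr-app` admits the user on the `groups` attribute it was sent, `finance-app` sees only `uid` and `clearance` and refuses the user at its own policy step, and an assertion minted for one SP is rejected by another because the audience does not match.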