Forum Discussion
John_T__Morgan_
Nimbostratus
NimbostratusPreserving Session Variables after a redirect
Hi All,
I have a LAB BIG-IP (11.6) set up which has the following: 2 Virtual servers, 2 access policies.
The BIG-IP is being used as a perimeter device and allows external access to our net...
Nobby_67786Nimbostratus
NimbostratusHi John,
The best way to do this would be to setup SAML federation between your VIPs & Access Policies. Configure your primary access policy to act as an IDP and all your others to be SP's. If you've got variables you capture like (username & password) you can pass them as attributes in the SAML payload. The great thing about that solution is that your VIPs don't even need to be on the same device so if you needed to scale or distribute services your authentication architecture will already support it.
Hope this helps point you in the right direction.
- Nobby
Nobby_67786Nimbostratus
NimbostratusSo you have several options.
- If the user you're authenticating only has access to one app/service (which you might determine via AD groups for example) then you could have an ending Redirect action and send them just to that service. The act of redirecting the user to the app would then generate an SP initiated SAML transaction which would actually redirect the user back to the first VIP (to get the SAML assertion) and as the user is already authenticated, APM would just hand them the assertion and direct them back to the app.
- You also have the option to present the user a webtop with links to apps they have access too. In this scenario the links can include SAML resources for which APM can generate an IDP initiated assertion (no bouncing around between VIPs).
Either way works, and the extra redirects aren't so noticeable unless you've got massively latent links (like satellite). I'm based in Australia and the ~200ms from here to Seattle where lots of my APM sessions terminated didn't cause any significant delays even for SP initiated sessions.
