Forum Discussion
SAML SSO for SPs on separate devices
Scenario: We have two SAML SPs configured on two different F5 APMs (located on two different sites). Let's call them sp1.example.com and sp2.example.com. They authenticate from a third-party IdP, following the standard SAML method: client connects to SP, SP redirects the client to IdP, IdP presents login page, user enters credentials, IdP authenticates, then redirects back to the SP, SP allows access based on the SAML token. Individually both work as expected; the users can log in and access the services behind the SPs.
The issue is, after login, sp1.example.com initiates 2 API calls to sp2.example.com. And since the two SPs are on separate boxes, they have separate access policies, and while the client is authenticated to sp1, it does not have an active session on the other box to sp2. So the APM on site2 tries to redirect the client to /my.policy. All this happens in the background on the client machine, so the user does not have any chance to supply credentials, so the API calls are failing and the user gets an error popup.
If the user logs in to sp2.example.com first then goes back to sp1.example.com and logs in then everything is working, as the client will have an active session on the APM on site2.
The 2 SPs are authenticating from the same user base on the same IdP. What we would need is some sort of SSO here, so the API calls would use the credentials/token from the session of sp1.example.com. I tried to research this, but couldn't find a useful answer so far. The only thing I found that might be helpful is the Multiple Domains option in the access profile. But that requires the 2 VIPs to be on the same box, and as far as I understand even with that redirects still would happen. So I'm afraid that too won't solve the problem.
Does anyone have any idea how to solve this? Any help is appreciated.
Thanks, Ferenc
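To make the failure mode in the post concrete, here is a small added model of the two-SP setup (example code written for this page, not F5 APM code and not the poster's configuration). It models browser cookies as per-host, gives each SP its own session store on its own box, and lets the shared IdP keep an SSO session once credentials were accepted (an assumed, standard IdP behaviour). The host names come from the post; the IdP name, cookie handling, the user record and the `/my.policy` redirect for non-interactive requests are assumptions.

```python
"""Toy model: two SAML SPs on separate appliances, one shared IdP.
Constructed for illustration only; names and behaviours are assumptions."""
from dataclasses import dataclass
import secrets


@dataclass
class Response:
    status: int
    location: str = ""
    body: str = ""


class Browser:
    """Cookie jar keyed by host: a session cookie set by sp1 is never sent to sp2."""
    def __init__(self):
        self.cookies = {}


class IdP:
    """Shared IdP. Keeps its own SSO session per browser once credentials were
    accepted (assumed behaviour), so a second SP login needs no new prompt."""
    host = "idp.example.com"  # assumed name, not from the post

    def __init__(self, users):
        self.users = users
        self.sso_sessions = set()

    def sso(self, browser, sp_host, credentials=None):
        """Return a toy SAML assertion for sp_host, or None if the user would
        have to see the login page and no credentials were supplied."""
        cookie = browser.cookies.get(self.host)
        if cookie not in self.sso_sessions:
            if credentials is None or self.users.get(credentials[0]) != credentials[1]:
                return None
            cookie = secrets.token_hex(8)
            self.sso_sessions.add(cookie)
            browser.cookies[self.host] = cookie
        return f"assertion:{sp_host}:{cookie}"


class SP:
    """One APM-fronted SP; its session store lives on its own box."""
    def __init__(self, host, idp):
        self.host, self.idp, self.sessions = host, idp, set()

    def request(self, browser, path, credentials=None, interactive=False):
        if browser.cookies.get(self.host) in self.sessions:
            return Response(200, body=f"{path} served by {self.host}")
        if not interactive:
            # Background API call: the page's JavaScript receives this redirect
            # instead of the API payload, which is the error popup from the post.
            return Response(302, location=f"https://{self.host}/my.policy")
        assertion = self.idp.sso(browser, self.host, credentials)
        if assertion is None:
            return Response(401, body="IdP login page would be shown")
        cookie = secrets.token_hex(8)
        self.sessions.add(cookie)
        browser.cookies[self.host] = cookie
        return Response(200, body=f"{path} served by {self.host}")


USERS = {"demo-user": "demo-password"}  # constructed credential for the model


def sp1_only():
    """Log in to sp1 only, then issue the background call to sp2."""
    idp = IdP(USERS)
    sp1, sp2 = SP("sp1.example.com", idp), SP("sp2.example.com", idp)
    b = Browser()
    login = sp1.request(b, "/", USERS_ITEM, interactive=True)
    api = sp2.request(b, "/api/data")  # no sp2 session on site2 -> redirect
    return login.status, api.status


def sp2_first():
    """Log in to sp2 first, then sp1 (no new prompt thanks to the IdP SSO
    session), then issue the background call to sp2."""
    idp = IdP(USERS)
    sp1, sp2 = SP("sp1.example.com", idp), SP("sp2.example.com", idp)
    b = Browser()
    first = sp2.request(b, "/", USERS_ITEM, interactive=True)
    second = sp1.request(b, "/", None, interactive=True)  # IdP session reused
    api = sp2.request(b, "/api/data")
    return first.status, second.status, api.status


USERS_ITEM = ("demo-user", "demo-password")

if __name__ == "__main__":
    print("sp1 only :", sp1_only())   # login ok, background call redirected
    print("sp2 first:", sp2_first())  # all three succeed
```

The model reproduces both observations from the post: with only an sp1 session the background request to sp2 gets a redirect to the site2 access policy rather than data, and establishing the sp2 session first (without a second credential prompt, because the IdP already has a session) makes the same call succeed. It also shows why a shared IdP alone does not help: the IdP session lives under the IdP's host, while each APM checks for its own per-host session cookie.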