Is it possible to authenticate to a webtop seamlessly using the AD credentials our users are already logged onto their machines with? To qualify, we have a webtop, that when accessed, presents users with a list of applications determined by their AD Group Membership (if they are a member of a given group, they will be presented with a link to that application on their webtop). Currently though users are having to enter credentials (same active directory credentials as the ones they have already logged onto their machines with) on the login page of the webtop. Is there a configuration we can try that will allow seamless login to the Webtop and show all the applications the users has been granted?

The simplest way to do this is with client side (AAA) Kerberos authentication. In 11.4 and above you can also do native NTLM, but that configuration is a bit trickier.

Sure - you can use Kerberos or NTLM. Check out this article for details: https://devcentral.f5.com/articles/leveraging-big-ip-apm-for-seamless-client-ntlm-authentication

Thanks for the responses. I have had a look at that article and it goes into great depth for setting up seamless auth for domain joined machines where SAML resources are being accessed. I guess to prevent a double login and make the BigIP aware of the user trying to access the SAML resource (via NTLM) instead of prompting for credentials when the iDP is called? We dont access any SAML resources directly via SP links (although we could and some users do). They are presented as applications within our webtop, after an initial login to the webtop is made and the user is challenged for credentials. At that point when accessing SAML resources, it becomes seamless for us... What I cant figure out is how I would configure the Webtop for seamless login so the end user experience would be as follows: 1)User Logs into domain joined machine 2)User browses to web top 3)Seamless log in to webtop, as APM should know who the user is because the user has already authenticated to the domain 4)List of applications (Portal Access, SAML Resources, Webtop Links etc etc) presented to user automatically and dynamically via AD Group Membership as APM already knows who the user is 5)User clicks a SAML enabled applications, that is also seamless, as the APM already knows who the user is. Is this user journey possible?

Not sure when SAML was introduced to the conversation, but that shouldn't matter. You can very simply create a client side Kerberos AAA authentication (401 and Kerberos Auth) at the beginning of the access policy evaluation). The user contacts the APM VIP.The APM VIP responds with a 401 Unauthorized message and WWW-Authenticate Negotiate header.The domain-joined user contacts its local DC/KDC to get a ticket for this service, and then returns to the VIP with a Kerberos ticket.The Kerberos Auth agent validates the Kerberos ticket and allows access.The access policy assigns the webtop and additional resources to the user. You can do more or less the same thing with NTLM on the client side, but again it's a little more involved. Once the user is authenticated and has a webtop, there's also a session variable stored in the access policy, session.logon.last.logonname, that contains the user's AD UPN (ie. bill.user@mydomain.com). You can use this to do server side authentication, IdP-initiates SAML, etc.

Kevin, Thanks for the detailed response... it looks like this exactly what I need to achieve. Couple of questions: Would using NTLM or Kerberos both result in session.logon.last.logonname being stored as a session variable that can be used for SAML? I'm trying to find the steps to follow to set both of these methods up for testing... Should I look further at the document Michael linked me too, or do you know of any easier to follow document that covers this particular scenario?

Seamless athentication to Webtop

14 Replies

John_Reddington
Nimbostratus
Jul 28, 2014
"You could also technically perform the IdP functions in APM "

is exactly what I want to do! :)

The key here is the transparency...

Okay, I need to try and implement the Kerberos part, you caveated the official guide well :)
John_Reddington
Nimbostratus
Aug 01, 2014
Kevin,

As I try to implement this I've thought of a couple of more scenarios, that you might be able to confirm up for me:

"You're going to log in to the APM webtop seamlessly by virtue of Kerberos authentication from your domain-joind workstation."

This is exactly what I want to do. However would I also be able to have a fall back to the standard login page here if I accessed my webtop from a non corporate/non domain joined workstation, where attempting kerberos auth would fail?

And secondly (i might not be explaining this very well). Could I still access my SAML protected resources (SaaS based applications available over the Internet) seamlessly without having to seamlessly login to my webtop first (lets say I fired it straight from my browser favourites) from a domain joined machine? So the flow, I expect, would be from domain joined machine to Saas app, SaaS app redirects back to my iDP for auth, iDP does auth via Kerberos, SaaS app lets me in without requiring manual credential input. The next query would then be if I was on a non domain joined workstation accessing SaaS apps would that auth be able to failback to a login page, as the iDP is trying to do auth via Kerberos in the first instance?

Thanks for your help! I'm hoping I've come to the end of the road in terms of scenarios! :)
Kevin_Stewart
Employee
Aug 04, 2014
However would I also be able to have a fall back to the standard login page here if I accessed my webtop from a non corporate/non domain joined workstation, where attempting kerberos auth would fail?

In the visual policy for your IdP, you can configure the 401 agent to send Kerberos tickets to the Kerberos Auth agent, and anything else (fallback) to a standard logon page. The only thing you really have to worry about here is 1) the SAML trust between the IdP and SP(s), and 2) how you authenticate users at the IdP. Regardless of where the user is coming from, if he accesses a SAML-integrated application, he'll be redirected to the IdP for authentication. Once that happens and the user is properly authenticated, he'll be sent back to the SP with an assertion and access should be granted.
John_Reddington
Nimbostratus
Aug 04, 2014
so, correct me if I'm wrong then, the way I have currently set it up and its working (before looking into Kerberos at all) is that I get a Logon Page for my webtop (regardless of user location/domain joined). Once user logs into this, he's good to go with all currently assigned SAML based resources. The same "logon page" credentials he inputted pass him through without a secondary login required at the iDP (also hosted on the same F5 device hosting the webtop) when authenticating SAML based resources clicked off of the webtop presented to the user.

Now, when I hopefully get Kerberos working to seamlessly authenticate the webtop for domain joined machine, or fall back to a login page for non domain joined machines, my SAML resources (either directly accessed or accessed via Webtop) should continue to allow seamless access I'm assuming either by virtue of Kerberos Auth or by the User being authenticated by the F5 logon page? I'm hoping both methods will authenticate the resource properly to not throw up a login to the iDP when currently configured SAML resources are being accessed

Forum Discussion

Seamless athentication to Webtop

14 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

VIP is not responding on SYN after enabling other modules like ASM, APM and AFM.

2026 301a exam

F5OS login with admin/root failed via console

UCS Encryption Question

Unblock Request WAF

Related Content

Secure and Seamless Cloud Application Migration with F5 Distributed Cloud and Nutanix

Seamless Application Migration to OpenShift Virtualization with F5 Distributed Cloud

Seamless App Connectivity with F5 and Nutanix Cloud Services

Seamless Upgrade of F5 BIG-IP SSL Orchestrator (SSLO) L3 HA Cluster Without Downtime

IdP Routing With BIG-IP APM To Enable Seamless SSO User Experience

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS