Dan_Hulen_14145
Apr 29, 2014

Set APM Domain Cookie with an iRule

I am trying to set the MRHSession and LastMRH_Session cookies to be Domain Cookies via an iRule rather than hard coding these into the APM Policy configuration. We are using the same APM policy to service multiple domains, so what I want to do is the following:


https://apmportal.abc.com -> Sets domain cookie for abc.com
https://app.abc.com -> uses domain cookie for abc.com and doesn't require authentication again.

then (and this is where I'm getting stuck)

https://apmportal.def.com -> Sets domain cookie for def.com
https://app.def.com -> uses domain cookie for def.com and doesn't require authentication again.


Now - I could easily update the APM Access Policy->SSO Across Authentication Domains to set the Domain cookie to abc.com, but then I would need to create another totally separate APM Access policy for def.com, which I don't want to do.

 

I have looked at many threads about multiple domains and separate authentication domains that don't really fit this use-case. This one for example: https://devcentral.f5.com/wiki/APM.ShareAccessCookies.ashx I thought would work but this code is buggy and I was unable to get it to work.

 

Any help would be appreciated.

 

2 Replies

  • Dan, any option to use SAML authentication? This might simplify your issue without having to use iRules. http://www.f5.com/pdf/white-papers/apm-saml-solution-whitepaper.pdf

     

  • What version are you running?

     

    In 11.5 you can use multi-domain cookies, which allow you to have abc.com as the primary, then list def.com, ghi.com, etc. also.

     

    We ran into an issue, however, where we had two domains (test.domain.com and domain.com) that we needed in the profile; while the subdomain was the primary, when you went to the higher-level domain, APM didn't handle it at all. I believe this issue has been fixed in 11.6, but I haven't upgraded in order to test.
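
The per-host choice of cookie domain that the question describes, sketched in Python as an added example (not part of the thread, not an iRule, and not F5 code). The function names are hypothetical, the cookie names and the abc.com/def.com domains are the ones from the question, and the sample headers are constructed.

```python
# Added illustration; not F5 or iRule code. All function names are hypothetical.
ALLOWED_DOMAINS = ("abc.com", "def.com")           # domains from the question
SESSION_COOKIES = ("MRHSession", "LastMRH_Session")


def cookie_domain_for_host(host, allowed=ALLOWED_DOMAINS):
    """Return the allowlisted parent domain that `host` belongs to, else None."""
    host = host.lower().rstrip(".")
    # Strip a port, but leave bracketed IPv6 literals alone.
    if not host.startswith("[") and ":" in host:
        host = host.rsplit(":", 1)[0]
    for domain in allowed:
        # RFC 6265 domain-match: identical, or a suffix that starts at a dot.
        # A bare endswith(domain) would wrongly accept "evilabc.com".
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scope_session_cookies(set_cookie_values, host, allowed=ALLOWED_DOMAINS):
    """Add Domain=<parent> to the session cookies in a list of Set-Cookie values."""
    domain = cookie_domain_for_host(host, allowed)
    out = []
    for value in set_cookie_values:
        name = value.split("=", 1)[0].strip()
        if domain is None or name not in SESSION_COOKIES:
            out.append(value)  # unknown host or unrelated cookie: leave as issued
            continue
        # Drop any Domain attribute already present, then append the chosen one.
        parts = [p.strip() for p in value.split(";") if p.strip()]
        parts = [p for p in parts if not p.lower().startswith("domain=")]
        out.append("; ".join(parts + ["Domain=" + domain]))
    return out


if __name__ == "__main__":
    # Constructed sample response headers.
    sample = ["MRHSession=0123abcd; path=/; secure", "lang=en; path=/"]
    for h in ("apmportal.abc.com", "apmportal.def.com", "apmportal.evilabc.com"):
        print(h, "->", scope_session_cookies(sample, h))
```

A cookie scoped to a parent domain is sent to every host under that domain, so the allowlist should contain only domains where all subdomains are trusted to see the session cookie.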