Forum Discussion
SSO - multiple virtual servers
I have multiple virtual servers, each with its own access policy/login page. I would like the user to have the ability to switch to any of these applications without the need to re-authenticate. These 3 applications are on different partitions and 2 different domain names:
- Sharepoint (
- Outlook Web App (email.mydomain.com)
- eLearning (elearning.mydomain.com)
Any guideline on what should be the best practice to setup the SSO?
Thanks
26 Replies
- Yann_Desmarest_
Nacreous
Hello,
You can merge those policies into one and use multi-domain SSO within your access profile.
You can add an external logon page instead of the standard logon page and manage SSO on this external content.
Or you can transform your actual policies into SAML Service Providers that are all bound to the same IdP.
- CDG
Nimbostratus
Thanks for your answer. SAML is not an option for now. What would be the best practice? External logon page or having one access policy for all? With the external logon page setup, does this mean that I need to set up a new dedicated VS/AP to host that external login page?
- Yann_Desmarest_
Nacreous
Hi, the built-in way stays the single policy with multi-domain SSO. For external logon, you will need an extra VS and AP setup. Moreover, you will need to have a custom login page on BIG-IP using iRules or on a third-party web server. I suggest trying multi-domain SSO first.
- CDG
Nimbostratus
ok thanks
- CDG
Nimbostratus
Hi,
I'm in my testing phase now :)
- All virtual servers share the same access policy.
- In the access policy I have set up the SSO / Auth Domains to multiple domains.
- Set the Primary Authentication URI to https://www.intranet.com
- Primary cookie option set to Secure
- SSO Configuration set to the NTLMV2 config
- Created authentication domains for intranet.com (secure, NTLMV2 config) and mydomain.com (secure, NTLMV2 config)
Result: I can log in to https://www.intranet.com, but if I try to reach email.mydomain.com or elearning.mydomain.com directly I get nothing (error 504, no login page). I also get error 504 even if I log in properly to the primary authentication URI.
Any help would be appreciated.
- Hi, you should have no SSO configured on the primary SSO settings.
- Define the complete hostname, not the domain. So you have to define 3 Authentication Domains to have more granularity.
- CDG
Nimbostratus
I removed the SSO configuration on the primary and defined the complete hostname. I still only reach the login page of the Primary Authentication URI (for the others I get error 504: This page can't be displayed).
- CDG
Nimbostratus
I'm still struggling with this.
As per this doc I should be redirected to the primary authentication URI: "If an un-authenticated user reaches any domain specified in the domain group, a re-direct is first made to the primary authenticating service so that credentials are collected in order to establish a session."
https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-sso-config-11-1-0/4.html
But I'm not redirected. Any help would be appreciated.
- Roflcopter
Nimbostratus
I managed to get this working with the following method.
I have 3 virtual servers:
- main.company.com
- app1.company.com - NTLM SSO
- app2.company.com - FORMS SSO
I wanted users to only have to authenticate once no matter which one they went to.
I configured a main access policy for main.company.com, put all my client checks, logon page to capture username and password, etc. in that one, and had a resource assign which gave me webtop links to app1.company.com and app2.company.com.
On the app1.company.com and app2.company.com I also created a new access policy for each virtual server. I didn't put anything in the access policy, it just ends in a deny.
So now I have 3 virtual servers and 3 access policies.
app1 and app2 access policy do nothing except end in deny.
On all 3 access policies I set the profile scope to global.
On app1 access policy I set the SSO/Auth Domains to Multiple, specified the Primary Authentication URI to https://main.company.com. Primary cookie option left as secure. SSO configuration was set to my NTLM SSO profile.
In authentication domains I added Cookie Host app1.company.com, secure and SSO configuration my NTLM SSO profile.
On app2 access policy I set the SSO/Auth Domains to Multiple, specified the Primary Authentication URI to https://main.company.com. Primary cookie option left as secure. SSO configuration was set to my FORMS SSO profile.
In authentication domains I added Cookie Host app2.company.com, secure and SSO configuration my FORMS SSO profile.
Now the access scenarios:
- User browses to main.company.com, clicks on the webtop link to app1.company.com. User is logged in to app1.company.com using NTLM SSO.
- User browses to main.company.com, clicks on the webtop link to app2.company.com. User is logged in to app2.company.com using FORMS SSO.
- User browses to app1.company.com. They are redirected to main.company.com, they log in, and are then sent back to app1.company.com and SSO with NTLM.
- User browses to app2.company.com. They are redirected to main.company.com, they log in, and are then sent back to app2.company.com and FORMS with NTLM.
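A small Python model of the redirect flow quoted from the F5 doc above and of Roflcopter's three-server setup, added here as an illustration (it is not F5 code and not the configuration from this thread): one primary authentication URI, authentication domains matched by exact cookie host, and a browser holding per-host session cookies. The hostnames, the `ntlm`/`forms` labels, the `creds_ok` flag and the `check_profile` helper are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

@dataclass
class AuthDomain:
    cookie_host: str  # complete hostname (app1.company.com), not a bare domain
    sso_config: str   # SSO profile applied once a session exists for this host

@dataclass
class Profile:
    primary_auth_uri: str              # the one place credentials are collected
    auth_domains: List[AuthDomain]
    primary_sso: Optional[str] = None  # the thread's advice: leave this unset

@dataclass
class Browser:
    cookies: set = field(default_factory=set)  # hosts holding an APM session cookie
    creds_ok: bool = True                      # constructed: does the logon succeed?

def _host(url: str) -> str:
    return urlsplit(url).hostname

def check_profile(p: Profile) -> List[str]:
    # Flag the setting the thread says must stay empty on the primary side.
    return ["primary SSO is set; put SSO configs on the authentication domains"] if p.primary_sso else []

def visit(p: Profile, b: Browser, url: str) -> List[str]:
    """Follow one request through the policy and return the steps the user sees."""
    steps, host, primary, dom = [], _host(url), _host(p.primary_auth_uri), None
    if host != primary:
        # Exact cookie-host match: "mydomain.com" never matches email.mydomain.com,
        # which is why the thread insists on the full hostname per domain.
        dom = next((d for d in p.auth_domains if d.cookie_host == host), None)
        if dom is None:
            return [f"error: no authentication domain for {host}"]
        if host in b.cookies:
            return [f"sso {dom.sso_config} on {host}"]
        steps.append(f"redirect {p.primary_auth_uri}")  # credentials live at primary
    if primary not in b.cookies:
        steps.append("logon page")
        if not b.creds_ok:
            return steps + ["deny"]
        b.cookies.add(primary)
    if host == primary:
        return steps + ["allow"]
    steps.append(f"redirect back {url}")  # session propagated to the app host
    b.cookies.add(host)
    return steps + [f"sso {dom.sso_config} on {host}"]
```

Running `visit` for app1, then app2, then app1 again with the same `Browser` shows one logon page in total, which is the behaviour the thread is after.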