For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

CDG's avatar
CDG
Icon for Nimbostratus rankNimbostratus
May 17, 2016

SSO - multiple virtual servers

I have multiple virtual servers with their own Access policy/login page. I would like the user to have the ability to switch to any of these applications without the need to re-authenticate. These 3 ...
application delivery
BIG-IP Access Policy Manager (APM)
LTM
SSO
CDG's avatar
CDG
Icon for Nimbostratus rankNimbostratus
Jun 13, 2016

Hi,

 

I`m in my testing phase now :)

 

  • All virtual server shares the same access policy.

     

  • In the access policy I have setup the SSO / Auth Domains to mutilple Domains

     

  • Set the Primary Authentication URI to https://www.intranet.com

     

  • Primari cookies option to Secure

     

  • SSO Configuration to NTLMV2 config

     

  • Created Authentification domain for intranet.com (secure, NTLV2 config) and mydomain.com (secure, NTLV2 config)

     

Result: I can login to https://www.intranet.com but if I try to reach directly email.mydomain.com or elearning.mydomain.com I get nothing (error 504, no login page) I also get error 504 event if I login properly to ht primary authentification uri.

 

Any help would be appreciated.

 

  • Yann_Desmarest's avatar
    Yann_Desmarest
    Icon for Cirrus rankCirrus
    Jun 13, 2016
    Hi, you should have no SSO configured on the primary SSO settings
  • Yann_Desmarest's avatar
    Yann_Desmarest
    Icon for Cirrus rankCirrus
    Jun 13, 2016
    Define the complete hostname, not the domain. So you have to define 3 Authentication Domain to have more granularity.
  • CDG's avatar
    CDG
    Icon for Nimbostratus rankNimbostratus
    Jun 14, 2016
    I removed the SSO configuration on the primary and defined the complete hostname. I still only reach the login page of the Primary Authentication URI. (others I get error 504 . This page can`t be displayed)
  • Yann_Desmarest's avatar
    Yann_Desmarest
    Icon for Cirrus rankCirrus
    Jun 14, 2016
    Can you check the http exchanges between F5 and the client by using httpwatch or fiddler ?
  • CDG's avatar
    CDG
    Icon for Nimbostratus rankNimbostratus
    Jun 14, 2016
    Yes Fiddler return HTTP Result 504.
  • CDG's avatar
    CDG
    Icon for Nimbostratus rankNimbostratus
    Jun 14, 2016
    If I change the Primary Authentication URI to elearning.mydomain.com per exemple ... this one starts working and the other ones I get http 504.
  • Yann_Desmarest's avatar
    Yann_Desmarest
    Icon for Cirrus rankCirrus
    Jun 14, 2016
    It's strange that the BIGIP send a 504 Gateway Timeout. Do you have a proxy configured ? Can you start a tcpdump on the bigip itself to check if the packets are coming to the bigip ?
  • CDG's avatar
    CDG
    Icon for Nimbostratus rankNimbostratus
    Jun 15, 2016
    No proxy... it seems that the big-ip does not redirect the client to the Primary Authentication URI. Thought.... When I'm connected and auhtenticated to the Primary Authentication URI.... I do have access to the other Virtual servers within the same domain but I still not able to access the other domain without logon page...which is the goal here. Should I dedicat a public IP and Virtual servers for each domain Primary Authentication URI?
  • CDG's avatar
    CDG
    Icon for Nimbostratus rankNimbostratus
    Jun 15, 2016
    Should I use an Irule to force the redirection to the Primary Authentication URI?
  • Yann_Desmarest's avatar
    Yann_Desmarest
    Icon for Cirrus rankCirrus
    Jun 15, 2016
    You can log the session.server.landinguri to check the return uri