Forum Discussion
SSO - multiple virtual servers
I managed to get this working with the following method.
I have 3 virtual servers:
- main.company.com
- app1.company.com - NTLM SSO
- app2.company.com - FORMS SSO
I wanted users to only have to authenticate once no matter which one they went to.
I configured a main access policy for main.company.com, put all my client checks, logon page to capture username and password etc. in that one, and had a resource assign which gave me webtop links to app1.company.com and app2.company.com.
On the app1.company.com and app2.company.com I also created a new access policy for each virtual server. I didn't put anything in the access policy, it just ends in a deny.
So now I have 3 virtual servers and 3 access policies.
The app1 and app2 access policies do nothing except end in deny.
On all 3 access policies I set the profile scope to global.
On app1 access policy I set the SSO/Auth Domains to Multiple, specified the Primary Authentication URI to https://main.company.com. Primary cookie option left as secure. SSO configuration was set to my NTLM SSO profile.
In authentication domains I added Cookie Host app1.company.com, secure and SSO configuration my NTLM SSO profile.
On app2 access policy I set the SSO/Auth Domains to Multiple, specified the Primary Authentication URI to https://main.company.com. Primary cookie option left as secure. SSO configuration was set to my FORMS SSO profile.
In authentication domains I added Cookie Host app2.company.com, secure and SSO configuration my FORMS SSO profile.
Now the access scenarios:
- User browses to main.company.com - clicks on webtop link to app1.company.com. User is logged in to app1.company.com using NTLM SSO.
- User browses to main.company.com - clicks on webtop link to app2.company.com. User is logged in to app2.company.com using FORMS SSO.
- User browses to app1.company.com. They are redirected to main.company.com, they log in, and are then sent back to app1.company.com and SSO with NTLM.
- User browses to app2.company.com. They are redirected to main.company.com, they log in, and are then sent back to app2.company.com and FORMS with NTLM.