gm_296763
Jun 26, 2017

SSO between multiple domains and VS

Hi,

We want to deploy these VS:

  • owa.company.org
  • support.company.org
  • intranet.company.org

Each one has a specific APM since it was all generated by iApps. We would like an authentication to one of those APMs to give SSO to all the other APMs. We understand that the best way to go would be 1 APM for all VS, but since we are using iApps-generated APMs, it's difficult.

As described in https://devcentral.f5.com/questions/using-sso-between-multiple-applications, we tried SSO on multiple domains for *.company.org, with one APM per VS. It didn't work and each VS was still prompting for credentials.

So we wonder if our goal is achievable and how to do it...

Do you have any idea?

Thanks.

  • Hi,

    You can use Multi-domain SSO, but it requires having only one APM access profile for all VS.

    You can also define F5 as SAML IdP and configure each access profile as SP.

    You can change the scope of your access profile. Here is an extract from the APM Operation Guide:

    In BIG-IP 11.x - 11.6, user session IDs are global to the BIG-IP system and can be presented to any BIG-IP APM virtual server with an attached access profile.

    In BIG-IP APM v. 12.0 and later, the configurable Profile Scope establishes additional criteria to ensure that a user who has established a session on one virtual server or access profile cannot use that same session cookie to access other virtual servers and the resources behind them.

    There are three possible Profile Scope settings:

    • Profile gives users access only to resources that are behind the same access profile on any virtual server. (Default.)
    • Virtual Server gives users access only to resources that are behind the same virtual server.
    • Global gives users access to resources behind any access profile that has global scope. This setting is equivalent to BIG-IP 11.x behavior.

    Hope it helps

    Yann
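
The Profile Scope rules quoted in the reply above, modelled in Python as an added example that is not part of the thread or of F5's code. The profile names are hypothetical, and the model assumes the browser already presents the session cookie to each host; it covers only the scope check described in the extract.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessProfile:
    name: str    # hypothetical profile name
    scope: str   # "profile" (default), "virtual-server" or "global"

@dataclass(frozen=True)
class VirtualServer:
    host: str
    profile: AccessProfile

def session_accepted(origin: VirtualServer, target: VirtualServer) -> bool:
    """Is a session established on `origin` honoured on `target` (v12.0+ rules)?"""
    scope = origin.profile.scope
    if scope == "virtual-server":
        return origin.host == target.host
    if scope == "profile":
        return origin.profile.name == target.profile.name
    if scope == "global":
        # Only profiles that are themselves global accept a global session.
        return target.profile.scope == "global"
    raise ValueError(f"unknown scope {scope!r}")

def reprompts(deployment):
    """Host pairs (logged in on, then visits) where the user must log in again."""
    return [(o.host, t.host) for o in deployment for t in deployment
            if o.host != t.host and not session_accepted(o, t)]

HOSTS = ["owa.company.org", "support.company.org", "intranet.company.org"]

def one_profile_per_vs(scopes):
    """One access profile per VS, as in the iApps deployment in the question."""
    return [VirtualServer(h, AccessProfile(f"ap_{h.split('.')[0]}", s))
            for h, s in zip(HOSTS, scopes)]

def shared_profile(scope):
    """A single access profile attached to all three VS."""
    ap = AccessProfile("ap_shared", scope)
    return [VirtualServer(h, ap) for h in HOSTS]

if __name__ == "__main__":
    cases = {"per-VS profiles, default scope": one_profile_per_vs(["profile"] * 3),
             "per-VS profiles, all global": one_profile_per_vs(["global"] * 3),
             "per-VS profiles, intranet left at default":
                 one_profile_per_vs(["global", "global", "profile"]),
             "one shared profile, default scope": shared_profile("profile")}
    for label, dep in cases.items():
        print(f"{label}: {len(reprompts(dep))} re-prompting host pairs")
```

A profile left at the default scope stays isolated in both directions even when the other profiles are global, which is the mixed case in the third scenario.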