Forum Discussion
SSO login for APM Profiles
We would like a user to be able to log in to any APM profile and be able to go right into others as long as the session is alive. This seems to work fine for my SAML Profile, but OAuth is prompting for login every time for every client. The Profile session settings appear to be the same for the profiles, and the Editor for both has the same flow: Login Page, then LDAP Auth. Is there something different between SAML and OAuth profiles, or am I missing something in the configs? Neither profile has an SSO Cookie set.
40 Replies
- Injeyan_Kostas
Nacreous
Each Policy/Profile has its own session cookie.
So how are you sharing SAML sessions now? Do you have a main policy acting as SAML IdP and others as SP?
If you do, you only need to federate your OAuth policy with this main policy too.
If not, you have to create one main policy and federate all the rest.
Thanks for the response. SAML is only 1 Policy/Profile with multiple IdP/SP Partnerships associated.
We only act as an IdP.
I am not clear on how we would Federate our OAuth AS with our SAML Policy. Are you saying to Authenticate into OAuth using SAML?
- Injeyan_Kostas
Nacreous
OK, so you have one SAML Policy and one OAuth policy, right?
One option is indeed to federate this OAuth Policy with the SAML one, using SAML again. So the SAML policy will actually be your main policy.
Another one might be to set Scope to Global in both policies. Did you try that?
For this to work, I guess (I have not tried this), you also have to set up a domain cookie and of course serve both policies under the same domain.
Hi,
Are both APM OAuth clients under the same SSO / Auth Domain in Access → Federation → SSO / Auth Domains?
If APM is the AS, are the clients registered under the same tenant with Reuse Existing Session enabled?
Please go through the article below to verify more about this:
https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-oauth-configuration/using-apm-as-an-oauth-2-server.html
Thanks for the response. All of the clients are using the same Access Profile and the same OAuth Profile. We are using a single SSO Domain. I have attempted changing the Profile Scope to Virtual Server and Global with no changes. APM is the AS, but I am not finding a setting for Reuse Existing Session.
- Injeyan_Kostas
Nacreous
So you have one single policy?
Can you describe your setup?
In your first message you mentioned "any APM Profile", but now you say it's the same Profile for all.
