Forum Discussion

SV2022
Feb 18, 2024

SSO

I am a beginner with APM.

I can see the same access profile is mapped to 2 different VS.

1. My understanding is they have mapped the same access profile to make SSO work between virtual servers. Is that right?

2. When SSO has been generated in the first VS, it will be passed to the user's browser, right? And when the same user accesses the 2nd VS, how does the second VS validate credentials?

  • I want to see whether the same cookie is used for both VS via logs. How/where can I verify this?

    Note: I am not the end user. As APM is very new to me, I just want to see/verify the SSO cookies (same cookie) that are used across VS.

    • You can use the development tools of your browser to check if the SSO cookie is also sent to the other VS.
      You cannot see this in logging.

  • 1. So the cookie will be the same for both VS. Where can I find the specific cookie in APM that has been used between these VS?

    2. When I open active sessions in APM and click the + sign, I see "No subsessions". What does that mean?


    • Hi,

      This is the overview of all cookies being used by APM: K15387

      Subsessions are part of a per request policy. See: About per request policies

      There are two types of policies in APM, per session and per request. The first is only executed at the first request of a user, the second at every request a user sends to APM.

  • Thanks, got clarified.

    So when the second VS receives the connection with the same cookie, F5 will validate this cookie with the APM session cookies, right? So the timeout value will be reset now by the second VS?

    • The second VS will validate the cookie against the APM session table.
      It is a session cookie, it doesn't have a timeout value.

      Session cookies expire once you log off or close the browser. They are only stored temporarily and are destroyed after leaving the page. They are also known as transient cookies, non-persistent cookies, or temporary cookies.

      If you have to log in to a website every time you open your browser and visit it, then it is using a session cookie to store your login credentials. This is unlike a persistent cookie, which contains an expiration date.
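Added example, not part of the original replies: a small Python check for headers copied out of the browser's developer tools, which tells a session cookie from a persistent one and confirms that both virtual servers received the same session cookie value. The cookie name `MRHSession`, the host names and all header values are assumptions constructed for illustration; check K15387 for the cookie names your APM version uses.

```python
from http.cookies import SimpleCookie

# Assumption: APM session cookie name; confirm against K15387 for your version.
SESSION_COOKIE = "MRHSession"

# Constructed sample data, shaped like headers copied from the browser's network tab.
SET_COOKIE_VS1 = "MRHSession=0123abcd; path=/; secure; HttpOnly"
PERSISTENT_EXAMPLE = "prefs=dark; path=/; Max-Age=86400"
REQUESTS = [  # (Host header, Cookie header) for one request to each virtual server
    ("app1.example.com", "LastMRH_Session=0123abcd; MRHSession=0123abcd"),
    ("app2.example.com", "MRHSession=0123abcd; LastMRH_Session=0123abcd"),
]

def set_cookie_attrs(header):
    """Return (name, value, lowercased attribute names) for one Set-Cookie header."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {p.partition("=")[0].strip().lower() for p in rest if p}
    return name, value, attrs

def is_session_cookie(header):
    """A session (transient) cookie carries neither Expires nor Max-Age."""
    _, _, attrs = set_cookie_attrs(header)
    return not ({"expires", "max-age"} & attrs)

def missing_flags(header):
    """Flags a defender expects on a session cookie but that are absent."""
    _, _, attrs = set_cookie_attrs(header)
    return sorted({"secure", "httponly"} - attrs)

def cookie_value(cookie_header, name=SESSION_COOKIE):
    """Extract one cookie's value from a request Cookie header, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return jar[name].value if name in jar else None

def same_session_everywhere(requests, name=SESSION_COOKIE):
    """True when every host received the same non-empty session cookie value."""
    values = {cookie_value(cookie, name) for _, cookie in requests}
    return len(values) == 1 and None not in values

if __name__ == "__main__":
    print("session cookie:", is_session_cookie(SET_COOKIE_VS1))
    print("missing flags:", missing_flags(SET_COOKIE_VS1))
    print("same cookie on both VS:", same_session_everywhere(REQUESTS))
```
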

  • "Since the user has this cookie and an active session the second virtual server doesn't need valid credentials."

    Does that mean the cookie generated with the first VS will be sent again to the second VS and there won't be any validation? In that case anyone can insert a cookie to the second VS, right, and get access to the servers, right?

  • Hi beginner 😉,

    1. Yes. Attaching the same APM policy to two virtual servers will result in SSO. So a user who is logged in to VS 1 will get SSO to the second.
    2. It doesn't validate credentials; F5 is using an APM session cookie for this. Since the user has this cookie and an active session, the second virtual server doesn't need valid credentials.

    There are 3 options for this when you create a new policy/profile.

    From the Profile Scope list, retain the default value or select another.

      • Profile: Gives a user access only to resources that are behind the same access profile. This is the default value.
      • Virtual Server: Gives a user access only to resources that are behind the same virtual server.
      • Global: Gives a user access to resources behind any access profile that has global scope.
    • Brambre29

      Hi,

      I have another question: what if the application is outside of F5? Is it possible to apply SSO with methods like HTTP Basic, form-based, etc.?