VIP targeting VIP, access policy on subordinate VIP causes problem

Hi  ,

I'm setting this up with a customer this week. To provide different SSO methods to different virtual servers, we are using a single APM policy with Multiple Domain SSO. The way this works is that each virtual server is assigned to the main policy. The host names for those virtual servers are added to the main policy SSO/Auth Tab with the SSO appropriate to them. The different SSO policies get their credentials from the main policy's cached AUTH credentials.

If a user signs in through app1, their cached credentials will be used for app2, app3, etc. Likewise, if a user signs in through app2, their cached credentials will work for app1, app3, etc.

Here's a link for BIG-IP v.11.6.x, but the same principle works for newer versions as well. We're using v.13.x for our config. https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/25.html.

We are using Kerberos for our AUTH, and using the SSO ASSIGN VARIABLE to store username and password for the different SSO methods. Apps use a variety of SSO (NTLM, Kerberos, Forms, etc..), but only one profile per host name or domain.

Regards,

Keith