For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

gscholz's avatar
gscholz
Icon for Nimbostratus rankNimbostratus
Nov 11, 2019

VIP targeting VIP, access policy on subordinate VIP causes problem

Hello! I am trying to implement the following scenario: Users connect to server1.example.com using various URIs. Depending on the URI different authentication methods are supposed to be used, for e...
BIG-IP Access Policy Manager (APM)
LTM
security
keithhubb's avatar
keithhubb
Icon for Employee rankEmployee
Dec 04, 2019

Hi  ,

 

I'm setting this up with a customer this week. To provide different SSO methods to different virtual servers, we are using a single APM policy with Multiple Domain SSO. The way this works is that each virtual server is assigned to the main policy. The host names for those virtual servers are added to the main policy SSO/Auth Tab with the SSO appropriate to them. The different SSO policies get their credentials from the main policy's cached AUTH credentials.

 

If a user signs in through app1, their cached credentials will be used for app2, app3, etc. Likewise, if a user signs in through app2, their cached credentials will work for app1, app3, etc.

 

Here's a link for BIG-IP v.11.6.x, but the same principle works for newer versions as well. We're using v.13.x for our config. https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/25.html.

 

We are using Kerberos for our AUTH, and using the SSO ASSIGN VARIABLE to store username and password for the different SSO methods. Apps use a variety of SSO (NTLM, Kerberos, Forms, etc..), but only one profile per host name or domain.

 

Regards,

 

Keith