Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

Are you an expert?    Interested in presenting at F5 AppWorld 2024?    Submit a proposal by Nov 29th!

APM Portal Links SSO with Azure AD

David_Wanna
Nimbostratus
Nimbostratus

‎14-Nov-2023 14:20

Hi,

   We have an APM portal using AD authentication.  We recently transitioned to using Azure AD MFA to log into it.  This was done by following the solution to integrate APM with Azure AD using the bigIP as a SAML SP and works without issue.  However, after logging into the portal and clicking on any of the links for the the various apps (which are also Azure AD integrated) the user must go through the login process with Azure AD all over again which is anyoing.  Is there a way to somehow use the original SAML authentication from loging into the portal to seemlessly be logged into the various apps?  Interestingly, once the user clicks on subsequent apps after the second login, they are logged in automatically so I believe it's able to use the session tokens stored in the browser for subsequent logins after the second login (but not after the initial log in to the portal).

 

Labels:
0 Kudos
1 REPLY 1

Lucas_Thompson
F5 Employee
F5 Employee

‎14-Nov-2023 14:41

Once APM receives a SAML assertion from an IdP, it should usually finish authentication and the user's session should be in "Allow" state.

Upon the first network request without a cookie, APM creates a session ID and sends it to the client in an "MRHSession" cookie. Upon each subsequent network request, the client should transmit this cookie and to tie the request to the user's session. It sounds like for whatever reason, your login session isn't following this pattern.

To see why, use your browser's dev tools to examine the cookies sent and recieved by your user's browser. It might be that you're using multi-domain mode (when you visit a host with no MRHSession cookie, the APM will redirect you to the "Primary Authentication URI" for login, then redirect back to the original URI and use some HTTP redirect tricks to share the MRHSession cookie between the domains specified in the config). This is where that multi-domain mode is set up:

Lucas_Thompson_0-1700001491153.png

The problem could also be something else, but in any case looking at the network requests and cookies in your browser dev tools will get you closer to an answer.

0 Kudos
Copyright © 2023 Khoros, LLC