Forum Discussion

rbmcnicholas
Apr 03, 2019

APM Webtop VIP with Multiple Private Applications Configuration

I am working on a project that needs to have an APM Webtop/Portal that links to multiple backend applications. I am running into issues configuring the routing once the users are authenticated to the APM Webtop. To get to the webtop, users present their PIV card and PIN, an AD LDAP query is done to confirm they are a user and to store session variables with that information, and they are presented a list of Webtop resources based on that. These Webtop resources rely on SSO from F5 (currently working on SAML). I have explored multiple options for the applications on the Webtop.

  1. The first that I explored was the Portal Access Resource with Rewrite profile. This worked fine for the application without SAML. The issue I am running into is that there are routing issues with the IdP/SP communication in that Portal Access Resource session. I am not sure how to get the AuthN to F5 and then the Assertion back to the Portal Access Resource session, or if this is even possible without huge iRules. In this scenario, I was using the same Virtual Server for the Webtop and F5 IdP.

  2. The second option I am trying is using multiple F5 Virtual Servers: one for the initial Webtop APM, one for the applications, and one for the IdP itself. I am using a Public IP for each Virtual Server. The application is set up as a standard Webtop Link (not Portal Access) pointing to the Virtual Server of the application, which has its default pool as the app itself. The application has the name of the Virtual Server of the IdP itself, with a return URL of the Virtual Server of the application. The problem here is that it seems to log out the initial Webtop session once you click the link to the application. The application also has a problem with the assertion.

Being very new to F5/APM in general, I am wondering if either of these options are the right way to do things. If there is a way to do everything I am mentioning with one Virtual Server, I would think that would be best.

Any and all advice is greatly appreciated.
