Technical Forum

Domain Cookie SSO

Nolan_Jensen_23
Nimbostratus

Hello All,

I am trying to figure out why SSO using a domain cookie is not working for just one of my applications. I am running 12.1.2 and have domain cookie working for other applications, so I am not sure why this one is not cooperating.

Current configuration: I have a webtop (webtop.test.com) with an application that is not allowing SSO at the moment (app1.test.com).

Webtop.test.com

  • Access policy that uses Logon page > AD Auth > SSO Credential Mapping > Advanced Resource Assign
  • Advanced Resource Assign has portal access, a few SAML, webtop, and webtop links
  • Access Policy is set to Global for Profile Scope
  • SSO/Auth Domains has domain cookie test.com and Secure flag checked

app1.test.com

  • textapp1.test.com is a virtual server on the BIG-IP
  • Access policy: Logon page > AD Auth > SSO Credential Mapping
  • Access Policy is set to Global for Profile Scope
  • SSO/Auth Domains has domain cookie test.com and Secure flag checked

Issue

When I log in to the webtop and click on the link to app1, I am prompted to log in again via the app1 access policy login page.

Troubleshooting

  • I can see using SSO tracer that the cookie created when logging in to webtop is not being used by app1, because it creates a new LastMRH Session id.
  • I have tried adding persistent to SSO/Auth Domains.
  • I have another app, app2, that is configured the same way, but this one works as I would expect.
  • If I log in directly to app2, then open a new tab and go to app1, the domain cookie is working as I am not prompted to log in again.
  • I have enabled debug on webtop and app1, but the APM log doesn't show anything useful for app1 since it doesn't log in.
  • I have tested on Chrome, Firefox, Edge and IE11; all have the same issue for SSO to app1 from webtop.

Any ideas would be greatly appreciated.

Thanks
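
The troubleshooting list above comes down to one question: does the APM session cookie issued by the webtop virtual server have a scope that makes the browser send it to app1.test.com? The script below is an added example, not code from this thread or from F5; it applies the RFC 6265 domain, path and Secure-flag rules to Set-Cookie headers so the two cases (webtop versus app2) can be compared side by side. The two sample headers are constructed for the example, the cookie name MRHSession is an assumption (the post only mentions the related LastMRH Session id), and the function names are the example's own. Paste the real Set-Cookie values from the webtop and app2 responses (visible in browser developer tools, in the SSO tracer, or in a proxy capture) into SAMPLE_SET_COOKIE to run the same comparison on live data.

```python
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie headers, one per APM virtual server, as they might
# appear in a browser's developer tools or an HTTP proxy capture. They are made up
# for this example and are not captures from the poster's system. Only the Domain
# attribute differs: the first cookie is host-only, the second is scoped to the
# parent domain test.com.
SAMPLE_SET_COOKIE = {
    "webtop.test.com": ["MRHSession=0123abcd; Path=/; Secure; HttpOnly"],
    "app2.test.com": ["MRHSession=4567efgh; Domain=test.com; Path=/; Secure; HttpOnly"],
}


def domain_matches(request_host, cookie_domain):
    """RFC 6265 section 5.1.3: the host equals the cookie domain or is a subdomain of it."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def parse_set_cookie(origin_host, header):
    """Parse one Set-Cookie header into the attributes that decide where it is sent."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))  # one cookie per Set-Cookie header
    return {
        "name": name,
        "value": morsel.value,
        "origin": origin_host,                # host that issued the cookie
        "domain": morsel["domain"] or None,   # None means host-only (RFC 6265 section 5.3)
        "path": morsel["path"] or "/",
        "secure": bool(morsel["secure"]),
    }


def cookie_sent_to(cookie, request_host, scheme="https", request_path="/"):
    """Would a browser attach this stored cookie to a request (RFC 6265 section 5.4)?"""
    if cookie["domain"] is None:
        # Host-only cookie: sent back only to the exact host that set it.
        host_ok = request_host.lower() == cookie["origin"].lower()
    else:
        host_ok = domain_matches(request_host, cookie["domain"])
    cookie_path = cookie["path"]
    # Path-match: identical, or the cookie path is a prefix ending on a "/" boundary.
    path_ok = request_path == cookie_path or request_path.startswith(cookie_path.rstrip("/") + "/")
    # The Secure attribute only withholds the cookie from plain-HTTP requests.
    secure_ok = scheme == "https" or not cookie["secure"]
    return host_ok and path_ok and secure_ok


def sso_cookie_report(responses, target_host, cookie_name="MRHSession"):
    """For each issuing host, report whether its session cookie would reach target_host."""
    report = {}
    for origin, headers in responses.items():
        for header in headers:
            cookie = parse_set_cookie(origin, header)
            if cookie["name"] == cookie_name:
                report[origin] = cookie_sent_to(cookie, target_host)
    return report


if __name__ == "__main__":
    for origin, reaches in sso_cookie_report(SAMPLE_SET_COOKIE, "app1.test.com").items():
        print(f"{origin:<18} session cookie sent to app1.test.com: {reaches}")
```

If the webtop's cookie turns out to be host-only while app2's carries Domain=test.com, the browser is behaving exactly as RFC 6265 requires and the difference lies in what each virtual server sets. With both hosts on HTTPS the Secure attribute cannot be the cause, and HttpOnly has no effect on whether a cookie is sent, only on script access to it.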

19 REPLIES

kolom
Altostratus

Your question is not that clear. Domain Cookie is used to bypass multiple login prompts for different access profiles' login pages for a user that has already been authenticated to one of the access profiles. What I am getting from your question is that SSO for app1 is not working, right?

Nolan_Jensen
Cirrostratus

Thanks for the response.

You are correct, SSO for app1 is not working when I have first authenticated to the webtop that I have configured.

Both app1 and webtop are configured to use AD authentication, and I can get SSO to work when authenticating to another virtual server, just not when authenticating to a webtop.

However, SSO from webtop to app2 works without any issues.

kolom
Altostratus

What type of SSO is used for app1? If it's form based, please post snapshots of your configuration and any HTTP proxy capture showing the authentication process of that application.

Nolan_Jensen
Cirrostratus

Maybe that is where I am doing something wrong. I am not using an SSO profile since I am only trying to take the username and password from the webtop access policy and apply those to the app1 access policy login.

Where it is throwing me off is that I can authenticate to app2 (this app has an access policy applied to it that will ask for username and password) and open a new tab and go to app1 without being prompted by the access policy for login.

However, if I go to webtop and authenticate first and try to go to app1, I will be prompted for username and password again.

kolom
Altostratus

In order to perform SSO, you need to define the login form parameters for app1 under the SSO tab in the Access Policy part. This way, after the user enters his username/password in the APM login page, APM will map this data and push it to the app1 login page as if the user entered it himself. You can assign different SSO profiles to different Portal Access resources. Is this clear to you?

Nolan_Jensen
Cirrostratus

Thank you for taking the time to help on this. I understand that, but I am only trying to SSO past the APM login page; I am not concerned with SSO to the application because the application is not integrated with Active Directory. We put APM on app1 to make sure that externally no one can access the app's login page if they go directly to app1.test.com instead of going through webtop.test.com and clicking the link, without first having an AD account.

After some further testing I discovered some new information.

From the webtop, when I click on the link to app1 it ends my session, so for all other links on the webtop I will get "Access Policy evaluation is already in progress for the current session" as it waits for login to app1.

kolom
Altostratus

Maybe I didn't get your question. You have a webtop with multiple resources (app1, app2). app1 is not a direct server; it's hosted on another virtual server on the same BIG-IP with another Access Policy, and the second login page is actually the APM login page from the second VS. Is that correct?

Nolan_Jensen
Cirrostratus

Yes, that is correct. Sorry for the confusion.

kolom
Altostratus

Try watching this video and make sure that you're following the same. If it's still not working, mostly I'll try to use an iRule to perform the same function.

Nolan_Jensen
Cirrostratus

Thanks for the video. Yes, I have domain cookie set on the WebTop access profile and the app1 access profile. Also, new to version 12, they added a profile scope to the properties page of the access profile, and I have that set to global.

The strange thing is that if I don't use the webtop and I just log in to app1, then open a link to app2, it works as it should. It also works if I log in to app2, then open a new tab to app1, so it appears it is configured correctly, just not when accessing from webtop.

kolom_265617
Cirrostratus

Without having access to the actual configuration, I'll not be able to identify the issue, but you can use iRules to insert a specific cookie in the response from the login page in the first access policy and match on the same to bypass the login page in the second access policy.

Kolom,

Would you be able to give me a sample iRule?

Thanks

Nolan, I will try to replicate that in my lab environment and will get back to you.

Thank you!

Stanislas_Piro2
Cumulonimbus

Hi,

For such a configuration, I recommend using multi-domain SSO instead of single-domain SSO.

In your configuration, you have to configure multiple policies, customization, etc., and the user is able to authenticate on multiple URLs.

With multi-domain SSO, you can configure login.test.com as the primary URL.

When the user authenticates on this URL, display a webtop with links.

When the user first requests app1.test.com, he is redirected to login.test.com to authenticate, then redirected to app1.test.com.

This mode allows setting different SSO profiles based on the host.