Technical Forum
How to get SSO information from 1 vcmp to another

AlexS_yb
Cirrocumulus

Hi

My setup: I have a cluster of 2 nodes called vcmp1.

On here I have 2 VS:

login (SAML IdP)

auth (SAML SP and an OAuth server)

I have a vcmp2 cluster and it has a VS:

test - it uses an OAuth client, so it links back to auth, and auth to login

 

What this means is people log into the login server - think username and password.

I can get the username to transfer from login -> oauth -> test using SAML and a claim for userid in the OAuth token.

But I don't want to put the password in there - even if it's encrypted (do others do this? It just seems bad).

On the test VS I need the user's password to log into a backend app that doesn't take OAuth or SAML (think Atlassian server).

 

My understanding is I can extend an APM session from 1 vCMP to another (one BIG-IP to another).

I was thinking to do a sideband call to login, filter that to only be allowed to be called by the F5s, and grab an encrypted password that way.

So:

Client calls test/uriForJira.
In an iRule, if I don't have a password, I 302 to login/getMySession.

login/getMySession returns via 302, say, test/uriForJira?MySession=<sessionid - basically MRHSession>

Then vcmp2 makes a sideband call to login/FROMVCMP2?MRHSession, which would return the password encrypted with AES 256.

 

Does that seem reasonable?

Do I do it in iRules or iRules LX (Node.js)?

Or is there another way to do this?

2 REPLIES

whisperer
Cumulonimbus

Hi

 

Sorry, not well described on my part.

So I have a cluster - A/P, a-vcmp1 & b-vcmp1.

I have those syncing.

Then I have another cluster, another A/P:

a-vcmp2 & b-vcmp2; those resync.

I wanted multidomain SSO capabilities.

So let's say the login & auth VS exist on the vcmp1 cluster

and I have the test VS on vcmp2.

I would like to have SSO capabilities of logging into login and then with those credentials logging into test.

I have that right now, but using OAuth between test and auth, and using auth as an SP and login as an IdP.

But I thought I would recheck to see if there was a way to just use MRHSession for my domain and basically get the APM session table replicated between clusters vcmp1 & vcmp2.