Forum Discussion

Nifford's avatar
Nifford
Icon for Nimbostratus rankNimbostratus
Sep 07, 2016

Is SSO from LTM+APM VS to Webtop w/Advanced Resource Assignment possible?

Hello, I am attempting to get SSO working between Access Profiles and I have hit a road block. Here is the behavior I am experiencing (as summarized by support):

 

1) Client connects to LTM+APM VS, authenticates to APM and is granted access to the Sharepoint Pool.

 

2) While the LTM+APM session is still valid, client initiates connection to a third party SP which redirects the user to BIG-IP as IdP for auth.

 

3) When Client sends request to BIG-IP as IdP, it provides the LastMRH_Session cookie that it received from the LTM+APM VS. This is because the LTM+APM VS is configured with an SSO Domain of company.com and the APM VS hostname is in that domain (portal.company.com).

 

4) Because the Session Cookie provided to the APM VS is already valid/authenticated it doesn't process through the Access Policy and as a result the user is never assigned the Webtop and SAML Resources, and then receives a connection reset.

 

You should be able to prevent the same session cookie being provided to both Virtual Servers by removing the SSO Domain in both Access Profiles.

 

While it did fix the issue, it broke SSO between VSs on the same Access Profile. I’ve thought about using a multi-domain SSO profile for the LTM+APM VS, which would resolve that issue. But I would still be unable to SSO from the LTM+APM VS to the APM VS.

 

So here is my question:

 

Is there any way to accomplish SSO between an LTM+APM VS and an APM (Webtop w/advanced resource assignment) VS? Or is my only option to switch the SAML IdP with Webtop configuration to a SAML IdP without Webtop configuration (https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/29.html)? Please let me know.

 

The primary reason why we went with a Webtop was to limit who could access which SAML resources. It appears to me that we have to choose between SSO and dynamic assignment of resources.

 

Thanks for taking the time to read this. Please let me know if you have any questions.

 

access profile
APM
application delivery
cloud
idp
saml
SSO

2 Replies

Sort By
  • Lucas_Thompson_'s avatar
    Lucas_Thompson_
    Historic F5 Account
    Sep 08, 2016

    Unfortunately APM always uses the same session cookie name.

     

    And for IdP configuration, you must run the access policy from an SP auth request.

     

    I can think of two solutions:

     

    1- you can assign the SAML SP resource to your users webtop. Then users can start it be having them click a link, and IdP will work. You can catch an authentication request in an Irule and transform it into an assertion (just redirect the user to the same URI as the resource click from the full webtop) also this way.

     

    2- use multidomain mode but exclude your IDP vip's hostname.

     

    • Nifford's avatar
      Nifford
      Icon for Nimbostratus rankNimbostratus
      Sep 09, 2016

      Thanks for your response.

       

      I just tried multidomain mode for the LTM+APM VS (NTLM AP). Unfortunately I still receive the same error message I was.

       

      When looking at my browser cookies, I see two MRHSession and two LastMRHSession cookies. One set is for sharepoint.company.com, and the other is for company.com. But in the multidomain settings, company.com isn't used. The primary Auth URI is https://sso.company.com.

       

      Any ideas why that would be happening?

       

      Thanks.