Is SSO from LTM+APM VS to Webtop w/Advanced Resource Assignment possible?
Hello, I am attempting to get SSO working between Access Profiles and I have hit a roadblock. Here is the behavior I am experiencing (as summarized by support):
1) Client connects to LTM+APM VS, authenticates to APM and is granted access to the Sharepoint Pool.
2) While the LTM+APM session is still valid, the client initiates a connection to a third-party SP, which redirects the user to BIG-IP as IdP for auth.
3) When Client sends request to BIG-IP as IdP, it provides the LastMRH_Session cookie that it received from the LTM+APM VS. This is because the LTM+APM VS is configured with an SSO Domain of company.com and the APM VS hostname is in that domain (portal.company.com).
4) Because the Session Cookie provided to the APM VS is already valid/authenticated it doesn't process through the Access Policy and as a result the user is never assigned the Webtop and SAML Resources, and then receives a connection reset.
You should be able to prevent the same session cookie being provided to both Virtual Servers by removing the SSO Domain in both Access Profiles.
While it did fix the issue, it broke SSO between VSs on the same Access Profile. I’ve thought about using a multi-domain SSO profile for the LTM+APM VS, which would resolve that issue. But I would still be unable to SSO from the LTM+APM VS to the APM VS.
So here is my question:
Is there any way to accomplish SSO between an LTM+APM VS and an APM (Webtop w/advanced resource assignment) VS? Or is my only option to switch the SAML IdP with Webtop configuration to a SAML IdP without Webtop configuration (https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/29.html)? Please let me know.
The primary reason why we went with a Webtop was to limit who could access which SAML resources. It appears to me that we have to choose between SSO and dynamic assignment of resources.
Thanks for taking the time to read this. Please let me know if you have any questions.
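The behaviour in steps 3 and 4 above comes down to browser cookie scoping: a cookie whose Domain attribute is `company.com` (the APM SSO domain) is sent to every host under that domain, so the IdP virtual server receives the session cookie minted by the LTM+APM virtual server and treats the session as already established. The following Python model is an added example, not code from the original post or from F5; it implements the RFC 6265 domain-match rule and models a virtual server that reuses any existing session it is handed. The hostnames `sharepoint.company.com` and `other.example.com`, the session ID values and the function names are assumptions for illustration; `portal.company.com`, `company.com` and `LastMRH_Session` are taken from the post.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Cookie name taken from the post; the BIG-IP APM session cookie.
SESSION_COOKIE = "LastMRH_Session"

# Assumed hostnames for the two virtual servers and an unrelated third host.
LTM_APM_HOST = "sharepoint.company.com"   # assumed: LTM+APM VS (Sharepoint pool)
IDP_HOST = "portal.company.com"           # from the post: APM VS acting as SAML IdP
OTHER_HOST = "other.example.com"          # assumed: host outside the SSO domain


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    origin_host: str            # host of the response that set the cookie
    domain: Optional[str]       # Domain attribute (APM "SSO domain"); None = host-only


def domain_matches(request_host: str, cookie: Cookie) -> bool:
    """RFC 6265 5.1.3 domain-match: does the browser send this cookie to request_host?"""
    host = request_host.lower().rstrip(".")
    if cookie.domain is None:
        # Host-only cookie: sent back only to the exact host that set it.
        return host == cookie.origin_host.lower()
    domain = cookie.domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def cookies_sent(jar: List[Cookie], request_host: str) -> Dict[str, str]:
    """Name -> value of every cookie the browser would attach to a request to request_host."""
    return {c.name: c.value for c in jar if domain_matches(request_host, c)}


def make_jar(sso_domain: Optional[str]) -> List[Cookie]:
    """Browser state after step 1: the LTM+APM VS set the session cookie.

    sso_domain is the Access Profile's SSO domain (Domain attribute on the cookie);
    None models the profile with the SSO domain removed, as support suggested.
    """
    return [Cookie(SESSION_COOKIE, "sess-ltm-apm", LTM_APM_HOST, sso_domain)]


def simulate(sso_domain: Optional[str]) -> Dict[str, bool]:
    """For each host, whether the LTM+APM session cookie reaches it (steps 2-3)."""
    jar = make_jar(sso_domain)
    return {h: SESSION_COOKIE in cookies_sent(jar, h)
            for h in (LTM_APM_HOST, IDP_HOST, OTHER_HOST)}


def apm_vs_handles(request_host: str, jar: List[Cookie], sessions: Set[str]) -> str:
    """Model of step 4: a VS handed a cookie naming a valid session reuses that
    session and skips its own access policy, so resources that only that policy
    assigns (Webtop, SAML resources) are never granted. Otherwise it runs the policy."""
    presented = cookies_sent(jar, request_host).get(SESSION_COOKIE)
    if presented in sessions:
        return "reuse-session"
    return "run-access-policy"


if __name__ == "__main__":
    valid_sessions = {"sess-ltm-apm"}     # session table populated by the LTM+APM VS in step 1
    for label, sso_domain in (("SSO domain company.com", "company.com"),
                              ("no SSO domain (host-only)", None)):
        print(label)
        for host, gets_cookie in simulate(sso_domain).items():
            print(f"  {host:24s} receives {SESSION_COOKIE}: {gets_cookie}")
        print("  IdP VS action:", apm_vs_handles(IDP_HOST, make_jar(sso_domain), valid_sessions))
```

With the SSO domain set, `portal.company.com` receives the cookie and the IdP virtual server reuses the existing session instead of running its policy, which is the Webtop-never-assigned symptom; with the SSO domain removed the cookie is host-only, the IdP VS runs its policy, and, as the post notes, the cookie no longer reaches any other virtual server on the same profile either. The model only covers the Domain attribute; Path, Secure and expiry are ignored because they do not affect the case described.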