Forum Discussion

Letendart
Dec 14, 2021

two VS, one APM and check AD group membership

Hello,

I can't manage to fulfil this request for one web application (WordPress / SharePoint):

  • two VS: one for WordPress, the other for SharePoint
  • one APM for the two VS, so that users are not prompted for credentials while switching from one VS to the other (WordPress / SharePoint)
  • need to check the user's AD group membership for access to WordPress (vs1) or SharePoint (vs2)
  • the problem is that if a user may access vs2, as soon as he goes back to vs1 the APM allows the traffic (the allow is GLOBAL to the two VS ...)

How can this be done???

I tried two separate APMs, but the user is prompted when going from one VS to the other ...

Thanks for your help, and have a good end of the day.

Regards, Patrick

4 Replies

  • You can create 2 APM policies and use the SSO domain cookie. This will avoid authentication if a user from app1 goes to app2 in the same session or in a different tab of the same browser.

    Under domain cookie, type your site domain, e.g. example.com

  • Hi Sanjay

    thank you for your help

    That's OK for the authentication between the two VS; I managed to do it using one single APM policy, and you're right that the SSO domain cookie avoids the user being prompted.

    The problem I can't fix is this one:

    for one specific URL on one of the two VS, if the user isn't a member of a specific AD group, I must reject the request, but it has already been accepted by the APM ...

    have a nice day

    Regards, Patrick

  • Okay, got it. Yes, once a user is already authenticated by APM, it won't evaluate the APM policy for any other URL inside the application with the default APM policy. You would need to use something like a per-request APM policy or step-up authentication to re-evaluate for that one URL. You can also try an iRule to remove the APM session (ACCESS::session remove) and then re-evaluate.

    To be honest, I haven't done this personally, but the following docs can provide some guidance.

    https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-implementations-12-1-0/8.html

    https://devcentral.f5.com/s/articles/apm-full-step-up-authentication-903

  • I will have a look at such a solution, yes.

    I will post my findings.

    Thank you again, Sanjay.
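As an added example that was not posted in this thread: the iRule below applies the third reply's suggestion of checking AD group membership for one URL on a virtual server, but rejects only that request instead of removing the whole APM session, so the SSO domain cookie keeps working for the other VS. It assumes the shared access policy runs an AD Query agent so that session.ad.last.attr.memberOf is populated; the path /admin and the group CN sharepoint-users are placeholders, not values from the thread.

```tcl
# Added example (not from the thread): enforce AD group membership for one URI
# on an APM-protected virtual server without tearing down the session.
# Assumptions: the access policy contains an AD Query agent that populates
# session.ad.last.attr.memberOf; /admin and CN=sharepoint-users are placeholders.
when HTTP_REQUEST {
    # Only the protected path gets the extra check; the rest of the application
    # stays governed by the shared access policy.
    if { [string tolower [HTTP::path]] starts_with "/admin" } {

        # Without an established APM session there is nothing to evaluate yet;
        # let APM send the user to the logon page as it normally would.
        if { ![ACCESS::session exists] } {
            return
        }

        # memberOf is stored as a pipe-separated list of group DNs, e.g.
        # "| CN=sharepoint-users,OU=Groups,DC=example,DC=com | CN=..."
        set groups [string tolower [ACCESS::session data get "session.ad.last.attr.memberOf"]]

        # The trailing comma anchors the match to the full CN, so a group such as
        # "sharepoint-users-readonly" does not satisfy the check by prefix.
        if { !($groups contains "cn=sharepoint-users,") } {
            log local0. "Denied [HTTP::path] for APM session [ACCESS::session sid]: not in required AD group"
            # Reject this request only; the session and SSO cookie survive, so the
            # user is not re-prompted when going back to the other virtual server.
            HTTP::respond 403 content "This resource requires membership of the required AD group." "Content-Type" "text/plain"
            return
        }
    }
}
```

Attach the iRule only to the VS that hosts the restricted URL. Matching on the lower-cased group list avoids case mismatches in DNs returned by AD, and the explicit log line gives the SOC a record of every denied request without exposing the group list to the client.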