Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

two VS, one APM and check AD group membership

Letendart
Nimbostratus
Nimbostratus

‎14-Dec-2021 06:28

Bonjour,

I can't manage to fix this request about one web application (wordpress / sharepoint) :

  • two VS : one for wordpress, the other for sharepoint
  • one APM for the two VS in order to avoid users to be prompted for crendentials while switching from one VS to the other (wordpress / sharepoint)
  • need to check user AD group membership for the access to wordpress (vs1) or sharepoint (vs2)
  • pb is if user may access to vs2, as soon as he go back to vs1, the APM allow the traffic (allow is GLOBAL to the two VS ...)

 

How to do ???

I tried two separate APM but user is prompted when going from one vs to the other ...

merci pour votre aide et bonne fin de journée

cdlt, Patrick

Labels:
0 Kudos
4 REPLIES 4

SanjayP
MVP
MVP

‎15-Dec-2021 02:47

You can create 2 APM policies and use SSO domain cookie. This will avoid authentication if user from app1 goes to app2 in same session or diffrent tab of same browser.

 

under domain cookie, type your site domain. e.g. example.com

 

0691T00000F87T6QAJ.jpg 

0 Kudos

Letendart
Nimbostratus
Nimbostratus

‎15-Dec-2021 03:09

Hi Sanjay

thank you for your help

that's ok for the authentication between the two VS, I managed to do it using one single APM policy and you're true the SSO domain cookie avoid user to be prompted

problem I can't fix is this one :

for one specific url on one of the two VS , and if user isn't member of a specific AD group,, I must reject the request but it has already been accepted by the APM ...

have a nice day

regards, Patrick

0 Kudos

SanjayP
MVP
MVP

‎15-Dec-2021 03:27

Okay. got it. yes, once user is already authenticated by APM, it won't evaluate APM policy for any other URL inside the application with default apm policy. You would need to use something like per request apm policy or step up authentication to re-evaluate for that one URL. You can also try with iRule to remove APM session ACCESS::session remove and then re-evulate.

 

to be honest, I haven't done this personally but following doc can provide some guidanace.

 

https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-implementations-12-1-0/8.html

https://devcentral.f5.com/s/articles/apm-full-step-up-authentication-903

0 Kudos

Letendart
Nimbostratus
Nimbostratus

‎15-Dec-2021 03:29

will have a look at a such solution yes

will post my finding

thank you again Sanjay

0 Kudos
Copyright © 2023 Khoros, LLC