two VS, one APM and check AD group membership

Letendart
Nimbostratus

Hello,

I can't manage to solve this request about one web application (WordPress / SharePoint):

  • two VS: one for WordPress, the other for SharePoint
  • one APM for the two VS, in order to avoid users being prompted for credentials while switching from one VS to the other (WordPress / SharePoint)
  • need to check user AD group membership for access to WordPress (vs1) or SharePoint (vs2)
  • the problem is that if a user may access vs2, as soon as he goes back to vs1, the APM allows the traffic (the allow is GLOBAL to the two VS ...)


How to do it???

I tried two separate APMs, but the user is prompted when going from one VS to the other ...

Thanks for your help and have a good rest of the day

Regards, Patrick


SanjayP
MVP

You can create 2 APM policies and use an SSO domain cookie. This will avoid authentication if a user from app1 goes to app2 in the same session or in a different tab of the same browser.


Under domain cookie, type your site domain, e.g. example.com


Letendart
Nimbostratus

Hi Sanjay

thank you for your help

that's OK for the authentication between the two VS; I managed to do it using one single APM policy, and you're right, the SSO domain cookie avoids the user being prompted

the problem I can't fix is this one:

for one specific URL on one of the two VS, if the user isn't a member of a specific AD group, I must reject the request, but it has already been accepted by the APM ...

have a nice day

regards, Patrick

SanjayP
MVP

Okay, got it. Yes, once the user is already authenticated by APM, it won't evaluate the APM policy for any other URL inside the application with the default APM policy. You would need to use something like a per-request APM policy or step-up authentication to re-evaluate for that one URL. You can also try with an iRule to remove the APM session (ACCESS::session remove) and then re-evaluate.


To be honest, I haven't done this personally, but the following docs can provide some guidance.


https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-implementations-12-1-0/8.html

https://devcentral.f5.com/s/articles/apm-full-step-up-authentication-903
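One iRule-based way to do the per-URL group check discussed above, added here as an illustration and not code from the thread or from F5. It assumes the shared access policy runs an AD Query agent that populates session.ad.last.attr.memberOf, and the protected path and group DN are placeholders to replace with your own.

```tcl
# Added example (not from the thread): on the virtual server that hosts the
# restricted URL, re-check AD group membership for that one path even though
# the shared APM policy has already allowed the session.
# Placeholders: /restricted/ and the group DN are assumed values.
when HTTP_REQUEST {
    set protected_path "/restricted/"
    set required_group "CN=SharePoint-Users,OU=Groups,DC=example,DC=com"

    # Only the protected path gets the extra check; all other URLs keep
    # the decision already made by the access policy.
    if { [string tolower [HTTP::path]] starts_with $protected_path } {

        # No APM session yet: let APM redirect the user to the logon page.
        if { ![ACCESS::session exists] } {
            return
        }

        # memberOf as stored by the AD Query agent (DNs separated by " | ").
        set groups [string tolower [ACCESS::session data get "session.ad.last.attr.memberOf"]]

        if { [string first [string tolower $required_group] $groups] == -1 } {
            set user [ACCESS::session data get "session.logon.last.username"]
            log local0. "APM group check: denied $user for [HTTP::path] (not in $required_group)"
            # Reject this request only; the APM session itself stays valid
            # so the user is not re-prompted on the other VS.
            HTTP::respond 403 content "Forbidden" noserver "Connection" "close"
            return
        }
    }
}
```

Because the session is left intact, the user still moves between the WordPress and SharePoint VS without a new logon; only the restricted path on vs2 is refused.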

Letendart
Nimbostratus

I will have a look at such a solution, yes

I will post my findings

thank you again Sanjay