
Webpage not Webtop with SSO

The-messenger_1
Nimbostratus

I have a webtop working for users to connect to various virtual servers: OWA, Citrix, SharePoint, RDP. Management doesn't like the looks of this at all and had one of our developers create a webpage with links to OWA, Citrix, SharePoint.

SSO works fine on my webtop, but I need to configure SSO in the APM policy for the Dev webpage. I've looked at multidomain SSO but I'm not following.

Can I, how can I, configure SSO for an APM policy on a VS hosting a single webpage with links?


Lee_Sutcliffe
Nacreous

How are you landing at the webtop replacement webpage?

The problem you have is that with a webtop, the SSO configuration is assigned to the portal resource. When you provide links in a custom (non-APM) webtop, you lose the ability to apply an SSO profile.

I'm not even sure this would be possible, as the developer-produced webpage doesn't have the intelligence to populate the relevant fields. Someone on here may correct me.

Did your manager not like the webtop from an aesthetic point of view? It's possible to significantly customise the webtop if this is the case and retain functionality.

The-messenger
Cirrus

Reading this https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-sso-config-11-2-0/5.html

And I've seen a video on the same; I thought I could build a policy to access any VS behind APM.

Can this be done with hosted content, instead of a web page on a VS?

Lee_Sutcliffe
Nacreous

No, I don't believe so. APM will have no knowledge of each resource behind an externally hosted link.

The whole point of having SSO on a per-portal resource basis is that each resource can have different SSO requirements: HTTP Basic, SAML, Kerberos, etc. Once you've left APM and arrived on a third-party page, there is no way to pass SSO credentials to each resource linked on that page.

Lee_Sutcliffe
Nacreous

...Unless each VIP is configured as a web application with its own access policy and the external page references the URL of the VIP; this may work, but in doing so you may trigger a new session for each VIP, so SSO may not work in this instance.

The-messenger
Cirrus

Thanks Mr. Plastic. I found the answer here; I had the Profile Scope set to "Profile". To allow SSO to bridge Profiles I need this set to Global.

It would be nice to have something between global and profile, maybe "group", and then you need to configure each access policy to be part of that group.

The-messenger
Cirrus

To enable SSO on multiple VS you either need them to all use the same access policy or configure each access policy with the Global scope.