I have a webtop working for users to connect to various virtual servers, OWA, Citrix, Sharepoint, RDP. Management doesn't like the looks of this at all and had one of our developers create a webpage with links to OWA, Citrix, Sharepoint.
SSO works fine on my webtop but I need to configure SSO in the APM policy for the Dev webpage. I've looked at multidomain SSO but I'm not following.
Can I, and how can I, configure SSO for an APM policy on a VS hosting a single webpage with links?
How are you landing at the webtop replacement webpage?
The problem you have is that with a webtop, the SSO configuration is assigned to the portal resource. When you provide links in a custom (non-APM) webtop, you lose the ability to apply an SSO profile.
I'm not even sure this would be possible as the developer-produced webpage doesn't have the intelligence to populate the relevant fields. Someone on here may correct me.
Did your manager not like the webtop from an aesthetic point of view? It's possible to significantly customise the webtop if this is the case and retain functionality.
And I've seen a video on the same. I thought I could build a policy to access any VS behind APM.
Can this be done with hosted content, instead of a web page on a VS?
No, I don't believe so. APM will have no knowledge of each resource behind an externally hosted link.
The whole point of having SSO on a per-portal resource basis is that each resource can have different SSO requirements: HTTP Basic, SAML, Kerberos, etc. Once you've left APM and arrived on a third-party page, there is no way to pass SSO credentials to each resource linked on that page.
...Unless each VIP is configured as a web application with its own access policy and the external page references the URL of the VIP. This may work, but in doing so you may trigger a new session for each VIP, so SSO may not work in this instance.
Thanks, Mr. Plastic. I found the answer here. I had the Profile Scope set to "Profile". To allow SSO to bridge profiles, I need this set to Global.
It would be nice to have something between global and profile, maybe "group" and then you need to configure each access policy to be part of that group.