apm sso
24 Topics

Kerberos SSO to IIS Web Application
We are trying to implement a clientless solution in which a user who is part of the domain, and accessing a web application from a machine in the same domain, would automatically be authenticated without user intervention. I know there are lots of articles out there and I have read some tremendous write-ups on how this all works from Kevin Stewart, and we believe we have most of the framework in place. What is happening, it seems, is that a 401 authentication dialog is appearing to the user instead of the client requesting a Kerberos ticket from AD and presenting it to the F5 APM to decrypt and process with the installed keytab file. Specifically, this is what I have for configuration:

Web site: This hostname is represented in DNS and can be resolved both forward/reverse.

Client side accounts:
bill@synacktek.local - my AD domain account logged into a domain machine for testing.
HTTP/sso-test.synacktek.local - account used for keytab file creation, imported to the F5; do I need to set Kerberos delegation for this?

SSO side account:
HOST/kerberos-server.synacktek.local - SSO account for Kerberos. Performed setspn and assigned delegation in AD for this to access web service WINDNS1 (this is where the web server is located).

F5 SSO configuration which uses this account:

APM Policy: Has 401 configured for negotiate, with a branch feeding Kerberos authentication (client side?). After this I have a couple of message boxes; the Kerberos OK branch feeds a variable assign to help populate the SSO side of the proxy configuration.

When connecting to the web URL I always get prompted with the 401 authentication. I am certainly missing something here but do not know what it is. Appreciate any help! Thx Bill

Ignore domain cookie for specific sub domains?
Hello All, I am trying to figure out a way to exclude domain cookie SSO for a list of specific sub domains but still allow domain cookie to work on a few others.

Current configuration: We are a single domain and are using a wildcard cert for SSL to all related sites. I currently use an access profile per virtual server as I like to keep them separate to keep the configuration as linear as possible. I have 3 access policies that I use the domain cookie for SSO, all of which are working the way I want. We are running 13.1.07.

Issue: If I go to one of the sites (that I have domain cookie enabled) then in another tab try to go to a site that is in the same domain but not using domain cookie, it will fail to run the access policy associated with that site. I will then get an error "your session could not be established, invalid session ID". I know this is because it is trying to use the domain cookie and the access policy that is tied to that virtual server is not configured for domain cookie and global scope.

Example:
site.domain.com (domain cookie enabled)
site1.domain.com (domain cookie enabled)
site2.domain.com (don't want to use domain cookie)

I have a list of about 8 other sub domains in the same domain that I want to exclude from using domain cookie but retain it for site and site1.

What I have tried: In my research people say to use multiple domain SSO config, which allows me to add a host cookie and allows me to access site2 when going to site, but it then breaks domain cookie SSO, so not sure how to do both. I also read that you should use one access policy, but that seems over complex and too many variables when troubleshooting to have all branches in one large access policy. I have tried a few iRules but they seem to be very inconsistent and cause the browser to hang, so not sure the ones I found are working for me. Thank you for any help you can provide.
when HTTP_REQUEST {
    # Catch requests that carry an APM cookie for a session that is still in progress
    # (or whose policy never started) and are not the policy URI itself.
    if { [HTTP::cookie exists "MRHSession"] && ([ACCESS::session exists -state_inprogress] || [ACCESS::session data get "session.policy.result"] == "not_started") && ![string equal [HTTP::uri] "/my.policy"] } {
        # $static::ACCESS_LOG_PREFIX must be defined elsewhere (e.g. in RULE_INIT)
        log -noname accesscontrol.local1.err "$static::ACCESS_LOG_PREFIX [IP::remote_addr] access [HTTP::uri] with in_progress session, redirecting to logout URI"
        HTTP::close
        # here you can do whatever you want; the easiest option is to simply 302 the user to the logout URI to delete the APM cookie and start over
        HTTP::respond 302 Location "/my.logout.php3"
    }
}

RegEx on Landing URI
Hi Everybody, I would appreciate your help with a problem I have on F5 APM. My customers connect to their appliance through an SSO portal with a SAML server. My problem is: when a customer shares a URL with another, for example https://myurl.com/AaBbCcDdEeFfGgHhIiJj, when they click on it they face an F5 error page, despite already being logged in via SSO. The solution is to add the exact URL in the VPE. This way, the customer accesses the page directly. You can guess it is very hard to maintain every URL in the F5 to avoid this problem. I am looking for a solution to add a landing URI like this: "https://myurl.com/*". But this solution doesn't work. If you have any idea, don't hesitate. I hope you will understand the description of my problem. Sorry for the English.

Sending specific active directory groups as SAML attributes
This is a two-part question. We are building out SSO with a new Service Provider (SP). The SP is looking for specific Active Directory group(s) that they will use to determine the user's role. The attribute we are passing is named "RoleName" and the value is %{session.ldap.last.attr.memberOf}. Is there a way we can send just the groups they need instead of sending all groups the user is a member of? How can everything after the first CN be stripped off? For example, if memberOf returns CN=abc group,CN=Users,DC=company,DC=com and you want to return just "abc group". We are running F5 BIG-IP LTM and APM version 12.1.2.

SSO HTTP Forms with variable URI
Hello, I have an application which does not do SSO SAML and I would like to be able to set up SSO HTTP Forms. However, my URI is variable.

POST /idp/4NnB0_xVb0A/resumeSAML20/idp/SSO.ping HTTP/1.1

apm sso form-based /Common/LMT_test_auth {
    form-action "/resumeSAML20/idp/SSO.ping HTTP/1.1"
    form-field " "
    form-password password
    form-username username
    start-uri /resumeSAML20/idp/SSO.ping
}

How do you do this? Thanks for the help.

APM SSO session disables after one use
I created a Webtop with 2 portal access resources. Each portal access resource has an SSO forms resource associated with it. When I log on and click on either of the portal access links, I'm successfully authenticated. In the same session when I click on the other portal link I'm not authenticated but presented with the logon page. In the APM logs I noticed that after I click on a portal resource, I get the following message: "SSO disabled for this session". So how do I keep the SSO session open so I can log into several portal resources after authenticating once to the Webtop? Note: I'm using this to learn how different SSO resources work. I'm also confused how someone would use SSO resources configured on the Webtop itself as opposed to individual portal access, since each portal access would have its own unique hidden fields.

Hot-Hot Datacenters with DNS LTM APM SSO
We are getting ready to undertake a major change to our Application Delivery architecture to help improve our DR positioning. Right now we have an HA pair of BIG-IP units running LTM and controlling access to web resources with APM using various WEBSSO methods. We are going to be adding a pair of BIG-IP DNS nodes, one in each of our data centers, as well as another LTM/APM node in our DR data center. We intend to have the LTM/APM pair in our primary site still in an HA failover pair, but the LTM/APM node in our DR site independent. One of the DR goals from leadership is to actually have applications that support it run in a hot-hot configuration, where traffic would be load-balanced (via BIG-IP DNS) between the main and DR sites. One question I've been unable to pin down is how that will play with our use of APM. Is there a way to have APM sessions sync between the main site and DR site without the rest of the configuration syncing?

APM: SAML-SP Reverse Proxy
Hi all, Is it possible to use the APM as a SAML-SP Reverse Proxy as described here: Single Sign-on to Web Applications Using the Reverse Proxy? For security reasons the customer doesn't want to give full access to the App where the SAML-SP is located; he asked for the feature above to have some sort of a SAML-SP Reverse Proxy in front of the App. As an alternative it would be an idea to have an ASM in front of the SAML-SP App which protects the Backend-App. Has anyone done this already and is maybe able to share some config help? Thank you for any information...

SAML SSO - IDP INITIATED CONNECTION DETAILS
Hi Experts, I have a simple query. I am building an IDP initiated SSO for a cloud service. In the IDP entity ID, I configure this: https://idp-xxx.com. Do I need to add /saml/idp/profile/redirectorpost/sso also in the IDP entity ID for an IDP initiated connection? For example: https://idp-xxx.com/saml/idp/profile/redirectorpost/sso. I am building an IDP initiated connection. Thanks in advance.