Ignore domain cookie for specific sub domains?
Hello All, I am trying to figure out a way to exclude domain cookie SSO for a list of specific sub domains but still allow domain cookie to work on a few others. Current configuration We are a single domain and are using a wildcard cert for SSL to all related sites. I currently use an access profile per virtual server as I like to keep them separate to keep the configuration as linier as possible. I have 3 access policies that I use the domain cookie for SSO all of which are working the way I want. we are running 13.1.07 Issue: If I go to one of the sites (that I have domain cookie enabled) then in another tab try to go to a site that is in the same domain but not using domain cookie, it will fail to run the access policy associated with that site. I will then get an error your session could not be established invalid session ID. I know this is because it is trying to use the domain cookie and the access policy that is tied to that virtual server is not configured for domain cookie and global scope. example: site.domain.com (domain cookie enabled) site1.domain.com (domain cookie enabled) site2.domain.com (don't want to use domain cookie) I have a list of about 8 other sub domains in the same domain that I want to exclude from using domain cookie but retain it for site and site1. What I have tried In my research people say to use multiple domain SSO config which allows me to add a host cookie and allows me to access site2 when going to site but it then breaks domain cookie SSO so not sure how to do both. I also read that you should use one access policy but that seems over complex and to many variables when troubleshooting to have all branches in one large access policy. I have tried a few irules but they seem to be very inconsistent and causing browser to hang so not sure the ones I found are working for me. Thank you for any help you can provide. when HTTP_REQUEST { if { [HTTP::cookie exists "MRHSession"] && ([ACCESS::session exists -state_inprogress] || [ACCESS::session data get "session.policy.result"] == "not_started" ) && ! [string equal "[HTTP::uri]" "/my.policy"] } { log -noname accesscontrol.local1.err "$static::ACCESS_LOG_PREFIX [IP::remote_addr] access [HTTP::uri] with in_progress session, redirecting to logout URI" HTTP::close here you can do whatever you want, easiest option is to simply 302 user to logout URI to delete apm cookie and start over HTTP::respond 302 Location "/my.logout.php3" } }APM Session deleted when following link Webtop Link to Application URI
Hi all, I have three virtuals: web1.mydomain.com web2.mydomain.com webtop.mydomain.com and each virtual has a separate APM Profile (Type: All, Scope: Global, Domain Cookie: mydomain.com, Login Page + AD Auth). The webtop has two Webtop Links (Type: Application URI) for web1 and web2 When I login to web1, I can switch to web2, no further auth is required. No matter if I open web2 in the same tab or in a different tab. This also works the other way round, authenticating first to web2 and then opening web1. But when I login to web1 and next I open webtop.mydomain.com, my session is deleted and I have to authenticate again to both (web1 and webtop). Also when I login to webtop and I click on the links to web1 or web2 the same happens. My access session for webtop is deleted and I have to login to webtop and web1/web2. I traced it so far, that the browser is sending the correct cookie to https://web1.mydomain.com/. But when it redirects to /my.policy the session is deleted. Is this the expected behaviour when mixing webtop and webtop links scenarios? Or am I hitting a bug? BIG-IP Version is 15.1.2.1 Thanks in advance & KR DanielDomain Cookie SSO
Hello All, I am trying to figure out why sso using a domain cookie is not working for just one of my applications. I am running 12.1.2 and have domain cookie working for other applications so not sure why this one is not cooperating. Current configuration I have a webtop (webtop.test.com) with application that is not allowing SSO at the moment (app1.test.com) Webtop.test.com Access policy that uses Logon page > AD Auth > SSO Credential Mapping > Advanced Resource assign Advanced resource assign has portal access, few SAML, webtop, and webtop links Access Policy is set to Global for Profile Scope SSO/Auth Domains has domain cookie test.com and Secure flag checked app1.test.com textapp1.test.com is a virtual server on the BIGIP access policy Logon page > AD Auth > SSO Credential Mapping Access Policy is set to Global for Profile Scope SSO/Auth Domains has domain cookie test.com and Secure flag checked Issue When I login to the webtop and click on the link to app1 I am getting prompted to login again via the app1 access policy login page. Troubleshooting I can see using sso tracer that the cookie that is created when logging in to webtop is not being used by app1 because it creates a new LastMRH Session id. I have tried to add persistent to sso/Auth domains I have another app app2 that is configured the same way but this one works as I would expect. If I login directly to app2 then open a new tab and go to app1 domain cookie is working as I am not prompted to login again. I have enabled debug on webtop and app1 but the apm log doesn't show anything useful for app1 since it doesn't login. I have tested on Chrome, Firefox, Edge and IE11 all have same issue for sso to app1 from webtop. Any ideas would be greatly appreciated. Thanks
APM SSO Domain Cookie Issue
Hi all, I am running into the issue with SSO domain cookie. Let's say we have several sites which all use SSO for single domain mycompany.com So, single sign on works fine between the sites which it's configured for: site1.mycompany.com, site2.mycompany.com and site3.mycompany.com. However, in the same domain we also have number of applications, for example mysite.mycompany.com which sit behind APM. When user is logged in to site1.mycompany.com and tries to access mysite.mycompany.com in new browser tab, he or she gets presented with error message informing that "Your session can not be established." Session reference number corresponding content of LastMRH_Session cookie is also displayed. So it seems like some session cookie clash resulting in broken session. Has anyone been able to find a work around it? Unfortunately, using different domains is not an option for me. Thanks
