Ignore domain cookie for specific sub domains?
Hello All, I am trying to figure out a way to exclude domain cookie SSO for a list of specific sub domains but still allow domain cookie to work on a few others. Current configuration We are a single domain and are using a wildcard cert for SSL to all related sites. I currently use an access profile per virtual server as I like to keep them separate to keep the configuration as linier as possible. I have 3 access policies that I use the domain cookie for SSO all of which are working the way I want. we are running 13.1.07 Issue: If I go to one of the sites (that I have domain cookie enabled) then in another tab try to go to a site that is in the same domain but not using domain cookie, it will fail to run the access policy associated with that site. I will then get an error your session could not be established invalid session ID. I know this is because it is trying to use the domain cookie and the access policy that is tied to that virtual server is not configured for domain cookie and global scope. example: site.domain.com (domain cookie enabled) site1.domain.com (domain cookie enabled) site2.domain.com (don't want to use domain cookie) I have a list of about 8 other sub domains in the same domain that I want to exclude from using domain cookie but retain it for site and site1. What I have tried In my research people say to use multiple domain SSO config which allows me to add a host cookie and allows me to access site2 when going to site but it then breaks domain cookie SSO so not sure how to do both. I also read that you should use one access policy but that seems over complex and to many variables when troubleshooting to have all branches in one large access policy. I have tried a few irules but they seem to be very inconsistent and causing browser to hang so not sure the ones I found are working for me. Thank you for any help you can provide. when HTTP_REQUEST { if { [HTTP::cookie exists "MRHSession"] && ([ACCESS::session exists -state_inprogress] || [ACCESS::session data get "session.policy.result"] == "not_started" ) && ! [string equal "[HTTP::uri]" "/my.policy"] } { log -noname accesscontrol.local1.err "$static::ACCESS_LOG_PREFIX [IP::remote_addr] access [HTTP::uri] with in_progress session, redirecting to logout URI" HTTP::close here you can do whatever you want, easiest option is to simply 302 user to logout URI to delete apm cookie and start over HTTP::respond 302 Location "/my.logout.php3" } }Multiple Domain Authentication SSO Doesn't work with Domain Cookie
Hello. I have an implementation where we have three virtual servers on one Big IP VE. The first virtual server is webtop.domain.com where the user first authenticates to and is presented with webtop links to the second virtual servers, app1.domain.com and app2.domain.com. Each virtual server has the same APM Profile attached, with a Global scope and Mutliple Domain Auth. Previously, I had each virtual server using the public IPs as the hostname. IE, users would go to 1.1.1.1 for webtop, 2.2.2.2 for app1, and 3.3.3.3 for app2. I had assigned a Cookie for each hostname and the SSO worked flawlessly. After navigating to the webtop and clicking the webtop links, the user would be sent to the applications without having to go through the APM access policy again. Now, I have the actual domain names registered with DNS. I have tried using Single Domain and Multiple Domain with the domain.com cookie set. Each time the user clicks the webtop link, they get sent back to the Access Policy of webtop.domain.com. Even when I put the Cookie for each hostname (webtop.domain.com, app1.domain.com, and app2.domain.com) in the SSO/Auth settings, I get the same result. How can I prevent the users from being prompted to reauthenticate and share the session variables across Virtual Servers using the same domain name, like I was successfully doing for the public IPs of the Virtual Servers? Thank you!