From time to time I receive requests on how to make APM authenticate against multiple domains. These organizations require unique domains for various user roles such as contractor versus employee or student versus faculty. There are several ways to achieve this depending upon the required user interaction - manual versus automated.

In this series we will work through a few ways APM can help you achieve this requirement:

  • Domain drop down menu on the logon page
  • Home realm discovery / where are you from
  • Domain lookup
  • End-point inspection (certificate / registry settings)

Domain Drop Down Menu

For part 1 we’ll take a look at placing a domain drop down list on the APM logon page. This topic has previously been covered by Jason Rahm on DevCentral but required advanced APM knowledge and heavy modifications of underlying code. In BIG-IP TMOS version 11.5 additional login page input types were added: select and checkbox.

Multidomain 1


With the addition of these new input types F5 has significantly reduced the complexity of implementing this solution.

In this example I assume you already have an APM Access Policy created and we will modify it to add the domain drop down feature.

Logon Page Modification

  1. Open the APM Visual Policy Editor for your access policy.
  2. In the Logon Page action, make the following modifications to Logon Page Input Field #3:
     Type: select
     Post Variable Name: domain
     Session Variable Name: domain
     Values: in the pop-up window add values for Contractor and Employee (see image below)
     Logon Page Input Field #3: Domain
  3. Click Save.

Multidomain 1b

Multidomain 2

Domain Decision Box

Now that we’ve customized the Logon Page we need to add logic to our Visual Policy Editor to choose the correct domain based upon which domain was selected.

  1. Add an empty action to the VPE after the Logon Page

Multidomain 3

  2. Name the empty action Check Domain
  3. Click the Branch Rules tab
  4. Click the Add Branch Rule button
  5. Name the new rule Contractor
  6. Click the change link next to Expression: Empty

Multidomain 5


  7. Click the Advanced tab
  8. Enter the following Tcl expression (use straight double quotes; the comparison is an exact, case-sensitive string match against the value posted from the drop down):

expr { [mcget {session.logon.last.domain}] eq "Contractor" }

Multidomain 6


  9. Click Finished
  10. Click Save
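The following Tcl script is an added example, not code from the original post or from F5, that mimics how the Check Domain box walks its branch rules. The session dict, the stub mcget command and the check_domain proc are constructed stand-ins; on the BIG-IP, mcget is provided by APM and reads the real session variable. The Contractor expression is the one from the steps above; the Employee rule and the fallback are added to show the complete decision.

```tcl
# Added example (not F5 code): simulate an APM "Check Domain" empty action
# evaluating its branch rules against session.logon.last.domain.

# Constructed session store. APM copies the "domain" POST variable from the
# Logon Page select input into session.logon.last.domain.
set session [dict create session.logon.last.domain "Contractor"]

# Stand-in for the APM mcget command: returns the session variable value,
# or an empty string when the variable is not set.
proc mcget {name} {
    global session
    if {[dict exists $session $name]} {
        return [dict get $session $name]
    }
    return ""
}

# Branch rules in VPE order. The first rule whose expression is true wins;
# if none match, the fallback branch is taken.
set branch_rules {
    Contractor { expr { [mcget {session.logon.last.domain}] eq "Contractor" } }
    Employee   { expr { [mcget {session.logon.last.domain}] eq "Employee" } }
}

# Evaluate the rules the way the decision box does and return the branch name.
proc check_domain {} {
    global branch_rules
    foreach {name rule} $branch_rules {
        if {[eval $rule]} {
            return $name
        }
    }
    return fallback
}

# Constructed inputs: the two values the drop down offers, plus values a
# browser could post that are not in the drop down list.
foreach value {Contractor Employee contractor Guest ""} {
    dict set session session.logon.last.domain $value
    puts [format "%-12s -> %s" [list $value] [check_domain]]
}
```

Run it with tclsh. Only the two exact strings configured in the drop down reach the Contractor or Employee branches; a lower-case "contractor", an unknown value, or an empty string all land on the fallback branch, which is why the fallback should end in Deny rather than in an authentication action. Because the domain value is posted by the browser, this exact-match allow list in the branch rules is what keeps a client from steering the policy into a domain it did not offer.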

Final VPE Configuration

With the Logon Page customized and the Check Domain decision box complete, you can now add multiple AD Authentication actions (or any other authentication types) to your Visual Policy Editor, one per branch. The image below provides an example of a completed VPE.

Multidomain 7

End Results

The final result will provide a Domain drop down box on the APM logon page allowing users to select which domain they belong to. Pretty easy!

In the next post we’ll add additional logic to select the correct domain without requiring the drop down box.

Multidomain 8