SSO

Question

I am.beginner with APMI could see same access profile is mapped to 2 different VS.1.my understanding is they have mapped same access profile to make sso work between virtual servers..is that right?&nbsp;2.when sso has been generated in first vs it will be passed to user browser right?and when the same user access the 2nd VS how does the second vs validate credentials?&nbsp;&nbsp;&nbsp;&nbsp;

keesvandenbos · Accepted Answer

Read this article for more clarification: https://my.f5.com/manage/s/article/K15387
Search for "Session cookie design"

keesvandenbos · Answer

Hi beginner 😉,

Yes. Attaching the same APM policy to two virtual servers will result in SSO. So user is logged-in to VS 1 will result in SSO to the second.
It doesn't validate credentials, F5 is using an APM session cookie for this. Since the user has this cookie and an active session the second virtual server doesn't need valid credentials.

There are 3 options for this when you create a new policy/profile.
From the&nbsp;Profile Scope&nbsp;list, retain the default value or select another.

Profile: Gives a user access only to resources that are behind the same access profile. This is the default value.
Virtual Server: Gives a user access only to resources that are behind the same virtual server.
Global: Gives a user access to resources behind any access profile that has global scope.

keesvandenbos · Answer

The second VS will validate the cookie against the APM session table.It is a session cookie, it doesn't have a timeout value.
Session cookies expire once you log off or close the browser. They are only stored temporarily and are destroyed after leaving the page. They are also known as&nbsp;transient cookies,&nbsp;non-persistent cookies,&nbsp;or&nbsp;temporary cookies.
If you have to log in to a website every time you open your browser and visit it, then it is using a session cookie to store your login credentials. This is unlike a&nbsp;persistent cookie, which contains an expiration date.

sv2022 · Answer

"Since the user has this cookie and an active session the second virtual server doesn't need valid credentials."

Does that mean the cookie generated with first VS will be sent again to second VS and there wont be any validation. In that case anyone can insert a cookie to second VS right and get access to the servers right ?

sv2022 · Answer

thanks got clarified.So when the second VS receives the connection with same cookie f5 will validate this cookie with APM session cookies right ?so the timeout value will be reset now by second VS?

sv2022 · Answer

1.so the cookie will be same for both VS.where can i find that specific cookie in APM that has been used between these VS?

2.when i open active sessions in APM and when i click the + sign i could see "No subsessions " what does that mean.

Forum Discussion

SSO

9 Replies

Recent Discussions

Disk space full - what files, folders are safe to delete?

ASM instance creation

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

Related Content

Enhanced Modern Applications and MicroServices SSO with NGINX

Secure Modern Applications and MicroServices SSO with NGINX

WebEX SSO integration

Difference between SSO under access policy and SSO in VPE

APM Cookbook: Single Sign On (SSO) using Kerberos