SSO between multiple domains and VS

Hi,

We want to deploy these VS:

  • owa.company.org
  • support.company.org
  • intranet.company.org

Each one has a specific APM since they were all generated by iApps. We would like an authentication to one of those APMs to give SSO to all the other APMs. We understand that the best way to go would be 1 APM for all VS, but since we are using iApps-generated APMs, it's difficult.

As described in https://devcentral.f5.com/questions/using-sso-between-multiple-applications, we tried SSO on multiple domains for *.company.org, with one APM per VS. It didn't work and each VS was still prompting for credentials.

So we wonder if our goal is achievable and how to do it...

Do you have any idea?

Thanks.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

You can use Multi-domain SSO, but it requires having only one APM Access profile for all VS.

You can also define F5 as SAML IDP and configure each Access profile as SP.

You can change the scope of your access profile. Here is an extract from the APM Operation Guide:

In BIG-IP 11.x - 11.6, user session IDs are global to the BIG-IP system and can be presented to any BIG-IP APM virtual server with an attached access profile.

In BIG-IP APM v. 12.0 and later, the configurable Profile Scope establishes additional criteria to ensure that a user who has established a session on one virtual server or access profile cannot use that same session cookie to access other virtual servers and the resources behind them.

There are three possible Profile Scope settings:

  • Profile gives users access only to resources that are behind the same access profile on any virtual server. (Default.)
  • Virtual Server gives users access only to resources that are behind the same virtual server.
  • Global gives users access to resources behind any access profile that has global scope. This setting is equivalent to BIG-IP 11.x behavior.

Hope it helps

Yann
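The Profile Scope rules quoted in the answer above, applied to the three virtual servers from the question, as an added example that is not part of the original thread and is not F5 code. It is a simplified model: it assumes all virtual servers sit on the same BIG-IP and that the browser presents the session cookie to every host; the profile names and `other.company.org` are constructed.

```python
"""Simplified model of the quoted Profile Scope rules (illustrative, not F5 code)."""
from dataclasses import dataclass

PROFILE, VIRTUAL_SERVER, GLOBAL = "profile", "virtual-server", "global"

@dataclass(frozen=True)
class AccessProfile:
    name: str
    scope: str = PROFILE  # the quoted guide lists Profile as the default

@dataclass(frozen=True)
class VirtualServer:
    host: str
    profile: AccessProfile

def session_accepted(origin: VirtualServer, target: VirtualServer) -> bool:
    """Would a session established on `origin` be honoured on `target`?"""
    if origin.profile == target.profile:
        # Same access profile: only Virtual Server scope pins the session to one VS.
        return origin.profile.scope != VIRTUAL_SERVER or origin == target
    # Different access profiles: both of them must have global scope.
    return origin.profile.scope == GLOBAL and target.profile.scope == GLOBAL

def sso_matrix(servers):
    """Map (origin host, target host) -> accepted, for every ordered pair."""
    return {(o.host, t.host): session_accepted(o, t)
            for o in servers for t in servers if o != t}

def build(scope, hosts=("owa", "support", "intranet")):
    """One iApp-style profile per VS, all with the same scope (constructed names)."""
    return [VirtualServer(f"{h}.company.org", AccessProfile(f"{h}_profile", scope))
            for h in hosts]

if __name__ == "__main__":
    for scope in (PROFILE, VIRTUAL_SERVER, GLOBAL):
        matrix = sso_matrix(build(scope))
        print(f"{scope:15} SSO across all three VS: {all(matrix.values())}")
    # Global scope is not limited to the three intended VS: any other
    # global-scope profile on the same BIG-IP honours the session as well.
    owa = build(GLOBAL)[0]
    other = VirtualServer("other.company.org", AccessProfile("other_profile", GLOBAL))
    print("other global-scope VS accepts owa session:", session_accepted(owa, other))
```

With one profile per virtual server, only Global scope yields cross-VS acceptance in this model, so it is worth reviewing which other access profiles on the same system also carry Global scope before changing it.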