Forum Discussion

Eric_Raff_11012
Sep 24, 2014

Multiple Domains SSO with APM and SAML

Hoping to get some ideas on this issue. I have an "overlay" VIP working well with multiple host names pointing to it, and it routes to an APM-enabled "internal" VIP that does SAML client side and Kerberos server side, as talked about in this thread. So far all my host names have been in the same domain (domain1.com), but now there is a new host name that is in another root domain (domain2.com). I have been using a domain cookie for all the domain1.com hosts and it works well (I am fine that APM is not fired client side once I have a session and go to other hosts under domain1.com). I now need to get domain2.com going, and I need SSO between domain1 and domain2. So on the APM policy associated to my domain2.com VIP, I have a couple of questions on this.

1) For the primary authentication URI should I point to a host name under domain1.com?

2) If yes, then when I use a host name that resolves to my overlay VIP on domain1.com, I get redirected to /my.logout.php3?errorcode=22 with an error "Access policy configuration has changed on gateway. Please login again to comply with new access policy configuration" in the browser, and in the APM log file I get "No matching domain found for request host: host.domain2.com". So that makes me wonder what I should use for the Primary Authentication URI. I want/need it to be a SAML-enabled authentication VIP, so why can't I use a host name on my overlay VIP?

3) Should my Primary Authentication URI be a specific authentication endpoint / VIP in domain1.com that is NOT my overlay VIP, used just to establish a session in domain1.com and get my domain-scoped cookie for domain1.com?

Basically I need to get SSO going between domain1.com and domain2.com, where both have overlay VIPs for multiple host names under each domain and route to internal VIPs that have an APM policy applied with SAML client-side auth set up to an external IdP.

Thanks in advance for any input or perspective on this one.
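The constraint underneath questions 2 and 3 is browser cookie scoping: a cookie set with `Domain=domain1.com` is only ever sent to hosts under domain1.com, and a response from a domain2.com host is not allowed to set a cookie scoped to domain1.com. The following is an added example (not code from the original post or from F5) that models that behaviour with Python's standard-library cookie jar, whose default policy applies the same domain-matching rules a browser does. The host names `app1.domain1.com`, `app2.domain1.com` and `host.domain2.com`, the cookie name `sso_session` and the `SESSION_PLACEHOLDER` value are all constructed for the example.

```python
import http.cookiejar
import urllib.request
from email.message import Message


class _FakeResponse:
    """Minimal stand-in for an HTTP response: the cookie jar only calls .info()."""

    def __init__(self, headers):
        self._headers = headers

    def info(self):
        return self._headers


def try_set_cookie(jar, response_url, set_cookie_value):
    """Feed one Set-Cookie header into the jar as if it arrived in a response
    from response_url. Returns True if the jar's policy accepted the cookie,
    False if it was rejected (e.g. Domain does not match the responding host)."""
    request = urllib.request.Request(response_url)
    headers = Message()
    headers["Set-Cookie"] = set_cookie_value
    before = len(jar)
    jar.extract_cookies(_FakeResponse(headers), request)
    return len(jar) > before


def cookie_names_sent_to(jar, url):
    """Return the sorted names of the cookies the jar would attach to a
    request for url, i.e. what a browser would send to that host."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    header = request.get_header("Cookie")
    if not header:
        return []
    return sorted(part.split("=", 1)[0].strip() for part in header.split(";"))


# Constructed cookie, scoped to the first root domain (value is a placeholder).
DOMAIN1_COOKIE = "sso_session=SESSION_PLACEHOLDER; Domain=domain1.com; Path=/; Secure; HttpOnly"


def simulate_cross_domain_sso():
    """Run the two scenarios from the question and return the observations."""
    results = {}

    # Scenario A: the APM VIP behind app1.domain1.com sets a domain cookie
    # for domain1.com after a successful SAML login.
    jar_a = http.cookiejar.CookieJar()
    results["domain1_cookie_accepted"] = try_set_cookie(
        jar_a, "https://app1.domain1.com/", DOMAIN1_COOKIE)
    # Another host under domain1.com gets the session cookie (SSO works) ...
    results["sent_to_app2_domain1"] = cookie_names_sent_to(
        jar_a, "https://app2.domain1.com/")
    # ... but a host under domain2.com never sees it, so APM has no session there.
    results["sent_to_host_domain2"] = cookie_names_sent_to(
        jar_a, "https://host.domain2.com/")

    # Scenario B: a response from host.domain2.com tries to set a cookie
    # scoped to domain1.com. Cookie policy rejects it: a host may only set
    # cookies for its own registrable domain, which is why the domain2.com
    # session has to be established by a redirect to an endpoint in domain1.com
    # rather than by handing a domain1.com cookie across.
    jar_b = http.cookiejar.CookieJar()
    results["cross_domain_set_accepted"] = try_set_cookie(
        jar_b, "https://host.domain2.com/", DOMAIN1_COOKIE)

    return results


if __name__ == "__main__":
    for key, value in simulate_cross_domain_sso().items():
        print(f"{key}: {value}")
```

The `Secure` attribute means the jar only releases the cookie over `https`, which is also why every URL in the example uses that scheme; an overlay VIP terminating TLS in front of the APM VIP would be the component that satisfies that requirement in the deployment described.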

1 Reply

Can you please clarify a bit what you mean by the "overlay" VIP? What functionality does it perform today, and how is everything set up? Need a bit more details here to give you the best advice.