Forum Discussion

Hugo_Frauches_2
Sep 28, 2017
Solved

APM: SSO between two virtual servers

Hello,

 

I'm having a hard time configuring SSO for multiple virtual servers. I don't know the right way to work with multi-domain SSO, and I need some advice on how multi-domain SSO works.

1) I have two virtual servers with two APM policies, one policy for each virtual server.

2) The client connects to the first virtual server (app1.domain.com) and authenticates via forms with the BIG-IP. SSO is configured so any other links in the same domain carry the authentication.

3) He then opens another application (app2.domain.com) via a shortcut in the web page; it opens an iFrame and calls the other virtual server, which asks the user to authenticate again.

My question is: is there any way to carry the authentication from the first virtual server to the other virtual server? The main problem is that after the iFrame is called and it calls the other virtual server, it opens a different session in APM. Does multi-domain SSO work with this configuration?

 


8 Replies

  • Hello Hugo,

    Not sure why you are using multi-domain SSO when from all accounts your domain is not changing: app1.domain.com / app2.domain.com.

    Just specify domain.com as your SSO domain and use single-domain SSO. Then, when you go to the second virtual server with its own policy, include the same SSO object.

    • Hugo_Frauches_2

      Dear Kevin,

      Thanks for the reply. I tried to use the single SSO domain configured in the virtual servers' APM policies, but it didn't work with separate policies, so I had to make some changes: I set up a single APM session policy for both virtual servers but created a different per-request APM policy for each virtual server, and it worked! When the user clicks on the link and opens the iFrame, it calls the other virtual server and uses the cookie domain auth for SSO, but the authorization is done in the per-request policies.
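The reason Kevin's suggestion (set domain.com as the SSO domain) and Hugo's working setup (one session policy, cookie domain auth) share the session across app1 and app2 comes down to how browsers scope cookies. The following is an added example, not code from the thread or from F5: it implements RFC 6265 domain matching and checks which hosts receive a session cookie depending on whether it was set host-only or with Domain=domain.com. The cookie name MRHSession and the Set-Cookie headers are assumed/constructed for illustration.

```python
# Added example (not from the thread): RFC 6265 cookie domain matching, which
# decides whether a session cookie set at app1.domain.com reaches app2.domain.com.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str       # Domain attribute, or the setting host for host-only cookies
    host_only: bool   # True when Set-Cookie carried no Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match for host names (IP addresses not handled)."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    if request_host == cookie_domain:
        return True
    # A Domain=domain.com cookie is sent to every host under domain.com,
    # which is exactly what shares the APM session between app1 and app2.
    return request_host.endswith("." + cookie_domain)


def cookie_sent_to(cookie: Cookie, request_host: str) -> bool:
    """RFC 6265 section 5.4: host-only cookies need an exact host match."""
    if cookie.host_only:
        return request_host.lower().rstrip(".") == cookie.domain.lower().rstrip(".")
    return domain_matches(request_host, cookie.domain)


def parse_set_cookie(header: str, setting_host: str) -> Cookie:
    """Minimal Set-Cookie parser: only the name and the Domain attribute matter here."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "domain" and value.strip():
            return Cookie(name, value.strip().lstrip("."), host_only=False)
    return Cookie(name, setting_host, host_only=True)


# Constructed sample headers; MRHSession is assumed as the APM session cookie name.
HOST_ONLY = parse_set_cookie("MRHSession=abc123; Secure; HttpOnly", "app1.domain.com")
PARENT = parse_set_cookie("MRHSession=abc123; Domain=domain.com; Secure; HttpOnly",
                          "app1.domain.com")
```

Note that the Domain=domain.com cookie is also sent to any other host under domain.com, so every virtual server in that domain should be fronted by an APM policy that enforces its own authorization, as Hugo's per-request policies do.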

  • Hi Hugo,

    To do multi-domain SSO you need a separate resource to handle the sign-in. The configuration results in app1 and app2 redirecting to the sign-in resource.

    The problem may lie with how you need to do authentication to the servers. If you need to post the entered username/password from the login page, you will be challenged to complete the authentication since the password is not presented to the web server.

    If you are able to change the authentication method (Kerberos, SAML, etc.), then you have options available to use the authentication token provided by the login resource.

    We are in the unfortunate position of not being able to use seamless SSO for one app because it requires the username/password to be posted in a form, and no other options are currently available. All of our other apps support either Kerberos or SAML for authentication.

    The following section of the v12.0 documentation is relevant to what you are trying to do:

    https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-12-0-0/27.html

    Hope that helps.

    Regards,

    JohnB

     

    • Hugo_Frauches_2

      Hello John,

      We are using BIG-IP v13 here in the company, but I will look at the reference link. Also, I was thinking about some way to reuse the first session created by the APM; is this a possible solution?

    • jberkers42_2403

      Hi Hugo,

      I've not yet had the opportunity to have a look at v13; perhaps I should create one soon.

      From what I understand about APM, setting up the "Authentication resource" is what allows the session to be re-used in multi-domain SSO. I am pretty sure that you cannot re-use the session from the first app (using Form POST?). I did try this at one point, but could not get it to work.

      If we could, that is what we would be using for ourselves.

      I don't think that v13 changes any of this functionality; most of the changes are UI re-organisation from what the F5 SEs are telling me.

      Hope that clears things up.

      Regards,

      JohnB
