Forum Discussion

ottleydamian's avatar
ottleydamian
Icon for Cirrus rankCirrus
Dec 26, 2017

APM SSO session disables after one use

I created a Webtop with 2 portal access resources. Each portal access resource has an SSO forms resource associated with it. When I log on and click on either of the portal access links, I'm successfully authenticated. In the same session when I click on the other portal link I'm not authenticated but presented with the logon page.

 

In the APM logs I noticed that after I click on a portal resource, I get the following message "SSO disabled for this session" So how do I keep the SSO session open so I can log into several portal resources after authenticating once to the Webtop?

 

Note: I'm using this to learn how different SSO resources work. I'm also confused how someone would use SSO resources configured on the Webtop itself as opposed to individual portal access since each portal access would have its own unique hidden fields.

 

APM
apm sso
security

2 Replies

Sort By
  • wonsoo_41223's avatar
    wonsoo_41223
    Historic F5 Account
    Dec 28, 2017

    I am not sure what is cause of the issue without log, but one possible issue is SSO successful logon detection. Form-based SSO has successful logon detection field and wrong configuration of this field can cause disabling SSO in the APM session even the SSO is successful.

     

    Enable the SSO debug log and review the SSO debug log to find out any SSO failure event.

     

    • ottleydamian's avatar
      ottleydamian
      Icon for Cirrus rankCirrus
      Dec 28, 2017

      Thanks wonsoo,

       

      Since I'm new to APM I didn't know about the great treasure chest of info when debug is turned on. I was just looking at the logs as-is which was just notice level (novice mistake).

       

      I learned that both my Start URI and probably more importantly my Successful logon Detection was not exact. That fixed the issue. Then I noticed that the only resource item in my SSO configs that were actually being used is the '/*' not my attempt for more specific URI path info (not sure why as yet).

       

      The F5 APM class made SSO appear to be so easy. That is why I always wish I could do a class after using the product for a few months so I can ask better questions but it doesn't always work out that way :-(