Deman
Mar 02, 2015

SSO between ADFS and Webtop sites

Hey all.

 

We're currently creating a proof of concept with 3 sites, controlled by 2 APE policies.

  • test_universal_policy. (login form, AD auth, SSO)
  • test_webtop_policy. (similar to above but includes a full webtop for some RDP/Vmware links)

The 2 policies are configured in single-domain mode.

We would like to use single sign-on between ADFS/Integrated auth sites and Webtop. If I access the webtop first, SSO will work across the other 2 test sites (an ADFS and integrated auth site). However, if I go to, say, Office 365 first (which uses ADFS) and log in, I'm unable to access the Webtop later.

Is there any way to configure (or have an iRule) so that the Webtop is available should it not be the first site visited?

I've currently been playing about with iRule session creation, policy evaluation and overriding the "load Webtop" portion when the universal policy briefly included advanced resource assignment, but have not had much luck.

Any ideas?

2 Replies

  • We've had the same issue in our environment. Short of logging it to F5, I'm not sure there is any solution.

    I'd be keen to know if you get this solved though.

  • Deman

    Hey Andrew, I may have found a solution for us. Might be a bit untidy, but so far it seems to work.

    Here's what I did:

    • Added "Advanced Resource Assignment" back to the test_universal_policy
    • Changed the SSO to use multi-domain (with the only entry being the company's domain, no host entries)
    • Set both ADFS and Webtop to use the universal policy
    • Created an iRule and attached it to the test webtop vs, which has the following:
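    when HTTP_REQUEST {
        # Act only when the access session's last logon succeeded
        if { [ACCESS::session data get session.logon.last.result] == 1 } {
            # Requests under /vdesk/ pass through; everything else is redirected to the webtop
            if { not ([HTTP::uri] starts_with "/vdesk/") } {
                # Name of the webtop assigned to this session by the access policy
                set thiswebtop [ACCESS::session data get "session.assigned.webtop"]
                HTTP::redirect "https://webtop.example.com/vdesk/webtop.eui?webtop=$thiswebtop&webtop_type=webtop_full"
            }
        }
    }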
    

    I haven't added our external login form yet (just using the built-in F5 one).

    Give that a whirl.