Forum Discussion

vinocalk
Dec 24, 2013

SSO for Storefront and AAC in same domain

Hi,

 

We have one domain (say www.myurl.com) but different backend services for different URLs. www.myurl.com/location1 takes you to a Storefront server and www.myurl.com/location2 takes you to a legacy Citrix AAC logon page (soon to be decommed but needed in the short term).

 

I have managed to get SSO working for both Storefront (form based) and AAC (forms client-initiated) in isolation but I cannot work out how to have them both working at the same time. I have played with multi-domain SSO but had no joy there. Alternatively I then tried adding a second form to my client-initiated set-up for Storefront but could not get that working.

 

Would really appreciate it if someone could point me in the right direction with this please!

 

Is multi-domain SSO appropriate here (given that I am actually only using one domain)? Can you use multiple forms with client-initiated SSO for this kind of thing? Is it possible to get Storefront working with client-initiated SSO?

 

Many thanks and Happy Xmas everyone!

 

2 Replies

  • Using WEBSSO::select fixed this. But I ran into the bug whereby you cannot select a client-initiated form using WEBSSO::select (still not fixed in 11.4.1 HF1 build 625).

     

    I spent ages playing with my client-initiated form as the default SSO object (defined in the access profile) and using WEBSSO::select to select my forms-based SSO object but could not get it to work (Kevin Stuart has got this working though - https://devcentral.f5.com/questions?pid=28). I think in my case this is something to do with the way Storefront's logon page works. It sends a lot of POSTs whilst generating the logon page and I found that my browser would get stuck in a loop re-submitting the POST for the URI that was being matched by my WEBSSO::select iRule.

     

    I eventually found the workaround to the WEBSSO::select bug and this worked for me (i.e. I made the forms-based SSO the default and used WEBSSO::select to select my client-initiated SSO as described below) -

     

    399696: Selecting an SSO configuration with WEBSSO::select does not work for form-based client initiated and SAML configurations. You can work around the problem by using a variable to assign the configuration object name. For example:

        set sso_config /Common/SAML-config
        WEBSSO::select $sso_config
        unset sso_config
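
Added example, not part of the original thread and not F5's own code: an iRule that combines the path split from the question with the variable workaround quoted in the reply. It assumes the forms-based Storefront SSO object is the access profile's default, and `/Common/aac_client_initiated_sso` is a hypothetical name for the client-initiated SSO object used for AAC.

```tcl
# Added example; object name and path matching are assumptions, not from the thread.
# Default SSO (set in the access profile): forms-based object for Storefront.
# Override for /location2 only: client-initiated forms object for legacy AAC.
when ACCESS_ACL_ALLOWED {
    switch -glob [string tolower [HTTP::path]] {
        "/location2" -
        "/location2/*" {
            # Workaround for bug 399696: WEBSSO::select does not accept a
            # client-initiated (or SAML) object name as a literal, so the
            # name is passed through a variable instead.
            set sso_config /Common/aac_client_initiated_sso   ;# hypothetical name
            WEBSSO::select $sso_config
            unset sso_config
        }
        default {
            # No selection here: /location1 (Storefront) and everything else
            # keep the access profile's default forms-based SSO object.
        }
    }
}
```

Matching on the exact path prefix, rather than on a broad pattern, keeps the AAC credentials from being offered to Storefront requests and avoids re-selecting SSO on the POSTs Storefront issues while building its logon page.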