Samuel_Soulard
Jun 18, 2018

APM multi-domain primary authentication URI persistent cookie

Hello to all, (First time posting)

 

So, we need to set a persistent cookie for the primary authentication URI so that a person isn't prompted again when they visit the primary authentication URI again when they close the browser.

 

We have this scenario

 

  • User visits PortalA.contoso.com (Access profile is set the same as primary authentication uri)
  • They are directed to login.contosom.com (actual primary authentication URI virtual server with access policy multi-domain)
  • They login with their account, the authentication domains redirects to PortalA.contoso.com with the proper SSO Configuration
  • They close their browser
  • They open their browser
  • They visit PortalA.contoso.com (They're logged in automatically)
  • They visit PortalB.contoso.com (they're directed to the primary authentication URI for authentication)

Now if they don't close their browser, and they do go back to the authentication URI, they're issued a persistent cookie. If they now close their browser and re-open it, they'll be able to login to all websites in the multi-domain setup without having to login.

 

So our question is, how do we set this up or have an iRule generate a persistent cookie for the primary authentication URI

 

Thanks!

 

4 Replies

  • When I read your question and comment, I don't understand when you describe expected or current behavior.

    Do you want to have persistent authentication on the primary authentication URI or only for PortalA.contoso.com?

     

  • Hi Sam,

     

    It's a typical identity federation use-case you describe here.

     

    By using SAML you should solve this problem in a better way than using an iRule. You can find information below to declare your authentication portal as an IdP and the other portals as SPs.

     

    https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-saml-config-guide-11-3-0/2.html

     

    https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-saml-config-guide-11-3-0/4.html

     

  • Anesh

    Change the cookie scope to domain and the cookie domain to be wide, like ".contoso.com".

     

  • a_knight_380
    Historic F5 Account

    In this case, the cookie associated with the Primary Authentication URI is never set as persistent because the primary authentication URI is never requested after access policy evaluation has completed. This behavior is by design and is noted in the online help, and is not specific to primary authentication URIs.

     

    "When the session is first established, session cookies are not marked as persistent, but when the first response is sent to the client after the access policy completes successfully, the cookies are marked persistent."

     

    There was an RFE filed in the support case ID734677.
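
The behaviour discussed in this thread can be checked from captured `Set-Cookie` headers. The following is an added example, not part of the original thread and not F5 code: a browser-side model that reports which hosts still receive a session cookie after a browser restart. The lowercase hostnames follow the thread's scenario; the cookie name `SESSION_PLACEHOLDER` and all header values are constructed assumptions.

```python
# Browser-side model of the thread's scenario (constructed data, not APM code).
HOSTS = ["login.contoso.com", "portala.contoso.com", "portalb.contoso.com"]

# Constructed Set-Cookie values; SESSION_PLACEHOLDER is a hypothetical cookie name.
# Case 1: what the thread describes (login host cookie never marked persistent).
OBSERVED = [
    ("login.contoso.com", "SESSION_PLACEHOLDER=aaa; Path=/; Secure; HttpOnly"),
    ("portala.contoso.com",
     "SESSION_PLACEHOLDER=bbb; Path=/; Max-Age=86400; Secure; HttpOnly"),
]
# Case 2: a persistent cookie scoped to the parent domain.
DOMAIN_WIDE = [
    ("login.contoso.com",
     "SESSION_PLACEHOLDER=ccc; Path=/; Domain=.contoso.com; Max-Age=86400; "
     "Secure; HttpOnly"),
]


def parse_set_cookie(origin_host, header):
    """Extract name, persistence and scope from one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    domain = attrs.get("domain", "").lstrip(".").lower()
    return {
        "name": parts[0].split("=", 1)[0],
        # Without Expires or Max-Age the cookie is dropped when the browser closes.
        "persistent": "expires" in attrs or "max-age" in attrs,
        "domain": domain or origin_host.lower(),
        # No Domain attribute means the cookie is bound to the exact origin host.
        "host_only": not domain,
    }


def sent_to(cookie, host):
    """Cookie domain matching: exact host, or subdomain if Domain was set."""
    host = host.lower()
    if cookie["host_only"]:
        return host == cookie["domain"]
    return host == cookie["domain"] or host.endswith("." + cookie["domain"])


def hosts_after_restart(responses, hosts=HOSTS):
    """Hosts that still receive a cookie once session cookies are discarded."""
    kept = [c for c in (parse_set_cookie(h, v) for h, v in responses)
            if c["persistent"]]
    return sorted(h for h in hosts if any(sent_to(c, h) for c in kept))


if __name__ == "__main__":
    print("observed:", hosts_after_restart(OBSERVED))
    print("domain-wide:", hosts_after_restart(DOMAIN_WIDE))
```

In the second case the same check shows the trade-off of a domain-wide cookie: every host under `contoso.com` receives the session cookie, not only the portals in the multi-domain setup.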