Forum Discussion

C_Kim's avatar
C_Kim
Icon for Nimbostratus rankNimbostratus
Oct 10, 2017

Can a VIP belong to multiple SSO Multi-domain configurations?

For multi-domain support, is it possible for a VIP to belong in two separate multi-domain configurations?

 

I have one configuration with the following:

 

  1. apples.company.com (primary authentication service URL)
  2. grannysmith.company.com (participating domain)

Another configuration with the following:

 

  1. Oranges.company.com (primary authentication service URL)
  2. valencia.company.com (participating domain)

Now I want to add a third participating domain, Plants.company.com, to both configurations, so when a user logs into apples.company.com or oranges.company.com, they are automatically allowed into plants.company.com.

 

APM
application delivery
security

2 Replies

Sort By
  • Amresh008's avatar
    Amresh008
    Icon for Nimbostratus rankNimbostratus
    Oct 10, 2017

    It looks to be possible. Also, you can also try to change the isolation settings between the domains, in which case you will need to create the vip only once. Another method could be to create another domain and give its access on both of the existing domains.

     

  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Oct 10, 2017

    Hi,

     

    The problem is how multi domain sso works!

     

    When connecting to grannysmith.company.com, the user is redirected to apples.company.com to request authentication cookie even if user is already authenticated to apples.company.com

     

    So, the multi domain url will be set by the access policy assigned to the vs managing plants.company.com

     

    One solution is to add an irule to force cookie insert to plants when login to apples or oranges.