Manual Chapter : Single Sign-On and Multi-Domain Support

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
Manual Chapter

About multi-domain support for SSO

Access Policy Manager (APM) provides a method to enable users to use a single login or session across multiple virtual servers in separate domains. Users can access back-end applications through multiple domains or through multiple hosts within a single domain, eliminating additional credential requests when they go through those multiple domains. With multi-domain support, you have the option of applying different SSO methods across different domains.

Attention: To enable multi-domain support, all virtual servers must be on a single BIG-IP system.

These are some of the benefits that APM provides when you use it to set up multi-domain support for SSO.

  • Users can sign out from all domains at once.
  • Users can move from one domain to another seamlessly. This eliminates the need re-run the access policy, and thus maintains the established session for the user.
  • Administrators can configure different cookie settings (Secure, Host/Domain and Persistent) for different domains, and for different hosts within same domain
  • Administrators can set up multiple SSO configurations to sign users in to multiple back-end applications for a single APM session

How does multi-domain support work for SSO?

The configuration process in which you successfully set up multi-domain support for SSO requires the following elements.

  • An access profile that includes a set of participating domains.
  • An SSO configuration associated with each of the domains. Additionally, a designated URL that specifies the primary authentication service is included in the access profile.
    Note: The host name of the URL is a virtual server that provides an access policy to retrieve the credentials from the user. If an un-authenticated user reaches any domain specified in the domain group, a re-direct is first made to the primary authenticating service so that credentials are collected in order to establish a session.
  • A virtual server.
  • The access profile associated with each of the virtual servers participating in the domain group.
Configuration process for multi-domain support for SSO Configuration process for multi-domain support for SSO
How multi-domain support for SSO works How multi-domain support for SSO works

Task summary for configuring domain support for SSO

Access Policy Manager SSO lets you configure either a single domain or multiple domains for SSO.

To set up this configuration, follow the procedures in the task list.

Task List

Configuring an access policy for SSO single domain support

These steps apply only if you are setting up your access policy for SSO single domain support.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. From the list, select an access profile in which you want to add SSO capability. The properties screen for that access profile opens.
  3. On the menu bar, click SSO/Auth Domains.
  4. For Domain Mode, select Single Domain.
  5. For the SSO Configuration setting, select an available SSO configuration from the list to apply to your access policy.
  6. Click Update.
  7. On the menu bar, click Access Policy.
  8. Click the name of the access profile for which you want to edit the access policy. The properties screen opens for the profile you want to edit.
  9. Click Edit Access Policy for Profile profile_name. The visual policy editor opens the access policy in a separate screen.
  10. Click the (+) icon anywhere in the access policy to add a new action item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  11. For Predefined Actions, under General Purpose, select SSO Credential Mapping, and click Add item.
  12. Click Save. You have now added SSO capability to your access policy.

Configuring an access policy for SSO multi-domain support

A user should be able to connect to any one of the virtual servers that participate in the domain group, and receive a request for credentials only once. Subsequent connections to other virtual servers within the domain group should not require the users to provide their credentials.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. From the list, select an access profile to which you want to add SSO capability. The properties screen for that access profile opens.
  3. On the menu bar, click SSO/Auth Domains.
  4. For the Domain Mode setting, select Multiple Domains.
  5. For Primary Authentication URI, type the URI the client is directed to, for example, http://login.com, in order to receive an Access Policy Manager session. Each domain that you configure indicates the domain the Access Policy Manager session (established by the primary authentication URI) is bound to.
  6. In the Authentication Domain Configuration area, configure the Cookie setting by selecting Host or Domain, and typing the IP address for the host or, for domain, typing the fully qualified domain name.
  7. Select Cookie Options. By default, Secure is selected.
  8. From the SSO Configuration list, select the configuration that you want to associate to each host or domain. (Defaults to None.)
  9. Click Update.

Creating a virtual server for SSO multi-domain support

For every domain, a virtual server should be configured.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the Create button. The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address field, type the IP address in CIDR format. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
  5. From Access Profile, select the profile you wish to attach to the virtual server.
  6. Click Finished.
These steps should be repeated for every domain you specify in your access policy.