Manual Chapter: Single Sign-On and Multi-Domain Support

About multi-domain support for SSO

Access Policy Manager® (APM) provides a method to enable your users to use a single login or session across multiple virtual servers in separate domains. Users can access back-end applications either through multiple domains or through multiple hosts within a single domain, eliminating additional credential requests when they go through those multiple domains. With multi-domain support you have the option of applying different SSO methods across different domains.

Attention: To enable multi-domain support, all virtual servers must be on a single BIG-IP® system.

Multi-domain support for SSO provides these benefits:

  • Enables a user to sign out from all the domains at once
  • Allows a user to move from one domain to another seamlessly. This eliminates the need to re-run the access policy, and thus maintains the established session for the user.
  • Enables different cookie settings (Secure, Host/Domain and Persistent) for different domains or for different hosts within same domain
  • Enables the use of multiple SSO configurations to sign users on to multiple back-end applications for a single APM™ session

How does multi-domain support work for SSO?

Setting up multi-domain support for SSO requires the following elements.

  • An access profile that includes a set of participating domains.
  • An SSO configuration associated with each of the domains.
  • A primary authentication URI, specified in the access profile, that designates the primary authentication service.
    Note: The host name of the URI is a virtual server that runs an access policy to collect credentials from the user. If an unauthenticated user reaches any domain in the domain group, the user is first redirected to the primary authentication service so that credentials are collected and a session is established; only then is the user sent back to the requested domain.
  • A virtual server for each participating domain.
  • The access profile attached to each of the virtual servers participating in the domain group.
[Figure: Configuration process for multi-domain support for SSO]
[Figure: How multi-domain support for SSO works]

Task summary for configuring domain support for SSO

Access Policy Manager SSO lets you configure either a single domain or multiple domains for SSO.

To set up this configuration, follow the procedures in the task list.

Task List

Configuring an access policy for SSO single domain support

These steps apply only if you are setting up your access policy for SSO single domain support.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. From the list, select an access profile in which you want to add SSO capability. The properties screen for that access profile opens.
  3. On the Access Profiles properties screen, under SSO across Authentication Domains, for Domain Mode, select Single Domain.
  4. For the SSO Configuration setting, select an available SSO configuration from the list to apply to your access policy.
  5. Click Finished.
  6. On the Access Profiles List screen, click the name of the access profile for which you want to edit the access policy. The Access Profile properties screen opens for the profile you want to edit.
  7. In the Access Policy column, click the Edit link for the profile you want to configure to launch the visual policy editor. The visual policy editor opens the access profile in a separate window or tab.
  8. Click the [+] sign anywhere in your access profile to add your new policy action item. An Add Item window opens.
  9. For Predefined Actions, under General Purpose, select SSO Credential Mapping, and click Add item.
  10. Click Save. You have now added SSO capability to your access policy.

Configuring an access policy for SSO multi-domain support

A user should be able to connect to any one of the virtual servers that participate in the domain group, and receive a request for credentials only once. Subsequent connections to other virtual servers within the domain group should not require the users to provide their credentials.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. From the list, select an access profile in which you want to add SSO capability. The properties screen for that access profile opens.
  3. On the Access Profiles properties screen, under SSO across Authentication Domains, for Domain Mode, select Multiple Domains. Additional options appear. Change only the Configure Authentication Domains and Primary Authentication URI settings; the other options apply to single domain configuration only.
  4. For Primary Authentication URI, type the URI the client is redirected to in order to receive an Access Policy Manager session, for example, http://login.com. In practice use an https URI here: every domain in the group relies on the session established at this host, and a session cookie marked Secure is never sent by the browser over plain http. Each domain that you configure is bound to the Access Policy Manager session established through the primary authentication URI.
  5. For Configure Authentication Domains, click Add and select either Host or Domain from the list, and continue to click Add for each host or domain you want to add.
  6. From the SSO Config list, select the configuration that you want to associate to each host or domain.
  7. Click Update.
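The following model ties together the flow described under "How does multi-domain support work for SSO?" and at the start of this procedure: a user who reaches any participating virtual server without a session is redirected to the primary authentication URI, credentials are collected once, and the resulting session is then bound to each domain the user visits, with a different SSO configuration and cookie scope per entry. It is an added illustration written for this page, not BIG-IP or APM code; the host names, SSO configuration names and the credential check are invented, and the cookie scoping follows the ordinary browser rules (host cookie vs. domain cookie, a Secure cookie is sent over https only).

```python
"""Toy model of multi-domain SSO: one session bound to several domains.
Added illustration, not APM code; host and SSO configuration names are invented."""
from dataclasses import dataclass
from urllib.parse import urlsplit
import secrets


@dataclass
class DomainEntry:
    kind: str            # "Host" (exact match) or "Domain" (domain and its sub-hosts)
    name: str
    sso_config: str      # SSO configuration applied to back-end apps under this entry
    secure: bool = True  # Secure flag on the session cookie set for this entry


@dataclass
class AccessProfile:
    primary_auth_uri: str  # the one place where credentials are collected
    domains: list          # participating Host/Domain entries


class Browser:
    """Minimal cookie jar with host/domain scoping and the Secure flag."""

    def __init__(self):
        self.cookies = {}  # scope (host or domain) -> (session id, secure)

    def set(self, scope, value, secure):
        self.cookies[scope] = (value, secure)

    def get(self, host, scheme):
        for scope, (value, secure) in self.cookies.items():
            if secure and scheme != "https":
                continue  # a Secure cookie never travels over http
            if host == scope or host.endswith("." + scope):
                return value
        return None

    def clear(self, scopes):
        for scope in scopes:
            self.cookies.pop(scope, None)


class MultiDomainSSO:
    def __init__(self, profile):
        self.profile = profile
        self.primary = urlsplit(profile.primary_auth_uri)
        self.sessions = {}  # session id -> set of cookie scopes bound to it
        self.prompts = 0    # how many times the user was asked for credentials

    def _entry(self, host):
        for e in self.profile.domains:
            if e.kind == "Host" and host == e.name:
                return e
            if e.kind == "Domain" and (host == e.name or host.endswith("." + e.name)):
                return e
        return None

    def access(self, browser, url, user=None):
        """One request to a participating virtual server.
        Returns ("sso", sso_config) or ("denied", reason)."""
        req = urlsplit(url)
        entry = self._entry(req.hostname)
        if entry is None:
            return ("denied", "host is not in the domain group")
        if entry.secure and req.scheme != "https":
            return ("denied", "Secure cookie configured but request is not https")
        sid = browser.get(req.hostname, req.scheme)
        if sid in self.sessions:
            return ("sso", entry.sso_config)  # session already bound to this domain
        # No session cookie for this domain: redirect to the primary auth URI.
        sid = browser.get(self.primary.hostname, self.primary.scheme)
        if sid not in self.sessions:
            if user is None:
                return ("denied", "credentials required at " + self.profile.primary_auth_uri)
            self.prompts += 1  # the access policy runs once per session
            sid = secrets.token_hex(16)
            self.sessions[sid] = {self.primary.hostname}
            browser.set(self.primary.hostname, sid, self.primary.scheme == "https")
        # Bind the existing session to this domain and send the user back.
        scope = req.hostname if entry.kind == "Host" else entry.name
        browser.set(scope, sid, entry.secure)
        self.sessions[sid].add(scope)
        return ("sso", entry.sso_config)

    def logout(self, browser):
        """Single sign-out: drop the session and every cookie bound to it."""
        sid = browser.get(self.primary.hostname, self.primary.scheme)
        scopes = self.sessions.pop(sid, set())
        browser.clear(scopes)
        return len(scopes)


def run_scenario():
    """Walk one user through two domains and a sign-out; returns the outcomes."""
    profile = AccessProfile("https://login.example.com", [
        DomainEntry("Domain", "example.com", "sso_kerberos"),
        DomainEntry("Host", "portal.example.org", "sso_forms"),
    ])
    sso, b = MultiDomainSSO(profile), Browser()
    out = [sso.access(b, "https://app1.example.com/"),           # no session yet
           sso.access(b, "https://app1.example.com/", "alice"),  # prompt, bind example.com
           sso.access(b, "https://app2.example.com/"),           # same domain cookie
           sso.access(b, "https://portal.example.org/"),         # new domain, no prompt
           sso.access(b, "https://evil.example.net/"),           # not in the group
           sso.access(b, "http://app1.example.com/")]            # Secure cookie over http
    out.append(("prompts", sso.prompts))
    out.append(("logout", sso.logout(b)))
    out.append(sso.access(b, "https://app2.example.com/"))       # session is gone
    return out


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

The scenario asks for credentials exactly once even though three hosts in two domains are visited, the two example.com hosts share one domain-scoped cookie while portal.example.org gets its own host cookie, a host outside the group gets no SSO at all, and a single logout removes every cookie the session was bound to.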

Creating a virtual server for SSO multi-domain support

For every domain, a virtual server should be configured.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen displays a list of existing virtual servers.
  2. Click the Create button. The New Virtual Server screen opens.
  3. Type a unique name for the virtual server.
  4. From Access Profile, select the profile you wish to attach to the virtual server.
  5. Click Finished.
Repeat these steps for every host or domain you specify in the access profile.