You can deploy Single Sign-On in a variety of ways, depending on the needs within your networking environment. Deployment options include the following choices.
| Use case deployment type | Description |
| --- | --- |
| For local traffic pool members | Deploy SSO for local traffic with pool members. The Web Application Access Management for Local Traffic Virtual Servers wizard can be used for this deployment. |
| For web application access over network access | Deploy SSO through a network access tunnel with matching virtual servers enabled on the connectivity interface. |
| For web applications | Deploy SSO so users can access their web applications. You can assign an SSO object as part of the web application resource item, such as a SAML resource or a portal access resource item, or assign the object at the access profile level instead. |
Without single sign-on (SSO) for web applications, remote clients that try to access web services over a network access connection must supply credentials multiple times.
This SSO implementation includes a typical network access configuration with a secure connectivity (tunnel) interface. Each web service requires additional configuration to support SSO.
The configuration for each web service includes a virtual server that is enabled on the tunnel and that specifies a destination address to match the web server. The virtual server requires an access profile of the SSO type. An SSO-type access profile specifies an SSO configuration; no access policy is associated with this profile type.
It is possible for a matching virtual server for a web application to match a resource specified in a portal access resource item. (Although not required, portal access resources can be assigned to the webtop in the network access configuration.) In this case, SSO configuration must be specified at the access profile level (in the virtual server) and not in the portal access resource item.
An SSO configuration can be specified in a portal access resource item or in the access profile through which the portal access resource is assigned in the access policy.
If a portal access resource item and a virtual server that matches the resource populate the same session, an SSO configuration must be specified only once and at the access profile level. The SSO configuration must be specified in the access profile for the matching virtual server and not in the portal access resource item.