Applies To:
BIG-IP APM
- 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
Common use cases for Single Sign-On deployment
You can deploy Single Sign-On in a variety of ways, depending on the needs within your networking environment. Deployment options include the following choices.
Use case deployment type | Description |
---|---|
For local traffic pool members | Deploy SSO for local traffic with pool members. The Web Application Access Management for Local Traffic Virtual Servers wizard can be used for this deployment. |
For web application access over network access | Deploy SSO through a network access tunnel with matching virtual servers enabled on the connectivity interface. |
For web applications | Deploy SSO so users can access their web applications. You can assign an SSO object as part of the web application resource item, such as a SAML resource or a portal access resource item, or assign the object at the access profile level instead. |
Overview: Configuring SSO for web apps over network access
Without single sign-on (SSO) for web applications, remote clients that try to access web services over a network access connection must supply credentials multiple times.
This implementation to support SSO includes a typical network access configuration with a secure connectivity (tunnel) interface. Additional configuration to support SSO is required for each web service.
The configuration for each web service includes a virtual server that is enabled on the tunnel and that specifies a destination address to match the web server. An SSO access profile type is required on the virtual server. An SSO access profile type specifies an SSO configuration; no access policy is associated with this profile type.
It is possible for a matching virtual server for a web application to match a resource specified in a portal access resource item. (Although not required, portal access resources can be assigned to the webtop in the network access configuration.) In this case, SSO configuration must be specified at the access profile level (in the virtual server) and not in the portal access resource item.
Task summary
Configuring a network access resource
Configuring network access properties
Creating a connectivity profile
Creating an access profile for remote access
Adding network access to an access policy
Configuring a virtual server for network access
Creating an SSO configuration
Creating an access profile for web app SSO
Configuring a virtual server for web app SSO
About SSO for portal access resources
An SSO configuration can be specified in a portal access resource item or in the access profile through which the portal access resource is assigned in the access policy.
If a portal access resource item and a virtual server that matches the resource populate the same session, an SSO configuration must be specified only once and at the access profile level. The SSO configuration must be specified in the access profile for the matching virtual server and not in the portal access resource item.
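The rule above can be checked mechanically against an inventory of virtual servers and portal access resource items. The following is an added example, not F5 code or a BIG-IP API: the record types, field names, finding codes and sample data are all hypothetical, and it assumes a virtual server "matches" a resource when it is enabled on the tunnel and its destination address (and port, with 0 meaning any) covers the web server.

```python
import ipaddress
from typing import NamedTuple, Optional

# Hypothetical inventory records; these are not a BIG-IP export format.
class VirtualServer(NamedTuple):
    name: str
    destination: str            # single address or CIDR network
    port: int                   # 0 = any port (assumption)
    on_tunnel: bool             # enabled on the connectivity (tunnel) interface
    profile_type: str           # access profile type on the virtual server
    profile_sso: Optional[str]  # SSO configuration named in that profile

class PortalResourceItem(NamedTuple):
    name: str
    host_ip: str
    port: int
    item_sso: Optional[str]     # SSO configuration set on the resource item

def matches(vs, item):
    """True when a tunnel-enabled virtual server's destination covers the web server."""
    net = ipaddress.ip_network(vs.destination, strict=False)
    return (vs.on_tunnel
            and ipaddress.ip_address(item.host_ip) in net
            and vs.port in (0, item.port))

def audit(virtual_servers, items):
    """Return (item, virtual server, code) for each violation of the rule."""
    findings = []
    for item in items:
        for vs in (v for v in virtual_servers if matches(v, item)):
            if item.item_sso:
                # SSO belongs in the matching virtual server's access profile only.
                findings.append((item.name, vs.name, "sso-on-resource-item"))
            if vs.profile_type != "SSO" or not vs.profile_sso:
                findings.append((item.name, vs.name, "no-sso-in-access-profile"))
    return findings

# Constructed sample data for illustration.
VS = [
    VirtualServer("vs_wiki_sso", "10.1.20.15", 443, True, "SSO", "sso_wiki"),
    VirtualServer("vs_hr_sso", "10.1.30.0/24", 0, True, "SSO", None),
    VirtualServer("vs_lan_only", "10.1.40.5", 80, False, "SSO", "sso_x"),
]
ITEMS = [
    PortalResourceItem("wiki", "10.1.20.15", 443, "sso_wiki"),   # SSO given twice
    PortalResourceItem("hr", "10.1.30.7", 8443, None),           # profile lacks SSO
    PortalResourceItem("legacy", "10.1.40.5", 80, "sso_legacy"), # no tunnel match
]

if __name__ == "__main__":
    for finding in audit(VS, ITEMS):
        print(*finding, sep="\t")
```

The "legacy" item produces no finding because no tunnel-enabled virtual server matches it, so SSO on the resource item is the only place it is specified.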