Manual Chapter : Single Sign-On and Multi-Domain Support

Applies To:

Show Versions Show Versions
Manual Chapter

Single Sign-On and Multi-Domain Support

About multi-domain support for SSO

Access Policy Manager (APM) provides a method to enable users to use a single login or session across multiple virtual servers in separate domains. Users can access back-end applications through multiple domains or through multiple hosts within a single domain, eliminating additional credential requests when they go through those multiple domains. With multi-domain support, you have the option of applying different SSO methods across different domains.

Important: To enable multi-domain support, all virtual servers must be on a single BIG-IP system.

These are some of the benefits that APM provides when you use it to set up multi-domain support for SSO.

  • Users can sign out from all domains at once.
  • Users can move from one domain to another seamlessly. This eliminates the need re-run the access policy, and thus maintains the established session for the user.
  • Administrators can configure different cookie settings (Secure, Host/Domain and Persistent) for different domains, and for different hosts within same domain
  • Administrators can set up multiple SSO configurations to sign users in to multiple back-end applications for a single APM session

How does multi-domain support work for SSO?

The configuration process in which you successfully set up multi-domain support for SSO requires the following elements.

  • An access profile that includes a set of participating domains.
  • An SSO configuration associated with each of the domains. Additionally, a designated URL that specifies the primary authentication service is included in the access profile.
    Note: The host name of the URL is a virtual server that provides an access policy to retrieve the credentials from the user. If an un-authenticated user reaches any domain specified in the domain group, a re-direct is first made to the primary authenticating service so that credentials are collected in order to establish a session.
  • A virtual server.
  • The access profile associated with each of the virtual servers participating in the domain group.
Configuration process for multi-domain support for SSO

Configuration process for multi-domain support for SSO

How multi-domain support for SSO works

How multi-domain support for SSO works

Task summary for configuring domain support for SSO

Access Policy Manager® SSO lets you configure either a single domain or multiple domains for SSO.

To set up this configuration, follow the procedures in the task list.

Task List

Configuring an access policy for SSO single domain support

These steps apply only if you are setting up your access policy for SSO single domain support.
  1. On the Main tab, click Access > Profiles / Policies .
    The Access Profiles (Per-Session Policies) screen opens.
  2. From the list, select an access profile in which you want to add SSO capability.
    The properties screen for that access profile opens.
  3. On the menu bar, click SSO/Auth Domains.
  4. For Domain Mode, select Single Domain.
  5. For the SSO Configuration setting, select an available SSO configuration from the list to apply to your access policy.
  6. Click Update.
  7. On the menu bar, click Access Policy.
  8. Click the name of the access profile for which you want to edit the access policy.
    The properties screen opens for the profile you want to edit.
  9. In the General Properties area, click the Edit Access Policy for Profile profile_name link.
    The visual policy editor opens the access policy in a separate screen.
  10. Click the (+) icon anywhere in the access policy to add a new item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  11. For Predefined Actions, under General Purpose, select SSO Credential Mapping, and click Add item.
  12. Click Save.
    You have now added SSO capability to your access policy.

Configuring an access policy for SSO multi-domain support

A user should be able to connect to any one of the virtual servers that participate in the domain group, and receive a request for credentials only once. Subsequent connections to other virtual servers within the domain group should not require the users to provide their credentials.
  1. On the Main tab, click Access > Profiles / Policies .
    The Access Profiles (Per-Session Policies) screen opens.
  2. From the list, select an access profile to which you want to add SSO capability.
    The properties screen for that access profile opens.
  3. On the menu bar, click SSO/Auth Domains.
  4. For the Domain Mode setting, select Multiple Domains.
  5. For Primary Authentication URI, type the URI the client is directed to, for example, http://login.com, in order to receive an Access Policy Manager session.
    Each domain that you configure indicates the domain the Access Policy Manager session (established by the primary authentication URI) is bound to.
  6. In the Authentication Domain Configuration area, configure the Cookie setting by selecting Host or Domain, and typing the IP address for the host or, for domain, typing the fully qualified domain name.
  7. Select Cookie Options. By default, Secure is selected.
  8. From the SSO Configuration list, select the configuration that you want to associate to each host or domain. (Defaults to None.)
  9. Click Update.

Verifying log settings for the access profile

Confirm that the correct log settings are selected for the access profile to ensure that events are logged as you intend.
Note: Log settings are configured in the Access > Overview > Event Log > Settings area of the product. They enable and disable logging for access system and URL request filtering events. Log settings also specify log publishers that send log messages to specified destinations.
  1. On the Main tab, click Access > Profiles / Policies .
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click the name of the access profile that you want to edit.
    The properties screen opens.
  3. On the menu bar, click Logs.
    The access profile log settings display.
  4. Move log settings between the Available and Selected lists.
    You can assign up to three log settings that enable access system logging to an access profile. You can assign additional log settings to an access profile provided that they enable logging for URl request logging only.
    Note: Logging is disabled when the Selected list is empty.
  5. Click Update.
An access profile is in effect when it is assigned to a virtual server.

Creating a virtual server for SSO multi-domain support

For every domain, a virtual server should be configured.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click Create.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address/Mask field:
    • If you want to specify a single IP address, confirm that the Host button is selected, and type the IP address in CIDR format.
    • If you want to specify multiple IP addresses, select the Address List button, and confirm that the address list that you previously created appears in the box.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
    Note: The IP address or addresses for this field must be on the same subnet as the external self-IP address.
  5. From Access Profile, select the profile you wish to attach to the virtual server.
  6. Click Finished.
These steps should be repeated for every domain you specify in your access policy.