F5 APM – SSO and Multi-Domain Auth

I’ve written about SSO via Kerberos and SSO via NTLM recently but I also wrote about SSO Authentication such as SSO for Terminal Services, AutoLaunch SAML Resources and OAuth with Facebook last year. I think Single Sign-On (SSO) is really useful for organization which have lots of applications. Users log in once and they have access to all the applications. However, there are companies which have several domains because they have still old domains in the company or they need several domains. Anyway, most of them would like to configure SSO for multi-domain authentication.

There are two mainly Multiple Domain Authentication methods which can be used along with Single Sign-On (SSO). On one hand, we can configure a drop down menu where we can choose what domain we are going to use for autentication. In addition, we can enable multi-domain support for SSO. This is a best configuration when there are several virtual servers and each of them in one domain.

Single Sign-On and Multi-Domain

The Visual Policy Editor (VPE) will have a Logon Page, which will be the Primary Auth Service, where there will be a drop down menu wich all domains. We will also add a Check Domain box to check what domain the user has choosen. Finally, there will be two AD Auth box to authenticate the user in the right domain. I think this is a really simple and powerful configuration which allow SSO for multi-domain authentication.

Domain drop down menu on the logon page - VPE

On the other hand, we can configure home realm discovery or where are you from for Multiple Domain Authentication which can also be used along with Single Sign-On (SSO). This second method prompt the user for their UPN, then their password and authenticate the user against the desired domain. We can also enable muti-domain support for SSO and we can associate the access profile with each of the virtual servers participating in the domain group.

Home realm discovery - where are you from

The Visual Policy Editor (VPE) will have a Logon Page like the first method but it only prompts the UPN. Since APM’s AD Auth action by default authenticates users by username and not the UPN we’ll need to extract the username from the UPN with a variable assign. Next we’ll need to examine the UPN and determine which domain to use for authentication. We’ll also need to create domain specific logon pages to request credentials. Finally, we can add an AD Auth action to each branch and configure the Server to the corresponding AAA object for the selected domain.

Home realm discovery - where are you from - VPE

Actually, there are a third method for Multiple Domain Authentication. This third method uses end-point inspection with Window Registry check or machine certificate authentication. However, this third method requires BIG-IP Edge Client installation in the user’s PC. Therefore, this third method is much difficult to configure and manage.

Thanks my friends!! Do you know any other method for Multi-Domain Authentication with SSO?