Forum Discussion
Hi Kevin,
I'm expecting to have top level/root directory access to the site open to anonymous users, and only apply the access policy to a select collection of sub sites (three sub directories at the moment).
For instance, www.intranet.com would be open access, but a request for www.intranet.com/secure would call forth the access policy, log the user in with a SSO mechanism of some description, and if not possible (i.e., the user doesn't fulfil the SSO criteria, OR they aren't using a domain joined computer) present a standard F5 managed login page securing access to the resource...
Essentially, we want particular users within our organisation to be able to access the /secure sites without having to resubmit their AD credentials, and everyone else to be presented with the login page. This would mean that users with rights can log in to the resource using manually entered credentials when they are offsite, but when they are on-site, it's a seamless SSO experience.
We've had one engineer try to implement this solution, but efforts have been fruitless so far. I'm taking over and I want to go back to basics to see what sort of mechanisms support this functionality. I'm open to all ideas!
You say that the browser will attempt Kerberos authentication on initial connection. Could an access policy be created to cache their credentials at that point, and store them to be used later on in the session, if they request one of the 'secure' URLs?
Cheers,
Gavin