Forum Discussion

Nolan_Jensen_23's avatar
Nolan_Jensen_23
Icon for Nimbostratus rankNimbostratus
Jun 26, 2018

Ignore domain cookie for specific sub domains?

Hello All,

I am trying to figure out a way to exclude domain cookie SSO for a list of specific sub domains but still allow domain cookie to work on a few others.

Current configuration

We are a single domain and are using a wildcard cert for SSL to all related sites. I currently use an access profile per virtual server as I like to keep them separate to keep the configuration as linier as possible.

I have 3 access policies that I use the domain cookie for SSO all of which are working the way I want.

we are running 13.1.07

Issue:

If I go to one of the sites (that I have domain cookie enabled) then in another tab try to go to a site that is in the same domain but not using domain cookie, it will fail to run the access policy associated with that site. I will then get an error your session could not be established invalid session ID. I know this is because it is trying to use the domain cookie and the access policy that is tied to that virtual server is not configured for domain cookie and global scope.

example: site.domain.com (domain cookie enabled) site1.domain.com (domain cookie enabled) site2.domain.com (don't want to use domain cookie) I have a list of about 8 other sub domains in the same domain that I want to exclude from using domain cookie but retain it for site and site1.

What I have tried

In my research people say to use multiple domain SSO config which allows me to add a host cookie and allows me to access site2 when going to site but it then breaks domain cookie SSO so not sure how to do both.

I also read that you should use one access policy but that seems over complex and to many variables when troubleshooting to have all branches in one large access policy.

I have tried a few irules but they seem to be very inconsistent and causing browser to hang so not sure the ones I found are working for me.

Thank you for any help you can provide. 

when HTTP_REQUEST {
  if { [HTTP::cookie exists "MRHSession"] && ([ACCESS::session exists -state_inprogress] || [ACCESS::session data get "session.policy.result"] == "not_started" ) && ! [string equal "[HTTP::uri]" "/my.policy"] } {
    log -noname accesscontrol.local1.err "$static::ACCESS_LOG_PREFIX [IP::remote_addr] access [HTTP::uri] with in_progress session, redirecting to logout URI"
    HTTP::close

     here you can do whatever you want, easiest option is to simply 302 user to logout URI to delete apm cookie and start over
    HTTP::respond 302 Location "/my.logout.php3"
  }
}
apm sso
application delivery
BIG-IP Access Policy Manager (APM)
domain cookie
iRules
single domain
sub domains
No RepliesBe the first to reply