Forum Discussion

Steffen_H's avatar
Icon for Nimbostratus rankNimbostratus
Jan 13, 2020


Hi All,

we'd like to secure the access to a backend portal with OAuth (F5 Authorization Server and F5 Client/Ressource Server).

We aleady configured 2 Virtual Servers and 2 Access Profiles

  • access profile 1 for the backend application (OAuth Client and Scope Agents)
  • access profile 2 for the OAuth AS (Logon Page, LDAP Auth and OAuth AS Agent)

The login and the OAuth (OIDC) works with the backend via id_token.


Idea was to ask the user ONCE for his LDAP Credentials and then authorize the user in subsequent authorization requests from client applications WITHOUT asking for entering his credentials again.

What we see in the session logs is, that the authorization server session always ends with "session deleted (oauth_finished)" once the authorization request has successfully ended, hence the users LDAP information is destroyed together with the "session deleted"

Is it possible to get some kind of SSO so that the users credentials is stored in the client for subsequent authorization requests and that the logon page can make use those credentials without prompting the user to login manually again?




3 Replies

  • Information from Support:

    [..] I fully agree that you are facing with the mentioned limitation rfe753518. From the limitation description itself:


    "Currently BIG-IP OpenID Connect AS does not persist user sessions, so users must log in each time they visit the AS. This is undesirable for some deployments, especially if they have multiple OIDC Client/RS federating to a single AS. The user would have to log in to each RS+AS separately rather than being SSO'd to all RSs."


    [...] What I'm going to do is to escalate your case in order to attach to the mentioned id. This way our product developers will understand that more and more Customers demand this functionality. [...]

  • Have there been any updates on this?


    We're doing a project with many applications and are facing these issues with v16.1 atm

  • Any solution identified for this issue? we are running 16.4.1 and facing similar issue.


    The users prompted to login sso again if traffic over F5 VS, direct server access can work without providing additional login. Thanks.