Forum Discussion
Nobby_67786 Mar 29, 2015 Nimbostratus
Hi John,
The best way to do this would be to set up SAML federation between your VIPs and Access Policies. Configure your primary access policy to act as an IdP and all your others to be SPs. If you've got variables you capture (like username and password), you can pass them as attributes in the SAML payload. The great thing about that solution is that your VIPs don't even need to be on the same device, so if you needed to scale or distribute services your authentication architecture will already support it.
Hope this helps point you in the right direction.
- Nobby
- John_T__Morgan_ Mar 30, 2015 Nimbostratus
  Hi Nobby,
  Would I still need to do an "Allow and Redirect" or would there be a better method than that?
  -John
- Nobby_67786 Mar 31, 2015 Nimbostratus
  So you have several options.
  - If the user you're authenticating only has access to one app/service (which you might determine via AD groups, for example), then you could have an ending Redirect action and send them just to that service. The act of redirecting the user to the app would then generate an SP-initiated SAML transaction, which would actually redirect the user back to the first VIP (to get the SAML assertion) and, as the user is already authenticated, APM would just hand them the assertion and direct them back to the app.
  - You also have the option to present the user a webtop with links to apps they have access to. In this scenario the links can include SAML resources for which APM can generate an IdP-initiated assertion (no bouncing around between VIPs).
  Either way works, and the extra redirects aren't so noticeable unless you've got massively latent links (like satellite). I'm based in Australia and the ~200ms from here to Seattle, where lots of my APM sessions terminated, didn't cause any significant delays even for SP-initiated sessions.
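The two flows Nobby describes (an ending Redirect to the app that triggers an SP-initiated exchange, versus a webtop link that yields an IdP-initiated assertion) and the attribute passing from the first reply, modelled as an added example. This is not code from the thread or from F5: the IdP and SP are tiny in-memory stand-ins for the APM access policies, HMAC stands in for the XML-DSig on a real assertion, and the user, password, hostnames and group names are constructed. The model counts the browser redirects each flow costs and shows the checks an SP should apply to an incoming assertion (signature, audience, expiry, InResponseTo matching an outstanding request, and replay of an assertion ID). It carries username and group membership as attributes and deliberately leaves the password out, since an attribute is readable by every SP that receives the assertion.

```python
"""Added model of the APM-style SAML federation from the thread: one IdP (the
primary access-policy VIP) and an SP VIP, driven through the SP-initiated and
IdP-initiated logins described above so the redirect hops can be counted.
HMAC stands in for the XML-DSig a real assertion carries; every hostname,
user and password here is constructed for the example."""
import hashlib, hmac, json, secrets, time

SIGNING_KEY = b"constructed-idp-signing-key"   # stand-in for the IdP's signing certificate


def sign(payload):
    body = json.dumps(payload, sort_keys=True)
    return {"body": body, "sig": hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()}


def verify(signed):
    """Return the payload if the signature checks out, else None."""
    expected = hmac.new(SIGNING_KEY, signed["body"].encode(), hashlib.sha256).hexdigest()
    return json.loads(signed["body"]) if hmac.compare_digest(expected, signed["sig"]) else None


class IdP:
    """The primary VIP: authenticates once, then issues assertions to any registered SP."""
    USERS = {"jmorgan": {"password": "constructed-pw", "groups": ["app-a-users"]}}  # constructed

    def __init__(self):
        self.sessions = {}   # APM session cookie -> username
        self.sps = {}        # SP entity ID -> ACS URL

    def login(self, user, password):
        rec = self.USERS.get(user)
        if rec is None or not hmac.compare_digest(rec["password"], password):
            return None
        cookie = secrets.token_hex(8)
        self.sessions[cookie] = user
        return cookie

    def assertion(self, cookie, sp_id, in_response_to=None):
        """Answer an AuthnRequest (SP-initiated) or a webtop click (IdP-initiated)."""
        user = self.sessions.get(cookie)
        if user is None:
            return {"redirect": "/login"}          # no APM session: user lands on the logon page
        return {"redirect": self.sps[sp_id], "assertion": sign({
            "id": secrets.token_hex(8), "subject": user, "audience": sp_id,
            "in_response_to": in_response_to, "not_on_or_after": int(time.time()) + 300,
            "attributes": {"username": user, "groups": self.USERS[user]["groups"]}})}


class SP:
    """An application VIP whose access policy trusts the IdP above."""

    def __init__(self, entity_id, acs_url, idp):
        self.entity_id, self.acs_url = entity_id, acs_url
        idp.sps[entity_id] = acs_url
        self.pending, self.seen, self.sessions = set(), set(), {}

    def access(self, sp_cookie):
        if sp_cookie in self.sessions:
            return {"ok": self.sessions[sp_cookie]}
        request_id = secrets.token_hex(8)            # SP-initiated: bounce to the IdP
        self.pending.add(request_id)
        return {"redirect": "idp", "authn_request": request_id}

    def acs(self, signed):
        a = verify(signed)
        if a is None or a["audience"] != self.entity_id or a["not_on_or_after"] <= time.time():
            return {"error": "rejected assertion"}
        if a["id"] in self.seen:
            return {"error": "replayed assertion"}
        if a["in_response_to"] is not None and a["in_response_to"] not in self.pending:
            return {"error": "unknown request"}
        self.seen.add(a["id"])
        self.pending.discard(a["in_response_to"])
        cookie = secrets.token_hex(8)
        self.sessions[cookie] = a["attributes"]
        return {"ok": a["attributes"], "cookie": cookie}


def run(idp, sp, apm_cookie, first):
    """Follow redirects as the browser would; returns (redirect count, final message)."""
    hops, msg = 0, first
    while "redirect" in msg:
        hops += 1
        if msg["redirect"] == "app":
            msg = sp.access(None)
        elif msg["redirect"] == "idp":
            msg = idp.assertion(apm_cookie, sp.entity_id, msg.get("authn_request"))
        elif msg["redirect"] == sp.acs_url:
            msg = sp.acs(msg["assertion"])
        else:
            return hops, {"error": "login required"}
    return hops, msg


def sp_initiated(idp, sp, apm_cookie):
    """Ending Redirect action sends the user to the app; the app bounces via the IdP."""
    return run(idp, sp, apm_cookie, {"redirect": "app"})


def idp_initiated(idp, sp, apm_cookie):
    """Webtop SAML resource: the IdP posts the assertion straight to the app's ACS."""
    return run(idp, sp, apm_cookie, idp.assertion(apm_cookie, sp.entity_id))


if __name__ == "__main__":
    idp = IdP()
    sp = SP("https://app-a.example/sp", "https://app-a.example/saml/acs", idp)
    cookie = idp.login("jmorgan", "constructed-pw")
    print("SP-initiated:", sp_initiated(idp, sp, cookie))
    print("IdP-initiated:", idp_initiated(idp, sp, cookie))
```

With an existing APM session the SP-initiated path costs three redirects (to the app, to the IdP, back to the ACS) and the IdP-initiated path one, which is the difference the reply above describes; without a session the SP-initiated path ends at the IdP's logon page. The `seen` set is what stops a captured assertion being submitted a second time in either flow, and the `pending` check is what ties an SP-initiated response to a request the SP actually issued.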