ESP SSO Across Virtual Services with Permitted Groups

Scope

When using Client Certificate or Form Based authentication with the Edge Security Pack (ESP) and Permitted Groups, you might have two Virtual Services that both use Client Certificate authentication, where one has a Permitted Group configured and the other has no Permitted Groups configured.

If a client connects to the Virtual Service that has no Permitted Groups and authenticates successfully, they automatically gain access to the Virtual Service that has a Permitted Group configured, even though the client is not a member of that group.

This behavior occurs because both Virtual Services use the same SSO Domain configuration. When a client authenticates successfully, they receive an Authentication Cookie. When they then open a new connection to the other Virtual Service (the one with a Permitted Group) and present this Authentication Cookie, the LoadMaster first checks its SSO Domain Table for that cookie. If the cookie is found, the client is allowed access immediately and the LoadMaster performs no LDAP check, so the Permitted Group is never evaluated.

Solution

Configure a second (or third) Client Side Single Sign On Configuration on the LoadMaster using the same configuration details as your original SSO Domain configuration, and assign it either to the Virtual Service with a Permitted Group or to the Virtual Service without one. Each Virtual Service then has its own SSO Domain Table, so an Authentication Cookie issued through one Virtual Service is not recognised by the other and the Permitted Group check is enforced.
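The following is an added illustration, not Kemp code or configuration: a small Python model of the cookie lookup described above. The directory, user names, group names and the two Virtual Services are constructed for the example; it shows that a client who is not in the Permitted Group reaches the restricted service when both services share one SSO Domain, and is refused when the restricted service has its own SSO Domain.

```python
# Added illustration (not LoadMaster code): how a shared SSO Domain Table lets an
# authenticated client bypass a Permitted Group check, and how a dedicated SSO
# Domain per Virtual Service scopes the Authentication Cookie.
import secrets

# Constructed directory: user -> group memberships (stands in for the LDAP check).
DIRECTORY = {"alice": {"staff"}, "bob": {"staff", "finance"}}


class SsoDomain:
    """Holds the SSO Domain Table: cookie value -> authenticated user."""
    def __init__(self, name):
        self.name = name
        self.table = {}

    def authenticate(self, user, groups_required):
        # Credentials were accepted; the Permitted Group check happens only here,
        # on the LDAP path, never on the cookie path.
        if groups_required and not (groups_required & DIRECTORY[user]):
            return None
        cookie = secrets.token_hex(8)
        self.table[cookie] = user
        return cookie


class VirtualService:
    def __init__(self, name, sso_domain, permitted_groups=frozenset()):
        self.name = name
        self.sso = sso_domain
        self.permitted_groups = frozenset(permitted_groups)

    def request(self, user, cookie=None):
        """Return (allowed, cookie). A cookie already present in this service's
        SSO Domain Table is accepted immediately with no group check."""
        if cookie in self.sso.table:
            return True, cookie
        new_cookie = self.sso.authenticate(user, self.permitted_groups)
        return new_cookie is not None, new_cookie


def scenario(shared_domain):
    """alice (not in 'finance') logs in on the open service, then presents that
    cookie to the finance-only service. Returns whether she was let in."""
    dom_a = SsoDomain("corp")
    dom_b = dom_a if shared_domain else SsoDomain("corp-finance")
    open_vs = VirtualService("intranet", dom_a)
    finance_vs = VirtualService("finance", dom_b, {"finance"})
    _, cookie = open_vs.request("alice")
    allowed, _ = finance_vs.request("alice", cookie)
    return allowed
```

Running `scenario(True)` reproduces the bypass; `scenario(False)` shows the separate SSO Domain forcing the group check.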

Configuration

Navigate to Virtual Services > Manage SSO.

Configure the SSO Domain.

Assign the SSO Domain to the Virtual Service.
