How to perform Permitted Group checks across multiple Virtual Services with ESP SSO enabled
When using Client Certificate or Form Based authentication using the Edge Security Pack (ESP) and Permitted Groups, you might run into a scenario where you have two Virtual Services using Client Certificate authentication, one will have a Permitted Group and one will not have any Permitted Groups configured.
If a client connects to your Virtual Service that has no Permitted Groups, and is successfully Authenticated, they will have automatic access to your Virtual Services that has a Permitted Group configured, even though the client is not a member of that group.
This behavior occurs because both Virtual Services are using the same SSO Domain configuration. So, when a client successfully authenticates, they receive an Authentication Cookie. When they make a new connection to another Virtual Service with a Permitted Group and they present this Authentication Cookie, the LoadMaster will first check its SSO Domain Table for that Authentication Cookie. If found, they will be instantly allowed access and the LoadMaster will not do any LDAP check.
Configure a second or third Client Side Single Sign On Configuration on the LoadMaster using the same configuration details as your original SSO Domain configuration, and assign it either to your Virtual Service with a Permitted Group, or to the Virtual Service without the Permitted Group.
Navigate to Virtual Services > Manage SSO.
Configure the SSO Domain:
Assign the SSO Domain to the Virtual Service: