Forum Discussion

Eric_Raff_11012 (Nimbostratus)
Sep 24, 2014

Multiple Domains SSO with APM and SAML

Hoping to get some ideas on this issue. I have an "overlay" vip working well with multiple host names pointing to it and it routing to an APM enabled "internal" VIP that does SAML client side and Kerberos server side as talked about in this thread. So far all my host names have been in the same domain ( but now there is a new host name that is in another root domain ( I have been using a domain cookie for all the hosts and it works well (I am fine that APM is not fired client side once I have a session and go to other hosts under I now need to get going and I need SSO between domain1 and domain2. So on the APM policy associated to my VIP, I have a couple questions on this.


1) For the primary authentication URI should I point to a host name under


2) If yes, then when I use a host name that resolves to my overlay vip on I get redirected to /my.logout.php3?errorcode=22 with an error "Access policy configuration has changed on gateway. Please login again to comply with new access policy configuration" in the browser and in the apm log file I get "No matching domain found for request host: So that makes me wonder what I should use for the Primary Authentication URI. I want/need it to be a SAML enabled authentication VIP, so why cannot I use a host name on my overlay vip?


3) Should my primary authentication uri be a specific authentication end point / VIP in that is NOT my overlay VIP that is used just to establish a session in and get my domain scoped cookie for


Basically I need to get SSO going between and where both have overlay VIPS for multiple host names under each domain and route to internal vips that have an APM policy applied with SAML client side auth setup to an external IdP.


Thanks in advance for any input or perspective on this one.


  • Can you please clarify a bit what you mean by the "overlay" VIP? What functionality does it perform today, and how is everything set up? Need a bit more details here to give you the best advice.