APM Cookbook: Multiple Domain Authentication - Part 1
Cody Green, 2014-20-06
From time to time I receive requests on how to make APM authenticate against multiple domains. These organizations
require unique domains for various user roles such as contractor versus employee or student versus faculty. There are
several ways to achieve this depending upon the required user interaction - manual versus automated.
In this series we will work through a few ways APM can help you achieve this requirement:
Domain drop down menu on the logon page
Home realm discovery / where are you from
Domain lookup
End-point inspection (certificate / registry settings)
Domain Drop Down Menu
For part 1 we’ll take a look at placing a domain drop down list on the APM logon page. This topic has previously been
covered by Jason Rahm on DevCentral but required advanced APM knowledge and heavy modifications of underlying
code. In BIG-IP TMOS version 11.5 additional login page input types were added: select and checkbox.
With the addition of these new input types F5 has significantly reduced the complexity of implementing this solution.
In this example I assume you already have an APM Access Policy created and we will modify it to add the domain drop
down feature.
Logon Page Modification
1. Open the APM Visual Policy Editor for your access policy
2. Make the following modifications to Logon Page Input Field #3:
   Type: select
   Post Variable Name: domain
   Session Variable Name: domain
   Values: in the pop-up window add values for Contractor and Employee (see image below)
3. Click Save
Domain Decision Box
Now that we’ve customized the Logon Page we need to add logic to our Visual Policy Editor to choose the correct
domain based upon which domain was selected.
1. Add an empty action to the VPE after the Logon Page
2. Name the empty action Check Domain
3. Click the Branch Rules tab
4. Click the Add Branch Rule button
5. Name the new rule Contractor
6. Click the change link next to Expression: Empty
7. Click the Advanced tab
8. Enter the following TCL expression:
expr { [mcget {session.logon.last.domain}] eq "Contractor" }
9. Click Finished
10. Click Save
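The select element only constrains what the browser offers; the value that arrives in the domain POST variable is still supplied by the client, so it is the branch rules, not the form, that decide which authentication path a session takes. As an added illustration (not from the original article), here are the two branch rule expressions for the Check Domain action, written so that each tolerates case and surrounding whitespace while still matching only the two configured values. Anything else matches neither rule and takes the fallback branch, which should lead to Deny.

```tcl
# Added example, not part of the original article.
# Branch rule "Contractor": trim and lower-case the user-supplied value
# before comparing it with the configured choice.
expr { [string tolower [string trim [mcget {session.logon.last.domain}]]] eq "contractor" }

# Branch rule "Employee": same normalisation, different expected value.
expr { [string tolower [string trim [mcget {session.logon.last.domain}]]] eq "employee" }

# An empty value, or any value that is not one of the two configured choices,
# matches neither expression and the session follows the fallback branch.
```

Each expression goes into its own branch rule (steps 5 to 9 above, repeated once for Employee). Both compare against session.logon.last.domain, which APM populates from the Post Variable Name domain configured on the logon page.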
Final VPE Configuration
With the Logon Page customized and the Check Domain decision box complete, you can now add multiple AD
Authentication actions (or any other authentication types) to your Visual Policy Editor. The image below provides an
example of a completed VPE.
End Results
The final result will provide a Domain drop down box on the APM logon page allowing users to select which domain they
belong to. Pretty easy!
In the next post we’ll add additional logic to select the correct domain without requiring the drop down box.
F5 Networks, Inc. | 401 Elliot Avenue West, Seattle, WA 98119 | 888-882-4447 | f5.com
©2016 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. CS04-00015 0113