APM SSO method explainer
The eight SSO methods APM's own chapter defines, each card carrying the verdict that decides outages: a misconfigured SSO object for any non-form method can disable SSO for every method in that user's session; Form Based and Forms - Client Initiated are the only exempt ones. Kerberos ships its full prerequisite list, including the line worth framing: APM Kerberos SSO does not need or use a keytab file.
Identity & tokensRuns locally in your browser. Nothing you type leaves this page.
API endpointGEThttps://ronutz.com/api/v1/f5-apm-sso-explainerDocumented, not served. Opens the specification.
References
- BIG-IP APM: Authentication and Single Sign-On 14.0 - Single Sign-On Methods (the eight-method list; the isolation paragraph: a misconfigured object for Basic/NTLMv1/NTLMv2/Kerberos/OAuth Bearer/SAML can disable SSO for all methods in the session, the two form methods exempt; HTTP Basic's base64 header; the 225-character name bound)
- BIG-IP APM 12.1 - Single Sign-On Methods (the NTLMv2 quirk verbatim: more than one WWW-Authenticate: NTLM header in a 401 makes NTLMv2 SSO fail, expected behavior)
- BIG-IP APM 15.1 - Kerberos Single Sign-On Method (delegation account per server realm, SPN-format Account Name, uppercase realm, the no-keytab line verbatim, password-less front-door pairing; 17.1 adds the multi-realm RBCD guidance)
- BIG-IP APM Single Sign-On Configuration Guide (the Forms - Client Initiated flow: logon-page detection, inserted JavaScript, and the password parameter assigned a password token rather than the actual user password; NTLM Domain defaulting to session.logon.last.domain)