Bug ID 583477: In Multidomain SSO, primary auth virtual may fail as a resource

Last Modified: Oct 06, 2020

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9

Opened: Mar 28, 2016
Severity: 3-Major

Symptoms

Multidomain SSO use case with two virtuals: vs1 and vs2. Both virtuals are configured as APM+LTM pools. vs1 is designed as the primary auth virtual. The expected result is that users can access resources on both virtuals; if they have not yet authenticated, they are redirected to vs1 to authenticate. The reported result was that sometimes an already authenticated user would be able to access the resources on vs2, but their cookie would be rejected by vs1, and they would be asked to authenticate again.

Impact

Users may be asked to re-authenticate, even though they just did so.

Conditions

It is not known what conditions cause this to occur.

Workaround

Use an independent auth virtual that is not also a resource.

Fix Information

None

Behavior Change