Enabling SSO on Aperture requires information from your IDP. The following section provides details on how to add Aperture as an Application on your IDP and then use information from your IDP to configure SSO on Aperture. Okta is used as the IDP.
Issue: In a topology with two Virtual Routers, VR1 and VR2, sharing a subnet, VR1 has a public interface on Ethernet 1/1 (22.214.171.124/24) and VR2 has a public interface on Ethernet 1/2 (126.96.36.199/24). Both use the same ISP Gateway, 188.8.131.52/24. Users need to access a server on a public IP 100.100.100.100, which resides in a DMZ interface connected to VR2. The private IP of the server is 10.10.10.10. Sessions are seen as "incomplete" because Ethernet 1/1 is responding to the ARP requests for 100.100.100.100.

Resolution: NAT rules are defined based on the zone configured. If the untrust zone is shared between two different Virtual Routers, either of them will respond to the ARP request for 100.100.100.100. In this case, only VR2 should respond to the ARP request. Do not use the same Untrust Zone for both of the public interfaces residing on different Virtual Routers. Create a new Untrust Zone, for example "Untrust-VR2", and add the public interface of VR2 to that zone.

Configure a Bi-Directional NAT:

Source Zone: DMZ
Destination Zone: Untrust-VR2
Source Address: 10.10.10.10
Destination Address: Any
Destination Interface: Ethernet 1/2
Source Translation: Static IP "100.100.100.100"
Bi-Directional: Yes

Create the security policy accordingly. Based on this configuration, only VR2 will respond to the ARP request.

Owner: kalavi
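
The zone check described in the resolution above, as an added example that is not part of the original article: it flags bi-directional static NAT rules whose destination zone spans more than one Virtual Router, comparing the shared "Untrust" layout with the "Untrust-VR2" layout. The inventory format, the rule name "srv-static" and the DMZ interface name "Ethernet 1/3" are assumptions made for the example; this is not PAN-OS configuration syntax.

```python
from collections import defaultdict

# Constructed inventory: interface -> (zone, virtual router).
# "Ethernet 1/3" as the DMZ interface is an assumption; the article does not name it.
BEFORE = {
    "Ethernet 1/1": ("Untrust", "VR1"),
    "Ethernet 1/2": ("Untrust", "VR2"),
    "Ethernet 1/3": ("DMZ", "VR2"),
}
# Corrected layout from the article: VR2's public interface gets its own zone.
AFTER = dict(BEFORE)
AFTER["Ethernet 1/2"] = ("Untrust-VR2", "VR2")

# Constructed NAT rules; "srv-static" is a hypothetical rule name.
NAT_BEFORE = [{"name": "srv-static", "src_zone": "DMZ", "dst_zone": "Untrust",
               "translated": "100.100.100.100", "bidirectional": True}]
NAT_AFTER = [dict(NAT_BEFORE[0], dst_zone="Untrust-VR2")]


def zones_spanning_vrs(interfaces):
    """Return {zone: sorted VR names} for zones with interfaces on more than one VR."""
    vrs = defaultdict(set)
    for zone, vr in interfaces.values():
        vrs[zone].add(vr)
    return {zone: sorted(names) for zone, names in vrs.items() if len(names) > 1}


def findings(interfaces, nat_rules):
    """List (rule, translated IP, interfaces) where ARP for the translated
    address could be answered from more than one Virtual Router."""
    shared = zones_spanning_vrs(interfaces)
    result = []
    for rule in nat_rules:
        if not rule["bidirectional"] or rule["dst_zone"] not in shared:
            continue
        # Per the article, any interface in the rule's zone may answer the ARP.
        responders = sorted(ifc for ifc, (zone, _vr) in interfaces.items()
                            if zone == rule["dst_zone"])
        result.append((rule["name"], rule["translated"], responders))
    return result


if __name__ == "__main__":
    print("shared zone layout:  ", findings(BEFORE, NAT_BEFORE))
    print("dedicated zone layout:", findings(AFTER, NAT_AFTER))
```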