F5 APM: Single Sign-On and Multi-Domain Support
About multi-domain support for SSO
Access Policy Manager (APM) provides a method to enable users to use a single login or session across multiple virtual servers in separate domains. Users can access back-end applications through multiple domains or through multiple hosts within a single domain, eliminating additional credential requests when they go through those multiple domains. With multi-domain support, you have the option of applying different SSO methods across different domains.
To enable multi-domain support, all virtual servers must be on a single BIG-IP system and share the same access profile. All virtual servers must include all of the profiles that the access profile requires (for example, VDI, rewrite, server SSL, connectivity, and so on).
APM provides the following benefits when using multi-domain support with SSO.
Users can sign out from all domains at once.
Users can move from one domain to another seamlessly. This eliminates the need to re-run the access policy, and maintains the established session for the user.
Administrators can configure different cookie settings (Secure, Host/Domain, and Persistent) for different domains, and for different hosts within the same domain.
Administrators can set up multiple SSO configurations for users signing in to multiple back-end applications within a single APM session.
How does multi-domain support work for SSO?
Setting up multi-domain support for SSO requires the following elements.
One BIG-IP system.
One or more virtual servers.
One access profile/policy that specifies the set of participating domains; that profile is associated with each of the virtual servers participating in the domain group.
All virtual servers in this configuration must include all profiles that the access profile/policy requires (for example, VDI, rewrite, server SSL, connectivity, and so on).
In some situations, iRules can be used to disable unneeded profiles.
An SSO configuration that is associated with each of the domains. Additionally, a designated URL that specifies the primary authentication service is included in the access profile.
The host name in that URL is a virtual server that provides an access policy to retrieve the credentials from the user. If an unauthenticated user reaches any domain specified in the domain group, the user is first redirected to the primary authentication service so that credentials are collected and a session is established.
If the access profile/policy includes a webtop, the Primary Authentication URI in the SSO configuration must specify the portal FQDN.
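The flow above, modelled as an added example (not F5 code, and not how APM is implemented internally): one session store shared by every host in the domain group, a redirect to the primary authentication service for unauthenticated requests, per-host cookie settings (Secure, Host/Domain scope, Persistent) and single sign-out. The cookie name "apm_session", the hosts and the user name are constructed.

```python
import secrets
from dataclasses import dataclass, field
from urllib.parse import quote

SESSION_COOKIE = "apm_session"   # constructed cookie name, not taken from the page

@dataclass
class CookieSettings:
    """Per-domain cookie options named in the text: Secure, Host/Domain scope, Persistent."""
    secure: bool = True
    host_only: bool = True     # True: host cookie; False: domain-wide cookie
    persistent: bool = False   # False: session cookie; True: survives browser restart

@dataclass
class DomainGroup:
    """Model of one access profile shared by all virtual servers in the domain group."""
    primary_auth_uri: str      # URL of the virtual server that collects credentials
    domains: dict              # participating host -> CookieSettings
    sessions: dict = field(default_factory=dict)   # one session store for every host

    def establish_session(self, user: str) -> str:
        """Called once the primary authentication service has run the access policy."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def set_cookie(self, host: str, sid: str) -> str:
        """Build the Set-Cookie header from that host's own settings."""
        s = self.domains[host]
        parts = [f"{SESSION_COOKIE}={sid}", "Path=/"]
        if s.secure:
            parts.append("Secure")
        if not s.host_only:    # domain cookie is shared by hosts within the same domain
            parts.append("Domain=" + (host.partition(".")[2] or host))
        if s.persistent:
            parts.append("Max-Age=86400")   # one day; a session cookie has no Max-Age
        return "; ".join(parts)

    def handle_request(self, host: str, path: str, cookies: dict) -> tuple:
        """Return ('allow', user, set_cookie), ('redirect', location) or ('deny', reason)."""
        if host not in self.domains:
            return ("deny", "host is not in the domain group")
        user = self.sessions.get(cookies.get(SESSION_COOKIE, ""))
        if user is None:   # unauthenticated: send the user to the primary authentication service
            return ("redirect", f"{self.primary_auth_uri}/?orig={quote('https://' + host + path)}")
        return ("allow", user, self.set_cookie(host, cookies[SESSION_COOKIE]))   # policy not re-run

    def logout(self, sid: str) -> None:
        """Single sign-out: dropping the shared session signs the user out of every domain."""
        self.sessions.pop(sid, None)
```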