Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

f5learn_164388's avatar
f5learn_164388
Icon for Nimbostratus rankNimbostratus
Jul 27, 2014

Accessing SSO Credentials on a webtop link

Here is my setup in VPE Start->Logon Page->SSO Credential Mapping->Webtop and Links Assign ->Allow   In the SSO Credential Mapping I have the Variable Assign to get the username and token from log...
BIG-IP Access Policy Manager (APM)
security
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Jul 27, 2014

Possibly a few misconceptions:

  1. A webtop link is going to generate an actual 302 redirect to the assigned URL. In a redirect, you can send HTTP headers to the client, but the client won't send them to the destination URL. The only appropriate way to send HTTP headers to an application is if proxied by the BIG-IP.

  2. The SSO credential mapping agent has basically two functions: a) to decrypt the password stored in the secure vault, and b) to generate the session variables used by the various SSO profiles. If you want to pass HTTP Basic, NTLM, or Form authentication data to an internal application, you should probably use the SSO methods. If you want to simply send the user/pass as HTTP headers, you can either use an iRule, or apply an SSO profile and apply the variables to the Header section. The iRule would look something like this:

    when ACCESS_ACL_ALLOWED {
    HTTP::header replace USER [ACCESS::session data get session.sso.token.last.username]
    HTTP::header replace PASS [ACCESS::session data get session.sso.token.last.password]
}