Forum Discussion

Nimbostratus

Jul 27, 2014

Accessing SSO Credentials on a webtop link

Here is my setup in VPE Start->Logon Page->SSO Credential Mapping->Webtop and Links Assign ->Allow In the SSO Credential Mapping I have the Variable Assign to get the username and token from log...

BIG-IP Access Policy Manager (APM)

security

Kevin_Stewart

Employee

Jul 28, 2014

Possibly a few misconceptions:

A webtop link is going to generate an actual 302 redirect to the assigned URL. In a redirect, you can send HTTP headers to the client, but the client won't send them to the destination URL. The only appropriate way to send HTTP headers to an application is if proxied by the BIG-IP.
The SSO credential mapping agent has basically two functions: a) to decrypt the password stored in the secure vault, and b) to generate the session variables used by the various SSO profiles. If you want to pass HTTP Basic, NTLM, or Form authentication data to an internal application, you should probably use the SSO methods. If you want to simply send the user/pass as HTTP headers, you can either use an iRule, or apply an SSO profile and apply the variables to the Header section. The iRule would look something like this:
```
when ACCESS_ACL_ALLOWED {
    HTTP::header replace USER [ACCESS::session data get session.sso.token.last.username]
    HTTP::header replace PASS [ACCESS::session data get session.sso.token.last.password]
}
```

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)