Forum Discussion
APM OWA 2010 webful/webreadyl
Okay, so let's trace through this config.
- The user accesses the APM VIP and is presented with a logon form
- The supplied credentials are used to perform an LDAP auth
- If that's successful, you'll then need an LDAP query to get the user's membership info
- Assuming the LDAP query is successful, use a modified form of the above iRule to select a pool and SSO profile based on the returned membership information
You may actually want to tackle this in two parts:
- Create an access policy, assign an SSO profile, and statically assign the session variables needed for that SSO profile to work. This is simply to test the SSO profile. Assign this access policy to a VIP and statically assign the correct pool. Because you're statically assigning the session variables (i.e. username and password), you shouldn't see a logon form - just SSO directly into the application. Do this for each SSO so that you know they work.
- Now modify the above access policy:
  - Remove the static variable assignment
  - Add the logon form agent
  - Add the LDAP Auth agent
  - Add the LDAP Query agent
  - Add the SSO Credential Mapping agent (as required)
Now test this with the pool and SSO profile still assigned. If it works, open the APM Reports and investigate what you get back from the LDAP query, specifically looking at the "membership" information. For AD that's probably going to be the session.ldap.last.attr.memberOf variable. Now remove the pool and SSO profile, add the iRule to the VIP, and then modify the iRule to accommodate the LDAP membership session variable and what you expect the value to be. If the LDAP query matches one of the values in the iRule, it should select the correct pool and SSO profile dynamically.
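A sketch of the kind of iRule the final step describes, added here as an illustration; it is not part of the original post and is not the iRule the thread refers to. The group names, pool names and SSO profile paths are hypothetical placeholders, and the match uses the group's RDN with its trailing comma so that one group name cannot match as a prefix of another.

```tcl
# Added example: every group, pool and SSO profile name below is a hypothetical placeholder.
when ACCESS_ACL_ALLOWED {
    # Membership returned by the LDAP Query agent. AD distinguished names are
    # case-insensitive, so normalise before comparing.
    set member_of [string tolower [ACCESS::session data get "session.ldap.last.attr.memberOf"]]

    # Ordered routing table: group RDN, pool, SSO profile. First match wins.
    set routes {
        "cn=owa-group-a," pool_owa_a /Common/sso_owa_a
        "cn=owa-group-b," pool_owa_b /Common/sso_owa_b
    }

    set matched 0
    foreach {group_rdn pool_name sso_profile} $routes {
        # The trailing comma stops "cn=owa-group-a" from also matching
        # a different group such as "cn=owa-group-a-admins".
        if { $member_of contains $group_rdn } {
            pool $pool_name
            WEBSSO::select $sso_profile
            set matched 1
            break
        }
    }

    if { !$matched } {
        # Fail closed: a session with no expected group gets no pool and no SSO,
        # instead of falling through to whatever default the VIP might have.
        set user [ACCESS::session data get "session.logon.last.username"]
        log local0.warning "No pool/SSO mapping for user $user (memberOf did not match)"
        ACCESS::respond 403 content "Forbidden"
    }
}
```

Compare the strings in the routing table against the memberOf value shown in the APM Reports before relying on them, since the match is made on the text of that session variable.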