Forum Discussion

SV2022

Cirrus

Feb 10, 2024

Difference between SSO under access policy and SSO in VPE

Is that mandatory to have SSO credential mapping via VPE whenever we have SSO created under access policy. i need to understand the relation between these 2 sso configurations

apm sso

KeesvandenBos
Feb 12, 2024
The SSO profile attached to a access policy has 2 or 3 variables, session.sso.token.last.username and session.sso.token.last.password (and others, depending on the SSO profile).

These are not created by default in the VPE. The SSO credential mapping agent maps a username variable (most of the times session.logon.last.username, depending on what you select in the agent) into session.sso.token.last.username.
You could do the same in a variable assign agent, F5 has created the SSO credential mapping to help engineers and to show in the VPE your mapping SSO credentials.

So it is not mandatory.

I hope I makes it a bit more clear.

Cheers,

Kees

KeesvandenBos

MVP

The SSO profile attached to a access policy has 2 or 3 variables, session.sso.token.last.username and session.sso.token.last.password (and others, depending on the SSO profile).

These are not created by default in the VPE. The SSO credential mapping agent maps a username variable (most of the times session.logon.last.username, depending on what you select in the agent) into session.sso.token.last.username.
You could do the same in a variable assign agent, F5 has created the SSO credential mapping to help engineers and to show in the VPE your mapping SSO credentials.

So it is not mandatory.

I hope I makes it a bit more clear.

Cheers,

Kees

SV2022

Cirrus

Feb 12, 2024

thanks for crystal clear answer..

1 more question is that mandatory to have the VPE edited (not leaving to default) for all APM polcies ?.What if i directly assign the values in SSO profile instead of session.sso.token.last.username example uername :ABCD paswrd:efgh .do i need to configure VPE here (not leaving to default) as i already have the values.

KeesvandenBos
MVP
Feb 12, 2024
Your welcome.

I think it is best to have static variable values in the VPE. You could assign the username and password for session.sso.token.last.username and session.sso.token.last.password in a variable assign agent. Also setting the password to secure so it is not readable in logging.
- SV2022
  Cirrus
  Feb 12, 2024
  ok ..is that mandatory to have VPE modified from its default setting.
  will the access policy work only when the VPE is configured correctly . i remember VPE default setting is start--> deny.
  so if i create a access policy and leave the VPE untouched the policy will not work ?

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

Difference between SSO under access policy and SSO in VPE

Recent Discussions

loose login access when license expires

पेटीएम कस्टमर केयर नंबर

मैं शिकायत के लिए मीशो से कैसे संपर्क करूं?

Implementing Multi-Step Authentication with Separate Brute-Force Protections

IMAP-S External Health monitor

Related Content

Federated AWS Console Access Made Easy: F5 BIG-IP Access Policy Manager Access Guided Configurations

Access Troubleshooting: BIG-IP APM OIDC integration

Copper SFP Differences

Overview of API Access Control and implementing API key access control with BIG-IP APM

OWASP Tactical Access Defense Series: Unrestricted Resource Consumption

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS