Forum Discussion

SV2022

Cirrus

Feb 10, 2024

Difference between SSO under access policy and SSO in VPE

Is that mandatory to have SSO credential mapping via VPE whenever we have SSO created under access policy. i need to understand the relation between these 2 sso configurations

apm sso

KeesvandenBos
Feb 12, 2024
The SSO profile attached to a access policy has 2 or 3 variables, session.sso.token.last.username and session.sso.token.last.password (and others, depending on the SSO profile).

These are not created by default in the VPE. The SSO credential mapping agent maps a username variable (most of the times session.logon.last.username, depending on what you select in the agent) into session.sso.token.last.username.
You could do the same in a variable assign agent, F5 has created the SSO credential mapping to help engineers and to show in the VPE your mapping SSO credentials.

So it is not mandatory.

I hope I makes it a bit more clear.

Cheers,

Kees

KeesvandenBos

MVP

The SSO profile attached to a access policy has 2 or 3 variables, session.sso.token.last.username and session.sso.token.last.password (and others, depending on the SSO profile).

These are not created by default in the VPE. The SSO credential mapping agent maps a username variable (most of the times session.logon.last.username, depending on what you select in the agent) into session.sso.token.last.username.
You could do the same in a variable assign agent, F5 has created the SSO credential mapping to help engineers and to show in the VPE your mapping SSO credentials.

So it is not mandatory.

I hope I makes it a bit more clear.

Cheers,

Kees

SV2022

Cirrus

Feb 12, 2024

thanks for crystal clear answer..

1 more question is that mandatory to have the VPE edited (not leaving to default) for all APM polcies ?.What if i directly assign the values in SSO profile instead of session.sso.token.last.username example uername :ABCD paswrd:efgh .do i need to configure VPE here (not leaving to default) as i already have the values.

KeesvandenBos
MVP
Feb 12, 2024
Your welcome.

I think it is best to have static variable values in the VPE. You could assign the username and password for session.sso.token.last.username and session.sso.token.last.password in a variable assign agent. Also setting the password to secure so it is not readable in logging.
- SV2022
  Cirrus
  Feb 12, 2024
  ok ..is that mandatory to have VPE modified from its default setting.
  will the access policy work only when the VPE is configured correctly . i remember VPE default setting is start--> deny.
  so if i create a access policy and leave the VPE untouched the policy will not work ?

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

Difference between SSO under access policy and SSO in VPE

Recent Discussions

SSL bridging without SSL proxy forward

Client SSL Profile set to Require Client Certificate breaks RDP in APM

TS Declarations for DNS

APM file and registry key date check 8 days old

Should config via cli rather than gui?

Related Content

Copper SFP Differences

F5's Access Policy Manager the Access Proxy for Zero Trust Architectures

Unable to access GUI

Different ways Financial Services Institutions can deploy NGINX in Azure

Different policies same destination and pool

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS