Forum Discussion
Difference between SSO under access policy and SSO in VPE
Is it mandatory to have SSO credential mapping via the VPE whenever we have SSO created under an access policy?
I need to understand the relation between these 2 SSO configurations.
The SSO profile attached to an access policy has 2 or 3 variables, session.sso.token.last.username and session.sso.token.last.password (and others, depending on the SSO profile).
These are not created by default in the VPE. The SSO credential mapping agent maps a username variable (most of the time session.logon.last.username, depending on what you select in the agent) into session.sso.token.last.username.
You could do the same in a variable assign agent; F5 has created the SSO credential mapping to help engineers and to show in the VPE that you're mapping SSO credentials.
So it is not mandatory.
I hope this makes it a bit more clear.
Cheers,
Kees
5 Replies
Correct, you need to modify the VPE. Default is start -> deny. Minimum is start -> allow.
You could use an SSO policy/profile for this.
SV2022
Thanks for the crystal clear answer.
One more question: is it mandatory to have the VPE edited (not left at the default) for all APM policies? What if I directly assign the values in the SSO profile instead of session.sso.token.last.username, for example username: ABCD, password: efgh? Do I need to configure the VPE here (not leaving it at the default), as I already have the values?
You're welcome.
I think it is best to have static variable values in the VPE. You could assign the username and password for session.sso.token.last.username and session.sso.token.last.password in a variable assign agent. Also set the password to secure so it is not readable in logging.
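The two approaches discussed in this thread, written as Variable Assign entries (an added example, not part of the original posts). It assumes the default logon variables session.logon.last.username and session.logon.last.password, shows each entry as "custom variable = custom expression", and reuses the question's sample values ABCD and efgh for the static case.

```tcl
# --- Variant 1: map the logon credentials into the SSO token variables ---
# This is what the SSO Credential Mapping agent does with its default selections.
session.sso.token.last.username = expr { [mcget {session.logon.last.username}] }

# Tick "Secure" on this custom variable so the value is not readable in logging.
# The logon password is itself a secure variable, so it must be read with -secure;
# a plain mcget returns an empty value for it.
session.sso.token.last.password = expr { [mcget -secure {session.logon.last.password}] }

# --- Variant 2: static credentials, as suggested in the last reply ---
# ABCD / efgh are the sample values from the question, not real credentials.
session.sso.token.last.username = expr { "ABCD" }

# Tick "Secure" here as well.
session.sso.token.last.password = expr { "efgh" }
```

In either variant the VPE still has to end in an allow branch after the Variable Assign item, since the default policy is start -> deny.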
