For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Dec 14, 2016

In a multi-domain configuration, you MUST use the user's sAMAccountName as the SSO username source, and the user's real domain as the SSO domain name source. APM Kerberos SSO doesn't support referrals, so users in domain1 work because no referrals are needed there. So for example:

session.sso.token.last.username = expr { "bob" }    <--- sAMAccountName
session.logon.last.domain = expr { "DOMAIN1.DOMAIN.COM" }

Are you switching between SSO profiles in the VPE? You don't need to do that if the delegation account and web service are in the same domain.

You also don't need the SSO credential mapping agent in a Kerberos SSO. You just need to populate the above SSO input variables.