SSL Termination issue

Assuming the UniPass is a typical X.509-based client certificate, it gets handed to the server side (the BIG-IP in this case) during the SSL handshake. Neither that certificate information, nor the certificate itself, is forwarded on to the backend servers. Option 1 in my previous post talked about using a different authentication scheme on the server side. For example, with client side client cert (PKI), APM can do Kerberos on the server side. I'm guessing the client doesn't also present a username and password in this transaction, so you couldn't do something like HTTP Basic or NTLM on the server side (which require a password). You could also simply configure the application to consume an HTTP header sent from the BIG-IP, a header that might contain information from the client certificate.