Forum Discussion

jtlampe
Dec 02, 2020

SSO credential mapping with Symantec

We are trying to build an APM policy that uses Symantec push authentication. I need to still be able to do SSO credential mapping to the backend application. However, Symantec appending a set of characters to the end of the user's password before it is set as the session.logon.last.password variable is breaking any SSO credential mapping we can do without having two separate login pages. Is there an iRule that I can write that would take the user's password and remove the added characters and make a new variable that I call in the mappings?

2 Replies

  • We found the solution. We had to work inside the policy to assign session variables and remove the additional code that Symantec was adding to the password. This allowed us to take the full password (with Symantec code) and send it to RADIUS as a named variable, and have the last.password be the actual user's password to check it against AD, since you cannot name the variable to be used for AD auth.

  • The String Range can help you accomplish what you're looking for. Sample below!

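    when RULE_INIT {
        # Sample input: the user's password followed by a 6-character code
        set user_password "password123456"
        log local0. "User Input Password: $user_password"
        # Drop the last 6 characters, keeping everything before the code
        set clean_password [string range $user_password 0 end-6]
        log local0. "Cleaned Password: $clean_password"
    }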

    Dec 7 08:30:04 bigip info tmm5[31075]: Rule /Common/password_length_rule <RULE_INIT>: User Input Password: password123456

    Dec 7 08:30:04 bigip info tmm5[31075]: Rule /Common/password_length_rule <RULE_INIT>: Cleaned Password: password
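An added sketch (not code from either poster or from F5) of the split the first reply describes, in plain Tcl: it separates the password from a trailing code and leaves the input untouched when no code is present, which a bare `string range ... end-6` does not. The proc name and the 6-digit code length are assumptions; the thread does not state the real length.

```tcl
# Added example: plain Tcl, runnable in tclsh (8.4-compatible idioms only).
# CODE_LEN = 6 is an assumption taken from the reply's sample.
set CODE_LEN 6

# Hypothetical helper: split a combined logon string into {password code}.
# Returns {input ""} when no trailing numeric code is found, so a logon
# without an appended code is not silently truncated.
# Limitation: a password that itself ends in code_len digits, submitted
# without a code, cannot be told apart from password+code.
proc split_password_code {combined code_len} {
    set total [string length $combined]
    # Need at least one password character in front of the code.
    if {$total <= $code_len} {
        return [list $combined ""]
    }
    set code [string range $combined end-[expr {$code_len - 1}] end]
    # Only strip when the suffix is exactly code_len ASCII digits.
    if {![regexp "^\[0-9\]{$code_len}\$" $code]} {
        return [list $combined ""]
    }
    return [list [string range $combined 0 end-$code_len] $code]
}

# Constructed sample inputs (not real credentials).
foreach sample {password123456 password short1 123456 pass12345x} {
    foreach {pw code} [split_password_code $sample $CODE_LEN] break
    # Report lengths only; never write the password or code to a log.
    puts [format "in=%2d pw=%2d code=%d" [string length $sample] \
        [string length $pw] [string length $code]]
}
```

In the policy described in the first reply, the unsplit value would go to the named RADIUS variable and the password part to session.logon.last.password.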