Forum Discussion

Nimbostratus

Jun 18, 2014

SSO failure should cause reject

hi out there I have a simple problem (probably) - defined a kerberos based sso where - if the sso fails - also connects the user to the webserver where i expected it to reject the client instead...

BIG-IP Access Policy Manager (APM)

design

security

kunjan

Nimbostratus

Jun 19, 2014

The result is flagged in this session variable:

session.logon.last.username.sso.state- This is set to 1 internally when Kerberos SSO fails. When this variable is set, all subsequent requests are passed to the application server without applying SSO for the remainder of the user session. The variable name is constructed by appending .sso.state to the name specified in Username Source.

http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/24.html

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)