Using different SSO methods for different portal applications through APM

There's actually a couple of ways to do this:

1. The prescribed way is to add the SSO profile to the portal resource itself, and not to the access policy. I have issues with this one from time to time, so I tend to prefer the next option.

    

2. You can point the Application URI field of a portal resource configuration to another (internal) VIP and then apply the access policy and SSO profile there. This is a type of "VIP targeting", but is actually a bit cooler because:

    

   • The session variables created in the outer portal policy are available to all of the inner policies, and
   • It makes your outer portal policy a lot cleaner.

It also makes for a few more VIPs, but the internal VIPs can be in internal address space and on ports not allowed through your firewall. The only other significant caveat to this method is that you can't really do anything inside the individual internal access policies, so if you have multiple portal resources with their own SSO configs, and potentially different credential information, you need to create all of these session variables in the outer policy and reference them from the internal SSO profiles.

There are actually a few other ways to do this stuff as well, but the above options are probably the easiest.