WEBSSO profile selection in LTM Policy

Problem this snippet solves:

Starting with version 11.4, HTTPClass is replaced by local traffic policies, which make it possible to replace complex iRules with an organized list of rules.

When we configure a long list of rules in one policy, there is always one iRule feature that is not available in policies. The first solution is to keep the iRule to manage all pool selection.

The problem is that many customers are migrating from Microsoft Forefront TMG to F5, and converting TMG rules to an iRule can be very difficult. In such migrations, customers share one IP for several URLs that each require a dedicated SSO (OWA with form-based authentication, IIS with NTLM, Tomcat with basic...)

Because the policy event REQUEST is executed before the iRule event HTTP_REQUEST, and the "tcl set-variable" action allows a variable to be defined, we can combine policies for human-readable rules with an iRule to execute iRule features.

The following code changes the WebSSO profile by assigning the SSO profile name to a dedicated variable.

How to use this snippet:

In the local traffic policy rule, add the action (the variable name and expression are case sensitive):

tcl set-variable name WebSSO expression [Name of SSO Profile]

In the virtual server, enable the following iRule:

Code :

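when HTTP_REQUEST {
    # WebSSO is only defined when a policy rule ran "tcl set-variable"
    if {([info exists "WebSSO"])} {
        # Select the SSO profile named by the policy
        WEBSSO::select $WebSSO
    }
}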

Tested this on version:

11.4
Updated Jun 06, 2023
Version 2.0
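
A more defensive variant of the iRule above, added here as an example and not part of the original snippet: it only selects SSO profiles on an allowlist, and it clears the variable after reading it so that a later keep-alive request matching no policy rule cannot reuse the previous request's SSO profile. It assumes the variable set by the policy persists for the client connection like any other iRule variable; the profile names and the static::websso_allowed list are hypothetical.

```tcl
when RULE_INIT {
    # Constructed allowlist: hypothetical SSO profile names. Replace with
    # the profiles this virtual server is permitted to use.
    set static::websso_allowed {
        sso_owa_forms
        sso_iis_ntlm
        sso_tomcat_basic
    }
}

when HTTP_REQUEST {
    if { [info exists WebSSO] } {
        # Copy, then clear. Assumption: the policy-set variable is connection
        # scoped, so without the unset a later request on the same connection
        # that matches no policy rule would inherit this value and have
        # credentials replayed to the wrong backend.
        set sso_profile $WebSSO
        unset WebSSO

        # A typo or an unexpected expression in a policy rule must not
        # select an arbitrary SSO configuration.
        if { [lsearch -exact $static::websso_allowed $sso_profile] < 0 } {
            log local0.warning "WebSSO: '$sso_profile' not in allowlist on [virtual name], no profile selected"
            return
        }

        # Log a failed selection instead of letting the Tcl error abort
        # the connection without a trace.
        if { [catch { WEBSSO::select $sso_profile } err] } {
            log local0.err "WebSSO: selecting '$sso_profile' failed on [virtual name]: $err"
        }
    }
}
```

The policy action is unchanged: each rule still sets WebSSO to the profile name, which must match an allowlist entry exactly, including case.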
  • Thank you for posting this! This seems to be a solution to a challenge we are having as well (setting APM SSO profile with policy logic).

     

    Is there a more elegant / updated (iRule-less) way to achieve this in 12.1?