Forum Discussion
Kevin_Stewart
Oct 09, 2018Employee
Don't use an SSO Credential Mapping agent for Kerberos SSO. You don't need it. The SSO profile has two session variable inputs, session.sso.token.last.username, and session.logon.last.domain. You simply need to make sure these session variables are populated before the end of the policy, and the domain variable is usually statically set.
session.logon.last.domain = expr { "INTERNAL.COM" }
And your username variable can either be the sAMAccountName (preferred) or UPN.
session.sso.token.last.username = expr { "bob" }
In fact you can isolate SSO for testing by simply assigning these values statically in the VPE.