Well I do not see why you are wanting this type in the protected configuration. Let me explain.
You create a variable labeled Test and the value is firepass. You can not put in a protected configuration session.bla == Test.....
Like the above poster:
session.ssl.cert.email == "%session.asv.myemail%"
session.ssl.cert.email == %session.asv.myemail%
session.user.username == "%session.avs.certuser%"
session.user.username == %session.avs.certuser%
You can not put in a protected configuration session.ssl.cert.email =="%session.asv.myemail%" Because that will and can be any value depending on the user or how you set it up. It has to be like this.
session.asv.myemail == "SPECIFIC VALUE ALWAYS GENERATED". How does firepass know to trust a changing variable? Firepass needs to be told to always look for instance number 1. The configuration will not work.
Protected configuarions must always meet a value criteria. You can not have it going and saying "any username + any domain name". It has to be equal to check for Mike + check for domain test.
This is like me putting a check for a computer name and putting a protected cofinguration on it. Three thousand laptops and desktops have a unique name, how do you expect it to protect against an ever changing value? A protected configuration will work if you designated the computer domain name must be in the test domain. That variable will not change.