Difference between SSO under access policy and SSO in VPE

Question

Is that mandatory to have SSO credential mapping via VPE whenever we have SSO created under access policy.i need to understand the relation between these 2 sso configurations&nbsp;&nbsp;

keesvandenbos · Accepted Answer

The SSO profile attached to a access policy has 2 or 3 variables, session.sso.token.last.username and session.sso.token.last.password (and others, depending on the SSO profile).

These are not created by default in the VPE. The SSO credential mapping agent maps a username variable (most of the times session.logon.last.username, depending on what you select in the agent) into session.sso.token.last.username.
You could do the same in a variable assign agent, F5 has created the SSO credential mapping to help engineers and to show in the VPE your mapping SSO credentials.

So it is not mandatory.

I hope I makes it a bit more clear.

Cheers,

Kees

keesvandenbos · Answer

Your welcome.I think it is best to have static variable values in the VPE. You could assign the username and password for session.sso.token.last.username and session.sso.token.last.password in a variable assign agent. Also setting the password to secure so it is not readable in logging.

keesvandenbos · Answer

Correct, you need to modify the VPE. Default is start-&gt; deny. Minimum is start -&gt; allow.You could use an SSO polixy/profile for this.

sv2022 · Answer

thanks for crystal clear answer..&nbsp;1 more question is that mandatory to have the VPE edited (not leaving to default) for all APM polcies ?.What if i directly assign the values in SSO profile instead of session.sso.token.last.username example uername :ABCD paswrd:efgh .do i need to configure VPE here (not leaving to default) as i already have the values.

sv2022 · Answer

ok ..is that mandatory to have VPE modified from its default setting.will the access policy work only when the VPE is configured correctly . i remember VPE default setting is start--&gt; deny.so if i create a access policy and leave the VPE untouched the policy will not work ?&nbsp;

Forum Discussion

Difference between SSO under access policy and SSO in VPE

5 Replies

Recent Discussions

Disk space full - what files, folders are safe to delete?

ASM instance creation

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

Related Content

Federated AWS Console Access Made Easy: F5 BIG-IP Access Policy Manager Access Guided Configurations

Copper SFP Differences

API Security: How to implement API Access Control with F5

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

F5 BIG-IP Access Policy Manager (APM) Machine Tunnels for Windows