Forum Discussion

bfrancom_123272
May 28, 2014

Inject client Authorization Header Into APM sso variables

Hi, I am trying to get the authorization header from a client request and inject the credentials into the APM SSO variables. (The client is a web server). I am pretty new to APM and its internals. I thought an iRule something like this would work:

    when HTTP_REQUEST {
        ACCESS::session data set "session.logon.last.username" [HTTP::username]
        ACCESS::session data set "session.logon.last.password" [HTTP::password]
    }

But I see no username in the APM session report where I would expect to see one.

Here is the policy:

And the SSO piece of the policy where I think it should grab the injected session variables from:

The response back to the client is:

BIG-IP logout page "....Access was denied by the access policy.."

APM Session Report:

2014-05-28 08:34:11
Received User-Agent header: Mozilla%2f5.0%20(X11%3b%20Linux%20x86_64)%20AppleWebKit%2f537.36%20(KHTML%2c%20like%20Gecko)%20Chrome%2f35.0.1916.114%20Safari%2f537.36.

2014-05-28 08:34:11
Received client info - Type: Mozilla Version: 1 Platform: Linux CPU: unknown UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 1

2014-05-28 08:34:11
New session from client IP 10.x.x.x (ST=/CC=/C=) at VIP 10.x.x.x Listener /Common/vs_xxx-dev.xxx.org_HTTPS (Reputation=Unknown)

2014-05-28 08:34:11
Following rule 'fallback' from item 'AD Auth' to terminalout 'Failure'

2014-05-28 08:34:11
Following rule 'Failure' from item 'AD auth and resources' to ending 'Deny'

2014-05-28 08:34:11
Access policy result: Logon_Deny

2014-05-28 08:34:15
\N: Session deleted due to user logout request.

I would expect to see the username injected and logged even before the AD failure.

6 Replies

  • kunjan

    This iRule won't be triggered until the APM policy is completed. Instead you can use 'Variable Assign' in the VPE before AD auth for those variables, username and password.

     

    • bfrancom_123272
      Thank you for the quick response. So you can pull the credentials from the client request authorization header in Variable Assign? If so, how? It's not liking my header parsing commands, e.g.:

          session.logon.last.username = set username [HTTP::username] return $username

      The error is:

          Rule evaluation failed with error: invalid command name "HTTP::username"

      Thanks!
  • Wow. Having a very difficult time editing/reformatting my question. Sorry about this, I've contacted F5.
  • I got it to work with help from our internal F5 engineer! Thanks Mike! Just change the event in the iRule to "ACCESS_SESSION_STARTED", and needed to trim the string, e.g.:

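    when ACCESS_SESSION_STARTED {
        # Copy the Basic auth credentials from the client request into the
        # session variables that AD Auth reads, trimming surrounding whitespace.
        ACCESS::session data set "session.logon.last.username" [string trim [HTTP::username]]
        ACCESS::session data set "session.logon.last.password" [string trim [HTTP::password]]
    }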
    

    Also did not require the 1st SSO credential mapping in the VPE. AD takes the parameters from the iRule above without anything in betwixt.
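
A more defensive variant of the working iRule above, as an added example that is not from the thread or from F5: it only seeds the logon variables when the request actually carries Basic credentials, stores the password as a secure session variable, and never logs it. Assumptions: the variable name `session.custom.basic_auth_present` is hypothetical, and the `-secure` option of `ACCESS::session data set` is assumed to be available on the BIG-IP version in use and readable by the AD Auth item.

```tcl
when ACCESS_SESSION_STARTED {
    # Inspect the scheme first: HTTP::username / HTTP::password are only
    # meaningful for "Authorization: Basic ..." requests.
    set authz [HTTP::header value "Authorization"]

    if { ![string match -nocase "basic *" $authz] } {
        # Hypothetical marker so the access policy can branch to a logon
        # page or a Deny ending instead of running AD Auth with no input.
        ACCESS::session data set "session.custom.basic_auth_present" 0
        return
    }

    # Trim as in the thread's fix (the poster found this was needed).
    set user [string trim [HTTP::username]]
    set pass [string trim [HTTP::password]]

    if { $user eq "" || $pass eq "" } {
        ACCESS::session data set "session.custom.basic_auth_present" 0
        # Log the condition only; never write the credentials to the log.
        log local0.notice "APM: Basic Authorization header present but credentials empty"
        return
    }

    ACCESS::session data set "session.custom.basic_auth_present" 1
    ACCESS::session data set "session.logon.last.username" $user

    # Assumption: -secure keeps the value encrypted in the session store,
    # so the password does not appear in clear text in session variable views.
    ACCESS::session data set -secure "session.logon.last.password" $pass

    # Drop the local copies as soon as they have been stored.
    unset user pass authz
}
```

Basic credentials are only base64-encoded, so this belongs on an HTTPS virtual server such as the one in the session report above.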