This command causes APM to use specified SSO configuration object to do SSO for the HTTP request. Admin should make sure that the selected SSO method works for the specified request (and is enabled on backend server request is going to). The scope of this iRule command is per HTTP request. Admin needs to execute it for each HTTP request.
Starting with BIG-IP APM v13.0.0, dynamically switching between SSO profiles can alternatively be accomplished by using a SSO Configuration Select item in a Per-Request Access Policy.


WEBSSO::select $sso_config_object_name


    set req_uri [HTTP::uri]
    if { $req_uri starts_with "/owa" } {
        if { $req_uri eq "/owa/auth/logon.aspx?url=https://mysite.com/owa/&reason=0" } {
            WEBSSO::select owa_form_base_sso
        } elseif { $req_uri eq "/owa/auth/logon.aspx?url=https://mysite.com/ecp/&reason=0" } {
            WEBSSO::select ecp_form_base_sso
    unset req_uri


There is a bug related to this particular command. In the example above, the syntax is “

WEBSSO::select name
“. In many versions, this syntax does not work for “Forms - Client Initiated” or “SAML” SSO objects. If you try to use that syntax and directly reference the SSO object name, you will get an error from the APM about not being able to find the object, even though you have verified it exists. This bug has been verified to exist at least up to version 11.5.3 HF2.
The workaround to this bug is to put your SSO name in a variable and reference the variable, like this:
     set sso_obj my_forms_client_initiated_sso

     WEBSSO::select $sso_obj

     unset sso_obj