WEBSSO::select
Description
This command causes APM to use the specified SSO configuration object to
perform SSO for the HTTP request. The admin should make sure that the
selected SSO method works for the specified request (and is enabled on the
backend server the request is going to). The scope of this iRule command is
a single HTTP request, so the admin needs to execute it for each HTTP request.
Starting with BIG-IP APM v13.0.0, dynamically switching between SSO
profiles can alternatively be accomplished by using an SSO
Configuration Select item in a Per-Request Access Policy.
Examples
    when ACCESS_ACL_ALLOWED {
        set req_uri [HTTP::uri]
        # Only requests under /owa are candidates for SSO selection
        if { $req_uri starts_with "/owa" } {
            # Pick the SSO configuration that matches the logon page being requested
            if { $req_uri eq "/owa/auth/logon.aspx?url=https://mysite.com/owa/&reason=0" } {
                WEBSSO::select owa_form_base_sso
            } elseif { $req_uri eq "/owa/auth/logon.aspx?url=https://mysite.com/ecp/&reason=0" } {
                WEBSSO::select ecp_form_base_sso
            }
        }
        unset req_uri
    }
Bug
There is a bug related to this particular command. In the example above, the
syntax is "WEBSSO::select name". In many versions, this syntax does not work
for "Forms - Client Initiated" or "SAML" SSO objects. If you try to use that
syntax and directly reference the SSO object name, you will get an error from
the APM about not being able to find the object, even though you have
verified it exists. This bug has been verified to exist at least up to
version 11.5.3 HF2.
The workaround for this bug is to put your SSO name in a variable and
reference the variable, like this:
    when HTTP_REQUEST {
        # Hold the SSO object name in a variable instead of passing it literally
        set sso_obj my_forms_client_initiated_sso
        WEBSSO::select $sso_obj
        unset sso_obj
    }
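
The following is an added example, not code from the original page or from F5. It combines the per-request selection from the Examples section with the variable workaround from the Bug section, and matches on the decoded `url` query parameter instead of comparing the whole URI string, so parameter order or percent-encoding does not silently skip the selection. The SSO object names and the mysite.com host are reused from the page's example; the log messages are assumptions.

```tcl
when ACCESS_ACL_ALLOWED {
    # Added example. Only the OWA/ECP logon page needs an SSO selection here.
    if { [string tolower [HTTP::path]] eq "/owa/auth/logon.aspx" } {
        # Read the "url" parameter on its own, decoded and lower-cased,
        # rather than comparing the full URI including the query string.
        set target [string tolower [URI::decode [URI::query [HTTP::uri] url]]]
        set sso_obj ""
        # Pin scheme and host so a logon request whose url parameter points
        # at any other site never gets an SSO configuration selected.
        switch -glob -- $target {
            "https://mysite.com/owa/*" { set sso_obj owa_form_base_sso }
            "https://mysite.com/ecp/*" { set sso_obj ecp_form_base_sso }
        }
        if { $sso_obj ne "" } {
            # Variable indirection: the workaround described in the Bug section.
            WEBSSO::select $sso_obj
            log local0.info "WEBSSO::select $sso_obj for [HTTP::path]"
        } else {
            # Record unmatched logon requests so a missing mapping is visible.
            log local0.notice "No SSO configuration selected for logon url=$target"
        }
        unset target sso_obj
    }
}
```

Because the command is scoped to a single HTTP request, the rule runs the selection on every matching request rather than caching the choice per session.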