Forum Discussion
Set your Access Profile to debug (v12) or Access to debug (v11) and look for "websso" in /var/log/apm. All of the logs are there.
WEBSSO::select needs the WEBSSO object name to work, these are usually something like '/Common/myssoconfig'. Client initiated SSO is kind of complicated to troubleshoot. APM Forms Client initiated SSO (aka SSOv2 aka form-basedv2) has two conditions to operate successfully in a default configuration:
-
"Form Detection": The client's request-URI must match the one configured In logging, this is called "Request match". In the GUI, this is called "Form Detection". In TMSH, this is called "request-value".
-
"Form Identification": The HTML of the page must match the input values configured In logging, this is called "Form detected". In the GUI, this is called "Form Identification".
Some forms don't work right with Client-Initiated SSO's default injected javascript. The two most common cases are when clientside encryption functions are called so that the POST data is not sent plainly, and also when some kind of onSubmit function is called when the form is submitted, or when the Submit button has an "onclick" event. In these cases, the so the JS must be modified to suit the particular page.
So before you worry about selecting the SSO with this irule (don't try to troubleshoot two things at once!), verify that the config works at all by setting it as the default WEBSSO type for your access profile.
- Rosieodonell_16Oct 22, 2015CirrusI have tested both sso profiles and they work fine. So now I just need to use the right one when needed. Is there a way to call the websso function from an ievent in the access policy vpe?