Applying client-initiated form-based SSO actions to multiple Portal Access resources in APM 11.6
I am using BIG-IP APM 11.6.0.
I have a full web-top that is assigned to users via an APM Access Policy.
Remote users are assigned different, multiple, Portal Access resources depending on LDAP group membership.
These Portal Access objects point to internal web-based applications which are configured for full patching, allowing BIG-IP APM to intermediate requests to these services.
I am struggling to understand the object level to which I need to apply client-initiated form-based SSO configuration such that when a user follows a web-top link to such a resource, SSO session username & password details are posted to the various, different login forms.
SSO profiles can be applied at Access Policy level and also at Portal Access list level, if a resource item is created.
I have followed the documentation in:
... and I have also read most of the posts here on DevCentral that are in any way relevant.
e.g.
https://devcentral.f5.com/questions/sso-in-https-portal-access-resource-items
https://devcentral.f5.com/questions/using-different-sso-methods-for-different-portal-applications-through-apm
I have tried adding SSO profiles to Portal resource items and to the Access Policy as well as combinations of one or the other. As far as I understand it, the SSO profiles determine whether the HTTP streams are monitored by the SSO agent and what determines a matching URI pattern required to trigger the form-based authentication.
I did manage to get SSO matches to work once for a single resource, and by tailing the live APM logs I was able to see that the SSO agent was initialised and monitor match successes, but after editing profiles and playing around with assignment combinations this no longer works and I have not been able to reproduce this setup.
I don't think I have overlooked a conclusive answer here on DevCentral but I apologise if I have.
It would really help to have a simple high-level example of where the SSO profiles need to be assigned in 11.6.0 for such a scenario, as the documentation is lacking in that area but implies that it is possible without the need for custom iRules.
All help/advice welcome.