We have implemented nfactor authentication on the ADC (LDAP as the First Factor and then Radius as the Second Factor) and we are running into issues with Single Sign On.

There are 2 ways of making sure that the ADC uses LDAP credentials to accomplish the SSO:

• Navigate to the Login Schema to which the LDAP authentication policy is bound.
• Edit the Login Schema Profile bound to this Login Schema.
• Scroll to the bottom to enable the "Enable Single Sign On Credentials" option.

Note: This option is available from ADC version 11.0.49.x+.

• By using the traffic policy/ action, we can configure the username/ password Expression to be used for SSO. 
• When we set the -usercredentialIndex and -passwordCredentialIndex in a login schema, we store the username/ password from that authentication factor at the specified index in the session, which can then be used later for SSO using the expression http.req.user.attribute()
• So, on the First factor where the LDAP authentication policy is bound, we need to set the value for userCredentialIndex and passwordCredentialIndex under Configure Authentication Login Schema.
• Now, the value set for userCredentialIndex and passwordCredentialIndex needs to be defined in the traffic Profile to achieve the SSO. Make sure to bind the Traffic policy to the LB/ NG virtual server.

Problem Cause

The ADC would by default send the credentials out of the last Login Schema. In this case, since the Radius is the second factor authentication, so the credentials posted by the ADC to achieve the Single Sign On (SSO) would be through the Login Schema to which the Radius Authentication Policy is bound.