APM session-variable reference
The Session Variables chapter as a pattern-aware lookup: paste session.ad.last.attr.memberOf and it resolves against the chapter's own templates, paste an mcget expression and every reference inside is explained with the secure audit riding along, the classic empty-value trap named exactly: a bare mcget on session.logon.last.password reads back empty, because secure variables require -secure.
Identity & tokensRuns locally in your browser. Nothing you paste leaves this page.
API endpointGEThttps://ronutz.com/api/v1/f5-apm-session-variable-referenceDocumented, not served. Opens the specification.
References
- BIG-IP APM Visual Policy Editor 13.1 - Session Variables chapter (the vendored table: policy results, session management and client variables, AD/LDAP/RADIUS families with the each-attribute-becomes-a-variable rule, the full session.ssl.cert family, endpoint checks including the always-zero hd.state quirk, OTP with the official percent-expansion example, resource assignment; the naming anatomy figure; the sessiondump command)
- F5 Access Solutions lab, VPE and Session Variables module (the secure contract verbatim: encrypted in the session db, hidden from the session report and the logging agent, -secure required for both mcget and access::session data get/set; the session.custom auto-container behavior; the active-sessions-only report note and the message-box pause trick; the mcget session.user.clientip and session.logon.last.upn examples)
- BIG-IP APM Visual Policy Editor 12.1 - Per-Request Policy Reference (the official branch-rule expressions: expr { [mcget {session.ad.last.attr.primaryGroupID}] == 100 } and the memberOf shape; populated-by actions per family: AD Query, LDAP Query, RADIUS Auth/Acct, Local Database with session.localdb.groups)
- BIG-IP APM Single Sign-On Configuration Guide 17.1 (the plumbing rows: NTLM Domain defaulting to session.logon.last.domain, the Form Based password source defaulting to session.sso.token.last.password, SSO Credential Mapping feeding session.sso.token.last.* from session.logon.last.*)