APM 2-Factor Radius and AD Authentication user accounts sAMAccountName and UPN suffixes

Hello,

My question is: I have an APM scenario with a landing page and RADIUS Auth (SafeNet). The RADIUS auth needs the sAMAccountName, for example doej; then at the landing page I give the OTP (one-time password) and the AD password, which I switch with a variable assignment. But now I want to do an LDAP auth, and for the LDAP auth we need the UserPrincipalName (email), for example john.doe(at)company.com. So my question would now be: how can I check, maybe with an LDAP query, the UserPrincipalName to switch from doej -> john.doe(at)company.com, so that the LDAP auth will not fail and the SSO works correctly after this? Maybe someone has an idea: do I need an iRule, or just an LDAP query, the expressions and so on? Please give some examples.

THX Manu


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

As long as the user provides you with the sAMAccountName, you could perform an LDAP query to fetch the UPN. Then you would have to perform variable assignments to be able to perform the LDAP auth with session.logon.last.username by default. Then again, you would need to check your SSO credential mapping and possibly perform another variable assignment before, or check your SSO profile to use the correct username.

Comments on this Answer
Comment made 06-Nov-2017 by eLeCtRoN 251

Hi Henrik,

Thank you for your answer. How can I fetch the UPN in the LDAP query? Yes, I want to replace the sAMAccountName in session.logon.last.username with the UPN. Could I get a config example of what I have to do to fetch the UPN, for example (UserPrincipalName=%{session.logon.last.username})? Should I define a branch rule, or should I define a Required Attribute (optional) in the LDAP query?

THX

Comment made 06-Nov-2017 by Henrik S 339

IIRC, you can set the sAMAccountName as the search filter for the LDAP query. The attributes would then be populated into session.ldap.last.attr.userprincipalname? https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/5.html

I don't have an APM installation at hand right now :/

Comment made 06-Nov-2017 by eLeCtRoN 251

OK, so if I build a variable assignment after the LDAP query with session.logon.last.username = Session Variable session.ldap.last.attr.userprincipalname, it should work? Or do I have to define something for session.ldap.last.attr.userprincipalname in the LDAP query as well?

THX

Comment made 06-Nov-2017 by Henrik S 339

Check the variables that get populated for the session after the LDAP query. As I stated, I don't have a running APM installation at the moment, so I am unable to verify, but yes, that should work if the name of the attribute is correct.

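As an added example, not posted by anyone in the thread, here are the access-policy agent settings that implement the sequence Henrik describes (LDAP Query on sAMAccountName, branch on whether a UPN came back, then Variable Assign into session.logon.last.username before LDAP Auth). The attribute-name case (userPrincipalName) and the custom variable session.logon.last.samaccountname are assumptions; confirm the actual names in the session variable report of a test session.

```tcl
# Added example (not from the thread). Attribute case and the custom
# variable name are assumptions; verify them in the session variable report.

# 1) LDAP Query agent, placed on the RADIUS Auth "Successful" branch.
#    SearchFilter field. %{...} is expanded by APM; at this point the
#    username is still the sAMAccountName the user typed (for example doej).
#      (sAMAccountName=%{session.logon.last.username})
#    Required Attributes (optional):
#      userPrincipalName
#
#    Branch rule "UPN found" (Advanced tab). Without it, a user with no UPN
#    would reach LDAP Auth with an empty username; this branch lets the
#    fallthrough go to a Deny ending instead.
expr { [mcget {session.ldap.last.attr.userPrincipalName}] ne "" }

# 2) Variable Assign agent on the "UPN found" branch. Assignments run in
#    order, so the original login is saved before it is overwritten.
#    Left:  Session Variable  session.logon.last.samaccountname  (assumed custom name)
#    Right: Custom Expression
expr { [mcget {session.logon.last.username}] }

#    Left:  Session Variable  session.logon.last.username
#    Right: Custom Expression (LDAP Auth uses this variable by default)
expr { [mcget {session.ldap.last.attr.userPrincipalName}] }

# 3) SSO Credential Mapping agent (or the SSO profile's username source).
#    By default it copies session.logon.last.username, i.e. now the UPN.
#    If the back end expects the sAMAccountName instead, map
#    session.sso.token.last.username from the saved value:
expr { [mcget {session.logon.last.samaccountname}] }
```

The LDAP Auth agent then binds with the UPN while the SSO side can still be fed either form, which is the "check your SSO credential mapping" step from the accepted answer.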