xRes
Mar 01, 2022

APM - translating group SIDs extracted from Kerberos token

Hi community, I am trying to "translate" group SIDs extracted from Kerberos token in APM policy (SWG authentication policy). My authentication logic uses KerberosAuth agent which collects SIDs and p...
  • xRes
    Mar 09, 2022

    Should anyone need a solution - it appears to be quite simple: there is a built-in agent "AD Group SID Resolver", I am pretty sure it wasn't there a few BIG-IP versions before... or maybe I simply didn't pay enough attention...

    Anyway - once you have configured the Kerberos Auth agent and set Extract Group SIDs as "enabled", you should add the AD Group SID Resolver agent - it will translate Group SIDs into Group Names and store them in the session.ad.last.attr.memberOf variable. Then it is easy to inject them into HTTP headers via iRule.
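
The header injection step described in the reply above, as an added example that is not part of the original post and is not the poster's iRule. The header name `X-AD-Groups`, the choice of the `ACCESS_ACL_ALLOWED` event, and the assumption that the variable holds a `|`-separated list of group names or DNs are all assumptions to adjust for your policy.

```tcl
# Added example, not from the original post.
# Hypothetical header name: X-AD-Groups.
when ACCESS_ACL_ALLOWED {
    # Remove any copy the client sent, so the backend only ever sees
    # the value set here from the APM session.
    HTTP::header remove "X-AD-Groups"

    # Variable populated by the AD Group SID Resolver agent (per the post).
    set raw [ACCESS::session data get "session.ad.last.attr.memberOf"]
    if { $raw eq "" } {
        return
    }

    # Assumption: entries are separated by "|" and each entry is either
    # a plain group name or a DN such as "CN=Group A,OU=Groups,DC=example".
    set names [list]
    foreach entry [split $raw "|"] {
        set entry [string trim $entry]
        if { $entry eq "" } {
            continue
        }
        # For a DN, keep only the CN value (escaped commas stay in the name).
        if { [regexp -nocase {^CN=((?:\\.|[^,\\])+)} $entry -> cn] } {
            set entry $cn
        }
        # Strip control characters (CR/LF included) so a group name
        # cannot split or inject headers.
        regsub -all {[[:cntrl:]]} $entry "" entry
        if { $entry ne "" } {
            lappend names $entry
        }
    }

    if { [llength $names] > 0 } {
        HTTP::header insert "X-AD-Groups" [join $names ";"]
    }
}
```

The backend should trust this header only on connections that arrive from the BIG-IP, since any other path to the server could supply the same header.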