Forum Discussion
APM ClientCert to Kerberos Transition - parsing SubjectAlternateName in Variable assign
This is what I typically do.
- iRule event agent in the visual policy directly after the On-Demand Cert Auth agent.
- Add this iRule to the VIP:
when ACCESS_POLICY_AGENT_EVENT {
    # Only act when the client cert's SAN extension carries a UPN otherName
    if { [ACCESS::session data get session.ssl.cert.x509extension] contains "othername:UPN<" } {
        # findstr: take the text after "othername:UPN<" (14 chars) up to the closing ">",
        # i.e. the raw user@domain value, then split on "@"
        set upn [findstr [ACCESS::session data get session.ssl.cert.x509extension] "othername:UPN<" 14 ">"]
        # First half -> username, second half -> domain (the Kerberos SSO profile variables)
        ACCESS::session data set session.logon.last.username [lindex [split $upn "@"] 0]
        ACCESS::session data set session.logon.last.domain [lindex [split $upn "@"] 1]
    }
}
The UPN will usually be in user@domain form, so I split on the "@" sign and assign session.logon.last.username to the first half and session.logon.last.domain to the last half. The session variables created here are the ones you have identified in the Kerberos SSO profile.
This also assumes that the cert UPN is the same as the domain UPN. This may be true for you, but it isn't always the case; and because APM doesn't (yet) support enterprise canonical cross-realm referrals, I'll typically save the UPN to a temporary session variable first, perform an LDAP query to get the sAMAccountName from AD, and then use that (and the domain realm) in the two Kerberos SSO profile session variables.
I should also add that you can technically do all of this directly in the VPE, but I like the iRule version because I believe it's easier to manage.
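As an added example (not the iRule from the answer above and not F5 code), the same extraction and split done in Python, with the two cases the iRule silently tolerates handled explicitly: a certificate with no UPN otherName, and a UPN that is not in user@domain form (where the iRule's lindex would leave session.logon.last.domain empty). The layout of the x509extension sample is a constructed assumption.

```python
import re
from typing import Optional, Tuple, Dict

# Constructed sample of the text a SAN extension is rendered as; the exact
# layout APM stores in session.ssl.cert.x509extension is an assumption here.
SAMPLE_EXTENSION = (
    "X509v3 Subject Alternative Name: "
    "othername:UPN<jdoe@corp.example.com>, email:jdoe@corp.example.com"
)

MARKER = "othername:UPN<"   # 14 characters, the skip count used by findstr in the iRule

# user part: no whitespace, '@', '/' or '\'; domain part: DNS label characters only
UPN_RE = re.compile(r"^([^@\s/\\]+)@([A-Za-z0-9.-]+)$")


def extract_upn(x509extension: str) -> Optional[str]:
    """Mirror of findstr: text after 'othername:UPN<' up to the next '>', or None."""
    start = x509extension.find(MARKER)
    if start == -1:
        return None
    start += len(MARKER)
    end = x509extension.find(">", start)
    if end == -1:
        return None
    return x509extension[start:end]


def split_upn(upn: str) -> Optional[Tuple[str, str]]:
    """Return (username, domain) only when the UPN is a well-formed user@domain."""
    m = UPN_RE.match(upn)
    if m is None:
        return None
    return m.group(1), m.group(2)


def kerberos_sso_vars(x509extension: str) -> Optional[Dict[str, str]]:
    """Values for the two Kerberos SSO session variables, or None when the cert
    carries no usable UPN so the policy can branch to a deny/fallback instead."""
    upn = extract_upn(x509extension)
    if upn is None:
        return None
    parts = split_upn(upn)
    if parts is None:
        return None
    user, domain = parts
    return {"session.logon.last.username": user, "session.logon.last.domain": domain}
```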