Stef5
Nimbostratus
Dec 06, 2021
Extracting Email value from user certificate during Access Policy Evaluation
Hi! Maybe someone can help me with this - we changed our UPN to the e-mail address for all our users lately. In APM Policy I read the UPN from a user's certificate as described in this article...
Daniel_Wolf
MVP
Dec 06, 2021
Hi,
I think the German Antragsteller is the Subject of the certificate. You can use an iRule to extract the string after E =. Take a look at the X509::subject command, see here: https://clouddocs.f5.com/api/irules/X509__subject.html.
Without the ability to test it, I think this should work:
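when ACCESS_SESSION_STARTED {
    # Default to an empty string so the session variable is always defined
    set mailAddress ""
    # Capture the value of the E attribute at an attribute boundary.
    # [split $subject "E="] would split on every "E" and every "=" character,
    # because Tcl treats the second argument as a set of characters.
    regexp {(?:^|[,/])\s*E\s*=\s*([^,/]+)} [X509::subject [SSL::cert 0]] -> mailAddress
    set mailAddress [string trim $mailAddress]
    if { $mailAddress ne "" } {
        log local0. "Client Certificate received: $mailAddress"
    }
    ACCESS::session data set session.logon.temp.mailAddress $mailAddress
}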
This way you can access the custom session variable session.logon.temp.mailAddress during policy evaluation. Let me know if this helps.
KR
Daniel
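The following is an added example, not part of the original posts and not F5 code: a plain tclsh script (no BIG-IP needed) that compares a split-based extraction with a boundary-anchored regexp on subject strings. The procs subject_email and split_email are hypothetical helpers, the subject strings are constructed samples, and the script assumes a one-line subject with attributes separated by "," or "/" and no escaped separators inside the e-mail value.

```tcl
# Added example: compare two ways of pulling the e-mail attribute
# out of a certificate subject string. All sample data is constructed.

# Hypothetical helper: return the value of the E / emailAddress attribute,
# or "" if the subject does not contain one.
proc subject_email {subject} {
    # Anchor on an attribute boundary (start of string, "," or "/") so the
    # trailing "E" of another attribute name such as TITLE= cannot match.
    set re {(?:^|[,/])\s*(?:E|emailAddress)\s*=\s*([^,/]+)}
    if {[regexp -- $re $subject -> value]} {
        return [string trim $value]
    }
    return ""
}

# Hypothetical helper: the split-based approach, for comparison.
# split treats "E=" as the character set {E, =}, not as the substring "E=",
# so the result depends on attribute order and on the letters in the value.
proc split_email {subject} {
    return [lindex [split $subject "E="] end]
}

# Constructed subjects: e-mail last, e-mail first, an address containing
# uppercase "E" next to an attribute name ending in "E", and no e-mail at all.
set samples [list \
    "CN=Jane Doe, OU=IT, E=jane.doe@example.com" \
    "E=jane.doe@example.com, CN=Jane Doe, OU=IT" \
    "CN=Jane Doe, TITLE=Engineer, E=Jane.Eyre@EXAMPLE.com" \
    "CN=Jane Doe, OU=IT"]

foreach s $samples {
    puts "subject : $s"
    puts "  split  -> '[split_email $s]'"
    puts "  regexp -> '[subject_email $s]'"
}
```

A policy that maps the extracted value to a user account should treat an empty result as a failed lookup rather than continuing with a fragment of another attribute.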