Mark_Cloutier
Nimbostratus
Jul 14, 2015
How to do an AD query sending UPN to AD, and have AD return the "short" name that I can use to authenticate against ldap with
LTM version 11.5.1 HF8
I currently have an APM access policy, deployed from Exchange iapp template version 1.4, which I modified to authenticate against LDAP, rather than direct to AD. User ent...
Joel_Dujsik_394
Jul 14, 2015
Historic F5 Account
Think of the objects in the Policy Editor separately, as basically like a flowchart. Each object (policy item) gets some session variables and/or sets some session variables, then evaluates the things in the "branch rules" tab. The session variables are the key. You can set them to whatever you like. Most Policy Items accept session variables as input using a format like %{session.mysessionvariable}. If you want to know what a session variable is set to at a particular point in the Access Policy, the easiest way to do it is to add a "Message Box" object and put your variables in there, like "My Username Is: %{session.logon.last.username}". Then the message will appear to the user. It also acts as a temporary stop, so you can run the Access Policy to the message box then use the sessiondump command to view all available variables while the user's session is sitting there.
Branch rules are composed basically of TCL code. "mcget" is our command to retrieve session variable data. The TCL can be very simple like:
expr { [mcget "session.logon.last.username"] contains "fred" }
This would evaluate to True if the user's name (provided from a logon page usually) contained the string "fred".
Or it can be much more complicated, using loops, conditional returns, etc. It's very flexible.
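An added example, not part of the reply above and not F5 code: a plain-tclsh sketch of how a branch rule reads a session variable and evaluates to true or false, first as a one-line expression and then with conditional returns. The `mcget` proc is a stand-in for APM's command so the rules run off-box, and the session values, rule names and UPN pattern are constructed assumptions.

```tcl
# Constructed session data standing in for an APM session (sample values).
array set session {
    session.logon.last.username fred.smith@example.com
}

# Stand-in for APM's mcget so the rules below run in plain tclsh.
# On a BIG-IP, APM supplies mcget and this proc is not needed.
proc mcget {name} {
    global session
    if {[info exists session($name)]} { return $session($name) }
    return ""
}

# One-line rule: the same test as the "fred" expression in the reply.
# Written with [string first] because stock Tcl's expr has no "contains"
# operator; inside APM the original expression is used as posted.
proc rule_contains_fred {} {
    expr { [string first "fred" [mcget "session.logon.last.username"]] >= 0 }
}

# Longer rule with conditional returns (hypothetical): true only when the
# logon name is in UPN form (user@domain) using a conservative character
# set, so later policy items can branch on UPN versus short name.
proc rule_is_upn {} {
    set user [mcget "session.logon.last.username"]
    if { $user eq "" } { return 0 }
    if { [regexp {^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$} $user] } { return 1 }
    return 0
}

# Evaluate both rules over constructed logon names, one "session" each.
foreach name {fred.smith@example.com fsmith alfred@example.com "" "a b@example.com"} {
    set session(session.logon.last.username) $name
    puts [format "%-26s contains_fred=%d is_upn=%d" \
        "\"$name\"" [rule_contains_fred] [rule_is_upn]]
}
```

Note that `alfred@example.com` also satisfies the substring rule, which is why a substring test on a username is usually too loose to gate access on its own.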