Forum Discussion
LTM 11.3 with APM: smart card authentication not working
But I don't know how to use the results from the "userPrincipalName=%{session.ssl.cert.upn}" query to put that variable directly inside the username source value of the Kerberos SSO profile.
Simply assign this session variable (session.ssl.cert.upn) as the Kerberos SSO username source value. But wait, you're not going to be able to use the userPrincipalName (SAN UPN) from the CAC directly. You must query the AD (LDAP or AD query) and retrieve the user's sAMAccountName and use THAT value in the username source field of the Kerberos SSO. You can test Kerberos SSO directly simply by adding a variable assignment at the very end of the policy, just before the Allow block, and statically assign a value to the username source variable:
session.ssl.cert.upn = expr { "bob.user" }
