
Forum Discussion

THASIN
Jan 14, 2015

splitting domain name from UPN session variable

Kerberos authentication for a domain-joined machine is working fine. The session variable I get after successful authentication is session.logon.last.username. It contains username@domainname, i.e. a user principal name. When I use sAMAccountName=%{session.logon.last.username} as the search filter in the AD query, it fails:

AD module: query with 'sAMAccountName=' failed: no matching user found with filter sAMAccountName= (-1)

So I have to split the username in the session.logon.last.username session variable to make the AD query work. I tried the following iRule, which I got from the latest Citrix VDI iApp deployment guide. The policy does not contain a logon page to enable the "split username from domain" option.

```tcl
when RULE_INIT {
    # set static::citrix_sf25_DEBUG 1 to enable logging
    set static::citrix_sf25_DEBUG 1
}
when ACCESS_POLICY_AGENT_EVENT {
    switch [ACCESS::policy agent_id] {
        "CERTPROC" {
            ACCESS::session data set session.logon.last.logonname [lindex [split [findstr [ACCESS::session data get session.logon.last.username] "@" 0] "@"] 0]
            ACCESS::session data set session.logon.last.domain [lindex [split [findstr [ACCESS::session data get session.logon.last.username] "@" 1] "@"] 1]
            if {$static::citrix_sf25_DEBUG} {log local0. "Event CERTPROC, Certificate extension equals: [ACCESS::session data get session.logon.last.username]"}
            if {$static::citrix_sf25_DEBUG} {log local0. "Event CERTPROC, User name set as: [ACCESS::session data get session.logon.last.logonname]"}
            if {$static::citrix_sf25_DEBUG} {log local0. "Event CERTPROC, Domain name set as: [ACCESS::session data get session.logon.last.domain]"}
        }
    }
}
```

Session variable and its value:

session.logon.last.username = User1@domain.XX

When I apply this iRule, I get no value for the logonname and domain variables. LTM log:

```
Tue Jan 13 19:20:56 GST 2015 info emaarhoapm1 tmm1[10733] Rule /Common/CERTPROC : Event CERTPROC, Domain name set as:
Tue Jan 13 19:20:56 GST 2015 info emaarhoapm1 tmm1[10733] Rule /Common/CERTPROC : Event CERTPROC, User name set as:
Tue Jan 13 19:20:56 GST 2015 info emaarhoapm1 tmm1[10733] Rule /Common/CERTPROC : Event CERTPROC, Certificate extension equals: user1@domain.XX
```

The Service-Now SAML assertion requires an email address. If the AD query succeeds, I will get this value from the session.ad.last.attr.mail variable. The customer has multiple child domains, each with a different name, but all users' email addresses contain the parent domain. Example: user1@domain.xx, whose domain is domain.xx, has the UPN user1@domain.xx; ehg.emaar.ae is a child domain, and a user there has the user principal name user2@child.domain.xx but the email address user2@domain.xx. That is the reason I have to get the session.ad.last.attr.mail value from AD. I require your expert help on the above iRule to make it work.

Regards,
Thasin

3 Replies

  • THASIN

    ```tcl
    when RULE_INIT {
        # set static::citrix_sf25_DEBUG 1 to enable logging
        set static::citrix_sf25_DEBUG 1
    }
    when ACCESS_POLICY_AGENT_EVENT {
        switch [ACCESS::policy agent_id] {
            "CERTPROC" {
                ACCESS::session data set session.logon.last.logonname [lindex [split [findstr [ACCESS::session data get session.logon.last.username] "@" 0] "@"] 0]
                ACCESS::session data set session.logon.last.domain [lindex [split [findstr [ACCESS::session data get session.logon.last.username] "@" 1] "@"] 1]
                if {$static::citrix_sf25_DEBUG} {log local0. "Event CERTPROC, Certificate extension equals: [ACCESS::session data get session.logon.last.username]"}
                if {$static::citrix_sf25_DEBUG} {log local0. "Event CERTPROC, User name set as: [ACCESS::session data get session.logon.last.logonname]"}
                if {$static::citrix_sf25_DEBUG} {log local0. "Event CERTPROC, Domain name set as: [ACCESS::session data get session.logon.last.domain]"}
            }
        }
    }
    ```

  • THASIN

    I got the solution from Kevin Stewart.

    Thanks Kevin for the timely help. The iRule worked perfectly after making the changes below.

    His very good explanation and fix for the iRule are as follows. The two ACCESS::session commands should be:

    ```tcl
    ACCESS::session data set session.logon.last.logonname [lindex [split [ACCESS::session data get session.logon.last.username] "@"] 0]
    ACCESS::session data set session.logon.last.domain [lindex [split [ACCESS::session data get session.logon.last.username] "@"] 1]
    ```

    So just to clarify what's going on in the iRule, let's look at a simplified version of the original:

    ```tcl
    set var [lindex [split [findstr $username "@" 0] "@"] 0]
    ```

    where $username is the user@realm value returned from client-side APM Kerberos. The findstr command takes the input string ($username), looks for the matching string (@), and then optionally skips a number of characters from that starting point before it starts collecting. There's a 4th optional parameter that is a string indicating where to stop collection. This is a blank space if not otherwise specified. So what you're doing in the above command is looking for the "@" in the $username string, skipping 0 characters, and then collecting all of the characters from that point to the first blank space. If the username is "user@realm", the above command should return "@realm".

    The fix was to completely remove this section and rely first on the split command to separate the string, delimited by the "@" character, into two list values, and then the lindex command to take the first element of that list, the 0 element.

    ```tcl
    set var [lindex [split $username "@"] 0]
    ```

    Regards,
    thasin
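As an added illustration in plain Tcl (not code from the thread, from Kevin Stewart or from F5), the following reproduces with tclsh why the original expression produced empty values and what the corrected split/lindex form returns. The findstr proc is a hypothetical stand-in written from the semantics described in the reply above (find the match, skip N characters, collect up to a terminator that defaults to a blank); the real iRule command only exists inside TMOS. The split_upn and ad_filter procs go beyond the thread's fix: they handle a value with no "@" and a malformed value with more than one, so that an AD search filter is never built from an empty logon name, which is exactly the failing query shown in the question. The sample UPNs are constructed.

```tcl
# Added example, not from the original thread or from F5. Runs with tclsh 8.5+.

# Hypothetical stand-in for the iRule findstr command, following the
# semantics described in the thread: find $match in $str, skip $skip
# characters from that point, collect until $term (default: a blank).
proc findstr {str match {skip 0} {term " "}} {
    set start [string first $match $str]
    if {$start < 0} {
        return ""
    }
    set start [expr {$start + $skip}]
    set end [string first $term $str $start]
    if {$end < 0} {
        return [string range $str $start end]
    }
    return [string range $str $start [expr {$end - 1}]]
}

# Original (broken) derivations from the Citrix iApp iRule, simplified as in
# the thread. For "user1@domain.XX", findstr returns "@domain.XX"; splitting
# that on "@" gives {"" "domain.XX"}, so element 0 is empty. For the domain,
# findstr with skip 1 returns "domain.XX", which has no "@" left to split on,
# so element 1 does not exist and lindex returns "".
proc logonname_original {upn} {
    return [lindex [split [findstr $upn "@" 0] "@"] 0]
}
proc domain_original {upn} {
    return [lindex [split [findstr $upn "@" 1] "@"] 1]
}

# Corrected form from the thread: split the UPN itself on "@" and take
# element 0 (user) or element 1 (realm).
proc logonname_fixed {upn} {
    return [lindex [split $upn "@"] 0]
}
proc domain_fixed {upn} {
    return [lindex [split $upn "@"] 1]
}

# Guarded variant (added here, beyond the thread's fix). A bare name with no
# "@" is kept as the logon name with an empty realm; a value with more than
# one "@" or with an empty part is rejected so the caller can fail closed
# instead of issuing an AD query with an empty sAMAccountName.
proc split_upn {upn} {
    set parts [split $upn "@"]
    set n [llength $parts]
    if {$n == 1} {
        return [list $upn ""]
    } elseif {$n == 2 && [lindex $parts 0] ne "" && [lindex $parts 1] ne ""} {
        return $parts
    }
    return [list "" ""]
}

# Builds the AD search filter only from a non-empty logon name and returns ""
# otherwise, which is the condition a policy branch should test before the
# AD Query action runs.
proc ad_filter {upn} {
    lassign [split_upn $upn] user realm
    if {$user eq ""} {
        return ""
    }
    return "sAMAccountName=$user"
}

# Constructed sample values (not real accounts).
foreach upn {user1@domain.XX user2@child.domain.XX user3 bad@x@y} {
    puts [format "%-22s original: user='%s' domain='%s' | fixed: user='%s' domain='%s' | filter: '%s'" \
        $upn [logonname_original $upn] [domain_original $upn] \
        [logonname_fixed $upn] [domain_fixed $upn] [ad_filter $upn]]
}
```

Running it shows the first two columns empty for user1@domain.XX, matching the empty "User name set as:" and "Domain name set as:" log lines in the question, while the fixed columns give user1 and domain.XX. The same split/lindex expressions can be placed in a Variable Assign action, as the third reply describes, with mcget in place of the ACCESS::session data get command.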

     

  • Jason_Rowland_4
    Historic F5 Account

    You can achieve the same result with a Variable Assign action in the Access Policy configured with the following values:

    ```tcl
    session.logon.last.domain = expr { [lindex [split [mcget {session_variable_with_user@domain}] "@"] 1] }
    session.logon.last.username = expr { [lindex [split [mcget {session_variable_with_user@domain}] "@"] 0] }
    ```

     

    In my case I wanted to populate the Username and Domain session variables from the "session.saml.last.identity" session variable which is created on the APM SAML SP after completing IdP authentication. The above syntaxes in a Variable Assign populated the Username and Domain session variables with the desired information.

     

    • Jason