Forum Discussion
Updating AD attributes via APM/iRule
Hi,
recently we switched all our externally reachable webapps behind a portal, that ensures 2F authentication.
Logging in to the portal (3rd party) requires you to either approve a push, or enter your OTP.
In the portal itself, you click on your application (e.g. OWA) and you are SSOed via SAML to the F5-listener.
The F5 then does KCD to SSO you to the Exchange.
Everything works fine so far, but:
Our problem in this whole constellation is inactive users.
- The third party portal doesn't update the "LastLogonTimestamp" or any similar attributes in AD when authenticating via push
- The F5 doesn't update the attribute when authenticating the user via SAML
- The F5 doesn't update the attribute when getting a KCD token
So users from external partners may use their accounts regularly, but in AD they seem to be unused for months.
Our routines then disable/delete those accounts on a regular basis.
The idea now would be to let the F5 execute an iRule during the KCD that updates the LastLogonTimestamp for this user, or any other AD attribute for this specific user that can be checked by our routines in order to know that this user was active in the last 3 months.
Any ideas?
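As an added illustration of the "any other AD attribute our routines can check" idea (this is example code, not F5, APM or DevCentral code): the inactivity routine described above can take the newer of two sources, the domain's own lastLogonTimestamp (a FILETIME large integer that the domain controllers maintain) and a separate string attribute that the SSO path stamps on each successful authentication. The attribute name (extensionAttribute1), the timestamp convention stored in it, and the sample accounts are all assumptions constructed for the example; the 90-day threshold mirrors the 3 months mentioned in the post.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch (1601-01-01 UTC); AD large-integer timestamps such as
# lastLogonTimestamp count 100-nanosecond ticks from this point.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

# Assumed convention for this example: the SSO path stamps extensionAttribute1
# with a UTC time in GeneralizedTime form without fraction, e.g. "20240525120000Z".
SSO_ATTRIBUTE = "extensionAttribute1"
SSO_TIME_FORMAT = "%Y%m%d%H%M%SZ"


def filetime_to_datetime(ticks):
    """Convert an AD FILETIME large integer to an aware UTC datetime.

    AD returns 0 (or omits the attribute) for accounts that have never
    logged on; that case maps to None rather than to the year 1601.
    """
    if not ticks:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=int(ticks) // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, using integer arithmetic so it stays exact."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    whole_seconds = delta.days * 86400 + delta.seconds
    return whole_seconds * TICKS_PER_SECOND + delta.microseconds * 10


def last_activity(entry):
    """Most recent activity across lastLogonTimestamp and the SSO-stamped attribute.

    Returns None when neither source shows any activity at all.
    """
    times = []
    native = filetime_to_datetime(entry.get("lastLogonTimestamp"))
    if native:
        times.append(native)
    stamped = entry.get(SSO_ATTRIBUTE)
    if stamped:
        parsed = datetime.strptime(stamped, SSO_TIME_FORMAT)
        times.append(parsed.replace(tzinfo=timezone.utc))
    return max(times) if times else None


def classify(entry, now, max_age_days=90):
    """Return 'active', 'inactive' or 'never-logged-on' for one directory entry."""
    seen = last_activity(entry)
    if seen is None:
        return "never-logged-on"
    return "active" if now - seen <= timedelta(days=max_age_days) else "inactive"


def classify_users(entries, now, max_age_days=90):
    """Apply classify() to a mapping of sAMAccountName -> attribute dict."""
    return {sam: classify(entry, now, max_age_days) for sam, entry in entries.items()}


# Constructed sample directory entries for the example (not real accounts).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_USERS = {
    # interactive logon 12 days ago: active on lastLogonTimestamp alone
    "alice": {"lastLogonTimestamp": datetime_to_filetime(datetime(2024, 5, 20, tzinfo=timezone.utc))},
    # stale lastLogonTimestamp, but the SSO path stamped recent activity
    "bob": {"lastLogonTimestamp": datetime_to_filetime(datetime(2024, 1, 10, tzinfo=timezone.utc)),
            SSO_ATTRIBUTE: "20240525120000Z"},
    # never logged on anywhere
    "carol": {"lastLogonTimestamp": 0},
    # last seen 121 days ago and no SSO stamp: would be disabled by the routine
    "dave": {"lastLogonTimestamp": datetime_to_filetime(datetime(2024, 2, 1, tzinfo=timezone.utc))},
}

if __name__ == "__main__":
    for sam, state in classify_users(SAMPLE_USERS, NOW).items():
        print(f"{sam}: {state}")
```

One caveat worth keeping in mind when the routine leans on lastLogonTimestamp: by design the domain controllers only refresh it when the stored value is older than about 14 days (default), so it is a coarse indicator, which is acceptable for a 90-day threshold but not for anything finer. The second attribute is what makes SAML and KCD logins visible at all, since neither touches the native timestamp.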