F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

AngryCat_52750's avatar
AngryCat_52750
Icon for Nimbostratus rankNimbostratus
Dec 11, 2013

username AD variable field change

I believe that when we setup a APM login page, the username field is associated with the sAMAccountName field in AD.. is there a way to make that associated with another field like say - userPrincipalName??

 

We have a policy that is login page -> AD auth -> SS0...

 

BIG-IP Access Policy Manager (APM)
design
security

2 Replies

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Dec 11, 2013

    The AD Auth agent will actually work with both, as the underlying Kerberos mechanism will also work with both. For a UPN value you'll need to split the username and domain into their respective session.logon.last.username and session.logon.last.domain session variables, or just use the username variable and first half of the UPN if the users are all in the same domain.

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Dec 11, 2013

    This all depends on how you collect the user credentials on the logon form. If you check the "Split domain from full name" in the logon page properties, then entries with domain\user and user@domain will get automatically split into separate username and domain variables. If, for example. a user's UPN is 1234567890@domain.com, and their sAMAccountName is Simon, then the following would work in the logon form:

    simon
domain\simon
simon@domain.com
1234567890
1234567890@domain.com
domain\1234567890

    Because any combination will apparently work, it'll be a trick to figure out which is which (sAMAccountName or userPrincipalName), but then you may not have to.