Forum Discussion
Dev_56330
Cirrus
Dec 03, 2015
Using Certificate Subject Name To Authenticate Users
Quick question in regards to using a certificate attribute to authenticate a user. Users have been issued a soft cert with a subject name that represents the user's CN. The F5 compares the subject n...
MichaelatF5
Employee
Dec 04, 2015
You can use FindStr in order to pull out the specific value that you want to compare to whichever AD/LDAP attribute works best for your environment, predominantly userPrincipalName or sAMAccountName.
https://devcentral.f5.com/wiki/iRules.findstr.ashx
For example:
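    if { [ACCESS::session data get session.ssl.cert.x509extension] contains "CN:" } {
        # findstr <string> <search> <skip_count> <terminator>: skip_count is counted
        # from the start of the match, so 3 skips past "CN:" itself. Adjust the skip
        # count and terminator to match how the value appears in your certificates.
        set tmpcn [findstr [ACCESS::session data get session.ssl.cert.x509extension] "CN:" 3 ""]
        ACCESS::session data set session.custom.certcn $tmpcn
        log local0. "Extracted OtherName Field: $tmpcn"
    }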
You would then use the %{session.custom.certcn} in an LDAP/AD query to validate the user.
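
A note on that last step, as an added example that is not part of the original post: the value pulled from the certificate ends up inside an LDAP filter, so it is worth restricting it to an allow-list and escaping it per RFC 4515 before it is stored. This is plain Tcl that runs in tclsh; the proc names, the delimiter set, the allow-list and the sample strings are assumptions.

```tcl
# Added example. Proc names are hypothetical; sample inputs are constructed.

# Return the text that follows "CN:" in $ext, up to the next delimiter,
# or "" when the marker is absent.
proc cert_cn_value {ext} {
    set start [string first "CN:" $ext]
    if {$start < 0} { return "" }
    set rest [string range $ext [expr {$start + 3}] end]
    # Assumed delimiters: comma, semicolon, line break.
    regexp {^[^,;\r\n]*} $rest value
    return [string trim $value]
}

# Allow-list for a login name (assumed: letters, digits, . _ @ -).
proc is_safe_login {v} {
    return [regexp {^[A-Za-z0-9._@-]{1,128}$} $v]
}

# Escape a value for use inside an LDAP filter (RFC 4515).
# string map scans left to right and does not rescan replacements,
# so the backslash is not double-escaped.
proc ldap_filter_escape {v} {
    return [string map [list "\\" "\\5c" "*" "\\2a" "(" "\\28" ")" "\\29" "\x00" "\\00"] $v]
}

# Constructed extension strings, not taken from a real certificate.
set samples [list \
    "othername:CN:jdoe@example.com, email:jdoe@example.com" \
    "othername:CN:j*doe(test), email:x" \
    "no marker in this one"]

foreach ext $samples {
    set cn [cert_cn_value $ext]
    if {$cn eq "" || ![is_safe_login $cn]} {
        # In an iRule, log this and leave session.custom.certcn unset.
        puts "reject: unusable value, escaped form: [ldap_filter_escape $cn]"
    } else {
        puts "accept: (sAMAccountName=[ldap_filter_escape $cn])"
    }
}
```

In an iRule the same procs can gate the `ACCESS::session data set` call, with `log local0.` in place of `puts`.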