Configuring Smart Card Authentication and Kerberos Constrained Delegation in F5 Access Policy Manager (APM)
Steve,
Question on the SSO Credential Mapping. I see that you specified "sAMAccountName from LDAP Directory" as the SSO Token Username, but left the SSO Token Password as "Password from Logon Page". How does this work with a DoD Common Access Card (CAC) smartcard?
Without going on for too long, I need to get external users (reverse proxy) to actually authenticate against AD or LDAP and have their "lastLogonTimestamp" attribute get updated with their successful access to our SharePoint site.
Will the SSO Credential Mapping work with LDAP or AD, and will this trigger an update to this AD attribute?
My setup looks nearly identical to your above setup except that I have "AD Query" with the same lookup (userPrincipalName=%{session.logon.last.upn}), and no SSO Credential Mapping.
We have found that the AD Query (or LDAP Query) alone is not updating the "lastLogonTimestamp" attribute, which is a problem, as we disable accounts after a certain amount of time since the last "lastLogonTimestamp".
Any insight that you could provide would be appreciated.