APM Ldap Query and SSO

hschlecht · ‎23-Feb-2021

Hello,

For authentication, the user use his email address, but after logging we use a SSO mapping to connect to backend server. The backend server doesn't allow the authentication with email address but they need to SAMAccountName. How can I retrive the SamAccount name with a LDAP Query and use the returned SamAccountName for the SSO Token Username in the SSO Mapping process ?

Many Thanks

Sajid · ‎23-Feb-2021

As per my knowledge, put this in the AD Query for samAccountName

(sAMAccountName=%{session.logon.last.username})

In the SSO you can pass this variable. (SSO Credential Mapping)

SSO Token Username

expr {"{session.ad.last.attr.sAMAccountName}"}

boneyard · ‎27-Feb-2021

i do believe your AD query filter would be

(UserPrincipalName=%{session.logon.last.username})

as the UserPrincipalName is what is available, assuming UserPrincipalName is the same as the email address, else you need to search on the email address. lookup the attribute name in AD for that.

before that you have to assign the UserPrincipalName to the session.logon.last.username from the returned SAML attribute. which you can lookup in your APM sessions. it probably is: session.saml.last.identity

what is your IdP? is that Azure AD, it can also return the sAMAccountName.

hschlecht · ‎27-Feb-2021

Hello, finally i have found a solution in mixing LDAP Query, If the final user use his email address, the result of the first LDAP Query after LDAP authentication I send give an an error, in this cas I format my LDAP Query in an other way to collect the samaccount name. After collecting the Samaccountname I push this information in the SSO maping. The problem work nice an solve my initial problem.

boneyard · ‎28-Feb-2021

nice, thanks for sharing.

DevCentral

APM Ldap Query and SSO