Extracting Email value from user certificate during Access Policy Evaluation

Stef5
Nimbostratus

Hi!

Maybe someone can help me with this - we changed our UPN to the e-mail address for all our users lately. In the APM policy I read the UPN from a user's certificate as described in this article https://support.f5.com/csp/article/K17063, which was working perfectly. Because of the change of the UPN, it now depends on whether the user has an updated or an old user certificate.

To make the authentication work for everyone (old or new certificate), I would need the e-mail value from the certificate rather than the UPN.

I can see the value in the certificate "Applicant" field after E = xxx@xyz.com.


How can I extract that value?

Thanks for any help,

BR, Stef


Hi  ,

I think the German "Antragsteller" is the Subject of the certificate. You can use an iRule to extract the string after E=. Take a look at the X509::subject command, see here: https://clouddocs.f5.com/api/irules/X509__subject.html.

Without the ability to test it, I think this should work:

    when ACCESS_SESSION_STARTED {
        # Subject DN of the client certificate, e.g. "CN=Jane Doe,OU=Users,E=jane@example.com"
        set subject [X509::subject [SSL::cert 0]]
        set mailAddress ""
        # Pick out the E= (or emailAddress=) RDN wherever it sits in the DN.
        # A plain [split $subject "E="] would split on every "E" and "=" character,
        # so a regexp is used instead; it also tolerates spaces around "=".
        regexp {(?:^|,)\s*(?:E|emailAddress)\s*=\s*([^,]+)} $subject -> mailAddress
        set mailAddress [string trim $mailAddress]
        if { $mailAddress ne "" } {
            log local0. "Client Certificate received: $mailAddress"
        }
        ACCESS::session data set session.logon.temp.mailAddress $mailAddress
    }

This way you can access the custom session variable session.logon.temp.mailAddress during policy evaluation. Let me know if this helps.

KR

Daniel
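For readers who want to check the subject-DN parsing off-box before putting it in an iRule, here is an added Python example (not part of the reply above, and not F5 code): it parses an RFC 4514-style subject string into RDNs, honouring escaped commas, and returns the e-mail RDN whether it is written as E=, with spaces around the "=", or as emailAddress=. The sample subjects are constructed.

```python
# Subject DN parser and e-mail lookup, written as an offline stand-in for the
# X509::subject handling in the iRule. Assumption: the subject is a single
# comma-separated RDN string, as the BIG-IP command returns it.

EMAIL_ATTRS = {"E", "EMAIL", "EMAILADDRESS"}

def parse_dn(dn: str):
    """Return the DN as a list of (ATTR, value) tuples, in order of appearance."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:              # char after a backslash is taken literally
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":          # an unescaped comma ends the current RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep:
            continue             # fragment without "=", skip it
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def email_from_subject(dn: str) -> str:
    """Return the e-mail RDN value, or "" when the subject carries none."""
    for attr, value in parse_dn(dn):
        if attr in EMAIL_ATTRS:
            return value
    return ""

if __name__ == "__main__":
    # constructed samples, including the "E = xxx@xyz.com" layout from the question
    for dn in ["CN=Doe\\, Jane,OU=Users,E = jane@example.com",
               "emailAddress=bob@example.com,CN=Bob",
               "CN=No Mail,O=Example"]:
        print(repr(dn), "->", repr(email_from_subject(dn)))
```

Note that the subject e-mail is only as trustworthy as the issuing CA's validation of it; if the certificate also carries an rfc822Name in the Subject Alternative Name, that is the field to prefer.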