JustCooLpOOLe
Mar 02, 2021
Solved

Pulling Email Address from CAC as opposed to UPN

Hi,

I'm trying to work on a fallback solution to where instead of a UPN being presented by a user certificate for on-demand cert auth, we can pull the email address similar to this article: https://devcentral.f5.com/s/articles/How-to-Extract-the-UPN-from-a-Digital-Certificate-on-a-CAC-card-using-F5-APM

When I view the x509extensions, I can see the field "email:" and then the email address but unfortunately, I don't think I'm getting it. I'm using the logic from the link above to try and pull that value into a variable assign within APM. Has anyone had any success with it? The x509extension field shows as "email:firstname.lastname@domain". Just curious if anyone has configured this.

Thanks in advance!

3 Replies

  • You are doing on-demand cert auth, right? Because a cert is required to have those session.ssl.cert.x509extension filled.

    When you look at your APM session variables after authentication, can you find the session.ssl.cert.x509extension variable with any content?

    • JustCooLpOOLe

      Yeah. I think I figured it out. I just needed to adjust the logic within the original link I specified. Now I'm onto trying to do a search filter with either value in an AD Query.

      • boneyard
        Mar 02, 2021

        great it works, on to the next challenge indeed.
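
The extraction discussed in this thread, as an added example that is not from any poster or from the linked F5 article: it prefers the UPN, falls back to the "email:" entry, and only accepts values that are safe to place in an AD Query search filter. The proc name `cert_identity`, the `othername:UPN<...>` layout, the comma/whitespace separators and all sample values are assumptions made for illustration.

```tcl
# Added example in plain Tcl (runs under tclsh). In an APM Variable Assign the
# input would come from [mcget {session.ssl.cert.x509extension}] instead.

# Pick the identity for the later lookup: UPN if the certificate carries one,
# otherwise the rfc822Name ("email:") entry, otherwise an empty string.
proc cert_identity {x509ext} {
    # Allow-list for the extracted value. It excludes ( ) * \ and NUL, the
    # characters that are special in an LDAP search filter.
    set addr {[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+}
    # Entries are assumed to be separated by commas or whitespace.
    set sep {[\s,]}

    # Assumed layout of the UPN entry: othername:UPN<user@domain>
    if {[regexp -- "othername:UPN<($addr)>" $x509ext -> upn]} {
        return $upn
    }
    # Layout quoted in the thread: email:firstname.lastname@domain
    if {[regexp -- "(?:^|$sep)email:($addr)(?=$sep|\$)" $x509ext -> email]} {
        return $email
    }
    return ""
}

# Constructed sample values, not taken from a real certificate.
set samples [list \
    "email:firstname.lastname@example.test, othername:UPN<1234567890@example.test>" \
    "X509v3 Subject Alternative Name:\n    email:firstname.lastname@example.test\n" \
    "email:x*)(mail=*@example.test" \
]

foreach s $samples {
    set id [cert_identity $s]
    if {$id eq ""} {
        # Nothing matched the allow-list: treat as a failed lookup.
        puts "no usable identity"
    } else {
        puts "identity: $id"
    }
}
```

An empty result should send the session down the deny branch rather than into the AD Query with an empty or partial filter value.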