
Pulling Email Address from CAC as opposed to UPN

JustCooLpOOLe
Cirrocumulus

Hi,

 

I'm trying to work on a fallback solution where, instead of a UPN being presented by a user certificate for on-demand cert auth, we can pull the email address, similar to this article: https://devcentral.f5.com/s/articles/How-to-Extract-the-UPN-from-a-Digital-Certificate-on-a-CAC-card-using-F5-APM

 

When I view the x509extensions, I can see the field "email:" and then the email address but unfortunately, I don't think I'm getting it. I'm using the logic from the link above to try and pull that value into a variable assign within APM. Has anyone had any success with it? The x509extension field shows as "email:firstname.lastname@domain". Just curious if anyone has configured this.

 

Thanks in advance!


3 REPLIES

boneyard
MVP

you are doing on-demand cert auth right? because a cert is required to have those session.ssl.cert.x509extension filled.

 

when you look at your APM session variables after authentication can you find the session.ssl.cert.x509extension variable with any content?

Yeah. I think I figured it out. I just needed to adjust the logic within the original link I specified. Now I'm onto trying to do a search filter with either value in an AD Query.

great it works, on to the next challenge indeed.
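
The thread does not show the adjusted logic. The following is an added example, not code from the thread or from the linked article: a Tcl procedure (APM expressions are Tcl) that pulls the `email:` entry out of the extension text and rejects any value that would be unsafe to place in an AD Query search filter. The procedure name, the allowlist and the sample strings are assumptions; in APM the input would come from `[mcget {session.ssl.cert.x509extension}]`.

```tcl
# Added example, not from the original thread.
# Extract the "email:" entry from the text form of the certificate extensions
# and return it only if it is a plain address; otherwise return "".
proc extract_cert_email {ext} {
    # The thread shows the entry as "email:firstname.lastname@domain".
    # Assumption: other entries may follow on the same line after a comma,
    # so capture up to the first comma or whitespace.
    if {![regexp -nocase {(?:^|[\s,])email:([^,\s]+)} $ext -> addr]} {
        return ""
    }
    # Allowlist chosen for this example: letters, digits and . _ + - around
    # a single "@". This excludes the characters that have meaning in an LDAP
    # search filter ( * ( ) \ ), so the value cannot alter the AD Query.
    if {![regexp {^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+$} $addr]} {
        return ""
    }
    return $addr
}

# Constructed sample inputs (placeholders, not real certificate data).
set good "X509v3 Subject Alternative Name:\n    email:firstname.lastname@example.mil, othername:UPN<1234567890@example>"
set bad  "X509v3 Subject Alternative Name:\n    email:first(name)@example.mil"

# In APM (assumed usage): extract_cert_email [mcget {session.ssl.cert.x509extension}]
puts "good -> '[extract_cert_email $good]'"
puts "bad  -> '[extract_cert_email $bad]'"
```

An empty result should send the session down the deny or fallback branch rather than into the AD Query with an empty filter value.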