I'm trying to work on a fallback solution to where instead of a UPN being presented by a user certificate for on-demand cert auth, we can pull the email address similar to this article: https://devcentral.f5.com/s/articles/How-to-Extract-the-UPN-from-a-Digital-Certificate-on-a-CAC-card-using-F5-APM
When I view the x509extensions, I can see the field "email:" and then the email address but unfortunately, I don't think I'm getting it. I'm using the logic from the link above to try and pull that value into a variable assign within APM. Has anyone had any success with it? The x509extension field shows as "email:firstname.lastname@domain". Just curious if anyone has configured this.
Thanks in advance!
You are doing on-demand cert auth, right? Because a cert is required to have those session.ssl.cert.x509extension filled.
When you look at your APM session variables after authentication, can you find the session.ssl.cert.x509extension variable with any content?
Yeah. I think I figured it out. I just needed to adjust the logic within the original link I specified. Now I'm onto trying to do a search filter with either value in an AD Query.
Great, it works. On to the next challenge indeed.
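One way to pull either value out of the extension text and pick the matching AD attribute, as an added example that is not code from this thread or from the linked article. It is standalone Tcl; the helper name `san_identity`, the sample strings, the `othername:UPN<...>` entry layout and the narrow character allowlist are assumptions, and inside an APM Variable Assign the input would come from `[mcget {session.ssl.cert.x509extension}]`.

```tcl
# Constructed samples of the extension text (not taken from a real certificate).
set email_only "X509v3 Subject Alternative Name:\n    email:firstname.lastname@example.com\n"
set both "X509v3 Subject Alternative Name:\n    othername:UPN<1234567890@mil>, email:firstname.lastname@example.com\n"

# Hypothetical helper: return {attribute value} for the AD lookup,
# preferring the UPN and falling back to the e-mail SAN entry.
proc san_identity {ext} {
    set upn ""
    set email ""
    # SAN entries may share one line (comma-separated) or sit on separate lines,
    # so treat newlines and commas as the same separator.
    foreach entry [split [string map [list "\n" ","] $ext] ","] {
        set entry [string trim $entry]
        # Anchored patterns with a narrow character set (an assumption; widen
        # it if your directory uses other characters). Entries that do not
        # match are ignored, so parentheses, asterisks and backslashes from a
        # certificate never end up inside the AD Query search filter.
        if {[regexp {^othername:UPN<([A-Za-z0-9._-]+@[A-Za-z0-9.-]+)>$} $entry -> v]} {
            set upn $v
        } elseif {[regexp {^email:([A-Za-z0-9._-]+@[A-Za-z0-9.-]+)$} $entry -> v]} {
            set email $v
        }
    }
    if {$upn ne ""} { return [list userPrincipalName $upn] }
    if {$email ne ""} { return [list mail $email] }
    # Neither entry present or well-formed: let the policy branch to deny.
    return {}
}

foreach ext [list $email_only $both "X509v3 Key Usage:\n    Digital Signature\n"] {
    set id [san_identity $ext]
    if {[llength $id] == 2} {
        lassign $id attr value
        # Shape of the search filter the AD Query step would use.
        puts "($attr=$value)"
    } else {
        puts "no usable identity in certificate"
    }
}
```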