
updating AD attributes via APM/irule




Recently we switched all our externally reachable webapps behind a portal that ensures 2FA.


Logging in to the portal (3rd party) requires you to either approve a push, or enter your OTP.

In the portal itself, you click on your application (e.g. OWA) and you are SSOed via SAML to the F5-listener.


The F5 then does KCD to SSO you to the Exchange.

Everything works fine so far, but:


Our problem in this whole constellation is inactive users.

  • The third party portal doesn't update the "LastLogonTimestamp" or any similar attributes in AD when authenticating via push
  • The F5 doesn't update the attribute when authenticating the user via SAML
  • The F5 doesn't update the attribute when getting a KCD token


So users from external partners may use their accounts regularly, but in AD they seem to be unused for months.

Our routines then disable/delete those accounts on a regular basis.


The idea would now be to let the F5 execute an iRule during the KCD which updates the LastLogonTimestamp for this user, or any other AD attribute for this specific user, that can be checked by our routines in order to know that this user was active in the last 3 months.


Any ideas?
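As an added example (not from the original post), the consumer side of the idea above: a Python sketch of a cleanup routine that merges the DC-maintained lastLogonTimestamp with a writable attribute a stamping job on the F5/portal side would update on each external logon. It assumes a hypothetical attribute name f5LastExternalLogon holding an ISO-8601 string; lastLogonTimestamp itself is maintained by the domain controllers and cannot be written through LDAP, so the stamp has to live in a separate attribute.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# 100-ns ticks between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01)
EPOCH_DIFF_TICKS = 116444736000000000
TICKS_PER_SECOND = 10_000_000
# Hypothetical writable attribute the F5/portal job stamps (lastLogonTimestamp is DC-maintained)
EXTERNAL_ATTR = "f5LastExternalLogon"
EXTERNAL_FMT = "%Y-%m-%dT%H:%M:%SZ"

def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """AD returns lastLogonTimestamp as a FILETIME integer; 0 means never logged on."""
    if ft <= 0:
        return None
    return datetime.fromtimestamp((ft - EPOCH_DIFF_TICKS) / TICKS_PER_SECOND, tz=timezone.utc)

def datetime_to_filetime(dt: datetime) -> int:
    return int(dt.timestamp()) * TICKS_PER_SECOND + EPOCH_DIFF_TICKS

def external_logon_modify(when: datetime) -> tuple:
    """LDAP replace operation the stamping job would send: (op, attribute, new value)."""
    return ("replace", EXTERNAL_ATTR, when.strftime(EXTERNAL_FMT))

def last_activity(user: dict) -> Optional[datetime]:
    """Newest of the DC-maintained timestamp and the externally stamped attribute."""
    seen = [filetime_to_datetime(int(user.get("lastLogonTimestamp", 0)))]
    if user.get(EXTERNAL_ATTR):
        seen.append(datetime.strptime(user[EXTERNAL_ATTR], EXTERNAL_FMT).replace(tzinfo=timezone.utc))
    seen = [t for t in seen if t is not None]
    return max(seen) if seen else None

def stale_accounts(users, now: datetime, max_age_days: int = 90) -> list:
    """Accounts the cleanup routine may disable: no activity from either source inside the window."""
    cutoff = now - timedelta(days=max_age_days)
    return [u["sAMAccountName"] for u in users
            if (last := last_activity(u)) is None or last < cutoff]

# Constructed sample directory entries, relative to a fixed 'now'
NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)
def _ft(days_ago): return datetime_to_filetime(NOW - timedelta(days=days_ago))
def _ext(days_ago): return (NOW - timedelta(days=days_ago)).strftime(EXTERNAL_FMT)
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "lastLogonTimestamp": _ft(120), EXTERNAL_ATTR: _ext(5)},    # portal-only user, active
    {"sAMAccountName": "bob",   "lastLogonTimestamp": _ft(10)},                             # internal user, active
    {"sAMAccountName": "carol", "lastLogonTimestamp": _ft(200), EXTERNAL_ATTR: _ext(100)},  # inactive everywhere
    {"sAMAccountName": "dave",  "lastLogonTimestamp": 0},                                   # never logged on
]

if __name__ == "__main__":
    print(stale_accounts(SAMPLE_USERS, NOW))  # ['carol', 'dave']
```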