cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.

updating AD attributes via APM/irule

am_gli
Altostratus
Altostratus

Hi,

 

recently we switched all our externally reachable webapps behind a portal, that ensures 2F authentication.

 

Logging in to the portal (3rd party) requires you to either approve a push, or enter your OTP.

In the portal itself, you click on your application (e.g. OWA) and you are SSOed via SAML to the F5-listener.

 

The F5 then does KCD to SSO you to the Exchange.

Everything works fine so far, but:

 

Our problem in this whole constellation are inactive users.

  • The third party portal doesn't update the "LastLogonTimestamp" or any similar attributes in AD when authenticating via push
  • The F5 doesn't update the attribute when authenticating the user via SAML
  • The F5 doesn't update the attribute when getting a KCD token

 

So users from external partners may use their accounts regularly, but in AD they seem to be unused for months.

Our routines then disable/delete those accounts on a regular basis.

 

The idea would be now, to let the F5 execute an irule during the KCD, which updates the LastLogonTimestamp for this user - or any other AD attribute for this specific user, that can be checked by our routines in order to know, that this user was active in the last 3 months.

 

Any ideas?

 

 

0 REPLIES 0