VPE AD logon - why cant username = email address

AlexS_yb · ‎17-Apr-2021

Why is it so hard to setup MS AD auth for username => email address.

I have to set and then reset the username session variable to utillise the MS AD Auth module - seems silly

Nikoolayy1 · ‎19-Apr-2021

I see that others have the same complaint, so you are right 🙂

You can see this if it helps:

https://devcentral.f5.com/s/question/0D51T00006i7etx/apm-ldap-auth-using-email-address

Also with variable assign agent you can make the users just to type the name and then add "@domain.com":

https://devcentral.f5.com/s/question/0D51T00006i7cnk/how-to-add-domain-name-string-in-the-apm-variable-assign

AlexS_yb · ‎19-Apr-2021

Done some more work on this.

so the key bits seem to be

session.logon.last.username

session.logon.last.logonname

session.logon.last.domain

for examples presume my email is alex@example.com

now on the logon page, if use split domain

if you have split to true then you get

session.logon.last.username alex

session.logon.last.logonname alex@example.com

session.logon.last.domain example.com

if you have it set to no you get

session.logon.last.username alex@example.com

session.logon.last.logonname alex@example.com

session.logon.last.domain

notice domain is not set.

Why do f5 do this, why is the option there.... I think - i presume, its for MS AD Auth widget in VPE, they do a search on samaccount name which is usually just the short name ... sigh ..

now the session name seen in the gui is based on

session.logon.last.username

so I use split equals yes .. and then the next step i do is variable assign

session.logon.last.username = session.logon.last.logonname

and I have stopped using the MS AD auth and just use LDAP Auth against the AD servers. Makes life a lot simplier

DevCentral

VPE AD logon - why cant username = email address

MFA required on DevCentral