Forum Discussion

am_gli
Jun 08, 2020

Updating AD attributes via APM/iRule

Hi,

Recently we moved all our externally reachable web apps behind a portal that enforces two-factor authentication.

Logging in to the portal (3rd party) requires you to either approve a push or enter your OTP.

In the portal itself you click on your application (e.g. OWA) and you are SSO'd via SAML to the F5 listener.

The F5 then does KCD to SSO you to Exchange.

Everything works fine so far, but:

Our problem in this whole setup is inactive users.

  • The third-party portal doesn't update the "LastLogonTimestamp" or any similar attribute in AD when authenticating via push
  • The F5 doesn't update the attribute when authenticating the user via SAML
  • The F5 doesn't update the attribute when getting a KCD token

So users from external partners may use their accounts regularly, but in AD they seem to be unused for months.

Our routines then disable/delete those accounts on a regular basis.


The idea would now be to let the F5 execute an iRule during the KCD which updates the LastLogonTimestamp for this user, or any other AD attribute for this specific user that our routines can check in order to know that this user was active in the last 3 months.

Any ideas?
