Can the Federation Partnership have an AD search criteria with both UserPrincipalName and Mail?

Article ID: 232015
Products

CA Single Sign On Federation (SiteMinder) CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign-On

Issue/Introduction

AD search filter for UserPrincipalName: (&(objectClass=organizationalPerson)(userPrincipalName=%s))
AD search filter for Mail: (&(objectClass=organizationalPerson)(mail=%s))

Currently the AD search on partnership "ABC-FED" is set to "Mail": when a user logs in with the mail address [email protected] there are no issues.

But when a user logs in with their "UserPrincipalName" value, they get a 500 error, because the search filter only matches on "Mail".

On the other partnership, XYZ-FED, the AD search is set to "UserPrincipalName", so a user who logs in with the ID [email protected] has no issues.

But when a user logs in with their mail address, they get a 500 error, because the search filter only matches on "UserPrincipalName".

Question:

Is there an option in the AD search field to match on both Mail and UserPrincipalName, or can only one attribute be used?

Environment

CA Policy Server 12.8 releases and/or applicable to other supported environments.

Resolution

The two filters can be combined with the LDAP OR operator "|" so that the same partnership resolves a login ID against either attribute:

 (|(&(objectClass=organizationalPerson)(userPrincipalName=%s))(&(objectClass=organizationalPerson)(mail=%s)))

Note that this example is specific to the use case above. Because the combined filter matches on either attribute, a login ID that equals one account's userPrincipalName and a different account's mail value returns two entries; check the directory for such overlaps before enabling the filter.

Standard LDAP filter operators are supported; the following references cover the syntax and give further examples.

https://ldap.com/ldap-filters/

https://ldapwiki.com/wiki/LDAP%20filters%20Syntax%20and%20Choices
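The following is an added example (not part of this article or of the CA/Broadcom product) that builds the combined filter above, escapes the login ID per RFC 4515 before substituting it for %s, and evaluates the result against a constructed in-memory directory so the behaviour can be checked offline. The evaluator covers only the filter grammar the article uses (&, |, !, equality and "*" wildcards); the directory entries, the escaping step and the rule that exactly one entry must match are assumptions for the example, not a description of how the Policy Server performs the search.

```python
"""Added example: build, escape and evaluate the combined UPN/mail filter.

Not part of the article or of the CA/Broadcom product. The entries below are
constructed, and the evaluator handles only &, |, !, equality and '*'.
"""

FILTER_TEMPLATE = (
    "(|(&(objectClass=organizationalPerson)(userPrincipalName=%s))"
    "(&(objectClass=organizationalPerson)(mail=%s)))"
)

# Constructed sample directory: attribute names lower-cased, values as lists.
DIRECTORY = [
    {"dn": "CN=Alice,OU=Users,DC=example,DC=com",
     "objectclass": ["top", "person", "organizationalPerson", "user"],
     "userprincipalname": ["alice@corp.example.com"],
     "mail": ["alice.smith@example.com"]},
    {"dn": "CN=Bob,OU=Users,DC=example,DC=com",
     "objectclass": ["top", "person", "organizationalPerson", "user"],
     "userprincipalname": ["bob@corp.example.com"],
     "mail": ["bob@example.com"]},
    # Its mail equals Bob's UPN, so the OR filter returns two entries for it.
    {"dn": "CN=Helpdesk Mailbox,OU=Shared,DC=example,DC=com",
     "objectclass": ["top", "person", "organizationalPerson", "user"],
     "userprincipalname": ["helpdesk@corp.example.com"],
     "mail": ["bob@corp.example.com"]},
    # A group carrying Alice's UPN as mail: not an organizationalPerson.
    {"dn": "CN=All Staff,OU=Groups,DC=example,DC=com",
     "objectclass": ["top", "group"],
     "mail": ["alice@corp.example.com"]},
]


def escape_filter_value(value: str) -> str:
    """Escape a login ID before substituting it for %s (RFC 4515 section 3)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_filter(login_id: str) -> str:
    """The article's combined filter with the login ID substituted safely."""
    safe = escape_filter_value(login_id)
    return FILTER_TEMPLATE % (safe, safe)


def _unescape(raw: str) -> str:
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 2 < len(raw):
            out.append(chr(int(raw[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def parse_filter(text: str):
    """Parse a filter into nested tuples; raises ValueError on bad syntax."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node


def _parse(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if pos < len(text) and text[pos] in "&|!":
        op, pos, children = text[pos], pos + 1, []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("unterminated %s filter" % op)
        return (op, children), pos + 1
    close = text.find(")", pos)
    if close < 0:
        raise ValueError("unterminated filter item")
    attr, sep, raw = text[pos:close].partition("=")
    if not sep:
        raise ValueError("only equality filters are supported")
    # An unescaped '*' splits the value into substring parts; '\2a' stays literal.
    parts = [_unescape(p).lower() for p in raw.split("*")]
    return ("=", attr.lower(), parts), close + 1


def _match(parts, value):
    """Case-insensitive equality or substring match (AD's mail/UPN ignore case)."""
    v = value.lower()
    if len(parts) == 1:
        return v == parts[0]
    first, last = parts[0], parts[-1]
    if len(v) < len(first) + len(last) or not v.startswith(first) or not v.endswith(last):
        return False
    pos, end = len(first), len(v) - len(last)
    for mid in parts[1:-1]:
        idx = v.find(mid, pos, end)
        if idx < 0:
            return False
        pos = idx + len(mid)
    return True


def evaluate(node, entry) -> bool:
    op = node[0]
    if op == "&":
        return all(evaluate(c, entry) for c in node[1])
    if op == "|":
        return any(evaluate(c, entry) for c in node[1])
    if op == "!":
        return not evaluate(node[1][0], entry)
    _, attr, parts = node
    return any(_match(parts, v) for v in entry.get(attr, []))


def search(directory, filter_text):
    """Return the DNs of the entries the filter matches."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in directory if evaluate(node, e)]


def resolve_user(directory, login_id):
    """Return the single DN for a login ID, or None when zero or several match."""
    matches = search(directory, build_filter(login_id))
    return matches[0] if len(matches) == 1 else None
```

Running resolve_user against the sample directory shows the three cases a practitioner cares about: "alice@corp.example.com" resolves by UPN (the group that carries the same value as mail is excluded by the objectClass clause in each branch), "alice.smith@example.com" resolves by mail, and "bob@corp.example.com" yields two entries and is rejected. The escaping step matters because the login ID is substituted into both branches: an unescaped "*" turns (userPrincipalName=*) into a presence filter that matches every person object, whereas the escaped form only matches a literal asterisk.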