Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Base level "Username" attribute and AD UPN formats

  • 1.  Base level "Username" attribute and AD UPN formats

    Posted Jan 03, 2019 11:14 AM

    New CPPM setup here... just kicking tires.

    In our domain UPNs can be easily stripped to produce the base username. So we can use either the Service username stripping rules, or change the filter to query both sAMAccountName and userPrincipalName.

    That allows users to log into a Guest Operator Application service whether they type just their username or (what they understand to be) their email address.

    CPPM will adjust the Authentication:Username attribute to contain only their base username. However, the top level "Username" attribute seems to keep the UPN when the UPN is used. Most critically, this is the value used to determine which devices an operator can see under a profile that has the "Only show accounts created by the operator" option selected.

    So the users would see one set of devices if they log in by base username, and another set if they log in by "email address", depending on how they logged in when they created the device.

    Is there a way to update that attribute?
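The visibility problem described in this post, as an added example (not code from the thread, from HPE Aruba or from ClearPass): a small model of the guest-device ownership check, first comparing the raw login string with the stored sponsor name (which reproduces the split view reported above), then comparing both sides after reducing them to one canonical base name. The UPN suffix, the device records and the two-attribute LDAP filter are constructed assumptions; `%{Authentication:Username}` is the substitution the thread itself mentions.

```python
"""
Added example: models the ownership mismatch described above and the
canonicalisation that avoids it. Everything below is constructed; it is
not ClearPass code.
"""

# Constructed assumption: the UPN suffixes this directory issues.
UPN_SUFFIXES = ("example.com",)


def canonical_username(entered: str) -> str:
    """Reduce either login form (base name or UPN) to one lower-cased base name.

    Raises ValueError for a UPN suffix outside UPN_SUFFIXES, so a login such as
    'jdoe@other.test' is not silently collapsed onto the local 'jdoe' account.
    """
    name = entered.strip()
    if "@" in name:
        local, _, domain = name.rpartition("@")
        if domain.lower() not in UPN_SUFFIXES:
            raise ValueError(f"unexpected UPN suffix: {domain!r}")
        name = local
    if not name:
        raise ValueError("empty username")
    return name.lower()


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(
        f"\\{ord(ch):02x}" if ch in "\\*()\x00" else ch for ch in value
    )


def lookup_filter(entered: str) -> str:
    """Filter matching the account whether the user typed the base name or the UPN.

    Plain LDAP syntax (an assumption about the filter shape); in ClearPass the
    entered value is what %{Authentication:Username} substitutes.
    """
    value = ldap_escape(entered.strip())
    return f"(|(sAMAccountName={value})(userPrincipalName={value}))"


# Constructed sample guest-device records: sponsor_name holds whatever the
# operator typed at login when the device was created.
DEVICES = [
    {"mac": "00-11-22-33-44-55", "sponsor_name": "jdoe"},
    {"mac": "00-11-22-33-44-66", "sponsor_name": "JDoe@example.com"},
    {"mac": "00-11-22-33-44-77", "sponsor_name": "asmith"},
]


def visible_devices(login: str, devices=DEVICES, canonicalize: bool = True) -> list[str]:
    """MACs an operator may see under "only show accounts created by the operator".

    canonicalize=False reproduces the behaviour reported in the thread: the raw
    login string is compared with the raw sponsor_name, so the same person sees
    different device sets depending on how they logged in.
    """
    if canonicalize:
        me = canonical_username(login)
        return [d["mac"] for d in devices if canonical_username(d["sponsor_name"]) == me]
    return [d["mac"] for d in devices if d["sponsor_name"] == login]


if __name__ == "__main__":
    for login in ("jdoe", "JDoe@example.com"):
        print(login, "raw:", visible_devices(login, canonicalize=False),
              "canonical:", visible_devices(login))
```

The point of the canonical comparison is that ownership is keyed on one identifier regardless of which form the user typed; the unknown-suffix check matters because collapsing every `local@anything` onto the local part would let a foreign UPN match a local account's devices.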

     



  • 2.  RE: Base level "Username" attribute and AD UPN formats

    EMPLOYEE
    Posted Jan 03, 2019 11:21 AM
    Username is always populated as entered. The strip is only used during lookups.

    It is always recommended to reject short names (thus requiring fully qualified usernames) for all workflows.


  • 3.  RE: Base level "Username" attribute and AD UPN formats

    Posted Jan 03, 2019 01:36 PM

    Hrm, well... the backoff strategy that might best serve the users here would be to ban UPNs actually, recommendations be damned.

    Can we emulate the behavior of the "operator filter" using the User account filter? I was able to filter on sponsor_name but the freeRADIUS-style variable substitution does not seem to apply here... e.g.

    sponsor_name=%{Authentication:Username}

    ...does not seem to do the trick.

    Is there a different syntax or list of variables that can be injected into the user account filter and session filters?



  • 4.  RE: Base level "Username" attribute and AD UPN formats

    EMPLOYEE
    Posted Jan 03, 2019 01:51 PM
    No, you cannot.

    The recommendation is to use your existing single sign on solution, which should be using fully qualified usernames.


  • 5.  RE: Base level "Username" attribute and AD UPN formats

    Posted Jan 03, 2019 02:00 PM

    Bummer. I'll go wishlist that with my SE.