Hi,

I am not sure if I really understood your problem, but let me try...

There is more than one option to build a variable for the UPN. Normally your different LDAP servers have a name (in this case I use AuthServername as an example -> under "Auth.Server" in the Authentication area...). If you have more than one LDAP Authentication Server, it might be a good idea to build your variable for the UPN like this: <[email protected]> instead of <userAttr.userPrincipleName> (works for me...).

But be aware that beginning with 6.5 the actual IVE OS versions have a strange bug with the variable for the UPN! Web SSO (with Basic Authentication) stopped working in my environment after upgrading from 6.4R5.1 to 6.5. <[email protected]> (or the version which you used: userAttr.userPrincipalName) does not transmit the domain part of the UPN.

I have been going crazy over this problem for a couple of months now and have worked together with Juniper support during this time, until Juniper was able to approve this strange behaviour. Juniper Support finally found the problem and told me that they are working on a fix... (still waiting).

The problem is newly listed in the known/unfixed limitations of IVE OS 6.5R6, and the release notes give a hint that it may be a problem on previous releases too. I have had the issue with all 6.5 (R1-R6) and the new 7.0R firmware releases.

Link to the release note:

"Known Issues/Limitations in 6.5R6 Release
The following list enumerates known issues in this release. Some of these issues may exist in previous releases as well:
1. Web-sso - SSO polices working in 6.0 do not work after upgrade to 6.5 (479100)"

In my case the problem did NOT show up on IVE OS 6.4 (R1-R5.1) and earlier versions of the firmware... (I did not test 6.4R6-R8).

Perhaps you have the same problem... (depending on your IVE OS version...)

This may not be a solution, but I hope it gives you some useful information.