How to send DOMAIN\Username in an assertion

    Applies to:
  • Legacy SecureAuth IdP
Deployment model:
  • On Premises
  • SecureAuth Idp Version affected:  9.0+


    How to send a down-level logon name by having the username prefixed by the NETBIOS domain name.



    Sometimes there is a requirement to send usernames prefixed by the NETBIOS domain name e.g. DOMAIN\Username instead of just the plain username.  Also referred to as the Down-Level logon name.



    Instead of using sAMAccountName or UPN in the Post Authentication assertion there is a constructed Active Directory attribute available in the 2008 AD schema called msDS-PrincipalName.  This contains the user down-level logon name in DOMAIN\Username format.


    Map this AD attribute to an IdP Property on the Data Store tab (e.g. AuxID1 = msDS-PrincipalName) and use that Property in the assertion.



    Only IdP version 9.0 and higher are capable of reading constructed attributes in Active Directory.  If using an older version of IdP then a different approach, such as using the Transformation engine to manipulate the UPN, will be needed.

    If it is also desired that the users authenticate with an IdP realm using their down-level logon name then this can be accomplished by following this article: 


    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.

    0 out of 0 found this helpful



    Please sign in to leave a comment.