You can configure LDAP URL filters for Connection Server to identify an AD user that does not have an AD UPN.

You must use ADAM ADSI Edit on a Connection Server host. You can connect by typing in the distinguished name DC=vdi, DC=vmware, DC=int. Expand OU=Properties, and select OU=Authenticator.

You can then edit the pae-LDAPURLList attribute to add an LDAP URL filter.

For example, add the following filter:

urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=ldap:///???(telephoneNumber=$NAMEID)

Connection Server uses the following default LDAP URL filters:

urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=ldap:///???(&(objectCategory=user)(objectclass=user)(sAMAccountName=$NAMEID)) ldap:///???(&(objectCategory=group)(objectclass=group)(sAMAccountName=$NAMEID))
urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified=ldap:///???(&(objectCategory=user)(objectclass=user)(sAMAccountName=$NAMEID)) ldap:///???(&(objectCategory=group)(objectclass=group)(sAMAccountName=$NAMEID))

If you configure an LDAP URL filter for a NameID format, Connection Server uses that LDAP URL filter and does not use the default LDAP URL filter to identify the user.
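As an added example (not VMware code and not Connection Server's internal logic), the following Python expands pae-LDAPURLList entries into the LDAP search filters that result for a given SAML NameID, applying the rule above that a configured filter replaces the default for that NameID format. The RFC 4515 escaping of the NameID value is an assumption added here as a defensive step; the page does not say how Connection Server performs the $NAMEID substitution.

```python
"""Expand pae-LDAPURLList entries into LDAP search filters for a SAML NameID.
Added example; not VMware code and not Connection Server's internal logic."""
import re
from urllib.parse import unquote

SAML11 = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
SAML20 = "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"

# The two default filters quoted on the page (built in, used when nothing is configured).
DEFAULT_LDAPURLLIST = f"""
{SAML11}=ldap:///???(&(objectCategory=user)(objectclass=user)(sAMAccountName=$NAMEID)) ldap:///???(&(objectCategory=group)(objectclass=group)(sAMAccountName=$NAMEID))
{SAML20}=ldap:///???(&(objectCategory=user)(objectclass=user)(sAMAccountName=$NAMEID)) ldap:///???(&(objectCategory=group)(objectclass=group)(sAMAccountName=$NAMEID))
"""
# Constructed sample of an admin-edited pae-LDAPURLList: the page's telephoneNumber
# filter, which replaces the SAML 1.1 default for that format.
PAE_LDAPURLLIST = f"{SAML11}=ldap:///???(telephoneNumber=$NAMEID)\n"

def parse_urllist(text):
    """Map each NameID format to its list of LDAP URLs (one entry per line)."""
    entries = {}
    for line in text.strip().splitlines():
        fmt, _, urls = line.partition("=")          # the URN itself contains no '='
        entries.setdefault(fmt, []).extend(re.split(r"\s+(?=ldap://)", urls))
    return entries

def ldap_url_filter(url):
    """Return the filter part of an RFC 4516 LDAP URL: ldap://host/dn?attrs?scope?filter"""
    m = re.fullmatch(r"ldap://[^/]*/[^?]*\?[^?]*\?[^?]*\?([^?]*).*", url)
    if not m:
        raise ValueError(f"not an LDAP URL with a filter: {url}")
    return unquote(m.group(1))

def escape_filter_value(value):
    """RFC 4515 escaping so the NameID is matched literally (assumption: added here
    as a defensive step; the page does not say how Connection Server substitutes)."""
    return "".join(chr(b) if 0x20 <= b <= 0x7e and b not in b"\\*()" else "\\%02x" % b
                   for b in value.encode("utf-8"))

def filters_for(nameid_format, nameid, configured=PAE_LDAPURLLIST):
    """Filters to search with: a configured entry for the format wins outright,
    otherwise the default entry for that format applies."""
    entries = parse_urllist(configured)
    if nameid_format not in entries:
        entries = parse_urllist(DEFAULT_LDAPURLLIST)
    value = escape_filter_value(nameid)
    return [ldap_url_filter(u).replace("$NAMEID", value)
            for u in entries.get(nameid_format, [])]

if __name__ == "__main__":
    for fmt, nid in [(SAML11, "+1 555 0100"), (SAML20, "jdoe"), (SAML11, "Smith (Jr.)")]:
        print(fmt, repr(nid), "->", filters_for(fmt, nid))
```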

Examples of identifiers that you can use for SAML authentication for an AD user that does not have an AD UPN:

  • "cn"
  • "mail"
  • "description"
  • "givenName"
  • "sn"
  • "canonicalName"
  • "sAMAccountName"
  • "member"
  • "memberOf"
  • "distinguishedName"
  • "telephoneNumber"
  • "primaryGroupID"

LDAP URL filters are not supported for users from untrusted domains.