Octopus.Deployment.CreatedBy.Username Mapped To SAM

security

(Simon) #1

Hi,

Originally our AD had the SAM Account Name and UPN matching, but we have recently updated our AD to have the UPN set to our email address.

The above change is reflected in the Octopus variable Octopus.Deployment.CreatedBy.Username. However, we use the Octopus.Deployment.CreatedBy.Username variable value to integrate with other systems in our organisation and the change to UPN = email is not desirable.

Is there a way to map the Octopus.Deployment.CreatedBy.Username to SAM account rather than UPN? Or is there a variable to use to get the SAM Account Name?

Obviously, this is not a bug, any help would be appreciated.

Thank you
Simon.


(Jim Burger) #3

Hi Simon,

There isn’t currently a variable that we have that outputs the SAM Account name, nor can we change the Username variable to something else.

That said, with some work, it is possible to get at the SAM Account Name from a script step.

In short, we put the SAM Account Name in the user's claims array, which can be accessed via our REST API with some lookups, from a script step early on in your deployment process. You can then output this value as your own output variable to make it available to subsequent steps for binding to.

I’m not 100% certain but Get-ADUser from the ActiveDirectory module might also be an option to look up the SAM Account Name via the UPN.

Assuming you go down the first road and use our REST API, here are some details that might help with that:

This link shows how we store the SAM Account against a user's identity.

This link shows the structure of the UserResource.

This link shows the structure of the IdentityResource, there you can see it has an IdentityProviderName.

Once you have a user object, you’ll want to drill into the Identities where the IdentityProviderName is ‘Active Directory’ and then drill into the Claims array on that object. You’ll be looking for a claim called ‘sam’.

All said and done it would likely look something like this in C#:

user.Identities.First(i => i.IdentityProviderName == "Active Directory").Claims["sam"]

Ultimately, this will yield a Claim resource that will give you the SAM Account Name which you can pass on to other steps in your deployment process as required, and their steps text boxes etc. can bind to the value like any other variable at that point.

Hopefully this provides good grounds for a solution for you!

Kind regards

Jim
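
The lookup described in the reply above, sketched as a PowerShell script step. This is an added example, not code from the thread or from Octopus: the `/api/users/{id}` request, the `SamLookup.ApiKey` sensitive variable (hypothetical name), the `SamAccountName` output variable name and the sample user JSON are assumptions, while the Identities / IdentityProviderName / Claims / `sam` layout follows the post.

```powershell
# Added example. Resolves the 'sam' claim of the deployment creator and fails
# closed instead of silently falling back to the UPN-based username.
function Get-SamAccountName {
    param([Parameter(Mandatory)] $User)

    # Only trust the identity issued by the Active Directory provider.
    $adIdentities = @($User.Identities |
        Where-Object { $_.IdentityProviderName -eq 'Active Directory' })
    if ($adIdentities.Count -ne 1) {
        # Assumption: zero or several AD identities is treated as an error.
        throw "Expected exactly one Active Directory identity, found $($adIdentities.Count)."
    }

    $claim = $adIdentities[0].Claims.sam
    if (-not $claim -or [string]::IsNullOrWhiteSpace($claim.Value)) {
        throw "Active Directory identity has no usable 'sam' claim."
    }
    return $claim.Value
}

if ($OctopusParameters) {
    # Running inside an Octopus script step: look up the user who created the deployment.
    $base    = $OctopusParameters['Octopus.Web.ServerUri'].TrimEnd('/')
    $userId  = $OctopusParameters['Octopus.Deployment.CreatedBy.Id']
    # Hypothetical sensitive project variable holding an API key that can read users.
    $headers = @{ 'X-Octopus-ApiKey' = $OctopusParameters['SamLookup.ApiKey'] }
    $user    = Invoke-RestMethod -Uri "$base/api/users/$userId" -Headers $headers

    # Publish the value so later steps can bind to it as an output variable.
    Set-OctopusVariable -name 'SamAccountName' -value (Get-SamAccountName $user)
}
else {
    # Offline run with a constructed user resource (values are made up).
    $user = @'
{ "Id": "Users-1", "Username": "jdoe@example.com",
  "Identities": [
    { "IdentityProviderName": "Active Directory",
      "Claims": { "upn": { "Value": "jdoe@example.com" },
                  "sam": { "Value": "jdoe" } } } ] }
'@ | ConvertFrom-Json
    Get-SamAccountName $user   # prints the constructed SAM value
}
```

Later steps would bind to the result as `#{Octopus.Action[StepName].Output.SamAccountName}`, where `StepName` is the name given to this script step.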


(Simon) #4

Hi Jim - thanks for the reply. We worked around the issue with an AD lookup, but we will look into using the Octopus API and identity, because I think it will be a cleaner solution.
Regards
Simon.


(Jim Burger) #5

No problem Simon,

Glad to be of help!

All the best,

Jim