How to allow LDAP lookup via email address as well as samaccountname (AD)

Dave Perry d.perry1 at
Thu Nov 24 11:45:09 UTC 2022

Hi all

We finally rolled in the server, with the old 4.1.5 config plus some tweaks to Attribute Resolver, yesterday (it was using attribute registry AND the dataconnector, so that was corrected).
This was done as part of migrating to the latest version of Windows Server (the old one is on 2012R2, which needs to be migrated off asap).

There is one feature, which was not tested on the new one by one of the teams who knew it was there on the old service - and is now not working:
When entering a username for AD authentication, the old one would check against their regular username attribute AND their email address.

Looking at the old file (which was pasted in over the stock installed one), it only mentions sAMAccountName in the LDAP filter:
idp.authn.LDAP.userFilter= (sAMAccountName={user})

No mention of UPN, or mail, in that file.

I tried the following filter rule, to no avail (it didn't stop samaccountname logins working, just didn't pick up the email address ones):
idp.authn.LDAP.userFilter= (| (sAMAccountName={user}) (userPrincipalName={user}) )

Any ideas what I'm doing wrong? Or why it stopped working between a 4.1.5 and
Dave Perry
Application Analyst  |  Innovation & Technology Services

York St John University

Lord Mayor’s Walk, York, YO31 7EX
T: +44(0)1904 876 0000
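An added example, not part of the original post and not Shibboleth's own code, that models what the userFilter template in the post does: the {user} placeholder is substituted with the login the user typed, and the resulting filter is evaluated against the directory. The filter templates, the small parser/evaluator and the sample entries below are all constructed for illustration (the real substitution is done by the IdP's LDAP layer, which this does not reproduce). It shows that the OR filter from the post is syntactically fine and matches both sAMAccountName and userPrincipalName, that a login typed as the mail address only matches if the mail attribute is also in the filter (UPN and mail are separate attributes in AD and need not be equal), and why the substituted value must be escaped per RFC 4515 so that filter metacharacters in a login cannot change the filter's structure.

```python
import re

# Hypothetical templates mirroring the idp.authn.LDAP.userFilter lines in the post.
USER_FILTER_TEMPLATE = "(| (sAMAccountName={user}) (userPrincipalName={user}) )"
USER_FILTER_WITH_MAIL = "(|(sAMAccountName={user})(userPrincipalName={user})(mail={user}))"

# Constructed sample AD entries; UPN and mail deliberately differ.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "dperry", "userPrincipalName": "dperry@example.ac.uk",
     "mail": "d.perry@example.ac.uk"},
    {"sAMAccountName": "jsmith", "userPrincipalName": "jsmith@example.ac.uk",
     "mail": "j.smith@example.ac.uk"},
]


def escape_filter_value(value):
    """RFC 4515 section 3: hex-escape characters that are special inside a filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def unescape_filter_value(value):
    """Reverse of escape_filter_value: turn \\XX sequences back into characters."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_filter(template, user):
    """Substitute the typed login into the template, escaped so it stays a literal."""
    return template.replace("{user}", escape_filter_value(user))


def parse_filter(text):
    """Minimal parser: (&...), (|...), (!...) and (attr=value) equality items.
    Returns nested tuples: ('|', [children]) or ('=', attr, value)."""
    pos = 0

    def skip_ws():
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1

    def node():
        nonlocal pos
        skip_ws()
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        skip_ws()
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            skip_ws()
            while text[pos] == "(":
                children.append(node())
                skip_ws()
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return (op, children)
        # Equality item: an escaped value never contains a raw ')', so the next
        # ')' is the end of this item.
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if not sep:
            raise ValueError("only attr=value items are supported")
        pos = end + 1
        return ("=", attr.strip(), unescape_filter_value(value))

    tree = node()
    skip_ws()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry (exact, case-insensitive match;
    '*' is treated literally, so no wildcard support)."""
    attrs = {k.lower(): v for k, v in entry.items()}
    kind = tree[0]
    if kind == "=":
        _, attr, value = tree
        return attrs.get(attr.lower(), "").lower() == value.lower()
    children = tree[1]
    if kind == "&":
        return all(matches(c, entry) for c in children)
    if kind == "|":
        return any(matches(c, entry) for c in children)
    return not matches(children[0], entry)  # '!'


def find_users(template, login, entries=SAMPLE_ENTRIES):
    """Return the sAMAccountNames that the substituted filter selects."""
    tree = parse_filter(build_filter(template, login))
    return [e["sAMAccountName"] for e in entries if matches(tree, e)]


if __name__ == "__main__":
    for login in ("dperry", "dperry@example.ac.uk", "d.perry@example.ac.uk"):
        print(login, "->", find_users(USER_FILTER_TEMPLATE, login),
              find_users(USER_FILTER_WITH_MAIL, login))
```

Running it shows the third login (the mail address) only resolves with the template that includes the mail attribute; if more than one entry came back for a login the IdP would have an ambiguous match, so any attribute added to the OR should be unique per account.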
