Tuesday Tip by Vijay Masurkar, Principal Support Engineer, for 1-15-13
A certificate mapping defines how the Policy Server uses the Subject Name from the user certificate to locate a SiteMinder user in a user directory and then authenticate that user. You can use custom mapping expressions for complex multiple attribute mapping. This allows you to specify multiple user attributes that should be extracted from a user DN to establish a certificate mapping. The syntax for a custom mapping expression is a parsing specification designed to enable full mapping flexibility. It indicates which information to take from the certificate and where it should be applied to in the user directory. The basic syntax is as follows:
UserAttribute=%{CertificateAttribute}, UserAttribute2=%{CertificateAttribute}
For example, If a user’s certificate contains:
SubjectDN: CN=John Smith, UID=JSMITH, OU=development, O=CompanyA
You can specify the following custom mapping as below:
CN=%{UID}, OU=%{OU}, O=%{O}
The custom expression is sensitive to extraneous characters. Following is an example causing a failure in authentication for a custom mapping expression when it’s used in parentheses : (UID=%{CN})
The entry in the policy server trace log will look like this when using (UID=%CN)) in the custom mapping field in the Certficate Mapping pane and authetication will fail:
[06/29/2012][10:06:36][12:06:26][3520][35][SmAuthCert.cpp:2848][ApplyMapToLDAPRules][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][map subjectDN (C=US,ST=Massachusetts,L=Framingham,O=CA,OU=Support,CN=JSRose,E=D1@ca.com) using string: '((UID=%{CN}))']
If the custom mapping is defined as UID=%{CN}, i.e. without parentheses, in the Certificate Mapping pane's custom expression field and the registry switch ‘EnableCustomExprOnly’ is enabled, the issue is resolved.
What is the purpose of ‘EnableCustomExprOnly’, you may ask. To omit the User DN Lookup Start and End strings from the search query. So, you navigate to \Netegrity\SiteMinder\CurrentVersion\PolicyServer\ and set the EnableCustomExprOnly registry key to 1.
The custom mapping syntax also handles more complex mappings. If the user’s certificate contains:
Subject DN: CN=John Smith + UID=jsmith +EMAIL=jsmith@companyA.com, ou=development, o=companyA
You can specify the following custom mapping: CN=%{CN.CN}+UID=%{CN.UID}, OU=%{O}. And, the resulting UserDN is: CN=John Smith+UID=JSMITH, OU=companyA
See the Policy Server Configuration Guide to learn further details on the Certficate Mapping feature; and, specifically, the X.509 Client Authentication Schemes referred in this note.