I would like to create a policy that requires the request to contain a particular client certificate.
I created a policy containing an assertion "Require SSL or TLS Transport with Client Certificate Authentication". When we send a request without a certificate, the request is rejected. It works fine with a valid certificate. However, it appears that any valid certificate is accepted. I would like to limit which certificates are accepted. Ideally I would do this in the "Require SSL" assertion.
Lacking the ability to limit the request to particular certificates, I tried to examine the certificate and match on attributes such as subject.CN. I added an assertion "Extract Attributes from Certificate". However, this assertion always evaluates to false. I cannot examine the certificate even though I can only reach the assertion if the request contains a certificate.
Any suggestions on why "Extract Attributes from Certificate" always evaluates to false?
Is there a different approach to limiting access to a policy by certificate?