Tech Tip: CA Single Sign-On: How to handle certificate authentication when UID is mapped to UserID or Email Address?

Discussion created by Patrick-Dussault Employee on Jan 2, 2017

Issue :


I have two types of certificates in my company: one with "UserID" in the certificate Subject, and one with "Email Address" in the certificate Subject.
When a user whose certificate Subject contains "Email Address" tries to authenticate, the authentication fails. The Policy Server doesn't find the user in the User Directory, because the User Directory is configured with the UID attribute mapped to "UserID" and not to "Email Address".


Environment :


Policy Server R12.52 SP1


Cause :


By default, a User Directory definition provides only one attribute mapping for the UID, so a single User Directory can match the certificate Subject against only one user attribute (here "UserID"), and a Subject that carries only an "Email Address" never matches.


Solution :


A quick workaround is to configure a second User Directory definition, identical to the first (same directory server and search root) except that its UID attribute is mapped to "Email Address", and to add it to the Policy Domain after the first one. The Policy Server searches the User Directories of the Policy Domain in order: when the user is not found in the first User Directory, where the UID is mapped to the certificate "UserID", it looks in the second User Directory, where the UID is mapped to the "Email Address", and the user is found there. Before configuring the mapping, check what each certificate type actually carries in its Subject (for example with `openssl x509 -noout -subject`), since the attribute name used for the e-mail address in the Subject must match the attribute the second User Directory's UID is mapped to.
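The lookup order described above, as an added illustration that is not part of the original tech tip and not Policy Server code: a constructed model in which each User Directory definition declares which user attribute its UID is mapped to, the certificate Subject is parsed into its attributes, and the directories are tried in order until one matches. The directory names (`UD-UserID`, `UD-Email`), the user records and the Subject strings are all made up for the example. It also goes one step beyond the text by showing that the same Email-Address certificate fails when only the first directory is configured, which is the situation in the Issue section.

```python
"""Model of the two-User-Directory workaround (constructed example, not product code)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample user store. In the workaround both User Directory
# definitions point at the same LDAP server, so one store serves both.
USER_STORE: List[Dict[str, str]] = [
    {"uid": "jsmith", "mail": "john.smith@example.com", "cn": "John Smith"},
    {"uid": "adoe", "mail": "alice.doe@example.com", "cn": "Alice Doe"},
]

# Hypothetical User Directory definitions. "uid_mapped_to" is the user-store
# attribute the definition's UID is mapped to. The list order models the
# order of the User Directories in the Policy Domain: first match wins.
USER_DIRECTORIES: List[Dict[str, str]] = [
    {"name": "UD-UserID", "uid_mapped_to": "uid"},
    {"name": "UD-Email", "uid_mapped_to": "mail"},
]

# Which Subject RDN type corresponds to which user-store attribute.
# openssl prints the e-mail RDN as "emailAddress"; older tools print "E".
SUBJECT_TO_STORE_ATTR: Dict[str, str] = {
    "UID": "uid",
    "EMAILADDRESS": "mail",
    "E": "mail",
}


def parse_subject(subject: str) -> Dict[str, str]:
    """Parse a comma-separated Subject DN such as
    'CN=John Smith,UID=jsmith,O=Example' into {RDN_TYPE: value}.
    A comma escaped as '\\,' is kept inside the value. RDN types are
    upper-cased so 'emailAddress' and 'EMAILADDRESS' compare equal."""
    attrs: Dict[str, str] = {}
    for rdn in re.split(r"(?<!\\),", subject):
        if "=" not in rdn:
            continue
        rdn_type, value = rdn.split("=", 1)
        attrs[rdn_type.strip().upper()] = value.strip().replace("\\,", ",")
    return attrs


def lookup(subject: str,
           directories: Optional[List[Dict[str, str]]] = None
           ) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (directory name, user record) for the first User Directory
    whose UID mapping matches an attribute present in the Subject, or
    None when no directory finds the user. Directories are tried in the
    given order; a miss in one simply falls through to the next."""
    if directories is None:
        directories = USER_DIRECTORIES
    attrs = parse_subject(subject)
    for directory in directories:
        store_attr = directory["uid_mapped_to"]
        # Pick the Subject value that this directory's UID mapping would use.
        value = next((v for t, v in attrs.items()
                      if SUBJECT_TO_STORE_ATTR.get(t) == store_attr), None)
        if value is None:
            continue  # Subject carries no attribute this directory can key on
        # LDAP uid and mail use case-insensitive matching, so compare lower-cased.
        for user in USER_STORE:
            if user.get(store_attr, "").lower() == value.lower():
                return directory["name"], user
    return None


if __name__ == "__main__":
    for subj in ("CN=John Smith,UID=jsmith,O=Example",
                 "CN=Alice Doe,emailAddress=alice.doe@example.com,O=Example"):
        print(subj, "->", lookup(subj))
        print("  first directory only ->", lookup(subj, USER_DIRECTORIES[:1]))
```

With both directories configured, the UserID certificate is resolved by `UD-UserID` and the Email Address certificate by `UD-Email`; with only the first directory configured, the Email Address certificate is not resolved at all, which is the failure the Issue section describes.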


KB: TEC1074295