SiteMinder's Certificate Mapping & Custom Mapping Expression

Document ID : KB000011446
Last Modified Date : 14/02/2018
Introduction:

A certificate mapping defines how the Policy Server uses the Subject Name from the user certificate to locate a CA SSO user in a user directory and then authenticate that user. You can use custom mapping expressions for complex multiple attribute mapping. This allows you to specify multiple user attributes that should be extracted from a user DN to establish a certificate mapping.

Question:

How do you set up a custom mapping expression for Certificate Authentication Schemes?


Environment:

Supported versions of Policy Server, Web Server with Agent and Certificate Authentication Schemes.

Answer:

The syntax for a custom mapping expression is a parsing specification designed to give full mapping flexibility. It indicates which information to take from the certificate and which user directory attribute each value should be applied to. The basic syntax is as follows:

UserAttribute=%{CertificateAttribute}, UserAttribute2=%{CertificateAttribute}

For example, if a user's certificate contains:
SubjectDN: CN=John Smith, UID=JSMITH, OU=development, O=CompanyA

You can specify the following custom mapping:
CN=%{UID}, OU=%{OU}, O=%{O}

The custom expression is sensitive to extraneous characters. For example, authentication fails when the custom mapping expression is wrapped in parentheses: (UID=%{CN})

When (UID=%{CN}) is entered in the custom mapping field of the Certificate Mapping pane, the Policy Server trace log shows an entry like the following and authentication fails:

[06/29/2012][10:06:36][12:06:26][3520][35][SmAuthCert.cpp:2848][ApplyMapToLDAPRules][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][map subjectDN (C=US,ST=Massachusetts,L=Framingham,O=CA,OU=Support,CN=JSRose,
E=D1@ca.com)  using string: '((UID=%{CN}))']

If the custom mapping is defined as UID=%{CN}, i.e. without parentheses, in the Certificate Mapping pane's custom expression field and the registry switch ‘EnableCustomExprOnly’ is enabled, the issue is resolved.

What is the purpose of ‘EnableCustomExprOnly’, you may ask. It omits the User DN Lookup Start and End strings from the search query. To enable it, navigate to \Netegrity\SiteMinder\CurrentVersion\PolicyServer\ and set the EnableCustomExprOnly registry key to 1.

The custom mapping syntax also handles more complex mappings. If the user's certificate contains:
Subject DN: CN=John Smith + UID=jsmith+EMAIL=jsmith@companyA.com, ou=development, o=companyA

You can specify the following custom mapping: CN=%{CN.CN}+UID=%{CN.UID}, OU=%{O}. The resulting UserDN is: CN=John Smith+UID=JSMITH, OU=companyA
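The following Python script is an added illustration, not SiteMinder code and not taken from this article, that models the three things described above: the %{CertificateAttribute} substitution in the basic syntax, the dotted %{CN.UID} notation for a multi-valued RDN, and why a custom expression wrapped in parentheses produces the doubled '((UID=%{CN}))' string seen in the trace log. The functions parse_subject_dn, resolve_reference, apply_mapping, build_search_string and extraneous_wrapping are hypothetical names; the assumption that the User DN Lookup Start and End strings are '(' and ')' and are wrapped around the expression unless EnableCustomExprOnly is set is mine, chosen to reproduce the log line, and the subject DNs used as input are the constructed examples from this article. Note that the article shows the resulting UID of the complex example in upper case; this illustration copies the value exactly as it appears in the certificate.

```python
import re

# Added illustration (not SiteMinder code): a small model of how a custom
# mapping expression turns a certificate Subject DN into a user DN, and of
# why extraneous parentheses in the expression break the search.


def parse_subject_dn(subject_dn):
    """Split a Subject DN into an ordered list of RDNs.

    Each RDN is a dict of ATTRIBUTE -> value. A multi-valued RDN such as
    'CN=John Smith + UID=jsmith' yields one dict with both keys. Commas
    separate RDNs and '+' separates the attributes inside one RDN.
    Simplification (assumption): no support for escaped commas or plus signs.
    """
    rdns = []
    for rdn_text in subject_dn.split(","):
        avas = {}
        for ava in rdn_text.split("+"):
            attr, sep, value = ava.partition("=")
            if not sep:
                raise ValueError(f"malformed attribute/value pair: {ava!r}")
            avas[attr.strip().upper()] = value.strip()
        rdns.append(avas)
    return rdns


def resolve_reference(rdns, reference):
    """Resolve the name inside %{...}.

    %{UID}    -> value of UID in the first RDN that carries it.
    %{CN.UID} -> value of UID inside the multi-valued RDN whose first
                 attribute is CN (the article's notation for 'CN=... + UID=...').
    """
    parts = [p.upper() for p in reference.split(".")]
    if len(parts) == 1:
        for rdn in rdns:
            if parts[0] in rdn:
                return rdn[parts[0]]
    elif len(parts) == 2:
        head, member = parts
        for rdn in rdns:
            if next(iter(rdn)) == head and member in rdn:
                return rdn[member]
    raise KeyError(f"certificate attribute {reference!r} not found in subject DN")


def apply_mapping(subject_dn, expression):
    """Replace every %{CertificateAttribute} in the expression with the value
    taken from the certificate, producing the user DN to look up."""
    rdns = parse_subject_dn(subject_dn)
    return re.sub(r"%\{([^}]+)\}", lambda m: resolve_reference(rdns, m.group(1)), expression)


def build_search_string(expression, lookup_start="(", lookup_end=")", custom_expr_only=False):
    """Model (assumption, not the Policy Server's actual code) of how the
    search string is assembled: unless EnableCustomExprOnly is set, the User
    DN Lookup Start and End strings are wrapped around the custom expression.
    The '(' and ')' defaults are constructed sample values."""
    if custom_expr_only:
        return expression
    return f"{lookup_start}{expression}{lookup_end}"


def extraneous_wrapping(expression):
    """Flag the failure the article describes: a custom expression that is
    itself wrapped in parentheses. Returns True when the stripped expression
    starts with '(' and ends with ')'."""
    e = expression.strip()
    return e.startswith("(") and e.endswith(")")


if __name__ == "__main__":
    # Constructed inputs taken from the examples in this article.
    print(apply_mapping("CN=John Smith, UID=JSMITH, OU=development, O=CompanyA",
                        "CN=%{UID}, OU=%{OU}, O=%{O}"))
    print(apply_mapping("CN=John Smith + UID=jsmith+EMAIL=jsmith@companyA.com, ou=development, o=companyA",
                        "CN=%{CN.CN}+UID=%{CN.UID}, OU=%{O}"))
    bad = "(UID=%{CN})"
    print(extraneous_wrapping(bad), build_search_string(bad))  # True ((UID=%{CN}))
    print(build_search_string("UID=%{CN}", custom_expr_only=True))  # UID=%{CN}
```

Running the script shows the two mapped user DNs from the article, then that the parenthesised expression is flagged and, once wrapped by the lookup strings, becomes the doubled-parenthesis form from the trace log, while the unwrapped expression with custom_expr_only=True passes through unchanged. extraneous_wrapping is the kind of check worth running over a mapping before saving it, since the Policy Server only reveals the problem as a failed authentication in the trace log.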

Additional Information:

See the Policy Server's Certificate Mapping for Authentication Scheme sections in the product documentation for further details on the Certificate Mapping feature and, specifically, the X.509 Client Authentication Schemes referred to in this note.