Layer7 Access Management


SiteMinder's Certificate Mapping & Custom Mapping Expression

  • 1.  SiteMinder's Certificate Mapping & Custom Mapping Expression

    Posted 01-15-2013 05:31 PM

    Tuesday Tip by Vijay Masurkar, Principal Support Engineer, for 1-15-13

    A certificate mapping defines how the Policy Server uses the Subject Name from the user certificate to locate a SiteMinder user in a user directory and then authenticate that user. You can use custom mapping expressions for complex multiple-attribute mapping. This allows you to specify multiple user attributes that should be extracted from a user DN to establish a certificate mapping. The syntax for a custom mapping expression is a parsing specification designed to enable full mapping flexibility. It indicates which information to take from the certificate and where it should be applied in the user directory. The basic syntax is as follows:

    UserAttribute=%{CertificateAttribute}, UserAttribute2=%{CertificateAttribute}

    For example, if a user’s certificate contains:
    SubjectDN: CN=John Smith, UID=JSMITH, OU=development, O=CompanyA

    You can specify the following custom mapping as below:
    CN=%{UID}, OU=%{OU}, O=%{O}

    The custom expression is sensitive to extraneous characters. The following is an example of a custom mapping expression that causes an authentication failure when it is used in parentheses: (UID=%{CN})

    The entry in the policy server trace log will look like this when (UID=%{CN}) is used in the custom mapping field in the Certificate Mapping pane, and authentication will fail:

    [06/29/2012][10:06:36][12:06:26][3520][35][SmAuthCert.cpp:2848][ApplyMapToLDAPRules][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][map subjectDN (C=US,ST=Massachusetts,L=Framingham,O=CA,OU=Support,CN=JSRose,E=D1@ca.com)  using string: '((UID=%{CN}))']

    If the custom mapping is defined as UID=%{CN}, i.e. without parentheses, in the Certificate Mapping pane's custom expression field and the registry switch ‘EnableCustomExprOnly’ is enabled, the issue is resolved.

    What is the purpose of ‘EnableCustomExprOnly’, you may ask. To omit the User DN Lookup Start and End strings from the search query. So, you navigate to \Netegrity\SiteMinder\CurrentVersion\PolicyServer\ and set the EnableCustomExprOnly registry key to 1.

    The custom mapping syntax also handles more complex mappings. If the user’s certificate contains:
    Subject DN: CN=John Smith + UID=jsmith + EMAIL=jsmith@companyA.com, ou=development, o=companyA

    You can specify the following custom mapping: CN=%{CN.CN}+UID=%{CN.UID}, OU=%{O}. The resulting UserDN is: CN=John Smith+UID=JSMITH, OU=companyA

    See the Policy Server Configuration Guide for further details on the Certificate Mapping feature and, specifically, the X.509 Client Authentication Schemes referred to in this note.



  • 2.  RE: SiteMinder's Certificate Mapping & Custom Mapping Expression

    Posted 01-16-2013 08:00 PM
    Thanks for the tip Vijay! :grin:


  • 3.  Re: SiteMinder's Certificate Mapping & Custom Mapping Expression

    Posted 05-26-2015 04:21 PM

    Certificate Subject Name:

    Common name: apaulgc@xyz.com

     

    SAMACCOUNT NAME/cn in user directory is = apaulgc



    What should be the certificate mapping now?



  • 4.  Re: SiteMinder's Certificate Mapping & Custom Mapping Expression

    Posted 09-14-2015 01:56 PM

    Hi Vijay,

     

    My client certificate can contain "str123" or "str123-mpos" as CN. But my uid in the user store is just "str123".

     

    Is there a mapping method to trim the "-mpos" from the certificate CN (if it exists) and authenticate the user against the user store?

     

    Thanks

    Ashok



  • 5.  Re: SiteMinder's Certificate Mapping & Custom Mapping Expression

    Posted 01-15-2016 03:33 PM

    Not sure if you ever found a solution but the Advanced Certificate Authentication module shows that you can use regular expressions in the custom mapping.

     

    "Expressions bracketed by %{…} will be interpreted as macros for extracting data from the certificate. The value of a macro can be modified using regular expression search and replace using the following syntax: %{…}.Replace(RE, replacement_expression) or %{…}.GlobalReplace(RE, replacement_expression)"

     

    Here is the example they provide:

     

    DNsearch=uid=%{DN.CN}.Replace([\^(]*\\\(\([0-9]*\)\\\),\\1), ou=internal, ou=person, o=UBS, c=CH, o=netegrity.com
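The macro syntax from the first post (%{attr} and %{RDN.attr} for multi-valued RDNs) and the Replace/GlobalReplace modifier quoted above, modelled in Python as an added example; this is not code from this thread or from CA/Broadcom, and the subject DNs in it are constructed. It assumes Python's `re` dialect for the RE and replacement arguments (the product's own dialect, judging by the `\( \)` groups in the quoted example, may differ) and splits the two arguments on the first unescaped comma. The `check_user_dn` helper reproduces the first post's failure mode: parentheses around the expression are copied through into the resulting user DN.

```python
"""Toy model of SiteMinder-style custom certificate mapping expressions.
Added example, not product code. Assumes Python's `re` dialect for Replace()."""
import re
from typing import Dict, List, Tuple

# Constructed sample subjects, not real certificates.
SUBJECT_SIMPLE = "CN=John Smith, UID=JSMITH, OU=development, O=CompanyA"
SUBJECT_MULTI = "CN=John Smith+UID=jsmith+EMAIL=jsmith@companyA.com, ou=development, o=companyA"

_MACRO = re.compile(r"%\{([A-Za-z0-9.]+)\}")
_CALL = re.compile(r"\.(Global)?Replace\(")
_RDN_OK = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split on `sep` except where it is backslash-escaped (RFC 2253 style)."""
    out, cur, esc = [], [], False
    for ch in s:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == sep:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur))
    return out


def parse_subject_dn(dn: str) -> Dict[str, str]:
    """Map upper-cased attribute names to values. Each RDN is split on '+',
    so CN=a+UID=b is reachable flat (%{UID}) and qualified by the RDN's
    first attribute (%{CN.UID}), as in the post's CN=%{CN.CN}+UID=%{CN.UID}."""
    attrs: Dict[str, str] = {}
    for rdn in _split_unescaped(dn, ","):
        first = None
        for part in _split_unescaped(rdn, "+"):
            name, _, value = part.strip().partition("=")
            name, value = name.strip().upper(), value.strip()
            if first is None:
                first = name
            attrs.setdefault(name, value)       # first occurrence wins
            attrs[f"{first}.{name}"] = value
    return attrs


def _balanced(expr: str, start: int) -> Tuple[str, int]:
    """Text up to the ')' closing an already-consumed '(', plus the index past it."""
    depth, esc = 1, False
    for i in range(start, len(expr)):
        ch = expr[i]
        if esc:
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return expr[start:i], i + 1
    raise ValueError("unterminated Replace(...) in mapping expression")


def expand_mapping(expr: str, attrs: Dict[str, str]) -> str:
    """Substitute every %{...} macro, applying a trailing Replace/GlobalReplace.
    Text outside the macros, stray parentheses included, is copied verbatim."""
    out, pos = [], 0
    while True:
        m = _MACRO.search(expr, pos)
        if m is None:
            out.append(expr[pos:])
            return "".join(out)
        out.append(expr[pos:m.start()])
        name = m.group(1).upper()
        if name not in attrs:
            raise KeyError(f"certificate subject has no attribute {m.group(1)}")
        value, pos = attrs[name], m.end()
        call = _CALL.match(expr, pos)
        if call:
            body, pos = _balanced(expr, call.end())
            args = _split_unescaped(body, ",")      # first unescaped comma splits RE from replacement
            if len(args) < 2:
                raise ValueError(f"Replace needs (RE, replacement): {body!r}")
            pattern, repl = args[0], ",".join(args[1:])
            value = re.sub(pattern, repl, value, count=0 if call.group(1) else 1)
        out.append(value)


def check_user_dn(user_dn: str) -> List[str]:
    """Return components that are not 'attr=value' (empty list means well formed).
    The '(' ')' from a mapping like (UID=%{CN}) survive expansion and land here."""
    bad = []
    for rdn in _split_unescaped(user_dn, ","):
        for part in _split_unescaped(rdn, "+"):
            if not _RDN_OK.match(part.strip()):
                bad.append(part.strip())
    return bad


if __name__ == "__main__":
    print(expand_mapping("CN=%{CN.CN}+UID=%{CN.UID}, OU=%{O}", parse_subject_dn(SUBJECT_MULTI)))
    # Trim an optional "-mpos" suffix from the CN, the question asked a few posts up.
    print(expand_mapping("uid=%{CN}.Replace(-mpos$,), ou=people, o=CompanyA",
                         parse_subject_dn("CN=str123-mpos, O=CompanyA")))
    print(check_user_dn(expand_mapping("(UID=%{CN})", parse_subject_dn(SUBJECT_SIMPLE))))
```

The same Replace form answers the earlier question about a CN of the form "apaulgc@xyz.com": `sAMAccountName=%{CN}.Replace(@.*$,), ...` drops everything from the "@" onward before the directory lookup. Whatever the product's actual regex dialect, the value is only ever trimmed from the certificate, so the Policy Server still has to find exactly one directory entry for the result; a mapping that could collapse two distinct CNs onto one account should be rejected at design time.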



  • 6.  Re: SiteMinder's Certificate Mapping & Custom Mapping Expression

    Posted 04-06-2016 03:33 PM

    Hi There,

    Is there a way to strip four characters out from a NameID Attribute within a Federation Partnership?

    I need to remove the first four characters from the NameID Value, which is AD's EmployeeID and has an alphanumeric value, e.g. "ABC-123456". Within the Assertion configuration, I can only send the number "123456", stripping the "ABC-". I have looked up everywhere and could not find any help.

    Any assistance is greatly appreciated.

    Thank you,

    Sowmya



  • 7.  Re: SiteMinder's Certificate Mapping & Custom Mapping Expression

     
    Posted 04-06-2016 05:05 PM
    1. Build a named expression.
      1. #IDNumOnly
      2. Use the expression: AFTER(EmployeeID,'-')
    2. Create an attribute mapping on the user directory
      1. IDNumOnly
      2. Selection expression:  The definition should reference the Named Expression: #IDNumOnly
    3. Use IDNumOnly as the name of the attribute to send.