Blog Viewer

Tech Tip : CA Single Sign-On :: Policy Server::X509 Cert mapping for ODBC user store

By Ujwol posted 07-24-2016 08:12 PM

  

Introduction:

How to configure X509 certificate mapping for ODBC user store (e.g MSSQL, Oracle Database etc.)?

 

Environment:

Policy Server : ANY

User Store :  ODBC - ANY

 

Instructions:

Step 1. Note the Issuer DN from the user certificate.

 

Step 2.   Create certificate mapping.

Specify the exact Issuer DN from the user certificate.

Specify Directory Type as ODBC

Select  Single Attribute mapping and choose the Attribute Name that needs to be mapped from the certificate.

For e.g. choose CN (Common Name) for the mapping from the certificate.

Step 3.  Adjust the SQL Schema for the ODBC directory as required. The default SQL schema uses "Name" parameter for user Init as highlighted in the query below.

For e.g. The default InitUser query is : SELECT NAME FROM <DataSource> Where Name = '%s%'       

Here, the place holder %s% will be replaced by the mapped attribute extracted from the user's certificate Subject DN.

 

 

 

For e.g. for the below user's certificate , as the "CN" attribute is mapped in the "Cert Mapping" , the CN value  "Guest"   is extracted and replaced in the %S% place holder in the user Init Sql query as below :

SELECT NAME FROM <DataSource> Where Name = 'Guest'

   

Sample Log

===========

[Certificate's Issuer DN found in mapping rules][][][][][][][][][][][C=AU,ST=NSW,L=Sydney,O=CA,OU=Support,CN=RootCA,E=rootca@ca.com]

..

 

[map subjectDN (C=AU,ST=NSW,L=Melbourne,O=CA,OU=Dev,CN=Guest,E=guest@ca.com)  using string: '(%{CN})']

..

..

[Name is (CN.CN) Value is (Guest)]

..

[SmAuthenticate][][][][Guest][][][][][][][][][Sm_AuthApi_Success][][][][][][][][Will be authenticating user.]

..

[CDb.cpp:204][CSmRecordset::DoSelect][][][][][][][][][][][][][][][][][][][][][Start processing SQL statement.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][SELECT Name FROM SmUser WHERE Name = 'Guest'][][][][][][][][]

 

Additional Information:

N/A

1 comment
0 views