I would like to create a policy that requires the request to contain a particular client certificate.
I created a policy containing an assertion "Require SSL or TLS Transport with Client Certificate Authentication". When we send a request without a certificate, the request is rejected. It works fine with a valid certificate. However, it appears that any valid certificate is accepted. I would like to limit which certificates are accepted. Ideally I would do this in the require SSL assertion.
Lacking the ability to limit the request to particular certificates, I tried to examine the certificate and match on attributes such as subject.CN. I added an assertion "Extract Attributes from Certificate". However, this assertion always evaluates to false. I cannot examine the certificate even though I can only reach the assertion if the request contains a certificate.
Any suggestions on why "Extract Attributes from Certificate" always evaluates to false?
Is there a different approach to limiting access to a policy by certificate?
As you have found out, the assertion "Require SSL or TLS Transport with Client Certificate Authentication" will only check for a certificate. You need to combine this with more policy logic to authenticate and/or authorise it. For example, the 'Authenticate Against Identity Provider' assertion can be placed afterwards and you can match the cert to one stored against a user in an identity provider.
There are a number of other options depending on what you are authenticating against.
Thanks for the very quick response. The scenario we would like to implement is that a request will contain a client certificate. We do not need to require the user to log in. You stated, "You need to combine this with more policy logic to authenticate and or authorise it." I am looking for a mechanism to authenticate the certificate. I thought that either of the assertions "Extract Attributes from Certificate" or "Look Up Trusted Certificate by Name" would do the trick. However, both of those assertions always fail. Any additional ideas?
Figured it out. Needed to create a user on the internal identity provider with the same name as the certificate CN.
The other option is to create a Federated Identity Provider with a user as well, used with the authenticate against an identity provider or user/group assertion.
Director, CA Support
Do we have any documentation on how to create a user on the internal identity provider with the same name as the certificate CN,
and how to create the certs, private keys and sign them?
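As an added example that is not part of this thread and not CA/Layer7 code: the steps discussed above, done with plain openssl so they can be tried outside the gateway. It creates a private CA, signs client certificates whose subject CN names a user (alice, mallory), and also makes a self-signed certificate that claims CN=alice but was not issued by that CA. The CA name, the user names and the allow-list ALLOWED_CNS are constructed; the allow-list stands in for the users you would define in the internal identity provider, and authorize_cert mirrors the policy logic the replies describe: a valid chain alone is not enough, the CN must also match a known user.

```shell
#!/bin/sh
# Added example: a private CA, two client certificates and a CN allow-list check.
# Names and the allow-list are constructed for this demonstration.
set -eu

WORK=$(mktemp -d)
# Constructed stand-in for the users defined in the gateway's internal identity provider
ALLOWED_CNS="alice svc-billing"

# Issue a self-signed CA plus client certs whose subject CN names the user.
make_ca_and_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Constructed Example CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

  for user in alice mallory; do
    openssl req -newkey rsa:2048 -nodes \
      -subj "/CN=$user" \
      -keyout "$WORK/$user.key" -out "$WORK/$user.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$WORK/$user.csr" \
      -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
      -out "$WORK/$user.crt" >/dev/null 2>&1
  done

  # A self-signed cert that also claims CN=alice but was not issued by our CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=alice" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue-alice.crt" >/dev/null 2>&1
}

# Print the subject CN of a PEM certificate (the attribute the policy would compare).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Is this CN one of the known users?
is_allowed_cn() {
  for name in $ALLOWED_CNS; do
    [ "$name" = "$1" ] && return 0
  done
  return 1
}

# The decision: the chain must lead to our CA, and the CN must name a known user.
# Returns 0 when accepted, 1 when rejected.
authorize_cert() {
  cert=$1
  openssl verify -CAfile "$WORK/ca.crt" "$cert" >/dev/null 2>&1 || return 1
  cn=$(cert_cn "$cert")
  [ -n "$cn" ] || return 1
  is_allowed_cn "$cn"
}

make_ca_and_certs

for c in alice mallory rogue-alice; do
  if authorize_cert "$WORK/$c.crt"; then
    echo "$c.crt: accepted (CN=$(cert_cn "$WORK/$c.crt"))"
  else
    echo "$c.crt: rejected"
  fi
done
```

Run as-is: alice.crt is accepted, mallory.crt is rejected because its CN is not a known user even though the chain is valid, and rogue-alice.crt is rejected because openssl verify cannot chain it to the CA, regardless of the CN it carries. The chain check comes first on purpose: comparing the CN of an untrusted certificate proves nothing, since anyone can put CN=alice in a certificate they sign themselves.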