Symantec Access Management

Expand all | Collapse all

Certificate mapping question

  • 1.  Certificate mapping question

    Posted 09-15-2015 12:02 AM

    Need experts suggestion on the below scenario for Client Certification Authentication:

     

    Users are having 2 types of certificate DN's based on the device which they use, for example:

     

    Cert Type:1  CN=str1234,OU=global,DC=test,DC=com

     

    Cert Type:2  CN=str1234-mpos,OU=global,DC=test,DC=com

     

    But the user store contains the user ID as "str1234" without "-mpos", is there a way i can strip off the "-mpos" in the attribute mapping and authenticate the user as "str1234" ?



  • 2.  Re: Certificate mapping question

    Posted 09-15-2015 10:42 AM

    Ashok ashokpearl

     

     

    Approach-1 : Within SiteMinder

    • One solution would be to use Custom Authentication Scheme Template. Here we are trying to merge two auth scheme functionalities i.e. Certificate Authentication Scheme and SMWALKER authentication wedge.
    • Use SMWALKER as the authentication scheme wedge, which would strip off matching pattern before doing the disambiguation process.
    • Now the Custom Authentication Scheme would need to have the FCC URL as same URL as for Certificate Authentication Scheme.

     

     

    Approach-2 : Outside of SiteMinder (SM only calls the Query, Function, Procedure).

    i.e. if you are using an ODBC User Store.

    • Write a wrapper around the authentication SQL Query (Function / Procedure).
    • We have one 'generic / reusable' Function / Procedure that does pure Username / Password match.
    • We Write a wrapper (another Function / Procedure that invokes the 'generic / reusable' Function / Procedure. The Wrapper does the job of pattern matching and stripping.
    • This would ensure, if there are usecase where regular authenticate call needs to occur we could reuse the 'generic / reusable' Function / Procedure.

     

    Certainly needs to be proved via a quick PoC. However note, doing this means this functionality would be applicable to all users trying to login.

     

     

    Regards

     

    Hubert



  • 3.  Re: Certificate mapping question

    Posted 09-15-2015 01:38 AM

    For CA Directory, there is no way of achieving this kind of identity mapping, the only alternatives are:

    * Creating separate identities in directory

    * Sharing certificates between devices

    * Enabling "set ssl-auth-bypass-entry-check = true;"

     

    I'm assuming that the authentication is occurring at a higher layer of the product stack.