Doing it that way kind of locks you into only that format, so wouldn't be extensible to other DN formats. Depending on the 'order' of the DN should be able to just build it straight from the Issuer and Subject DNs. In our case we have to split and reverse it which adds a bit extra (maybe someone knows another way to easily do that?). Can't really share our full policy itself here, but the idea is that:
Build Issuer DN
* Split request.ssl.clientCertificate.issuer into Issuer on \s*,\s*
* Set context var revIssuer as string to empty (placeholder)
* Run assertion for each item of ${Issuer} as ${Issuer.attribute}
  - Set var revIssuer as string to ${Issuer.attribute},${revIssuer}
* Evaluate Regular Expression ",$" on revIssuer and replace with nothing <-- removes trailing comma

Build Subject
* Set var origSubject as string ${request.ssl.clientCertificate.subject}
* Evaluate Regular Expression "\s*\+\s*" on origSubject and replace with a space <-- use a space char in replacement so the encoded + becomes an actual space
* Split origSubject into modSubject on \s*,\s*
* Set context var revSubject as string to empty <-- placeholder variable
* Run assertions for each item of modSubject as modSubject.attribute
  - Set context var revSubject as string to ${modSubject.attribute},${revSubject}
* Evaluate Regular Expression ",$" on revSubject and replace with nothing <-- removes trailing comma

Create ASI Value
* Set var altSecurityIdentity Expression: X509:<I>${revIssuer}<S>${revSubject}
Since it's built straight from the Issuer and Subject strings, it is extensible to all the strings coming in - at least we haven't really run into any that failed it yet. Biggest hassle was having to reverse and clean up the strings due to the direction the variables are set by the API GW versus what's actually stored in the Microsoft ASI attribute.
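The split-reverse-rebuild steps from the post above, as an added Python example that is not the gateway policy from this thread. It goes one step beyond the post by splitting only on unescaped commas, so an RDN value such as `O=Acme\, Inc.` survives the reversal; function names and the sample DNs are my own.

```python
import re

def split_rdns(dn: str) -> list[str]:
    """Split a DN into its RDNs on commas, honouring RFC 4514 backslash escapes.

    The gateway policy in the thread splits on \\s*,\\s*; this version also
    keeps an escaped comma (e.g. O=Acme\\, Inc.) inside its RDN.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep escape pair together
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":                            # unescaped comma: RDN boundary
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def reverse_dn(dn: str) -> str:
    """Rebuild the DN with RDN order reversed, joined by a plain comma.

    The gateway hands over the DN leaf-first (CN=..., ..., C=...); the value
    stored in altSecurityIdentities is root-first (C=..., ..., CN=...).
    """
    return ",".join(reversed(split_rdns(dn)))

def build_asi(issuer: str, subject: str) -> str:
    """Compose the X509:<I>issuer<S>subject value exactly as the post does."""
    # Same step as the post's "\s*\+\s*" -> single space on the subject only.
    subject = re.sub(r"\s*\+\s*", " ", subject)
    return f"X509:<I>{reverse_dn(issuer)}<S>{reverse_dn(subject)}"

if __name__ == "__main__":
    # Constructed sample DNs, in the leaf-first order the gateway variables use.
    issuer = "CN=Corp Issuing CA 1, OU=PKI, O=Example Corp, C=US"
    subject = "CN=John+Doe, OU=Staff, O=Example Corp, C=US"
    print(build_asi(issuer, subject))
```

Because AD compares the attribute as a plain string, the output must match the stored value byte for byte; the function deliberately emits no spaces after the commas, as the post's rebuild step does.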
Original Message:
Sent: 05-08-2020 09:04 AM
From: Sebastian van Voorn
Subject: ldap query using altSecurityIdentities
We want to look for a registered user in our #activedirectory using certificate info. Because it is #microsoft's standard, we use #altSecurityIdentities to search in AD.
We now define the altSecurityIdentities format with a variable (see attachment).
Is there an easier way to get to altSecurityIdentities?
Thanks for your response.
------------------------------
Sebastian van Voorn,
SR. System Engineer
RDW
------------------------------