I've been using client certificates as a form of 2 factor authentication for a while where the IVE just simply checked to make sure the user had a certificate that was signed by a Trusted Client CA. I want to take that a step further now and make sure that one of the fields (L, for Locality) is the same as the username they typed in to sign in (So User A can't steal User B's certificate and use it). Now I can get this to work fine with hard coded values in testing... but I can't seem to figure out the syntax for the IVE to check the L field against their entered username (the one it'll do rolemapping against).
Anyone have any experience in doing such a thing?
I've done something like this. In may case, I did not do certificate authentication but did use certificate restrictions at the realm level. Then, in my role mapping, I map a role using an expression like "user != certDn.serialNumber" (that is, the username used to sign on does not match a field on the certificate. The role that is selected by this rule tells the user that the field in the cert did not match the username, and does not allow the user to do anything.
I recommend using policy tracing to see the name of the field to compare to the user name.
Could you send me documentation or steps to use 2 factor authentication Local CA Root and then AD for authentication.