cancel
Showing results for 
Search instead for 
Did you mean: 

How to check Client Certificate fields in User Role > General > Restricitions > Certificate

SOLVED
henke_
Occasional Contributor

How to check Client Certificate fields in User Role > General > Restricitions > Certificate

Hello,

I am having trouble checking some specific client certificate fields under the User Role > General > Restrictions > Certificate.

I have NO problem checking certDn fields such as CN, OU, e.t.c.
Given certDn field
certDn.CN = "DOE, John"
In this case using
Certificate Field Expected Value
CN DOE, John

works fine.

I am, however, Not able to check certAttr.* or certIssuerDn.* fields.
For example
certIssuerDn.CN = "Issuing CA XX"
or
certAttr.altName.UPN = "[email protected]"

Those, I have not been able to check.

I should probably add that I am trying this on 6.5R5 on a SA6500 and 7.0R1 (DTE VA)

Anyone have an idea?

Thanks,

Henrik.

1 ACCEPTED SOLUTION

Accepted Solutions
henke_
Occasional Contributor

Re: How to check Client Certificate fields in User Role > General > Restricitions > Certifi

According to JTAC, only certDn.* and certAttr.* fields can be checked under Realm or Role Restrictions > Certificate .

Other certificate fields, in my case certIssuerDn.*, can only be used in Custom Expressions in Role Mappings.

What a shame.

"

Realm Cert restrictions would only be able to pull up details
mentioned in the Subject and Alternate Subject fields of the user certificate. Also,
within these fields, only the CN. OU, O, C and DC fields are
supported for the Realm level cert restriction checks. For all other fields, we would
suggest that you use the custom expressions at the role mapping level to allow/deny
users based on other cert attributes

View solution in original post

2 REPLIES 2
henke_
Occasional Contributor

Re: How to check Client Certificate fields in User Role > General > Restricitions > Certifi

JTAC case opened for this.

henke_
Occasional Contributor

Re: How to check Client Certificate fields in User Role > General > Restricitions > Certifi

According to JTAC, only certDn.* and certAttr.* fields can be checked under Realm or Role Restrictions > Certificate .

Other certificate fields, in my case certIssuerDn.*, can only be used in Custom Expressions in Role Mappings.

What a shame.

"

Realm Cert restrictions would only be able to pull up details
mentioned in the Subject and Alternate Subject fields of the user certificate. Also,
within these fields, only the CN. OU, O, C and DC fields are
supported for the Realm level cert restriction checks. For all other fields, we would
suggest that you use the custom expressions at the role mapping level to allow/deny
users based on other cert attributes

View solution in original post