Hi, after some testing together with JTAC, i have now more insight and an solution, that i wanted to share with you. To make sure that we are talking about the same, i wanted to glue a userid/pw that should be sent to a Win AD to some valaues of a user cert. in order to make sure that for company ABC every employee has to use their own cert and userid+pw rather than any mix of the above. insights: - not all cert variables are available for comparisons at any stage. Auth Policy: - only the "main" attribute values from the DN text are available at the pre-signin level (Users -> User Realm -> <NAME> -> Auth Policy -> Certificates -> Restrictions - At the aforemention level you can only check for the content of a variable , like O= ABC - but comparing two arbitrary variable's values does not work. User Role mapping: - here the comparison of two arbitrary variable's does work in general. - only a subset of variables can not be compared for whatever reason (for example, given your WinAD login name is [email protected]
, then your SA username would contain "firstname.lastname". The comparison of <certAttr.altName.Emailid> != <USERNAME> does not work, but here a explanation is missing why. - another rolemapping rule of the kind of "if certIssuer.DN != "ABC User CA" then don't do a role map. works just nicely at the rolemapping level. Solution: - create 2 auth servers: - primary: local cert server - 2ndary: Win AD, with userid field preset with <certAttr.altname.EmailID> and password to be specified at login page. Now this works, if the lefthand values of an users emailaddress does exist in the Win AD as a user AND their password do match on the WinAD. I do further checks on the rolemapping level: "if <certIssuerDN.CN != "My Company User CA" then no role map works quite nicely now. Thanks for your answers, i appreciate them.
... View more