Attribute Mapping for Client Certificates
When you set up an application for authentication with X.509 client certificates, each user must be associated with a certificate, so that when the user starts the application and presents his or her client certificate, the application grants access to the corresponding user.
Users’ certificates can be stored on the LDAP directory as an attribute of their user account. To allow UME to search for and store these certificates, you must ensure that the corresponding attributes are mapped correctly in your data source configuration files.
The following logical attributes of a user account are relevant:
· certificatehash: Hash value of the client certificate.
· javax.servlet.request.X509Certificate: Used to search for the LDAP certificate
· certificate: Used to store the LDAP certificate
There are two places in the data source configuration files that must be set up accordingly. Firstly, you must list the above attributes in the <responsibleFor> section of the LDAP data source. This defines that these attributes are stored on the LDAP data source.
Example: ResponsibleFor section of LDAP data source
<dataSource id="CORP_LDAP" |
Secondly, you must map the logical attributes to the corresponding physical attributes in your LDAP directory. These attributes are vendor-specific.
Example: AttributeMapping section of LDAP data source
<dataSource id="CORP_LDAP" |

The certificatehash attribute has to be mapped to *null*, as directory servers cannot handle hashed certificates. This prevents the hash value from being stored.

You must map the logical attributes javax.servlet.request.X509Certificate and certificate to the same physical attribute on your directory server.
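The three rules above (attributes listed under responsibleFor, certificatehash mapped to *null*, and both certificate attributes mapped to the same physical attribute) can be checked mechanically before a configuration is deployed. The following is an added example, not SAP's code: the nested element names (principal, nameSpace, attribute, physicalAttribute), the namespace name and the physical attribute usercertificate are assumptions about the file layout, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

CERT_ATTRS = ("certificatehash", "javax.servlet.request.X509Certificate", "certificate")

# Constructed sample. Element nesting, the namespace name and "usercertificate"
# are assumptions; adjust them to match your own data source configuration file.
SAMPLE = """<dataSource id="CORP_LDAP">
  <responsibleFor><principal type="account"><nameSpace name="com.sap.security.core.usermanagement">
    <attribute name="certificatehash"/>
    <attribute name="javax.servlet.request.X509Certificate"/>
    <attribute name="certificate"/>
  </nameSpace></principal></responsibleFor>
  <attributeMapping><principal type="account"><nameSpace name="com.sap.security.core.usermanagement">
    <attribute name="certificatehash"><physicalAttribute name="*null*"/></attribute>
    <attribute name="javax.servlet.request.X509Certificate"><physicalAttribute name="usercertificate"/></attribute>
    <attribute name="certificate"><physicalAttribute name="usercertificate"/></attribute>
  </nameSpace></principal></attributeMapping>
</dataSource>"""

def check_cert_mapping(xml_text, source_id="CORP_LDAP"):
    """Return a list of problems; an empty list means all three rules hold."""
    root = ET.fromstring(xml_text)
    ds = next((d for d in root.iter("dataSource") if d.get("id") == source_id), None)
    if ds is None:
        return [f"data source {source_id} not found"]
    # Rule 1: all three logical attributes are listed in <responsibleFor>.
    listed = {a.get("name") for a in ds.findall("./responsibleFor//attribute")}
    mapped = {}
    for a in ds.findall("./attributeMapping//attribute"):
        phys = a.find("physicalAttribute")
        mapped[a.get("name")] = phys.get("name") if phys is not None else None
    problems = [f"{n} missing from responsibleFor" for n in CERT_ATTRS if n not in listed]
    problems += [f"{n} has no attribute mapping" for n in CERT_ATTRS if mapped.get(n) is None]
    # Rule 2: the hash must never be written to the directory.
    if mapped.get("certificatehash") not in (None, "*null*"):
        problems.append("certificatehash must be mapped to *null*")
    # Rule 3: search and store use one physical attribute (LDAP names are case-insensitive).
    search, store = mapped.get(CERT_ATTRS[1]), mapped.get(CERT_ATTRS[2])
    if search and store and search.lower() != store.lower():
        problems.append("search and store attributes map to different physical attributes")
    if "*null*" in (search, store):
        problems.append("certificate attributes must not be mapped to *null*")
    return problems
```
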
