Tech Tip: X509 Certificate Mapping for an ODBC User Store


How do you configure X509 certificate mapping for an ODBC user store (e.g., MSSQL, Oracle Database, etc.)?


  • Policy Server : ANY
  • User Store :  ODBC – ANY

Step 1. Note the Issuer DN from the user certificate.

Step 2. Create the certificate mapping.

Specify the exact Issuer DN from the user certificate.

Specify the Directory Type as ODBC.

Select Single Attribute mapping and choose the Attribute Name that needs to be mapped from the certificate.

For example, choose CN (Common Name) as the attribute to map from the certificate.

Step 3. Adjust the SQL schema for the ODBC directory as required. The default SQL schema uses the "Name" parameter for InitUser, as shown in the query below.

For example, the default InitUser query is: SELECT NAME FROM <DataSource> WHERE Name = '%s%'

Here, the placeholder %s% is replaced by the mapped attribute value extracted from the Subject DN of the user's certificate.

For example, for the user certificate below, because the "CN" attribute is mapped in the certificate mapping, the CN value "Guest" is extracted and substituted for the %s% placeholder in the InitUser SQL query:

SELECT NAME FROM <DataSource> WHERE Name = 'Guest'

Sample Log :

[Certificate’s Issuer DN found in mapping rules][][][][][][][][][][][C=AU,ST=NSW,L=Sydney,O=CA,OU=Support,CN=RootCA,]


[map subjectDN (C=AU,ST=NSW,L=Melbourne,O=CA,OU=Dev,CN=Guest,  using string: ‘(%{CN})’]



[Name is (CN.CN) Value is (Guest)]


[SmAuthenticate][][][][Guest][][][][][][][][][Sm_AuthApi_Success][][][][][][][][Will be authenticating user.]


[CDb.cpp:204][CSmRecordset::DoSelect][][][][][][][][][][][][][][][][][][][][][Start processing SQL statement.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][SELECT Name FROM SmUser WHERE Name = ‘Guest’][][][][][][][][]
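The mapping flow from Steps 2 and 3, modelled in Python as an added example (not code from the original page or from the Policy Server). The function names, the in-memory SQLite table standing in for the ODBC store, the bound parameter used in place of the %s% placeholder, the simple DN parser (no escaped commas) and the rejection of subjects without exactly one CN are all assumptions of this model; the DNs come from the sample log above.

```python
import sqlite3

# Settings from Steps 2 and 3, using values from the page's sample log.
# All names in this block are hypothetical.
MAPPED_ISSUER = "C=AU,ST=NSW,L=Sydney,O=CA,OU=Support,CN=RootCA"
MAPPED_ATTR = "CN"
# '?' is a bound parameter standing in for the %s% placeholder.
INIT_USER_SQL = "SELECT Name FROM SmUser WHERE Name = ?"

def parse_dn(dn):
    """Split a DN as printed in the log into (ATTR, value) pairs.
    Assumption: values contain no escaped commas."""
    pairs = []
    for part in dn.strip().rstrip(",").split(","):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def map_certificate(issuer_dn, subject_dn):
    """Return the attribute value to substitute into the InitUser query,
    or None when the issuer DN does not match the mapping."""
    if parse_dn(issuer_dn) != parse_dn(MAPPED_ISSUER):
        return None
    values = [v for a, v in parse_dn(subject_dn) if a == MAPPED_ATTR]
    if len(values) != 1:  # model choice: refuse ambiguous or missing CN
        raise ValueError(f"expected one {MAPPED_ATTR}, got {len(values)}")
    return values[0]

def init_user(db, issuer_dn, subject_dn):
    """Run the InitUser lookup; return the matched Name or None."""
    value = map_certificate(issuer_dn, subject_dn)
    if value is None:
        return None
    row = db.execute(INIT_USER_SQL, (value,)).fetchone()
    return row[0] if row else None

def sample_db():
    """Constructed user table standing in for the ODBC user store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE SmUser (Name TEXT PRIMARY KEY)")
    db.executemany("INSERT INTO SmUser VALUES (?)", [("Guest",), ("Admin",)])
    return db

if __name__ == "__main__":
    issuer = "C=AU,ST=NSW,L=Sydney,O=CA,OU=Support,CN=RootCA,"
    subject = "C=AU,ST=NSW,L=Melbourne,O=CA,OU=Dev,CN=Guest,"
    print(init_user(sample_db(), issuer, subject))
```

With Single Attribute mapping only the mapped attribute reaches the query, so two subjects that differ elsewhere in the DN resolve to the same row; the mapped attribute should therefore be unique per user under the mapped issuer.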
