Tech Tip : X509 Certificate mapping for ODBC user store


How do you configure X.509 certificate mapping for an ODBC user store (e.g. MSSQL, Oracle Database)?

Environment:
  • Policy Server: ANY
  • User Store: ODBC – ANY

Instructions:

Step 1. Note the Issuer DN from the user certificate. The mapping rule is keyed on this value, so copy it exactly as it appears in the certificate.

Step 2. Create the certificate mapping.

Specify the exact Issuer DN from the user certificate.

Specify Directory Type as ODBC.

Select Single Attribute mapping and choose the Attribute Name to be taken from the certificate's Subject DN.

For example, choose CN (Common Name) for the mapping from the certificate.

Step 3. Adjust the SQL query scheme for the ODBC directory as required. The default scheme looks the user up by the Name column in the InitUser query, as in the query below.

For example, the default InitUser query is: SELECT Name FROM <DataSource> WHERE Name = '%s'

Here the placeholder %s is replaced by the attribute value extracted from the user's certificate Subject DN, as selected in the certificate mapping. Keep the comparison an exact equality: putting LIKE wildcards around the placeholder would let one certificate match more than one user record. Because the value is substituted into the query text, the column you map to should uniquely identify a user, and the Issuer DN in the mapping should belong to a CA you control or trust to issue well-formed, unique Subject DNs. The mapping only selects the user record; validation of the certificate itself (chain, validity period, revocation) is a separate check that the mapping does not replace.

For example, for the user certificate in the log below, the CN attribute is mapped in the certificate mapping, so the CN value "Guest" is extracted and placed in the %s placeholder of the InitUser query:

SELECT Name FROM <DataSource> WHERE Name = 'Guest'

Sample Log:

[Certificate's Issuer DN found in mapping rules][][][][][][][][][][][C=AU,ST=NSW,L=Sydney,O=CA,OU=Support,CN=RootCA,E=rootca@ca.com]

..

[map subjectDN (C=AU,ST=NSW,L=Melbourne,O=CA,OU=Dev,CN=Guest,E=guest@ca.com) using string: '(%{CN})']

..

..

[Name is (CN.CN) Value is (Guest)]

..

[SmAuthenticate][][][][Guest][][][][][][][][][Sm_AuthApi_Success][][][][][][][][Will be authenticating user.]

..

[CDb.cpp:204][CSmRecordset::DoSelect][][][][][][][][][][][][][][][][][][][][][Start processing SQL statement.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][SELECT Name FROM SmUser WHERE Name = 'Guest'][][][][][][][][]
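The three steps above, carried through end to end as an added example. This is illustration code written for this page, not Policy Server code: it checks the Issuer DN against the mapping rule, pulls the mapped Subject attribute, and runs the InitUser query against a constructed in-memory SmUser table (sqlite3 standing in for the ODBC store). The DNs are the ones from the sample log; the table contents, the O'Brien user and the helper names are assumptions for the example. It goes one step beyond the text by running the same lookup both with the value bound as a parameter and with textual %s substitution, so you can see what a quote inside the mapped value does to each.

```python
"""X.509 -> ODBC certificate mapping, worked through against a constructed store.

Added illustration, not Policy Server code. SmUser, its rows and the helper
names are constructed for the example; the DNs are those from the sample log.
"""
import re
import sqlite3

# Step 2: the mapping rule - exact Issuer DN, ODBC directory, single attribute CN
# (the '(%{CN})' mapping string in the log).
MAPPING_RULE = {
    "issuer_dn": "C=AU,ST=NSW,L=Sydney,O=CA,OU=Support,CN=RootCA,E=rootca@ca.com",
    "directory_type": "ODBC",
    "attribute": "CN",
}

# Step 3: the InitUser query with its %s placeholder, and the same query in
# parameterized form so the driver binds the value instead of splicing text.
INIT_USER_TEMPLATE = "SELECT Name FROM SmUser WHERE Name = '%s'"
INIT_USER_PARAM = "SELECT Name FROM SmUser WHERE Name = ?"


def parse_dn(dn):
    """Split 'C=AU,ST=NSW,...' into {ATTR: value}. A comma inside a value is
    expected to be escaped as '\\,' (RFC 4514 style)."""
    attrs = {}
    for rdn in re.split(r"(?<!\\),", dn):
        key, _, value = rdn.partition("=")
        attrs[key.strip().upper()] = value.strip().replace("\\,", ",")
    return attrs


def map_certificate(issuer_dn, subject_dn, rule=MAPPING_RULE):
    """Steps 1-2: the rule applies only when the Issuer DN matches exactly,
    attribute by attribute. Then the chosen Subject attribute is the value
    that will replace %s. Returns None when no rule matches."""
    if parse_dn(issuer_dn) != parse_dn(rule["issuer_dn"]):
        return None
    return parse_dn(subject_dn).get(rule["attribute"].upper())


def substitute(template, value):
    """Textual %s replacement, the behaviour the sample log shows:
    'Guest' yields ... WHERE Name = 'Guest'."""
    return template.replace("%s", value)


def sample_store():
    """Constructed in-memory SmUser table standing in for the ODBC store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SmUser (Name TEXT PRIMARY KEY, Password TEXT)")
    conn.executemany("INSERT INTO SmUser VALUES (?, ?)",
                     [("Guest", "x"), ("Admin", "x"), ("O'Brien", "x")])
    return conn


def init_user(conn, issuer_dn, subject_dn):
    """Whole flow: map, then run InitUser with the value bound as a parameter.
    Returns the list of matching Name values ([] when no rule matched)."""
    name = map_certificate(issuer_dn, subject_dn)
    if name is None:
        return []
    return [row[0] for row in conn.execute(INIT_USER_PARAM, (name,))]


def init_user_textual(conn, issuer_dn, subject_dn):
    """Same flow, but executing the textually substituted query text."""
    name = map_certificate(issuer_dn, subject_dn)
    if name is None:
        return []
    return [row[0] for row in conn.execute(substitute(INIT_USER_TEMPLATE, name))]


ISSUER = "C=AU,ST=NSW,L=Sydney,O=CA,OU=Support,CN=RootCA,E=rootca@ca.com"
SUBJECT = "C=AU,ST=NSW,L=Melbourne,O=CA,OU=Dev,CN=Guest,E=guest@ca.com"

if __name__ == "__main__":
    conn = sample_store()
    print(map_certificate(ISSUER, SUBJECT))        # Guest
    print(substitute(INIT_USER_TEMPLATE, "Guest"))  # the query seen in the log
    print(init_user(conn, ISSUER, SUBJECT))         # ['Guest']
    # A certificate from another CA matches no rule, so no user is looked up.
    other_ca = ISSUER.replace("CN=RootCA", "CN=OtherCA")
    print(init_user(conn, other_ca, SUBJECT))       # []
    # A CN containing a quote is fine when bound, but breaks textual substitution.
    obrien = SUBJECT.replace("CN=Guest", "CN=O'Brien")
    print(init_user(conn, ISSUER, obrien))          # ["O'Brien"]
    try:
        init_user_textual(conn, ISSUER, obrien)
    except sqlite3.OperationalError as err:
        print("textual substitution failed:", err)
```

The Issuer DN comparison is done attribute by attribute rather than as a raw string, so whitespace differences around commas do not silently stop the rule from matching. The O'Brien case is the practical reason to prefer a query scheme that binds the mapped value where the driver allows it, and otherwise to map only from a CA whose Subject DNs you control.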

Related Blogs:

Tech Tip – X.509 Certificate Authentication with IIS Agent
