Mapping certificate identity to Ubisecure Identity
It is possible to directly map a certificate identity to a local identity in either the Ubisecure Directory or an external LDAP directory. By mapping a certificate identity, the user becomes a registered user which enables fine-grained access control on a per-user basis.
Use of the function requires that each mapped user is a registered user according to the software license agreement.
Creating Directory User Mapping Entries
To map the users, first create a Directory User mapping. The screenshots Figure 1, Figure 2Â and Figure 3Â illustrate a mapping for HST card users.
Figure 1. A list of the Directory User Mappings. In this chapter there is one entry, labeled 'HST ID', to be used for mapping HST card identities to registered users. |
Figure 2. A view of the User Mappings under the Directory User Mapping 'HST ID'. Figure 3Â displays the entry in full. |
Figure 3Â and Figure 4Â display two possible directory user mapping entries. The meaning of each field is explained below. Please refer also to the SSO Management for Directory User Mapping instructions.
If a precondition exists, it must be evaluated successfully before the LDAP search is performed. The syntax of precondition follows the precondition syntax of method attribute mapping with an exception in attribute names: attribute name is defined with prefix:name
notation, where prefix may be one of the following:
- method
Attribute name refers to the method attributes. Refer to the authentication method documentation for a list of available attributes for specific authentication methods. - subject
Attribute name refers to the subject attributes. Subject attributes are following:- format
Format of username - username
Actual username string - namequalifier
Namequalifier specifying the username namespace
- format
The LDAP URL section of the directory user mapping edit view has following fields:
- Server
The base address of the LDAP server in URI format. Example:ldap://localhost/
. The special value ldap:/// defines the LDAP server of the Ubisecure Directory. - Distinguished Name
The name of a directory object - Scope
Search scope. One of base, one, or sub.- Base
The object defined by the Distinguished Name value only. - One
Exactly one level below the object defined by the Distinguished Name. - Sub
Descendants of the object defined by the Distinguished Name, including the object itself.
- Base
- Filter
LDAP search filter expression. Example:(&(objectclass=ubiloginUser)(mobile={method:mobile}))
The LDAP search filter syntax is specified by RFC 2254 (http://www.rfc-editor.org/rfc/rfc2254.txt). Attribute names enclosed in curly braces are replaced with corresponding attribute values before the search. The syntax of attribute names follows the sameprefix:name
notation as the precondition syntax. An attribute must have exactly one single value or else the search fails.
Figure 3. The editing view of the new Directory User Mapping entry. In this example, we map the certificate policy attribute 'username' to the user attribute 'sn'. |
Figure 4. Another possible Directory User Mapping entry where we map the 'satu' attribute provided by the certificate policy to the user's Organization attribute. By doing this, we are utilizing the easily accessible Organization attribute for storing the 'satu' number of the user. |
Figure 5. A view of a user configured to work with the mapping entry in Figure 4. In this example, the Organization field contains the user's SATU, which is used to link the information from the card's certificate to this user. |
Ensure that the Directory User Mapping is enabled for the appropriate authentication methods. Directory User Mapping is only performed for the authentication methods which have been selected under the methods tab. In Figure 6, pki.ubilogin.1
is enabled. When authenticates using this methods, the mapping will be performed. In this way, a mapping template is created, and the same mapping may be reused for similar authentication methods where appropriate.
Figure 6. Ensure that the Directory User Mapping is enabled for the appropriate authentication methods. |
Figure 7. The active Directory User Mappings for the authentication method will be displayed in the Mappings tab of that authentication method. |
Figure 8. The SAML configuration of the certificate authentication method. The Directory LDAP URL should point to the Ubilogin Directory server. The ldap:/// shown indicates localhost. |