
Certificate Mapping Flags Definitions

Sm_PolicyApi_CertMapFlags_t enumerates flags that represent certificate mapping properties.

Flag (Value)

Sm_PolicyApi_CertMapFlags_CertRequired (0x01)

Setting this flag causes SiteMinder to verify that the certificate presented by the user matches the certificate stored in the user's entry in the authentication directory. The authentication directory must be an LDAP user directory.

Sm_PolicyApi_CertMapFlags_UseDistributionPoints (0x02)

Set this flag if your Certificate Revocation List (CRL) uses distribution points. Large CRLs may contain multiple distribution points that can be used to locate a revoked user. A distribution point is a starting point in the CRL LDAP directory; beginning the CRL check there saves the processing time it would take to search the entire CRL for a particular user.

When this flag is set, SiteMinder retrieves the distribution point from the user's certificate, then uses it to find the appropriate LDAP directory entry point for the CRL.

Sm_PolicyApi_CertMapFlags_VerifySignature (0x04)

Set this flag to enable signature verification, where the Policy Server checks the Certificate Authority's public certificate against a signature stored in the policy database.

Sm_PolicyApi_CertMapFlags_CRLCheck (0x08)

Set this flag to make SiteMinder perform a Certificate Revocation List check. A Certificate Revocation List (CRL) is a list of revoked X.509 client certificates published by the Certificate Authority. Comparing certificates against CRLs is one way to ensure that certificates are valid. When a user with a revoked certificate tries to access a protected resource, SiteMinder finds the user's certificate in the CRL and rejects the authentication.

Sm_PolicyApi_CertMapFlags_Cache (0x10)

Setting this flag causes SiteMinder to use cached CRL information until the date specified in the NextUpdate field in the CRL.

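The flag values above are bit masks, so a certificate mapping's flags word read back from the policy store can be decoded and audited. The following is an added example, not SiteMinder SDK code: the enum re-declares the documented names and values so it builds without the SDK header, and the three helper functions (cert_map_flags_describe, cert_map_flags_missing, cert_map_flags_dangling) are hypothetical and not part of the Policy Management API.

```c
#include <string.h>

/* Re-declared from this page so the example builds without the SiteMinder SDK
 * header; the values are the ones documented above. */
typedef enum {
    Sm_PolicyApi_CertMapFlags_CertRequired          = 0x01,
    Sm_PolicyApi_CertMapFlags_UseDistributionPoints = 0x02,
    Sm_PolicyApi_CertMapFlags_VerifySignature       = 0x04,
    Sm_PolicyApi_CertMapFlags_CRLCheck              = 0x08,
    Sm_PolicyApi_CertMapFlags_Cache                 = 0x10
} Sm_PolicyApi_CertMapFlags_t;

static const struct { int flag; const char *name; } kFlagNames[] = {
    { Sm_PolicyApi_CertMapFlags_CertRequired,          "CertRequired" },
    { Sm_PolicyApi_CertMapFlags_UseDistributionPoints, "UseDistributionPoints" },
    { Sm_PolicyApi_CertMapFlags_VerifySignature,       "VerifySignature" },
    { Sm_PolicyApi_CertMapFlags_CRLCheck,              "CRLCheck" },
    { Sm_PolicyApi_CertMapFlags_Cache,                 "Cache" },
};

/* Hypothetical helper: write the set flags as "A|B|C" into out and return any
 * bits that match no documented flag (0 when the word is fully understood). */
int cert_map_flags_describe(int flags, char *out, size_t outlen) {
    int unknown = flags;
    size_t i;
    out[0] = '\0';
    for (i = 0; i < sizeof kFlagNames / sizeof kFlagNames[0]; i++) {
        if (!(flags & kFlagNames[i].flag)) continue;
        if (out[0]) strncat(out, "|", outlen - strlen(out) - 1);
        strncat(out, kFlagNames[i].name, outlen - strlen(out) - 1);
        unknown &= ~kFlagNames[i].flag;
    }
    return unknown;
}

/* Hypothetical helper: CRLCheck and VerifySignature are the two flags that make
 * the Policy Server reject revoked certificates and check the issuing CA, so
 * return whichever of them a mapping leaves unset (0 means both are on). */
int cert_map_flags_missing(int flags) {
    int required = Sm_PolicyApi_CertMapFlags_CRLCheck | Sm_PolicyApi_CertMapFlags_VerifySignature;
    return required & ~flags;
}

/* Hypothetical helper: UseDistributionPoints and Cache only affect a CRL check,
 * so report them when they are set without CRLCheck (likely a misconfiguration). */
int cert_map_flags_dangling(int flags) {
    int crl_modifiers = Sm_PolicyApi_CertMapFlags_UseDistributionPoints | Sm_PolicyApi_CertMapFlags_Cache;
    if (flags & Sm_PolicyApi_CertMapFlags_CRLCheck) return 0;
    return flags & crl_modifiers;
}
```

For a mapping whose flags word is 0x18 (CRLCheck|Cache), cert_map_flags_missing reports 0x04, meaning VerifySignature is off even though revocation is being checked.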

Copyright © 2010 CA. All rights reserved.