Mapping Group Box

The Mapping group box is where you specify how the X.509 client certificate will map to the user information in the authentication directory. The contents of the group box change depending on the radio button you select for the type of mapping. You can select one of the following:

Single Attribute

The Policy Server matches a single attribute from the subject DN of a user’s certificate to a single attribute stored in the user directory to verify the user’s identity.

Attribute Name

The following table lists the types of attributes you can select for a mapping:

| Attribute | Description |
|---|---|
| UID | User ID |
| CN | Common Name. Important! Novell eDirectory cannot have the CN attribute set to a value longer than 64 characters. |
| SN | Surname |
| E | Email address |
| Enodomain | Contents of the email address that precede the @ symbol. Note: For non-English versions of SiteMinder, the Enodomain selection is not translated from English. In order for this feature to work correctly, the ASCII string “Enodomain” must be used. |
| OU | Organizational unit |
| O | Organization |
| L | Locality or city |
| S | State |
| C | Country |

When you configure the user directory to which the certificate is mapped, the Policy Server uses the values of the Start and End fields of the LDAP User DN Lookup group box in the SiteMinder User Directory dialog to locate the attribute in the directory to which the certificate is mapped.

For example, if you create a certificate mapping to the UID attribute of an LDAP user directory with the Start and End values pictured in the following graphic, SiteMinder maps the UID from the subject DN to the user directory using the value:

uid=<value of UID attribute from subject DN>, ou=marketing,o=myorg.org
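The Single Attribute lookup described above, sketched as an added example (this is not SiteMinder code, and the function names are hypothetical): it pulls one attribute from a string-form subject DN, derives Enodomain from E, and builds the directory DN as Start + value + End. The Start and End values (`uid=` and `,ou=marketing,o=myorg.org`) are assumed from the example DN, and escaping the value per RFC 4514 is a precaution added here, not documented Policy Server behavior.

```python
import re

# Constructed sample subject DN (not taken from a real certificate).
SAMPLE_SUBJECT = r"CN=Doe\, Jane,UID=jdoe,E=jane.doe@example.com,OU=marketing,O=myorg.org,C=US"
# Assumed Start and End values of the LDAP User DN Lookup group box.
START, END = "uid=", ",ou=marketing,o=myorg.org"


def parse_subject_dn(dn):
    """Split a string-form DN into {ATTRIBUTE: value}, honouring backslash escapes.
    Simplified: hex escapes (\\2C) and multi-valued RDNs (+) are not handled."""
    attrs = {}
    for rdn in re.findall(r"(?:\\.|[^,\\])+", dn):
        name, _, value = rdn.partition("=")
        # Keep the first occurrence of each attribute and undo "\," style escapes.
        attrs.setdefault(name.strip().upper(), re.sub(r"\\(.)", r"\1", value.strip()))
    return attrs


def mapped_value(subject_dn, attribute):
    """Return the subject DN value for one attribute name from the table."""
    attrs = parse_subject_dn(subject_dn)
    if attribute == "Enodomain":  # the exact ASCII string, whatever the UI language
        local, at, _ = attrs.get("E", "").partition("@")
        value = local if at else ""
    else:
        value = attrs.get(attribute.upper(), "")
    if not value:
        raise ValueError(f"subject DN has no usable {attribute} value")
    return value


def escape_dn_value(value):
    """RFC 4514 escaping, so a value from the certificate stays inside one RDN."""
    value = re.sub(r'([,+"\\<>;=])', r"\\\1", value)
    if value.endswith(" "):
        value = value[:-1] + "\\ "
    if value[:1] in ("#", " "):
        value = "\\" + value
    return value


def lookup_dn(subject_dn, attribute, start=START, end=END):
    """Build the directory DN as Start + mapped value + End."""
    return start + escape_dn_value(mapped_value(subject_dn, attribute)) + end


if __name__ == "__main__":
    print(lookup_dn(SAMPLE_SUBJECT, "UID"))
    print(lookup_dn(SAMPLE_SUBJECT, "CN", start="cn="))
```

A subject DN that lacks the selected attribute raises `ValueError` rather than producing a lookup DN with an empty value.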

Custom

The Policy Server uses a custom mapping expression to verify the user’s identity. Enter the expression in the field to the right of the radio buttons.

Mapping Expression

For information about mapping expressions, see Custom Mapping Expressions.

Note: If you enter a single attribute in the Mapping Expression field, the Policy Server automatically converts the custom expression to a single attribute as described in step 1.

Exact

The Policy Server matches the user’s entire DN from the certificate to the entire DN in the authentication directory.

Test Button

This button is available regardless of the radio button selected. It opens the Certificate Map Test Dialog.