Subject Alt: Email for GP authentication

L5 Sessionator

I've been trying to set up this scenario, but I keep getting the subject as the username on the GP portal.

Is there any trick? Because the configuration is pretty simple.

L6 Presenter

Re: Subject Alt: Email for GP authentication

I'm not sure if I fully understand what you are trying to achieve, but to use LDAP authentication email address on GP you will need to add "mail" to the login attribute in the authentication profile.

L5 Sessionator

Re: Subject Alt: Email for GP authentication

I'm trying to set up 2-factor authentication for GP users: client certificate and GP credentials.

I already made it work with a self-signed CA on the PA, where I'm issuing certificates with the LDAP username in the certificate subject. So once the user selects the correct certificate, the username field is populated with the LDAP username from the certificate subject field.

Now I'm trying to make the same scenario work with a CA I don't control, where I can't demand that the CA issue certificates with LDAP usernames as the certificate subject. But these certificates do have an email address as an alternative subject parameter. So instead of selecting 'subject' as the username field in the Certificate Profile, I select Subject Alt and Email for the username field. However, when I try to log in to the GP portal I'm still getting the subject field (which is name and surname) in the user login field. I would be expecting the email in this field. I've checked the certificate and it has the email in the subject alternative name field:

[Screenshot: capture99.JPG]

Then the next step will be modifying the authentication profile to accept email for login, imo.

L5 Sessionator

Re: Subject Alt: Email for GP authentication

I did a packet capture and I can see that the LDAP authentication profile is trying to send mail as the login attribute, but the value is still from the certificate subject instead of the subject alternative parameter email as configured in the certificate profile:

[Screenshot: Capture9.JPG]

L6 Presenter

Re: Subject Alt: Email for GP authentication

I have not used it in this way, but what happens if you add the user domain in the auth profile and set modifier to :-

"%USERINPUT%@%USERDOMAIN%"

I have tested part of this and my certificate alt email of mick.ball@domain.com is only adding mick.ball to the LDAP authentication window.

L5 Sessionator

Re: Subject Alt: Email for GP authentication

Ty for your suggestion. 

But I'm stuck one step before this, imo. In your case the PA is already taking the alternative subject parameter with the email address from the certificate, it seems. While in my case the PA keeps taking the subject parameter even though I change my certificate profile to fetch Alt Subject Email from the certificate.

L6 Presenter

Re: Subject Alt: Email for GP authentication

Although you have no control over issued certificates, you could generate your own root cert on the PA and then sign user certs from this, then create a test certificate profile and play with this on a test portal.

That is what I am doing.

L6 Presenter

Re: Subject Alt: Email for GP authentication

To confirm, these are the settings I have.

[Screenshot: cert profile.png] Certificate Profile
[Screenshot: cert properties.png] my certificate
[Screenshot: image.png] output on iPhone GP.

L6 Presenter

Re: Subject Alt: Email for GP authentication

Please note that when I generated my test certificate and added the email address to email it did not work, but when I added it as alt email it did work as expected.

Perhaps this is your issue.
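The posts above turn on whether the address sits in the certificate's subject DN or in its Subject Alternative Name. The script below is an added example, not part of any post in this thread: it uses the OpenSSL command line (1.1.1 or later) to build two throwaway certificates and report which field carries the email. It assumes the firewall's "email" attribute maps to the subject `emailAddress` and "alt email" to a SAN `email:` (rfc822Name) entry; all names, addresses and paths are constructed.

```shell
#!/bin/sh
# Added example. Names, addresses and paths are constructed placeholders.

# make_test_cert <out.pem> <subject> [san-value]
# Writes a throwaway self-signed certificate (key stored beside it as <out.pem>.key).
make_test_cert() {
    if [ -n "${3:-}" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1.key" \
            -subj "$2" -addext "subjectAltName=$3" -out "$1" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1.key" \
            -subj "$2" -out "$1" 2>/dev/null
    fi
}

# email_sources <cert.pem>
# Prints one line per address found:
#   subject=<addr>  emailAddress attribute inside the subject DN
#   san=<addr>      rfc822Name entry in the Subject Alternative Name extension
email_sources() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        awk '$1 == "emailAddress" && $2 == "=" { print "subject=" $3 }'
    # Certificates without a SAN extension simply produce no "san=" line.
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed -n 's/^ *email:/san=/p'
}

# Build one certificate of each kind and show where the address ends up.
demo() {
    dir=$(mktemp -d)
    make_test_cert "$dir/dn.pem"  "/CN=Test User/emailAddress=test.user@example.com"
    make_test_cert "$dir/san.pem" "/CN=Test User" "email:test.user@example.com"
    for c in dn san; do
        echo "$c.pem: $(email_sources "$dir/$c.pem" | tr '\n' ' ')"
    done
    rm -rf "$dir"
}
demo
```

To check a real client certificate, export it as PEM and run only `email_sources` on it; a certificate that yields no `san=` line has no email entry in its Subject Alternative Name.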

L5 Sessionator

Re: Subject Alt: Email for GP authentication

What were you getting as username when you were using the 'normal' email address in the certificate (instead of alt email)? Whatever was in the certificate subject? Or some different error?
