Subject Alt: Email for GP authentication


L6 Presenter

I've been trying to set up this scenario, but I keep getting the subject as the username on the GP portal.

Is there any trick? Because the configuration is pretty simple.


L7 Applicator

I'm not sure if I fully understand what you are trying to achieve, but to use an LDAP email address for authentication on GP you will need to add "mail" to the login attribute in the authentication profile.

I'm trying to set up two-factor authentication for GP users: client certificate and GP credentials.


I already made it work with a self-signed CA on the PA, where I'm issuing certificates with the LDAP username in the certificate subject. So once the user selects the correct certificate, the username field is populated with the LDAP username from the certificate subject field.


Now I'm trying to make the same scenario work with a CA I don't control, where I can't demand that the CA issue certificates with LDAP usernames as the certificate subject. But these certificates do have an email address as a subject alternative parameter. So instead of selecting 'Subject' as the username field in the Certificate Profile, I select Subject Alt and Email for the username field. However, when I try to log in to the GP portal I'm still getting the subject field (which is name and surname) in the user login field. I would be expecting the email in this field. I've checked the certificate and it has the email in the subject alternative name field:


[Screenshot: capture99.JPG]


Then the next step will be modifying the authentication profile to accept the email for login, imo.

I did a packet capture and I can see that the LDAP authentication profile is trying to send mail as the login attribute, but the value is still from the certificate subject instead of the subject alternative email parameter as configured in the certificate profile:


[Screenshot: Capture9.JPG]

I have not used it in this way, but what happens if you add the user domain in the auth profile and set the modifier to:


%USERINPUT%@%USERDOMAIN%


I have tested part of this, and my certificate alt email of mick.ball@domain.com is only adding mick.ball to the LDAP authentication window.

Thank you for your suggestion.

But I'm stuck one step before this, imo. In your case the PA is already taking the subject alternative email address from the certificate, it seems. While in my case the PA keeps taking the subject parameter even though I change my certificate profile to fetch the Subject Alt Email from the certificate.


Although you have no control over the issued certificates, you could generate your own root cert on the PA and then sign user certs from this, then create a test certificate profile and play with this on a test portal.


That is what I am doing.


To confirm, these are the settings I have.


[Screenshots: Certificate Profile; my certificate; output on iPhone GP]

Please note that when I generated my test certificate and added the email address to "email" it did not work, but when I added it as "alt email" it did work as expected.


Perhaps this is your issue.

What were you getting as the username when you were using the 'normal' email address in the certificate (instead of alt email)? Whatever was in the certificate subject? Or some different error?


Though looking at your client cert and mine (in the post above), the field looks the same.


Yes, they do look the same, but Windows may be collating this information from different fields than the PA.

When I added my email to 'email' the auth failed and I was not prompted for LDAP auth; the client on my iPhone stated 'invalid certificate'.


It only started working when I added the email to 'alt email'. This prompted me to log in as michael.ball, but the CN for my cert is mick ball, not michael.ball.

OK, thanks so far. I'll play a bit more with the local CA first and the email/alt email fields.


I made a new cert with the local CA with both the email and alt email properties. And the "subject alternative name" property is definitely alt email as the PA understands it, because email is expected in the subject of the certificate, while alt email goes in the extended properties.


Cert made with CA on PA:


[Screenshots: email1.JPG, email2.JPG]
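The distinction the thread ends on (an "email" entered on the PA's certificate generator lands as an emailAddress RDN inside the Subject, while "alt email" becomes an rfc822Name in the Subject Alternative Name extension, and only the latter is what a Certificate Profile set to Subject Alt / Email reads) can be checked outside the firewall with openssl. The script below is an added example written for this page; it is not from the original thread and not Palo Alto Networks code. It builds a self-signed test certificate that carries all three values at once, then shows which string each Certificate Profile "Username Field" choice would hand to the Authentication Profile. The names, the addresses mick.ball@domain.com and michael.ball@domain.com, the domain and the file names are made up; the lookup table in `cert_username` and the domain handling in `ldap_login_name` are my model of the behaviour the posts describe (local part only reaching LDAP, then `%USERINPUT%@%USERDOMAIN%` appending the configured domain), not PAN-OS source.

```shell
#!/bin/sh
# Added example (not from the thread, not PAN-OS code). Shows where the
# three "email-ish" values of a client certificate live and which one a
# GlobalProtect Certificate Profile username-field setting would pick up.
# All names, addresses and file names are constructed for the demo.
set -e

# Build a throwaway self-signed client certificate with:
#   - CN "Mick Ball"                          (Subject, common name)
#   - emailAddress=mick.ball@domain.com       (Subject RDN: the PA "email" box)
#   - SAN email:michael.ball@domain.com       (SAN rfc822Name: the PA "alt email" box)
# The lab CA signing step from the thread is skipped; only the contents matter.
make_test_cert() {
    prefix=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$prefix.key" -out "$prefix.pem" \
        -subj "/CN=Mick Ball/emailAddress=mick.ball@domain.com" \
        -addext "subjectAltName=email:michael.ball@domain.com" \
        >/dev/null 2>&1
}

# Username as a Certificate Profile would extract it.
#   subject        -> Subject common name   (PA "Subject" username field)
#   subject-alt    -> SAN rfc822Name        (PA "Subject Alt: Email" username field)
#   subject-email  -> emailAddress RDN in the Subject. Included only to show
#                     where the generator's "email" box lands; the thread
#                     reports the PA does NOT use it as a username source.
cert_username() {
    cert=$1
    field=$2
    case "$field" in
        subject)
            openssl x509 -in "$cert" -noout -subject -nameopt sep_multiline \
                | sed -n 's/^ *CN=//p' | head -n 1
            ;;
        subject-email)
            openssl x509 -in "$cert" -noout -subject -nameopt sep_multiline \
                | sed -n 's/^ *emailAddress=//p' | head -n 1
            ;;
        subject-alt)
            # Take the line after the SAN header in the -text dump and keep the
            # first email: entry (a SAN may list several general names).
            openssl x509 -in "$cert" -noout -text \
                | awk '/Subject Alternative Name/ { getline; print; exit }' \
                | sed -n 's/^ *email:\([^, ]*\).*/\1/p'
            ;;
        *)
            echo "unknown username field: $field" >&2
            return 1
            ;;
    esac
}

# Model of the Authentication Profile step from the thread: the certificate
# profile's value becomes %USERINPUT%; the post reports that only the local
# part (mick.ball) reached the LDAP login window, so strip any domain the
# certificate supplied and append the profile's configured User Domain via
# the %USERINPUT%@%USERDOMAIN% modifier. This is an assumption about PA
# behaviour drawn from the posts, not verified PAN-OS logic.
ldap_login_name() {
    userinput=$1
    userdomain=$2
    printf '%s@%s\n' "${userinput%%@*}" "$userdomain"
}

# Manual walk-through: sh this_script.sh demo
demo() {
    tmp=$(mktemp -d)
    make_test_cert "$tmp/lab"
    for f in subject subject-email subject-alt; do
        printf '%-14s -> %s\n' "$f" "$(cert_username "$tmp/lab.pem" "$f")"
    done
    printf 'LDAP login   -> %s\n' \
        "$(ldap_login_name "$(cert_username "$tmp/lab.pem" subject-alt)" domain.com)"
    rm -rf "$tmp"
}
[ "${1:-}" = "demo" ] && demo
```

Run it with `sh script.sh demo` (needs openssl 1.1.1 or newer for `-addext`). The `subject` line prints "Mick Ball", which is the name-and-surname value the original poster keeps seeing; `subject-alt` prints the SAN address, which is the only one of the three that the Subject Alt / Email setting is meant to read.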
