I've been trying to set up this scenario, but I keep getting the subject as the username on the GP portal.
Is there any trick? Because the configuration is pretty simple.
I'm not sure if I fully understand what you are trying to achieve, but to use the LDAP email address for authentication on GP you will need to add "mail" to the login attribute in the authentication profile.
I'm trying to set up two-factor authentication for GP users: client certificate and GP credentials.
I already made it work with a self-signed CA on the PA, where I'm issuing certificates with the LDAP username in the certificate subject. So once the user selects the correct certificate, the username field is populated with the LDAP username from the certificate subject field.
Now I'm trying to make the same scenario work with a CA I don't control, where I can't demand that the CA issue certificates with LDAP usernames as the certificate subject. But these certificates do have an email address as a subject alternative parameter. So instead of selecting 'Subject' as the username field in the Certificate Profile, I select Subject Alt and Email for the username field. However, when I try to log in to the GP portal, I'm still getting the subject field (which is name and surname) in the user login field. I would be expecting the email in this field. I've checked the certificate and it has the email in the subject alternative name field:
Then the next step will be modifying the authentication profile to accept email for login, imo.
I did a packet capture and I can see that the LDAP authentication profile is trying to send mail as the login attribute, but the value is still from the certificate subject instead of the subject alternative parameter email as configured in the certificate profile:
I have not used it in this way, but what happens if you add the user domain in the auth profile and set the modifier to:
I have tested part of this, and my certificate alt email of email@example.com is only adding mick.ball to the LDAP authentication window.
Thank you for your suggestion.
But I'm stuck one step before this, imo. In your case the PA is already taking the alternative subject parameter with the email address from the certificate, it seems. While in my case the PA keeps taking the subject parameter even though I changed my certificate profile to fetch Alt Subject Email from the certificate.
Although you have no control over the issued certificates, you could generate your own root cert on the PA and then sign user certs from this, then create a test certificate profile and play with this on a test portal.
That is what I am doing.
Please note that when I generated my test certificate and added the email address to email, it did not work, but when I added it as alt email it did work as expected.
Perhaps this is your issue.
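One way to reproduce the test described in the reply above on a workstation before touching the firewall. This is an added example, not code from the thread or from Palo Alto Networks: it assumes openssl 1.1.1 or later on PATH, and the CA name, user name and mick.ball@example.com address are constructed. It builds a throwaway root CA, signs one cert with the email in the subjectAltName (rfc822Name) and one with the email only as the emailAddress attribute of the subject DN, then reads back the two fields a certificate profile can choose between ('Subject' vs 'Subject Alt / Email') so you can see which cert actually carries a SAN email.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway root CA, sign two user
# certs, and read the fields a certificate profile can use as the username.
# Assumes openssl 1.1.1+ on PATH; all names and addresses below are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

make_test_certs() {
  # Throwaway root CA (stand-in for a self-signed CA generated on the PA).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test GP Root" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

  # Cert 1: subject holds name/surname only; the email is in the SAN extension
  # (the case reported to work with "Subject Alt / Email").
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Mick Ball/O=Example" \
    -keyout "$WORK/san.key" -out "$WORK/san.csr" 2>/dev/null
  printf 'subjectAltName=email:mick.ball@example.com\nextendedKeyUsage=clientAuth\n' \
    > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/san.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/san.ext" -out "$WORK/san.crt" 2>/dev/null

  # Cert 2: email only as the emailAddress attribute of the subject DN, no SAN
  # (the case reported NOT to populate the username from the alt email).
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=Mick Ball/O=Example/emailAddress=mick.ball@example.com" \
    -keyout "$WORK/dn.key" -out "$WORK/dn.csr" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\n' > "$WORK/dn.ext"
  openssl x509 -req -in "$WORK/dn.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/dn.ext" -out "$WORK/dn.crt" 2>/dev/null
}

# What a "Username Field: Subject" profile reads: the CN of the subject DN.
subject_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# What a "Username Field: Subject Alt / Email" profile should read: the first
# rfc822Name in the SAN extension. Empty output means the cert has no SAN email;
# an emailAddress in the subject DN does not count (it prints as "emailAddress =").
san_email() {
  openssl x509 -in "$1" -noout -text | grep -o 'email:[^, ]*' | head -n 1 | cut -d: -f2
}

main() {
  make_test_certs
  for c in san dn; do
    printf '%s.crt  subject CN=[%s]  SAN email=[%s]\n' \
      "$c" "$(subject_cn "$WORK/$c.crt")" "$(san_email "$WORK/$c.crt")"
  done
}

main "$@"
```

Run it as-is; san.crt should show both a subject CN and a SAN email, while dn.crt shows only the subject CN. If the certificate issued by the external CA behaves like dn.crt when you inspect it this way, the profile has no rfc822Name to pick up, whatever the username field is set to.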
What were you getting as the username when you were using the 'normal' email address in the certificate (instead of alt email)? Whatever was in the certificate subject? Or some different error?