...

  1. To test the sample, go to the following URL: http://<TOMCAT_HOST>:<TOMCAT_PORT>/travelocity.com/index.jsp (e.g., http://localhost:8080/travelocity.com).
  2. Click the link to log in with SAML from WSO2 Identity Server.

     Note: If you have set this up as the first factor you will not get basic authentication.

  3. The basic authentication page appears unless X509 is configured as the first factor. Enter your username and password and click Sign In (this step applies only when X509 is the second step).
  4. You are directed to the X509 certificate authentication page (https://localhost:8443/x509-certificate-servlet). If the authentication is successful, you will be taken to the home page of the travelocity.com app.


Configuring X509 Authenticator to support 'X509v3 Subject Alternative Name' and extract specific string value of certificate's 'Subject' attribute RDN

Add the following configurations, as required, to the <IS_HOME>/repository/conf/identity/application-authentication.xml file under the <AuthenticatorConfig name="x509CertificateAuthenticator"> tag.

Authenticating using Subject Alternative Names


    <Parameter name="AlternativeNamesRegex">^[a-zA-Z]{3}$</Parameter>

Without this configuration the system does not check the alternative names in the certificate. When the configuration is present in the application-authentication.xml file, the system throws an error and the authentication process fails if the certificate has no alternative names, if none of the alternative names match the given pattern, or if more than one alternative name matches the pattern. If there is exactly one match, that match is used as the username and the system attempts to authenticate the user. If a user with that username exists in the system, the user is authenticated.



Authenticate using specific string value of subject DN


    <Parameter name="UsernameRegex">[a-zA-Z]{3}</Parameter>

When this configuration is present in the application-authentication.xml file, the system extracts the matching string from the subject DN and uses it as the username for authentication. If more than one match is found, or no match is found, the system throws an error and the authentication process fails.
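The "exactly one match, otherwise fail" rule described for both AlternativeNamesRegex and UsernameRegex is modelled below, as an added example that is not WSO2 Identity Server code: it runs a pattern over constructed SAN values and a constructed subject DN string and shows why an unanchored pattern such as [a-zA-Z]{3} can reject a certificate that looks valid (it matches every three-letter run in the DN, not just the CN). The function names and sample values are assumptions made for illustration.

```python
import re
from typing import Iterable, List, Optional


class X509UsernameError(Exception):
    """Raised when a certificate yields zero or several username candidates."""


def extract_username(pattern: str, candidates: Iterable[str]) -> str:
    """Apply the documented rule: exactly one regex match across all candidate
    strings (SAN values, or the subject DN) becomes the username; zero matches
    or more than one match is an authentication failure."""
    regex = re.compile(pattern)
    matches: List[str] = []
    for value in candidates:
        # Collect every (non-overlapping) match in this value, not just the first,
        # so that a pattern hitting two substrings of one value is also rejected.
        matches.extend(m.group(0) for m in regex.finditer(value))
    if len(matches) != 1:
        raise X509UsernameError(
            f"expected exactly one match for {pattern!r}, got {len(matches)}: {matches}")
    return matches[0]


def try_extract(pattern: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the username, or None where the authenticator would fail."""
    try:
        return extract_username(pattern, candidates)
    except X509UsernameError:
        return None


if __name__ == "__main__":
    # Constructed sample data; not taken from any real certificate.
    san_ok = ["bob", "bob@example.invalid"]        # one value is exactly 3 letters
    san_none = ["alice@example.invalid"]           # nothing matches ^[a-zA-Z]{3}$
    san_two = ["bob", "eve"]                       # two values match -> ambiguous
    subject_dn = "CN=bob,O=WSO2"                   # constructed subject DN

    print(try_extract(r"^[a-zA-Z]{3}$", san_ok))     # bob
    print(try_extract(r"^[a-zA-Z]{3}$", san_none))   # None (no alternative name matched)
    print(try_extract(r"^[a-zA-Z]{3}$", san_two))    # None (more than one match)
    # The page's unanchored UsernameRegex matches "bob" AND "WSO" in this DN -> fails.
    print(try_extract(r"[a-zA-Z]{3}", [subject_dn]))  # None
    # A pattern tied to the CN RDN yields a single match.
    print(try_extract(r"(?<=CN=)[a-zA-Z]{3}(?=,|$)", [subject_dn]))  # bob
```

The last two calls show the practical caveat: scope the UsernameRegex to the RDN you mean (here the CN), or a subject DN containing several three-letter runs will be rejected even though it holds a valid user.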