Questions about Certificate Authentication Scheme

Article ID: 212826

Products

SITEMINDER

Issue/Introduction

When running a Policy Server with a Certificate Authentication Scheme
enabled, one might like to know:

  - Why can't the Policy Server authenticate with a certificate whose
    Subject CN value contains an Email address?

  - Which parameters of the certificate are checked?

  - Are there any limitations on the encryption algorithms it supports,
    or any other limitations?


Resolution

Here are the answers:

  - The Policy Server should be able to authenticate using a
    certificate whose Subject contains an Email attribute alongside the
    CN value. To understand why it failed in this particular
    environment, the full logs, traces and configuration from that
    environment would be needed.

  - Mainly the Subject of the certificate is used (see (1)).

  - The certificate algorithms supported are limited to a specific set
    (see (2)).


Additional Information


(1)

    How SiteMinder Uses Certificate Data to Identify Users

       The Policy Server then performs certificate mapping. The goal of
       certificate mapping is to locate a user by the Subject Name in the
       user certificate.

       First, the Policy Server looks up the appropriate certificate
       mapping in the policy store. The Policy Server uses the
       certificate Issuer DN to locate the mapping. The Issuer DN is part
       of the certificate mapping configuration. After the Policy Server
       finds the mapping, it takes the Subject Name from the certificate
       and applies the mapping to find the user entry in the user
       directory.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/authentication-schemes/x-509-client-certificate-authentication-schemes.html

(2)

    Digital Signing and Private Key Algorithms

      SiteMinder uses the following algorithms for Private Key
      generation (Certificate/Keys):

      Key Algorithm:   RSA
      Sign Algorithms: MD5withRSA, SHA1withRSA, SHA256withRSA & SHA512withRSA
      Additional algorithms supported from Release 12.8.05: RSASSA-PSS

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/partnership-federation/encryption-and-decryption-algorithms.html
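The following is an added illustrative example, not SiteMinder code and not taken from the Broadcom documentation quoted above. It models the two mechanisms described in (1) and (2): the mapping lookup keyed on the certificate Issuer DN followed by application of that mapping to the Subject DN, and a gate on the listed signing algorithms with RSASSA-PSS only accepted from release 12.8.05. The `%{ATTR}` template syntax, the `CERT_MAPPINGS` table, the sample DNs and the release strings are all constructed here for demonstration; the real product's mapping configuration and matching rules are documented at the links above. The example also shows that an Email attribute in the Subject, or a CN that is itself an e-mail address, maps without difficulty, and that subject values are RFC 4515-escaped before they are placed in an LDAP filter.

```python
"""Illustrative model of X.509 certificate mapping (issuer DN selects the
mapping, subject DN is fed through it) and a signing-algorithm gate.
Added example; not SiteMinder's own code.  Mapping syntax and sample
data are constructed for demonstration."""
from __future__ import annotations
import re

# Split an RFC 4514 DN string on commas that are not backslash-escaped.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Parse 'emailAddress=a@b.com, CN=Jane Doe, O=Example' into an ordered
    list of (ATTRIBUTE, value) pairs.  Attribute names are upper-cased so
    later lookups are case-insensitive.  Multi-valued RDNs ('+') are not
    handled in this simplified parser."""
    pairs: list[tuple[str, str]] = []
    for rdn in _RDN_SPLIT.split(dn):
        if not rdn.strip():
            continue
        name, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((name.strip().upper(), value.strip().replace("\\,", ",")))
    return pairs


def canonical_dn(dn: str) -> str:
    """Canonical form for matching an issuer DN against the mapping table:
    normalised attribute names, original RDN order, values compared
    case-insensitively (a simplification of RFC 4517 caseIgnoreMatch)."""
    return ",".join(f"{name}={value.lower()}" for name, value in parse_dn(dn))


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter, so
    a subject attribute chosen by the certificate holder cannot change the
    filter's structure.  '@' and '.' are not special and pass through."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


# Constructed mapping configuration: issuer DN -> user-directory filter
# template.  %{ATTR} is replaced with that attribute from the subject DN.
CERT_MAPPINGS = {
    "CN=Example Corp Issuing CA, O=Example Corp, C=US": "(mail=%{EMAILADDRESS})",
    "CN=Example Corp Legacy CA, O=Example Corp, C=US": "(uid=%{CN})",
}
_PLACEHOLDER = re.compile(r"%\{([A-Za-z0-9]+)\}")


def map_certificate(issuer_dn: str, subject_dn: str,
                    mappings: dict[str, str] = CERT_MAPPINGS) -> str:
    """Locate the mapping by issuer DN, then apply it to the subject DN to
    produce the search filter used to find the user entry.  Raises
    LookupError for an unknown issuer and KeyError when the subject lacks
    an attribute the mapping needs (the two common mapping failures)."""
    by_issuer = {canonical_dn(k): v for k, v in mappings.items()}
    template = by_issuer.get(canonical_dn(issuer_dn))
    if template is None:
        raise LookupError(f"no certificate mapping for issuer {issuer_dn!r}")
    subject = dict(parse_dn(subject_dn))

    def fill(match: re.Match) -> str:
        name = match.group(1).upper()
        if name not in subject:
            raise KeyError(f"subject DN lacks {name}, required by {template!r}")
        return escape_filter_value(subject[name])

    return _PLACEHOLDER.sub(fill, template)


# Signing algorithms listed under (2); RSASSA-PSS is gated on release 12.8.05.
SIGN_ALGORITHMS = {"MD5withRSA", "SHA1withRSA", "SHA256withRSA", "SHA512withRSA"}
SIGN_ALGORITHMS_FROM_12_8_05 = {"RSASSA-PSS"}
# Digests that are accepted but that a defender should flag as weak.
WEAK_DIGESTS = ("MD5", "SHA1")


def parse_release(release: str) -> tuple[int, ...]:
    """'12.8.05' -> (12, 8, 5) so releases compare numerically."""
    return tuple(int(part) for part in release.split("."))


def sign_algorithm_supported(alg: str, release: str) -> bool:
    """True if the signing algorithm is in the supported set for the release."""
    if alg in SIGN_ALGORITHMS:
        return True
    return alg in SIGN_ALGORITHMS_FROM_12_8_05 and parse_release(release) >= (12, 8, 5)


def sign_algorithm_is_weak(alg: str) -> bool:
    """True for MD5- or SHA-1-based signatures, which are supported but weak."""
    return alg.startswith(WEAK_DIGESTS)


if __name__ == "__main__":
    issuer = "CN=Example Corp Issuing CA, O=Example Corp, C=US"
    # Subject carrying an emailAddress attribute alongside the CN.
    subject = "emailAddress=jane.doe@example.com, CN=Jane Doe, OU=Users, O=Example Corp, C=US"
    print(map_certificate(issuer, subject))
    # CN that is itself an e-mail address; '@' needs no filter escaping.
    legacy = "CN=Example Corp Legacy CA, O=Example Corp, C=US"
    print(map_certificate(legacy, "CN=jdoe@example.com, O=Example Corp, C=US"))
    for alg in ("SHA256withRSA", "RSASSA-PSS", "MD5withRSA"):
        print(alg, sign_algorithm_supported(alg, "12.8.03"), sign_algorithm_is_weak(alg))
```

When a mapping fails in practice, the two exceptions above are the places to look first: the issuer DN of the presented certificate does not match any configured mapping, or the mapping template names a subject attribute the certificate does not carry. Both conditions are visible from the certificate alone, which is why the Resolution asks for logs and configuration rather than assuming the Email attribute is the cause.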