When running a Policy Server with a Certificate Authentication
Scheme enabled, one might like to know:
- Why can't the Policy Server authenticate with a certificate if the
Subject CN value contains an Email address?
- Which parameters of the certificate are checked?
- Are there any limitations on the algorithms it supports, or any
other limitations?
Here are the answers:
- The Policy Server should be able to authenticate using a
certificate whose Subject contains an Email address along with the
CN value. To understand why it failed in this particular
environment, the full logs, traces and configuration from that
environment would be needed.
- Mainly the Subject of the certificate is used (1); the Issuer DN
only selects which certificate mapping is applied.
- The key and signature algorithms supported for certificates and
keys are limited to a specific set (2).
(1)
How SiteMinder Uses Certificate Data to Identify Users
The Policy Server then performs certificate mapping. The goal of
certificate mapping is to locate a user by the Subject Name in the
user certificate.
First, the Policy Server looks up the appropriate certificate
mapping in the policy store. The Policy Server uses the
certificate Issuer DN to locate the mapping. The Issuer DN is part
of the certificate mapping configuration. After the Policy Server
finds the mapping, it takes the Subject Name from the certificate
and applies the mapping to find the user entry in the user
directory.
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/authentication-schemes/x-509-client-certificate-authentication-schemes.html
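The two steps described above (locate the mapping by Issuer DN, then apply it to the Subject DN) modelled in Python, as an added example that is not part of the original article or of the SiteMinder product code. The mapping rule types ("exact" treats the whole Subject DN as the user DN, "single_attribute" searches the directory for one Subject attribute), the in-memory directory standing in for LDAP, and every DN are constructed for the example. It shows in particular that an Email address inside the CN, or an E= RDN with an escaped comma elsewhere in the Subject, parses and maps without trouble; what decides success is whether the mapped value exists in the directory attribute.

```python
"""Model of SiteMinder-style certificate mapping (added example, not product code)."""
import re
from typing import Dict, List, Optional, Tuple

# Spellings different CAs use for the e-mail RDN type (assumption: fold them to one name).
TYPE_ALIASES = {"E": "EMAILADDRESS", "EMAIL": "EMAILADDRESS",
                "1.2.840.113549.1.9.1": "EMAILADDRESS"}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 string DN into (TYPE, value) pairs, leftmost first.
    Backslash escapes (\\, \\= \\2C) are decoded, so an '@' or a comma inside a
    CN value does not break the split. Multi-valued RDNs ('+') are not handled."""
    rdns: List[Tuple[str, str]] = []
    buf: List[str] = []
    i = 0
    while i <= len(dn):
        ch = dn[i] if i < len(dn) else ","          # sentinel closes the last RDN
        if ch == ",":
            part = "".join(buf)
            if "=" not in part:
                raise ValueError(f"malformed RDN {part!r} in {dn!r}")
            typ, val = part.split("=", 1)
            typ = typ.strip().upper()
            rdns.append((TYPE_ALIASES.get(typ, typ), val.strip()))
            buf = []
        elif ch == "\\":
            if i + 1 >= len(dn):
                raise ValueError(f"dangling escape in {dn!r}")
            hexpair = dn[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", hexpair):
                buf.append(chr(int(hexpair, 16)))
                i += 2
            else:
                buf.append(dn[i + 1])
                i += 1
        else:
            buf.append(ch)
        i += 1
    return rdns


def canonical_dn(dn: str) -> Tuple[Tuple[str, str], ...]:
    """Comparison form: types already upper-cased, values case-folded."""
    return tuple((t, v.casefold()) for t, v in parse_dn(dn))


# Constructed policy-store contents: one mapping per Issuer DN.
CERT_MAPPINGS: List[Dict[str, str]] = [
    {"issuer_dn": "CN=Example Issuing CA, OU=PKI, O=Example Corp, C=US",
     "type": "single_attribute", "cert_attr": "CN", "dir_attr": "uid"},
    {"issuer_dn": "CN=Example Email CA, OU=PKI, O=Example Corp, C=US",
     "type": "single_attribute", "cert_attr": "EMAILADDRESS", "dir_attr": "mail"},
    {"issuer_dn": "CN=Example Exact CA, OU=PKI, O=Example Corp, C=US",
     "type": "exact"},
]

# Constructed user directory standing in for LDAP.
USER_DIRECTORY: List[Dict[str, str]] = [
    {"dn": "uid=jdoe,ou=People,dc=example,dc=com", "uid": "jdoe", "mail": "jdoe@example.com"},
    {"dn": "CN=Doe\\, Jane,OU=Staff,O=Example Corp,C=US", "uid": "jadoe", "mail": "jane.doe@example.com"},
]


def find_mapping(issuer_dn: str, mappings=CERT_MAPPINGS) -> Optional[Dict[str, str]]:
    """Step 1: locate the certificate mapping by the certificate's Issuer DN."""
    key = canonical_dn(issuer_dn)
    for m in mappings:
        if canonical_dn(m["issuer_dn"]) == key:
            return m
    return None


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping, so a crafted Subject value cannot alter the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def apply_mapping(subject_dn: str, mapping: Dict[str, str], directory=USER_DIRECTORY):
    """Step 2: apply the mapping to the Subject DN. Returns (search_key, entry or None)."""
    if mapping["type"] == "exact":
        want = canonical_dn(subject_dn)
        hit = next((e for e in directory if canonical_dn(e["dn"]) == want), None)
        return subject_dn, hit
    values = [v for t, v in parse_dn(subject_dn) if t == mapping["cert_attr"]]
    if not values:
        raise LookupError(f"Subject DN has no {mapping['cert_attr']} RDN: {subject_dn!r}")
    ldap_filter = f"({mapping['dir_attr']}={ldap_filter_escape(values[0])})"
    hit = next((e for e in directory
                if e.get(mapping["dir_attr"], "").casefold() == values[0].casefold()), None)
    return ldap_filter, hit


def locate_user(issuer_dn: str, subject_dn: str):
    """Both steps together, as the Policy Server performs them for one certificate."""
    mapping = find_mapping(issuer_dn)
    if mapping is None:
        raise LookupError(f"no certificate mapping for issuer {issuer_dn!r}")
    return apply_mapping(subject_dn, mapping)


if __name__ == "__main__":
    issuing = "CN=Example Issuing CA,OU=PKI,O=Example Corp,C=US"
    for subject in ("CN=jdoe,OU=Staff,O=Example Corp,C=US",
                    "CN=jdoe@example.com,OU=Staff,O=Example Corp,C=US"):
        key, entry = locate_user(issuing, subject)
        print(f"{subject} -> {key} -> {entry['dn'] if entry else 'NO USER'}")
```

The second subject in the `__main__` run parses cleanly (the '@' is ordinary DN text) but finds no user, because the mapping searches `uid` for the literal CN value and the directory stores `jdoe` there. That is the kind of mismatch between mapping rule and directory contents that the logs and configuration mentioned above would reveal; it is a configuration question, not a parsing limitation.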
(2)
Digital Signing and Private Key Algorithms
SiteMinder uses the following algorithms for private keys and
certificate signatures (Certificates/Keys):
- Key algorithm: RSA
- Signature algorithms: MD5withRSA, SHA1withRSA, SHA256withRSA and
SHA512withRSA
- Additional signature algorithm supported from Release 12.8.05:
RSASSA-PSS
Note that MD5withRSA and SHA1withRSA are listed as supported, but both
hashes are deprecated for digital signatures; certificates issued for
new deployments should be signed with SHA-256 or stronger.
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/partnership-federation/encryption-and-decryption-algorithms.html