Example: Attribute Mapping for Client Certificates
Denise DeLassandros wants to set up an application that authenticates with X.509 client certificates. She can store the certificate of each user on the directory service as an attribute of the user account. When business users start the application and present their client certificate, the application grants access to the corresponding business user.
To enable the User Management Engine (UME) to search for and store these certificates, Denise must ensure that the corresponding attributes are mapped correctly in the data source configuration file.
The table below lists the relevant logical attributes of a user account:
Relevant Logical Attributes of a User Account
| Attribute | Description |
|---|---|
| certificatehash | Hash value of the client certificate |
| javax.servlet.request.X509Certificate | Used to search for the directory service certificate |
| certificate | Used to store the directory service certificate |
To set up attribute mapping for client certificates, Denise must edit the following subsections of the directory service section of the data source configuration file:
- <responsibleFor>
- <attributeMapping>
<responsibleFor> Subsection
Denise must add the attributes listed above to the <responsibleFor> subsection of the data source configuration file. Listing an attribute there declares that it is stored on the directory server.
Example: <responsibleFor> Subsection
```xml
<dataSource id="CORP_LDAP" className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence" isReadonly="false" isPrimary="true">
  …
  <responsibleFor>
    <principal type="account">
      <nameSpace name="com.sap.security.core.usermanagement">
        <attributes>
          …
          <attribute name="certificatehash"/>
          <attribute name="javax.servlet.request.X509Certificate"/>
          <attribute name="certificate"/>
        </attributes>
      </nameSpace>
    </principal>
    …
  </responsibleFor>
  …
</dataSource>
```
<attributeMapping> Subsection
Denise must map the logical attributes to the corresponding physical attributes in the directory service. The physical attribute names are vendor-specific.
Example: <attributeMapping> Subsection
```xml
<dataSource id="CORP_LDAP" className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence" isReadonly="false" isPrimary="true">
  …
  <attributeMapping>
    <principals>
      <principal type="account">
        <nameSpace name="com.sap.security.core.usermanagement">
          <attributes>
            …
            <attribute name="certificatehash">
              <physicalAttribute name="*null*"/>
            </attribute>
            <attribute name="javax.servlet.request.X509Certificate">
              <physicalAttribute name="usercertificate"/>
            </attribute>
            <attribute name="certificate">
              <physicalAttribute name="usercertificate"/>
            </attribute>
          </attributes>
        </nameSpace>
      </principal>
      …
    </principals>
    …
  </attributeMapping>
  …
</dataSource>
```
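As an added check that is not part of the SAP documentation, the following Python script parses a data source configuration and reports, for the three logical certificate attributes above, whether each is declared in <responsibleFor> and which physical attribute <attributeMapping> maps it to, so that a half-finished edit of the file shows up before the application is started. The embedded configuration is a constructed sample built from the two examples above with the `certificate` attribute deliberately left out; the function names are this example's own, not UME APIs.

```python
import xml.etree.ElementTree as ET

# Logical attributes the page lists for X.509 client-certificate handling.
CERT_ATTRIBUTES = ("certificatehash", "javax.servlet.request.X509Certificate", "certificate")
NAMESPACE = "com.sap.security.core.usermanagement"
_RESP = "responsibleFor/principal[@type='account']/nameSpace[@name='%s']/attributes/attribute"
_MAP = "attributeMapping/principals/principal[@type='account']/nameSpace[@name='%s']/attributes/attribute"

# Constructed sample: both subsections of one <dataSource>, with the "certificate"
# attribute deliberately left out of both so the check has something to report.
SAMPLE_CONFIG = """<dataSource id="CORP_LDAP" isReadonly="false" isPrimary="true">
  <responsibleFor><principal type="account">
    <nameSpace name="com.sap.security.core.usermanagement"><attributes>
      <attribute name="certificatehash"/>
      <attribute name="javax.servlet.request.X509Certificate"/>
    </attributes></nameSpace>
  </principal></responsibleFor>
  <attributeMapping><principals><principal type="account">
    <nameSpace name="com.sap.security.core.usermanagement"><attributes>
      <attribute name="certificatehash"><physicalAttribute name="*null*"/></attribute>
      <attribute name="javax.servlet.request.X509Certificate">
        <physicalAttribute name="usercertificate"/>
      </attribute>
    </attributes></nameSpace>
  </principal></principals></attributeMapping>
</dataSource>"""

def check_certificate_mapping(xml_text, data_source_id="CORP_LDAP"):
    """Per certificate attribute: is it in <responsibleFor>, and which physical attribute maps it?"""
    root = ET.fromstring(xml_text)
    ds = root if root.tag == "dataSource" else root.find(".//dataSource[@id='%s']" % data_source_id)
    if ds is None:
        raise ValueError("no <dataSource id=%r> in configuration" % data_source_id)
    responsible = {a.get("name") for a in ds.findall(_RESP % NAMESPACE)}
    mapping = {}  # logical name -> physical LDAP attribute name (None if no <physicalAttribute>)
    for attr in ds.findall(_MAP % NAMESPACE):
        phys = attr.find("physicalAttribute")
        mapping[attr.get("name")] = phys.get("name") if phys is not None else None
    return {name: {"in_responsible_for": name in responsible,
                   "physical_attribute": mapping.get(name)} for name in CERT_ATTRIBUTES}

def problems(report):
    """Flatten a report into (attribute, issue) pairs; an empty list means the mapping is complete."""
    issues = []
    for name, info in report.items():
        if not info["in_responsible_for"]:
            issues.append((name, "missing from <responsibleFor>"))
        if info["physical_attribute"] is None:
            issues.append((name, "no <attributeMapping> entry"))
    return issues
```

Running `problems(check_certificate_mapping(open("dataSourceConfiguration.xml").read()))` on the real file lists every certificate attribute that is still undeclared or unmapped; a mapping to `*null*`, as for certificatehash in the example above, is reported as mapped, since the page itself uses it.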