
Example: Attribute Mapping for Client Certificates

Denise DeLassandros wants to set up an application that authenticates users with X.509 client certificates. She can store each user's certificate on the directory service as an attribute of the user account. When a business user starts the application and presents a client certificate, the application looks up the account that holds that certificate and grants access to the corresponding business user.

To enable the User Management Engine (UME) to search for and store these certificates, Denise must ensure that the corresponding logical attributes are mapped correctly in the data source configuration file.

The table below lists the relevant logical attributes of a user account:

Relevant Logical Attributes of a User Account

Attribute                               Description
certificatehash                         Hash value of the client certificate
javax.servlet.request.X509Certificate   Used to search for the certificate on the directory service
certificate                             Used to store the certificate on the directory service

To set up attribute mapping for client certificates, Denise must edit the following subsections of the directory service section of the data source configuration file:

      <responsibleFor>

      <attributeMapping>

<responsibleFor> Subsection

Denise must add the three attributes listed above to the <responsibleFor> subsection of the data source configuration file. Listing an attribute here declares that the directory server is the data source that stores it.

Example: <responsibleFor> Subsection

  <dataSource id="CORP_LDAP"
        className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
        isReadonly="false"
        isPrimary="true">
    …
    <responsibleFor>
      <principal type="account">
        <nameSpace name="com.sap.security.core.usermanagement">
          <attributes>
            …
            <attribute name="certificatehash"/>
            <attribute name="javax.servlet.request.X509Certificate"/>
            <attribute name="certificate"/>
          </attributes>
        </nameSpace>
      </principal>
      …
    </responsibleFor>
    …
  </dataSource>

 

<attributeMapping> Subsection

Denise must map each logical attribute to the corresponding physical attribute of the directory service. The names of the physical attributes are vendor-specific; usercertificate in the example below is the name commonly used by LDAP directories, but the directory's own schema is authoritative.

Caution

Denise must enter the name of each physical attribute in lower case letters. If the name contains upper case letters, the mapping does not work.

Example: <attributeMapping> Subsection

  <dataSource id="CORP_LDAP"
      className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
      isReadonly="false"
      isPrimary="true">
    …
    <attributeMapping>
      <principals>
        <principal type="account">
          <nameSpace name="com.sap.security.core.usermanagement">
            <attributes>
              …
              <attribute name="certificatehash">
                <physicalAttribute name="*null*"/>
              </attribute>
              <attribute name="javax.servlet.request.X509Certificate">
                <physicalAttribute name="usercertificate"/>
              </attribute>
              <attribute name="certificate">
                <physicalAttribute name="usercertificate"/>
              </attribute>
            </attributes>
          </nameSpace>
        </principal>
        …
      </principals>
      …
    </attributeMapping>
    …
  </dataSource>

 

Note

The certificatehash attribute must be mapped to *null*, because directory servers cannot handle hashed certificates. Mapping it to *null* prevents the UME from storing the hash value on the directory server.

The logical attributes javax.servlet.request.X509Certificate and certificate must be mapped to the same physical attribute on the directory server: the attribute the UME searches when a certificate is presented must be the one in which the certificate was stored.
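The rules above (all three attributes declared in <responsibleFor>, certificatehash mapped to *null*, the search and store attributes mapped to the same physical attribute, physical names in lower case) are easy to get wrong by hand. The following script checks a data source configuration file against exactly those rules. It is an added example, not part of SAP's documentation or of the UME; it assumes the element structure shown in the fragments above (a <dataSources> root containing <dataSource> elements), and the two sample configurations embedded in it are constructed for illustration.

```python
"""Check the client-certificate attribute mapping of a UME data source
configuration against the rules on this page.

Added example, not SAP documentation or product code.  Assumes the element
structure of the fragments above under a <dataSources> root element.
"""
import xml.etree.ElementTree as ET

UME_NAMESPACE = "com.sap.security.core.usermanagement"
LOGICAL_HASH = "certificatehash"
LOGICAL_SEARCH = "javax.servlet.request.X509Certificate"
LOGICAL_STORE = "certificate"
CERT_ATTRIBUTES = (LOGICAL_HASH, LOGICAL_SEARCH, LOGICAL_STORE)

# ElementTree path to the account attributes in the UME namespace.  The
# leading ".//" makes it work below <responsibleFor> (principal directly
# inside) and below <attributeMapping> (principal inside <principals>).
ACCOUNT_ATTRS = (".//principal[@type='account']"
                 f"/nameSpace[@name='{UME_NAMESPACE}']/attributes/attribute")


def check_certificate_mapping(xml_text, data_source_id):
    """Return a list of problems; an empty list means the mapping follows the rules."""
    root = ET.fromstring(xml_text)
    ds = next((d for d in root.iter("dataSource") if d.get("id") == data_source_id), None)
    if ds is None:
        return [f"data source {data_source_id!r} not found"]
    problems = []

    # Rule 1: every certificate attribute is declared in <responsibleFor>.
    responsible = ds.find("responsibleFor")
    declared = set()
    if responsible is not None:
        declared = {a.get("name") for a in responsible.iterfind(ACCOUNT_ATTRS)}
    for logical in CERT_ATTRIBUTES:
        if logical not in declared:
            problems.append(f"<responsibleFor> does not list {logical}")

    # Collect logical -> physical mappings from <attributeMapping>.
    mapping = {}
    attribute_mapping = ds.find("attributeMapping")
    if attribute_mapping is not None:
        for attr in attribute_mapping.iterfind(ACCOUNT_ATTRS):
            physical = attr.find("physicalAttribute")
            if physical is not None and attr.get("name") in CERT_ATTRIBUTES:
                mapping[attr.get("name")] = physical.get("name")
    for logical in CERT_ATTRIBUTES:
        if logical not in mapping:
            problems.append(f"<attributeMapping> has no physicalAttribute for {logical}")

    # Rule 2: the hash is never written to the directory.
    if mapping.get(LOGICAL_HASH, "*null*") != "*null*":
        problems.append(f"{LOGICAL_HASH} must be mapped to *null*, not {mapping[LOGICAL_HASH]!r}")

    # Rule 3: search and store attributes point at the same physical attribute.
    search, store = mapping.get(LOGICAL_SEARCH), mapping.get(LOGICAL_STORE)
    if search is not None and store is not None and search != store:
        problems.append(f"{LOGICAL_SEARCH} ({search!r}) and {LOGICAL_STORE} ({store!r}) "
                        "must map to the same physical attribute")

    # Rule 4: physical attribute names are all lower case.
    for logical, physical in mapping.items():
        if physical != "*null*" and physical != physical.lower():
            problems.append(f"physical attribute {physical!r} for {logical} is not all lower case")
    return problems


def _config(hash_phys, search_phys, store_phys, declare_hash=True):
    """Build a constructed configuration in the structure of the page's fragments."""
    declared = "".join(f'<attribute name="{n}"/>' for n in CERT_ATTRIBUTES
                       if declare_hash or n != LOGICAL_HASH)
    mapped = "".join(f'<attribute name="{n}"><physicalAttribute name="{p}"/></attribute>'
                     for n, p in ((LOGICAL_HASH, hash_phys), (LOGICAL_SEARCH, search_phys),
                                  (LOGICAL_STORE, store_phys)))
    return f"""<dataSources>
  <dataSource id="CORP_LDAP"
      className="com.sap.security.core.persistence.datasource.imp.LDAPPersistence"
      isReadonly="false" isPrimary="true">
    <responsibleFor>
      <principal type="account">
        <nameSpace name="{UME_NAMESPACE}"><attributes>{declared}</attributes></nameSpace>
      </principal>
    </responsibleFor>
    <attributeMapping>
      <principals>
        <principal type="account">
          <nameSpace name="{UME_NAMESPACE}"><attributes>{mapped}</attributes></nameSpace>
        </principal>
      </principals>
    </attributeMapping>
  </dataSource>
</dataSources>"""


# Constructed samples: the mapping from the page, and one that breaks every rule.
GOOD_CONFIG = _config("*null*", "usercertificate", "usercertificate")
BAD_CONFIG = _config("usercertificatehash", "userCertificate", "usercertificate",
                     declare_hash=False)

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_certificate_mapping(cfg, "CORP_LDAP") or "OK")
```

Run against an exported data source configuration file by replacing the constructed samples with the file contents; the four rule checks report each violation separately, so a mixed-case physical name such as userCertificate is flagged both as a case problem and, if the other attribute is spelled differently, as a search/store mismatch.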
