Show Contents / Index / Search

Identity Mapper Pane

Getting there

Reflection PKI Services Manager binds certificates to one or more allowed identities using mapping rules. Typically, allowed identities are users or hosts. To authenticate a user correctly, you need to define a rule that links information in the validated certificate to an allowed user account. The mapper provides flexible options for mapping certificates to names. You can specify allowed names explicitly in your rules, or define rules that extract information, such as user or host name, from a certificate. By using these options, you can bind identities to certificates without having to create a separate rule for each certificate.

Notes:

  • After a certificate is determined to be valid, rules are processed in order (based on rule type then sequence). If the certificate meets the requirements defined in the conditional expression (or if the rule has no condition), the allowed identities specified in that rule are allowed to authenticate. No additional rules are applied after the first match.
  • If no true condition is found, certificate validation fails and an appropriate error message is returned to the validating application.

Rules for determining how to map a certificate to an identity

Rule

Click Add to configure a new rule. This opens the Add Mapper Rule dialog box, which you can use to construct new rules. Use the arrows to control the order in which rules are processed within each group.

To use an existing rule as a template for creating a new rule, click Duplicate, then select the copy and click Edit.

Note: Rules are saved to the the map file, which can also be edited directly.

 

Rules are grouped by type. The following types are available:

 

 

user-address=server

The rule applies only to user certificates that are being used to authenticate to the specified server.

 

 

host

The rule applies to host certificates only.

 

 

user

The rule applies to user certificates only.

 

 

none

The rule applies to both host certificates and user certificates.

 

 

Note: Rule type determines the order in which rules are processed. The order for processing user certificates is: user-address, user, none. The order for processing host certificates is: host, none. Within each rule type, rules are processed in order from top to bottom.

Settings

Refresh rules from file before mapping operation

When this option is selected PKI Services Manager reloads the map file every time it evaluates a certificate to determine which identities are allowed.

Timeout for 'Extern' operations

Sets the timeout (in milliseconds) to use when you've configured an external application to handle mapping conditions.

Note: Global mappings are saved to the default PKI Services Manager map file. Certificate-specific mappings are saved to a uniquely named map file that is created in the same location. Map files can be viewed and edited directly. For information about rule syntax, see PKI Services Manager Map File Reference.

Related Topics

PKI Services Manager Map File Reference (pki_mapfile)

Sample PKI Services Manager Mapping Rules

Sample Map File with RuleType Stanzas