Show Contents / Index / Search

Identity Mapper Pane

Getting there

Reflection PKI Services Manager binds certificates to one or more allowed identities using mapping rules. Typically, allowed identities are users or hosts. To authenticate a user correctly, you need to define a rule that links information in the validated certificate to an allowed user account. The mapper provides flexible options for mapping certificates to names. You can specify allowed names explicitly in your rules, or define rules that extract information, such as user or host name, from a certificate. By using these options, you can bind identities to certificates without having to create a separate rule for each certificate.


  • After a certificate is determined to be valid, rules are processed in order (based on rule type then sequence). If the certificate meets the requirements defined in the conditional expression (or if the rule has no condition), the allowed identities specified in that rule are allowed to authenticate. No additional rules are applied after the first match.
  • If no true condition is found, certificate validation fails and an appropriate error message is returned to the validating application.

Rules for determining how to map a certificate to an identity


Click Add to configure a new rule. This opens the Add Mapper Rule dialog box, which you can use to construct new rules. Use the arrows to control the order in which rules are processed within each group.

To use an existing rule as a template for creating a new rule, click Duplicate, then select the copy and click Edit.

Note: Rules are saved to the map file, which can also be edited directly.


Rules are grouped by type. The following types are available:




The rule applies only to user certificates that are being used to authenticate to the specified server.




The rule applies to host certificates only.




The rule applies to user certificates only.




The rule applies to both host certificates and user certificates.



Note: Rule type determines the order in which rules are processed. The order for processing user certificates is: user-address, user, none. The order for processing host certificates is: host, none. Within each rule type, rules are processed in order from top to bottom.


Refresh rules from file before mapping operation

When this option is selected PKI Services Manager reloads the map file every time it evaluates a certificate to determine which identities are allowed.

Timeout for 'Extern' operations

Sets the timeout (in milliseconds) to use when you've configured an external application to handle mapping conditions.

Note: Global mappings are saved to the default PKI Services Manager map file. Certificate-specific mappings are saved to a uniquely named map file that is created in the same location. Map files can be viewed and edited directly. For information about rule syntax, see PKI Services Manager Map File Reference.

Related Topics

Troubleshooting Identity Mapping

Add Mapper Rule

pki_mapfile Map File Reference

Sample Mapping Rules

Sample Map File with RuleType Stanzas