Select the type of certificate that is to be mapped

Specifies whether the rule applies to user or host authentication. Select "Any certificate" to have the rule apply to all authentications.

Apply this rule only to this server

This option is available when the rule type is set to "User Certificate". To apply a rule only to users authenticating to a specific server, enable this setting and then specify the server.

Note: When PKI Services Manager evaluates this rule, it uses the server name (not the DNS host name) of the server the user is connecting to. The server sends its name to PKI Services Manager when it requests validation of a user certificate, and PKI Services Manager uses that name when applying the rule. To determine the host name that is sent, you can enter the hostname command from a Windows DOS window or from a UNIX terminal session.

Specify one or more identities for the mapped certificate

Use the text box to specify which identities can authenticate with a valid certificate. Use spaces to separate multiple allowed identities.

For example, to allow users named root, joe, and fred to authenticate with a valid certificate, enter:

root joe fred

Note: If an allowed name includes spaces, enclose it in quotes.

The format domain\user is required for Windows domain users, for example:

windomain\joe windomain\fred

Choose certificate identity to insert

Select an item from this drop-down list to construct the allowed identity set based on the contents of the certificate presented for authentication. In the resulting rule, the percent symbol (%) precedes and follows the item you select.

For example, if you are configuring host authentication, you can select "UPN Host" to allow authentication by the host specified in the Host portion of the UPN field. The allowed identity set shows as:

%UPN.Host%

You can combine text strings with extracted information. The following example adds a Windows domain name to an extracted user identity:

windomain\%UPN.User%

Note: You can precede a text string with an extracted identity, and/or add a text string after an extracted identity, but you cannot combine more than one extracted value to form a single identity.

Accept claimed identity

When this option is selected, no conditions are set on the identity being mapped.

Caution: This option allows the listed identities to authenticate with any valid certificate and should therefore be used with caution.

Allow authentication if the following condition is met

When this option is selected, the set of allowed identities can authenticate only if the condition you configure is true. For details, see "Defining Conditions in a Rule" (below).

Contains

Checks if the Field value is contained anywhere within the Argument.

Equals

Checks for absolute equality between the Field value and the Argument value. (This is the only option available if you select Certificate or Serial/Issuer from the first drop-down list.)

For DNS, UPN and Email options, the comparison is case-insensitive.

Extern

Uses an external application to test the condition. Use Argument to point to the application. If the match within the external application is successful, it should exit with status 0; a non-zero return means an unsuccessful match.

Regular Expression

Applies the Argument as a regular expression to the Field. If the regular expression includes an exact match to the Field contents, the condition is true.