Identity Mapper Pane

Reflection PKI Services Manager mapping binds certificates to one or more allowed identities using mapping rules. Typically, allowed identities are users or hosts. For SSH connections, to authenticate a user correctly, you need to define a rule that links information in the validated certificate to an allowed user account. The mapper provides flexible options for mapping certificates to names. You can specify allowed names explicitly in your rules, or define rules that extract information, such as user or host name, from a certificate. By using these options, you can bind identities to certificates without having to create a separate rule for each certificate. Some PKI Services Manager client applications, including Reflection Security Gateway, use PKI Services Manager for certificate validation only, and do not require any identity mapping.


  • The identity mapping requirements for PKI Services Manager clients vary. For example: The Reflection for Secure IT server supports multiple formats for specifying domain user names in map rules. The Reflection for Secure IT User Manager requires that only one user be allowed for any valid certificate. For additional information refer to information about configuring validation using Reflection for Secure IT in your product documentation.

  • After a certificate is determined to be valid, rules are processed in order (based on rule type then sequence). If the certificate meets the requirements defined in the conditional expression (or if the rule has no condition), the allowed identities specified in that rule are allowed to authenticate. No additional rules are applied after the first match.

  • If no true condition is found, certificate validation fails and an appropriate error message is returned to the validating application.

Rules for determining how to map a certificate to an identity


Click Add to configure a new rule. This opens the Add Mapper Rule dialog box, which you can use to construct new rules. Use the arrows to control the order in which rules are processed within each group.

To use an existing rule as a template for creating a new rule, click Duplicate, then select the copy and click Edit.

NOTE:Rules are saved to the map file, which can also be edited directly.


Rules are grouped by type. The following types are available:



The rule applies only to user certificates that are being used to authenticate to the specified server.



The rule applies to host certificates only.



The rule applies to user certificates only.



The rule applies to both host certificates and user certificates.


NOTE:Rule type determines the order in which rules are processed. The order for processing user certificates is: user-address, user, none. The order for processing host certificates is: host, none. Within each rule type, rules are processed in order from top to bottom.


Refresh rules from file before mapping operation

When this option is selected PKI Services Manager reloads the map file every time it evaluates a certificate to determine which identities are allowed.

Timeout for 'Extern' operations

Sets the timeout (in milliseconds) to use when you've configured an external application to handle mapping conditions. The default is 0 (zero), which sets no time out.

NOTE:Global mappings are saved to the default PKI Services Manager map file The map file binds certificates to one or more allowed identities using mapping rules. UNIX: /opt/attachmate/pkid/config/pki_mapfile Windows: \ProgramData\Attachmate\ReflectionPKI\config\pki_mapfile . Certificate-specific mappings are saved to a uniquely named map file that is created in the same location. Map files can be viewed and edited directly. For information about rule syntax, see PKI Services Manager Map File Reference.