IBM Verify
How can I pass an extended attribute from EAI when User Mapping Module drops the attribute?

    Posted Fri March 07, 2025 01:12 PM

    I have an environment using Verify Access 10.0.8 appliances. User authentication is done with Kerberos SSO, and step-up authentication uses client certificates. We had to configure a User Mapping to deal with some issues with Kerberos. We also had to use an EAI to retrieve certain values from the client certificates that are not retrievable with the built-in functionality.

    The EAI passes the user email as the username and the certificate DN as an extended attribute. We can see in the pdweb traces that WebSEAL is receiving these values. However, WebSEAL then runs the User Mapping module (when it is not really needed for the certificate authentication), and it drops the certificate DN attribute when it finds the user in the local directory.

    The certificate is issued by a separate directory, so there is no correlation between the local directory and the certificate directory. We need the certificate DN to be passed on in SAML assertions.

    So my question is, what can be done to retain the certificate DN in this case?



    ------------------------------
    James Smith
    ------------------------------