This topic describes how you can specify an attribute in a certificate to uniquely identify the user for Public Key Infrastructure (PKI) authentication.
You must specify an attribute in the certificate that carries the user name or user ID and uniquely identifies the user. A certificate may carry the user name or user ID in an Extension (a non-standard custom attribute), in the Subject DN, or in the Subject Alternative Name field, and the Security Analytics server must be configured to read the value of that attribute. The Security Analytics server uses the extracted value for authorization and retrieves the user's groups from an Active Directory (AD) server. By default, the Security Analytics server extracts the entire value of the selected attribute without filtering any characters. You can use a regular expression (regex) to refine the extracted value.
To configure user principal settings:
- In the Security Analytics menu, select Administration > Security.
  The Security view is displayed with the Users tab open.
- Click the Settings tab.
- In the User Principal settings, click Configure.
  The User Principal Settings dialog is displayed.
- In the Certificate field, paste the Base64-encoded user certificate.
- Click Next.
  The Extensions, SubjectDN and Subject Alternative Name fields are displayed.
- Select a unique field that reflects the user name or user ID.
- Click Test.
  The user name or user principal name is extracted and displayed within square brackets.
- If the extracted user principal name does not match the AD user name, modify the Regex to extract the exact user name and click Test again.
  If the extracted value does not contain the Active Directory user name but does contain another uniquely identifying attribute of the user, such as EmpNo or EmpID, you must configure a custom LDAP filter for the Active Directory that uniquely identifies the user object by that attribute. For information on configuring a custom LDAP filter, see Step 1. Configure Active Directory.
- Click Save to update the Security Analytics server.
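The following added example (not RSA's code) models what the Test step does with a regex and what the custom LDAP filter for the EmpNo/EmpID case looks like: the field values are constructed, the regex semantics (first capture group if present, otherwise the whole match) are an assumption, and the AD attribute name `employeeID` is an assumption.

```python
import re
from typing import Optional

# Constructed sample of the fields the User Principal Settings dialog offers
# after Next; these are not values from a real certificate.
SAMPLE_FIELDS = {
    "SubjectDN": "CN=John Smith (jsmith),OU=Engineering,O=Example Corp,C=US",
    "SubjectAlternativeName": "UPN=jsmith@corp.example.com",
    "Extension (EmpID, constructed custom attribute)": "EMP-004217",
}

def extract_principal(value: str, regex: Optional[str] = None) -> Optional[str]:
    """Mimic the Test button. Assumption: with a regex, the first capture
    group wins if one exists, otherwise the whole match; no match -> None.
    Without a regex the entire attribute value is used, unfiltered."""
    if not regex:
        return value
    m = re.search(regex, value)
    if m is None:
        return None
    return m.group(1) if m.lastindex else m.group(0)

def show_test_result(value: str, regex: Optional[str] = None) -> str:
    """Render the '[...]' display the dialog shows after Test."""
    p = extract_principal(value, regex)
    return f"[{p}]" if p is not None else "[no match]"

def ldap_escape(s: str) -> str:
    """RFC 4515 escaping: a certificate-supplied value must never be able
    to change the structure of the filter it is substituted into."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in s)

def custom_ldap_filter(attr: str, principal: str) -> str:
    """Filter for the EmpNo/EmpID case: locate the AD user object by a
    custom attribute (name assumed) instead of the AD user name."""
    return f"(&(objectClass=user)({attr}={ldap_escape(principal)}))"

if __name__ == "__main__":
    # Subject DN holds the AD user name in parentheses; refine it with a regex.
    print(show_test_result(SAMPLE_FIELDS["SubjectDN"], r"\(([^)]+)\)"))
    # SAN UPN: keep only the part before the '@'.
    print(show_test_result(SAMPLE_FIELDS["SubjectAlternativeName"], r"UPN=([^@]+)@"))
    # Custom extension carrying an employee ID: no regex, whole value, LDAP filter.
    emp = extract_principal(SAMPLE_FIELDS["Extension (EmpID, constructed custom attribute)"])
    print(custom_ldap_filter("employeeID", emp))
```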