Creating a user for the client

The "Credential Data Certificate Matcher" can be used not only to extract the username from the certificate but also to create matching rules that validate attributes from the certificate against context data from a user persister.

For this example we have chosen to use the "User Persister" for administrators to store the user information of the transaction approval client. This setup has the advantage that such clients are kept separate from the regular users.


The "Credential Data Certificate Matcher" must be configured with the following settings:

  • Username Extraction Settings: Extract an attribute from the certificate to compare to the data in the user persister. In our example we extract the "cn" attribute from the DN of the certificate.
  • User Iterator: Search for a user record in the user persister that matches the extracted attribute against a data column. In our example we search the username attribute in the administrator database persister.

Note: The username retrieved from the user persister is also used for logging purposes.


In this example a transaction approval client will be able to successfully authenticate if all of the following conditions are true:

  • The client has a valid certificate that is trusted by the transaction approval module
  • The subject of the certificate contains a "cn" element (e.g. /CN=ebanking)
  • The administrators database has an administrator with username = ebanking

Note: If the "User Iterator" uses a "Context Data Item" different from username, this "Context Data Item" must be configured in the underlying user persister. The attribute "username" is the only exception to this rule.
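The matching logic described above (the three conditions, plus the note about a "Context Data Item" other than username), as an added illustration that is not the product's own code: a certificate subject DN in OpenSSL slash notation is parsed for the "cn" attribute, the value is looked up in a constructed administrator table, and the username from the matched record is returned for logging. The trust check is taken as a boolean input; the record layout and column names are assumptions.

```python
from typing import Optional

# Constructed administrator persister records (not from the original page).
ADMINS = [
    {"username": "ebanking", "email": "ebanking@example.test"},
    {"username": "ops-admin", "email": "ops@example.test"},
]


def extract_attribute(subject_dn: str, attribute: str) -> Optional[str]:
    """Username Extraction: return one attribute value (e.g. "cn") from an
    OpenSSL-style DN such as "/C=CH/O=Bank/CN=ebanking", or None if absent.
    Attribute names are compared case-insensitively; values containing "/"
    are not handled by this simple splitter."""
    for part in subject_dn.strip("/").split("/"):
        key, sep, value = part.partition("=")
        if sep and key.strip().lower() == attribute.lower() and value.strip():
            return value.strip()
    return None


def find_user(records, column: str, value: str) -> Optional[dict]:
    """User Iterator: first record whose context data column equals value."""
    return next((r for r in records if r.get(column) == value), None)


def authenticate_client(cert_trusted: bool, subject_dn: str, records,
                        attribute: str = "cn", column: str = "username"):
    """Apply the three conditions in order. Returns (ok, username, reason);
    username is the value from the persister, which is what gets logged."""
    if not cert_trusted:
        return (False, None, "certificate not trusted by the module")
    extracted = extract_attribute(subject_dn, attribute)
    if extracted is None:
        return (False, None, f"subject DN has no {attribute} element")
    user = find_user(records, column, extracted)
    if user is None:
        return (False, None, f"no user with {column} = {extracted}")
    return (True, user["username"], "ok")


if __name__ == "__main__":
    print(authenticate_client(True, "/CN=ebanking", ADMINS))
    # Matching on a column other than username (see the note above).
    print(authenticate_client(True, "/CN=ops@example.test", ADMINS, column="email"))
```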