Certificate User Extractor node
The Certificate User Extractor node extracts an identifier from the certificate collected by the Certificate Collector node and searches for that identifier in the identity store. The purpose of this node is to match the collected certificate with a user in the identity store.
Compatibility
| Product | Compatible? |
|---|---|
| Advanced Identity Cloud | Yes |
| PingAM (self-managed) | Yes |
| Ping Identity Platform (self-managed) | Yes |
Inputs
This node reads the value of the `X509Certificate` property from the transient state.
Implement the Certificate Collector node as input to this node to obtain the `X509Certificate`.
Configuration
| Property | Usage |
|---|---|
| Certificate Field Used to Access User Profile | Specifies the field in the certificate that AM uses to search for the user in the identity store. Possible values are: If you select Select Default: |
| Other Certificate Field Used to Access User Profile | Specifies a custom certificate field to use as the base of the user search. |
| SubjectAltNameExt Value Type to Access User Profile | Specifies how to look up the user profile: Default: |
Outcomes
- Extracted: The node extracted the user ID from the certificate and found a match in the identity store.
- Not Extracted: The node couldn't extract the user ID from the certificate or couldn't match the ID to an identity in the identity store.
Outputs
If the node can extract a value from the certificate, that value is stored in the `username` key in the shared node state.
Errors
If the node can’t extract the user ID from the certificate, it logs the following error:
Unable to parse user token ID from Certificate
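The two steps this node performs, pulling one field out of an X.509 certificate and then matching it against the identity store, are shown below as an added example. It is not AM's code or the node's implementation: the field labels (`subject-cn`, `san-rfc822name`, `san-dnsname`) are hypothetical names chosen for the example, the identity store is a constructed map, and the certificate is a throwaway self-signed one generated in-process so the program runs offline. It uses only the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ErrNotExtracted corresponds to the node's "Not Extracted" outcome: the
// configured field is absent or ambiguous, or the identifier has no match.
var ErrNotExtracted = errors.New("unable to parse user token ID from certificate")

// identityStore is a constructed stand-in for the identity store, mapping a
// search-attribute value to an account name. Sample data only, not AM's store.
var identityStore = map[string]string{
	"alice":             "alice",
	"alice@example.com": "alice",
}

// ExtractUserID returns the identifier selected by field. The field labels
// are hypothetical names for this example, not the node's option values.
func ExtractUserID(cert *x509.Certificate, field string) (string, error) {
	var values []string
	switch field {
	case "subject-cn":
		if cn := cert.Subject.CommonName; cn != "" {
			values = []string{cn}
		}
	case "san-rfc822name":
		values = cert.EmailAddresses
	case "san-dnsname":
		values = cert.DNSNames
	default:
		return "", fmt.Errorf("unsupported certificate field %q", field)
	}
	// A missing or multi-valued field is rejected rather than guessed at:
	// picking whichever SAN entry comes first could bind the wrong account.
	if len(values) != 1 || strings.TrimSpace(values[0]) == "" {
		return "", ErrNotExtracted
	}
	return strings.TrimSpace(values[0]), nil
}

// MatchUser looks the identifier up in the identity store and returns the
// account name that would be written to the username shared-state key.
func MatchUser(id string) (string, error) {
	user, ok := identityStore[id]
	if !ok {
		return "", ErrNotExtracted
	}
	return user, nil
}

// Run chains extraction and lookup the way the node's outcomes describe:
// both steps must succeed for the "Extracted" outcome.
func Run(cert *x509.Certificate, field string) (string, error) {
	id, err := ExtractUserID(cert, field)
	if err != nil {
		return "", err
	}
	return MatchUser(id)
}

// NewSampleCert builds a self-signed client certificate for the example; in a
// journey this is the X509Certificate the Certificate Collector node stores.
func NewSampleCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: "alice", Organization: []string{"Example Corp"}},
		EmailAddresses: []string{"alice@example.com"}, // SAN rfc822Name
		DNSNames:       []string{"alice.example.com"}, // SAN dNSName, not in the store
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := NewSampleCert()
	if err != nil {
		panic(err)
	}
	for _, field := range []string{"subject-cn", "san-rfc822name", "san-dnsname"} {
		if user, err := Run(cert, field); err != nil {
			fmt.Printf("%-15s -> Not Extracted (%v)\n", field, err)
		} else {
			fmt.Printf("%-15s -> Extracted, username=%s\n", field, user)
		}
	}
}
```

Running it shows the two outcomes side by side: `subject-cn` and `san-rfc822name` both resolve to `alice`, while `san-dnsname` extracts `alice.example.com` but finds no matching identity and ends in the Not Extracted path, which is the same distinction the node draws between "couldn't extract" and "couldn't match".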
Example
This example shows an authentication journey using a certificate as credentials.

- The Certificate Collector node attempts to collect the certificate from the request body or the header.
  - If the node can collect the certificate, the journey proceeds to the Certificate Validation node.
  - If the node can't collect the certificate, the journey proceeds to a Page node containing a Platform Username node and a Platform Password node to let the user authenticate with username/password credentials.
- The Certificate Validation node attempts to validate the certificate based on the configuration of that node.
  - If the certificate can be validated, the journey proceeds to the Certificate User Extractor node.
  - If the certificate is invalid, the journey proceeds to the Failure node.
  - In all other cases, the journey proceeds to a Page node containing a Platform Username node and a Platform Password node to let the user authenticate with username/password credentials.
- The Certificate User Extractor node extracts the user ID from the certificate and attempts to find a match in the identity store.
  - If the username can be extracted and a matching user is found in the identity store, the journey increments the login count and authenticates the user.
  - If the username can't be extracted or no matching user is found in the identity store, the journey proceeds to the Failure node.