---
title: Certificate User Extractor node
description: The Certificate User Extractor node extracts an identifier from the certificate collected by the Certificate Collector node and searches for that identifier in the identity store. The purpose of this node is to match the collected certificate with a user in the identity store.
component: auth-node-ref
version: latest
page_id: auth-node-ref::certificate-user-extractor
canonical_url: https://docs.pingidentity.com/auth-node-ref/latest/certificate-user-extractor.html
keywords: ["Nodes & Trees", "Journeys", "Authentication", "Certificates", "Identity Store", "Users", "User Profiles"]
page_aliases: ["self-managed/auth-node-certificate-user-extractor.adoc"]
superseded_by: https://docs.pingidentity.com/auth-node-ref/latest/certificate-user-extractor.html
section_ids:
  example: Example
  availability: Availability
  inputs: Inputs
  dependencies: Dependencies
  configuration: Configuration
  outputs: Outputs
  callbacks: Callbacks
  outcomes: Outcomes
  errors: Errors
---

# Certificate User Extractor node

The Certificate User Extractor node extracts an identifier from the certificate collected by the [Certificate Collector node](certificate-collector.html) and searches for that identifier in the identity store. The purpose of this node is to match the collected certificate with a user in the identity store.

## Example

This example shows an authentication journey using a certificate as credentials.

![journey certificate auth](_images/journey-certificate-auth.png)

1. The Certificate Collector node attempts to collect the certificate from the request body or the header.

   * If the node can collect the certificate, the journey proceeds to the [Certificate Validation node](certificate-validation.html).

   * If the node can't collect the certificate, the journey proceeds to a [Page node](page.html) containing a [Platform Username node](platform-username.html) and a [Platform Password node](platform-password.html) to let the user authenticate with username/password credentials.

2. The Certificate Validation node attempts to validate the certificate based on the configuration of that node.

   * If the certificate can be validated, the journey proceeds to the [Certificate User Extractor node](certificate-user-extractor.html).

   * If the certificate is invalid, the journey proceeds to the Failure node.

   * In all other cases, the journey proceeds to a [Page node](page.html) containing a [Platform Username node](platform-username.html) and a [Platform Password node](platform-password.html) to let the user authenticate with username/password credentials.

3. The Certificate User Extractor node extracts the user ID from the certificate and attempts to find a match in the identity store.

   * If the username can be extracted and a matching user is found in the identity store, the journey increments the login count and authenticates the user.

   * If the username can't be extracted or no matching user is found in the identity store, the journey proceeds to the Failure node.

## Availability

| Product                               | Available? |
| ------------------------------------- | ---------- |
| PingOne Advanced Identity Cloud       | Yes        |
| PingAM (self-managed)                 | Yes        |
| Ping Identity Platform (self-managed) | Yes        |

## Inputs

This node reads the value of the `X509Certificate` property from the transient state.

Implement the [Certificate Collector node](certificate-collector.html) as input to this node to obtain the `X509Certificate`.

## Dependencies

This node has no dependencies.

## Configuration

| Property | Usage |
| --- | --- |
| Certificate Field Used to Access User Profile | Specifies the field in the certificate that Advanced Identity Cloud uses to search for the user in the identity store. Possible values are:<br>- `Subject DN`<br>- `Subject CN`<br>- `Subject UID`<br>- `Email Address`<br>- `Other`<br>- `None`<br>If you select `Other`, provide an attribute name in the Other Certificate Field Used to Access User Profile property.<br>Select `None` if you want to specify an alternate way of looking up the user profile in the SubjectAltNameExt Value Type to Access User Profile property.<br>Default: `Subject CN` |
| Other Certificate Field Used to Access User Profile | Specifies a custom certificate field to use as the base of the user search. |
| SubjectAltNameExt Value Type to Access User Profile | Specifies how to look up the user profile:<br>- `None`: Advanced Identity Cloud uses the value specified in the Certificate Field Used to Access User Profile or the Other Certificate Field Used to Access User Profile properties when looking up the user profile.<br>- `RFC822Name`: Advanced Identity Cloud looks up the user profile using the value of the `RFC822Name` field.<br>- `UPN`: Advanced Identity Cloud looks up the user profile using the User Principal Name attribute used in Active Directory.<br>Default: `None` |
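
The following added example (not Ping Identity's code) models how the settings in the table above pick a different identity-store search key from the same certificate. The subject DN, the SAN entries, the mapping of option labels to DN attribute types, and the rejection of configurations where both selectors are set are assumptions of this example.

```python
import re

# Constructed sample data; not taken from a real certificate.
SAMPLE_SUBJECT = (r"UID=bjensen,CN=Jensen\, Barbara,"
                  r"emailAddress=bjensen@example.com,OU=People,DC=example,DC=com")
SAMPLE_SAN = [("RFC822Name", "barbara.jensen@example.com"),
              ("UPN", "bjensen@corp.example.com")]

# Assumed mapping from the node's option labels to DN attribute types.
FIELD_ATTRS = {"Subject CN": ("CN",), "Subject UID": ("UID",),
               "Email Address": ("EMAILADDRESS", "E")}

def split_unescaped(text, seps):
    """Split on separator characters that are not preceded by a backslash escape."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])   # keep the escape pair intact for now
            i += 2
            continue
        if text[i] in seps:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(text[i])
        i += 1
    parts.append("".join(cur))
    return parts

def parse_dn(dn):
    """Parse an RFC 4514 style DN string into (TYPE, value) pairs in string order."""
    pairs = []
    for rdn in split_unescaped(dn, ",+"):
        attr, _, value = rdn.partition("=")
        # Undo "\," style escapes and single-byte "\2C" hex escapes.
        value = re.sub(r"\\([0-9A-Fa-f]{2}|.)",
                       lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1),
                       value.strip())
        pairs.append((attr.strip().upper(), value))
    return pairs

def lookup_value(subject_dn, san, cert_field="Subject CN", other_field="", san_type="None"):
    """Return the identity-store search key the settings select, or None if absent."""
    if cert_field != "None" and san_type != "None":
        # Assumption of this example: refuse ambiguous configs rather than guess precedence.
        raise ValueError("set one of the two selector properties to None")
    if cert_field == "None":
        return next((v for t, v in san if t == san_type), None)
    if cert_field == "Subject DN":
        return subject_dn
    wanted = (other_field.upper(),) if cert_field == "Other" else FIELD_ATTRS[cert_field]
    return next((v for t, v in parse_dn(subject_dn) if t in wanted), None)
```

With the constructed subject above, the default `Subject CN` setting yields `Jensen, Barbara` while `Subject UID` yields `bjensen`, so the chosen field has to match the attribute the identity store is actually searched on.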

## Outputs

If the node can extract a value from the certificate, that value is stored in the `username` key in the shared node state.

## Callbacks

This node doesn't send any callbacks.

## Outcomes

* `Extracted`

  The node extracted the user ID from the certificate and found a match in the identity store.

* `Not Extracted`

  The node couldn't extract the user ID from the certificate or couldn't match the ID to an identity in the identity store.

## Errors

If the node can't extract the user ID from the certificate, it logs the following error:

`Unable to parse user token ID from Certificate`
