Client certificates are exposed as java.security.cert.X509Certificate objects, so attribute mapping expressions can call any method that the Java Platform, Standard Edition API Specification defines on that class. For the full list of available methods, see the J2SE online javadoc for java.security.cert.X509Certificate.

To get the first certificate in the chain (the client's own end-entity certificate) as an X509Certificate object, use the ClientCertificateChain keyword within the OGNL expression and call getObjectValue(). For example:

#this.get("ClientCertificateChain").getObjectValue()

To get the entire client certificate chain as an iterable collection of X509Certificate objects, call getAllObjectValues() on the same keyword in the OGNL expression. For example:

#this.get("ClientCertificateChain").getAllObjectValues()

The following table lists example OGNL expressions you can use to map certificate attributes during the setup or deployment of the X.509 Certificate Adapter. For information about using OGNL for attribute mapping in PingFederate, see Attribute Mapping Expressions in the PingFederate documentation.

OGNL Expression:

#x509Cert = #this.get("ClientCertificateChain").getObjectValue(), #hexEncoded = new String (@org.apache.commons.codec.binary.Hex@encodeHex (#x509Cert.getSignature()))

Description:

Returns the hex-encoded signature bytes of the X.509 client certificate. Note that getSignature() returns the issuer's signature over the certificate, not a certificate fingerprint (a hash over the whole DER encoding); do not treat the two as interchangeable.

OGNL Expression:

#x509Cert = #this.get("ClientCertificateChain").getObjectValue(), #hexEncoded = new String (@org.apache.commons.codec.binary.Hex@encodeHex (#x509Cert.getExtensionValue("2.16.840.1.113730.1.13")))

Description:

Extracts the Netscape Comment certificate extension (Object Identifier (OID) 2.16.840.1.113730.1.13) from the X.509 client certificate and hex encodes it.

Other certificate extensions can be extracted by using the correct OID for the extension. Two caveats apply to every extension mapped this way. First, getExtensionValue() returns the DER-encoded OCTET STRING that wraps the extension value, so the hex output begins with the OCTET STRING tag and length bytes (04 ...) rather than with the extension's own content; the consumer of the attribute must strip that wrapper and decode the inner structure. Second, getExtensionValue() returns null when the certificate does not carry the requested extension, and passing null to encodeHex fails, so test the value for null before encoding it if not every client certificate is guaranteed to contain the extension.
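As an added example, not taken from the PingFederate documentation or the X.509 Certificate Adapter itself, the following Python shows what a consumer of the mapped attribute has to do with the hex produced by the getExtensionValue() expression above: strip the DER OCTET STRING wrapper, then decode the inner IA5String that a Netscape Comment extension carries. The sample hex is constructed inline with a small DER encoder (there is no real certificate involved, and the comment text is an assumption); the decoder rejects wrong tags, truncated input and non-minimal DER lengths instead of guessing.

```python
"""Decode the hex an attribute mapping produces for a Netscape Comment
extension (OID 2.16.840.1.113730.1.13) obtained via
X509Certificate.getExtensionValue(). Added example with constructed input."""
import binascii

NETSCAPE_COMMENT_OID = "2.16.840.1.113730.1.13"
TAG_OCTET_STRING = 0x04
TAG_IA5STRING = 0x16


def der_encode(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV. Used only to build the constructed sample below."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + value


def der_read_tlv(buf: bytes, offset: int = 0) -> tuple:
    """Parse one DER TLV at offset; return (tag, value, offset_after_tlv)."""
    if offset + 2 > len(buf):
        raise ValueError("truncated DER: missing tag or length")
    tag = buf[offset]
    first = buf[offset + 1]
    offset += 2
    if first < 0x80:
        length = first
    else:
        size = first & 0x7F
        if size == 0 or size > 4:
            raise ValueError("unsupported DER length encoding")
        if offset + size > len(buf):
            raise ValueError("truncated DER: length bytes")
        length = int.from_bytes(buf[offset:offset + size], "big")
        offset += size
        # DER requires the shortest length form; reject the alternatives.
        if length < 0x80 or length < (1 << (8 * (size - 1))):
            raise ValueError("non-minimal DER length")
    if offset + length > len(buf):
        raise ValueError("truncated DER: value")
    return tag, buf[offset:offset + length], offset + length


def unwrap_extension_value(hex_from_adapter: str) -> bytes:
    """getExtensionValue() yields the DER OCTET STRING wrapping the extension
    value; strip that wrapper and return the extension's own DER bytes."""
    raw = binascii.unhexlify(hex_from_adapter)
    tag, inner, end = der_read_tlv(raw)
    if tag != TAG_OCTET_STRING:
        raise ValueError("expected OCTET STRING, got tag 0x%02x" % tag)
    if end != len(raw):
        raise ValueError("trailing bytes after OCTET STRING")
    return inner


def decode_netscape_comment(hex_from_adapter: str) -> str:
    """Unwrap the OCTET STRING, then decode the IA5String comment inside."""
    inner = unwrap_extension_value(hex_from_adapter)
    tag, text, end = der_read_tlv(inner)
    if tag != TAG_IA5STRING:
        raise ValueError("expected IA5String, got tag 0x%02x" % tag)
    if end != len(inner):
        raise ValueError("trailing bytes after IA5String")
    try:
        return text.decode("ascii")  # IA5String is 7-bit ASCII by definition
    except UnicodeDecodeError as exc:
        raise ValueError("IA5String contains non-ASCII bytes") from exc


def try_decode_netscape_comment(hex_from_adapter: str):
    """Return the comment, or None when the hex is not a well-formed
    OCTET STRING-wrapped IA5String (what a consumer should reject)."""
    try:
        return decode_netscape_comment(hex_from_adapter)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def adapter_hex_for_comment(comment: str) -> str:
    """Constructed sample: the hex the mapping expression would emit for a
    certificate whose Netscape Comment extension carries `comment`."""
    ext = der_encode(TAG_OCTET_STRING, der_encode(TAG_IA5STRING, comment.encode("ascii")))
    return binascii.hexlify(ext).decode("ascii")


# Constructed sample input; the comment text is an assumption, not real data.
SAMPLE_HEX = adapter_hex_for_comment("issued for mTLS demo")

if __name__ == "__main__":
    print("raw hex from mapping :", SAMPLE_HEX)
    print("decoded comment      :", decode_netscape_comment(SAMPLE_HEX))
    print("malformed input      :", try_decode_netscape_comment("3003020100"))
```

The same unwrap step applies to any extension mapped through getExtensionValue(); only the inner decoding (here an IA5String) changes with the OID. Treating the hex as the raw extension content without stripping the wrapper is the usual mistake, and matching on it will silently fail because the first two bytes are the OCTET STRING tag and length.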