Geneva Server client certificate validation

When using the Geneva Server as an Identity Provider and an "Authentication type = Certificate" endpoint

1) How are the client certificates validated? Must the certificates map to windows accounts?
2) What are the extracted claims?

Thanks
Pedro Felix
http://pfelix.wordpress.com
Pedro Felix

Yes certificates must map to windows account.

The claims extracted are the same as if the user logged in using windows logon.

Bo Chen at Microsoft
Thanks
Pedro
http://pfelix.wordpress.com
Pedro Felix
Bo,

Can you elaborate on this? I'm running into this situation with my application currently.

I want my ASP.Net web app to get a token from my Geneva STS for calls to relying WCF services. If the web app authenticates to the STS using an x.509 cert, what do I need to do to map the cert to an AD user?

Thanks in advance.
Software Arch
Certificates issued by an AD integrated CA contain a UPN name (user@domain) - this is used to map the cert to a Windows account (which in turn maps to valid certs).
Dominick Baier | thinktecture | http://www.leastprivilege.com
Dominick Baier
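The mapping Dominick describes (UPN pulled from the certificate's Subject Alternative Name, then resolved against Active Directory, with the resulting Windows groups becoming the claims) can be exercised outside Geneva Server with plain .NET. The following is an added example written for this page; it is not Geneva Server's code and not code posted by anyone in the thread. It assumes a domain-joined machine, a certificate file path passed on the command line, and that the issuing CA is trusted by the machine; the `CertMappingDemo` class and its method names are the example's own.

```csharp
// Added example, not Geneva Server code: demonstrates the three steps the thread
// describes - extract the UPN from an X.509 client certificate, verify the chain,
// and resolve the UPN to a Windows account whose groups become the claims.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

static class CertMappingDemo
{
    // The UPN lives in the Subject Alternative Name as an otherName entry; .NET
    // exposes it directly as X509NameType.UpnName (the "special name property").
    // Returns null when the certificate carries no UPN, e.g. a bare makecert cert.
    public static string GetUpn(X509Certificate2 cert)
    {
        string upn = cert.GetNameInfo(X509NameType.UpnName, false);
        return string.IsNullOrEmpty(upn) ? null : upn;
    }

    // Builds the chain against the machine's trusted roots with online revocation
    // checking and requires the Client Authentication EKU. A certificate that fails
    // here must never be mapped, whatever its UPN says.
    public static bool ChainIsValid(X509Certificate2 cert, out X509ChainStatus[] status)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.2")); // id-kp-clientAuth
        bool ok = chain.Build(cert);
        status = chain.ChainStatus;
        return ok;
    }

    // Resolves the UPN to a Windows account using Kerberos S4U (no password is
    // involved). Throws if the UPN is unknown to AD or the machine is not domain-joined.
    public static WindowsIdentity MapToWindowsAccount(string upn)
    {
        return new WindowsIdentity(upn);
    }

    static void Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.WriteLine("usage: CertMappingDemo <client-cert.cer>");
            return;
        }

        var cert = new X509Certificate2(args[0]);

        string upn = GetUpn(cert);
        if (upn == null)
        {
            Console.WriteLine("Certificate has no UPN in its SAN; it cannot be mapped to a Windows account.");
            return;
        }

        X509ChainStatus[] status;
        if (!ChainIsValid(cert, out status))
        {
            Console.WriteLine("Chain validation failed; refusing to map " + upn + ":");
            foreach (X509ChainStatus s in status)
                Console.WriteLine("  " + s.Status + ": " + s.StatusInformation.Trim());
            return;
        }

        // These group memberships are what a Windows logon yields and therefore the
        // same claims Bo Chen says the STS issues for a certificate logon.
        using (WindowsIdentity id = MapToWindowsAccount(upn))
        {
            Console.WriteLine("Mapped " + upn + " to " + id.Name);
            foreach (IdentityReference g in id.Groups.Translate(typeof(NTAccount)))
                Console.WriteLine("  group claim: " + g.Value);
        }
    }
}
```

Two points worth noting for anyone reproducing this. First, the UPN on its own proves nothing; the chain check is what ties the name to a CA you trust, so a makecert-issued development certificate will be rejected unless its issuer has been installed as a trusted root on the validating machine. Second, the implicit UPN mapping that Windows itself performs for certificate logons additionally requires the issuing CA to be published in the domain's NTAuth store, which is why AD-integrated enterprise CAs work out of the box and stand-alone or self-issued certificates generally do not.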
Thanks for your feedback Dominick. When you say "this is used to map the cert to a Windows account (which in turn maps to valid certs)", is there an administrative step required in Geneva Server to link the cert to an AD account when authenticating the incoming token against AD, or will Geneva Server do this automatically by looking at the UPN name of the cert? Does the cert need to be placed in the Trusted People store of the Geneva Server for this to work? Is there any documentation on this that you've seen anywhere? I can't find any.

Also, I don't have a PKI infrastructure set up, and am using makecert to create the certs in development. Is there a way to map a self-created cert to a Windows account?

Thanks again!

Software Arch
The standard Windows certificate mapping is used here.

I used to know how exactly it works - but I forgot.

Basically the UPN is pulled out of the cert (that's a special name property) - and checked against the certs that are mapped to the user in AD (there is a certificates tab in the "Active Directory Users and Computers" MMC snap-in). I am not sure if you can map non-enterprise-CA-issued certs to a Windows account.

Nothing special is required at Geneva Server. That's standard Windows security infrastructure.
Dominick Baier | thinktecture | http://www.leastprivilege.com
  • Proposed As Answer by Software Arch, Thursday, September 03, 2009 5:26 PM
  • Marked As Answer by Pedro Felix (MVP), Thursday, September 03, 2009 6:42 PM
Dominick Baier
Got it. Thanks again.
Software Arch
Along the lines of the OP's second question, is there an "easy" way to get the cert OID into a claim using what's built into Geneva Server? It'd be nice for differentiating between credential strengths (soft cert, hard token, etc.).

DOM_LMCO
You have the certificate in your SslClientSignin.aspx, and it is (probably already, or you could put it there) part of an AD attribute (you can do a claims transform).
paullem