GlobalID Integration: Micro Focus Access Manager (IdP), v5.0.7

Liga GlobalID provides the eDirectory management and the attribute value that Micro Focus Access Manager needs in order to perform secure two-way X.509 certificate authentication as the Identity Provider.

The value used is “GlobalIDX509Identifier”, which is described in the “Device” section of https://ligasoftware.atlassian.net/wiki/spaces/PSPD/pages/599425644.

The value is synchronized to the user object if the device template is configured accordingly. Otherwise the value is only available on the specific device object of the user.

GlobalIDX509Identifier Structure

Excerpt from the Access Manager documentation about the structure of the value:

Serial number and issuer name: Lets you match a user’s certificate by using the serial number and issuer name. The issuer name and the serial number must be put into the same LDAP attribute of the user, and the name of this attribute must be listed in the Attribute Mappings section.

When using a Case Ignore String attribute, both the issuer name and the serial number must be in the same attribute separated by a dollar sign ($) character. The issuer name must precede the $ character, with the serial number following the $ character. Do not use any spaces preceding or following the $ character. For example: O=CURLY, OU=Organization CA$21C0562C5C4

The issuer name can be from root to leaf or from leaf to root. The issuer name must be comma-delimited with a space after the comma. (For example, O=CURLY, OU=Organization CA or OU=Organization CA, O=CURLY.)

The serial number cannot begin with a zero (0) or with a hexadecimal notation (0x). If the serial number is 0x0BAC05, the value of the serial number in the attribute must be BAC05. The certificate number is displayed in Internet Explorer with a space after every fourth digit. However, you must enter the certificate number without using spaces.

The LDAP attribute can be any Case Ignore List or Case Ignore String attribute of the user. If you are configuring your own attribute, ensure that the attribute is added to the Person class. When using a Case Ignore List attribute, both the issuer name and the serial number must be on the same list. The issuer name needs to be the first item on the list, with the serial number being the second and last item on the list.

Examples:

Nets DanID MOCES2 X.509 certificate (NemID employee certificate, “medarbejdercertificat”):

CN=TRUST2408 Systemtest XXXIV CA, O=TRUST2408, C=DK$5f9c4fa8

Active Directory certificate:

CN=globalid-DEMO-AD-DC01-CA-3, DC=globalid, DC=local$420000096f8e2002368321157500010000096f
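The formatting rules quoted above (comma-plus-space delimited issuer, a single “$”, a hex serial with no “0x”, no spaces and no leading zero, case-insensitive matching in either issuer order) are easy to get subtly wrong when populating the attribute by script. The following is an added example, not GlobalID or Access Manager code: it builds a value from an issuer DN and an integer serial, validates a stored value against the rules, and matches it against a certificate the way a Case Ignore String comparison would. The function names and the plain “attr=value” RDN parser are assumptions (escaped commas in RDN values are not handled).

```python
import re

# Value format from the Access Manager excerpt:
#   <issuer RDNs joined by ", "> $ <serial in hex, no 0x, no leading zero>
# Only plain "attr=value" RDNs are accepted here (assumption for this example).
_RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]*=[^,]+$")


def build_x509_identifier(issuer_rdns, serial_number):
    """Build the attribute value from a list of 'attr=value' RDNs and an
    integer serial number, applying the documented formatting rules."""
    if serial_number <= 0:
        raise ValueError("serial number must be a positive integer")
    for rdn in issuer_rdns:
        if not _RDN_RE.match(rdn):
            raise ValueError("bad RDN: %r" % rdn)
    # format(n, "X") emits neither a 0x prefix nor leading zeros, so
    # 0x0BAC05 becomes "BAC05" as the documentation requires.
    return ", ".join(issuer_rdns) + "$" + format(serial_number, "X")


def parse_x509_identifier(value):
    """Split a stored value into (issuer_rdns, serial_int), rejecting values
    that break the rules: extra '$', spaces around '$', 0x, leading zero,
    or an issuer not delimited by comma plus space."""
    if value.count("$") != 1:
        raise ValueError("exactly one '$' separator expected")
    issuer, serial = value.split("$")
    if issuer != issuer.strip() or serial != serial.strip():
        raise ValueError("no spaces allowed before or after '$'")
    if not re.fullmatch(r"[1-9A-Fa-f][0-9A-Fa-f]*", serial):
        raise ValueError("serial must be hex without 0x, spaces or leading zero")
    rdns = issuer.split(", ")
    for rdn in rdns:
        if not _RDN_RE.match(rdn):
            raise ValueError("issuer RDNs must be 'attr=value' separated by ', '")
    return rdns, int(serial, 16)


def is_valid_x509_identifier(value):
    """True if the stored value satisfies every documented rule."""
    try:
        parse_x509_identifier(value)
        return True
    except ValueError:
        return False


def matches_certificate(value, cert_issuer_rdns, cert_serial):
    """Case-insensitive comparison (Case Ignore String semantics) that accepts
    the issuer written root-to-leaf or leaf-to-root, as the documentation allows."""
    rdns, serial = parse_x509_identifier(value)
    stored = [r.lower() for r in rdns]
    cert = [r.lower() for r in cert_issuer_rdns]
    return serial == cert_serial and (stored == cert or stored == cert[::-1])
```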

Official Micro Focus Documentation

This link leads to the official documentation for Mutual SSL (X.509) Authentication in Access Manager version 5 and earlier.

https://www.microfocus.com/documentation/access-manager/5.0/admin/x509validation.html

© All rights reserved Liga Software ApS 2014 - 2022