Mapping Logical Role to the Subject for the Certificate CN

The certificate used for mutual authentication includes a common name (CN) that is extracted and compared to the physical role mapping you create using this CN.

CertificateValidationLoginModule validates the user certificate passed during mutual certificate authentication. Unlike other methods, it confers no physical roles. Therefore, the platform administrator must create a logical role mapping. A CN of a certificate typically looks like:
CN=TechnicalUser, OU=sybase, O=sap
Optionally, you can use the entire subject as the user name, meaning the whole CN is included, for example, user:CN=TechicalUser, OU=sybase, O=sap.

When using the certificate, ensure the Validated certificate is identity property of CertificateValidationLoginModule is set to true. Also ensure the user maps the entire subject name to the logical role, instead of the CN value.

If you are supporting multiple domains, the mapped user name must also include the named security configuration for either the package the DCN is targeted for or the Admin security configuration for of a Push domain, and appended as a @DomainSecurityConfigName suffix.

For example, uppose you have two packages (PKG_A, PKG_B) deployed to two domains (Domain_A, Domain_B) respectively. PKG_A in Domain_A has been assigned to the DCN security configuration, and PKG_B in Domain_B has been assigned to the "DCN2SecurityConfig" security configuration.
  • A DCN event for PKG_A is authorized with TechnicalUser@DCNSecurity.
  • A DCN event for PKG_B is authorized with TechnicalUser@DCN2SecurityConfig.
  1. In the navigation pane, select the security configuration you have created and assigned to the DCN package domain.
  2. Click the SUP DCN User role, and select Map Role.
  3. In Role name, enter the physical role as user:TechnicalUser, then click +.
    Repeat this action for each unique common name of different DCN users.
  4. Click Add to move the role to the Mapped Roles column.
  5. Click OK.
The SUP DCN User role now shows the mapping state changes to MAPPED.
Parent topic: Setting Up Authorization with Certificate Validation
Previous topic: Adding a certificateValidationLoginModule for DCN Mutual Authentication