Setting up attribute matching

Before you begin

Use the page Global Settings > General > Two-Factor Auth > Configure Attribute Matching to define the administrator LDAP property that matches against a property in the certificate provided.

To configure attribute matching:

Steps

  1. From the page Global Settings > General > Two-Factor Auth, follow the steps under Configuring two-factor authentication to enable certificate authentication.
  2. In the section Certificate Matching, click Configure Attribute Matching.
    The Attribute Matching page displays.
  3. In the section Administrator Property, select the property from the administrator user directory that is matched against the administrator’s certificate. This can be:
    • The administrator Email address (local and network accounts)
    • LDAP distinguished name (network accounts only)
    • User name (local and network accounts)
    • A Custom LDAP field (network accounts only)
    Note: If you are using a generic LDAP user directory, you must specify a custom field.
  4. If you have defined a custom LDAP field, click Verify Administrator Property to confirm that the property exists in your user directory. Select a network administrator account to verify against.
    Note: The Verify Administrator Property button appears only if you have configured a user directory in Global Settings and set up at least one network administrator account.

    When you save the settings on this page, the custom property is imported for all applicable accounts (network only, or local and network accounts) in the Security Manager. To change this field at a later date, click Update Property to import the new attribute matching value.

  5. In the Certificate Property section, select the property in the administrator’s logon certificate to match against the LDAP property that you defined:
    • The email (RFC822) attribute of the subjectAltName field. Select this if you are matching against the administrator email address in your user directory.
    • The Subject distinguished name (DN), which defines the entity associated with this certificate.
    • The unique serial number for each certificate issued by a particular Certification Authority (CA).
  6. Click OK.

    The configured properties display in the Certificate Matching section on the page General > Two-Factor Auth.
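The matching that steps 3 to 5 configure (one directory property compared with one certificate property) is easy to get subtly wrong: DNs and e-mail addresses arrive in varying case and spacing, serial numbers are printed differently by different tools and are unique only within one issuing CA, and a property that maps to more than one administrator must not log anyone in. The following Python is an added example written for this page, not the product's own code: it implements those comparisons over already-extracted certificate attributes and constructed sample administrator records, and the property names it uses ("email", "dn", "username", "custom" for the directory side; "san_email", "subject_dn", "serial" for the certificate side) are the example's own labels for the options listed above.

```python
# Added example (not product code): a reference implementation of the
# certificate-to-directory matching this procedure configures. Certificate
# attributes arrive already extracted from the logon certificate; the
# administrator records are constructed sample data and the property names
# ("email", "dn", "san_email", ...) are this example's own.
from typing import Optional


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """RFC 4514 string DN -> [(type, value)], honouring '\\,' escapes."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
        escaped = ch == "\\" and not escaped
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr_type, value = part.split("=", 1)
        rdns.append((attr_type.strip().lower(), value.strip()))
    return rdns


def dn_equal(a: str, b: str) -> bool:
    """Structural comparison: same RDN sequence, attribute types case-insensitive,
    values under caseIgnoreMatch (the rule for cn/ou/o/dc; assumed for all types).
    A string that is not a DN never matches."""
    try:
        ra, rb = parse_dn(a), parse_dn(b)
    except ValueError:
        return False
    return len(ra) == len(rb) and all(
        ta == tb and va.lower() == vb.lower() for (ta, va), (tb, vb) in zip(ra, rb))


def email_equal(a: str, b: str) -> bool:
    """Case-insensitive whole-address comparison (RFC 5321 allows a case-sensitive
    local part, but directories do not treat it that way)."""
    return a.strip().lower() == b.strip().lower()


def normalize_serial(serial: str) -> str:
    """Canonical hex: lowercase, no '0x', colons, spaces or leading zeros, so the
    forms different tools print compare equal. Both sides are assumed to be hex."""
    h = serial.strip().lower().replace(":", "").replace(" ", "").removeprefix("0x")
    if not h or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"not a hex serial: {serial!r}")
    return h.lstrip("0") or "0"


NETWORK_ONLY = {"dn", "custom"}  # administrator properties the page limits to network accounts


def matched_admin(cert: dict, admins: list, admin_property: str, cert_property: str,
                  expected_issuer: Optional[str] = None) -> Optional[dict]:
    """The single administrator record the certificate maps to, else None. Zero
    or several hits both fail closed. A serial number is unique only within one
    CA, so matching on it also requires the expected issuer DN."""
    if cert_property == "serial" and (
            expected_issuer is None or not dn_equal(cert["issuer_dn"], expected_issuer)):
        return None
    hits = []
    for admin in admins:
        stored = admin.get(admin_property)
        if stored is None or (admin_property in NETWORK_ONLY and admin["kind"] != "network"):
            continue
        try:
            if cert_property == "san_email":
                ok = any(email_equal(e, stored) for e in cert["san_rfc822"])
            elif cert_property == "subject_dn":
                ok = dn_equal(cert["subject_dn"], stored)
            elif cert_property == "serial":
                ok = normalize_serial(cert["serial"]) == normalize_serial(stored)
            else:
                raise KeyError(f"unknown certificate property {cert_property!r}")
        except ValueError:  # stored value is not in the certificate property's form
            ok = False
        if ok:
            hits.append(admin)
    return hits[0] if len(hits) == 1 else None


# Constructed sample data: two network administrators share a mailbox (so an
# email match is ambiguous) and the local administrator has no DN or custom field.
SAMPLE_ADMINS = [
    {"username": "jdoe", "kind": "network", "email": "Jane.Doe@example.com",
     "dn": "CN=Jane Doe,OU=Admins,DC=example,DC=com", "custom": "4a:1f:00:9c"},
    {"username": "jdoe-old", "kind": "network", "email": "jane.doe@example.com",
     "dn": "CN=Jane Doe (old),OU=Admins,DC=example,DC=com"},
    {"username": "localadmin", "kind": "local", "email": "ops@example.com"},
]
SAMPLE_CERT = {"san_rfc822": ["Jane.Doe@EXAMPLE.com"], "serial": "4A1F009C",
               "subject_dn": "cn=Jane Doe, ou=Admins, dc=example, dc=com",
               "issuer_dn": "CN=Example Issuing CA,O=Example Corp"}
```

With the sample data, matching Subject DN against the LDAP distinguished name resolves to `jdoe`; matching the subjectAltName e-mail resolves to nobody, because two records share the address and an ambiguous match fails closed; matching the serial against the custom field succeeds only when the issuer DN is supplied and equal, which is why a serial-number match should be paired with a single trusted issuing CA. The example only decides which administrator a certificate names; it assumes the certificate itself has already been validated (chain and revocation) before this step runs.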