User Management usually performs authentication by using a user name and password. User Management also supports certificate-based authentication, which you can use to authenticate users through Acrobat or to authenticate users programmatically. For details about authenticating users programmatically, see Programming with AEM forms.
To use certificate-based authentication, import a Certificate Authority (CA) certificate that you trust into the Trust Store and then create a certificate mapping.
When importing the certificate, select the Trust for Certificate Authentication and Trust for Identity options, and any other options that you require. For details about importing certificates, see Managing certificates.
To enable certificate-based authentication for users, create a certificate mapping. A certificate mapping defines a map between a certificate’s attributes and the attributes of users in a domain. You can map more than one certificate to the same domain.
When you test a certificate, User Management uploads the certificate and checks that it meets the following requirements:
You cannot edit an existing certificate mapping.
Add a certificate mapping
In the administration console, click Settings > User Management > Configuration > Certificate Mapping.
Click New Certificate Mapping and, in the For Issuer list, select the certificate alias as configured in Trust Store Management.
Map one of the certificate’s attributes to a user’s attribute. For example, you can map the certificate’s common name to the user’s login ID.
If the content of the attribute in the certificate is different from the content of the user’s attribute in the User Management database, you can use a Java regular expression (regex) to match the two attributes. For example, if the common names of the certificates are names like Alex Pink (Authentication) and Alex Pink (Signing) and the common name in the User Management database is Alex Pink, you use a regex to extract the required part of the certificate attribute (in this example, Alex Pink). The regular expression you specify must conform to the Java regex specification.
You can transform the expression by specifying the order of the groups in the Custom Order box. The custom order is used with the java.util.regex.Matcher.replaceAll() method. The behavior that is seen will correspond to that method’s behavior, and the input string (the custom order) must be specified accordingly.
To test the regex, enter a value in the Test Parameter box and click Test.
You can use the following characters in the regex:
Examples of regular expressions:
To extract “Alex Pink” from “Alex Pink (Authentication)”
Regex: (.*) \(Authentication\)
To extract “Alex Pink” from “Alex (Authentication) Pink”
Regex: (.*)\(Authentication\) (.*)
To extract “Pink Alex” from “Alex (Authentication) Pink”
Regex: (.*)\(Authentication\) (.*)
Custom Order: $2 $1 (returns the second group, followed by a whitespace character and then the first group)
To extract “apink@sampleorg.com” from “smtp:apink@sampleorg.com”
Regex: smtp:(.*)
For details on using regular expressions, see the Java tutorial on regular expressions.
In the For Domain list, select the user’s domain.
To test this configuration, click Browse to upload a sample user certificate, click Test Certificate and, if the configuration is correct, click OK.
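The following Java example, added here and not part of Adobe’s product or documentation, reproduces the regex examples above the way java.util.regex.Matcher.replaceAll() evaluates them. The mapAttribute helper is hypothetical, and its assumption that the output without a custom order is the capture groups in sequence is mine, inferred from the examples rather than documented product behavior. It also shows why a full-match check is worth adding: replaceAll() leaves any unmatched text in place, so a loose regex passes extra characters through into the mapped attribute.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical stand-in for the certificate mapping regex test; not Adobe code. */
public class CertificateMappingRegexDemo {

    /** Apply the mapping regex to a certificate attribute, mirroring the Test button. */
    static String mapAttribute(String regex, String customOrder, String certValue) {
        Matcher m = Pattern.compile(regex).matcher(certValue);
        if (!m.find()) {
            return null; // no match: this mapping does not apply to the certificate
        }
        String replacement = customOrder;
        if (replacement == null) {
            // Assumption: with no custom order, groups are emitted in sequence ($1$2...$n).
            StringBuilder sb = new StringBuilder();
            for (int g = 1; g <= m.groupCount(); g++) {
                sb.append('$').append(g);
            }
            replacement = sb.toString();
        }
        // replaceAll() rewrites every match and keeps unmatched text untouched.
        return m.replaceAll(replacement);
    }

    /** Stricter variant: only accept attribute values the regex matches in full. */
    static String mapAttributeStrict(String regex, String customOrder, String certValue) {
        if (!Pattern.compile(regex).matcher(certValue).matches()) {
            return null;
        }
        return mapAttribute(regex, customOrder, certValue);
    }

    public static void main(String[] args) {
        // Constructed sample certificate values taken from the examples above.
        System.out.println(mapAttribute("(.*) \\(Authentication\\)", null, "Alex Pink (Authentication)"));
        // -> Alex Pink
        System.out.println(mapAttribute("(.*)\\(Authentication\\) (.*)", null, "Alex (Authentication) Pink"));
        // -> Alex Pink   (group 1 is "Alex " including its trailing space)
        System.out.println(mapAttribute("(.*)\\(Authentication\\) (.*)", "$2 $1", "Alex (Authentication) Pink"));
        // -> "Pink Alex " (trailing space carried over from group 1)
        System.out.println(mapAttribute("smtp:(.*)", null, "smtp:apink@sampleorg.com"));
        // -> apink@sampleorg.com
        // A value that only partially matches: the unmatched prefix survives replaceAll().
        System.out.println(mapAttribute("smtp:(.*)", "$1", "x-smtp:apink@sampleorg.com"));
        // -> x-apink@sampleorg.com
        System.out.println(mapAttributeStrict("smtp:(.*)", "$1", "x-smtp:apink@sampleorg.com"));
        // -> null (rejected because the regex does not match the whole value)
    }
}
```

Enter the same values in the Test Parameter box to confirm the product produces the same results before saving the mapping.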
Edit an existing certificate mapping
Delete a certificate mapping