Support for X509 UserPrincipalName Resolution

Description

Microsoft (and others) support the embedding of a UserPrincipalName object as a SubjectAlternateName extension within an X509 certificate, allowing properly empowered certificates to be used for network logon (via SmartCards, or alternately by 'soft certs' in certain environments). An X509UserPrincipalNameResolver class would make the use of CAS as a web single sign-on solution incredibly easy for AD domains with an existing PKI infrastructure.

Environment

Microsoft / Active Directory Environments

Attachments: 3

Activity


Misagh Moayyed 
July 5, 2014 at 9:55 AM

Philippe MARASSE 
June 14, 2014 at 9:22 PM
(edited)

Three years ago I wrote an extension for our CAS server to extract UPN from X509 Certificates. I can confirm the OID for SAN UPN given by Dmitriy. Another test can be conducted against ExtendedKeyUsage; the SmartCardLogin tag should also be present (OID 1.3.6.1.4.1.311.20.2.2).

Dmitriy Kopylenko 
June 12, 2014 at 8:36 PM

The attached 'UPN-Cert.pem' certificate is successfully used in the unit test. The file in the repository is renamed to 'x509-san-upn-resolver.crt'

Dmitriy Kopylenko 
June 12, 2014 at 8:32 PM
(edited)

I have working code locally which will be formulated as a pull request by Friday (06/12/2014). The parsing code in the resolver assumes the following OID for the SAN UPN field in the certificate: 1.3.6.1.4.1.311.20.2.3. If absent, the null principal id will be returned.
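
The two OIDs discussed in this thread (the SAN otherName UPN, 1.3.6.1.4.1.311.20.2.3, and the Smart Card Logon EKU purpose, 1.3.6.1.4.1.311.20.2.2) are easy to get wrong at the DER level, because the UPN sits inside an otherName whose value is an EXPLICIT [0] wrapper around a UTF8String. The following is an added, standalone Python example (not CAS code, and not the resolver from the pull request) that walks the DER of a SubjectAltName extension value to pull out the UPN, returning None when it is absent, and checks an ExtendedKeyUsage value for the Smart Card Logon purpose. The sample extension values are constructed in the block itself and are not taken from the attached UPN-Cert.pem; the helper names are my own.

```python
"""
Minimal DER walker for two Microsoft X.509 conventions:
  * SubjectAltName otherName carrying a UserPrincipalName (UTF8String)
  * ExtendedKeyUsage containing the Smart Card Logon purpose
Pure standard library; the sample extension values below are constructed
inline for illustration and do not come from a real certificate.
"""

UPN_OID = "1.3.6.1.4.1.311.20.2.3"              # SAN otherName type-id for UPN
SMARTCARD_LOGON_OID = "1.3.6.1.4.1.311.20.2.2"  # EKU purpose: Smart Card Logon

# --- DER encoding helpers (only used to build the constructed samples) ---

def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                      # base-128, high bit set on all but last byte
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))

# --- DER decoding helpers ---

def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content: bytes) -> str:
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def iter_sequence(content: bytes):
    pos = 0
    while pos < len(content):
        tag, inner, pos = read_tlv(content, pos)
        yield tag, inner

def extract_upn(san_der: bytes):
    """UPN from a SubjectAltName extension value, or None if no UPN otherName.

    otherName is [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT ANY };
    for the UPN type-id the wrapped value is a UTF8String.
    """
    tag, general_names, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName value is not a SEQUENCE")
    for gn_tag, gn_content in iter_sequence(general_names):
        if gn_tag != 0xA0:              # [0] constructed == otherName
            continue
        oid_tag, oid_content, pos = read_tlv(gn_content, 0)
        if oid_tag != 0x06 or decode_oid(oid_content) != UPN_OID:
            continue                    # some other otherName type, skip it
        val_tag, val_content, _ = read_tlv(gn_content, pos)
        if val_tag != 0xA0:
            continue
        inner_tag, inner, _ = read_tlv(val_content, 0)
        if inner_tag != 0x0C:           # UTF8String
            raise ValueError("UPN otherName value is not a UTF8String")
        return inner.decode("utf-8")
    return None

def has_smartcard_logon(eku_der: bytes) -> bool:
    tag, purposes, _ = read_tlv(eku_der, 0)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage value is not a SEQUENCE")
    return any(t == 0x06 and decode_oid(c) == SMARTCARD_LOGON_OID
               for t, c in iter_sequence(purposes))

# --- constructed sample extension values (hypothetical, not from a real cert) ---

def sample_san(upn=None, dns="cas.example.org") -> bytes:
    names = b""
    if upn is not None:
        other_name = encode_oid(UPN_OID) + tlv(0xA0, tlv(0x0C, upn.encode()))
        names += tlv(0xA0, other_name)
    names += tlv(0x82, dns.encode())    # dNSName is [2] IMPLICIT IA5String
    return tlv(0x30, names)

def sample_eku(*oids: str) -> bytes:
    return tlv(0x30, b"".join(encode_oid(o) for o in oids))

if __name__ == "__main__":
    print(extract_upn(sample_san("test-user@some-company-domain")))
    print(extract_upn(sample_san()))                                  # None
    print(has_smartcard_logon(sample_eku("1.3.6.1.5.5.7.3.2", SMARTCARD_LOGON_OID)))
```

The UPN is only worth trusting after the certificate has chained to a CA that is actually authorized to issue logon certificates for the domain; parsing the SAN says nothing about that, so a resolver along these lines should run after path validation, not instead of it.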

Sean Baker 
June 12, 2014 at 5:21 PM
(edited)

UPN-Cert.pem – An example certificate with embedded UserPrincipalName object [test-user@some-company-domain].

UPN-Cert-CA.pem – The CA which signed it.

Hopefully these would at least serve for unit tests?

Fixed


Created June 12, 2014 at 5:18 PM
Updated July 14, 2014 at 6:21 PM
Resolved July 14, 2014 at 6:21 PM