Creating and Importing a Login Correlation Rule

A Login Correlation Rule is used by the Identity Manager X509 Certificate Login Module to determine how to map the certificate data to the appropriate Identity Manager user. Identity Manager includes a built-in correlation rule, named Correlate via X509 Certificate subjectDN.

You can also add your own correlation rules. Refer to LoginCorrelationRules.xml, which is located in the idm/sample/rules directory, as an example.

Each correlation rule must follow these guidelines:

• Its authType attribute must be set to LoginCorrelationRule

• It is expected to return an instance of a list of AttributeConditions to be used by the login module to find the associated Identity Manager user. For example, the login correlation rule might return an AttributeCondition that searches for the associated Identity Manager user by email address.

Arguments passed to login correlation rules are:

• Standard X509 certificate fields (such as subjectDN, issuerDN, and valid dates)

• Critical and noncritical extension properties

The naming convention for certificate arguments passed to the login correlation rule is

cert.field name.subfield name

Example argument names that are available to the rule include:

• cert.subjectDN

• cert.issuerDN

• cert.notValidAfter

• cert.notValidBefore

• cert.serialNumber

The login correlation rule, using the passed-in arguments, returns a list of one or more AttributeConditions. These are used by the Identity Manager X509 Certificate Login Module to find the associated Identity Manager user.

A sample login correlation rule is included in idm/sample/rules, named LoginCorrelationRules.xml.

After creating a custom correlation rule, you must import it into Identity Manager. From the Administrator Interface, select Configure, and then select Import Exchange File to use the file import facility.