2.8 Attribute mapping for PIV systems
For PIV systems, you must set up the attributes of the PIV certificate policies to have specific dynamic mappings.
Note: The FASC-N mapping is required for standard PIV cards, but is not permitted for PIV-I cards. The PIV Card Authentication certificate policy must not contain a mapping for Email.
Important: If you upgrade a MyID system from before MyID 12.14, the changes to the display names for the User Principal Name and Email certificate policy attributes mean that those attributes are cleared for any certificate policy you have configured. Before you upgrade MyID, take a note of all certificate policies that use these attributes, then re-apply the changes after you have upgraded.
2.8.1 Example attribute mapping for PIV systems
Certificate Policy | FASC-N | UUID | NACI | User Principal Name | Email |
---|---|---|---|---|---|
PIV Authentication | FASC-N (Hex) | UUID (ASCII) | NACI Status | User Principal Name | Not Required |
PIV Card Authentication | FASC-N (Hex) | UUID (ASCII) | NACI Status | Not Required | Not Required |
PIV Encryption | Not Required | Not Required | Not Required | Not Required | Email (optional) |
PIV Signing | Not Required | Not Required | Not Required | Not Required | Email (optional) |
2.8.2 Example attribute mapping for PIV-I systems
Certificate Policy | FASC-N | UUID | NACI | User Principal Name | Email |
---|---|---|---|---|---|
PIV Authentication | Not Required | UUID (ASCII) | Not Required | User Principal Name | Not Required |
PIV Card Authentication | Not Required | UUID (ASCII) | Not Required | Not Required | Not Required |
PIV Encryption | Not Required | Not Required | Not Required | Not Required | Email (optional) |
PIV Signing | Not Required | Not Required | Not Required | Not Required | Email (optional) |
2.8.3 Editing the attribute mappings
To edit the attribute mapping:
- Within the Certificate Authorities workflow, select an enabled certificate policy.
- Click Edit Attributes.
- For each attribute, select one of the following options from the Type list:
  - Not Required – the attribute is not needed.
  - Dynamic – select a mapping from the Value list to match to this attribute.
  - Static – type a value in the Value box.
- Click Save.
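The following is an added example, not part of MyID or its documentation: a small Python check that compares a hand-recorded set of mappings against the tables in 2.8.1 and 2.8.2, and lists the User Principal Name and Email mappings to note before upgrading from a version before MyID 12.14. The `RECORDED` structure, the function names and the sample values are assumptions made for illustration; MyID is not known to export mappings in this form.

```python
NR = "Not Required"
ATTRS = ("FASC-N", "UUID", "NACI", "User Principal Name", "Email")
OPT_EMAIL = ("Email", NR)  # "Email (optional)": mapped or not, both accepted

def _expected(fascn, naci):
    """Allowed values per attribute, transcribed from the tables in 2.8.1/2.8.2."""
    ids = [(fascn,), ("UUID (ASCII)",), (naci,)]
    none = [(NR,)] * 4
    return {
        "PIV Authentication": ids + [("User Principal Name",), (NR,)],
        "PIV Card Authentication": ids + [(NR,), (NR,)],
        "PIV Encryption": none + [OPT_EMAIL],
        "PIV Signing": none + [OPT_EMAIL],
    }

EXPECTED = {"PIV": _expected("FASC-N (Hex)", "NACI Status"),
            "PIV-I": _expected(NR, NR)}

def check(system, recorded):
    """Return (policy, attribute, found, allowed) for each deviating mapping."""
    findings = []
    for policy, cells in EXPECTED[system].items():
        row = recorded.get(policy, {})
        for attr, allowed in zip(ATTRS, cells):
            found = row.get(attr, NR)  # an unlisted attribute counts as Not Required
            if found not in allowed:
                findings.append((policy, attr, found, allowed))
    return findings

def to_reapply(recorded):
    """UPN and Email mappings to note before upgrading from before MyID 12.14."""
    out = {}
    for policy, row in recorded.items():
        kept = {a: row[a] for a in ATTRS[3:] if row.get(a, NR) != NR}
        if kept:
            out[policy] = kept
    return out

# Constructed sample: mappings written down by hand for a PIV-I system.
RECORDED = {
    "PIV Authentication": {"FASC-N": "FASC-N (Hex)", "UUID": "UUID (ASCII)",
                           "User Principal Name": "User Principal Name"},
    "PIV Card Authentication": {"UUID": "UUID (ASCII)", "Email": "Email"},
    "PIV Encryption": {"Email": "Email"},
    "PIV Signing": {},
}

if __name__ == "__main__":
    for policy, attr, found, allowed in check("PIV-I", RECORDED):
        print(f"{policy}: {attr} is {found!r}, expected {' or '.join(allowed)}")
    print(to_reapply(RECORDED))
```

Run against the constructed sample as a PIV-I system, the check flags the FASC-N mapping on PIV Authentication and the Email mapping on PIV Card Authentication.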