Currently Universal ZTNA will authenticate user certificates using one of two specific formats. Use this task to select the client certificate attribute that Universal ZTNA should examine to detect the username (an email address).
- Go to .
- From the Certificate Attribute for Username field, select one of the three options:

Note
Universal ZTNA expects the Username to be an email address or a User Principal Name (UPN). Other values will be rejected.
  - Subject Distinguished Name | Common Name - In the Subject field of the certificate, the CN (Common Name) must contain the full email address of the client.
  - SAN | Email Address - The SAN (Subject Alternative Name) must contain an email attribute, and that attribute must contain the full email address of the client.
  - SAN | User Principal Name - The UPN must be the user's complete email address.
- To choose the username value from the RADIUS Request, under Fallback Criteria select Match with RADIUS Username.
- From the Certificate Attribute for Device Identifier, select one of three options:
  - Subject Distinguished Name | Common Name
  - SAN | User Name Principal
  - SAN | DNS Name

Note
For Microsoft Intune synced devices, the Entra ID Device Identifier is used to match devices.
- Select Update.
Once you have matched the client criteria, go to Connect with OCSP Responder.
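
A pre-flight check for the three username options above, as an added example that is not part of the original page or the product's own code: it reports which certificate attributes hold a full email address or UPN, so you can see which option a given client certificate would satisfy before selecting it in the Certificate Attribute for Username field. It assumes the Python `cryptography` package; the function names, the short option labels, the simplified email pattern and the self-signed sample certificate are constructed for illustration.

```python
import datetime, re
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")  # Microsoft UPN otherName
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # assumed, simplified shape test

def username_candidates(cert):
    """Map each of the three attribute options to the value found in cert (or None)."""
    found = {"CN": None, "SAN email": None, "SAN UPN": None}
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    if cn:
        found["CN"] = cn[0].value
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return found
    for gn in san:
        if isinstance(gn, x509.RFC822Name) and found["SAN email"] is None:
            found["SAN email"] = gn.value
        elif isinstance(gn, x509.OtherName) and gn.type_id == UPN_OID:
            der = gn.value  # DER UTF8String: tag 0x0C, length, bytes (short form only)
            if len(der) >= 2 and der[0] == 0x0C and der[1] < 0x80:
                found["SAN UPN"] = der[2:2 + der[1]].decode("utf-8")
    return found

def usable_options(cert):
    """Options whose value is a full email address / UPN; the rest would be rejected."""
    return [k for k, v in username_candidates(cert).items() if v and EMAIL_RE.match(v)]

def make_sample_cert(cn, email=None, upn=None):
    """Build a constructed, self-signed test certificate (sample data, not real)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    sans = [x509.RFC822Name(email)] if email else []
    if upn:
        sans.append(x509.OtherName(UPN_OID, b"\x0c" + bytes([len(upn.encode())]) + upn.encode()))
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1)))
    if sans:
        builder = builder.add_extension(x509.SubjectAlternativeName(sans), critical=False)
    return builder.sign(key, hashes.SHA256())

if __name__ == "__main__":
    print(usable_options(make_sample_cert("LAPTOP-0042", "alice@example.com", "alice@corp.example.com")))
```

A certificate whose CN holds a device name, as in the sample, is usable only through the two SAN options; to check a real certificate, load it with `x509.load_pem_x509_certificate` and pass it to `usable_options`.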