23.4. Configuring a User Name Hint Policy for Smart-card Authentication
As an Identity Management administrator, you can configure a user name hint policy for smart cards linked with multiple accounts.
23.4.1. User Name Hints in Identity Management
The user name hint policy configures Identity Management to prompt smart card users for their user name. When a user tries to authenticate with a smart card certificate that matches multiple user accounts in Identity Management, one of the following occurs:
- If the user name hint policy is enabled, the user is prompted for a user name and then can proceed with authentication.
- If the user name hint policy is disabled, the authentication fails without prompting.
Identity Management adds the user name hint to applications that would by default prompt for a smart card PIN without asking for a user name. On Red Hat Enterprise Linux, this is currently only the Gnome Desktop Manager (GDM) login.

Figure 23.4. User name hint in the Gnome Desktop Manager
Identity Management does not add the user name hint to applications that ask for a user name by default, for example:
- The Identity Management web UI authentication, because the GUI always displays the Username field
- ssh authentication, because ssh uses the current user's login name or the name provided with the -l option or in the username@host format
- Console authentication, where the login name is always supplied
In these situations, authentication with a certificate that matches multiple users is always allowed.
23.4.2. Enabling User Name Hints in Identity Management
The Identity Management administrator sets the user name hint policy centrally. The policy applies to all hosts enrolled into the Identity Management domain.
Perform these steps on any Identity Management system.
Command Line: Enabling User Name Hints in Identity Management
- Log in as the Identity Management administrator:
    $ kinit admin
    Password for admin@IDM.EXAMPLE.COM:
- Enable user name hints by using the ipa certmapconfig-mod command with the --promptusername=True option.
    $ ipa certmapconfig-mod --promptusername=TRUE
    Prompt for the username: TRUE
  To disable user name hints, use the --promptusername=False option.
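One way to check the policy before changing it and to confirm the result afterwards, as an added example that is not part of the Red Hat documentation. It assumes a valid admin Kerberos ticket and that ipa certmapconfig-show prints the same "Prompt for the username:" line that certmapconfig-mod prints above; the function names hint_state and ensure_hint are hypothetical.

```shell
#!/bin/sh
# Added example: idempotent enforcement of the user name hint policy.
# Assumption: `ipa certmapconfig-show` reports the setting in the same
# "Prompt for the username: TRUE|FALSE" form as certmapconfig-mod.
# Usage (after `kinit admin`):  . ./hint.sh && ensure_hint TRUE

# Read certmapconfig output on stdin; print TRUE, FALSE, or UNSET.
hint_state() {
    awk -F': *' '
        /Prompt for the username:/ {
            gsub(/[ \t\r]+$/, "", $2)   # drop trailing whitespace
            print toupper($2)           # normalise True/TRUE
            found = 1
            exit
        }
        END { if (!found) print "UNSET" }
    '
}

# Bring the domain-wide policy to the desired state ($1 = TRUE or FALSE).
# Changes it only when the current value differs, then verifies the
# value reported back by the server.
ensure_hint() {
    desired=$1
    out=$(ipa certmapconfig-show) || return 1
    current=$(printf '%s\n' "$out" | hint_state)
    if [ "$current" = "$desired" ]; then
        echo "unchanged: $current"
        return 0
    fi
    out=$(ipa certmapconfig-mod --promptusername="$desired") || return 1
    new=$(printf '%s\n' "$out" | hint_state)
    if [ "$new" != "$desired" ]; then
        echo "mismatch: wanted $desired, got $new" >&2
        return 1
    fi
    echo "changed: $current -> $new"
}
```

Because the policy applies to every enrolled host, running the check from a single Identity Management system is sufficient.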
Web UI: Enabling User Name Hints in Identity Management
- Click → → .
- Select Prompt for the username, and click .

Figure 23.5. Enabling user name hints in the web UI
Additional Resources
- For details on the ipa certmapconfig-mod command, execute it with the --help option.
