Hi Tim!
Thanks! That was quick... But I don't think I fully understand how to set things up properly. I have, in authsources.php:
    'certificate' => [
        'authX509:X509userCert',
        'backend' => '<LDAP dir>',
        'authX509:x509attributes' => ['serialNumber' => 'workforceID'],
        'authX509:ldapusercert' => null,
    ],
That is, the value I use in the certificate subject DN is serialNumber, and that is matched against the value in workforceID in the directory. In the ldap:ldap authsource I have:
    'search.enable' => true,
    'search.base' => ['ou=Users,o=<LDAP dir>'],
    'search.scope' => 'one',
    'search.attributes' => ['workforceID'],
    'search.filter' => '(employeeType=Emp*)',
The 'search.filter' line is where I'm a bit lost. If I skip this line things work like before, but whatever I put here makes the certificate login fail with "Unknown certificate".
Then, in saml20-idp-hosted.php I pick up a bunch of attributes with ldap:AttributeAddFromLDAP for the authenticated user, again using workforceID to search. There are other authsources that return workforceID that also use this.
It seems really close here...
Thanks
Bengt
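To make the two settings above concrete, here is an added example (not code from the message above or from SimpleSAMLphp) of how a user lookup filter is assembled when 'search.attributes' and an extra 'search.filter' are both present: the value taken from the certificate subject is matched against each listed attribute, and the extra filter is AND-ed onto that. The way SimpleSAMLphp itself combines the two is an assumption here; the point worth keeping is that the certificate-supplied value is escaped per RFC 4515 with PHP's built-in ldap_escape() (ext/ldap required), so subject data can never change the shape of the filter, and that a malformed 'search.filter' is rejected before it reaches the directory.

```php
<?php
// Added example, not from SimpleSAMLphp. Assumption: a user search combines
// the attribute match (from 'search.attributes') with 'search.filter' via (&...).

function buildUserSearchFilter(array $attributes, string $value, ?string $extraFilter = null): string
{
    if ($attributes === []) {
        throw new InvalidArgumentException("'search.attributes' must not be empty");
    }

    // Escape the value taken from the certificate subject (RFC 4515), so
    // characters such as * ( ) \ cannot alter the filter structure.
    $safe = ldap_escape($value, '', LDAP_ESCAPE_FILTER);

    // One equality term per attribute; several attributes are OR-ed together.
    $terms = array_map(fn(string $attr): string => "($attr=$safe)", $attributes);
    $attrFilter = count($terms) === 1 ? $terms[0] : '(|' . implode('', $terms) . ')';

    if ($extraFilter === null || $extraFilter === '') {
        return $attrFilter;
    }

    // A filter must be a single parenthesised expression, e.g. '(employeeType=Emp*)'.
    if (!str_starts_with($extraFilter, '(') || !str_ends_with($extraFilter, ')')) {
        throw new InvalidArgumentException("'search.filter' must be parenthesised, got: $extraFilter");
    }

    return '(&' . $attrFilter . $extraFilter . ')';
}

// Constructed sample values (placeholder workforceID, not real directory data):
echo buildUserSearchFilter(['workforceID'], '12345', '(employeeType=Emp*)'), PHP_EOL;
echo buildUserSearchFilter(['workforceID', 'uid'], '12345'), PHP_EOL;

// A subject value containing filter metacharacters is neutralised by the escaping:
echo buildUserSearchFilter(['workforceID'], '123*)(uid=*'), PHP_EOL;
```

When a login fails with "Unknown certificate" after adding a 'search.filter', printing the combined filter this way and running it by hand against the directory (with the same bind account and 'search.base' / 'search.scope' as the authsource) shows whether the filter itself returns the expected entry, separating a filter or scope problem from a certificate-parsing one.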