Enter a name for the group.

This name will appear in the Search Identity Provider dialog when searching and/or adding virtual groups to a policy. The name is a human readable value that does not impact the validity of the virtual group in an identity bridging configuration.

Enter the pattern that the subject DN values of signed client certificates must match in order to be authorized as a member of this virtual group.You may use a regular expression.

The X509 Subject DN must at least partially match the "Issued to:" value in the CA root certificate attached to the Federated Identity Provider. Use the asterisk truncation operator (*) to retrieve DNs with a common initial spelling. The (*) substitutes a string of zero or more characters in a subject DN.

For example, a virtual group could contain the partial DN "O=ACME Inc., OU=Anvils, CN=*." Request messages in which the Subject DN was "O=ACME Inc., OU=Anvils, CN=Name" or "O=ACME Inc., OU=Anvils, CN=Name2" would both pass the corresponding group assertion that is required to gain web service access. However, request messages carrying the Subject DN “O=ACME Inc., CN=Name” would not pass. Every attribute specified in the subject DN pattern of a virtual group must be present in incoming certificates in order to be authorized.

Special care must be taken if the following special characters are used in the Subject DN name:

These characters, plus any leading or trailing spaces must escaped in order to be interpreted correctly.

The DN value can be quoted with a quotation pair. This allows all special characters except the backslash to be treated as literal characters and does not require escaping. When quoted, the backslash still require escaping.