gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

generating Subject Alternative Name SAN fields for internal user certificate. #31373

Open nivasomu opened 1 year ago

nivasomu commented 1 year ago

Feature Request

Teleport auth generates a certificate for the user with O= objects in it. It would be nice to have a mechanism to add more SAN fields by copying the O= objects to DNSNames and then passing them to the GenerateCertificate function, so that the certificate has roles encoded as SAN fields in it, as in the following example:

X509v3 Subject Alternative Name:
                email:all@goteleport.com, email:eng-staff@goteleport.com, email:eng-service-infra-team@goteleport.com

Use case

There are certain apps that can be authenticated through certificates. So it would be nice to have the SAN fields on the cert to make the authentication happen and carry the traits from Teleport.

Here is an example of cert-based auth.

Workaround

Access to these apps can be worked around using Teleport JWT or SAML-based authentication, but it would be nice to take advantage of cert-based authentication since the user is already logged into Teleport and has a cert that can be used for accessing apps as well.
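The shape of the request above, as an added example that is not part of the issue and not Teleport's own code: a Go standard-library sketch that issues a client certificate with the role values in both Subject O= and the SAN extension, plus the consistency check a relying app could run after normal chain verification. Assumptions: the helper names `issueWithRoleSANs` and `sanMatchesOrg` are hypothetical, the certificate is self-signed for brevity, and the roles are written as `email:` SAN entries as in the sample output rather than as DNSNames.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueWithRoleSANs (hypothetical helper) self-signs a short-lived client cert with roles in O= and in SAN.
func issueWithRoleSANs(user string, roles []string) (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: user, Organization: roles},
		EmailAddresses: roles, // O= values copied into the SAN extension
		NotBefore:      time.Now().Add(-time.Minute),
		NotAfter:       time.Now().Add(time.Hour),
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// sanMatchesOrg (hypothetical) is a relying-app check: the SAN emails must equal the set of O= values.
func sanMatchesOrg(cert *x509.Certificate) bool {
	org := map[string]bool{}
	for _, o := range cert.Subject.Organization {
		org[o] = true
	}
	for _, e := range cert.EmailAddresses {
		if !org[e] {
			return false
		}
	}
	return len(cert.EmailAddresses) == len(org)
}

func main() { // role values come from the issue's SAN sample; "alice" is constructed
	cert, err := issueWithRoleSANs("alice", []string{"all@goteleport.com", "eng-staff@goteleport.com"})
	fmt.Println(err, err == nil && sanMatchesOrg(cert))
}
```

An app that authorizes on SAN entries should reject a certificate where the two fields disagree, since only one of them would reflect what the issuer intended to grant.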

alakahakai commented 1 year ago

zmb3 commented 3 months ago

It's not clear to me what the request is here. Teleport generates lots of certificates - which certificates does this request pertain to?