Mapped sites
Overview
Mapped sites define which destination services fall under Redtrust's control when certificate authentication occurs through a centralized authentication gateway or an intermediary application. Without this configuration, access through those intermediaries is automatically allowed and not recorded — mapped sites are the mechanism that brings those services into Redtrust's policy scope.
The problem
Shared authentication portals
Many public administration services use a centralized authentication portal. The user enters their certificate once at that portal and then accesses the service they need, without authenticating again. The user is typically not aware of this redirect — they navigate to a service and authenticate without ever noticing the gateway URL. Redtrust detects certificate use at the portal, but cannot determine which service the user accessed next.
The reason is that the gateway and the destination service communicate in a way that is opaque to the user and to Redtrust, making it impossible to establish the relationship between the two.
Common examples in Spain: AOC's VÀLid (cert.valid.aoc.cat, valid.aoc.cat) in Catalonia, which gives access to services such as Seu Antifrau or Ajuntament de Barcelona; and Izenpe's Giltza (eidas.izenpe.com, eidas2.izenpe.com) in the Basque Country, which gives access to Basque Government services and the provincial councils (diputaciones forales).
Desktop applications
In other cases, a desktop application manages certificate authentication on behalf of the user. The user interacts with the application, which in turn accesses one or more services. Redtrust detects certificate use at the application, but not at the services the application accesses on the user's behalf.
How mapped sites work
Mapped sites solve this problem by telling Redtrust which specific services to associate with each portal or application. You define the downstream service domains within the site group of the portal or application; your active policies then determine the outcome.
| Situation | Outcome |
|---|---|
| The domain is mapped and included in an allow policy | Access is permitted and recorded in Events |
| The domain is mapped but not included in any policy | Access is automatically blocked |
| The domain is mapped and included in a deny policy | Access is explicitly blocked |
If a domain is not defined as a mapped site, Redtrust cannot distinguish it from other authentications at the portal, so access to that service is allowed without precise tracking of the certificate use.
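The decision logic in the table above, as an added example that models it in code (this is not Redtrust's own code or configuration format). The `SiteGroup` and `Policy` structures, the `evaluate` and `unmapped_destinations` functions, and the rule that a deny policy wins when both an allow and a deny policy cover the same domain are assumptions made for the example; the page does not state a precedence rule. Gateway domains are the ones named on this page, while the downstream service domains are constructed placeholders on the reserved `.example` TLD.

```python
"""Model of the mapped-sites outcomes described on this page.

Added example, not Redtrust's code. The data model, function names and
the deny-wins precedence rule are assumptions; the outcomes follow the
page's table and its note on unmapped domains.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Iterable


class Outcome(Enum):
    ALLOWED = "allowed"
    BLOCKED = "blocked"


@dataclass(frozen=True)
class Decision:
    outcome: Outcome
    recorded: bool   # True only for permitted, mapped access (recorded in Events)
    reason: str


@dataclass
class SiteGroup:
    """Site group of a gateway or application with its mapped downstream domains."""
    gateway: str
    mapped_sites: set[str] = field(default_factory=set)


@dataclass
class Policy:
    name: str
    action: Outcome          # ALLOWED for an allow policy, BLOCKED for a deny policy
    domains: set[str]


def evaluate(gateway: str, destination: str,
             groups: dict[str, SiteGroup], policies: Iterable[Policy]) -> Decision:
    """Decide what happens to an access to `destination` reached via `gateway`."""
    group = groups.get(gateway)
    if group is None or destination not in group.mapped_sites:
        # Not a mapped site: only the authentication at the gateway is seen,
        # so the access passes and the certificate use is not tracked precisely.
        return Decision(Outcome.ALLOWED, False, "unmapped: allowed without precise tracking")
    matching = [p for p in policies if destination in p.domains]
    if not matching:
        # Mapped but covered by no policy: automatically blocked.
        return Decision(Outcome.BLOCKED, False, "mapped but covered by no policy")
    # Assumption: a deny policy takes precedence when both kinds match.
    denied = [p for p in matching if p.action is Outcome.BLOCKED]
    if denied:
        return Decision(Outcome.BLOCKED, False, f"denied by policy {denied[0].name}")
    return Decision(Outcome.ALLOWED, True, f"allowed by policy {matching[0].name}")


def unmapped_destinations(gateway: str, expected: Iterable[str],
                          groups: dict[str, SiteGroup]) -> set[str]:
    """Services known to sit behind `gateway` that are not yet mapped and
    would therefore pass silently without precise tracking."""
    mapped = groups[gateway].mapped_sites if gateway in groups else set()
    return {d for d in expected if d not in mapped}


# Constructed sample configuration: gateway domains from the page,
# placeholder downstream service domains.
GROUPS = {
    "valid.aoc.cat": SiteGroup("valid.aoc.cat",
                               {"seu.antifrau.example", "tramits.bcn.example"}),
    "eidas.izenpe.com": SiteGroup("eidas.izenpe.com", {"egoitza.euskadi.example"}),
}
POLICIES = [
    Policy("allow-catalan-services", Outcome.ALLOWED, {"seu.antifrau.example"}),
    Policy("deny-basque-portal", Outcome.BLOCKED, {"egoitza.euskadi.example"}),
]


if __name__ == "__main__":
    for gw, dest in [("valid.aoc.cat", "seu.antifrau.example"),
                     ("valid.aoc.cat", "tramits.bcn.example"),
                     ("eidas.izenpe.com", "egoitza.euskadi.example"),
                     ("valid.aoc.cat", "unknown.service.example")]:
        d = evaluate(gw, dest, GROUPS, POLICIES)
        print(f"{gw} -> {dest}: {d.outcome.value}, recorded={d.recorded} ({d.reason})")
    print("not yet mapped:", unmapped_destinations(
        "valid.aoc.cat", ["seu.antifrau.example", "unknown.service.example"], GROUPS))
```

The `unmapped_destinations` check is the one worth running when a site group is set up: any service an organization knows is reached through the gateway but that is missing from the list is exactly the case the last paragraph describes, and the check turns that silent gap into a visible list to review.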