

X.509 Client Certificate Authentication Schemes

You can configure X.509 V3 client certificates. After a certificate is installed on a client, that certificate can be used to verify the identity of a user requesting a resource. Certificate authentication uses SSL communication and can be combined with basic authentication to provide an even higher level of access security.

Note: For certificate-only authentication schemes, the web agent returns HTTP Error 403: Access Denied/Forbidden for any failed authentication or authorization attempt. This is because there is no way for the web agent to challenge the user for a new certificate.

The X.509 Client Certificate authentication schemes implement certificate authentication. To use X.509 client certificate authentication, your environment must be able to handle SSL communication. This means that the client browser, the web server and any user certificates must be configured to accept and perform certificate authentication. These tasks are outside the scope of the Policy Server configuration.

After the necessary SSL components are set up properly, configure an X.509 authentication scheme. The configuration tasks include:

The X.509 Client Certificate authentication schemes do the following tasks:

More information:

Certificate Mapping for X.509 Client Certificate Authentication Schemes

Extracting a Certificate for Certificate Authentication

When a user requests a protected resource, the Web Agent first contacts the Policy Server to determine which authentication scheme is protecting the resource. If an X.509 authentication scheme is protecting a resource, the Web Agent redirects the user’s browser to the credential collector that corresponds to the configured authentication scheme. The path to the credential collector is defined in the authentication scheme configuration.

The connection to the credential collector is an SSL-secured connection and the web server is configured to require a client certificate. Therefore, the browser must submit a client certificate for authentication. The resource name and extension at the end of the credential collector URL instruct the Web Agent to extract a user certificate from the web server. The Web Agent then passes the certificate to the Policy Server for use by the authentication scheme.

More information:

Authentication over SSL

How SiteMinder Uses Certificate Data to Identify Users

After the Web Agent collects certificate information, it passes the data to the Policy Server for verification. The Policy Server then performs certificate mapping. The goal of certificate mapping is to locate a user by the Subject Name in the user certificate.

First, the Policy Server looks up the appropriate certificate mapping in the policy store. The Policy Server uses the certificate Issuer DN to locate the mapping. The Issuer DN is part of the certificate mapping configuration. After the Policy Server finds the mapping, it takes the Subject Name from the certificate and applies the mapping to find the user entry in the user directory.
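The two-step lookup described above (select the mapping by Issuer DN, then apply it to the Subject Name) is easy to get wrong if the issuer is ignored, because any CA could then mint a certificate with a matching Subject Name. The following is an added example, not SiteMinder code: the two rule kinds ("exact_dn" and "single_attribute"), the mapping table, the user directory and all DNs are constructed for illustration and are not the product's own mapping types or data.

```python
"""Certificate mapping illustration: find the mapping by Issuer DN, then apply
it to the certificate Subject Name to locate exactly one user entry.

Added example. The mapping rule names, the DNs and the directory contents are
constructed here and are not taken from SiteMinder."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def _split_rdn(rdn: str) -> Tuple[str, str]:
    """Split 'CN=Alice' into ('CN', 'Alice'); attribute types are upper-cased."""
    attr_type, _, value = rdn.strip().partition("=")
    return attr_type.strip().upper(), value.strip()


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse an RFC 4514-style DN into (type, value) pairs.

    Handles backslash-escaped characters such as '\\,' inside values; it is
    not a complete DN parser (no multi-valued RDNs, no hex encoding)."""
    pairs: List[Tuple[str, str]] = []
    buf = ""
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # escaped character: keep it literally
            buf += dn[i + 1]
            i += 2
            continue
        if ch == ",":
            pairs.append(_split_rdn(buf))
            buf = ""
        else:
            buf += ch
        i += 1
    if buf.strip():
        pairs.append(_split_rdn(buf))
    return pairs


def normalize_dn(dn: str) -> str:
    """Canonical key for comparing DNs: types upper-cased, values lower-cased,
    surrounding whitespace dropped. Applied to both sides of every comparison."""
    return ",".join(f"{t}={v.lower()}" for t, v in parse_dn(dn))


@dataclass(frozen=True)
class CertMapping:
    issuer_dn: str            # which CA this mapping applies to
    kind: str                 # "exact_dn" or "single_attribute" (this example's names)
    cert_attribute: str = "CN"        # subject attribute to read (single_attribute)
    directory_attribute: str = "uid"  # directory attribute to match it against


# Constructed user directory: entry DN -> attributes.
USER_DIRECTORY: Dict[str, Dict[str, str]] = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "mail": "alice@example.com"},
    "CN=Bob Builder,OU=Contractors,O=Example Corp": {"cn": "Bob Builder"},
}

# Constructed mapping table, keyed by Issuer DN.
MAPPINGS = [
    CertMapping("CN=Example Internal CA,O=Example Corp,C=US", "single_attribute", "CN", "uid"),
    CertMapping("CN=Partner CA,O=Partner Ltd,C=GB", "exact_dn"),
]


def find_mapping(issuer_dn: str, mappings: List[CertMapping]) -> Optional[CertMapping]:
    """Step 1: locate the mapping whose Issuer DN matches the certificate issuer."""
    key = normalize_dn(issuer_dn)
    for mapping in mappings:
        if normalize_dn(mapping.issuer_dn) == key:
            return mapping
    return None


def apply_mapping(mapping: CertMapping, subject_dn: str,
                  directory: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Step 2: apply the mapping to the Subject Name; return the matched entry DN.

    Returns None unless exactly one entry matches, so an absent, duplicated or
    ambiguous attribute fails authentication instead of picking a user."""
    if mapping.kind == "exact_dn":
        key = normalize_dn(subject_dn)
        hits = [dn for dn in directory if normalize_dn(dn) == key]
        return hits[0] if len(hits) == 1 else None
    if mapping.kind == "single_attribute":
        wanted = mapping.cert_attribute.upper()
        values = [v for t, v in parse_dn(subject_dn) if t == wanted]
        if len(values) != 1:
            return None
        hits = [dn for dn, attrs in directory.items()
                if attrs.get(mapping.directory_attribute, "").lower() == values[0].lower()]
        return hits[0] if len(hits) == 1 else None
    raise ValueError(f"unknown mapping kind {mapping.kind!r}")


def identify_user(issuer_dn: str, subject_dn: str,
                  mappings: List[CertMapping] = MAPPINGS,
                  directory: Dict[str, Dict[str, str]] = USER_DIRECTORY) -> Optional[str]:
    """Full certificate-mapping flow; None means the certificate maps to no user."""
    mapping = find_mapping(issuer_dn, mappings)
    if mapping is None:
        return None  # no mapping configured for this issuer: authentication fails
    return apply_mapping(mapping, subject_dn, directory)
```

Because the mapping is selected by Issuer DN first, a certificate from the partner CA carrying `CN=alice` is evaluated only under the partner CA's exact-DN rule and does not resolve to the internal `alice` entry; that is the property the Issuer DN in the mapping configuration buys you.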

The Policy Server can access user certificates that are stored only in the following repositories:

Important! You are required to configure certificate mapping for any X.509 client certificate authentication scheme.

More information:

Certificate Mapping for X.509 Client Certificate Authentication Schemes

X.509 Client Certificate Scheme Prerequisites

Satisfy the following prerequisites before configuring an X.509 Client Certificate authentication scheme:

Configure an X.509 Certificate Authentication Scheme

In addition to setting up the SSL environment, complete the following process to configure certificate authentication:

  1. Set up your environment to handle SSL communication. Configure the client browser, the web server and any user certificates to accept and perform certificate authentication.
  2. Verify that the installed Web Agent can handle SSL authentication.
  3. Configure an X.509 authentication scheme in the Administrative UI.
  4. Define certificate mappings to identify a user based on the information in the client certificate.
  5. (Optionally) Configure certificate validation using CRLs or OCSP.

Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.

Follow these steps:

  1. Click Infrastructure, Authentication.
  2. Click Authentication Schemes.
  3. Click Create Authentication Scheme.

    Verify that Create a new object of type Authentication Scheme is selected.

    Click OK.

  4. Enter a name and a protection level.
  5. Select the X.509 Client Cert Template from the Authentication Scheme Type list.
  6. Enter the server name and target information for the SSL Credentials Collector.
  7. (Optional) Select Persist Authentication Session Variables in Scheme Setup. This option specifies that the authentication context data is saved in the session store for later use in authentication decisions.
  8. Click Submit.

    The authentication scheme is saved and can be assigned to a realm.

The X.509 certificate authentication scheme is now configured in the Administrative UI. Now set up certificate mapping.