Previous Topic: X.509 Certificate or Basic Authentication SchemesNext Topic: X.509 Client Certificate or HTML Forms Authentication Schemes


X.509 Client Certificate and HTML Forms Authentication Schemes

The X.509 Client Certificate and HTML Forms authentication scheme combines HTML Forms authentication and X.509 Client Certificate authentication. This authentication scheme provides an extra layer of security for critical resources. In order for a user to authenticate successfully, the following two events must occur:

For X.509 Client Certificate authentication, CA SiteMinder® processes authentication using the following steps:

  1. The Policy Server instructs the CA SiteMinder® Web Agent to redirect the user to an FCC on an SSL-enabled web server.
  2. The Web Agent presents the form.
  3. The FCC passes the certificate and form back to the Policy Server.
  4. The Policy Server verifies that the user in the certificate mapping exists.
  5. The Policy Server verifies the user’s HTML form credentials.
  6. CA SiteMinder® verifies that the certificate credentials and the HTML Forms credentials represent the same user.

More information:

X.509 Client Certificate Authentication Schemes

X.509 Client Certificate and HTML Forms Scheme Prerequisites

Ensure the following prerequisites are met before configuring a X.509 Client Certificate and HTML Forms authentication scheme:

Note: For Apache Web servers where Certificates are required or optional, the SSL Verify Depth 10 line in the httpd.conf file must be uncommented.

The certificate and forms data are collected and passed to the Policy Server together.

If...

then...

There is no certificate

CA SiteMinder® issues error 500

The certificate and forms credentials are not accepted

CA SiteMinder® issues error 500

More information:

User Directories

Agent API Support

The X.509 Client Certificate and HTML Forms uses the Sm_AuthApi_Cred_SSLRequired and the Sm_AuthApi_Cred_FormRequired bits.

Configure an X.509 Certificate and HTML Forms Authentication Scheme

You can use an X.509 Certificate and HTML authentication scheme to combine certificate authentication and HTML forms-based authentication.

Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.

Follow these steps:

  1. Click Infrastructure, Authentication.
  2. Click Authentication Schemes.

    The Authentication Schemes page appears.

  3. Click Create Authentication Scheme.

    Verify that the Create a new object of type Authentication Scheme is selected.

  4. Click OK

    The Create Authentication Scheme page appears.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  5. Enter a name and a protection level.
  6. Select X509 Client Cert and Form Template from the Authentication Scheme Type list.

    Scheme-specific settings open.

  7. Enter the server name and target information for the SSL Credentials Collector.
  8. (Optional) Select Persist Authentication Session Variables in Scheme Setup. This option specifies that the authentication context data is saved in the session store.
  9. Click Submit.

    The authentication scheme is saved and can be assigned to a realm.