

X.509 Client Certificate Authentication Schemes

X.509 client certificates provide cryptographic evidence of a user’s identity. A user certificate, supplied by a certificate vendor, is unique and can be used to identify the user who attempts to access a protected resource.

A client certificate contains the following information:

SiteMinder uses the X.509 Client Certificate authentication schemes to implement certificate authentication. To use X.509 client certificate authentication, your environment must be able to handle SSL communication. This means that the client browser, the web server and any user certificates must be configured to accept and perform certificate authentication. These tasks are outside the scope of SiteMinder configuration.

After the necessary SSL components are set up properly, you can configure a SiteMinder X.509 authentication scheme. SiteMinder configuration tasks require that you do the following:

The SiteMinder X.509 Client Certificate authentication schemes perform the following tasks:

More information:

Certificate Mapping for X.509 Client Authentication Schemes

Extracting a Certificate for Certificate Authentication

When a user requests a SiteMinder-protected resource, the Web Agent first contacts the Policy Server to determine which authentication scheme is protecting the resource. If an X.509 authentication scheme is protecting a resource, the Web Agent redirects the user’s browser to the SiteMinder credential collector that corresponds to the configured authentication scheme. The path to the credential collector is defined in the authentication scheme configuration.

The connection to the credential collector is an SSL-secured connection, and the web server is configured to require a client certificate. Therefore, the browser must submit a client certificate for authentication. The resource name and extension at the end of the credential collector URL instruct the Web Agent to extract a user certificate from the web server. The Web Agent then passes the certificate to the Policy Server for use by the authentication scheme.

More information:

Authentication over SSL

How SiteMinder Uses Certificate Data to Identify Users

After the Web Agent collects certificate information, it passes the data to the Policy Server for verification. The Policy Server then performs certificate mapping. The goal of certificate mapping is to locate a SiteMinder user by the Subject Name in the user certificate.

First, the Policy Server looks up the appropriate certificate mapping in the policy store. The Policy Server uses the certificate Issuer DN to locate the mapping. The Issuer DN is part of the certificate mapping configuration. After the Policy Server finds the mapping, it takes the Subject Name from the certificate and applies the mapping to find the user entry in the user directory.
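The two-step lookup just described (find a mapping by the Issuer DN, then apply it to the Subject Name to find one user entry), as an added Python illustration that is not SiteMinder's code. The mapping-table shape, the in-memory user directory, the DN values and the case-insensitive uid comparison are all constructed assumptions; the page does not show the real configuration format.

```python
import re

# Constructed mapping table (assumed shape, not SiteMinder's format):
# normalized Issuer DN -> which Subject attribute names the user and which
# user-directory attribute it is matched against.
def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514-style DN into (TYPE, value) pairs, preserving order.
    Handles '\\,' escapes inside values; attribute types are upper-cased."""
    pairs = []
    for part in re.split(r'(?<!\\),', dn):
        typ, sep, val = part.partition('=')
        if not sep:
            raise ValueError(f'malformed DN component: {part!r}')
        pairs.append((typ.strip().upper(), val.strip().replace('\\,', ',')))
    return pairs

def normalize_dn(dn: str) -> str:
    """Canonical form used as the lookup key, so that differences in
    attribute-type case and whitespace do not defeat the Issuer DN match."""
    return ','.join(f'{t}={v}' for t, v in parse_dn(dn))

CERT_MAPPINGS = {
    normalize_dn('CN=Example Issuing CA, O=Example Corp, C=US'):
        {'subject_attr': 'CN', 'directory_attr': 'uid'},
}

# Constructed stand-in for the user directory (LDAP entries in a real deployment).
USER_DIRECTORY = [
    {'uid': 'jdoe', 'dn': 'uid=jdoe,ou=People,dc=example,dc=com'},
    {'uid': 'asmith', 'dn': 'uid=asmith,ou=People,dc=example,dc=com'},
]

def map_certificate(issuer_dn, subject_dn, mappings=CERT_MAPPINGS,
                    directory=USER_DIRECTORY):
    """Return (user_entry, 'ok'), or (None, reason) when the certificate
    cannot be mapped to exactly one user. Unknown issuer, missing subject
    attribute, no match and ambiguous match are all rejections."""
    mapping = mappings.get(normalize_dn(issuer_dn))
    if mapping is None:
        return None, 'no certificate mapping configured for this issuer'
    attr = mapping['subject_attr']
    value = next((v for t, v in parse_dn(subject_dn) if t == attr), None)
    if not value:
        return None, f'subject name lacks the {attr} attribute'
    # Assumption: uid values compare case-insensitively, as in most directories.
    hits = [u for u in directory
            if u.get(mapping['directory_attr'], '').lower() == value.lower()]
    if len(hits) != 1:
        return None, 'ambiguous match' if hits else 'no user entry found'
    return hits[0], 'ok'
```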

The Policy Server can access user certificates that are stored only in the following repositories:

Important! You are required to configure certificate mapping for any X.509 client certificate authentication scheme.

More information:

Certificate Mapping for X.509 Client Authentication Schemes

X.509 Client Certificate Scheme Prerequisites

Satisfy the following prerequisites before configuring an X.509 Client Certificate authentication scheme: