Frequent Contributor

Client Certificate optional fields

I've been using client certificates as a form of two-factor authentication for a while, where the IVE just simply checked to make sure the user had a certificate that was signed by a Trusted Client CA. I want to take that a step further now and make sure that one of the fields (L, for Locality) is the same as the username they typed in to sign in (so User A can't steal User B's certificate and use it). Now I can get this to work fine with hard-coded values in testing... but I can't seem to figure out the syntax for the IVE to check the L field against their entered username (the one it'll do role mapping against).

Anyone have any experience in doing such a thing?

Super Contributor

Re: Client Certificate optional fields

I've done something like this. In my case, I did not do certificate authentication but did use certificate restrictions at the realm level. Then, in my role mapping, I map a role using an expression like "user != certDn.serialNumber" (that is, the username used to sign on does not match a field on the certificate). The role that is selected by this rule tells the user that the field in the cert did not match the username, and does not allow the user to do anything.

I recommend using policy tracing to see the name of the field to compare to the user name.
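
The check the reply above describes, comparing the sign-in username with a single attribute of the client certificate's subject DN and selecting a "mismatch" role when they differ, can be modelled outside the appliance to see exactly which inputs pass and fail. The following is an added example written for this page; it is not code from the thread, and it does not reproduce the IVE's own expression language. It assumes the DN arrives as an RFC 4514 string (the form policy tracing shows), that the comparison is case-insensitive with surrounding whitespace ignored, that an attribute which is absent or appears more than once counts as a mismatch (fail closed), and that the role names `Users` and `CertMismatch` are hypothetical placeholders.

```python
"""Model of a username-versus-certificate-attribute role-mapping check.

Added example, not part of the forum thread or of any Juniper/Pulse IVE code.
Assumptions (labelled): RFC 4514 string DNs; case-insensitive compare after
trimming whitespace; absent or duplicated attribute => mismatch (fail closed);
role names are hypothetical.
"""
from typing import List, Optional, Tuple

MATCH_ROLE = "Users"            # hypothetical role granting normal access
MISMATCH_ROLE = "CertMismatch"  # hypothetical role that only shows an error page


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse an RFC 4514 DN string such as 'CN=alice,L=alice,O=Example' into
    (attribute, value) pairs in the order written.

    Handles backslash escapes ('\\,' and two-digit hex pairs such as '\\2C',
    hex pairs assumed ASCII) and treats unescaped ',' ';' and '+' as
    separators, so multi-valued RDNs become separate pairs. '#hex' encoded
    values are not supported.
    """
    pairs: List[Tuple[str, str]] = []
    attr: Optional[str] = None
    buf: List[str] = []
    i, n = 0, len(dn)
    while i < n:
        c = dn[i]
        if c == "\\" and i + 1 < n:
            hexpair = dn[i + 1:i + 3]
            if len(hexpair) == 2 and all(h in "0123456789abcdefABCDEF" for h in hexpair):
                buf.append(chr(int(hexpair, 16)))  # e.g. '\2C' -> ','
                i += 3
            else:
                buf.append(dn[i + 1])              # e.g. '\,' -> ','
                i += 2
            continue
        if attr is None and c == "=":
            attr = "".join(buf).strip()            # attribute name finished
            buf = []
        elif attr is not None and c in ",;+":
            pairs.append((attr, "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(c)
        i += 1
    if attr is not None:
        pairs.append((attr, "".join(buf).strip()))
    elif "".join(buf).strip():
        raise ValueError("malformed DN: trailing text without '='")
    return pairs


def dn_attribute(dn: str, attr: str) -> Optional[str]:
    """Return the single value of `attr` (name matched case-insensitively),
    or None when the attribute is absent or occurs more than once."""
    values = [v for a, v in parse_dn(dn) if a.lower() == attr.lower()]
    return values[0] if len(values) == 1 else None


def map_role(username: str, cert_dn: str, attr: str = "L") -> str:
    """Mirror a rule of the form 'user != certDn.<attr>' selecting the
    mismatch role. Any doubt (missing/duplicated attribute) fails closed."""
    value = dn_attribute(cert_dn, attr)
    if value is None:
        return MISMATCH_ROLE
    if value.strip().casefold() != username.strip().casefold():
        return MISMATCH_ROLE
    return MATCH_ROLE


if __name__ == "__main__":
    # Constructed sample DNs, not taken from any real certificate.
    alice_cert = "CN=alice,L=alice,O=Example"
    no_locality = "CN=alice,O=Example"
    escaped = r"CN=Doe\, John,L=jdoe,O=Example"
    for user, dn in [("alice", alice_cert),   # own cert -> Users
                     ("bob", alice_cert),     # stolen cert -> CertMismatch
                     ("alice", no_locality),  # no L field -> CertMismatch
                     ("jdoe", escaped)]:      # escaped comma parsed -> Users
        print(f"{user:6} {dn:35} -> {map_role(user, dn)}")
```

The `+` separator matters in practice: if a CA issues a multi-valued RDN such as `CN=alice+L=alice`, a naive split on commas would never find `L`, while this parser still does. Conversely, the duplicate-attribute rule is what stops a certificate carrying two `L` values from matching whichever one the rule engine happens to read first.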

Not applicable

Re: Client Certificate optional fields

Hi Tessian,

Could you send me documentation or steps to use two-factor authentication with a Local CA Root and then AD for authentication?

Thank you