Certificate-Based Authentication

This guide demonstrates how to configure certificate-based authentication (CertificateAuth) in Fortified ID Access.

Scenario

Implementing certificate-based authentication enables secure user identification through client certificates. This configuration is particularly useful for environments requiring strong authentication mechanisms.

Prerequisites

  • Fortified ID Access installed and configured with the default settings.

  • Access to the configuration directory.

  • A valid client certificate authority (CA) and client certificates for user authentication. These can be self-signed certificates.

  • A service that terminates mTLS for the path used by the "CertificateAuth" method, such as Apache HTTPD or NGINX. See the configuration example for Apache HTTPD here.

Configuration Steps

  1. Add Certificate Authentication to authn configuration

    Navigate to the authn configuration and append the following configuration:

    {
      "id": "cert",
      "type": "CertificateAuth",
      "config": {
        "base_path": "/access/authn",
        "certificate_header_name": "SSL_CLIENT_CERT",
        "missing_certificate_location": "https://<custom_location>",
        "exports": [
          {
            "name": "AuthnContextClassRef",
            "value": "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
          },
          {
            "name": "amrRef",
            "value": "x509"
          },
          {
            "name": "used_auth",
            "value": "cert"
          }
        ]
      }
    }

Explanation:

  • id: Unique identifier for the authentication method.

  • type: Specifies the authentication type as CertificateAuth.

  • base_path: Defines the base path for authentication endpoints.

  • certificate_header_name: Specifies the HTTP header, set by the mTLS-terminating service, that carries the client certificate.

  • missing_certificate_location: URL to which users are redirected if no certificate is provided.

  • exports: List of attributes to be included in the authentication context.

  2. Add Selector Configuration

    To present the certificate authentication option to users, add the following entry to the selector configuration:

    {
      "id": "9",
      "target": "cert",
      "label": "Certificate",
      "logo": "assets/svg/certificate.svg"
    }

    Explanation:

    • id: Unique identifier for the selector.

    • target: References the authentication method ID (cert).

    • label: The name of the authentication method shown to users, either a hardcoded string or a variable resolved from the language files.

    • logo: Path to the logo image representing the authentication method.
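As an added example, not part of this guide or of the Fortified ID Access product, the following Go program models what the CertificateAuth method has to do per request with the configuration above: read the certificate from the header named by certificate_header_name, redirect to missing_certificate_location when it is absent, and otherwise decode the certificate and return the configured exports together with the certificate subject. The function names, the "subject_cn" export and the self-signed test certificate are assumptions made for this example; it also assumes the proxy may fold the PEM's line breaks into spaces when placing it in the header, which the whitespace stripping tolerates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// authenticate models one CertificateAuth request (hypothetical code, not the product's).
// headerValue is the certificate_header_name header set by the mTLS proxy: empty means a
// redirect to missingLocation; otherwise the PEM is decoded and the exports are returned.
func authenticate(headerValue, missingLocation string) (string, map[string]string, error) {
	s := strings.Join(strings.Fields(headerValue), "") // drop folded or real line breaks
	if s == "" {
		return missingLocation, nil, nil
	}
	const begin, end = "-----BEGINCERTIFICATE-----", "-----ENDCERTIFICATE-----"
	if len(s) < len(begin)+len(end) || !strings.HasPrefix(s, begin) || !strings.HasSuffix(s, end) {
		return "", nil, fmt.Errorf("header does not carry a PEM certificate")
	}
	der, err := base64.StdEncoding.DecodeString(s[len(begin) : len(s)-len(end)])
	var cert *x509.Certificate
	if err == nil {
		cert, err = x509.ParseCertificate(der)
	}
	if err != nil {
		return "", nil, fmt.Errorf("invalid client certificate: %w", err)
	}
	return "", map[string]string{ // exports from the page's configuration plus the subject
		"AuthnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:X509",
		"amrRef": "x509", "used_auth": "cert", "subject_cn": cert.Subject.CommonName,
	}, nil
}

// clientCertPEM makes a throwaway self-signed client certificate (constructed test input).
func clientCertPEM(cn string) string {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}
```

Because the service trusts whatever arrives in that header, the mTLS-terminating proxy must set it on every request and overwrite any value the client supplied; the application cannot tell a forwarded certificate from an injected one.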

Test the configuration

  1. Ensure that the client certificate is installed in the user's browser.

  2. Navigate to the authentication endpoint configured for certificate-based authentication.

  3. Select the "Certificate" option from the available authentication methods.

  4. Verify that authentication proceeds using the client certificate and that the expected attributes are exported.

Troubleshooting

  • Missing Certificate: If users are redirected to the missing_certificate_location, ensure that the client certificate is properly installed in the browser and that the mTLS-terminating service forwards it in the configured header.

  • Attribute Mapping Issues: Verify that the LDAP_search_filter is correctly configured and that the necessary LDAP attributes are available.
