AuthnMethodX509

X509 authentication method configuration. The "X.509" authentication type confirms users' identities by exchanging digital certificates. These methods require a Public Key Infrastructure (PKI) and a directory server that stores X.509 certificates and a Certificate Revocation List. If you want to validate certificates against an LDAP certificate store, you must ensure that:

  • The content of the LDAP directory is accessible by an anonymous bind.

  • A user certificate is contained in the userCertificate binary attribute of an entry in the LDAP directory that is an instance of the inetOrgPerson object class.

  • The DN of this inetOrgPerson entry matches exactly the subject DN of the user certificate it contains.

  • The certificate of the issuer of the user certificate is contained in the cACertificate binary attribute of an entry in the LDAP directory that is an instance of the certificationAuthority object class.

  • The DN of this certificationAuthority entry matches exactly the subject DN of the issuer certificate it contains.

  • This certificationAuthority entry also has a certificateRevocationList attribute that contains the CRL of the revoked user certificates issued by this issuer.

  • This certificationAuthority entry also has an authorityRevocationList attribute that contains the CRL of the revoked CA certificates issued by this issuer.

Description

Description of the configuration object

Assurance level

A numeric weight to be assigned to this authentication method. You can create authorization conditions based on these assurance level weights.

Communication URLs holder

The holder for common URL configurations of an authentication method.

Prefix for URL definitions

The prefix for URL definitions: the base URL, given as an absolute or relative path, from which the page URLs in the following fields are resolved. When an event occurs during the authentication workflow of this method, DirX Access redirects the authenticating user to the corresponding page.

Pre-login

The URL of the page to load before the login page, relative to 'Prefix for URL definitions'.

Login

The URL of the login page where users provide credentials for form-based authentication methods, relative to 'Prefix for URL definitions'.

Login success

The URL of the page to load when authentication succeeds, relative to 'Prefix for URL definitions'.

Login failed

The URL of the page to load when authentication fails, relative to 'Prefix for URL definitions'.

Error

The URL of the page to load when an error is encountered, relative to 'Prefix for URL definitions'.

Account expired

The URL of the page to load when the user’s account has expired, relative to the 'Prefix for URL definitions'.

Account locked

The URL of the page to load when the user’s account has been locked, relative to 'Prefix for URL definitions'.

Account disabled

The URL of the page to load when the user’s account has been disabled, relative to 'Prefix for URL definitions'.

Do correlate user accounts

Whether or not the authentication service correlates user accounts in the 'User Repository' upon successful validation of the provided credentials. For SAML assertion-based authentication at service providers (SPs), consider disabling this, depending on the underlying scenario.

  • For traditional initial authentication, the correlation is made based on the login name and the LDAP attribute 'Login name attribute' that can be configured in the SubjectTemplate configuration.

  • For X.509 certificate-based authentication, the correlation details can be configured on the basis of dedicated configuration fields in AuthnMethodX509 configuration.

  • For Kerberos or NTLM-based Windows authentication, the correlation is made based on the RFC 822 login name and the 'Mail attribute' that can be configured in the SubjectTemplate configuration.

  • For federated authentication based on SAML assertions, the correlation details can be configured in specific SAML assertion interpretation templates.

Do honor validity metadata

Whether or not the authentication service considers validity metadata, for example account lifetime or locking state.

Do use attribute finder

Whether or not the authentication service invokes the server-global subject attribute finder plug-in for this authentication method. This plug-in allows you to look up supplementary information about an authenticated user that is not part of the user account against which authentication was performed and is used when information about a single user is distributed across various repositories.

SAML authentication context class reference

A value to be imprinted as SAML authentication context class reference when issuing SAML assertions for subjects that have been authenticated with this method. If the value is undefined, a default mapping to SAML-defined values is used.

Do autogenerate domain identifier and format

Whether or not to generate the authentication-method-specific domain name in the format: authentication_id@authentication_method_id.

Domain identifier

The domain identifier used for the names retrieved by this authentication method during the domain name resolution.

Domain name format

The domain name format used for the names retrieved by this authentication method during domain name resolution. The format may contain placeholders: #1 (replaced by the authentication identifier), and #2 (replaced by the domain identifier).

Do hash authentication id

Whether or not the authentication identifier is hashed before it is included into the domain name.

User Correlation Policy

The extent to which correlation with an existing user record in the user repository is enforced for this authentication method. This element takes priority over the 'Do correlate user accounts' element.

  • MANDATORY: The authentication method will fail if the user correlation cannot be made.

  • OPTIONAL: The server tries to correlate the user with a user record; if the correlation fails, the method still succeeds where possible.

  • NONE: No user correlation will be done.

  • Allowed Values:

    • MANDATORY

    • OPTIONAL

    • NONE

Shared credentials authentication method identifier

Reference to an authentication method of the same type whose credentials and credential-specific configuration this method shares. If null, this method uses its own configuration and its own set of credentials for each user. The domain name configuration is resolved separately for every authentication method and is then used during unique name resolution. What is shared depends on the method type:

  • AuthnMethodPassword - number of login failures, password from the user record with its respective configuration and max number of consecutive login failures from the authentication method configuration.

  • AuthnMethodOtpRfc4226 - number of login failures, shared secret and counter from the user record and number of digits, throttling value, shared secret encoding and look ahead from the authentication method configuration.

  • AuthnMethodOtpRfc6238 - number of login failures, shared secret and time drift from the user record and number of digits, throttling value, shared secret encoding, time step seconds and time drift limit from the authentication method configuration.

Just-in-time provisioning of user record to AppRepo

Indicates whether Just-in-Time (JIT) provisioning of user records to the application repository is enabled. If enabled, a user record is automatically created in the application repository after successful authentication if it does not already exist. If disabled, authentication will not trigger the creation of a new user record if one does not exist.

X509 certificate correlation

The item of the X.509 certificate whose value is used to correlate the certificate with a user account in the LDAP directory server.

  • Allowed Values:

    • cn

    • dn

    • mail

    • uid

    • serialNumber

User account correlation

The LDAP attribute against which the value of the item selected in 'X509 certificate correlation' is matched when correlating user accounts in the LDAP directory server.
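How the two correlation fields work together, as an added example written for this page rather than code from DirX Access: the selected certificate item is read from the subject DN or the subjectAltName extension and inserted into an LDAP search filter on the configured attribute. The certificate subject is constructed, the attribute names entryDN and employeeNumber are illustrative assumptions, and treating serialNumber as the subject's serialNumber attribute rather than the certificate's serial number is an assumption the page does not settle. The escaping step is the check a practitioner wants here: the value comes from a certificate the client presented, so it must not be able to change the structure of the filter.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
)

// Subject DN attribute types that pkix.Name does not expose as fields.
var (
	oidUID   = asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 1} // uid
	oidEmail = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}       // emailAddress (PKCS#9)
)

// subjectAttr returns the first string-valued attribute of type oid in the subject DN, or "".
func subjectAttr(s pkix.Name, oid asn1.ObjectIdentifier) string {
	for _, atv := range append(append([]pkix.AttributeTypeAndValue{}, s.Names...), s.ExtraNames...) {
		if v, ok := atv.Value.(string); ok && atv.Type.Equal(oid) {
			return v
		}
	}
	return ""
}

// correlationValue extracts the configured "X509 certificate correlation" item from a certificate.
// Assumption (the page does not say which): "serialNumber" is the subject's serialNumber attribute,
// not the certificate's serial number.
func correlationValue(cert *x509.Certificate, item string) (string, error) {
	s := cert.Subject
	var v string
	switch item {
	case "cn":
		v = s.CommonName
	case "dn":
		v = s.String() // RFC 2253 form; the directory entry's DN has to match this exactly
	case "mail":
		if len(cert.EmailAddresses) > 0 {
			v = cert.EmailAddresses[0] // rfc822Name in subjectAltName, preferred over the legacy subject attribute
		} else {
			v = subjectAttr(s, oidEmail)
		}
	case "uid":
		v = subjectAttr(s, oidUID)
	case "serialNumber":
		v = s.SerialNumber
	default:
		return "", fmt.Errorf("unknown correlation item %q", item)
	}
	if v == "" {
		return "", fmt.Errorf("certificate for %q carries no %s value", s.CommonName, item)
	}
	return v, nil
}

// escapeFilter applies RFC 4515 escaping so a value taken from the certificate cannot alter the filter.
func escapeFilter(v string) string {
	var b strings.Builder
	for _, c := range []byte(v) {
		if c == '*' || c == '(' || c == ')' || c == '\\' || c < 0x20 || c >= 0x7f {
			fmt.Fprintf(&b, `\%02x`, c)
		} else {
			b.WriteByte(c)
		}
	}
	return b.String()
}

// correlationFilter builds the lookup filter "(<User account correlation>=<X509 certificate correlation value>)".
func correlationFilter(cert *x509.Certificate, item, ldapAttr string) (string, error) {
	v, err := correlationValue(cert, item)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("(%s=%s)", ldapAttr, escapeFilter(v)), nil
}

// sampleCert is a constructed subject, not a real certificate: only the fields correlation reads are filled.
func sampleCert(cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(4711),
		Subject: pkix.Name{CommonName: cn, Organization: []string{"Example Corp"}, Country: []string{"DE"},
			SerialNumber: "EMP-0042", ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidUID, Value: "alice"}}},
		EmailAddresses: []string{"alice@example.test"},
	}
}

func main() {
	// Assumed pairings of certificate item and LDAP attribute; entryDN and employeeNumber are illustrative.
	for _, p := range [][2]string{{"cn", "cn"}, {"dn", "entryDN"}, {"mail", "mail"}, {"uid", "uid"}, {"serialNumber", "employeeNumber"}} {
		f, err := correlationFilter(sampleCert("Alice Example"), p[0], p[1])
		fmt.Println(p[0], "->", f, err)
	}
	// A hostile CN must not widen the search: "alice)(uid=admin" stays one literal value.
	f, _ := correlationFilter(sampleCert("alice)(uid=admin"), "cn", "cn")
	fmt.Println(f) // (cn=alice\29\28uid=admin)
}
```

The dn case is the one to treat with care: Go renders unknown attribute types in the subject by OID, and directory servers render DNs in their own normalized form, so an exact string match on the DN (which the LDAP requirements above also rely on) only works when both sides agree on attribute names, order and escaping. Correlating on cn, uid or mail sidesteps that fragility but makes it essential that the issuing CA is the only party able to set those subject values.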

Certificate expired

The URL of the page to load upon certificate expiration, relative to 'Prefix for URL definitions'.

Certificate revoked

The URL of the page to load upon certificate revocation, relative to 'Prefix for URL definitions'.

Do perform certificate path validation

Whether or not certificate path validation according to RFC 3280 and RFC 5280 is performed. When validation is disabled, the complete certificate path is still built up to the trust anchor certificate and the signatures of all certificates in the path are verified, but that is all: the remaining RFC 5280 checks (validity periods, basic constraints, key usage, name and policy constraints) are the part that is skipped. A certificate that passes in this mode is therefore trusted only on the strength of its signature chain; an expired or otherwise constrained CA certificate in the path is not detected. Leave validation enabled outside of test setups.

Do trim certificate paths

Whether or not CA certificates that are already trusted (present in the truststore) are removed from the certificate chains presented with end-user and CA certificates before certificate validation.

End entity certificate revocation type

The type of certificate revocation check to be performed for end entity certificate:

  • nocheck: no revocation check is performed.

  • crlcheck: a revocation check based on CRLs is performed.

  • ocspcheck: a revocation check based on OCSP is performed.

  • bothcheck: a revocation check based on CRLs and OCSP is performed.

  • Allowed Values:

    • nocheck

    • crlcheck

    • ocspcheck

    • bothcheck

CA certificate revocation type

The type of certificate revocation check to be performed for CA certificates:

  • nocheck: no revocation check is performed.

  • crlcheck: a revocation check based on CRLs is performed.

  • ocspcheck: a revocation check based on OCSP is performed.

  • bothcheck: a revocation check based on CRLs and OCSP is performed.

  • Allowed Values:

    • nocheck

    • crlcheck

    • ocspcheck

    • bothcheck

OCSP responder URL

The URL of the Online Certificate Status Protocol (OCSP) responder server. This field allows you to configure OCSP responders to inquire about the revocation state of user certificates.

CRL distribution points

The URLs of the CRL distribution points (CDPs) that DirX Access uses to retrieve certificate revocation lists (CRLs) for inquiring about the revocation state of user certificates. Note that CDP URLs from the 'CRLDistributionPoints' extension of an X.509 certificate, if present, take precedence over the CDPs specified in this field; in that case the CDP URLs specified here are ignored.

CRL distribution points ignore expiry

The URLs of the CRL distribution points for which an expired CRL is still honored. If no up-to-date CRL can be retrieved from one of these distribution points but an already retrieved, meanwhile expired CRL from it is at hand, that CRL is used. Revocations published after that CRL was issued are then not seen, so list only distribution points whose temporary unavailability must not block authentication, and treat a CRL running past its nextUpdate as a monitoring signal rather than a steady state.
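The settings 'Do perform certificate path validation', the crlcheck revocation type and the two CRL distribution point fields, in one added Go example that is not DirX Access code. It builds a constructed test PKI with Go's crypto/x509, then shows full RFC 5280 validation rejecting a path through an expired issuing CA, the signature-only walk that the disabled setting is described as performing accepting that same path, and a CRL check that treats an expired CRL as an error unless its distribution point is listed for ignoring expiry. The CDP URL is assumed, the dates are chosen so that the same CRL is fresh in March 2025 and stale in December 2025, and trimming of presented trust anchors is not modelled (presented certificates are simply passed as intermediates).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func date(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mkCert issues a test certificate, self-signed when parent is nil (constructed test PKI, not product code).
func mkCert(cn string, serial int64, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: date(2024, 1, 1), NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// testPKI: root -> issuing CA (expires 2025-06-30) -> user "alice", plus a CRL from the issuing CA that revokes alice and is current only until 2025-03-15.
func testPKI() (root, issuing, user *x509.Certificate, crl *x509.RevocationList) {
	root, rootKey := mkCert("Test Root CA", 1, true, date(2030, 1, 1), nil, nil)
	issuing, issuingKey := mkCert("Test Issuing CA", 2, true, date(2025, 6, 30), root, rootKey)
	user, _ = mkCert("alice", 1001, false, date(2027, 1, 1), issuing, issuingKey)
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: date(2025, 2, 1), NextUpdate: date(2025, 3, 15),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: user.SerialNumber, RevocationTime: date(2025, 2, 1)}},
	}, issuing, issuingKey))
	return root, issuing, user, must(x509.ParseRevocationList(crlDER))
}

// validatePath is "Do perform certificate path validation" enabled: x509.Verify applies the RFC 5280 checks, including the validity period of every certificate in the chain at time at.
func validatePath(leaf *x509.Certificate, presented, trusted []*x509.Certificate, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, t := range trusted {
		roots.AddCert(t)
	}
	for _, c := range presented {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// signatureOnly is the setting disabled, as the page describes it: the path is still built up to a trust anchor and every signature checked, but validity periods and constraints are never examined.
func signatureOnly(cur *x509.Certificate, presented, trusted []*x509.Certificate) error {
	for _, t := range trusted {
		if cur.CheckSignatureFrom(t) == nil {
			return nil
		}
	}
	for i, c := range presented {
		if !c.Equal(cur) && cur.CheckSignatureFrom(c) == nil {
			rest := append(presented[:i:i], presented[i+1:]...) // drop c so a looped chain cannot recurse forever
			return signatureOnly(c, rest, trusted)
		}
	}
	return fmt.Errorf("no signature path from %q to a trust anchor", cur.Subject.CommonName)
}

// revokedByCRL checks leaf against the CRL retrieved from cdp. An expired CRL is an error unless cdp is listed in ignoreExpiry ("CRL distribution points ignore expiry"), in which case the stale list is still honored.
func revokedByCRL(leaf, issuer *x509.Certificate, crl *x509.RevocationList, cdp string, ignoreExpiry map[string]bool, at time.Time) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err // a CRL not signed by the issuer must never clear or revoke anything
	}
	if at.After(crl.NextUpdate) && !ignoreExpiry[cdp] {
		return false, fmt.Errorf("CRL from %s expired %s", cdp, crl.NextUpdate.Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	root, issuing, user, crl := testPKI()
	chain, trusted := []*x509.Certificate{issuing, root}, []*x509.Certificate{root}
	fmt.Println("full validation 2025-12:", validatePath(user, chain, trusted, date(2025, 12, 1)))
	fmt.Println("signature-only 2025-12:", signatureOnly(user, chain, trusted))
	cdp := "http://crl.example.test/issuing.crl" // assumed CDP URL, not a real endpoint
	fmt.Println(revokedByCRL(user, issuing, crl, cdp, map[string]bool{cdp: true}, date(2025, 12, 1)))
}
```

Run in December 2025 the full validation reports the expired issuing CA while the signature-only walk returns nil, which is the whole difference the 'Do perform certificate path validation' switch makes. The CRL call shows the ignore-expiry trade-off: with the CDP listed, the nine-month-old list still says "revoked" for alice, which is the useful case, but a certificate revoked after 2025-02-01 would equally still pass, and the CRL signature check is what keeps an attacker-supplied CRL from being accepted in either mode.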

Initial policy set object identifiers

A list of the certificate policy extension identifiers that are acceptable for this X.509 authentication method.

Do initial policy mapping inhibit

Whether or not policy mapping is inhibited in certificate paths (the RFC 5280 initial-policy-mapping-inhibit input). When checked, policy mappings in CA certificates are not honored.

Do initial explicit policy

Whether or not the certificate path must be valid for at least one of the certificate policies in the initial policy list.

Do initial any policy inhibit

Whether or not processing of the anyPolicy OID is inhibited (the RFC 5280 initial-any-policy-inhibit input). When checked, anyPolicy in a certificate is not treated as matching the certificate policies in the initial policy set.

Truststore password

The password of the validation truststore.

Truststore identifier

The identifier of the validation truststore to be used for X.509 authentication purposes. It can be selected from items already configured.