PhenixID web apps authentication – SSL Client Certificate Authentication
The purpose of this document is to describe how to configure the PhenixID server's internal web applications for authentication using SSL Client Certificate Authentication.
Prerequisites
Follow the prerequisites for Certificate infrastructure in this document: Prerequisites
Modules Required
- auth-http
Configuration
Configuration Properties:
Example configuration
The configuration must be added in the Advanced section of Configuration Manager.
HTTP Authenticators
{
    "name" : "HeaderBasedCertificate",
    "id" : "siths",
    "alias" : "siths",
    "displayName" : "SITHS",
    "configuration" : {
        "pipeID" : "pipeSiths",
        "certificateheader" : "SSL_CLIENT_CERT",
        "successURL" : "/selfservice/"
    }
}
Pipe
{
    "id" : "pipeSiths",
    "valves" : [ {
        "name" : "CertificateValidatorValve",
        "config" : {
            "cert" : "{{request.SSL_CLIENT_CERT}}",
            "trust_store_path" : "/opt/PhenixID/PAS/config/siths_trust.jks",
            "trust_store_password" : "{enc}sSlbfYJVOr5V+LM8RsgWhKBzyEOTLGvYdamWIAuVqGo=",
            "enable_crl" : "false",
            "enable_ocsp" : "true"
        }
    },
    {
        "name" : "LDAPSearchValve",
        "config" : {
            "connection_ref" : "local_ldap",
            "base_dn" : "dc=demo,dc=phenixid,dc=se",
            "scope" : "SUB",
            "size_limit" : "0",
            "filter_template" : "(uid={{request.serialNumber}})",
            "attributes" : "mail"
        }
    },
    {
        "name": "PropertyAddValve",
        "config": {
            "name": "roles",
            "value": "auth:7313aa29-f399-4a5b-afd3-fb1d7a88ae93",
            "enable_multi_value": "true"
        }
    }
    ]
}
Read this article to get the correct value for the roles property.
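The pipe above first validates the certificate taken from the SSL_CLIENT_CERT header and then searches LDAP with the certificate's subject serialNumber. The Go program below is an added example, not PhenixID code: it reproduces that validation step against a constructed CA and client certificate so that the rejection cases (unknown issuer, malformed header, certificate without a subject serialNumber) are visible. It assumes the header carries the certificate as PEM exactly as the TLS-terminating front end exported it, uses an in-memory pool in place of siths_trust.jks, and does not model the OCSP check.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)
// SubjectSerialFromHeader mirrors what CertificateValidatorValve must establish before
// LDAPSearchValve runs: the PEM certificate in the header chains to the trust store as a
// client-auth certificate, and its subject serialNumber (the value behind
// {{request.serialNumber}}) is present. The header is trusted as-is, which is only sound
// when the TLS-terminating front end sets it and never forwards a client-supplied copy.
func SubjectSerialFromHeader(header string, trust *x509.CertPool) (string, error) {
	block, _ := pem.Decode([]byte(header))
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("header does not carry a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: trust, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err // unknown issuer, expired, or not a client certificate
	}
	if cert.Subject.SerialNumber == "" {
		return "", errors.New("certificate carries no subject serialNumber") // filter would become (uid=)
	}
	return cert.Subject.SerialNumber, nil
}
// IssueTestCert builds a constructed CA and a client certificate with the given subject
// serialNumber (sample data, not a SITHS certificate). Generator errors are ignored: fixture code.
func IssueTestCert(serial string) (*x509.CertPool, string) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: ca.NotBefore, NotAfter: ca.NotAfter,
		Subject: pkix.Name{CommonName: "Test User", SerialNumber: serial},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, caCert, leafPub, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return pool, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER}))
}
```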