How X.509 authentication works - BlueCat Address Manager - 8.3.0

Address Manager Administration Guide


Overview of the behaviour of X.509 Authentication.

X.509 login behavior

When a client system establishes an HTTPS connection to Address Manager, Address Manager will request an X.509 certificate from the client. If the user has one or more client certificates that can be used for X.509 authentication, the web browser will typically prompt the user to select a certificate (exact behavior is dependent on the user’s operating system and browser).

If the user does not have a certificate or if the user elects to not provide a certificate (typically by canceling the certificate selection process), the user will be presented with the standard Address Manager login page: X.509 authentication is no longer applicable.

If the user selects a certificate, the browser sends it to Address Manager, which verifies the integrity of the certificate. Address Manager then communicates with the configured Online Certificate Status Protocol (OCSP) Responder(s) to verify that the certificate has not been revoked. If the certificate fails any of these tests, the user is denied access. If the certificate passes these tests, the user's credentials are considered valid, but the user is not yet logged in.

If a user matching the certificate already exists in Address Manager, the user will be logged in. The user’s login name is taken from the last CN (Common Name) element in the client certificate’s Subject attribute, which is expected to be in X.509 DN (Distinguished Name) format. For example, if the client certificate’s Subject is CN=John Smith, CN=Users, DC=example, DC=corp, the user’s login name will be John Smith.
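The following is an added illustration of the login-name rule above; it is not BlueCat code and does not reflect how Address Manager is implemented internally. It assumes the Subject is available either as an RFC 4514 string (the form browsers and tools display, which lists RDNs starting from the last one in the certificate's encoding) or as a list of RDNs in encoding order, and it shows why the "last CN" is the first CN you see in the displayed string. Escaped separators such as `CN=Smith\, John` are handled; multi-valued RDNs joined with `+` are not.

```python
"""Derive the Address Manager login name from an X.509 client-certificate Subject.

Added example (not BlueCat code). Assumptions:
  * the Subject arrives as an RFC 4514 string, or as (type, value) pairs
    in certificate encoding order (the order an ASN.1 parser would yield);
  * the certificate has already passed integrity and OCSP checks, so the
    name extracted here is trusted input for the user lookup that follows.
"""
from typing import List, Optional, Tuple

HEX_DIGITS = "0123456789abcdefABCDEF"


def parse_rfc4514(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 DN string into (TYPE, value) pairs in string order.

    Handles backslash escapes of single characters ('\\,') and of hex pairs
    ('\\2c'). Unescaped whitespace around separators is dropped.
    """
    pairs: List[Tuple[str, str]] = []
    buf: List[str] = []

    def flush() -> None:
        item = "".join(buf)
        if "=" not in item:
            raise ValueError(f"malformed RDN: {item!r}")
        attr_type, value = item.split("=", 1)
        pairs.append((attr_type.strip().upper(), value.strip()))
        buf.clear()

    i, n = 0, len(dn)
    while i < n:
        ch = dn[i]
        if ch == "\\" and i + 1 < n:
            if i + 2 < n and dn[i + 1] in HEX_DIGITS and dn[i + 2] in HEX_DIGITS:
                buf.append(chr(int(dn[i + 1:i + 3], 16)))  # hex escape, e.g. \2c
                i += 3
            else:
                buf.append(dn[i + 1])  # single-character escape, e.g. \,
                i += 2
            continue
        if ch == ",":
            flush()
        else:
            buf.append(ch)
        i += 1
    flush()
    return pairs


def last_cn(rdns_encoded_order: List[Tuple[str, str]]) -> Optional[str]:
    """Return the last non-empty CN in certificate encoding order, or None."""
    for attr_type, value in reversed(rdns_encoded_order):
        if attr_type.upper() == "CN" and value:
            return value
    return None


def login_name_from_subject(dn: str) -> Optional[str]:
    """Login name for a Subject given as an RFC 4514 string.

    RFC 4514 writes the RDN sequence from its last element to its first, so
    reversing the parsed pairs restores encoding order before last_cn() runs.
    """
    encoded_order = list(reversed(parse_rfc4514(dn)))
    return last_cn(encoded_order)


if __name__ == "__main__":
    # Constructed sample Subjects (not real certificates).
    samples = [
        "CN=John Smith, CN=Users, DC=example, DC=corp",   # page's own example
        r"CN=Smith\, John, OU=IT, DC=example, DC=corp",     # escaped comma
        "OU=Service Accounts, DC=example, DC=corp",         # no CN: no login name
    ]
    for subject in samples:
        print(f"{subject!r} -> {login_name_from_subject(subject)!r}")
```

A Subject with no CN yields `None`; in Address Manager terms there is then no user to match, so the outcome is the "user does not exist" path described in the paragraphs that follow.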

If the user does not exist and one or more LDAP Groups are configured in Address Manager, each configured LDAP group is examined for a member whose name matches that login name. If the user is found to be a member of one or more of these LDAP groups, the user is created and associated with the matching LDAP Group in Address Manager.

If the user does not exist, and no LDAP Groups are configured or if the user belongs to no configured LDAP Groups, the user will be denied access.

[Diagram: X.509 login flow between the Client, Address Manager and the Authentication Server (OCSP). Steps shown: the client establishes a connection to Address Manager; the client certificate is sent as part of the authentication request; Address Manager sends the client certificate information to the OCSP server; the OCSP server verifies the client certificate status; the user is granted access to Address Manager.]

X.509 logout behavior

When an X.509 authenticated user logs out from Address Manager, they will be presented with a message indicating that they must close their web browser to log out completely. This is required due to web browser behavior. If the user does not close their browser, an attempt to access Address Manager may result in automatic login due to browser certificate caching.

Create a non-existent user

If X.509 authentication is enabled, the auto-creation of LDAP users in Address Manager when logging in to Address Manager will be inhibited. You must first add a user manually for the user to be able to log in to Address Manager using X.509 authentication.