How X.509 authentication works - BlueCat Address Manager - 9.2.0

Address Manager Administration Guide

prodname
BlueCat Address Manager
version_custom
9.2.0

Overview of the behavior of X.509 Authentication.

X.509 login behavior

When a client system establishes an HTTPS connection to Address Manager, Address Manager will request an X.509 certificate from the client. If the user has one or more client certificates that can be used for X.509 authentication, the web browser will typically prompt the user to select a certificate (exact behavior is dependent on the user’s operating system and browser).

If the user doesn't have a certificate or if the user elects to not provide a certificate (typically by canceling the certificate selection process), the user will be presented with the standard Address Manager login page: X.509 authentication is no longer applicable.

If the user selects a certificate, the browser will send the certificate to Address Manager, which will verify the integrity of the certificate. Address Manager will communicate with the configured Online Certificate Status Protocol (OCSP) Responder(s) to verify that the certificate hasn't been revoked. If the certificate fails any of these tests, the user will be denied access. If the certificate passes these tests, the user’s credentials are considered to be valid, but the user not yet logged in.

If a user matching the certificate already exists in Address Manager, the user will be logged in. The user’s login name is taken from the last CN (Common Name) element in the client certificate’s Subject attribute, which is expected to be in X.509 DN (Distinguished Name) format. For example, if the client certificate’s Subject is CN=John Smith, CN=Users, DC=example, DC=corp, the user’s login name will be John Smith.

If the user doesn't exist and one or more LDAP Groups are configured in Address Manager, the associated LDAP group will be examined for a member whose name matches the username. If the user is found to be a member of one or more of these LDAP groups, the user will be created and associated with the LDAP Group in Address Manager.

If the user doesn't exist, and no LDAP Groups are configured or if the user belongs to no configured LDAP Groups, the user will be denied access.

X.509 logout behavior

When an X.509 authenticated user logs out from Address Manager, they will be presented with a message indicating that they must close their web browser to log out completely. This is required due to web browser behavior. If the user doesn't close their browser, an attempt to access Address Manager may result in automatic login due to browser certificate caching.

Create a non-existent user

If X.509 authentication is enabled, the auto-creation of LDAP users in Address Manager when logging in to Address Manager will be inhibited. You must first add a user manually for the user to be able to log in to Address Manager using X.509 authentication.