Setting X.509 user access - BlueCat Integrity - 26.1.0

Address Manager Administration Guide


When X.509 authentication is enabled, any Address Manager user can present a valid, matching client certificate to log in to Address Manager. If the user was created manually with a local password or associated with a remote authenticator, the user can also continue to log in at the standard Address Manager login screen with a username and password. You can set X.509 user access when adding a new user or editing an existing user. Note that X.509 authentication isn't supported for an API user.

If you want to ensure that a user can only authenticate using a valid X.509 client certificate, set the X.509 Required flag for the user account. The X.509 Required flag is enabled by default for user accounts created by X.509 authentication in combination with an LDAP group. A user with this flag set won't be able to log in to Address Manager with a username and password.

To set X.509 user access:

  1. Select the Settings tab in the sidebar.
  2. Under User management, select Users.
  3. To add a new user, select the New button. To edit a user, click the row containing the user in the Users table, then select Edit in the expanded details section.
  4. Select the Authentication tab.
  5. X.509 required—select the check box to force the user to access Address Manager using X.509 authentication only. If deselected, the user can log in to Address Manager using either username and password credentials or X.509 authentication.
  6. If adding a user, select Create or Create and add another. If editing a user, select Save.