June 7, 2018 at 6:25 pm #22250
I am configuring the “Certificate Authentication Module” for my realm.
The whole config setting looks very neat and clean except one.
It is very clear that if there is a load balancer in front of AM, then we have to configure 2 properties,
Trusted Remote Hosts and HTTP Header Name for Client Certificate, so that the LB can send out the client certificate in a particular HTTP header which will be used by AM to map it to the identity.
There is also one more config setting, i.e., “Use only Certificate from HTTP request header”, which is confusing me.
If I interpret correctly, it works in the following order:
2-way SSL is established between client browser and AM.
If “Use only Certificate from HTTP request header” is OFF, then AM will pull out the client certificate using request.getAttribute("javax.servlet.request.X509Certificate").
AM will use the above cert in establishing the mapping and creating the session.
However, if “Use only Certificate from HTTP request header” is ON, then:
2-way SSL will be performed as usual between browser and AM.
But now, instead of using the client cert that was used for 2-way SSL, AM will look for one more certificate in the incoming HTTP request header.
Is my understanding correct?
If yes, that means that the client has to pack this certificate in the HTTP request.
Thanks.
June 8, 2018 at 8:35 am #22255 Peter Major (Moderator)
The “Use only Certificate from HTTP request header” setting tells AM that it should ignore the certs defined on the HTTP request and always look for the cert in the header. The only use-case I can think of is when the LB/RP would use client auth (using their own private key) to access the AM container.
June 8, 2018 at 4:01 pm #22264
Thanks Peter. Your clarification really helps me.
Some time ago I requested a similar quick clarification for the “Kerberos Auth Module”.
Would you please confirm if I am correct in my understanding.
I want to know whether AM’s Windows Desktop SSO auth module would ever need to communicate with the Kerberos KDC OR Active Directory during the IWA authentication flow.
As per the Kerberos protocol, there is NO such exchange defined between Service and KDC.
I just wanted to confirm that AM adheres to the Kerberos design, as in my organization we can not open up the KDC or AD for AM.
Our AM is in the AWS Cloud.
Thanks.
June 8, 2018 at 4:06 pm #22265 Peter Major (Moderator)
Fortunately Kerberos so far has eluded me, and I never really had to learn how any of it works. I can’t answer your question.
June 8, 2018 at 7:53 pm #22269
No problem Peter. Will wait and see if somebody else responds.
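Peter's answer on the certificate module above describes when AM should believe a client certificate carried in an HTTP header rather than the one that completed 2-way SSL. The following is an added example, not AM's code or anything posted in this thread: a simplified Python model of the three settings (Trusted Remote Hosts, the header name, and the header-only flag), using constructed PEM stand-ins, a constructed header name and constructed addresses, that shows which certificate ends up mapped in each scenario the thread discusses and why the header must only be trusted from a configured LB.

```python
from dataclasses import dataclass, field
from urllib.parse import unquote

# Constructed stand-ins for PEM certificates (opaque strings, not real certs).
TLS_CLIENT_CERT = "-----BEGIN CERTIFICATE-----\n...direct-browser-client...\n-----END CERTIFICATE-----"
LB_CERT = "-----BEGIN CERTIFICATE-----\n...load-balancer-own-key...\n-----END CERTIFICATE-----"
END_USER_CERT = "-----BEGIN CERTIFICATE-----\n...end-user-behind-lb...\n-----END CERTIFICATE-----"

@dataclass
class CertModuleConfig:
    """Hypothetical model of the three module settings discussed in the thread."""
    trusted_remote_hosts: set = field(default_factory=set)  # Trusted Remote Hosts
    header_name: str = "X-Client-Cert"  # HTTP Header Name for Client Certificate (constructed)
    header_only: bool = False  # "Use only Certificate from HTTP request header"

def select_client_cert(cfg, remote_addr, tls_peer_cert, headers):
    """Return the PEM to map to an identity, or None to fail authentication.
    tls_peer_cert models request.getAttribute("javax.servlet.request.X509Certificate")."""
    raw = headers.get(cfg.header_name)
    header_cert = unquote(raw).strip() if raw else None  # LBs often URL-encode the PEM
    # The header is believed only when the TCP peer is a configured LB/RP;
    # any other peer could have written that header itself.
    header_trusted = remote_addr in cfg.trusted_remote_hosts and header_cert is not None
    if cfg.header_only:
        # The peer's own TLS cert (the LB's, when it does client auth) is ignored.
        return header_cert if header_trusted else None
    # Default: the cert that completed 2-way TLS with the AM container wins;
    # the header is consulted only when there was none and the peer is trusted.
    if tls_peer_cert is not None:
        return tls_peer_cert
    return header_cert if header_trusted else None

def demo():
    """Run the scenarios from the thread; returns the cert mapped in each case."""
    lb = {"10.0.0.9"}
    hdr = {"X-Client-Cert": END_USER_CERT.replace("\n", "%0A")}
    off = CertModuleConfig(trusted_remote_hosts=lb, header_only=False)
    on = CertModuleConfig(trusted_remote_hosts=lb, header_only=True)
    return {
        # Browser talks straight to AM: setting OFF maps the TLS client cert.
        "direct_off": select_client_cert(off, "198.51.100.5", TLS_CLIENT_CERT, {}),
        # LB authenticates with its own key and forwards the user cert: OFF maps the LB's cert.
        "via_lb_off": select_client_cert(off, "10.0.0.9", LB_CERT, hdr),
        # Setting ON ignores the LB's TLS cert and maps the header cert.
        "via_lb_on": select_client_cert(on, "10.0.0.9", LB_CERT, hdr),
        # The same header from a peer not in Trusted Remote Hosts is rejected.
        "spoofed_header_on": select_client_cert(on, "203.0.113.7", None, hdr),
        # Trusted LB but no header present: nothing to map.
        "lb_no_header_on": select_client_cert(on, "10.0.0.9", LB_CERT, {}),
    }
```

The "via_lb_off" case is Peter's use-case: with the flag OFF the LB's own certificate would be the one mapped, which is what the header-only setting exists to prevent.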