December 16, 2015 at 1:11 am #6556, [email protected] (Participant)
I am looking for concise instructions for setting up OpenAM to allow for PKI authentication (only) on my application.
I have an application that is served up by Apache 2.4. Apache will ask my user for its browser-loaded PKI certificate, then pass it over to OpenAM. I want OpenAM to do CRL, OCSP, and some other attribute lookup, then pass authentication data back to Apache to be used within my application.
I have a very lean prototype working with username/password, however, I need to get it functional with PKI only.
Am I on the correct track in my thinking of how authentication should behave? I don’t want to do anything exotic, just grab a cert from the user, check it for validity, grab some info, then head back to the app.
I haven’t seen how I set up OpenAM to do this. I see how I can set up Tomcat to ask for PKI to log me into the OpenAM admin console; however, I haven’t seen anything for web agent clients. I assume there’s some sort of header that’s going to be set by OpenAM, or something like that?

December 16, 2015 at 3:11 am #6557, Scott Heger (Participant)
I did this type of setup years ago using OpenSSO and Sun Webserver. Not exactly your setup, but the concepts are all the same, and the UI of OpenSSO for the relevant parts is still the same in OpenAM. I worked with Jeff Nester, who was at Sun Microsystems at that time, on this, and he put together a document that described the process of setting it up. That document can be found here: http://jeffnester.com/howtos/opensso/openSSOCACconfigWebServer7.pdf
Hope that helps.

December 16, 2015 at 12:33 pm #6561, barramundi (Participant)
For Apache fronting the OpenAM server doing the SSL authentication, use ajp:// to proxy the request to OpenAM. The authenticated client cert will be passed automatically.

December 16, 2015 at 2:08 pm #6562, [email protected] (Participant)
Thanks for the thoughts! Is my thinking correct about how authentication works with OpenAM and PKI?

July 5, 2016 at 6:21 am #11815, mehdi.chemsi (Participant)
I am trying to achieve the same outcome by using Apache as a reverse proxy and openAM to verify the certificate CN in openDJ. I can’t seem to find any direct instructions on how to implement it.
Are there any useful links that you guys can recommend?
Mehdi

February 20, 2018 at 11:27 pm #20973, tlmacal (Participant)
Has anyone managed to use X.509 certificates for SSO authentication with OpenAM or AM5? I haven’t seen any mention since 2015 and none of them seem to claim success.
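The setup barramundi suggested earlier in the thread (Apache terminating TLS with a required client certificate, then proxying to OpenAM over AJP so the verified certificate reaches the container) looks roughly like the following Apache 2.4 vhost. This is an added example, not configuration from any poster or from the OpenAM project; the hostnames, file paths, the /openam context and the AJP port are assumptions.

```apache
# Added example (not from the thread): Apache 2.4 vhost that requires a client
# certificate, checks it against a CRL, and proxies to OpenAM over AJP so that
# mod_proxy_ajp forwards the verified certificate to the servlet container.
# Hostnames, paths, the /openam context and port 8009 are assumptions.
<VirtualHost *:443>
    ServerName sso.example.com

    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/sso.example.com.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/sso.example.com.key

    # CA chain that issued the users' certificates; mod_ssl verifies the chain.
    SSLCACertificateFile    /etc/pki/tls/certs/user-ca-chain.pem
    # Reject certificates listed in the published CRL (assumed path);
    # "chain" checks every certificate in the chain, not just the leaf.
    SSLCARevocationFile     /etc/pki/tls/crls/user-ca.crl
    SSLCARevocationCheck    chain

    # A valid client certificate is mandatory for the whole vhost.
    SSLVerifyClient require
    SSLVerifyDepth  3

    # ExportCertData puts the PEM certificate into SSL_CLIENT_CERT, which is
    # what mod_proxy_ajp forwards; StdEnvVars exposes the other SSL_* values.
    SSLOptions +StdEnvVars +ExportCertData

    # Hand the request to OpenAM's Tomcat via AJP. The certificate travels as
    # an AJP attribute set by Apache itself, not as a client-supplied HTTP
    # header, so the backend cannot be fed a forged certificate value.
    ProxyPreserveHost On
    ProxyPass        /openam ajp://127.0.0.1:8009/openam
    ProxyPassReverse /openam ajp://127.0.0.1:8009/openam
</VirtualHost>
```

Tomcat's AJP connector exposes the forwarded certificate as the standard javax.servlet.request.X509Certificate request attribute, which is where OpenAM's Certificate authentication module looks for it by default; the OCSP check and the OpenDJ attribute lookup the thread asks about are then configured in that module rather than in Apache.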