We have a customer use case asking for the ability to identify corporate devices vs. non-corporate devices at the point of authentication to dictate as to whether users can be authorised or not. Corporate devices have a x.509 certificate installed to identify the device.
Could anyone explain our capabilities regarding certificate authentication (machine authentication)?
Would we be able to meet such a use case?
CA SSO has the ability to authenticate CERT + FORMS. There is an OOB Authentication Scheme. Also there is a GD Module which provides added features that are unavailable in the OOB Authentication Scheme.
The value from the CERT has to match the username being entered on the FORM. If both values + password match, the user will be authenticated. If both values don't match or the password is incorrect, the user will not be authenticated.
Had a similar requirement and we did a POC of this approach.
The only caveat is that the device cannot be a shared device, i.e. it cannot have different CLIENT CERTs. If there are multiple CLIENT CERTs, when the user accesses the protected content in the browser, the user would be asked to select the intended CLIENT CERT. Thus the user needs to be educated to select the correct CLIENT CERT.
Thank you Hubert,
If we use the cert + form, would SSO be able to take a generic attribute from the cert that simply identifies the device as 'company owned' independent of the user logging in...?
For example, a check is done on the cert first to identify it as a corporate device, not tied to a user (=allow), then present a form that would prompt for a valid user + password (a shared device).
The objective is to expose the portal (Identity Portal, SSO protected) from anywhere, but only for corporate devices and from valid identities (although the cert will be a device cert, not a user cert)
Looks like we'll need the GD Module "Advanced Certificate Authentication for CA Single Sign-On". OOB CERT + FORMS won't suffice.
QUESTION-1 : would SSO be able to take a generic attribute from the cert that simply identifies the device as 'company owned' independent of the user logging in...?
QUESTION-2 : would SSO be able to take a generic attribute from the cert that simply identifies the device as 'company owned' independent of the user logging in...?
I have provided inputs at a very high level. We'll need to POC this further in finer detail, especially the second requirement. I am probably going to call out @RichardSiek on this second requirement.
Documentation for the GD Module: https://support.ca.com/phpdocs/7/5262/SmX509CertAuthuthInstallConfigV2_10.pdf
Download for the GD Module: https://support.ca.com/us/product-content/recommended-reading/technical-document-index/ca-global-delivery-packaged-work-product-module-index.html
To answer the question I would need to know exactly which attribute the customer wants to use to identify a certificate coming from an approved corporate device. It would also be very helpful if a sample public cert could be provided, as well as information on the attribute to be used to identify the cert.
One other consideration is that the value of the attribute would have to exist within the user store entry for every user.
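As an added illustration of the two schemes discussed in this thread (example code, not CA SSO's implementation and not posted by anyone here): the OOB CERT + FORMS rule, where the CN in the client cert must equal the form username before the password is checked, beside a device-gating rule that first verifies the client cert chains to the corporate CA and carries a "corporate device" OU, and only then checks user + password independently of the cert. The user store, the OU value and the self-signed test certificates are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Constructed user store (username -> password) and the assumed subject OU
// that the corporate CA stamps on device certificates.
var userStore = map[string]string{"alice": "secret1"}
const corporateOU = "Corporate Devices"

// certUserMatches: the OOB CERT+FORMS rule from the thread. The CN in the
// client cert must equal the form username, and the password must match.
func certUserMatches(cert *x509.Certificate, user, password string) bool {
	pw, ok := userStore[user]
	return cert.Subject.CommonName == user && ok && pw == password
}

// deviceThenUser: the device-gating scheme. The cert must chain to the corporate
// root (an OU alone is just a string in any self-signed cert) and carry the
// corporate OU; only then are user and password checked, independently of the CN.
func deviceThenUser(cert *x509.Certificate, roots *x509.CertPool, user, password string) bool {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return false
	}
	corp := false
	for _, ou := range cert.Subject.OrganizationalUnit { corp = corp || ou == corporateOU }
	pw, ok := userStore[user]
	return corp && ok && pw == password
}

// makeCert: self-signed test cert (constructed data) plus a pool trusting it, standing in for the corporate CA.
func makeCert(cn, ou string) (*x509.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return cert, pool
}
```

The last case in the accompanying checks is the one Richard's note points at: a device cert with the right OU but issued by a CA the SSO does not trust must still be rejected, so the "company owned" decision rests on the chain, not on the attribute string.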
Thank you Richard,
We don't know which attribute would be used as this is in early planning (so the customer doesn't know either).
I could try to get a sample public cert as you mention...
Thanks for helping.