Hi, I am trying to test the AuthAZ web services. I have been able to make them work with the basic auth scheme, and I am now trying to configure the cert auth scheme. I am confused as to whether every user who accesses this web service will need to present a certificate to access the web service. Is that how it is supposed to work, since in cert mapping it maps to the UID in a directory?
Can anyone help me understand how the X509 cert auth scheme will work with this one?
To configure the X509 Authentication Scheme certificate mapping to a UID, you have to set the certificate Issuer DN and map it to a single attribute, which will be UID in your case.
In the Certificate Mapping Properties:
Issuer DN: DC=com,DC=training,DC=root,CN=My CA Certificate Authority
Attribute Name: UID (User ID)
If the UID is in the User Store, you might set a Custom Mapping Expression:
where the CertificateAttribute will have the value of the UID (user attribute).
What have you tried as configuration?
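As an added illustration of the mapping step described in the answer above (this is example code written for this thread, not code from the answer or from the product itself), the Go program below builds a throwaway CA whose subject is the Issuer DN from the answer, issues a client certificate carrying a UID attribute, and then performs the two checks the Certificate Mapping Properties express: the presented certificate must chain to the trusted CA and carry the configured Issuer DN, and the configured subject attribute (UID, OID 0.9.2342.19200300.100.1.1 from RFC 4519) is extracted as the key to look up in the user store. The CA, the user name "alice", the `DNString` renderer and the `CertMapping` struct are all constructed for the example; the product performs the equivalent internally.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// LDAP attribute types from RFC 4519. UID is the attribute the thread maps to.
var (
	oidDC  = asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 25}
	oidUID = asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 1}
)

// Short names for rendering DNs; Go's pkix.Name.String() does not know DC or UID.
var shortNames = map[string]string{
	"2.5.4.3":                    "CN",
	"0.9.2342.19200300.100.1.25": "DC",
	"0.9.2342.19200300.100.1.1":  "UID",
}

// CertMapping mirrors the two Certificate Mapping Properties from the answer (constructed type).
type CertMapping struct {
	IssuerDN  string                // trusted issuer, rendered in RFC 2253 order
	Attribute asn1.ObjectIdentifier // subject attribute holding the user-store key
}

// DNString renders a parsed pkix.Name in RFC 2253 order (most specific RDN first).
// It reads n.Names, which Go populates only for certificates it has parsed.
func DNString(n pkix.Name) string {
	parts := make([]string, 0, len(n.Names))
	for i := len(n.Names) - 1; i >= 0; i-- {
		atv := n.Names[i]
		label, ok := shortNames[atv.Type.String()]
		if !ok {
			label = atv.Type.String()
		}
		parts = append(parts, fmt.Sprintf("%s=%v", label, atv.Value))
	}
	return strings.Join(parts, ",")
}

// MapCertToUID is the mapping step: verify the client certificate chains to the trusted
// CA, require the configured Issuer DN, then return the configured subject attribute.
func MapCertToUID(m CertMapping, ca, client *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := client.Verify(opts); err != nil {
		return "", fmt.Errorf("chain verification failed: %w", err)
	}
	if got := DNString(client.Issuer); got != m.IssuerDN {
		return "", fmt.Errorf("issuer %q does not match configured issuer %q", got, m.IssuerDN)
	}
	for _, atv := range client.Subject.Names {
		if atv.Type.Equal(m.Attribute) {
			if s, ok := atv.Value.(string); ok && s != "" {
				return s, nil // the value to look up in the user store
			}
		}
	}
	return "", errors.New("mapped attribute not present in certificate subject")
}

// NewCA builds a self-signed test CA whose subject matches the thread's Issuer DN.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		// ExtraNames are encoded after CN, so RFC 2253 rendering gives DC=com,DC=training,DC=root,CN=...
		Subject: pkix.Name{CommonName: "My CA Certificate Authority", ExtraNames: []pkix.AttributeTypeAndValue{
			{Type: oidDC, Value: "root"}, {Type: oidDC, Value: "training"}, {Type: oidDC, Value: "com"}}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewClientCert issues a client certificate; an empty uid omits the UID attribute.
func NewClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn, uid string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	subj := pkix.Name{CommonName: cn}
	if uid != "" {
		subj.ExtraNames = []pkix.AttributeTypeAndValue{{Type: oidUID, Value: uid}}
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: subj,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	ca, caKey, _ := NewCA()
	client, _ := NewClientCert(ca, caKey, "Alice Example", "alice") // constructed test user
	m := CertMapping{IssuerDN: "DC=com,DC=training,DC=root,CN=My CA Certificate Authority", Attribute: oidUID}
	uid, err := MapCertToUID(m, ca, client)
	fmt.Println(uid, err)
}
```

Note that the mapping only yields a lookup key: a certificate with the right issuer but a UID that does not exist in the user store still fails authentication at the directory lookup, which is why the answer ties the Attribute Name to an attribute that actually exists on the user entries.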
Thanks for the info on the cert auth scheme. I know how the X509 scheme works; my question was more on the requirement of having the X509 scheme to protect the web services. I want to understand whether every user who accesses the web services will then get authenticated with a cert, implying every user will need a cert. For a SOAP web service you need to send a username/password in a SOAP request, so in the case of the cert scheme how would my SOAP request look?
Here is a related answer. It is a confusing area, and re-reading my original response here, I think I will revisit it and try to clarify it again:
For "RequireAgentEnforcement=yes", it really depends what you are trying to do with the web service.
If your intent is:
So for case 2) it is a bit weird, since to access the <sps webservice> to log someone on, you need to already have an SMSESSION cookie, but that is the intent. I suspect the design of the feature really is for the case 2) setup.
For case 1) style usage, the call to Login makes sense to get an SMSESSION cookie. But an Az call from a module app does not make sense, because you want to call a server that can give you the resource, not a service that just tells you YES/NO whether you have access to the resource.
Hope that helps.
Cheers - Mark