Feb 12

A few days ago I described a technique using certificate-based authentication in StoneGate SSL VPN to match a certificate attribute against a user attribute, in order to uniquely identify a user in the Directory Service, allow login, perform Single Sign-On (SSO), and so on.

In this article I'm taking it one step further: StoneGate SSL VPN can authenticate a user who presents a valid certificate without knowing in advance who the user is, and then use any field of that certificate to perform SSO to protected resources.

The idea of testing and verifying this came, as usual, from a customer case discussed earlier this week in a webinar.

The customer wanted their users to present a valid certificate, have the SSL VPN system validate it, and be granted direct access to a backend application.

To minimize the use of passwords, they wanted the SSL VPN to extract a field of their choice from the validated certificate and use it to SSO to the backend application.

Here’s how to configure it.

First, open the StoneGate SSL VPN Administrator interface and click on Manage System Authentication Methods.

Select the Certificate Authentication method you have defined (if you have not defined one, refer to the previous article linked in the first sentence).

Select Extended Properties tab.

Add two extended properties if they are not already there:

  • Allow user not listed in any user storage set to true
  • Certificate Attribute set to the certificate field you want to use as the User ID (for instance CN, OU, O, etc.)

The documentation says that this field should only be used in conjunction with User Attribute to execute the match described previously, but in practice, if you reference it alone, StoneGate SSL VPN will use it as the user ID of the authenticated user, as shown below (I referenced the attribute O to get the organization's name):

[Screenshot: the authenticated user's ID shown as the organization name taken from the certificate's O attribute]
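As an added illustration (not StoneGate's code) of what choosing a Certificate Attribute means for identity: the functions below take certificate subjects as RFC 4514 strings (assumed format, with constructed sample subjects), derive the User ID the same way, and report when two different certificates collapse into the same identity, which is exactly what happens with an attribute like O that every user in the organization shares.

```python
"""Derive a SSO User ID from a certificate subject attribute and check
whether the chosen attribute actually identifies users uniquely."""
import re
from collections import defaultdict


def parse_subject(dn):
    """Split an RFC 4514 subject DN into (attribute, value) pairs. The
    split honours backslash escapes so a comma inside a value (e.g. an OU
    written as "R\\,D") is not treated as a separator."""
    pairs = []
    for rdn in re.split(r'(?<!\\),', dn):
        attr, _, value = rdn.strip().partition('=')
        value = re.sub(r'\\(.)', r'\1', value)  # drop the escaping backslash
        pairs.append((attr.strip().upper(), value))
    return pairs


def user_id_from_subject(dn, attribute):
    """Return the first value of `attribute` in the subject, i.e. what the
    VPN would present as User ID, or None if the certificate lacks it."""
    for attr, value in parse_subject(dn):
        if attr == attribute.upper():
            return value
    return None


def find_collisions(subjects, attribute):
    """Map each derived User ID to the subjects producing it and keep only
    the IDs shared by more than one certificate: those users would be
    indistinguishable to the backend application."""
    seen = defaultdict(list)
    for dn in subjects:
        seen[user_id_from_subject(dn, attribute)].append(dn)
    return {uid: dns for uid, dns in seen.items() if len(dns) > 1}


# Constructed sample subjects for the demonstration, not real certificates.
SAMPLE_SUBJECTS = [
    "CN=Alice Smith,OU=Sales,O=Example Corp,C=FI",
    "CN=Bob Jones,OU=R\\,D,O=Example Corp,C=FI",
    "CN=Carol White,OU=Sales,O=Partner Ltd,C=SE",
]

if __name__ == "__main__":
    for attr in ("CN", "OU", "O"):
        print(attr, "collisions:", find_collisions(SAMPLE_SUBJECTS, attr))
```

With O as the attribute, Alice and Bob both log in as "Example Corp", so the backend sees one user; pick an attribute that is unique per certificate (typically CN or a subject alternative name) when the application needs to tell users apart.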

Soon I'll publish another article about how to use this credential in Form Based SSO to an application, but for now you can already configure the system to pass this information to the backend application in the HTTP header as a cookie: click on Manage Resource Access, Global Resource Settings, Advanced, and mark the checkbox User ID.

Save and publish, and the system is now configured to add the User ID as a cookie in the HTTP request sent to the backend resource.

Certificate-based authentication. Simplified!

written by RoarinPenguin
