Client-Certificate Authentication

Users imported from AD and LDAP directories can log in to PrivX using SSL certificates. Such certificates may be for example from users' smart cards, or from client certificates imported to browsers.

Prerequisites

  • The users' client certificates must include a Subject Alternative Name​ that matches their ​User Principal Name in PrivX​​.

Client-Certificate-Authentication Setup

To enable certificate authentication for users from a certain directory:

  1. In the PrivX GUI on the ​Settings→Directories​ page, ​Edit​​ a AD or LDAP directory to display its settings.

  2. Expand ​Advanced directory settings​​. Then under ​Multi-Factor authentication settings​​, enable ​Client certificate authentication​​. You must also provide ​Trust anchors​​: the certificates of those CAs who issued the users' certificates.

    Click ​Save​​ to apply the new settings. Certificate authentication is enabled for users belonging to the directory.

Logging In with Client-Certificate Authentication

After certificate authentication is enabled, users can log into PrivX as follows:

  1. Ensure that your client certificate is available. For example, that your smart card is inserted and read properly, or your certificate is imported to the browser.

  2. Access the PrivX-login page. If prompted by your browser, provide your client certificate.

    For successful login, the ​Subject Alternative Name​ in your client certificate must specify your ​User Principal Name​​.

    After providing a valid client certificate you will be logged into PrivX.


Did this page help you?