Client certificate for browser authentication (X.509)
Airlock IAM can authenticate users by verifying X.509 client certificates.
The browser can present the client certificate during the SSL handshake, so the user is authenticated while the connection to the server is being established, before any application request is sent.
Client certificates can come in different forms:
- from a smart card (used with a smart card reader)
- from a USB or another device
- as a software certificate installed in the browser (less secure)
Involved systems
- Browser: has access to the client certificate and uses it in the SSL handshake
- Airlock Gateway: asks for the client certificate in the SSL handshake
  - Verifies that the client certificate issuer is trusted
  - Verifies the signature on the client certificate
  - Verifies the validity period of the client certificate
- Airlock IAM: receives the client certificate information from Airlock Gateway
  - Verifies the validity of the client certificate with an external CRL or OCSP server
  - Maps the client certificate to a user or extracts user information from the certificate
  - Takes into account the user account status (e.g. locked), the user's roles, and other information
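The checks listed above, reproduced with the OpenSSL command line as an added example. This is not Airlock code: it builds a constructed throwaway PKI (a trusted CA issuing "alice" and an unrelated CA issuing "mallory"), applies the Gateway-side checks (trusted issuer, valid signature, validity period) with `openssl verify` and `-checkend`, and then performs the IAM-side step of extracting the identity to map, here the subject CN. The CRL/OCSP revocation check and the account-status lookup are not shown; the function names and file paths are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Airlock's own code): Gateway- and IAM-side checks on a
# client certificate, run against a constructed test PKI.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# issue_client NAME CA: client certificate with CN=NAME, signed by CA.
issue_client() {
  name="$1"; ca="$2"
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$name/emailAddress=$name@example.test" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$ca-ca.pem" \
    -CAkey "$WORK/$ca-ca.key" -CAcreateserial -days 30 -sha256 \
    -out "$WORK/$name.pem" 2>/dev/null
}

# Constructed PKI: "trusted" is the CA the gateway trusts, "other" is not.
make_test_pki() {
  for ca in trusted other; do
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
      -subj "/CN=$ca test CA" \
      -keyout "$WORK/$ca-ca.key" -out "$WORK/$ca-ca.pem" 2>/dev/null
  done
  issue_client alice trusted
  issue_client mallory other
}

# gateway_check CERT CAFILE: the handshake-time checks. "openssl verify"
# covers issuer trust and signature; -checkend 0 makes the validity-period
# check explicit. Prints a reason and returns non-zero on rejection.
gateway_check() {
  cert="$1"; cafile="$2"
  openssl x509 -noout -checkend 0 -in "$cert" >/dev/null \
    || { echo "validity period: expired"; return 1; }
  openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 \
    || { echo "issuer not trusted or signature invalid"; return 1; }
  echo "OK"
}

# iam_map_user CERT: the attribute IAM would map to a user account; this
# example uses the subject CN (deployments may use e-mail, serial or a SAN).
iam_map_user() {
  openssl x509 -noout -subject -nameopt sep_multiline -in "$1" \
    | sed -n 's/^ *CN=//p'
}

# authenticate CERT CAFILE: combined decision, before IAM consults account
# status and roles. Prints "accepted:<user>" or "rejected".
authenticate() {
  if gateway_check "$1" "$2" >/dev/null; then
    echo "accepted:$(iam_map_user "$1")"
  else
    echo "rejected"
  fi
}

make_test_pki
for who in alice mallory; do
  echo "$who -> $(authenticate "$WORK/$who.pem" "$WORK/trusted-ca.pem")"
done
```

"mallory" is rejected only because the gateway is configured with the trusted CA file; the same certificate would pass if the unrelated CA were added to the trust store, which is why the issuer trust list is the control that matters most on the Gateway side.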