One Identity Safeguard for Privileged Sessions (SPS) provides a method to authenticate the users of the web interface with X.509 client certificates. The client certificate is validated against a trust store, and the username is exported from the client certificate for identification.

TIP: One Identity recommends using 2048-bit RSA keys (or stronger).

Prerequisites

Navigate to Basic Settings > Trust Stores and create a custom trust store. For more information, see Verifying certificates with Certificate Authorities using trust stores.

Figure 143: Basic Settings > Trust Stores — Creating a custom trust store

Authenticating SPS users on the SPS interface with X.509 certificates

To authenticate SPS users on the SPS web interface with X.509 client certificates, complete the following steps.

  1. Navigate to Users & Access Control > Login options.

  2. To configure an X.509 login method, select one of the following options:

    • Select an existing X.509 login option and click Edit.

    • Click Create new authentication method and select X.509.

    The following figure shows the configuration options of the X.509 login method.

    Figure 144: Users & Access Control > Login options — Configuring X.509 authentication

  3. In the Name field, specify a name for the login option.

  4. (Optional) Enable the X.509 login method.

    NOTE: You can enable only one X.509 login method at a time.

  5. Select the trust store you created as a prerequisite in Basic Settings > Trust Stores.

    CAUTION: From version 6.8, SPS has changed how it authenticates the users of the web interface with X.509 client certificates: certificates are validated against a trust store instead of a trusted CA list. During the upgrade, the trusted CA list formerly used for authentication is copied to a trust store that has revocation check disabled by default.

    If you have previously enabled revocation check for your trusted CA list and already added the URLs of Certificate Revocation Lists (CRL), or you want to enable revocation check, you must edit the trust store settings manually.

    • Navigate to Basic Settings > Trust Stores.

    • Select the revocation check type Leaf or Full for the trust store.

    • Add a CRL URL for each root and intermediate CA.

    For more information about trust stores and how to configure them, see "Verifying certificates with Certificate Authorities using trust stores" in the Administration Guide.

  6. In the Certificate attribute field, select the user certificate field that contains the username. In most cases, it is the commonName or userid field, but SPS supports the emailAddress and userPrincipalName fields as well.

  7. Select LDAP server or Local as the Authorization Backend.

  8. (Optional) To add a new LDAP server, click New LDAP server under Authorization backend and select one of the server types:

  9. Script reference is filled out automatically when you specify the name for the login option. Special characters are automatically replaced with dashes ("-"). The Script name is a unique, human-readable ID that REST API clients use to select the login method.

  10. To save your modifications, click Commit.
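As an added example (not SPS code and not from this guide), the following script reproduces what steps 5 and 6 configure: a throwaway root CA stands in for the trust store, a client certificate is issued by it, the certificate is verified against that CA with openssl, and the username is read from the subject attribute. The CA name, the user "jdoe" and the example.com address are constructed values.

```shell
#!/bin/sh
# Added example, not part of SPS: a throwaway CA standing in for the trust store,
# a client certificate issued by it, chain verification, and username extraction.
set -eu
WORK=$(mktemp -d)

# Root CA that plays the role of the SPS trust store (2048-bit RSA as recommended).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# Client certificate whose subject carries both commonName and emailAddress
# (constructed values; SPS would read whichever field step 6 selects).
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=jdoe/emailAddress=jdoe@example.com" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/client.pem" >/dev/null 2>&1

# A self-signed certificate with the same commonName but no path to the trust
# store: the username alone must never be enough to log in.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=jdoe" \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" >/dev/null 2>&1

# verify_client CA_FILE CERT_FILE -> prints "ok" if CERT chains to CA, else "fail"
verify_client() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# cert_username CERT_FILE ATTRIBUTE -> value of the subject attribute (long name,
# e.g. commonName or emailAddress); prints nothing if the attribute is absent.
cert_username() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,lname \
    | sed -n "s/^ *$2=//p"
}

# Stand-alone demo: only a certificate that passes the chain check yields a user.
for cert in client rogue; do
  if [ "$(verify_client "$WORK/ca.pem" "$WORK/$cert.pem")" = ok ]; then
    echo "$cert.pem: accepted, user=$(cert_username "$WORK/$cert.pem" commonName)"
  else
    echo "$cert.pem: rejected (not issued by the trust store)"
  fi
done
```

The revocation check types from step 5 correspond to `openssl verify -crl_check -CRLfile crl.pem` (Leaf) and `-crl_check_all` (Full), which this script does not exercise.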