2. If the smart card is PKA compliant, the Quest ESSO client reads the certificate and retrieves the user’s name using the attribute mapping rules (which map the contents of the certificate on one side to the user’s attributes in the LDAP directory on the other).
3. Once the user has been identified, the Quest ESSO client prompts the user for his/her smart card PIN.
5. Certificate enrollment: if this is the first time the user logs on to his/her workstation using the PKA authentication method, the Quest ESSO Controller automatically creates an object in the Quest ESSO directory that contains the user’s LDAP credentials (login name and password). To create the LDAP object, the Quest ESSO Controller does the following:
   • If the certificate is valid, Quest ESSO prompts the user for his LDAP credentials (login name and password).
   • If these credentials grant access to the LDAP directory, Quest ESSO encrypts them using the user’s public key certificate.
   • Quest ESSO then creates an LDAP object where the user’s encrypted LDAP credentials are stored. Access to this LDAP object is restricted to that user; moreover, that user must authenticate using that certificate to gain access to his LDAP credentials.
6. Retrieving the encrypted LDAP credentials from the Quest ESSO directory.
8. Using the decrypted LDAP credentials to retrieve Quest ESSO data from the LDAP directory.
• Any time a user’s public key certificate is revoked, its status is updated in the Quest ESSO directory and the user’s smart card is automatically blacklisted.
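As an added illustration of the enrollment, retrieval and revocation steps above (not code from the Quest ESSO product), the following Go program seals the LDAP credentials under the certificate's public key with RSA-OAEP, stores them only after they have been verified against the directory, and refuses retrieval once the certificate is revoked. The EnrolledCreds layout, the ldapBind stand-in and the use of RSA-OAEP directly on the credentials are assumptions; the product's actual object format and cipher are not described on this page.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"strings"
)

// EnrolledCreds stands in for the directory object created at enrollment
// (hypothetical layout): the user's LDAP login and password sealed under the
// certificate public key, plus the revocation status the directory tracks.
type EnrolledCreds struct {
	Sealed  []byte // RSA-OAEP(SHA-256) of "login:password"
	Revoked bool   // set when the certificate is revoked; blocks retrieval
}

// Enroll is the enrollment step: the credentials are stored only after they
// have been checked against the directory (ldapBind stands in for the bind),
// and only in a form the matching private key (the smart card) can open.
func Enroll(pub *rsa.PublicKey, login, password string, ldapBind func(login, password string) bool) (*EnrolledCreds, error) {
	if strings.Contains(login, ":") {
		return nil, errors.New("login name must not contain ':'")
	}
	if !ldapBind(login, password) {
		return nil, errors.New("LDAP credentials rejected: nothing stored")
	}
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(login+":"+password), nil)
	if err != nil {
		return nil, err // e.g. credentials exceed the OAEP limit for this key size
	}
	return &EnrolledCreds{Sealed: sealed}, nil
}

// Retrieve is the logon-time step: a revoked certificate is treated as a
// blacklisted card and refused; otherwise the private key decrypts the stored
// credentials, which the client then uses to read the user's data from LDAP.
func Retrieve(priv *rsa.PrivateKey, c *EnrolledCreds) (login, password string, err error) {
	if c.Revoked {
		return "", "", errors.New("certificate revoked: smart card blacklisted")
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, c.Sealed, nil)
	if err != nil {
		return "", "", err // wrong card, or object tampered with
	}
	login, password, _ = strings.Cut(string(pt), ":")
	return login, password, nil
}
```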
• The Password authentication method must also be selected.
© 2021 One Identity LLC. ALL RIGHTS RESERVED.