One Identity Safeguard for Privileged Sessions (SPS) provides a method to authenticate the users of the web interface with X.509 client certificates. The client certificate is validated against a CA list, and the username is exported from the client certificate for identification. One Identity recommends using 2048-bit RSA keys (or stronger).
To authenticate SPS users on the SPS web interface with X.509 client certificates, complete the following steps.
You will have to upload the CA certificates that issued the certificates of the users, so this CA certificate must be available on your computer in PEM format.
The certificates of the users must contain the username used to authenticate on SPS. You must know which certificate field will contain the usernames (for example, CN or UID).
The certificates must be imported into the browsers of the users. SPS offers the possibility to authenticate with a certificate only if a personal certificate is available in the browser.
Figure 73: Policies > Trusted CA Lists — Creating Trusted CA lists
To authenticate users with X.509 certificates
Navigate to Policies > Trusted CA Lists and create a Trusted CA List.
If the user certificates contain the username in the Common Name field, make sure that the Strict Hostname Check is disabled.
Upload the CA certificate.
Adjust other settings as needed. For details on creating a trusted CA list, see Verifying certificates with Certificate Authorities.
Navigate to AAA > Settings > Authentication settings.
Figure 74: AAA > Settings > Authentication settings — Configuring X.509 authentication
Select the trusted CA list created in the first step in Authentication CA.
Select which field of the user certificate contains the username in the Parse username from field. In most cases, it is the commonName or userid field, but SPS supports the emailAddress and userPrincipalName fields as well.
To allow the admin user to be able to log in without using X.509 authorization, select Enable fallback for admin. This will fallback to password authentication.