If your organization has a smart card/PKI/certificate authentication system, you can easily configure ADSelfService Plus to authenticate users through it during login. The smart card will serve as a first-factor authentication option for ADSelfService Plus users in addition to the Windows domain username and password.
When users attempt to access ADSelfService Plus's web console, they are allowed to proceed only after completing smart card authentication on their machine, i.e., by presenting the smart card and then entering the PIN.
Users can still log in using their Windows domain username and password even if the smart card option is enabled. If two-factor authentication is enabled, users will be taken to the second-factor authentication page after completing the smart card authentication.
Steps to configure smart card authentication:
Prerequisite:
SSL must be enabled before you can configure smart card authentication settings. To enable SSL, go to Admin → Product Settings → Connection. Select the Enable SSL Port [HTTPS] option, and specify the port number. Click Save.
Configuration steps:
Go to Admin → Customize → Logon Settings.
Click the Smart Card Authentication tab.
In the Import CA Root Certification field, click Browse and import the required Certification Authority root certificate file (X.509 certificate). You can download the certificate file by visiting http://<CertificateAuthorityServerName>/certsrv/.
Replace CertificateAuthorityServerName with the name of your certificate server.
In the Mapping Attribute in Certificate field, select a unique attribute in the certificate for mapping.
Make sure you map a unique attribute from the certificate to a unique attribute in Active Directory. Both attribute values must be the same.
ADSelfService Plus lets you specify any attribute of the smart card certificate that uniquely identifies the user in your environment. You may choose any attribute among SAN.OtherName, SAN.RFC822Name, SAN.DirName, SAN.DNSName, SAN.URI, email, distinguishedName and CommonName. If any other attribute is used to uniquely identify the user in your environment, enter the attribute name in the text box provided and click the '+' icon.
In the Mapping Attribute in AD field, specify the LDAP attribute that should be matched with the specified certificate attribute.
Here you need to specify the particular LDAP attribute that uniquely identifies the user in the ADSelfService Plus user store, e.g., sAMAccountName.
During authentication, ADSelfService Plus reads the value corresponding to the certificate attribute that you specified in Mapping Attribute in Certificate and compares it with the specified LDAP attribute in Mapping Attribute in AD.
In the Select Domains field, select the domains for which you wish to enable smart card authentication from the drop-down menu.
Click Save.
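Before saving a mapping, it helps to confirm that the chosen AD attribute really is unique and populated, and to see how the comparison described above behaves when it is not. The Python below is an added example, not ADSelfService Plus code: the certificate fields, user records and function names are constructed for illustration, and folding case in the audit is an assumption.

```python
# Added illustration, not ADSelfService Plus code. All records are constructed.
from collections import defaultdict

# Constructed certificate fields, keyed by names offered in
# "Mapping Attribute in Certificate".
CERT = {"CommonName": "John Smith", "SAN.RFC822Name": "jsmith@example.com"}

# Constructed directory export (hypothetical users).
USERS = [
    {"sAMAccountName": "jsmith", "cn": "John Smith", "mail": "jsmith@example.com"},
    {"sAMAccountName": "jsmith2", "cn": "John Smith", "mail": "john.smith@example.com"},
    {"sAMAccountName": "svc-backup", "cn": "Backup Service", "mail": ""},
]


def audit_ad_attribute(users, ad_attr):
    """Return (duplicates, missing) for a candidate "Mapping Attribute in AD".

    duplicates maps a case-folded value to the accounts sharing it (folding
    case is an assumption, chosen so near-identical values are flagged);
    missing lists accounts with no value, which could never be matched.
    """
    seen = defaultdict(list)
    missing = []
    for user in users:
        value = (user.get(ad_attr) or "").strip()
        if value:
            seen[value.casefold()].append(user["sAMAccountName"])
        else:
            missing.append(user["sAMAccountName"])
    duplicates = {v: names for v, names in seen.items() if len(names) > 1}
    return duplicates, missing


def resolve_user(cert, cert_attr, users, ad_attr):
    """Return the one account whose ad_attr equals the certificate value.

    Fails closed: an absent certificate field or anything other than exactly
    one matching account raises LookupError instead of picking a user.
    """
    value = cert.get(cert_attr)
    if not value:
        raise LookupError(f"certificate has no {cert_attr}")
    matches = [u["sAMAccountName"] for u in users if u.get(ad_attr) == value]
    if len(matches) != 1:
        raise LookupError(f"{value!r} matched {len(matches)} accounts on {ad_attr}")
    return matches[0]
```

With this sample data, mapping SAN.RFC822Name to mail resolves to a single account, while mapping CommonName to cn is rejected because two accounts share the same name.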
Managing smart card authentication configurations:
After you have added a smart card for authentication, you can perform any of the following functions:
Add a new smart card configuration
Edit a configured smart card
Enable/disable a smart card
Delete a configured smart card
Add a new smart card
To add a new smart card, follow the steps given below:
Navigate to Admin → Customize → Logon Settings → Smart Card Authentication.
Click the Add a New Smartcard button at the top-right corner of the screen.
Enter all the required details and click Save.
Edit a configured smart card
To edit a configured smart card, follow the steps given below:
Navigate to Admin → Customize → Logon Settings → Smart Card Authentication.
Click the edit icon corresponding to the smart card whose configuration you wish to edit.
Modify the settings you wish to change.
Click Save.
Enable/disable a smart card
Navigate to Admin → Customize → Logon Settings → Smart Card Authentication.
To enable/disable a configured smart card, click the enable/disable icon located in the action column of the particular smart card.
Delete a configured smart card
Navigate to Admin → Customize → Logon Settings → Smart Card Authentication.
Click the delete icon corresponding to the smart card you wish to delete.
Click Yes to confirm the deletion.