Smart card Authentication

If you have a smart card authentication system enabled in your environment, you can configure AD360 to authenticate users through it, bypassing other first factor authentication methods.

This feature provides an additional authentication option for AD360 login by enabling the use of smart cards, PKI, or certificates to grant access to the tool. Smart card authentication strengthens security further because access to AD360 then requires the user to both possess the smart card and know its personal identification number (PIN).

When a user attempts to access AD360's web interface, they are allowed to proceed only after completing smart card authentication on the machine, i.e., by presenting the smart card and then entering the PIN. AD360's web interface supplements smart card technology with SSL communication, so the user is prompted to specify the X.509 certificate to get access.

Users can choose to provide the certificate from the smart card or the local certificate store, in which case AD360 performs the steps to authenticate the user with the certificate. Users can also decline to provide the certificate, in which case the tool takes them to the usual login page for authentication.

Steps to configure smart card authentication settings

  1. Click the Admin tab.
  2. SSL port must be enabled for configuring smart card authentication settings. To check your SSL port settings, click Product Settings provided under General Settings. If not enabled already, select the radio button against HTTPS, and specify the port number in the field. Click Save.
  3. Navigate to Admin → Administration → Logon Settings → Smart Card Authentication.
  4. In the Import CA Root Certification field, click Browse and import the required Certification Authority (CA) root certificate file from your computer.

    Connect to http://CertificateAuthorityServerName/certsrv/ to download the CA root certificate.

  5. In the Mapping Attribute in Certificate field, specify the certificate attribute for mapping. User details must be mapped between the smart card certificate and the AD360 database: the attribute in the smart card certificate that uniquely identifies the user must match the corresponding value in the AD360 user database. The mapping specifies which certificate attribute is compared with which attribute in the AD360 user store.

    AD360 lets you specify any attribute of the smart card certificate that uniquely identifies the user in your environment. You may choose any attribute among SAN.OtherName, SAN.RFC822Name, SAN.DirName, SAN.DNSName, SAN.URI, email, distinguishedName and CommonName. If any other attribute is used to uniquely identify the user in your environment, contact AD360 support to add that attribute.

  6. In the Mapping Attribute in AD field, specify the LDAP attribute that should be matched with the specified certificate attribute.

    Here you need to specify the particular LDAP attribute that uniquely identifies the user in AD360 user store, e.g., sAMAccountName.

    During authentication, AD360 reads the value corresponding to the certificate attribute that you specified in Mapping Attribute in Certificate and compares it with the specified LDAP attribute in Mapping Attribute in AD.

  7. In the Linked Domains field, select the appropriate domains from the drop down menu.
  8. Click the arrow sign next to the section OCSP Settings to expand the menu.

    During authentication, AD360 checks for certificate revocation status against an Online Certificate Status Protocol (OCSP) server, with details available in the certificate. If the certificate does not have the OCSP information, the information provided in the settings here will be used.

    • In the OCSP Server Name field, specify the name of the OCSP server.
    • In the OCSP Server Port field, specify the OCSP server port number.
  9. Click Save.
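
The comparison described in steps 5 and 6, as an added Python example (not AD360's own code): it reads the mapping attribute from a certificate and accepts the login only when exactly one directory entry carries the same value. The function names, the case-insensitive comparison, the fail-closed handling of non-unique matches and the sample data are assumptions; the certificate dictionaries use the layout returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
# Added illustration, not AD360 code. Certificates are dicts in the layout
# returned by Python's ssl.SSLSocket.getpeercert() for a verified peer.

# Page's attribute names -> (section, key) in that dict. SAN.OtherName is
# omitted because getpeercert() does not decode otherName values.
CERT_ATTRS = {
    "SAN.RFC822Name": ("subjectAltName", "email"),
    "SAN.DNSName": ("subjectAltName", "DNS"),
    "SAN.URI": ("subjectAltName", "URI"),
    "email": ("subject", "emailAddress"),
    "CommonName": ("subject", "commonName"),
}


def cert_values(cert, mapping_attr):
    """Return every value the certificate carries for the mapping attribute."""
    section, key = CERT_ATTRS[mapping_attr]
    if section == "subjectAltName":
        pairs = cert.get("subjectAltName", ())
    else:  # subject is a tuple of RDNs, each a tuple of (name, value) pairs
        pairs = [pair for rdn in cert.get("subject", ()) for pair in rdn]
    return [value for name, value in pairs if name == key]


def map_user(cert, mapping_attr, directory, ad_attr):
    """Return the single directory entry the certificate maps to, else None."""
    # Assumption: values are compared case-insensitively; empty ones are ignored.
    values = {v.casefold() for v in cert_values(cert, mapping_attr) if v}
    hits = [e for e in directory if str(e.get(ad_attr, "")).casefold() in values]
    # Fail closed: no match, or a non-unique match, must not log anyone in.
    return hits[0] if len(hits) == 1 else None


# Constructed sample data (hypothetical users and domain).
DIRECTORY = [
    {"sAMAccountName": "jdoe", "mail": "jdoe@example.test"},
    {"sAMAccountName": "asmith", "mail": "shared@example.test"},
    {"sAMAccountName": "bwong", "mail": "shared@example.test"},
]
CERT_JDOE = {
    "subject": ((("commonName", "jdoe"),),),
    "subjectAltName": (("email", "JDoe@example.test"),),
}
CERT_SHARED = {
    "subject": ((("commonName", "Shared Mailbox"),),),
    "subjectAltName": (("email", "shared@example.test"),),
}
```

The `CERT_SHARED` case shows why the chosen pair of attributes must be unique per user: a value held by two directory entries cannot identify either of them.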

After you have added a smartcard for authentication, you can perform any of the following functions:

  1. Add a new smartcard
  2. Edit a configured smartcard
  3. Enable/Disable a smartcard
  4. Delete a configured smartcard

Add a new smartcard

To add a new smartcard, follow the steps given below:

  1. Navigate to Admin → Administration → Logon Settings → Smart Card Authentication.
  2. Click the Add a New Smartcard button at the top-right corner of the screen.
  3. Enter all the required details and click Save.

Edit a configured smartcard

To edit a configured smartcard, follow the steps given below:

  1. Navigate to Admin → Administration → Logon Settings → Smart Card Authentication.
  2. Click the edit-icon corresponding to the smartcard whose configuration you wish to edit.
  3. Modify the settings you wish to change.
  4. Click Save.

Enable/Disable a smartcard

  1. Navigate to Admin → Administration → Logon Settings → Smart Card Authentication.
  2. To enable/disable a configured smartcard, click the enable icon/disable icon located in the action column of the particular smartcard.

Delete a configured smartcard

  1. Navigate to Admin → Administration → Logon Settings → Smart Card Authentication.
  2. Click the delete icon corresponding to the smartcard that you wish to delete.
  3. Click Yes to confirm the deletion.


Copyright © 2023, ZOHO Corp. All Rights Reserved.