Set up certificate-based login to Identity Manager
Not yet supported for Docker. This article is only relevant for WAR file deployment.
This article is valid for Smart ID 20.11 and later.
This article describes how to set up certificate-based login to Smart ID Identity Manager.
Prerequisites
A working HTTPS configuration with client authentication on Tomcat is required. See Configure HTTPS for Tomcat.
Step-by-step instruction
Set up authentication profile
The first step is to set up an authentication profile in Identity Manager Admin:
Follow the instructions in Set up authentication profile in Identity Manager to set up an authentication profile of one of the following types:
Client Certificate and LDAP
Client Certificate and Core Object
Client Certificate Internal (not recommended in a production environment)
Select the certificate attribute from which the system extracts the login identifier:
User Principal Name (UPN): extracts the value from the SAN attribute otherName (the Microsoft UPN other-name, OID 1.3.6.1.4.1.311.20.2.3)
SAN Email (RFC822Name): extracts the value from the SAN attribute rfc822Name
Subject CN: extracts the value from the CN field of the subject
Subject Email: extracts the value from the EMAILADDRESS field of the subject
Pick an attribute that is present in every user certificate and that identifies exactly one user in the directory or Core Object store the profile looks up, since that value is the key used to find the user.
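To see which ASN.1 structures the four options actually read, here is an added example (not Smart ID or Nexus code, written for this article) that walks a DER-encoded certificate with the Python standard library only and returns all four candidate identifiers. It builds its own constructed, unsigned sample certificate with made-up identities; the function names extract_login_ids and login_identifier are this example's own, and a real deployment would use a proper X.509 library and validate the chain and CRLs before trusting any attribute.

```python
UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft UPN otherName type-id
SAN_OID = "2.5.29.17"                 # id-ce-subjectAltName
CN_OID = "2.5.4.3"                    # id-at-commonName
EMAIL_OID = "1.2.840.113549.1.9.1"    # pkcs-9 emailAddress

# --- minimal DER decoding (stdlib only) --------------------------------------
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                               # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(body):
    """Split the body of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    arcs, v = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def name_attrs(name_body):
    """Name = SEQUENCE OF RDN, RDN = SET OF {OID, value} -> {dotted OID: first value}."""
    attrs = {}
    for _, rdn in children(name_body):
        for _, atv in children(rdn):
            (_, o), (_, v) = children(atv)[:2]
            attrs.setdefault(decode_oid(o), v.decode("utf-8"))
    return attrs

def san_names(san_der):
    """SubjectAltName extension value -> (UPN from otherName, rfc822Name)."""
    upn = email = None
    _, body, _ = read_tlv(san_der)
    for tag, val in children(body):
        if tag == 0xA0:                         # [0] otherName { type-id, [0] EXPLICIT value }
            (_, o), (_, wrapper) = children(val)[:2]
            if decode_oid(o) == UPN_OID:
                upn = children(wrapper)[0][1].decode("utf-8")   # UTF8String inside [0]
        elif tag == 0x81:                       # [1] rfc822Name, IA5String
            email = val.decode("ascii")
    return upn, email

def extract_login_ids(cert_der):
    """The four identifiers an authentication profile can select (None when absent)."""
    _, cert_body, _ = read_tlv(cert_der)
    fields = children(children(cert_body)[0][1])          # TBSCertificate fields
    if fields[0][0] == 0xA0:                               # skip [0] EXPLICIT version
        fields = fields[1:]
    subject = name_attrs(fields[4][1])                     # serial, sigAlg, issuer, validity, subject
    upn = san_email = None
    for tag, val in fields[6:]:
        if tag != 0xA3:                                    # [3] EXPLICIT Extensions
            continue
        for _, ext in children(children(val)[0][1]):
            parts = children(ext)                          # OID, [critical], OCTET STRING
            if decode_oid(parts[0][1]) == SAN_OID:
                upn, san_email = san_names(parts[-1][1])
    return {"User Principal Name (UPN)": upn, "SAN Email (RFC822Name)": san_email,
            "Subject CN": subject.get(CN_OID), "Subject Email": subject.get(EMAIL_OID)}

def login_identifier(cert_der, attribute):
    """Value the profile would look the user up by; fail closed when it is missing."""
    value = extract_login_ids(cert_der).get(attribute)
    if not value:
        raise ValueError(f"certificate carries no {attribute}: refuse login")
    return value

# --- minimal DER encoding, only used to build the constructed sample ----------
def _length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body
def seq(*parts):
    return tlv(0x30, b"".join(parts))
def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_sample_cert(with_san=True):
    """Constructed, unsigned certificate skeleton with made-up identities."""
    alg = seq(oid("1.2.840.113549.1.1.11"), tlv(0x05, b""))   # sha256WithRSAEncryption
    def rdn(o, text, tag=0x0C):                                # UTF8String unless told otherwise
        return tlv(0x31, seq(oid(o), tlv(tag, text.encode())))
    issuer = seq(rdn(CN_OID, "Example Issuing CA"))
    subject = seq(rdn(CN_OID, "Alice Example"), rdn(EMAIL_OID, "alice@mail.example", 0x16))
    san = seq(tlv(0xA0, oid(UPN_OID) + tlv(0xA0, tlv(0x0C, b"alice@corp.example"))),
              tlv(0x81, b"alice@mail.example"))
    extensions = tlv(0xA3, seq(seq(oid(SAN_OID), tlv(0x04, san)))) if with_san else b""
    validity = seq(tlv(0x17, b"240101000000Z"), tlv(0x17, b"260101000000Z"))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), alg, issuer, validity,
              subject, seq(alg, tlv(0x03, b"\x00")), extensions)
    return seq(tbs, alg, tlv(0x03, b"\x00"))

if __name__ == "__main__":
    for attr, value in extract_login_ids(build_sample_cert()).items():
        print(f"{attr:28} {value}")
```

Note that the UPN and the SAN email in the sample deliberately differ: a profile that selects UPN looks the user up by alice@corp.example, one that selects SAN Email by alice@mail.example, so the choice must match the attribute the user source actually stores. Running login_identifier against the no-SAN variant raises, which is the fail-closed behaviour you want when a certificate lacks the selected attribute.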
Set up validation chain for user certificates
When a user logs in to Identity Manager with a certificate, the Identity Manager server checks the certificate against the corresponding certificate revocation lists (CRLs). To validate the certificate chain of the CRL signing CA, a separate truststore is configured on the Identity Manager server.
To configure the path to the truststore:
On the Identity Manager server, open the file system.properties.
Modify the path to the truststore, and the truststore password, if needed:
jksKeyStoreProvider.keyStorePath = "file:C:/idmCerts/crlCaChain-truststore.jks"
jksKeyStoreProvider.keyStorePassword = "123456"
The password shown is only an example: set your own, and restrict read access to system.properties, since the password is stored in clear text. The truststore should contain only the CA certificates needed to verify the CRL signatures, not user certificates.
For more information on how to configure a truststore file with the java keytool, see Configure HTTPS for Tomcat.
Access Identity Manager clients
To access the Identity Manager clients, use the following links:
https://<idmhost>:8444/prime_explorer/
https://<idmhost>:8444/prime_designer/
https://<idmhost>:8444/ussp/
For Smart ID Self-Service you need to click the link "Client Certificate Login" on the login page.