By: Koji Tashima user 03 Nov 2016 at 2:18 p.m. CDT

4 Responses
Where can I set oxExternalId for the user to authenticate with certificates? I'm trying to implement 'certificate authentication'. I checked the script for it and I have a question about it:

```python
cert_user_external_uid = "cert:%s" % x509CertificateFingerprint
print "Cert. Authenticate for step 2. Attempting to find user by oxExternalUid attribute value %s" % cert_user_external_uid
find_user_by_external_uid = userService.getUserByAttribute("oxExternalUid", cert_user_external_uid)
```

I think this means finding "cert:<fingerprintvalue>" in the user's oxExternalId. So here comes the question: where can I set the value for each user?

By Aliaksandr Samuseu staff 05 Nov 2016 at 10:45 a.m. CDT

Hi, Koji. I can't find proper docs for this script. I'll try to ask around; somebody has to know the proper procedure. You may check the diagram [here](https://gluu.org/docs/multi-factor/cert/); maybe it will give you some hint. Best regards, Alex.

By Yuriy Movchan staff 08 Nov 2016 at 12:59 a.m. CST

Right, it's the public cert fingerprint in SSH format: https://github.com/GluuFederation/oxAuth/blob/master/Server/integrations/cert/UserCertExternalAuthenticator.py#L310 This Python method uses the following Java code to calculate it: https://github.com/GluuFederation/oxAuth/blame/master/Server/src/main/java/org/xdi/oxauth/cert/fingerprint/FingerprintHelper.java#L42 Are you trying to manually add the required attribute to LDAP, to avoid the cert-to-user-account mapping that is implemented in the script?
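As an added illustration of what the reply above describes (this is not code from the thread, from Gluu, or from oxAuth), the block below builds the SSH wire-format `ssh-rsa` public-key blob from a certificate's RSA public numbers, hashes it, and renders the `cert:<fingerprint>` value that the script looks up in `oxExternalUid`, plus an LDIF fragment for adding that value to a user entry by hand. Assumptions, which should be checked against the linked `FingerprintHelper.java` before relying on the exact string: the helper hashes the SSH blob with MD5 and prints it as plain lowercase hex without colons; the user DN in the LDIF is a placeholder; the RSA numbers in the demo are a constructed toy key, not a real certificate.

```python
import hashlib
import struct


def ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH 'mpint' body: big-endian,
    two's complement, so a leading 0x00 is prepended when the top bit is set.
    This matches what Java's BigInteger.toByteArray() produces."""
    if value == 0:
        return b""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return raw


def ssh_string(data: bytes) -> bytes:
    """uint32 big-endian length prefix followed by the bytes (SSH 'string')."""
    return struct.pack(">I", len(data)) + data


def ssh_rsa_blob(e: int, n: int) -> bytes:
    """Wire-format 'ssh-rsa' public key: string "ssh-rsa", mpint e, mpint n.
    This is the same blob that `ssh-keygen -l -E md5` fingerprints."""
    return ssh_string(b"ssh-rsa") + ssh_string(ssh_mpint(e)) + ssh_string(ssh_mpint(n))


def ssh_rsa_md5_fingerprint(e: int, n: int) -> str:
    """ASSUMPTION: MD5 over the blob, rendered as plain lowercase hex (no colons),
    is what oxAuth's FingerprintHelper stores. Verify against the linked Java source."""
    return hashlib.md5(ssh_rsa_blob(e, n)).hexdigest()


def cert_external_uid(e: int, n: int) -> str:
    """The value the authentication script searches for in oxExternalUid."""
    return "cert:%s" % ssh_rsa_md5_fingerprint(e, n)


def ldif_add_external_uid(user_dn: str, e: int, n: int) -> str:
    """LDIF modify record that attaches the fingerprint to an existing user entry.
    The caller supplies the real DN; nothing here is a real Gluu identifier."""
    return (
        "dn: %s\n"
        "changetype: modify\n"
        "add: oxExternalUid\n"
        "oxExternalUid: %s\n" % (user_dn, cert_external_uid(e, n))
    )


def public_numbers_from_pem(pem: bytes):
    """Optional helper: pull (e, n) out of a PEM certificate with the
    third-party 'cryptography' package, if it is installed."""
    from cryptography import x509  # optional dependency, imported lazily

    pub = x509.load_pem_x509_certificate(pem).public_key().public_numbers()
    return pub.e, pub.n


if __name__ == "__main__":
    # Constructed toy RSA public numbers for demonstration only; a real
    # certificate would carry a 2048-bit (or larger) modulus.
    demo_e = 65537
    demo_n = 0xB4B2D9C6E1F3A5D7B4B2D9C6E1F3A5D7
    # PLACEHOLDER DN: replace with the actual user entry DN from your LDAP tree.
    print(ldif_add_external_uid("inum=PLACEHOLDER_INUM,ou=people,o=gluu", demo_e, demo_n))
```

Usage: feed the output to `ldapmodify` (or paste the attribute into oxTrust's user editor) and the script's `getUserByAttribute("oxExternalUid", ...)` lookup will find the user on the next certificate login, which is what the enrolment step in the script does automatically after a successful password login. If the stored value and the computed one disagree, compare against `ssh-keygen -l -E md5` on the extracted public key to see which side the formatting difference is on.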

By Koji Tashima user 08 Nov 2016 at 9:47 a.m. CST

Thank you. Now I understand the flow. So it maps the certificate to the user by signing in to the Gluu server, right? And after that it checks the certificate to sign in. No ID/PW is required.

By Aliaksandr Samuseu staff 12 Nov 2016 at 11:40 a.m. CST

I was able to verify that the script works with Firefox. Here is what I did to configure it:

1. Used the EasyRSA package to simulate an organization's PKI. I generated a CA cert with it, and issued a client certificate+key pair for a test user.
2. Placed the CA's certificate in `/etc/certs/chain_cert.pem` (by default the script will check this location for the trust chain it will use to verify the certificate presented by the client; I suppose that means only certificates signed by this one CA will be accepted?)
3. Disabled all validation methods except for `use_generic_validator` in the script's properties.
4. Converted the key and cert issued at step 1) to a pfx file: `# openssl pkcs12 -export -out gluuadmin.pfx -inkey gluuadmin.key -in ./gluuadmin.crt -certfile ./my.host.loc_CA.crt` (didn't set any password).
5. Imported this `gluuadmin.pfx` into my browser as a personal certificate.
6. Set the script as the default auth method and restarted tomcat to make sure every change is applied.

Then, on attempting to access the login page, I was presented with a new screen informing me that login with a certificate will happen. Clicking the "Login" button there first took me to a warning page, explaining that the flow had failed and providing a lot of info about why it could be so. In my case, I just had to remove "Active logins" using the "Clear recent history" tool of Firefox. In other cases a browser restart may help. After that, on clicking this "Login" button, I was presented with a pop-up asking me to confirm using my personal cert for authentication, and a proposal to persist my choice. Then I was asked to provide my usual login/password for this user (enrol step). On the next login attempts it didn't ask for creds any more; I was just logged in right away.

Unfortunately, I couldn't make it work with Chrome. Browser restarts didn't help; it was telling me again and again that I either didn't have the cert imported into the browser, or I had already chosen not to provide it to this site. The latter is quite possible, and was the same for Firefox at first, but for Chrome I didn't find how to reset it.