Common Access Card Authentication

Learn the methods available for enabling CAC authentication when not using SAML.

Overview

This guide discusses the processes required to enable users with customer-managed installations of the Kinetic Platform to authenticate to the Platform using a Common Access Card (CAC). There are two possible authentication methods:

  • Using X.509 certificate authentication with the Lightweight Directory Access Protocol (LDAP)
  • Using Reverse Proxy authentication with an appliance terminating the CAC and providing the Platform with trusted headers

We’ll discuss both methods in more detail below.

X.509 Certificate Authentication

The X.509 security strategy is used when your browser provides CAC credentials on web requests. To use this method, you will need to know the structure of your certificate’s Common Name (CN) and must have access to the LDAP server that contains the CN.

Complete the following steps to configure X.509 certificate authentication:

  1. Open the security.properties file and uncomment the following line:
    security.strategy=com.kineticdata.core.web.security.strategies.x509.X509SecurityStrategy
  2. Configure your subject-matching regex expression in security.properties. This is used to extract the "subject" from the certificate so that it can be used to retrieve the user from the LDAP.

    ℹ️

    While there is an example expression, the expression will vary depending on your provider, so you’ll need to determine what format your provider uses for subjects. The example expression looks something like this: security.x509.matchPattern=(CN=.\*?)(?:,|$)

  3. Uncomment and configure each property starting with security.x509 in the security.SPACESLUG.properties file, where SPACESLUG is the slug of the space you are currently configuring. This configuration is identical to the LDAP configuration.
  4. Add the certificate authorities signing the user's CAC certificate to the Platform.

Reverse Proxy Authentication

The "Reverse Proxy" strategy works on the premise that some application or appliance intercepting calls are intended for the Kinetic Platform. The application or appliance performs any required authentication and authorization, then forwards the call to the Kinetic Platform with the username, email, and display name trusted headers. You can optionally map additional headers to user attributes.

Complete the following steps to configure reverse proxy authentication:

  1. Enable the Reverse Proxy strategy by adding the following to the security.properties file.
    security.strategy=com.kineticdata.core.web.security.strategies.x509.X509SecurityStrategy
  2. Uncomment the entries prefixed security.reverseproxy in the security.SPACESLUG.properties file, except for the userAttribute specific lines.
  3. Set security.reverseproxy.attributes.username, security.reverseproxy.attributes.email, and security.reverseproxy.attributes.displayName using the names of the headers sent by the appliance running in front of the Kinetic Platform.
  4. Repeat this process for any user attributes you want to map. The name/mapping match and replace process is the same as it is for all security strategies, with the name being the attribute name and the mapping being the header used to provide the value.