Common Access Card Authentication

Learn the methods available for enabling CAC authentication when not using SAML.


This guide discusses the processes required to enable users with customer-managed installations of the Kinetic Platform to authenticate to the Platform using a Common Access Card (CAC). There are two possible authentication methods:

  • Using X.509 certificate authentication with the Lightweight Directory Access Protocol (LDAP)
  • Using Reverse Proxy authentication with an appliance terminating the CAC and providing the Platform with trusted headers

We’ll discuss both methods in more detail below.

X.509 Certificate Authentication

The X.509 security strategy is used when your browser provides CAC credentials on web requests. To use this method, you will need to know the structure of your certificate’s Common Name (CN) and must have access to the LDAP server that contains the CN.

Complete the following steps to configure X.509 certificate authentication:

  1. Open the file and uncomment the following line:
  2. Configure your subject-matching regex expression in This is used to extract the "subject" from the certificate so that it can be used to retrieve the user from the LDAP.

    Note: While there is an example expression, the expression will vary depending on your provider, so you’ll need to determine what format your provider uses for subjects. The example expression looks something like this: security.x509.matchPattern=(CN=.*?)(?:,|$)

  3. Uncomment and configure each property starting with security.x509 in the file, where SPACESLUG is the slug of the space you are currently configuring. This configuration is identical to the LDAP configuration.
  4. Add the certificate authorities involved in signing the user's CAC certificate to the Platform. See ? for more information.

Reverse Proxy Authentication

The "Reverse Proxy" strategy works on the premise that there is some application or appliance intercepting calls intended for the Kinetic Platform. The application or appliance performs any required authentication and authorization, then forwards the call to the Kinetic Platform with the username, email, and display name trusted headers. You can optionally map additional headers to user attributes.

Complete the following steps to configure reverse proxy authentication:

  1. Enable the Reverse Proxy strategy by adding the following to the file.
  2. Uncomment the entries prefixed security.reverseproxy in the file, except for the userAttribute specific lines.
  3. Set security.reverseproxy.attributes.username,, and security.reverseproxy.attributes.displayName using the names of the headers that will be sent by the appliance running in front of the Kinetic Platform.
  4. Repeat this process for any user attributes you want to map. The name/mapping match and replace process is the same as it is for all security strategies, with the name being the attribute name and the mapping being the header used to provide the value.