Activate One Touch - SSL Client Certificate

Requirements:

- One Touch must be configured

- The One Touch activation base URI must be /activateot

- Front end server set up with SSL client certificate authentication configured (for details, see Authenticators-HTTP->SAML - SSL Client Certificate authentication)

- Front end server has SSL client certificate protection configured for the URI /activateot/authenticate/activateot

 

About this configuration

The configuration example below shows the configuration for SSL client certificate authentication when activating One Touch. The client certificate subject serialNumber (a SITHS HSA-ID in this example) is picked up, and the string after the first "-" is used as the user ID (i.e. when the user activates One Touch, the One Touch user ID will be the HSA-ID suffix).

Perform the following steps in the ADVANCED tab of the Configuration GUI.

Step 1 - Authentication - HTTP

Add the following section to “Authentication - HTTP”

{
	"alias": "activateot",
	"name": "HeaderBasedCertificate",
	"configuration": {
		"pipeID": "pipeCert",
		"certificateheader": "SSL_CLIENT_CERT",
		"successURL": "/activateot/",
		"translationKey": "login.messages.information.body.enrollment.onetouch",
		"headingtranslationKey": "login.messages.information.header.enrollment.onetouch",
		"title": "login.messages.information.title.enrollment.onetouch",
		"loginTemplate": "enrollmentonetouch.template",
		"allowLanguageChange": "true"
	},
	"id": "activateot"
}

Step 2 - HTTP connections

Add the following section to “HTTP connections”, and change the “port” and “ssl” settings to suit your requirements

{
	"id": "http_pki",
	"port": "8443",
	"ssl": "true"
}

Step 3 - Modules

Add the following section to “Modules”

{
	"name": "com.phenixidentity~phenix-prism",
	"enabled": "true",
	"config": {
		"base_url": "/activateot",
		"auth_redirect_url": "/activateot/authenticate/activateot",
		"http_configuration_ref": "http_pki",
		"module_refs": "enroll_pki_01",
		"enable_roles": "false",
		"use_css": "false"
	},
	"id": "enrollpki"
},
{
    "id": "enroll_pki_01",
    "name" : "com.phenixidentity~phenix-prism-enroll-pki",
    "enabled" : "false",
    "prism_enabled" : "true",
    "config" : {
      "display_name" : "One Touch enrollment",
      "base_uri" : "pki",
      "http_configuration_ref" : "http_pki",
      "url_prefix" : "replace-url_prefix",
      "enroll_timeout_mins" : "1",
      "enroll_pollinterval_ms" : "2000",
      "use_push" : "true"
    }
}

Replace replace-url_prefix with your URL, for example "https://192.168.10.118:8443".

Change the following parameters, if needed, to suit your environment:

"enroll_timeout_mins":
"enroll_pollinterval_ms":
"use_push":

Step 4 - NODE_GROUPS

Add the module “enrollpki” to module_refs in “NODE_GROUPS”, see the example below

Example:

"module_refs": "d55205cc-e067-4490-9e2b-dbc98459e501,f4660046-9003-4131-ae4b-3710c6b1d147,b7f370d7-f9ec-41f7-982c-408b9cbfc5a3,d802bda5-623e-4afe-b740-f318ee5683dd,enrollpki"

Step 5 - Pipes

Add the following section to “Pipes”

	{
		"id": "pipeCert",
		"valves": [
			{
				"name": "ItemCreateValve",
				"config": {
					"dest_id": "{{request.serialNumber}}"
				}
			},
			{
				"name": "CertificateValidatorValve",
				"config": {
					"cert": "{{request.SSL_CLIENT_CERT}}",
					"trust_store_path": "C:/Program Files/PhenixID/server/config/trust.jks",
					"trust_store_password": "{enc}PUXHRET7bjMbJahy2OEAQJlNU7ifBvpQHTmAxVC1tGc=",
					"enable_crl": "false",
					"enable_ocsp": "true"
				}
			},
			{
				"name": "PropertyAddValve",
				"config": {
					"name": "cn",
					"value": "{{request.serialNumber}}"
				}
			},
			{
				"name": "PropertyReplaceRegexValve",
				"config": {
					"source": "cn",
					"regex": "^[^-]*-",
					"replacement": ""
				}
			},
			{
				"name": "SessionLoadValve",
				"config": {
					"id": "{{request.session_id}}"
				}
			},
			{
				"name": "PropertyAddValve",
				"config": {
					"name": "givenName",
					"value": "{{request.givenName}}"
				}
			},
			{
				"name": "PropertyAddValve",
				"config": {
					"name": "sn",
					"value": "{{request.surname}}"
				}
			},
			{
				"name": "PropertyAddValve",
				"config": {
					"name": "mail",
					"value": "{{item.cn}}"
				}
			},
			{
				"name": "SessionBindToUidValve",
				"config": {
					"userid": "{{item.cn}}"
				}
			},
			{
				"name": "SessionPersistValve",
				"config": {}
			}
		]
	}

Replace the following Pipe settings:

trust_store_path - path to the JKS file containing the CA certificates that client certificates must chain to in order to be trusted

trust_store_password - password of the JKS file. Enter it in clear text - it will be encrypted once the configuration is committed.
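As an added illustration (not part of the original guide, and not PhenixID's implementation), the following Python snippet simulates the user-ID-relevant valves of the pipeCert pipe above so the derivation of the One Touch user ID can be checked before a real certificate is presented. The valve behaviour is assumed from the valve names and their config, the template handling is modelled on the {{request.x}} and {{item.x}} placeholders used in the configuration, and the serialNumber values are constructed. It also shows two cases the regex ^[^-]*- leaves to the deployer: a serialNumber without "-" is used unchanged as the user ID, and a serialNumber ending in "-" yields an empty user ID, which the simulation refuses to bind.

```python
import re

# Regex from the PropertyReplaceRegexValve in the pipeCert configuration:
# strip everything up to and including the first "-".
PREFIX_REGEX = r"^[^-]*-"


def render(template, request, item):
    """Resolve {{request.x}} / {{item.x}} placeholders (assumed to mirror the
    configuration's template syntax; unknown keys render as empty strings)."""
    def repl(match):
        scope, key = match.group(1), match.group(2)
        source = request if scope == "request" else item
        return str(source.get(key, ""))
    return re.sub(r"\{\{(request|item)\.(\w+)\}\}", repl, template)


def item_create_valve(request, item, dest_id_template):
    """ItemCreateValve: start a new item keyed by the templated dest_id."""
    item.clear()
    item["dest_id"] = render(dest_id_template, request, item)
    return item


def property_add_valve(request, item, name, value_template):
    """PropertyAddValve: add a property to the item from a templated value."""
    item[name] = render(value_template, request, item)
    return item


def property_replace_regex_valve(request, item, source, regex, replacement):
    """PropertyReplaceRegexValve: apply a regex replacement to one property."""
    item[source] = re.sub(regex, replacement, item.get(source, ""))
    return item


def session_bind_to_uid_valve(request, item, userid_template):
    """SessionBindToUidValve: bind the session to the derived user ID.
    This simulation refuses an empty user ID; whether the real valve does so
    is not stated in the guide (assumption)."""
    userid = render(userid_template, request, item)
    if not userid:
        raise ValueError("derived user ID is empty; refusing to bind session")
    item["userid"] = userid
    return item


def derive_onetouch_userid(serial_number):
    """Run the user-ID-relevant part of pipeCert for one subject serialNumber."""
    request = {"serialNumber": serial_number}   # what the authenticator would extract
    item = {}
    item_create_valve(request, item, "{{request.serialNumber}}")
    property_add_valve(request, item, "cn", "{{request.serialNumber}}")
    property_replace_regex_valve(request, item, "cn", PREFIX_REGEX, "")
    session_bind_to_uid_valve(request, item, "{{item.cn}}")
    return item["userid"]


def safe_derive(serial_number):
    """Return the derived user ID, or None when the pipe would refuse it."""
    try:
        return derive_onetouch_userid(serial_number)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed serialNumber values, not real HSA-IDs.
    for sn in ["SE2321000016-1234", "NODASH1234", "A-B-C", "SE2321000016-"]:
        result = safe_derive(sn)
        status = f"userid {result!r}" if result is not None else "rejected (empty user ID)"
        print(f"{sn!r:24} -> {status}")
```

Running the block prints the derived user ID for each constructed serialNumber: the HSA-ID style value yields its suffix, a value without "-" passes through unchanged, a value with several "-" loses only its first segment, and a value ending in "-" is rejected. If the certificates in your deployment can carry serialNumbers of the last two kinds, consider tightening the regex or adding a check before SessionBindToUidValve so that a client certificate never maps to an unintended or empty One Touch user.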