Activate One Touch - SSL Client Certificate

Requirements:

- One Touch must be configured

- OneTouch activation app must be configured

- To follow the exact instructions in this document, the One Touch activation base URI must be /activateonetouch. If the base URI is set to another value, follow the instructions below and change the relevant config parameters to match your base URI.

- Front end server set up with SSL client certificate authentication configured (see the front end server prerequisites for details)

- Front end server has SSL client certificate protection configured for the URI /activateonetouch/authenticate/activateonetouch (change to your base URI if needed)


About this configuration

The configuration example below shows SSL client certificate authentication used to activate One Touch. The serialNumber attribute of the client certificate subject (a SITHS HSA-ID in this example) is picked up, and the string after the first "-" is used as the user ID (i.e., when the user activates One Touch, the One Touch user ID will be the HSA-ID suffix).

Perform the following steps in the ADVANCED tab of the Configuration GUI.

Step 1 - Authentication - HTTP

Add the following section to "Authentication - HTTP":

{
	"alias": "activateonetouch",
	"name": "HeaderBasedCertificate",
	"configuration": {
		"pipeID": "pipeCert",
		"certificateheader": "SSL_CLIENT_CERT",
		"successURL": "/activateonetouch/"
	},
	"id": "activateonetouch"
}

Step 2 - Modules

- Locate the activateonetouch module (shown below)

- Change the auth_redirect_url to /activateonetouch/authenticate/activateonetouch

- Stage changes

- Commit changes

{
	"name": "com.phenixidentity~phenix-prism",
	"enabled": "true",
	"config": {
		"base_url": "/activateonetouch",
		"auth_redirect_url": "/activateonetouch/authenticate/activateonetouch",
		"http_configuration_ref": "http_pki",
		"module_refs": "enroll_pki_01",
		"enable_roles": "false",
		"use_css": "false"
	},
	"id": "enrollpki"
}

Step 3 - Pipes

Add the following section to "Pipes":

{
	"id": "pipeCert",
	"valves": [
		{
			"name": "ItemCreateValve",
			"config": {
				"dest_id": "{{request.serialNumber}}"
			}
		},
		{
			"name": "CertificateValidatorValve",
			"config": {
				"cert": "{{request.SSL_CLIENT_CERT}}",
				"trust_store_path": "C:/Program Files/PhenixID/server/config/trust.jks",
				"trust_store_password": "{enc}PUXHRET7bjMbJahy2OEAQJlNU7ifBvpQHTmAxVC1tGc=",
				"enable_crl": "false",
				"enable_ocsp": "true"
			}
		},
		{
			"name": "PropertyAddValve",
			"config": {
				"name": "cn",
				"value": "{{request.serialNumber}}"
			}
		},
		{
			"name": "PropertyReplaceRegexValve",
			"config": {
				"source": "cn",
				"regex": "^[^-]*-",
				"replacement": ""
			}
		},
		{
			"name": "SessionLoadValve",
			"config": {
				"id": "{{request.session_id}}"
			}
		},
		{
			"name": "PropertyAddValve",
			"config": {
				"name": "givenName",
				"value": "{{request.givenName}}"
			}
		},
		{
			"name": "PropertyAddValve",
			"config": {
				"name": "sn",
				"value": "{{request.surname}}"
			}
		},
		{
			"name": "PropertyAddValve",
			"config": {
				"name": "mail",
				"value": "{{item.cn}}"
			}
		},
		{
			"name": "SessionBindToUidValve",
			"config": {
				"userid": "{{item.cn}}"
			}
		},
		{
			"name": "SessionPersistValve",
			"config": {}
		}
	]
}

Replace the following pipe settings:

- trust_store_path - path to the JKS file containing the CA certificates that client certificates must chain to

- trust_store_password - password of the JKS file. Enter it in clear text; it will be encrypted once the configuration is committed.
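The two things that most often go wrong with this setup are the user ID derivation (what the regex in PropertyReplaceRegexValve actually leaves of the serialNumber) and the cross-references between the three sections when the base URI is changed. The script below is an added example, not part of this page or of the PhenixID product; it keeps constructed, abridged copies of the page's three sections, derives the user ID the way the pipe would (assuming the valve performs an ordinary regex substitution on the named property, which for an anchored pattern is the same whether it replaces the first match or all matches), and checks the references between sections. The rule that auth_redirect_url equals base_url + "/authenticate/" + the Authentication - HTTP alias is an assumption inferred from the page's values; the PROTECTED_URI constant stands for whatever the front end actually protects.

```python
import re

# Constructed, abridged copies of the three sections on this page. The pipe keeps only
# the valves the checks below need; the real pipe has more.
AUTH_HTTP = {
    "alias": "activateonetouch",
    "name": "HeaderBasedCertificate",
    "configuration": {
        "pipeID": "pipeCert",
        "certificateheader": "SSL_CLIENT_CERT",
        "successURL": "/activateonetouch/",
    },
    "id": "activateonetouch",
}

MODULE = {
    "name": "com.phenixidentity~phenix-prism",
    "config": {
        "base_url": "/activateonetouch",
        "auth_redirect_url": "/activateonetouch/authenticate/activateonetouch",
    },
    "id": "enrollpki",
}

PIPE = {
    "id": "pipeCert",
    "valves": [
        {"name": "CertificateValidatorValve",
         "config": {"cert": "{{request.SSL_CLIENT_CERT}}",
                    "enable_crl": "false", "enable_ocsp": "true"}},
        {"name": "PropertyAddValve",
         "config": {"name": "cn", "value": "{{request.serialNumber}}"}},
        {"name": "PropertyReplaceRegexValve",
         "config": {"source": "cn", "regex": "^[^-]*-", "replacement": ""}},
        {"name": "SessionBindToUidValve", "config": {"userid": "{{item.cn}}"}},
    ],
}

# URI the front end protects with client certificate auth (constructed to match the page).
PROTECTED_URI = "/activateonetouch/authenticate/activateonetouch"


def derive_userid(serial_number, pipe=PIPE):
    """Apply the pipe's PropertyReplaceRegexValve to the certificate's serialNumber.

    Assumption: the valve does a regex substitution on the named property. The page's
    pattern strips everything up to and including the first '-'; a value with no '-'
    is left unchanged, and later dashes survive.
    """
    valve = next(v for v in pipe["valves"] if v["name"] == "PropertyReplaceRegexValve")
    cfg = valve["config"]
    return re.sub(cfg["regex"], cfg["replacement"], serial_number)


def check_config(auth, module, pipe, protected_uri):
    """Return a list of cross-reference problems; an empty list means the sections agree."""
    problems = []
    base = module["config"]["base_url"]
    # Assumption inferred from the page's values: the redirect target is
    # <base_url>/authenticate/<alias of the Authentication - HTTP entry>.
    expected_redirect = f"{base}/authenticate/{auth['alias']}"
    if module["config"]["auth_redirect_url"] != expected_redirect:
        problems.append(f"auth_redirect_url should be {expected_redirect}")
    if protected_uri != expected_redirect:
        problems.append(f"front end must protect {expected_redirect}, not {protected_uri}")
    if auth["configuration"]["pipeID"] != pipe["id"]:
        problems.append("pipeID does not match the pipe's id")
    if not auth["configuration"]["successURL"].startswith(base):
        problems.append("successURL is outside base_url")
    validator = next(v for v in pipe["valves"] if v["name"] == "CertificateValidatorValve")
    vcfg = validator["config"]
    # The validator must read the same header the authenticator names.
    header_ref = "{{request." + auth["configuration"]["certificateheader"] + "}}"
    if vcfg.get("cert") != header_ref:
        problems.append(f"validator reads {vcfg.get('cert')} but the header is {header_ref}")
    # With both revocation mechanisms off, a revoked client certificate is still accepted.
    if vcfg.get("enable_crl") != "true" and vcfg.get("enable_ocsp") != "true":
        problems.append("no revocation checking: enable_crl and enable_ocsp are both off")
    return problems


if __name__ == "__main__":
    # Constructed sample serialNumber in HSA-ID style: prefix, dash, suffix.
    print("user ID:", derive_userid("SE2321000000-1234"))
    print("problems:", check_config(AUTH_HTTP, MODULE, PIPE, PROTECTED_URI) or "none")
```

Run it after editing the sections for a different base URI: every mismatch between base_url, auth_redirect_url, the alias and the front end's protected URI shows up as a listed problem, and the derived user ID shows what SessionBindToUidValve will bind the session to.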

Test

- Browse to /activateonetouch

- A redirect to /activateonetouch/authenticate/activateonetouch should occur

- SSL client certificate authentication should be triggered