Create a portal 2-factor authentication using client certificate and LDAP

  • Question

  • Hi All,

    Does UAG support a two-factor authentication which supports both client certificate and LDAP username and password? I know that each method can work by itself, but couldn't find a way to make the two work together. If it is possible, is there a way to bind the user's certificate CN/E field to the username?

    Thanks!

    Tuesday, August 9, 2011 12:39 PM

Answers

  • Hi Doctor.Nooo,

    you can chain those two repositories using trunk authentication and on-the-fly login pages.

    The portal trunk does the certificate authentication and the on-the-fly would ask the client for username and password before granting application access. To make this happen you have to use two different repositories for trunk and application (even in the case the same LDAP directory is used).

    If you customize the on-the-fly page you may also be able to pass the certificate user name / UPN to the login form.

    -Kai

    • Proposed as answer by Kai Wilke Sunday, August 14, 2011 12:06 AM
    • Marked as answer by Erez Benari Friday, August 26, 2011 10:34 PM
    Tuesday, August 9, 2011 3:25 PM
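    The two-stage flow in the answer above, as an added illustration that is not UAG code and not Kai's configuration: stage 1 maps the certificate presented at the trunk to a directory account (UPN SAN first, then the E field of the subject DN), stage 2 takes the username and password from the on-the-fly page and accepts them only if they name the same account the certificate did. The directory records, DNs, salt and UPN bytes are constructed sample data, and the UPN decoder only handles short-form DER lengths; a real deployment would do the lookup against LDAP/AD and let the directory verify the password.

    ```python
    """Binding a client-certificate identity to a username/password login.

    Added example, not UAG code. Directory records, DNs and hashes are constructed
    for the demo; replace DIRECTORY lookups with LDAP/AD queries in practice.
    """
    import hashlib
    import hmac
    from typing import Optional


    def _pbkdf2(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


    _SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed, fixed for the demo

    # Constructed sample directory keyed by sAMAccountName. Each record carries the
    # attributes a certificate can be matched against plus a PBKDF2 password hash.
    DIRECTORY = {
        "dnooo": {
            "mail": "doctor.nooo@corp.example",
            "userPrincipalName": "dnooo@corp.example",
            "pwd": _pbkdf2("correct horse battery", _SALT),
        },
        "swong": {
            "mail": "stephen.wong@corp.example",
            "userPrincipalName": "swong@corp.example",
            "pwd": _pbkdf2("hunter2hunter2", _SALT),
        },
    }


    def parse_dn(dn: str) -> dict:
        """Split an RFC 4514 DN such as 'CN=Doctor Nooo,E=doctor.nooo@corp.example,O=Corp'
        into {TYPE: value}. Backslash-escaped commas ('Nooo\\, Doctor') stay in the value."""
        attrs, buf, parts = {}, [], []
        i = 0
        while i < len(dn):
            ch = dn[i]
            if ch == "\\" and i + 1 < len(dn):  # escaped character: keep it literally
                buf.append(dn[i + 1])
                i += 2
                continue
            if ch == ",":
                parts.append("".join(buf))
                buf = []
            else:
                buf.append(ch)
            i += 1
        parts.append("".join(buf))
        for part in parts:
            if "=" in part:
                key, value = part.split("=", 1)
                attrs[key.strip().upper()] = value.strip()
        return attrs


    def decode_upn_othername(der: bytes) -> str:
        """Decode the value of a Microsoft UPN SAN otherName (OID 1.3.6.1.4.1.311.20.2.3):
        a DER UTF8String, i.e. tag 0x0C, a short-form length byte, then UTF-8 bytes."""
        if len(der) < 2 or der[0] != 0x0C:
            raise ValueError("not a DER UTF8String")
        length = der[1]
        if length & 0x80 or len(der) != 2 + length:  # long-form lengths not handled here
            raise ValueError("unsupported or truncated length")
        return der[2:].decode("utf-8")


    def user_from_certificate(subject_dn: str, upn_der: Optional[bytes] = None) -> Optional[str]:
        """Stage 1 (portal trunk): map the presented certificate to a directory account.
        Prefers the UPN SAN, then the E (email) RDN; returns the sAMAccountName or None."""
        subject = parse_dn(subject_dn)
        candidates = []
        if upn_der:
            candidates.append(("userPrincipalName", decode_upn_othername(upn_der).lower()))
        if "E" in subject:
            candidates.append(("mail", subject["E"].lower()))
        for attr, value in candidates:
            for sam, rec in DIRECTORY.items():
                if rec[attr].lower() == value:
                    return sam
        return None


    def second_factor_login(cert_user: Optional[str], username: str, password: str) -> Optional[str]:
        """Stage 2 (on-the-fly page): accept username/password only for the account the
        certificate already identified. A valid password for a different account is
        rejected; otherwise the two stages are just two independent one-factor logins."""
        if cert_user is None or username.lower() != cert_user.lower():
            return None
        rec = DIRECTORY.get(cert_user)
        if rec is None:
            return None
        if not hmac.compare_digest(rec["pwd"], _pbkdf2(password, _SALT)):
            return None
        return cert_user
    ```

    The point of `second_factor_login` comparing `username` against `cert_user` is the binding the original question asks for: pre-filling the login form with the certificate's UPN or E value is convenient, but the check that the submitted username equals the certificate-derived account is what makes the two repositories behave as one two-factor login rather than two separate ones.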

All replies

  • Hi Kai,

    I am quite new to UAG. Can you elaborate on the solution above, e.g. on-the-fly? I am looking for a similar solution where I would like the user to type in their username and password (get authenticated) in the FBA > prompt for user certificate which is in a USB device > enter PIN > validate the SMTP attribute on the cert against the AD > access the application.

    thanks,

    stephen


    stephen wong

    Friday, March 16, 2012 3:06 PM