The Public Key Infrastructure (PKI) creates, stores, and distributes digital certificates. These certificates are used to verify whether a particular public key belongs to a specific entity.
Advanced Authentication supports the following two forms of PKI authentication:
From Advanced Authentication 6.4.2.1, the server auto-enrolls the PKI smart card for a specific user based on the value of the altSecurityIdentities attribute in the LDAP repository. Before auto-enrolling the PKI method, the server verifies the value of the altSecurityIdentities attribute against the PKI card certificate id attribute configured in Group Name Attributes.
IMPORTANT: Some key points to remember after upgrading to Advanced Authentication 6.4.2.1:
If a user has already enrolled the PKI method, the existing enrollment takes precedence.
If a user has not enrolled the PKI method and the altSecurityIdentities attribute contains an appropriate value, the PKI method is auto-enrolled. However, a successful authentication using the PKI method still depends on the following factors:
Successful certificate mapping
Proof that the presented certificate and the private key on the card match
If a user has not enrolled the PKI method and the altSecurityIdentities attribute does not contain an appropriate value, the PKI method is not auto-enrolled. However, users can still enroll manually.
Auto-enrollment of the PKI method is supported only if both the Advanced Authentication Server and the Device Service are upgraded to version 6.4.2.1. Running different versions of these components is not supported.
Auto-enrollment of the PKI method is supported only on the Windows Device Service.
After auto-enrollment of the PKI method, the first login with the PKI device to any web event completes the full enrollment of the method.
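The decision rules above (existing enrollment wins, otherwise auto-enroll only when the altSecurityIdentities value maps to the presented card certificate, otherwise manual enrollment) as an added illustration; this is not Advanced Authentication's own code. It assumes the attribute uses Active Directory's X509 mapping syntax (X509:<I>issuer<S>subject, <SKI>, <PN> and so on), which this page does not state, and it covers certificate mapping only, not the private-key proof.

```python
import re

# Tags of AD's altSecurityIdentities X509 syntax (assumption: page doesn't say which apply).
TAG_RE = re.compile(r"<(I|S|SKI|SHA1-PUKEY|RFC822|PN|SR)>")

def parse_alt_sec_id(value):
    """'X509:<I>issuer<S>subject' -> {'I': issuer, 'S': subject}; None if not X509."""
    if not value or not value.startswith("X509:"):
        return None
    parts = TAG_RE.split(value[len("X509:"):])  # ['', 'I', issuer, 'S', subject]
    if len(parts) < 3 or parts[0] != "":
        return None
    return {parts[i]: parts[i + 1].strip() for i in range(1, len(parts), 2)}

def normalize_dn(dn):
    """Order-insensitive RDN comparison, since AD writes DNs component-reversed.
    Simplification: escaped commas inside an RDN are not handled."""
    return tuple(sorted(p.strip().lower() for p in dn.split(",")))

def certificate_matches(cert, tags):
    """Every tag in the mapping must agree with the card certificate's fields."""
    checks = {
        "I": lambda v: normalize_dn(cert["issuer"]) == normalize_dn(v),
        "S": lambda v: normalize_dn(cert["subject"]) == normalize_dn(v),
        "SKI": lambda v: cert.get("ski", "").lower() == v.lower(),
        "SHA1-PUKEY": lambda v: cert.get("pubkey_sha1", "").lower() == v.lower(),
        "RFC822": lambda v: cert.get("email", "").lower() == v.lower(),
        "PN": lambda v: cert.get("upn", "").lower() == v.lower(),
        "SR": lambda v: cert.get("serial_reversed", "").lower() == v.lower(),
    }
    return all(checks[t](v) for t, v in tags.items())

def auto_enroll_decision(already_enrolled, alt_sec_ids, cert):
    """Page rules: an existing enrollment wins; otherwise auto-enroll only when some
    altSecurityIdentities value maps to the presented certificate."""
    if already_enrolled:
        return "existing enrollment"
    for value in alt_sec_ids:
        tags = parse_alt_sec_id(value)
        if tags and certificate_matches(cert, tags):
            return "auto-enrolled"
    return "manual enrollment required"

# Constructed sample certificate fields; not taken from any real card.
SAMPLE_CERT = {
    "issuer": "CN=Example Issuing CA, DC=example, DC=com",
    "subject": "CN=jdoe, OU=Users, DC=example, DC=com",
    "ski": "1a2b3c4d5e6f",
    "upn": "jdoe@example.com",
}
```

A mapping whose tags all agree with the card certificate yields "auto-enrolled"; a non-X509 value or a mismatching tag leaves the user on manual enrollment.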