9.22.2 Virtual Smartcard

Virtual Smartcard is an extension of the PKI method. Advanced Authentication allows users to enroll the PKI method using a virtual smartcard that is imported into the browser on the user’s system and used for authentication. A virtual smartcard is a certificate that contains information such as the digital signature, expiration date, user name, and name of the CA (Certificate Authority), and it can be used as a client SSL certificate. Typically, the certificate is available in .pfx format. The information in the virtual smartcard is used to authenticate the user to any web environment.

NOTE: The virtual smartcard supports authentication to the OAuth 2.0 and SAML 2.0 events. The virtual smartcard does not support authentication to the Advanced Authentication portals, such as Administration, Helpdesk, Self-Service, and Reporting.

To configure the virtual smartcard, perform the following steps:

NOTE: Before you configure virtual smartcard support for the SAML 2.0 events, ensure that you specify the Identity Provider’s URL in the format https://webauth.domain_name in the Web Authentication policy, and save the settings before you download the SAML 2.0 metadata file.

NOTE: Before you configure virtual smartcard support for the PKI method, ensure that you perform the following tasks:

  • On the DNS server, resolve the IP address of the Advanced Authentication server to the following host names:

    • <aaserver_ip_address> <aaserver_hostname>

    • <aaserver_ip_address> <webauth.aaserver_hostname>

  • Define the following attributes in the third-party application that you want to integrate with the Advanced Authentication server:

    • authorization_endpoint = https://webauth.aaserver-hostname/osp/a/TOP/auth/oauth2/auth

    • token_endpoint = https://webauth.aaserver-hostname/osp/a/TOP/auth/oauth2/token

  1. Configure the following settings in the HTTPS Options policy:

    • Set Enable Client SSL for Webauth Service to ON and upload the Root CA certificate, in .pem format, that is used by the web server.

    • Set Enable auto enrollment based on certificate to ON. This allows users to auto-enroll the PKI method using a virtual smartcard for the OAuth 2.0 and SAML 2.0 events.

      NOTE: Manual enrollment of the PKI method using the virtual smartcard is not supported. Therefore, you must set Enable auto enrollment based on certificate to ON in the HTTPS Options policy. With this configuration, users auto-enroll the PKI method using the virtual smartcard when they access the OAuth 2.0 event for the first time and select a valid certificate. This auto-enrollment happens irrespective of the enrollment status of the other method(s) that are in the same authentication chain as the PKI method.

      To allow a user to log in to the OAuth 2.0 and SAML 2.0 events before the PKI method is auto-enrolled, ensure that you add at least one more chain to the event (for example, a chain with only the LDAP Password method) below the PKI chain. The user must enroll all method(s) of the new chain. During the first login attempt, the PKI method using the virtual smartcard is enrolled automatically. For subsequent logins, the top chain in the list (which is PKI) is selected and the user is authenticated automatically.

  2. Upload the Root CA certificate in the Trusted root certificates section of the PKI method.

  3. Import the client SSL certificate into the user’s browser.

    NOTE: The procedure to import the client SSL certificate varies by browser.

    For more information about how to import the client SSL certificate into the Chrome browser, see Importing Client SSL Certificate to a Certificate Store.
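    Before uploading the Root CA (steps 1 and 2) and handing the .pfx to a user (step 3), an administrator should confirm that the virtual smartcard actually chains to that Root CA, is not expired, and carries the user name that will be auto-filled into the login form. The script below is an added example, not part of the Advanced Authentication documentation; it builds a constructed Root CA and a constructed client certificate for the user "mark" with openssl, and the check function is a hypothetical helper that reports the CN and rejects an expired or untrusted certificate.

```shell
#!/bin/sh
# Added example: inspect a virtual smartcard (.pfx) against the Root CA .pem.
# All keys, certificates and the .pfx password below are constructed for the demo.
set -e
WORK=$(mktemp -d)
PFX_PASS=demo-pass   # constructed password protecting the demo .pfx

# Constructed Root CA: stands in for the CA whose .pem is uploaded in the
# HTTPS Options policy and in the PKI method's Trusted root certificates.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" \
  -subj "/CN=Demo Root CA" 2>/dev/null

# Constructed client certificate for user "mark", signed by that Root CA and
# packaged as a .pfx, i.e. the virtual smartcard imported into the browser.
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/mark.key" \
  -out "$WORK/mark.csr" -subj "/CN=mark" 2>/dev/null
openssl x509 -req -in "$WORK/mark.csr" -CA "$WORK/root.pem" \
  -CAkey "$WORK/root.key" -CAcreateserial -days 365 \
  -out "$WORK/mark.pem" 2>/dev/null
openssl pkcs12 -export -in "$WORK/mark.pem" -inkey "$WORK/mark.key" \
  -out "$WORK/mark.pfx" -passout "pass:$PFX_PASS"

# check_virtual_smartcard PFX PASSWORD ROOT_CA_PEM  (hypothetical helper)
# Prints the certificate CN (the user name filled into the login form) and
# returns 0; returns 1 if the certificate is expired or does not chain to
# the given Root CA. Each check fails explicitly so the result is reliable
# even when the function is called inside an if/|| list.
check_virtual_smartcard() {
  pfx=$1; pass=$2; root=$3
  cert=$(mktemp)
  # -clcerts -nokeys: extract only the end-entity certificate, never the key
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys \
    -out "$cert" 2>/dev/null || { rm -f "$cert"; return 1; }
  # -checkend 0 fails if the certificate has already expired
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
    || { rm -f "$cert"; return 1; }
  # the certificate must chain to the Root CA that is uploaded to the server
  openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 \
    || { rm -f "$cert"; return 1; }
  openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject=//; s/^CN=//'
  rm -f "$cert"
}

check_virtual_smartcard "$WORK/mark.pfx" "$PFX_PASS" "$WORK/root.pem"
```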

An Example of Auto-enrolling PKI Method with the Virtual Smartcard

Consider that the administrator has performed the following steps to allow auto-enrollment of the PKI method using the virtual smartcard:

  • Created a chain with the PKI method and another chain with preferred methods such as LDAP Password and Password.

  • Mapped the chains to the OAuth 2.0 event.

  • Configured the following settings in the HTTPS Options policy:

    • Set Enable SSL Client Certificate to ON and uploaded a valid CA certificate.

    • Set Enable Auto Enrollment based on certificate to ON.

  • Imported the client certificate into the user’s browser in .pfx format, containing details such as the digital signature, expiration date, user name, name of the CA, and so on.

Mark, an end user, wants to auto-enroll the PKI method using the virtual smartcard. When he tries to access the somecompany.com website, the user name stored in the certificate is filled into the user name field of the login form automatically. Mark must select the preferred certificate to validate his identity in the User Identification Request dialog box. Then, Mark must specify his LDAP details for additional validation. If the specified details are valid, Mark is auto-enrolled in the PKI method using the virtual smartcard, without a physical PKI token.

During subsequent logins, Mark may experience one of the following scenarios:

  • If a chain with only the PKI method is associated with the web authentication event, Mark is authenticated automatically.

  • If more than one chain is associated with the web authentication event, Mark is prompted with the list of chains, which includes the PKI chain along with the other available chains. In this case, he can select the chain with only the PKI method to be authenticated automatically, or select his preferred chain and provide the corresponding details to authenticate successfully.