From: Krzysztof B. <go...@ic...> - 2016-02-17 11:14:43
Dear Willem,

On 17.02.2016 at 10:55, Willem Elbers wrote:
> Dear Krzysztof,
>
> we have recently encountered an issue with users accessing unity from a
> safari browser, after enabling authentication with client certificates.
>
> Apparently iCloud installs a certificate in the OSX keychain. If a user
> then tries to access unity with client certificate authentication
> enabled, safari pops up a dialog where the user can select a certificate
> or choose cancel to authenticate without using a certificate.
> This is confusing for most users, especially because authentication
> fails if they don't click cancel.
>
> Is there a way to enable certificate based authentication on a dedicated
> endpoint, different from /home/home as a workaround for this issue? Or
> do you have another suggestion?

This is a difficult issue. Your solution is impossible in general. TLS authN happens (obviously) on the TLS level, i.e. a lower level than HTTP. So when this happens it is not known what HTTP path of an endpoint the browser *will* try to access. Therefore the answer is no: acceptance of client's certificate based authentication can be turned on/off only per network socket (with unityServer.core.httpServer.wantClientAuthn, see docs) == Unity instance.

Next, TLS offers a feature to help clients decide whether client certificate based authN is possible. Namely on TLS handshake, the client gets a list of DNs of server-accepted CAs. Unity supports this feature; here is part of the TLS handshake with the EUDAT instance retrieved by s_client:

[...]
Acceptable client certificate CA names
/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
/C=FI/ST=Uusimaa/L=Espoo/O=CSC - Tieteen tietotekniikan keskus Oy/CN=b2access.eudat.eu
/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Grid - G01
/C=DE/ST=NRW/L=Juelich/O=FZJ/OU=JSC/CN=EUDAT CA
/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
[...]

A smart browser should take this into account and not bug the user if there is no certificate installed which is issued by an accepted CA. To my knowledge Firefox honors this. From what you wrote, Safari doesn't.

All in all you can:
-) try to search for some hints on Safari itself knowing the above.
-) disable wantClientAuthn per Unity server
-) set up two Unity instances on different ports (sharing the same DB) to solve the issue fully - like using a sledgehammer to crack a nut...

Best regards,
Krzysztof
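The mechanism Krzysztof describes is the certificate_authorities field of the TLS 1.2 CertificateRequest message (RFC 5246 section 7.4.4): the server sends DER-encoded distinguished names, and a client can skip the certificate prompt when none of its installed certificates was issued by one of them. The following Python script is an added example written for this page; it is not code from the thread, from Unity, or from any browser. It builds a CertificateRequest body locally from three of the DNs shown in the s_client output above (no network access, no real handshake), parses the DN list back out in openssl's one-line style, and applies the "should the client offer a certificate at all" check that the post says Firefox performs. Assumptions: a minimal DER encoder limited to the six X.520 attribute types used in the post, single-attribute RDNs encoded as UTF8String, and a constructed, hypothetical issuer DN standing in for the iCloud keychain certificate.

```python
"""Parse the certificate_authorities list of a TLS 1.2 CertificateRequest
and decide, like a well-behaved browser, whether a locally installed client
certificate is worth offering.  Stdlib only; all bytes are built locally."""
import struct

# X.520 attribute OIDs for the DN components used in the post (assumption:
# only these six appear)
ATTR_OID = {"C": "2.5.4.6", "ST": "2.5.4.8", "L": "2.5.4.7",
            "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3"}
OID_ATTR = {v: k for k, v in ATTR_OID.items()}


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    """Dotted OID -> DER contents (first two arcs packed, base-128 rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return bytes(out)


def encode_name(openssl_dn):
    """'/C=DE/O=Foo' -> DER Name: SEQUENCE of single-attribute SETs."""
    rdns = b""
    for part in openssl_dn.strip("/").split("/"):
        attr, value = part.split("=", 1)
        atv = der_tlv(0x30, der_tlv(0x06, encode_oid(ATTR_OID[attr]))
                      + der_tlv(0x0C, value.encode()))   # UTF8String
        rdns += der_tlv(0x31, atv)                        # SET (one RDN)
    return der_tlv(0x30, rdns)


def read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER element at buf[pos:]."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                       # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_name(der):
    """DER Name -> '/C=DE/O=Foo' (openssl one-line style, as in the post)."""
    tag, rdns, _ = read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    parts, pos = [], 0
    while pos < len(rdns):
        _, rdn_set, pos = read_tlv(rdns, pos)
        _, atv, _ = read_tlv(rdn_set, 0)          # first attribute of the RDN
        _, oid, p = read_tlv(atv, 0)
        _, value, _ = read_tlv(atv, p)
        dotted = decode_oid(oid)
        parts.append("%s=%s" % (OID_ATTR.get(dotted, dotted), value.decode()))
    return "/" + "/".join(parts)


def build_certificate_request(accepted_dns):
    """TLS 1.2 CertificateRequest body: cert types, sig algs, CA DN list."""
    cert_types = b"\x01\x01"                      # one type: rsa_sign
    sig_algs = b"\x00\x02\x04\x01"                # one algorithm: sha256/rsa
    cas = b"".join(struct.pack("!H", len(n)) + n
                   for n in map(encode_name, accepted_dns))
    return cert_types + sig_algs + struct.pack("!H", len(cas)) + cas


def parse_acceptable_cas(body):
    """Extract what s_client prints as 'Acceptable client certificate CA names'."""
    pos = 1 + body[0]                                     # skip certificate_types
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # skip signature algs
    total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end, names = pos + total, []
    while pos < end:
        ln = struct.unpack("!H", body[pos:pos + 2])[0]
        names.append(decode_name(body[pos + 2:pos + 2 + ln]))
        pos += 2 + ln
    return names


def should_offer_certificate(client_cert_issuer, accepted_cas):
    """The check a 'smart browser' makes before prompting the user."""
    return client_cert_issuer in accepted_cas


# Three DNs taken from the s_client excerpt in the post.
ACCEPTED = [
    "/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01",
    "/C=DE/ST=NRW/L=Juelich/O=FZJ/OU=JSC/CN=EUDAT CA",
    "/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3",
]
# Constructed, hypothetical issuer of an iCloud-style keychain certificate.
ICLOUD_ISSUER = "/C=US/O=Example Inc/CN=Example Client Issuer"

if __name__ == "__main__":
    req = build_certificate_request(ACCEPTED)
    for dn in parse_acceptable_cas(req):
        print(dn)
    print("offer keychain cert?",
          should_offer_certificate(ICLOUD_ISSUER, parse_acceptable_cas(req)))
```

Because the DN list is exchanged inside the handshake, before any HTTP request exists, the script also illustrates why the per-path switch Willem asked for cannot work: the only knobs are the socket-level wantClientAuthn setting and the set of CAs the server advertises, which a client honouring this list uses to stay silent when no matching certificate is installed.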