Configuring X.509 certification-based single sign-on
To configure Application Security to use X.509 certification-based SSO:
- Configure X.509 client certification in Tomcat.
For information about certificateVerification and related options, see the Apache Tomcat documentation.
- Sign in to Application Security as an Administrator.
- On the header, select Administration.
- On the navigation pane, expand Configuration, and then click SSO.
You can configure only one single sign-on solution at a time.
- From the Enabled SSO list, select X.509.
- In the X.509 certificate username pattern box, type a regular expression that tells Application Security how to retrieve the username from the client certificate. Use one of the following two forms:
  - To retrieve the username from the X.509 certificate Subject field, use a regular expression with a capturing group. The regular expression is matched against the Subject field value, and the captured text is used as the username.
    Example: To match the CN attribute of the certificate Subject field, specify the pattern CN=(.*?)
  - To retrieve the username from the X.509 certificate Subject Alternative Name (SAN) extension Other Name, use a pattern of the form $0!OID$regex, where:
    OID is the object identifier of the Other Name from which to retrieve the username. Only Other Names that contain string values are supported.
    regex is the regular expression, with a capturing group, used to retrieve the username from the Other Name value.
    Example: One of the widely used SAN Other Names is User Principal Name (UPN), with OID 1.3.6.1.4.1.311.20.2.3. Its value takes the form username@domain.
    To match the whole username@domain under UPN, type the following pattern: $0!1.3.6.1.4.1.311.20.2.3$(\S+@\S+)
    To match only the user name before the @ sign, without the domain, under UPN, type the following pattern: $0!1.3.6.1.4.1.311.20.2.3$(.+?(?=@))
- Click SAVE.
- To implement the configuration, restart the Application Security server.
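As an added example, not code from the product or its documentation, the following Python sketch applies the two username-pattern forms described above (a Subject regex, and $0!OID$regex against a SAN Other Name) to constructed certificate data. The sample Subject and UPN values, the parse_pattern/extract_username helpers, the skipping of non-string Other Names and the rejection of empty captures are assumptions about how such a pattern would be applied, so that a pattern that matches nothing usable cannot yield a blank username.

```python
import re
from typing import Optional, Tuple

# Constructed sample certificate data (not a real certificate): the Subject as an
# RFC 4514 string and the SAN Other Name values keyed by OID.
UPN_OID = "1.3.6.1.4.1.311.20.2.3"
SAMPLE_CERT = {
    "subject": "CN=alice.example,OU=Engineering,O=Example Corp,C=US",
    "san_other_names": {
        UPN_OID: ["alice@corp.example"],
        "1.2.3.4.5": [b"\x01\x02"],  # non-string Other Name: must be ignored
    },
}


def parse_pattern(pattern: str) -> Tuple[Optional[str], str]:
    """Split a username pattern into (oid, regex).

    oid is None for a plain Subject regex; for the '$0!OID$regex' form it is
    the OID of the SAN Other Name to read. Assumed syntax handling.
    """
    prefix = "$0!"
    if not pattern.startswith(prefix):
        return None, pattern
    oid, sep, regex = pattern[len(prefix):].partition("$")
    if not sep or not oid or not regex:
        raise ValueError("SAN pattern must have the form $0!OID$regex")
    return oid, regex


def _first_capture(regex: str, value: str) -> Optional[str]:
    """Return group 1 of the first match (whole match if the regex has no
    group). An empty capture is treated as 'no username' (assumption)."""
    m = re.search(regex, value)
    if m is None:
        return None
    name = m.group(1) if m.re.groups else m.group(0)
    return name or None


def extract_username(pattern: str, cert: dict) -> Optional[str]:
    """Apply a username pattern to the constructed certificate data."""
    oid, regex = parse_pattern(pattern)
    if oid is None:
        return _first_capture(regex, cert["subject"])
    for value in cert["san_other_names"].get(oid, []):
        if not isinstance(value, str):
            continue  # only string-valued Other Names are supported
        name = _first_capture(regex, value)
        if name is not None:
            return name
    return None


if __name__ == "__main__":
    print(extract_username(r"CN=([^,]+)", SAMPLE_CERT))
    print(extract_username("$0!" + UPN_OID + r"$(\S+@\S+)", SAMPLE_CERT))
    print(extract_username("$0!" + UPN_OID + r"$(.+?(?=@))", SAMPLE_CERT))
```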
If you configured X.509 certification-based SSO and you also want users (local and LDAP) to be able to sign in with their user names and passwords, you must explicitly enable that option.
To enable user name and password login when you have X.509 SSO configured:
- Open the <fortify.home>/<app_context>/conf/app.properties file in a text editor.
- Set the sso.localAuthenticationEnabled property to true.
- Save and close the app.properties file.
- Restart the server.