X.509 Authentication

X.509 client authentication allows clients to authenticate to servers with certificates rather than with a user name and password by leveraging the X.509 public key infrastructure (PKI) standard.

MSS has additional information on X.509 configuration.

Enabling X.509 client authentication

  • When the user accesses the web client over TLS, the browser sends a client certificate that identifies the end user to the session server as part of the TLS handshake.

  • The session server checks the client’s certificate against its truststore to establish that the certificate is trusted.

  • Once the TLS negotiation is complete (the session server trusts the end user), the session server sends the end user’s public certificate to MSS for further validation.

  • MSS also verifies, using its own truststore, that it trusts the end user’s certificate.

  • When MSS finishes the validation, the end user will have successfully authenticated.

The client’s full certificate chain needs to be present in both the session server and MSS truststores, or alternatively the certificate must be signed by a Certificate Authority that is present in both truststores.
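The two-stage trust check described above (session server truststore first, then the MSS truststore) and the chain requirement can be reproduced with the openssl CLI. The script below is an added example, not part of the product documentation: it builds a constructed corporate CA, a constructed unrelated CA and two constructed end-user certificates, then models each truststore as a PEM bundle and treats the user as authenticated only when both truststores trust the presented certificate. File names, subject names and the truststore layout are assumptions for the demonstration; a real deployment uses the Java truststores configured in the session server and MSS.

```shell
#!/bin/sh
# Added example (not from the product documentation): models the client
# certificate trust check performed by a session server and MSS, using
# constructed CAs and end-user certificates. Requires openssl 1.1.1 or later.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed self-signed CA. $1 = file name stem, $2 = subject CN.
# A private config file keeps the run independent of the system openssl.cnf.
make_ca() {
  printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ca_ext\n[dn]\nCN = %s\n[ca_ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' "$2" > "$WORK/$1.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$WORK/$1.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Constructed end-user certificate. $1 = file name stem, $2 = subject CN,
# $3 = stem of the CA that signs it. Marked for TLS client authentication.
make_client() {
  printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n[client_ext]\nbasicConstraints = CA:FALSE\nkeyUsage = critical,digitalSignature\nextendedKeyUsage = clientAuth\n' "$2" > "$WORK/$1.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/$1.cnf" -extensions client_ext \
    -out "$WORK/$1.crt" 2>/dev/null
}

# One truststore check. $1 = PEM bundle standing in for a truststore,
# $2 = certificate presented by the end user. Exit status 0 means "trusted".
# The system CA store is disabled so only the bundle decides.
trusted_by() {
  openssl verify -no-CAfile -no-CApath -purpose sslclient \
    -CAfile "$1" "$2" >/dev/null 2>&1
}

# The end user is authenticated only when the session server truststore ($1)
# AND the MSS truststore ($2) both trust the presented certificate ($3).
authenticate_user() {
  trusted_by "$1" "$3" && trusted_by "$2" "$3"
}

# Constructed PKI: a corporate CA, an unrelated CA, and one user under each.
make_ca corp_ca "Example Corp Issuing CA (constructed)"
make_ca other_ca "Unrelated CA (constructed)"
make_client alice "alice@example.test" corp_ca
make_client mallory "mallory@example.test" other_ca

# Truststore variants.
cat "$WORK/corp_ca.crt" > "$WORK/ts_corp_ca.pem"                        # issuing CA only
cat "$WORK/alice.crt" "$WORK/corp_ca.crt" > "$WORK/ts_full_chain.pem"   # user's full chain
cat "$WORK/other_ca.crt" > "$WORK/ts_other_ca.pem"                      # wrong CA

# Human-readable run. $1 = session server truststore, $2 = MSS truststore,
# $3 = presented certificate, $4 = scenario label.
report() {
  if authenticate_user "$1" "$2" "$3"; then
    echo "$4: authenticated"
  else
    echo "$4: rejected"
  fi
}

report "$WORK/ts_corp_ca.pem"    "$WORK/ts_corp_ca.pem"    "$WORK/alice.crt"   "alice, issuing CA in both truststores"
report "$WORK/ts_full_chain.pem" "$WORK/ts_full_chain.pem" "$WORK/alice.crt"   "alice, full chain in both truststores"
report "$WORK/ts_corp_ca.pem"    "$WORK/ts_other_ca.pem"   "$WORK/alice.crt"   "alice, MSS truststore lacks her CA"
report "$WORK/ts_corp_ca.pem"    "$WORK/ts_corp_ca.pem"    "$WORK/mallory.crt" "mallory, signed by an unrelated CA"
```

The third scenario is the one that catches most deployments: the TLS handshake at the session server succeeds, but MSS rejects the user because its truststore was never updated, so a certificate must be trusted at both stages before the end user is authenticated.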

The browser determines which client certificate to send using browser-specific or smart-card-specific configuration.

Basic steps

  1. First, enable OAuth.

  2. Configure X.509 in the MSS Administrative Console.

  3. Ensure the user certificate is properly installed on the client system.