Any option for Smartcard Based Certificate Login when External SSO/SAML options are not available?
07-27-2017 09:01 AM
Have the requirement to only allow users to log into ServiceNow using DoD CAC certificates.
I can get the DoD Root CA certs to use for trusted Roots
Have done many searches already, however, and don't see anyone talking about the possibility of having the browser prompt for which certificate to use, request a PIN, and then use the SSL/TLS certificate info to first check against a certificate revocation list and then either associate the certificate with a known user or create a new user account using info from within the certificate.
To the best of my knowledge there is not a viable external SSO authority to which I can connect for this purpose.
Any advice / direction would be much appreciated.
10-19-2019 11:14 AM
To do this you need a Big-IP with Access Policy Manager to act as the Identity Provider, and have it tied to either an LDAP or an AD server.
10-19-2019 11:13 AM
I understand this post is several years old right now. I'm currently pursuing ServiceNow SSO capability with DoD/CAC sign on with the use of an F5 Big-IP LTM/APM.
The issue I'm currently encountering is I have the Big-IP Access Policy set to prompt the client/user for a certificate. It does this and the user can enter their PIN. However, whenever they do this the Big-IP appears to fully authenticate the user and establishes a session which can be viewed along with all of its variables in the Access Policy -> Manage Sessions page of the Big-IP.
Now, when I review the ServiceNow logs it appears that one of the certificates in the SAML Response is part of the DoD Root CA chain, even though the Big-IP SAML IdP has this certificate loaded. It seems that ServiceNow can't validate the certificate because it's expecting the SAML IdP's certificate but keeps getting the DoD Root CA certificate. This is where I've been stuck. When I remove that certificate the client can't establish a secure connection to the SAML. However, with it it can, but it can't be validated. Something I do not understand is why it's attempting to validate that CA root cert when it has nothing to do with the client/user certificate validation.
Would love to hear y'alls thoughts and see where you all have progressed with all of this.
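One way to confirm the mismatch described in the post above (the Signature's KeyInfo carrying a DoD root CA certificate instead of the IdP's own signing certificate) is to fingerprint every certificate in the SAML Response's ds:Signature/ds:KeyInfo and compare it with the fingerprint of the certificate configured on the ServiceNow side. The following is an added example, not code from ServiceNow, F5 or any poster; the certificate bytes, issuer URL and fingerprints are constructed placeholders, and a real check would use the DER of the actual IdP certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins for DER-encoded certificates (not real certificates).
IDP_DER = b"constructed-idp-signing-certificate"
ROOT_DER = b"constructed-dod-root-ca-certificate"
IDP_FP = hashlib.sha256(IDP_DER).hexdigest()
ROOT_FP = hashlib.sha256(ROOT_DER).hexdigest()


def fingerprint(b64_cert):
    """SHA-256 fingerprint of the DER bytes inside a ds:X509Certificate element."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha256(der).hexdigest()


def signing_certs(saml_response_xml):
    """Fingerprints of every certificate carried in a ds:Signature's KeyInfo, in document order."""
    root = ET.fromstring(saml_response_xml)
    found = []
    for sig in root.iter("{%s}Signature" % NS["ds"]):
        for cert in sig.iterfind(".//ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            found.append(fingerprint(cert.text))
    return found


def check_idp_cert(saml_response_xml, expected_idp_fp):
    """Report whether the KeyInfo presents the configured IdP cert, and list anything else it carries."""
    found = signing_certs(saml_response_xml)
    return {
        "presented": found,
        "idp_cert_present": expected_idp_fp in found,
        "unexpected": [fp for fp in found if fp != expected_idp_fp],
    }


def sample_response(cert_der):
    """Constructed minimal SAML Response whose Signature KeyInfo carries the given cert."""
    b64 = base64.b64encode(cert_der).decode()
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1">'
        "<saml:Issuer>https://idp.example.mil/saml</saml:Issuer>"
        '<ds:Signature xmlns:ds="%s"><ds:SignedInfo/><ds:SignatureValue>c2ln</ds:SignatureValue>'
        "<ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>"
        "</ds:Signature></samlp:Response>"
    ) % (NS["samlp"], NS["saml"], NS["ds"], b64)
```

Running `check_idp_cert(sample_response(ROOT_DER), IDP_FP)` reproduces the symptom in the post: the IdP certificate is absent and the root CA fingerprint is listed as unexpected, which is what ServiceNow's validation is effectively reporting.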