Authentication by Purdue X.509 certificate
Users who possess a Purdue certificate may authenticate to the Purdue realm by establishing a client-side SSL connection with the authentication net daemon. Successful client-side SSL setup uniquely identifies the person because Purdue certificates have the person's PUID embedded within the certificate. The person is authenticated because he had to prove knowledge of the certificate's private key as part of the SSL negotiation. A successful certificate authentication to the Purdue realm establishes the user's identity in that realm, and possibly in other realms (see Trust Relationships below).
Certificate-based authentication is not part of the protocol clients use to communicate with the net daemons; that is, there is no "authenticate with a certificate" command in that protocol. Certificate-based authentication occurs when the client establishes a client-side SSL connection with a net daemon. Until this connection is established the net daemon doesn't listen for commands; once it is established the user has been authenticated even though protocol commands have not yet been sent by the client.
Restrictions
Certificate-based authentication is available only with Purdue-issued certificates. Certificates issued by other certificate authorities cannot be used because they do not have the PUID embedded within the certificate.
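The handshake-as-authentication flow described above, together with the restriction to Purdue-issued certificates, as an added Go example; this is not code from Purdue's daemon or protocol. It assumes the PUID is carried in the certificate subject's serialNumber attribute (the page does not say where Purdue embeds it), builds a constructed CA plus server and client certificates in memory, and runs the exchange over a loopback TLS listener. The names authd, purdueCA, otherCA, issue, serve and runExchange, the PUID 0012345678 and the "whoami" command are all this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Added illustration, not Purdue's code. Assumption: the PUID sits in the
// certificate subject's serialNumber attribute (the page does not say where).
type identity struct{ cert *x509.Certificate; key *ecdsa.PrivateKey }

// issue signs tmpl with parent's key, or self-signs it as a CA when parent is nil.
// This is constructed setup, so a failure simply panics.
func issue(tmpl *x509.Certificate, parent *identity) *identity {
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(time.Hour)
	tmpl.IsCA, tmpl.BasicConstraintsValid = parent == nil, true
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // rand.Reader does not fail
	parentCert, signKey := tmpl, key
	if parent != nil {
		parentCert, signKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // freshly created DER always parses
	return &identity{cert, key}
}

// purdueCA stands in for the Purdue CA; otherCA is an unrelated CA the daemon must reject.
var purdueCA = issue(&x509.Certificate{Subject: pkix.Name{CommonName: "Constructed Purdue CA"}}, nil)
var otherCA = issue(&x509.Certificate{Subject: pkix.Name{CommonName: "Unrelated CA"}}, nil)

// serve is the daemon's side of one connection; the handshake itself is the authentication step.
func serve(tc *tls.Conn) (string, error) {
	defer tc.Close()
	if err := tc.Handshake(); err != nil { // proves key possession, verifies chain against ClientCAs
		return "", err
	}
	st := tc.ConnectionState()
	if len(st.VerifiedChains) == 0 || st.PeerCertificates[0].Subject.SerialNumber == "" {
		return "", fmt.Errorf("no verified client certificate carrying a PUID")
	}
	puid := st.PeerCertificates[0].Subject.SerialNumber
	var cmd string
	fmt.Fscanln(tc, &cmd) // protocol commands are read only after authentication
	fmt.Fprintf(tc, "ok:%s:%s\n", puid, cmd)
	return puid, nil
}

// runExchange opens one connection to a constructed daemon. issuer is the CA that signed
// the client's certificate (nil: no certificate). Returns the PUID bound to the session.
func runExchange(issuer *identity) (puid, reply string, err error) {
	srv := issue(&x509.Certificate{DNSNames: []string{"authd"}}, purdueCA)
	pool := x509.NewCertPool()
	pool.AddCert(purdueCA.cert)
	srvCfg := &tls.Config{ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert, // others fail here
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.cert.Raw}, PrivateKey: srv.key}}}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "authd"}
	if issuer != nil {
		subj := pkix.Name{CommonName: "Jane Doe", SerialNumber: "0012345678"} // constructed PUID
		cli := issue(&x509.Certificate{Subject: subj}, issuer)
		cliCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cli.cert.Raw}, PrivateKey: cli.key}}
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return "", "", err
	}
	defer ln.Close()
	var serverPUID string
	done := make(chan error, 1)
	go func() { // the authentication net daemon
		conn, err := ln.Accept()
		if err == nil {
			serverPUID, err = serve(conn.(*tls.Conn))
		}
		done <- err
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return "", "", err
	}
	fmt.Fprint(c, "whoami\n")
	fmt.Fscanln(c, &reply) // stays empty when the daemon rejected the certificate
	c.Close()
	err = <-done
	return serverPUID, reply, err
}

func main() {
	fmt.Println(runExchange(purdueCA))
}
```

Two settings carry the page's guarantees: ClientAuth set to RequireAndVerifyClientCert makes the handshake fail when no certificate is presented, and ClientCAs holding only the Purdue CA makes a certificate from any other authority fail too, which is why the Restrictions section can rely on every accepted certificate carrying a PUID. serve reads its first command only after Handshake has returned, mirroring the statement that the daemon does not listen for commands until the SSL connection is established.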
Authentication Sessions
While a user remains connected, the authentication net daemon tracks the session's authentication state and passes it to the authentication DBM with each command. Having established a client-side SSL connection, the user is authenticated to the Purdue realm. If the user authenticates to other realms via the authenticate by password protocol command, the authentication net daemon records each successful authentication and passes these additional authentication credentials to the authentication DBM.
Trust Relationships
Realms may define trust relationships with other realms to allow a user to authenticate once and share the resulting authentication credentials with other realms. The combination of the authentication DBM's trust relationships and the authentication net daemon's tracking of authentication sessions allows users to establish their identities in multiple realms with a single authentication. Realms that trust the Purdue realm will automatically accept Purdue certificate authentications.
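The session tracking and trust relationships just described, modelled as an added Go example; this is not the authentication DBM's or net daemon's code. Session, NewCertSession, AuthenticateByPassword, TrustTable, Accepts and scenario are this example's own names, the password verifier, realm names and PUID are constructed, and trust is taken to be direct rather than transitive, which the page does not state either way.

```go
package main

import "fmt"

// Session is what the authentication net daemon keeps for one connection: the PUID
// learned from the certificate and the realms the user has authenticated to.
type Session struct {
	PUID   string
	Realms map[string]bool
}

// NewCertSession is created when the client-side SSL handshake succeeds: the user
// is authenticated to the Purdue realm before any protocol command arrives.
func NewCertSession(puid string) *Session {
	return &Session{PUID: puid, Realms: map[string]bool{"Purdue": true}}
}

// AuthenticateByPassword records a successful "authenticate by password" command for
// another realm. verify stands in for that realm's own password check (assumed here).
func (s *Session) AuthenticateByPassword(realm, password string, verify func(realm, puid, password string) bool) bool {
	if !verify(realm, s.PUID, password) {
		return false // nothing is recorded for a failed attempt
	}
	s.Realms[realm] = true
	return true
}

// TrustTable holds the DBM's trust relationships: t[r][o] means realm r accepts an
// authentication performed in realm o.
type TrustTable map[string]map[string]bool

// Accepts decides, for a command addressed to realm, whether the credentials the daemon
// passed along with it satisfy that realm. Assumption: trust is direct, not transitive;
// the page only describes realms that trust the Purdue realm directly.
func (t TrustTable) Accepts(realm string, s *Session) bool {
	if s.Realms[realm] {
		return true // authenticated to this realm itself
	}
	for authed := range s.Realms {
		if t[realm][authed] {
			return true // authenticated to a realm this one trusts
		}
	}
	return false
}

// scenario walks one session through the flow on the page and reports which realms
// would accept its commands. All values are constructed.
func scenario() map[string]bool {
	// Constructed password store: only the Library realm knows this user's password.
	verify := func(realm, puid, pw string) bool {
		return realm == "Library" && puid == "0012345678" && pw == "example-pass"
	}
	s := NewCertSession("0012345678")                           // certificate handshake: Purdue realm
	s.AuthenticateByPassword("Library", "example-pass", verify) // explicit second realm
	s.AuthenticateByPassword("Payroll", "example-pass", verify) // fails: nothing recorded
	trust := TrustTable{
		"CS":   {"Purdue": true},  // trusts the Purdue realm: certificate auth suffices
		"Club": {"Library": true}, // trusts only the Library realm
		"HR":   {},                // trusts nobody: needs its own authentication
	}
	out := map[string]bool{}
	for _, r := range []string{"Purdue", "Library", "CS", "Club", "HR", "Payroll"} {
		out[r] = trust.Accepts(r, s)
	}
	return out
}

func main() {
	for r, ok := range scenario() {
		fmt.Printf("%-8s %v\n", r, ok)
	}
}
```

The daemon side (Session) only ever records successful authentications, and the DBM side (TrustTable.Accepts) consults the whole credential set with every command, which is the division of labour the page describes; HR shows that a realm with no trust relationship still requires its own authentication even for a certificate-authenticated user.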