Auth0 Home Blog Docs

how does client certificate authentication for LDAP/AD work ?

client
certificate
ad-connector
silent-authenticatio

#1

I am wondering how the LDAP/AD authentication with client certificate works from a client point of view. How is the client certificate selected/set for the authentication and is all handled at the layer of SSL or does this require any additional code on the client?

I read this article: https://auth0.com/docs/connector/client-certificates
but the questions above remain.


#2

Based on the information I could obtain when you enable that authentication mode the end-user is directed to a TLS endpoint that as part of the connection establishment requires the client to provide a client certificate. In general, this authentication will happen in a browser so the browser will be in charge of providing the respective UI so that the end-user can select a client certificate from the list of applicable ones.

If the selected client certificate meets the requirements, the main ones being that is certificate signed by one of the CA’s you configured in the connector and that it has a subject name that matches a directory user then authentication can be completed based solely on the certificate. In conclusion, for a web application the only setup you would have with regards to the client would be to ensure that certificates would be available (for example, both IE and Chrome would get certificates from the underlying Windows certificate store).


#3

Thanks for your answer. How would this work for a non-browser client? Can I automate the certificate selection in code instead of having the user select one? In my case I am trying to find a solution for authenticating ‘things’, so no user involved but a valid certifcate has been installed on the thing through another channel.


#4

Thanks for your answer. How would this work for a non-browser client? Can I automate the certificate selection in code instead of having the user select one? In my case I am trying to find a solution for authenticating ‘things’, so no user involved but a valid certifcate has been installed on the thing through another channel.


#5

In theory yes, the browser already somewhat automate that selection because they don’t show all the available certificates and only the ones signed by the CA’s configured in the connector, however, I have to confess I’m unaware of any sample code for that. In addition, have in mind that if the thing is accessible to a malicious user then it could try to obtain the certificate from the thing which could render the whole authentication scheme useless.


#6

The thing (a train) does have a separate channel to distribute confidential information and does have save places to store information. Can I discuss this case with you in more detail? My company does have an enterprise license to Auth0.


#7