Smart card login is a certificate-based login: the certificate is supplied by the smart card and used by Privileged Access Service to authenticate the user. To use smart card authentication with Privileged Access Service, your users must already be configured for smart card login.
To set up smart card authentication:
- Log in to the Admin Portal.
- Click Access > Policies.
- Select the relevant policy or create a new one.
- Click Authentication Policies > Centrify Services.
- Confirm that "Use certificates for authentication" (in the Other Settings section) is enabled. It is enabled by default.
You must have this option enabled to use smart card authentication. It allows Privileged Access Service to use the certificate on the smart card to authenticate users to the cloud service.
- (Optional) Enable the "Set identity cookie for connections using certificate authentication" option only if you have a hybrid system where users log in with smart cards and with another authentication method.
Enabling this option allows Privileged Access Service to write a cookie to the browser after a successful login. On subsequent logins, Privileged Access Service checks the browser for this cookie and acts on any identity cookie authentication rules you have configured. See Creating authentication rules.
- Upload your certificate authority chain.
- Log in to the Admin Portal.
- Click Settings > Authentication > Certificate Authorities.
- Provide a unique name for the trusted certificate authority.
- Specify the field to use for extracting the user login name from the certificate.
Select the same field for all certificates in the chain.
- Click Browse to select the certificate authority chain to upload.
The uploaded chain must contain every certificate needed for chain validation, starting at the intermediate CA and chaining up to a root certificate authority.
Note: The uploaded file must contain all certificates required to establish chain trust from a user certificate. If chain trust verification requires intermediate authorities, package all required certificates in p7b format, and upload the p7b file. The p7b file should contain all intermediate authorities chaining up to a root authority.
(Optional) Select the Enable Client Certificate Revocation Check checkbox to allow Privileged Access Service to verify that the smart card certificate has not been revoked.
If the user certificate carries revocation check information -- a CRL Distribution Point (CDP) or an Online Certificate Status Protocol (OCSP) URL -- and the Enable Client Certificate Revocation Check option is enabled on the CA chain, Privileged Access Service contacts those endpoints to check that the certificate is still valid.
Important: To perform certificate revocation checks, CDP URLs and OCSP URLs must be reachable from the Internet. Turning on revocation check on the CA chain when revocation check endpoints are not reachable from the Internet causes certificate authentication to fail.
This revocation check is specific to smart card logins. After derived credentials are securely stored on enrolled devices, this check does not impact the derived credentials.
- Click Save.
For more information on managing certificate authorities, see Managing Certificate Authorities.
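The three things an administrator wants settled before clicking Save in the procedure above are whether the uploaded p7b really chains the user certificate up to a root, which certificate field carries the login name, and where a revocation check would have to reach. The following script is an added example, not Centrify's code: it builds a throwaway root, intermediate and smart card user certificate with openssl (every name, key and URL in it is constructed), packages the CA chain as a DER p7b the way the upload step expects, and then runs those three checks, including the incomplete bundle that the Note warns about.

```shell
#!/bin/sh
# Added example (not Privileged Access Service code). Builds a constructed
# root -> intermediate -> user PKI in a temp dir, bundles the CA chain as .p7b,
# and checks it the way the upload step and the revocation option require.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the run does not depend on the system openssl.cnf.
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[user_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth, msSmartcardLogin
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
# Login name in the SAN: RFC822 name (stable to parse) plus the AD-style UPN.
subjectAltName = email:alice@example.test, otherName:msUPN;UTF8:alice@example.test
# Constructed revocation endpoints (assumed hostnames, not real services).
crlDistributionPoints = URI:http://pki.example.test/issuing.crl
authorityInfoAccess = OCSP;URI:http://ocsp.example.test
EOF

new_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }
csr()     { openssl req -new -key "$1" -subj "$2" -config "$WORK/pki.cnf" -out "$3"; }
sign()    { openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days 1 \
                -extfile "$WORK/pki.cnf" -extensions "$4" -out "$5" 2>/dev/null; }

new_key "$WORK/root.key"
openssl req -x509 -new -key "$WORK/root.key" -subj "/CN=Example Root CA" -days 1 \
    -config "$WORK/pki.cnf" -extensions ca_ext -out "$WORK/root.pem"
new_key "$WORK/inter.key"
csr "$WORK/inter.key" "/CN=Example Issuing CA" "$WORK/inter.csr"
sign "$WORK/inter.csr" "$WORK/root.pem" "$WORK/root.key" ca_ext "$WORK/inter.pem"
new_key "$WORK/user.key"
csr "$WORK/user.key" "/CN=Alice Example" "$WORK/user.csr"
sign "$WORK/user.csr" "$WORK/inter.pem" "$WORK/inter.key" user_ext "$WORK/user.pem"

# Package CA certificates as a DER PKCS#7 (.p7b) bundle: bundle_p7b out.p7b cert.pem...
bundle_p7b() {
  out="$1"; shift
  # Rewrite the remaining args "a b" into "-certfile a -certfile b".
  for c in "$@"; do set -- "$@" -certfile "$c"; shift; done
  openssl crl2pkcs7 -nocrl "$@" -outform DER -out "$out"
}

# Unpack the .p7b and check that the user certificate chains to a self-signed
# root found in the bundle. A bundle that stops at the intermediate fails with
# "unable to get issuer certificate", which is what the Note above warns about.
verify_user_cert() {  # usage: verify_user_cert chain.p7b user.pem ; exit status is the answer
  openssl pkcs7 -inform DER -in "$1" -print_certs -out "$1.pem"
  openssl verify -CAfile "$1.pem" "$2" >/dev/null 2>&1
}

# The field selected in the portal must hold the login name. The SAN RFC822
# name is parsed here because openssl releases before 3.0 print the msUPN
# otherName as "<unsupported>" rather than as "UPN::<name>".
login_name_from_cert() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*email:\([^,[:space:]]*\).*/\1/p' | head -n 1
}

# The endpoints a revocation check would contact (CDP and OCSP URIs). If these
# are not reachable from the Internet, enabling the check breaks logins.
revocation_urls() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*URI:\([^[:space:]]*\).*/\1/p'
}

bundle_p7b "$WORK/chain.p7b" "$WORK/inter.pem" "$WORK/root.pem"
bundle_p7b "$WORK/inter_only.p7b" "$WORK/inter.pem"   # the incomplete bundle

echo "login name field: $(login_name_from_cert "$WORK/user.pem")"
echo "revocation endpoints:"; revocation_urls "$WORK/user.pem"
if verify_user_cert "$WORK/chain.p7b" "$WORK/user.pem"; then
  echo "chain.p7b: user certificate validates up to the root"
fi
if ! verify_user_cert "$WORK/inter_only.p7b" "$WORK/user.pem"; then
  echo "inter_only.p7b: rejected, the bundle lacks the root CA"
fi
```

Run it with any openssl 1.1.1 or newer; the same `bundle_p7b` and `verify_user_cert` calls can be pointed at your real intermediate and root PEM files before the upload step, and `revocation_urls` at a real smart card certificate to see which CDP and OCSP endpoints the revocation check would depend on.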