News & comment tagged ‘cac’
● SSO Plugin and CAC
posted by John B on 8th November 2011
We are regularly asked by US government agencies if SSO Plugin supports Common Access Cards.
SSO Plugin is used by a number of US military clients, some of which have integrated with CAC.
The answer is yes: SSO Plugin supports CAC, and it is already deployed at US government sites that use it.
● X509 client certificates / DoD CAC
posted by John B on 6th February 2011
SSO Plugin version 3.3 supports X.509 client certificates, which is how DoD CAC authenticates users to web applications over TLS.
In a nutshell, this means that if you use client certificates and SSL, SSO Plugin can extract the Subject from the client certificate and use it as part of the login process. The web server must be configured to require the client certificate and verify its chain against your trusted CAs; the Subject is only trustworthy once that verification has succeeded.
Mapping a client certificate to an AR System User form entry
There are a number of ways you can map the subject to a User form entry. Typically, a subject will look like this:
cn=david, ou=users, o=jss, l=mk, st=bucks, c=uk
You may simply extract david (from cn=david) and search for a user with that Login Name. This is only safe when the CN is unique across your certificate population; otherwise two certificates with the same CN would map to the same account.
Alternatively, you can configure the user aliasing feature to map the entire subject to a User form entry: add a new field to the User form, create the internal AR System users, and store each user's certificate subject in that field.
Both options are configured through the SSO Plugin Mid Tier user interface.
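The two mapping strategies above, as an added example that is not SSO Plugin code: a small RFC 4514 subject parser (a naive split on commas breaks on escaped values such as cn=Smith\, John), a CN extractor that refuses ambiguous subjects, and a full-subject alias lookup against a constructed dictionary standing in for the extra User form field. The final function reads the DN from Apache mod_ssl's environment variables and only does so once mod_ssl reports the chain verified; the variable names are mod_ssl's, the sample values are constructed.

```python
"""Parse an X.509 subject DN (RFC 4514 string form) and map it to an AR System login.
Added example, not SSO Plugin code. The alias table below is a constructed stand-in
for the extra User form field the post describes."""


def _split_unescaped(s: str, seps: str) -> list:
    """Split on any separator in `seps` that is not backslash-escaped."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):      # keep the escape pair intact
            buf.append(s[i:i + 2]); i += 2; continue
        if s[i] in seps:
            parts.append("".join(buf)); buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(v: str) -> str:
    """Undo RFC 4514 escaping: \\, \\+ \\= ... and \\XX hex pairs (UTF-8 bytes)."""
    out, i = bytearray(), 0
    while i < len(v):
        if v[i] == "\\" and i + 1 < len(v):
            pair = v[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out.append(int(pair, 16)); i += 3; continue
            out += v[i + 1].encode(); i += 2; continue
        out += v[i].encode(); i += 1
    return out.decode("utf-8")


def parse_dn(dn: str) -> list:
    """Return [(type, value), ...] in the order written, attribute types lower-cased."""
    avas = []
    for rdn in _split_unescaped(dn, ",;"):
        for ava in _split_unescaped(rdn, "+"):      # multi-valued RDNs are flattened
            if not ava.strip():
                continue
            typ, sep, val = ava.partition("=")
            if not sep:
                raise ValueError("malformed RDN: %r" % ava)
            val = val.lstrip()
            while val.endswith(" ") and not val.endswith("\\ "):
                val = val[:-1]                       # drop unescaped padding only
            avas.append((typ.strip().lower(), _unescape(val)))
    return avas


def _escape(v: str) -> str:
    """Re-apply RFC 4514 escaping so the canonical string round-trips."""
    out = v.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    if out[:1] in ("#", " "):
        out = "\\" + out
    return out


def normalise_dn(dn: str) -> str:
    """Canonical alias-table key: lower-case types, one separator style, consistent
    escaping. Attribute order is kept as written; reverse it first if your server
    emits the 'C first' order. Values keep their case; fold them if your directory
    matches case-insensitively."""
    return ", ".join("%s=%s" % (t, _escape(v)) for t, v in parse_dn(dn))


def cn_login_name(dn: str) -> str:
    """Strategy 1: the CN becomes the AR System Login Name. Refuses subjects with
    no CN or several rather than guessing."""
    cns = [v for t, v in parse_dn(dn) if t == "cn"]
    if len(cns) != 1:
        raise ValueError("expected exactly one CN, got %d" % len(cns))
    return cns[0]


# Constructed stand-in for the User form field: canonical subject -> login name.
ALIAS_TABLE = {
    "cn=david, ou=users, o=jss, l=mk, st=bucks, c=uk": "david",
    "cn=Smith\\, John, ou=contractors, o=example, c=US": "jsmith.ctr",
}


def alias_login_name(dn: str):
    """Strategy 2: map the whole subject through the alias table (None if unknown)."""
    return ALIAS_TABLE.get(normalise_dn(dn))


def subject_from_mod_ssl(env: dict) -> str:
    """Trust the DN only after the TLS layer verified the client certificate chain.
    Variable names are Apache mod_ssl's (non-legacy RFC 2253 format, CN first)."""
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        raise PermissionError("client certificate missing or not verified")
    return env["SSL_CLIENT_S_DN"]


if __name__ == "__main__":
    env = {"SSL_CLIENT_VERIFY": "SUCCESS",                      # constructed request env
           "SSL_CLIENT_S_DN": "CN=Smith\\, John,OU=contractors,O=example,C=US"}
    dn = subject_from_mod_ssl(env)
    print(cn_login_name(dn))      # Smith, John  (a split on ',' would have given 'Smith\')
    print(alias_login_name(dn))   # jsmith.ctr
```

Whichever strategy you pick, do the mapping on the server after certificate verification, and treat a subject that matches no User form entry as a failed login rather than falling through to another authenticator.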
● Single Sign-On with Common Access Cards
posted by John B on 5th January 2011
A military customer recently contacted us to ask whether we could support Common Access Cards (CAC).
Our aim is to support every feasible SSO system, but the discussion revealed a misconception about CAC and SSO on the BMC Mid Tier: a number of third parties state that a specific CAC plugin is required to interoperate with the AR System. That reflects a misunderstanding of how Windows authentication works.
The CAC is a two-factor system: the user proves something they have (the physical smartcard, which holds their private key and certificate) and something they know (the card's PIN). Both are required to log on to the Windows account. Once logged on, Windows holds a Kerberos ticket-granting ticket obtained with the card, and for the lifetime of that ticket the user is identified to domain services without the card being consulted again.
The standard Windows authentication process is all that is required to log in to any web application that uses Integrated Windows Authentication. Web applications do not need any special support for CAC unless they have their own account management processes that step outside the standard Windows authentication systems.
If you use applications that accept Windows authentication, such as Microsoft SharePoint, you are most likely using IWA already every time you open IE and connect to them. If it is good enough to secure access to your Windows domain, mail and other intranet applications, it is good enough for the Mid Tier.
So supporting CAC for the AR System and Mid Tier is as simple as using SSO Plugin's built-in Active Directory or IIS integration, functionality that is supported out of the box.
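The argument above rests on the browser presenting a Kerberos ticket obtained at CAC logon. The check a practitioner wants when testing such a deployment is whether the Negotiate header the Mid Tier receives really carries Kerberos, or whether the browser has silently fallen back to NTLM (typical when no SPN is registered for the Mid Tier's host name). The following is an added example, not SSO Plugin code: a minimal SPNEGO token parser run over constructed sample headers. The OIDs are the standard ones; the inner Kerberos and NTLM token bodies are placeholders, not captured traffic.

```python
"""Classify an HTTP 'Authorization: Negotiate <base64>' value as Kerberos or NTLM.
Added example, not SSO Plugin code. Sample tokens are constructed, not captured."""
import base64

SPNEGO  = "1.3.6.1.5.5.2"
KRB5    = "1.2.840.113554.1.2.2"
MS_KRB5 = "1.2.840.48018.1.2.2"          # Microsoft Kerberos OID, offered first by Windows
NTLMSSP = "1.3.6.1.4.1.311.2.2.10"


def _oid_encode(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def _oid_decode(b: bytes) -> str:
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        val = (val << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _der(tag: int, body: bytes) -> bytes:
    """Short-form DER TLV encoder; the constructed samples are all under 128 bytes."""
    return bytes([tag, len(body)]) + body


def _tlv(buf: bytes, pos: int = 0):
    """Decode one DER TLV (single-byte tag, short or long length) at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def _initial_mech(tok: bytes) -> str:
    """Name the mechanism an inner (optimistic) mechToken belongs to."""
    if tok.startswith(b"NTLMSSP\x00"):
        return "NTLM"
    if tok[:1] == b"\x60":                      # GSS-API InitialContextToken framing
        _, inner, _ = _tlv(tok)
        _, oid, _ = _tlv(inner)
        return "Kerberos" if _oid_decode(oid) in (KRB5, MS_KRB5) else _oid_decode(oid)
    return "unknown"


def classify_negotiate(header_value: str) -> dict:
    """Report the mechs offered, the mech the first token belongs to, and whether
    the exchange is genuinely Kerberos (first offered mech and token both Kerberos)."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):          # raw NTLM with no SPNEGO wrapper
        return {"mechs": [], "initial": "NTLM", "kerberos": False}
    tag, body, _ = _tlv(raw)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    _, oid, pos = _tlv(body)
    this_mech = _oid_decode(oid)
    if this_mech != SPNEGO:                     # bare Kerberos AP-REQ (no negotiation)
        return {"mechs": [this_mech], "initial": _initial_mech(raw),
                "kerberos": this_mech in (KRB5, MS_KRB5)}
    tag, neg, _ = _tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("expected [0] negTokenInit")
    _, seq, _ = _tlv(neg)
    mechs, initial, p = [], None, 0
    while p < len(seq):
        tag, val, p = _tlv(seq, p)
        if tag == 0xA0:                         # [0] mechTypes: SEQUENCE OF OID
            _, lst, _ = _tlv(val)
            q = 0
            while q < len(lst):
                _, o, q = _tlv(lst, q)
                mechs.append(_oid_decode(o))
        elif tag == 0xA2:                       # [2] mechToken for mechs[0]
            _, tok, _ = _tlv(val)
            initial = _initial_mech(tok)
    kerberos = initial == "Kerberos" and mechs[:1] in ([KRB5], [MS_KRB5])
    return {"mechs": mechs, "initial": initial, "kerberos": kerberos}


def build_neg_token_init(mechs, mech_token: bytes) -> str:
    """Build the header value a browser would send; used here only to construct samples."""
    mech_list = _der(0x30, b"".join(_der(0x06, _oid_encode(m)) for m in mechs))
    neg_init = _der(0x30, _der(0xA0, mech_list) + _der(0xA2, _der(0x04, mech_token)))
    return "Negotiate " + base64.b64encode(
        _der(0x60, _der(0x06, _oid_encode(SPNEGO)) + _der(0xA0, neg_init))).decode()


# Constructed samples: real GSS/KRB5 framing around a placeholder AP-REQ, and an
# NTLMSSP signature plus type-1 message marker standing in for an NTLM negotiate.
_FAKE_AP_REQ = _der(0x60, _der(0x06, _oid_encode(MS_KRB5)) + b"\x01\x00" + _der(0x6E, _der(0x30, b"")))
SAMPLE_KERBEROS_HEADER = build_neg_token_init([MS_KRB5, KRB5, NTLMSSP], _FAKE_AP_REQ)
SAMPLE_NTLM_HEADER = build_neg_token_init([NTLMSSP], b"NTLMSSP\x00\x01\x00\x00\x00")
SAMPLE_RAW_NTLM_HEADER = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
```

Run the classifier over the Authorization headers logged on the Mid Tier (or captured with a proxy in the test environment): a result with `"kerberos": False` on a workstation that was logged on with a CAC means the ticket never reached the application, and the deployment is relying on NTLM rather than on the smartcard logon the post describes.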