Associate a CCA to a User
Before associating a CCA to a user, the feature must be enabled in FMOS.
Client Certificate Authentication (CCA) is a form of multi-factor authentication that uses a certificate authority stored on the server and a client certificate presented by the user's system (e.g., operating system or web browser). This authentication method can be enabled in FMOS. In this setup, Apache is responsible for validating the certificate. If the request is successfully processed by Apache and passed to SIP, SIP attempts to match the certificate to a user. If a valid user is found, authentication proceeds. If no matching user is found, the user is redirected to a page informing them that their certificate is not associated with an account and advising them to contact their administrator.
Complete these steps to add a CCA certificate to a user.
- Navigate to Access > Users.
- Either select an existing user or create a new user.
- In the User Properties section, under Client Certificate, click Upload to browse to the user's .crt file.
- Select the file and click Open.
- Click Save.
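Before uploading, the .crt file can be checked offline with OpenSSL. This is an added example, not part of FMOS or SIP. It assumes a PEM-encoded certificate and that the CA file you pass is the one Apache is configured to trust. The demo CA, "alice" and "stranger" certificates are constructed inline.

```shell
#!/bin/sh
# Pre-upload check for a user's client certificate (PEM-encoded .crt assumed).
# Return codes: 0 ok, 1 unreadable, 2 expired, 3 not issued by the given CA.
check_client_cert() {   # usage: check_client_cert CA_FILE USER_CRT
    openssl x509 -in "$2" -noout 2>/dev/null ||
        { echo "FAIL: $2 is not a readable X.509 certificate"; return 1; }
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: $2 has expired"; return 2; }
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
        { echo "FAIL: $2 does not chain to $1"; return 3; }
    # Subject and expiry help confirm this is the right user's certificate.
    openssl x509 -in "$2" -noout -subject -enddate
}

# Constructed throwaway PKI so the check can be run offline: a demo CA,
# "alice" issued by it, and "stranger" self-signed (unknown to the CA).
make_demo_pki() {       # usage: make_demo_pki DIR
    cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config "$1/pki.cnf" -days 2 \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" -subj "/CN=alice" \
        -keyout "$1/alice.key" -out "$1/alice.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/alice.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 2 -out "$1/alice.crt" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -config "$1/pki.cnf" -days 2 \
        -subj "/CN=stranger" -keyout "$1/stranger.key" -out "$1/stranger.crt" 2>/dev/null
}

# Demo run on the constructed files: alice passes, stranger is rejected.
demo_dir=$(mktemp -d) && make_demo_pki "$demo_dir"
check_client_cert "$demo_dir/ca.crt" "$demo_dir/alice.crt"
check_client_cert "$demo_dir/ca.crt" "$demo_dir/stranger.crt" || echo "(exit code $?)"
```

A certificate that passes this check can still produce the "does not match to a user" message if it has not been uploaded to the user's account in SIP.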
Log in using the new authentication
You may need to clear your cache and do a forced refresh of your SIP URL in the browser when logging in with a certificate for the first time.
When a user does not have a valid certificate
If Apache cannot validate the user's certificate, you will see a "This site cannot be reached" error.
When a certificate does not match to a user
If Apache validates the user's certificate but it does not match a user in SIP, you will see a "The certificate does not match to a user. Please contact a system administrator." error message.