|DACS_AUTOLOGIN_SSL(8)||DACS Web Services and CGI||DACS_AUTOLOGIN_SSL(8)|
dacs_autologin_ssl — use an SSL client certificate to automatically obtain DACS credentials
This program is part of the DACS suite.
The dacs_autologin_ssl CGI program, in conjunction with appropriate DACS configuration and a valid SSL client certificate, can be used for user-transparent DACS authentication. A user is not prompted for a username or password, and no user-visible sign-on procedure takes place.
At present, the program merely acts as glue to indirectly invoke dacs_authenticate(8). Any valid X.509 certificate can be used for this purpose, including a self-signed certificate. Please refer to the OpenSSL documentation for additional information about certificates.
This program can be used to automatically and transparently authenticate
a user that has been issued an SSL client certificate.
When an unauthenticated user is denied access to a
she can be automatically authenticated and redirected back to the resource
without any user input or action.
This assumes that the client certificate is sent automatically by the
browser and that no additional user prompting is needed by the authenticating
For redirection to the original resource to work properly.
the original request must have used the
cert style of authentication
must be configured when
dacs_autologin_ssl is being used as described.
Only the standard dacsoptions command line arguments are recognized.
dasc_autologin_ssl understands the following CGI arguments.
When dacs_autologin_ssl is invoked as
a result of DACS event handling,
DACS_ERROR_URL is automatically passed to it by
and represents the original URL to which access was denied.
In typical use, dacs_autologin_ssl is configured as the
handler for a dacs_acs
902 error code
Authentication by DACS is required").
dacs_autologin_ssl then invokes
If DACS authentication is successful,
issues a browser redirect to the value of
and a cookie bearing the credentials are set in the browser
(but see the
This argument is optional; if not provided, the jurisdiction's configured
post-authentication action will occur.
If this optional argument is present (its value is immaterial),
dacs_authenticate to not issue
a browser redirect to the value of
If this optional argument is present, it gives the name of the jurisdiction at which authentication should take place. By default, dacs_authenticate is invoked at the same jurisdiction as dacs_autologin_ssl.
This optional argument explicitly names the attribute
in the certificate from which to set
The default value is
It is an error if the specified attribute name does not exist.
Giving the value of
CERT_NAME_ATTR as the empty
string results in the empty string being passed as the value of
A typical use of dacs_autologin_ssl is to transparently authenticate a user via his SSL client certificate.
In the DACS configuration file,
EXAMPLE is configured as follows
(this excerpt from a configuration file uses fictitious domain names):
<Jurisdiction uri="example.com"> JURISDICTION_NAME "EXAMPLE" ACS_ERROR_HANDLER "NO_AUTH https://example.com/cgi-bin/dacs/dacs_autologin_ssl" <!-- Authenticate using an SSL certificate. --> <Auth id="cert"> URL "https://example.com/cgi-bin/dacs/local_cert_authenticate" STYLE "cert" CONTROL "sufficient" CERT_CA_PATH "/usr/local/apache2.4/conf/ssl.crt" CERT_NAME_ATTR "SSL_CLIENT_S_DN_CN" </Auth> </Jurisdiction>
Assume the following access control rule applies to the request:
<acl_rule status="enabled"> <services> <service url_pattern='/foo.html'/> </services> <rule order="allow,deny"> <allow> user("auth") </allow> </rule> </acl_rule>
The preceding configuration results in the following behaviour.
An unauthenticated user accessing
https://example.com/foo.html) is denied access
because the rule governing that web page tests for authentication and no
credentials are sent with the request.
As a result, the
directive causes the user to be redirected to
which redirects the user to dacs_authenticate,
passing arguments as necessary.
dacs_authenticate then invokes local_cert_authenticate, passing it the client's certificate. The certificate is validated and a username is extracted from it and mapped to a valid DACS username.
If authentication succeeds, DACS credentials
for the jurisdiction
EXAMPLE are generated.
These credentials are returned to the browser within a cookie and
the browser is redirected to the value of
was passed to dacs_autologin_ssl
by dacs_acs when the 902
handler was invoked and was forwarded to
In this example the user is redirected to
Given the rule above, this time the user's request for
foo.html will be granted.
dacs_autologin_ssl may also be used as the target of an explicit authentication link. For example:
<a href="https://example.com/cgi-bin/dacs/dacs_autologin_ssl?\ AUTH_JURISDICTION=EXAMPLE&\ DACS_ERROR_URL=https://example.com/cgi-bin/dacs/dacs_current_credentials">Login</a>
Following the link should result in the user being authenticated and redirected to the specified URL.
Distributed Systems Software (www.dss.ca)
Copyright © 2003-2018 Distributed Systems Software.
file that accompanies the distribution
for licensing information.
|DACS Version 1.4.42||28-Jan-2019||DACS_AUTOLOGIN_SSL(8)|
|Table of Contents||
$Id: dacs_autologin_ssl.8.xml 3016 2018-08-17 18:12:46Z brachman $