Linking an X.509 certificate

IAM provides the ability to link X.509 certificates to a user account. X.509 account linking works if:

  • X.509 certificate authentication is enabled for the IAM instance in use; for more information on this see the Getting started guide
  • The certificate is correctly installed in the browser used to access the IAM;
  • The certificate is trusted by the IAM (i.e. is signed by a certificate authority known and trusted by the IAM)

Authenticating with an X.509 certificate

If a certificate is correctly configured in the browser, the browser will show a dialog to select whether to authenticate with the certificate or not as in the following screenshot:

INDIGO IAM Registration button

Note that this happens when enstabilishing the connection to the IAM. If no dialog is shown, either:

  • there’s no certificate in the browser that is trusted by the IAM (either the certificate is expired or signed by a CA not trusted by the IAM)
  • a certificate was selected automatically by the browser when authenticating to the IAM

In case the certificate used for the authentication is linked to an organization account, the IAM login page will display a “Sign in with your certificate” button:

Login page with cert recognized

Linking a certificate

If a certificate was recognized but is not linked to any membership in the IAM, the user will have to authenticate with other credentials (local username & password, or external authentication mechanisms (e.g. Google)).

After having logged in, the user can link a certificate by clickin on the Link Certificate button:

INDIGO IAM Registration button

Note that the Link certificate button will be shown in the page only if a valid and trusted certificate was detected by the IAM during the TLS handshake.

Clicking the Link certificate button opens a dialog that shows information about the certificate that should be linked to the account:

INDIGO IAM Registration button

If the linking completes succesfully, the linked certificate information will be shown in the X.509 certificates panel:

INDIGO IAM Registration button

To check that the linking actually works, the user can logout from the IAM and login again with the certificate.

Unlinking a certificate

A user can unlink a certificate by clicking on the Unlink button shown in the certificate panel (see the image above).

Last modified September 17, 2021: Fix some broken references (881a38a)