What is X.509 Authentication?
The X.509 standard uses the widely accepted international public key infrastructure to verify that a public key belongs to the user, computer, or service identity contained within the certificate.
EasySSO receives the X.509 certificate and extracts the information it needs to authenticate the user and provide them with Single Sign-On.
Once configured, X.509 authentication allows EasySSO to:
- for a request coming from a specific IP address, such as your reverse proxy server or your internal network,
- check whether an HTTP header containing an X.509 certificate is present, and
- if the certificate is present, check that the certificate:
  - is valid, and
  - is trusted, and
- skip any attempt to use alternative SSO authentication methods, and
- extract the information from the certificate and log the user onto the Atlassian application if they already exist. New users cannot be created using EasySSO with X.509 authentication.
X.509 Authentication Use Case
If you have an existing X.509 infrastructure in place to authenticate users such as your external customers, with X.509 certificates pre-loaded into users' browsers or devices (e.g. mobile phones), you can extend the benefits of SSO not only to your employees but to your customers as well.
Segmenting your network using IP Filters, and enabling X.509 authentication with EasySSO for the external segment (usually identified by the reverse proxy IP address), means that your internal users can enjoy NTLM/Kerberos transparent SSO while your customers are no longer served with the default login screen either. Instead, the information in the certificate is used to perform the authentication.
X.509 in EasySSO also allows integration with legacy or custom authentication mechanisms external to the Atlassian application, where the authentication decision is made by an external provider (such as a reverse proxy) and the username is passed to the application in the form of an X.509 certificate.
Since any agent can set an HTTP header, it is important to ensure that the X.509 information comes only from a trusted source, e.g. that the request originates from your proxy's IP address.
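The check sequence described above (source IP filter, header present, certificate valid and trusted, identity extracted, otherwise fall through or reject) and the trust caveat in the last paragraph, written out as an added Go example. This is not EasySSO's code: the proxy networks, the transport of the certificate as URL-encoded PEM in the header, and the e-mail-SAN-then-CN identity mapping are all assumptions, and the CA and client certificate are generated inside the program so that it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"time"
)

// Decision records which branch of the X.509 step a request took.
type Decision int
const (
	NotFromTrustedSource Decision = iota // not from the proxy: the header is ignored
	NoCertificate                        // header absent: fall through to the other SSO methods
	Rejected                             // certificate present but unparsable, invalid or untrusted
	Authenticated                        // certificate valid and trusted: username extracted
)

// IP filter: only requests from these networks may carry the certificate header
// (constructed values for this example, not taken from the page).
var trustedSources = []string{"10.0.0.0/8", "192.0.2.10/32"}

func fromTrustedSource(remoteIP string) bool {
	ip := net.ParseIP(remoteIP)
	for _, c := range trustedSources {
		if _, n, err := net.ParseCIDR(c); err == nil && ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// Authenticate applies the checks in the order the page lists them: source IP filter, header present,
// certificate valid and trusted (chains to a root, inside its validity, client-auth usage), then identity.
func Authenticate(remoteIP, header string, roots *x509.CertPool, now time.Time) (Decision, string, error) {
	if !fromTrustedSource(remoteIP) {
		return NotFromTrustedSource, "", nil
	}
	if header == "" {
		return NoCertificate, "", nil
	}
	block, _ := pem.Decode([]byte(header))
	if dec, err := url.QueryUnescape(header); block == nil && err == nil {
		block, _ = pem.Decode([]byte(dec)) // proxies often URL-encode the PEM to fit one header line
	}
	if block == nil || block.Type != "CERTIFICATE" {
		return Rejected, "", fmt.Errorf("header does not carry a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return Rejected, "", fmt.Errorf("parse: %w", err)
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil { // expired, not yet valid, unknown CA, wrong usage
		return Rejected, "", fmt.Errorf("verify: %w", err)
	}
	// Identity: first e-mail SAN, else subject CN. This mapping is an assumption; EasySSO's own is a product setting.
	user := cert.Subject.CommonName
	if len(cert.EmailAddresses) > 0 {
		user = cert.EmailAddresses[0]
	}
	if user == "" {
		return Rejected, "", fmt.Errorf("certificate carries no usable identity")
	}
	return Authenticated, user, nil
}

// BuildDemoPKI makes a throwaway CA and a client certificate it signed, returning the trust pool
// and the URL-encoded PEM a proxy would forward, so the example runs offline.
func BuildDemoPKI(user string, now time.Time) (*x509.CertPool, string) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: user},
		EmailAddresses: []string{user + "@example.com"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, caCert, &leafKey.PublicKey, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return pool, url.QueryEscape(string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER})))
}

func main() {
	now := time.Now()
	pool, header := BuildDemoPKI("alice", now)
	d, user, err := Authenticate("10.1.2.3", header, pool, now)
	fmt.Printf("decision=%d user=%q err=%v\n", d, user, err)
}
```

Run it with `go run` and try the same header with a source address outside `trustedSources`: the certificate is simply ignored, which is the whole point of the IP filter. The filter only means something if the proxy itself sets the header on every request it forwards, overwriting whatever the client sent, so that a header arriving from the proxy's address can never have been chosen by the end user.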