SITHS Authentication with attributes from Active Directory

When using SITHS smart card authentication, it is very likely that you want to bring in attributes from an external source. This guide aims to explain how to get those attributes from an Active Directory.

For this, we need a few components:

  • Windows Connector
  • SITHS Authenticator
  • Active Directory Data Source
  • Attribute Transformer

Note

All examples and URLs depend on:

  • Curity Identity Server is running on https://localhost:8443
  • There is an authentication profile called authentication.
  • The profile has an an authentication endpoint on /authn/authenticate.
  • The profile is running the default Simple API protocol.

1. Windows Connector

To be able to to do smart card authentication and windows integrated authentication, Curity Identity Server needs an additional application installed on a IIS. This is called the Windows Connector. How to install this is covered in Windows.

2. SITHS Authenticator

Setup a SITHS authenticator named siths and point to the IIS configured in the previous step.

3. Test App

To test your configuration, we set up a dummy application to use. It will not need to point to an existing application, since we will use the browser developer tools to inspect the result.

CLI

Listing 173 Add a service provider TestApp1 to authentication profile authentication
    set profiles profile authentication authentication-service settings authentication-service service-providers service-provider TestApp1 target-url https://localhost:7777/auth-done
    commit

4. Test configuration

Make sure you have access to a computer with Secmaker Net iD installed, and a SITHS smart card.

Open up the browsers developer tools, and a new browser window in private mode.

  • Access Curity Identity Server in your browser with authentication-request. You will be prompted with the available methods, select siths if needed.
  • Authenticate using your newly made SITHS authenticator. The user should be prompted for the PIN , and then the result will be POSTed to the URL of TestApp1.

The result is a signed JWT. The JWT is two base64 encoded JSON documents, separated by a dot, followed by a base64 encoded binary signature. Header.Payload.Signature

Extract the payload from the token form parameter, and base64 decode it. The result will be a JSON document with information about the authentication, and most interesting in this case, the subject. The subject contains all attributes coming out of the authentication, and currently it should contain an attribute subject which is the HSAID of the card.

Listing 174 Example SITHS subject
    "subject": {
        "subject": "SE12344321"
    }

Next step is to add attributes to the subject.

Note

If a test application is available, it might be easier to use that than to inspect the browser traffic. There are sample applications available at the Curity Github .

Note

If your authentication profile is using a SAML protocol, there are several browser extensions that allows to inspect the SAML messages.

5. Active Directory Data Source

To be able to find a user corresponding to the smart card, the HSAID needs to be in the directory somehow. It is typically stored on a custom attribute like extensionAttribute1, but any string attribute could be used.

Configure an LDAP Data Source with the type Active Directory

CLI

Listing 175 Add a ldap data source, that searches with extensionAttribute1
    edit facilities data-sources data-source activeDirectory ldap
    set client-id CN=admin,OU=Users,CN=example,OU=org
    set client-secret Password1
    set hostname localhost
    set default-root OU=Users,CN=example,OU=org
    set ldap-server-type active-directory
    set attributes search-filter (extensionAttribute1={})
    commit
    top

Note the search filter. It will return the attributes of a user with extensionAttribute1 being the same as the HSAID from the authentication.

Tip

To speed up the search, make sure that the Active Directory indexes the attribute. Otherwise, the directory will need to check each object.

This configuration will return all attributes from the directory. See LDAP for how to limit the attributes returned.

6. Attribute Transformer

We now have the possibility to login using the SITHS card, and we have configured a data source to fetch the attributes. To connect the two, we need to configure a attribute transformer to add the attributes to the authentication.

CLI

Listing 176 Add an attribute transformer that use the ldap data source
     edit processing attribute-transformers attribute-transformer getAdAttributes data-source-transformer
     set attribute-data-source activeDirectory
     commit
     top

This is a simple configuration, and will add all attributes from the directory as is.

7. Add transformer to the authenticator

Finally, to make sure the attribute transformer runs, add it to the authenticator

CLI

Listing 177 Use the attribute transformer on the authenticator siths
    set profiles profile authentication authentication-service settings authentication-service authenticators authenticator siths attribute-transformer getAdAttributes

8. Test the configuration

Restart your private mode browser, to clear the login state. Then go through Step 4 again.

The subject should now contain all the users attributes from Active Directory.