Configuring various authentication methods for OAuth token authorization
- (Optional) Configure IIS Manager to accept certificate authentication for Remote Web SDK clients. Recommended for POST Authorize/Certificate.
- From the Platform menu, click API > Default Settings.
- Browser-based authentication:
  - Enabled: Default. Allows multi-factor authentication for devices. A successful response includes a web link to complete the authentication.
  - Disabled: Blocks browser-based authentication.
- (Optional) Complete the Certificate Authentication section:

Certificate Authentication Settings

Field | Parameter |
---|---|
X.509 Identity Field | The field for Trust Protection Platform Authentication Server to use as the user identity: SubjectAltName: UPN (the identity that also has access to the Web SDK); SubjectAltEmail (the email address(es)); CN (the certificate name (CN); for local identities, always specify CN). |
Trusted Certificate Authorities | The CA(s) that are approved to issue client certificates for authentication. Select a Trusted Certificate Authority certificate from the Roots tree. |
AD Security Identifier (SID) | The certificate is mapped to the Active Directory user's SID (objectSid). |

- Click Save.
Authentication | Trust Protection Platform Authentication Server setting |
---|---|
Username & Password | The client passes a user name and password to the VEDAuth server. Recommended for POST Authorize/OAuth. |
Integrated MS Windows Authentication | Default. The client passes Windows credentials to the VEDAuth server. |
Browser-based authentication | Default. Required for POST Authorize/Device. Recommended for multi-factor SAML authentication. |
JSON web token | A token in JSON format that is used to communicate between a trusted identity provider and Venafi Platform. |
Certificate | The caller passes a client certificate to the VEDAuth server. When selected, the Use AD Security Identifier (SID) value if available option appears. |
AD Security Identifier (SID) | If you select Certificate, the Use AD Security Identifier (SID) value if available option appears. In this scenario, AuthServer follows a specific process: it first looks for the SID Extension value in the certificate. If the SID Extension is found, AuthServer tries to find the matching AD user. If the SID Extension is not in the certificate or doesn't match an AD account, AuthServer falls back to the "Location" setting. |
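The following is an added example, not Venafi code, that models the certificate-to-identity mapping described in the Certificate Authentication Settings and in the AD Security Identifier (SID) row above: the issuer must be one of the Trusted Certificate Authorities, the SID extension (when "Use AD Security Identifier (SID) value if available" is on) is matched against objectSid first, and only then is the configured X.509 identity field matched within the configured Location. The certificate is a plain dict standing in for a parsed X.509 certificate, the directory is an in-memory list standing in for AD and local identities, and the "Location" setting is modelled as a choice between "AD" and "Local"; all names and SIDs are constructed. It also shows why the SID binding matters: a UPN reassigned to a different account would otherwise map the old holder's certificate to the new account.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Identity field choices, named as on the page.
UPN = "SubjectAltName: UPN"
EMAIL = "SubjectAltEmail"
CN = "CN"


@dataclass
class CertAuthSettings:
    identity_field: str                  # UPN, EMAIL or CN
    trusted_cas: Set[str]                # issuer names approved to issue client certificates
    use_sid_if_available: bool = False   # "Use AD Security Identifier (SID) value if available"
    location: str = "AD"                 # assumption: the "Location" setting names the store searched


@dataclass
class Account:
    name: str
    location: str                        # "AD" or "Local"
    upn: Optional[str] = None
    emails: tuple = ()
    object_sid: Optional[str] = None


class AuthError(Exception):
    """Raised when the certificate cannot be mapped to an identity."""


def identity_from_cert(cert: dict, field_name: str) -> Optional[str]:
    """Read the configured identity value from the (modelled) certificate."""
    if field_name == UPN:
        return cert.get("san_upn")
    if field_name == EMAIL:
        emails = cert.get("san_emails") or []
        return emails[0] if emails else None
    if field_name == CN:
        return cert.get("subject_cn")
    raise ValueError(f"unknown identity field {field_name!r}")


def resolve_account(cert: dict, settings: CertAuthSettings, directory: List[Account]) -> Account:
    # 1. Trust anchor: a certificate from a CA outside the approved set is rejected outright.
    if cert.get("issuer") not in settings.trusted_cas:
        raise AuthError("issuer is not a Trusted Certificate Authority")

    # 2. SID first: the SID extension binds the certificate to one AD object (objectSid),
    #    so a UPN or email later reassigned to another account cannot redirect the mapping.
    if settings.use_sid_if_available and cert.get("sid_extension"):
        for acct in directory:
            if acct.location == "AD" and acct.object_sid == cert["sid_extension"]:
                return acct
        # No AD object with that SID: fall through to the Location-based lookup.

    # 3. Fallback: match the configured identity field inside the configured Location.
    ident = identity_from_cert(cert, settings.identity_field)
    if ident is None:
        raise AuthError(f"certificate carries no {settings.identity_field} value")
    if settings.location == "Local" and settings.identity_field != CN:
        raise AuthError("local identities must be matched on CN")
    for acct in directory:
        if acct.location != settings.location:
            continue
        if settings.identity_field == UPN and acct.upn == ident:
            return acct
        if settings.identity_field == EMAIL and ident in acct.emails:
            return acct
        if settings.identity_field == CN and acct.name == ident:
            return acct
    raise AuthError(f"no {settings.location} account matches {ident!r}")


# Constructed sample data (not from the page). "alice-old" held the UPN
# alice@corp.example when her certificate was issued; the UPN was later
# reassigned to a new account "alice".
DIRECTORY = [
    Account("alice", "AD", upn="alice@corp.example", emails=("alice@corp.example",),
            object_sid="S-1-5-21-1111-2222-3333-1001"),
    Account("alice-old", "AD", upn="alice.old@corp.example",
            object_sid="S-1-5-21-1111-2222-3333-1002"),
    Account("svc-scanner", "Local"),
]
TRUSTED = {"CN=Corp Issuing CA"}

CERT_REISSUED_UPN = {"issuer": "CN=Corp Issuing CA", "subject_cn": "alice",
                     "san_upn": "alice@corp.example",
                     "sid_extension": "S-1-5-21-1111-2222-3333-1002"}
CERT_NO_SID = {"issuer": "CN=Corp Issuing CA", "subject_cn": "alice",
               "san_upn": "alice@corp.example"}
CERT_LOCAL = {"issuer": "CN=Corp Issuing CA", "subject_cn": "svc-scanner"}
CERT_UNTRUSTED = dict(CERT_REISSUED_UPN, issuer="CN=Untrusted CA")


def outcome(cert: dict, settings: CertAuthSettings) -> str:
    """Return the mapped account name, or the rejection reason."""
    try:
        return resolve_account(cert, settings, DIRECTORY).name
    except AuthError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    sid_on = CertAuthSettings(UPN, TRUSTED, use_sid_if_available=True)
    sid_off = CertAuthSettings(UPN, TRUSTED, use_sid_if_available=False)
    print("SID on, reassigned UPN :", outcome(CERT_REISSUED_UPN, sid_on))   # alice-old
    print("SID off, reassigned UPN:", outcome(CERT_REISSUED_UPN, sid_off))  # alice
    print("SID on, no extension   :", outcome(CERT_NO_SID, sid_on))         # alice
    print("local CN               :", outcome(CERT_LOCAL, CertAuthSettings(CN, TRUSTED, location="Local")))
    print("untrusted issuer       :", outcome(CERT_UNTRUSTED, sid_on))      # rejected: issuer ...
```

With the SID option on, the certificate issued to the former holder still maps to that holder's AD object even though its UPN now belongs to someone else; with the option off, the same certificate maps to the new owner of the UPN. Local identities are matched only on CN, as the settings table requires.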