Keycloak Smart Card Auth (DoD CAC, specifically) Setup Help


Jason Sheridan

Apr 13, 2022, 9:45:22 AM
to Keycloak User
Does anyone out there have any kind of whitepaper/tutorial on how to enable DoD CAC smart card authentication on Keycloak?  I'm having a heck of a time getting this going.  

I have my instance using SSL with full certs, nothing self-signed; that's good to go, it's just the last bit of getting it to PIN-in the user vs. username/password.  I've run through the x509 browser setup in the documentation, but it's not doing it.  Lots of hours spent on this so far, any help would be great, I've reached the end of the internet.

Thanks,
Jason 

Dave Godso

Feb 15, 2023, 8:41:18 PM
to Keycloak User

Jason, Did you ever get this solved?

Welton Torres

Mar 21, 2023, 9:19:53 PM
to Dave Godso, Keycloak User
What you need to find is where the username is encoded in the certificate.

Based on this: https://www.dau.edu/faq/Documents/LocateCACSignatureCertificateInfo.pdf I believe it's (as one would expect) in the subjectalternativenames with an email type.

Keycloak supports this right now. Follow the x509 authentication documentation and choose “Subject’s Alternative Name E-mail” as the User Identity Source.

That should do it.

The docs say it, but you’ll need to import the DoD certification chain into the Keycloak truststore.

If you have any proxy doing ssl offload in front of Keycloak, the situation is a little bit more confusing.




noname

Mar 21, 2023, 9:44:48 PM
to keyclo...@googlegroups.com

Hi Jason,

Sorry to drop in on the discussion. SSL offload is supported, however it is dependent on the type of proxy, as each proxy is slightly different in the way it sends the SSL client certificate. HAProxy and nginx are supported out of the box (here is a link to an old documentation page: https://www.keycloak.org/docs/10.0/server_admin/#client-certificate-lookup).

To verify if the KC server is set up correctly you could try the openssl s_client command to see the handshake and check if the list of CA alt subj names sent by the server includes the CA used to sign your DoD client certs.

Hope this helps

--Cheers

Peter
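The openssl s_client check Peter describes, as an added example (not code from the thread or from Keycloak): it pulls the "Acceptable client certificate CA names" block out of the handshake output and tests whether a given CA DN is in it. The host name and the CA names in the embedded sample are constructed placeholders, and the parser is tested against that sample so it runs offline.

```shell
#!/bin/sh
# Extract the CA names the server advertises in its CertificateRequest from
# openssl s_client output read on stdin. The block ends at the next section
# header ("Client Certificate Types", "Requested Signature Algorithms" or "---").
accepted_ca_names() {
  awk '
    /^Acceptable client certificate CA names/ { in_list = 1; next }
    in_list && (/^Client Certificate Types/ || /^Requested Signature Algorithms/ || /^---/) { in_list = 0 }
    in_list { print }
  '
}

# Exit 0 if the server asked for a client cert at all. When TLS is terminated on a
# proxy that does not request client certs, s_client prints
# "No client certificate CA names sent" instead and this returns 1.
server_requests_client_cert() {
  grep -q '^Acceptable client certificate CA names'
}

# Exit 0 if the CA DN given as $1 (substring match) appears in the accepted list on stdin.
ca_is_accepted() {
  accepted_ca_names | grep -F -q -- "$1"
}

# Live probe of host:port (hits the network; the host is an assumed placeholder).
# </dev/null closes the session right after the handshake; -servername sets SNI so
# the right virtual host answers when a proxy sits in front of Keycloak.
probe_server() {
  openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null
}

# Constructed sample of the relevant part of s_client output (not captured from
# a real server; the DNs are placeholders, not real DoD CA names).
SAMPLE_OUTPUT='---
Acceptable client certificate CA names
C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = Example DoD Root CA (constructed)
C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = Example DoD ID CA (constructed)
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256
---
'

# Usage against the constructed sample; swap in "probe_server keycloak.example.test:443 |"
# to run the same checks against a live endpoint.
printf '%s' "$SAMPLE_OUTPUT" | server_requests_client_cert && echo "server requests client certs"
printf '%s' "$SAMPLE_OUTPUT" | ca_is_accepted "CN = Example DoD Root CA" && echo "issuing CA is accepted"
```

If the live probe prints nothing from accepted_ca_names, the endpoint you connected to never sent a CertificateRequest, which usually means the TLS-offloading proxy, not Keycloak, needs the client-certificate settings.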
