Networking government in New Zealand.
 

5 Authentication Proxies

5.1.1 A server or service can be placed in front of an application to PKI-enable it. If a web server currently prompts the user for a username and password using standard HTTP Basic authentication, a proxy can be designed to process certificates, as above, and map each certificate to a user login that the proxy then presents to the web server using HTTP Basic authentication.

5.1.2 For example, the proxy would have a table like this:

Certificate | Username | Password
C=NZ, S=-, L=Wellington, O=The Treasury, CN=Franz Ombler, EMAIL=franz.ombler@treasury.govt.nz | franzo | 78f893jd9!032j9823s
C=NZ, S=-, L=Wellington, O=State Services Commission, CN=Mike Pearson, EMAIL=mike.pearson@ssc.govt.nz | mikep | Fj98032jf9{03ks8ifjj

5.1.6 The proxy may be a black box networked somewhere between the client and the server (preferably closer to the server), it could be a component on the web server, or it could even be built into the application.

5.1.7 The path between the proxy and the service must be well secured.

5.1.8 For applications with very simple authorisation and audit requirements, we could map multiple certificates to a single username and password, or map all certificates with a particular field value, e.g. O=The Treasury, to a particular username / password combination.

5.1.9 Note that we are just proxying authentication. The application is still responsible for authorisation to and within the system.
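The mapping step from 5.1.2 and the field-based variant from 5.1.8, as an added example (not code from the original page or from any New Zealand government system). It assumes the TLS layer has already validated the certificate chain, takes the subject DN as a plain string, and uses the page's two sample rows plus an assumed shared Treasury login for the O= mapping.

```python
import base64
from typing import Optional, Tuple

# Exact-match table, constructed from the page's example rows (section 5.1.2).
EXACT_MAP = {
    "C=NZ, S=-, L=Wellington, O=The Treasury, CN=Franz Ombler, "
    "EMAIL=franz.ombler@treasury.govt.nz": ("franzo", "78f893jd9!032j9823s"),
    "C=NZ, S=-, L=Wellington, O=State Services Commission, CN=Mike Pearson, "
    "EMAIL=mike.pearson@ssc.govt.nz": ("mikep", "Fj98032jf9{03ks8ifjj"),
}
# Field-based table (section 5.1.8): every certificate whose O= matches shares one login.
# This entry and its credentials are assumed for the example, not taken from the page.
FIELD_MAP = {("O", "The Treasury"): ("treasury-ro", "example-shared-secret")}


def parse_dn(dn: str) -> dict:
    """Split a comma-separated DN string into {ATTRIBUTE: value}.
    Assumes no escaped commas in values; a production proxy should take the
    parsed subject from its TLS library rather than re-parsing the string."""
    fields = {}
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        fields[key.strip().upper()] = value.strip()
    return fields


def lookup_credentials(subject_dn: str, chain_verified: bool) -> Optional[Tuple[str, str]]:
    """Map a client certificate subject to the back-end login.
    Only certificates the TLS layer has validated reach the tables; exact
    rows win over the broader field-based rule, and no match means reject."""
    if not chain_verified:
        return None
    if subject_dn in EXACT_MAP:
        return EXACT_MAP[subject_dn]
    fields = parse_dn(subject_dn)
    for (attr, wanted), creds in FIELD_MAP.items():
        if fields.get(attr) == wanted:
            return creds
    return None


def basic_auth_header(username: str, password: str) -> str:
    """Build the HTTP Basic credential the proxy presents to the web server."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode("ascii")
    return f"Basic {token}"


def build_upstream_headers(subject_dn: str, chain_verified: bool) -> Optional[dict]:
    """Headers added on the (secured, per 5.1.7) hop to the service, or None
    when the request must be rejected before it is forwarded."""
    creds = lookup_credentials(subject_dn, chain_verified)
    if creds is None:
        return None
    return {"Authorization": basic_auth_header(*creds)}
```

Authorisation is deliberately absent: as 5.1.9 says, the proxy only substitutes a login, and the application still decides what that login may do.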

