Show Table of Contents
23.6. Authenticating to the Identity Management Web UI with a Smart Card
As an Identity Management user with multiple role accounts in the Identity Management server, you can authenticate with your smart card to the Identity Management web UI as a selected role. This enables you to use the web UI as the selected role.
Note
Only Identity Management users can log in to the web UI with a smart card. Active Directory users can log in with their user name and password. For details, see Section 5.4.2.4, “Authenticating to the IdM Web UI as an AD User”.
For information on configuring the environment to enable the authentication, see:
For information on how to authenticate, see:
23.6.1. Preparing the Identity Management Server for Smart-card Authentication in the Web UI
As the Identity Management administrator:
- On an Identity Management server, create a shell script to configure the server.
- Use the
ipa-advise config-server-for-smart-card-authcommand, and save its output to a file:#
ipa-advise config-server-for-smart-card-auth > server_smart_card_script.sh - Open the script file, and review its contents.
- Add execute permissions to the file using the
chmodutility:#
chmod +x server_smart_card_script.sh
- Run the script on all servers in the Identity Management domain.
- Make sure the sssd-dbus package is installed.
Additionally, if an external certificate authority (CA) signed the certificate on the smart card:
- On an Identity Management server, add the CA certificate to the NSS database used by the HTTP server:
#
ipa-cacert-manage -n "SmartCard CA" -t CT,C,C install ca.pem#ipa-certupdateRepeatipa-certupdateon all replicas and clients. - Restart the HTTP server and the Kerberos server:
#
systemctl restart httpd#systemctl restart krb5kdcRepeat the commands on all replicas.
23.6.2. Preparing the Browser for Smart-card Authentication
To configure the browser for smart-card authentication, perform these steps on the client from which the user launches the web browser to access the web UI. The system on which the browser is running does not have to be part of the Identity Management domain. In this procedure, we are using the Firefox browser.
- Launch Firefox.
- Configure Firefox to read the certificate from the smart card.
- Select → → → →
Figure 23.16. Configuring security devices in Firefox
- Click . In the Load PKCS#11 Device window, fill out the following information:
- Module Name:
OpenSC - Module filename:
/usr/lib64/opensc-pkcs11.so
Figure 23.17. Device Manager in Firefox
- Click to confirm. Then click to close the Device Manager.
Firefox can now use smart card certificates for authentication.
23.6.3. Authenticating to the Identity Management Web UI with a Smart Card as an Identity Management User
To authenticate:
- Insert the smart card into the smart card reader.
- In the browser, navigate to the Identity Management web UI at
https://ipaserver.example.com/ipa/ui. - If the smart card certificate is linked to a single user account, do not fill out the Username field.If the smart card certificate is linked to multiple user accounts, fill out the Username field to specify the required account.
- Click .
Figure 23.18. in the Identity Management web UI
- Enter the smart card PIN when prompted.
Figure 23.19. Entering the smart card PIN
- A new window opens, proposing the certificate to use. Select the smart card certificate.
Figure 23.20. Selecting the smart card certificate
You are now authenticated as the user who corresponds to the smart card certificate.
Note
If an administrator reset the password of a user, the IdM web UI denies access until the user set a new password, for example, using the kinit utility.
Additional Resources
- If the authentication fails, see Section A.4, “Investigating Smart Card Authentication Failures”.
23.6.4. Additional Resources
- For details on the Identity Management web UI, see Section 5.4, “The IdM Web UI”.