Solved: Expressway certificate-based authentication

david.alfaro1 · ‎12-31-2021

Hello dears,

I would like to know if someone has configured how the Expressway retrieves authorization credentials (username) from a client browser'certificate, without standard log in mechanism.

The documentation explains the process configuring the Regex and Username Format fields on the Certificate-based authentication configuration page; the problem is the documentation just says the syntax "(?<name>regex)" for the Regex field, and the syntax "/(Subject:.*, CN=(?<Group1>.*))m". And it says delimiting each capture group name with #, for example "prefix#Group1#suffix".

My questions is, could you share an example how to write the syntaxes in these two fields having the following particular certificate Subject and CN, let's to say:

Subject: OU=Domain Control Validated, CN=amer-expressway01.ciscotac.net

I would appreciate your help, because the documentation is not clear enough and furthermore I do not know so much PHP.

Kind regards,

david.alfaro1 · ‎02-13-2022

Hello, I guess I found the explanation,

In the Regex field use the (?<name>regex) syntax to supply names for capture group (they are just like objects or variables) so that matching minor sub-patterns can be substituted in the associated Username Format field, in this case for example /(^Subject:.*, CN=(?<group1>.ciscotac.net)$)/

In the Username Format field we can delimit as #group1#. In that variable we can capture then the name amer-expressway01 as de username we were looking for authorization credentials, all of these when we find the structure of the text "Subject: OU=Domain Control Validated, CN=amer-expressway01.ciscotac.net"

Best regards,

View solution in original post

b.winter · ‎01-02-2022

Hi,

can't you just set up SSO, where the only authentication mechanism in the IDP is based on a certificate, instead of username password?

I have never deployed that on my own, but I would be my first idea on how to do that.

Best regards

--- Please rate this post as "Helpful" or accept as a solution, if your question has been answered ---

david.alfaro1 · ‎01-03-2022

Hello again b.winter

The main idea is that Expressway retrieves authorization credentials from a Certificate and standard login is no longer available, so that an administrator can log in only if they present a valid browser certificate therefore the certificate contains the appropiate credentials that have the authorization level. The username authorization would be relayed to another external mechanism (in a Idp or an AD, I am not sure just now to be honest. Furthermore the users want to release the certificate from the browser entering a PIN, it is notable that they are married with the security). For now the idea is take advantage about avoiding to rely in the standar manual https log in to the expressway from outside, using the Regex and Username Format fields in the expressway certificate-based authentication configuration page, but I do not have idea how to set up the syntaxes in these fields (if for example the certificate has "Subject: OU=Domain Control Validated, CN=amer-expressway01.ciscotac.net" how to set up these fields); the documentation just says "(?<name>regex)" and "/(Subject:.*, CN=(?<Group1>.*))/m" respectively for each field, and it is no clear where to capture each group name with #, the documentation just says "for example prefix#Group1#suffix", so it is not understandable.

Best regards

david.alfaro1 · ‎02-13-2022

Hello, I guess I found the explanation,

In the Regex field use the (?<name>regex) syntax to supply names for capture group (they are just like objects or variables) so that matching minor sub-patterns can be substituted in the associated Username Format field, in this case for example /(^Subject:.*, CN=(?<group1>.ciscotac.net)$)/

In the Username Format field we can delimit as #group1#. In that variable we can capture then the name amer-expressway01 as de username we were looking for authorization credentials, all of these when we find the structure of the text "Subject: OU=Domain Control Validated, CN=amer-expressway01.ciscotac.net"

Best regards,