Authentication nodes

Certificate Validation node

The Certificate Validation node validates the X.509 digital certificate or chain of certificates collected by the Certificate Collector node.

Certificate validation rules

  • If you add this node to a journey, you must configure it. With no configuration, the node returns True as the outcome by default, regardless of the validity of the certificate provided in the journey.

  • This node validates the first certificate in a certificate chain (the user certificate) by default and ignores the remaining certificates in the chain.

    RAPID only To validate all certificates in a certificate chain:

    1. Create an ESV variable named esv-am-nodes-certificatechain-validation-enforced and set its value to true.

    2. Make sure all intermediate and root certificates from the chain are present in the truststore.

      If any intermediate or root certificates are missing from the truststore, certificate validation fails.

  • If the collected user certificate is a self-signed certificate (test environments only), the self-signed user certificate must be present in the truststore for certificate validation to succeed.

  • If the collected user certificate is signed by a valid issuer, the issuing certificates (intermediate, or intermediate and root) must be present in the truststore for certificate validation to succeed.

    If the issuing certificates are missing from the truststore, certificate validation fails.

  • The node uses the intermediate and user certificates to verify certificate revocation status.

Example

This example shows an authentication journey using a certificate as credentials.

journey certificate auth

  1. The Certificate Collector node attempts to collect the certificate from the request body or the header.

  2. The Certificate Validation node attempts to validate the certificate based on the configuration of that node.

  3. The Certificate User Extractor node extracts the user ID from the certificate and attempts to find a match in the identity store.

    • If the username can be extracted and a matching user is found in the identity store, the journey increments the login count and authenticates the user.

    • If the username can’t be extracted or no matching user is found in the identity store, the journey proceeds to the Failure node.

Availability

Product Available?

PingOne Advanced Identity Cloud

Yes

PingAM (self-managed)

Yes

Ping Identity Platform (self-managed)

Yes

Inputs

This node requires an X509Certificate property in the incoming node state.

Implement the Certificate Collector node as input to the Certificate Validation node.

Dependencies

This node has no dependencies.

Configuration

Property Usage

Match Certificate in LDAP

When enabled, Advanced Identity Cloud matches the collected certificates with a certificate stored in the identity store.

Set the Subject DN Attribute Used to Search LDAP for Certificates to specify which LDAP property to search for certificate information.

Default: Not enabled

Check Certificate Expiration

When enabled, Advanced Identity Cloud checks if the collected certificates have expired.

Default: Not enabled

Subject DN Attribute Used to Search LDAP for Certificates

The attribute Advanced Identity Cloud uses to search the identity store for the certificates. The search filter is based on this attribute and the value of the Subject DN as it appears in the certificate.

Default: CN

Match Certificate to CRL

When enabled, Advanced Identity Cloud checks if the collected certificates have been revoked according to a Certificate Revocation List (CRL) in the identity store.

Define related CRL properties later in the node configuration.

Default: Not enabled.

Issuer DN Attribute(s) Used to Search LDAP for CRLs

The name of the attribute or attributes in the issuer certificate that Advanced Identity Cloud uses to locate the CRL in the identity store.

  • If you specify only one attribute here, the LDAP search filter used is (attr-name=attr-value-in-subject-DN).

    For example, if the subject DN of the issuer certificate is C=US, CN=Some CA, serialNumber=123456, and the attribute specified is CN, Advanced Identity Cloud uses a search filter of (CN=Some CA) to locate the CRL.

  • Specify several CRLs for the same CA issuer in a comma-separated list (,) where the names are in the same order in which they appear in the subject DN.

    In this case, the LDAP search filter used is (attr1=attr1-value-in-subject-DN,attr2=attr2-value-in-subject-DN,…​), and so on.

    For example, if the subject DN of the issuer certificate is C=US, CN=Some CA, serialNumber=123456, and the attributes specified are CN,serialNumber, the LDAP search filter used to find the CRL is (CN=Some CA,serialNumber=123456).

Default: CN

HTTP Parameters for CRL Update

Parameters Advanced Identity Cloud includes in any HTTP CRL call to the CA that issued the certificate.

If the client or CA certificate includes the IssuingDistributionPoint extension, Advanced Identity Cloud uses this information to retrieve the CRL from the distribution point.

Add the parameters as key-value pairs in a comma-separated list (,). For example, param1=value1,param2=value2.

Cache CRLs in Memory

When enabled, Advanced Identity Cloud caches CRLs in memory.

If this option is enabled, Update CA CRLs from CRLDistributionPoint must also be enabled.

Default: Enabled

Update CA CRLs from CRLDistributionPoint

When enabled, Advanced Identity Cloud fetches new CA CRLs from the CRL Distribution Point and updates them in the identity store. If the CA certificate includes either the IssuingDistributionPoint or the CRLDistributionPoint extensions, Advanced Identity Cloud attempts to update the CRLs when they’re out of date.

Default: Enabled

OCSP Validation

When enabled, Advanced Identity Cloud checks the validity of certificates using the Online Certificate Status Protocol (OCSP).

Default: Not enabled

Certificate Identity Store

Select the default identity store (OpenDJ) from the list. You must select this identity store to let Advanced Identity Cloud search for certificates. Advanced Identity Cloud ignores all LDAP server settings below this field.

LDAP Server Where Certificates are Stored

This property doesn’t apply to Advanced Identity Cloud.

LDAP Search Start or Base DN

This property doesn’t apply to Advanced Identity Cloud.

LDAP Server Authentication User and LDAP Server Authentication Password

This property doesn’t apply to Advanced Identity Cloud.

mTLS Enabled

This property doesn’t apply to Advanced Identity Cloud.

mTLS Secret Label Identifier

This property doesn’t apply to Advanced Identity Cloud.

Use SSL/TLS for LDAP Access

This property doesn’t apply to Advanced Identity Cloud.

Outputs

This node doesn’t change the shared state.

Callbacks

This node doesn’t send any callbacks.

Outcomes

True

The node could validate the certificates.

When the outcome is True, add a Certificate User Extractor node to extract the values of the user certificate.

False

The node couldn’t validate the certificates. The journey follows this path when the node can’t validate the certificates and there isn’t a more specific outcome available.

Not found

The Match Certificate in LDAP property is enabled, but the certificates weren’t found in the LDAP store.

Expired

The Check Certificate Expiration property is enabled, and the certificates have expired.

Path Validation Failed

The Match Certificate to CRL property is enabled, and the certificate path is invalid.

Revoked

The OCSP Validation property is enabled, and the certificates have been revoked.

Errors

This node doesn’t log any error or warning messages of its own.