Client and User mTLS on subdomain(s) #48474
Replies: 1 comment
Was hoping someone has already dealt with this 😭. Couldn't find a way to adjust the mTLS alias without customizing it, which seems ...wrong... but is what it is if we have to. It'd be so much easier if we could just do path-based TLS like in IIS, heh. With mTLS it's so much easier to issue device certs for device-authenticated channels, then carry user tokens bound to those, versus all the other wonky stuff (at least for enterprise, not generic internet users). Then I can validate the device over domain X with CA trust store Y and users over domain A with trust store B, such that end users are never actually prompted to pick a cert or get confused. Device cert thumbprint / base64 carried in session data, and when connecting to applications, mTLS for the device must pass and the user session must be over a connection authenticated with that same device cert.
Issue: Enabling mTLS for the entire domain causes users to get prompted for certificate authentication, even if it's "optional".
What I'm trying to get to:
The intent being that when a user gets to my sign-in page they are never prompted. They only get prompted when selecting "smartcard sign in", which can either call an authentication API endpoint that is mTLS or redirect them to the right domain.
What I'm not sure of:
What Keycloak configuration is there to do cert auth on one endpoint for users / clients while not touching the primary domain? Can we modify the mTLS aliases in the metadata? I was struggling to find a configuration for that.
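One way to get the behaviour described above, as an added example that is not from this thread or from the Keycloak project: terminate TLS in a reverse proxy in front of Keycloak and request a client certificate only on a dedicated hostname, so the primary sign-in hostname never sends a CertificateRequest and browsers never show a certificate picker there. The hostnames, file paths, upstream address and the user CA bundle below are placeholders. The proxy forwards the verified certificate to Keycloak's nginx X.509 lookup provider; the Keycloak-side flags named in the comments are taken from the Keycloak reverse-proxy documentation, but check the exact option names against the docs for your Keycloak version.

```nginx
# Added example, not from the original discussion. Two nginx server blocks in
# front of one Keycloak instance: the primary hostname does plain server TLS,
# the smartcard hostname requires a client certificate from the user CA trust
# store and hands it to Keycloak.
#
# Keycloak side (assumed, from the reverse-proxy docs; verify for your version):
#   kc.sh start --proxy-headers xforwarded \
#     --spi-x509cert-lookup-provider=nginx \
#     --spi-x509cert-lookup-nginx-ssl-client-cert=ssl-client-cert \
#     --spi-x509cert-lookup-nginx-certificate-chain-length=2
# plus an "X509/Validate Username Form" authenticator in the realm's browser
# flow, and hostname settings that accept both hostnames.

upstream keycloak {
    server 127.0.0.1:8080;   # assumption: Keycloak listening on HTTP behind the proxy
}

# 1. Primary sign-in hostname: no client-certificate request at all.
#    ssl_verify_client off means the TLS server never sends CertificateRequest,
#    so users are not prompted. "optional" would still trigger the picker in
#    browsers that hold a matching certificate.
server {
    listen 443 ssl;
    server_name sso.example.com;                       # placeholder

    ssl_certificate     /etc/nginx/tls/sso.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/sso.example.com.key;
    ssl_verify_client   off;

    location / {
        proxy_pass http://keycloak;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Host  $host;
        # Defensive: overwrite any client-supplied certificate header on this
        # host, otherwise a caller could forge a "smartcard" identity.
        proxy_set_header ssl-client-cert   "";
    }
}

# 2. Smartcard hostname: same Keycloak behind it, but this listener requires a
#    client certificate chained to the user CA bundle (trust store B in the
#    original post) and forwards the URL-encoded PEM to Keycloak.
server {
    listen 443 ssl;
    server_name smartcard.example.com;                 # placeholder

    ssl_certificate        /etc/nginx/tls/smartcard.example.com.crt;
    ssl_certificate_key    /etc/nginx/tls/smartcard.example.com.key;
    ssl_client_certificate /etc/nginx/tls/user-ca-bundle.pem;  # placeholder trust store
    ssl_verify_client      on;
    ssl_verify_depth       2;

    location / {
        proxy_pass http://keycloak;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Host  $host;
        # $ssl_client_escaped_cert is the URL-encoded PEM the nginx lookup
        # provider in Keycloak expects; $ssl_client_cert is not URL-encoded.
        proxy_set_header ssl-client-cert   $ssl_client_escaped_cert;
    }
}
```

The "smartcard sign in" button on the normal sign-in page then simply sends the browser to the smartcard hostname (or the app calls an mTLS-only endpoint behind it). A device-certificate channel with a separate trust store would be a third server block of the same shape with its own ssl_client_certificate. Two things to check after deploying: that Keycloak only honours the ssl-client-cert header from this proxy (network-restrict the backend port, since the header is trusted blindly), and that the primary hostname really sends no CertificateRequest, for example with openssl s_client -connect sso.example.com:443 and looking for the absence of "Acceptable client certificate CA names" in the output.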