How certificate authentication works

When you enable certificate authentication on the Two-Factor Auth page, an administrator who opens the Security Manager URL is logged on as follows:

  • The Security Manager detects whether a client certificate is installed. If more than one certificate is available, the administrator is asked to select the certificate that allows access to the Security Manager.
  • The administrator provides their two-factor authentication credentials as defined by your organization. For example, this could be through the use of the Common Access Card (CAC) and a card reader.
  • After successful authentication, the Security Manager receives the client certificate and checks that it was signed by one of the uploaded root CA certificates. If the signature verifies, the Security Manager then looks for a full match between the client certificate and the certificates that were either uploaded to the Security Manager or imported from the user directory. If a match is found, the administrator associated with the two-factor authentication credentials is logged on.
  • If no certificate match is found and attribute matching is configured as a fallback option, a check is performed to see if the client certificate contains a property matching a specific LDAP attribute in your user directory. If a match is found, the administrator associated with the two-factor authentication credentials is logged on to the Security Manager.

If all configured certificate and attribute matching fails, or if the administrator does not have a client certificate, you can allow password authentication as a fallback option. If password authentication is disabled, administrators without matching certificates cannot log on.
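The logon sequence above, worked through in Go as an added example that is not part of this documentation or of the product's own code. It uses the standard library's crypto/x509 chain verification for the root CA check, a SHA-256 fingerprint of the DER bytes for the full certificate match, and the rfc822Name SAN compared with a directory mail attribute as the attribute-matching rule (an assumption; the product lets you choose the attribute). The Policy field names, the root CA, the three client certificates and the password are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy models the Two-Factor Auth settings the text describes; field names are this example's own.
type Policy struct {
	RootCAs           *x509.CertPool    // uploaded root CA certificates
	KnownCerts        map[string]string // SHA-256 fingerprint -> admin (uploaded or imported certs)
	AttributeFallback bool              // attribute matching enabled as a fallback
	DirectoryMail     map[string]string // LDAP mail attribute -> admin (assumed choice of attribute)
	PasswordFallback  bool              // password authentication allowed as a fallback
	Passwords         map[string]string // admin -> password (plain text for the demo only)
}

// Fingerprint hashes the DER encoding: a "full match" means these bytes are identical.
func Fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }

// Authenticate runs the logon sequence from the text and reports which step admitted
// the administrator ("certificate", "attribute" or "password") or that logon was denied.
func Authenticate(p Policy, client *x509.Certificate, user, password string) (string, string, error) {
	if client != nil {
		// Step 1: chain to an uploaded root CA; a certificate that fails here is ignored entirely.
		opts := x509.VerifyOptions{Roots: p.RootCAs, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
		if _, err := client.Verify(opts); err == nil {
			// Step 2: full match against the uploaded or imported certificates.
			if admin, ok := p.KnownCerts[Fingerprint(client)]; ok {
				return admin, "certificate", nil
			}
			// Step 3: attribute fallback, here the rfc822Name SAN against the mail attribute.
			if p.AttributeFallback {
				for _, mail := range client.EmailAddresses {
					if admin, ok := p.DirectoryMail[mail]; ok {
						return admin, "attribute", nil
					}
				}
			}
		}
	}
	// Step 4: password fallback, only when it has been enabled.
	if want, ok := p.Passwords[user]; p.PasswordFallback && ok &&
		subtle.ConstantTimeCompare([]byte(want), []byte(password)) == 1 {
		return user, "password", nil
	}
	return "", "", fmt.Errorf("logon denied for %q: no certificate or attribute match, no password fallback", user)
}

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// leaf builds a client-authentication certificate template with one e-mail SAN.
func leaf(serial int64, cn, email string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, EmailAddresses: []string{email},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// BuildDemo constructs a root CA and three client certificates: "enrolled" (uploaded to the manager),
// "unenrolled" (same CA, matched only by attribute) and "rogue" (self-signed, chaining to no uploaded root).
func BuildDemo() (Policy, map[string]*x509.Certificate) {
	caKey := newKey()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Org Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	enrolled := issue(leaf(2, "alice", "alice@example.org"), ca, &newKey().PublicKey, caKey)
	unenrolled := issue(leaf(3, "bob", "bob@example.org"), ca, &newKey().PublicKey, caKey)
	rogueKey, rogueTmpl := newKey(), leaf(4, "alice", "alice@example.org") // copies alice's name and e-mail
	rogue := issue(rogueTmpl, rogueTmpl, &rogueKey.PublicKey, rogueKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	p := Policy{
		RootCAs:           roots,
		KnownCerts:        map[string]string{Fingerprint(enrolled): "alice"},
		AttributeFallback: true,
		DirectoryMail:     map[string]string{"alice@example.org": "alice", "bob@example.org": "bob"},
		Passwords:         map[string]string{"carol": "constructed-demo-password"}, // PasswordFallback left off
	}
	return p, map[string]*x509.Certificate{"enrolled": enrolled, "unenrolled": unenrolled, "rogue": rogue}
}

func main() {
	p, certs := BuildDemo()
	fmt.Println(Authenticate(p, certs["rogue"], "alice", "")) // denied: chains to no uploaded root CA
}
```

Run it with `go run`. The "rogue" certificate illustrates why the root CA check comes before attribute matching: although it carries an enrolled administrator's name and e-mail address, it is discarded at step 1 and its attributes never reach step 3, and because password fallback is disabled the logon is refused, which is the outcome the last paragraph describes. Flipping `PasswordFallback` to true admits "carol" by password only when the constant-time comparison succeeds.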