• State Not Answered
  • Replies 2 replies
  • Subscribers 95 subscribers
  • Views 228 views
  • Users 0 members are here
Options
Related

mTLS authentication method via a SCIM connector

panagiotis georgakopoulos
4 months ago

Hi all,

Question in general, is it possible to setup the mTLS authentication method when trying to configure a SCIM connector?

Meaning that, the Job Server of One Identity (acting as client) authenticates itself to the target system using its certificate, and the target system (acting as server) authenticates itself to One Identity, which is the most common one.

If yes, how is this configured, what pieces do I need to make it work? Not asking for pure specifics, just if this is technically possible as I could not find anything related inside the documentation.

I am assuming that from the authentication methods provided by the SCIM connector template, the "Use the client certificate" is pretty much close but could not make it work as expected so far after trying quite a few things already.

Thanks in advance.

Parents
  • 0 3 months ago

    Hi panagiotis,

    for SCIM connector the TLS1.2 and TLS1.3  protocols are valid for connection handshake. The "mTLS" option should work since TLS1.2 . The logon using certificates makes sense to try this. SCIM connector is sending the client certificate and would validate the servers certificate. If both certificates are issued from the same CA root it should work.

    Regards,

        Tino

  • 0 3 months ago in reply to tlindner

    Hi Tino, appreciated the reply.

    You mentioned that "If both certificates are issued from the same CA root it should work.", is this really the case?
    Meaning, if both certificates have been issued by a different CA and every CA's certificate (including the whole chain of trust) is imported inside the certificate store of both sides (server's CA certificate imported inside the client's certificate store and client's CA certificate imported inside the server's certificate store), wouldn't that suffice? Do you have more insights on that?

Reply
  • 0 3 months ago in reply to tlindner

    Hi Tino, appreciated the reply.

    You mentioned that "If both certificates are issued from the same CA root it should work.", is this really the case?
    Meaning, if both certificates have been issued by a different CA and every CA's certificate (including the whole chain of trust) is imported inside the certificate store of both sides (server's CA certificate imported inside the client's certificate store and client's CA certificate imported inside the server's certificate store), wouldn't that suffice? Do you have more insights on that?

Children
No Data