AaronCP
Collaborator

Identity Awareness - Identity Agent & Browser Based Authentication

Good evening CheckMates,

I'm looking for some advice regarding the enabling of two authentication methods - namely Identity Agent & Browser Based Authentication.

We have been running Identity Agent using transparent Kerberos SSO for approximately 6 months and it has been working seamlessly. We've had a request from a 3rd party to access one of our internal systems that we don't want to expose over the internet. We considered a VPN, but they have an Azure tenancy that I'd like to configure using SAML2 via Browser Based Authentication. This is where I encountered issues.

The actual setup was straightforward and I was able to create the Identity Provider and connect it with the 3rd party enterprise application. I enabled the Browser Based Authentication on the SMS and configured two rules in the ruleset - first to allow my home public IP to connect to the gateway on port 443, the second using my access role & identity tag to access a host on the network. This worked as expected.

Shortly after setting up this test environment, our customers started reporting that they were unable to authenticate via their Identity Agent, preventing their access to core systems. They were receiving an error that they were required to trust a new certificate, which looked like a self-signed gateway certificate. Our Windows server team also reported that our Identity Collector server was being bombarded with traffic, even though the Identity Collector check box is no longer ticked/configured on the gateway. I noticed when I connected to the Gaia portal of the gateway that I was also being presented with this self-signed certificate.

When I was configuring the Browser Based Authentication, there was an area to install a certificate. I chose to use the self-signed certificate for this specific setup, so this is what would have been the cause of the certificate issue.

Can someone clarify why using the self-signed certificate purely for the Browser Based Authentication caused this behaviour for other Identity methods and the change in the gateway Gaia certificate, please? I assumed that I could use two different certificates for two different authentication methods.

Any advice on this would be greatly appreciated, as always!

Thanks,

Aaron.

0 Kudos
1 Reply
PhoneBoy
Admin

I believe Identity Agent (particularly with Kerberos SSO) ultimately connects to the same portal as the browser.
As such, I would expect both methods to use the same certificate.

0 Kudos
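The thread turns on one observable fact: after the Browser Based Authentication certificate was changed, the Identity Agent clients and the Gaia portal started presenting the same self-signed certificate. The following script is an added example (not from this thread, and not Check Point code) that lets an administrator confirm that before and after a portal certificate change: it records the SHA-256 fingerprint each HTTPS endpoint of the gateway presents, checks whether the local trust store accepts it (which is what the Identity Agent and browsers effectively do), and reports whether every endpoint shares one certificate. Hostnames, ports and the endpoint labels are placeholders that you supply on the command line; the script assumes only the Python standard library.

```python
"""Added example: compare the TLS certificate served by a gateway's HTTPS
endpoints (e.g. the Browser Based Authentication portal, the address the
Identity Agent talks to, the Gaia portal) and flag a shared or untrusted one.
Not Check Point code; endpoint names below are placeholders."""
import hashlib
import socket
import ssl
import sys
from collections import defaultdict


def fetch_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the DER-encoded leaf certificate presented by host:port.

    Verification is deliberately disabled here: the point is to see the
    certificate even when it is self-signed, which is the case being hunted.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def is_trusted(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """True if the chain validates against the local trust store and the
    name matches; a self-signed gateway certificate returns False."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError:
        return False


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate as colon-separated upper hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def group_by_certificate(fingerprints: dict) -> dict:
    """Map fingerprint -> sorted list of endpoint labels presenting it."""
    groups = defaultdict(list)
    for label, fp in fingerprints.items():
        groups[fp].append(label)
    return {fp: sorted(labels) for fp, labels in groups.items()}


def report(fingerprints: dict, expected: str) -> dict:
    """Summarise a set of observed fingerprints against the one you expect.

    'shared' is True when every endpoint presents the same certificate,
    'mismatched' lists endpoints whose certificate is not the expected one.
    """
    groups = group_by_certificate(fingerprints)
    mismatched = sorted(lbl for lbl, fp in fingerprints.items() if fp != expected)
    return {"shared": len(groups) == 1, "groups": groups, "mismatched": mismatched}


def probe(endpoints: dict) -> dict:
    """Live check: endpoints is {label: (host, port)}; returns per-label results."""
    results = {}
    for label, (host, port) in endpoints.items():
        der = fetch_cert_der(host, port)
        results[label] = {"fingerprint": fingerprint(der),
                          "trusted": is_trusted(host, port)}
    return results


if __name__ == "__main__":
    # Usage: python check_portal_certs.py EXPECTED_FP label=host[:port] ...
    # (hosts and labels are yours; nothing here is a real gateway address)
    if len(sys.argv) < 3:
        sys.exit("usage: EXPECTED_FINGERPRINT label=host[:port] ...")
    expected_fp = sys.argv[1].upper()
    endpoints = {}
    for arg in sys.argv[2:]:
        label, _, target = arg.partition("=")
        host, _, port = target.partition(":")
        endpoints[label] = (host, int(port or 443))
    live = probe(endpoints)
    for label, info in live.items():
        print(f"{label:20} trusted={info['trusted']} {info['fingerprint']}")
    summary = report({k: v["fingerprint"] for k, v in live.items()}, expected_fp)
    print("all endpoints share one certificate:", summary["shared"])
    print("endpoints not presenting the expected certificate:", summary["mismatched"])
```

Run it once with the fingerprint of the certificate you intend the portal to have, before changing anything, and again after: if the Gaia portal and the address the Identity Agent uses move to the new fingerprint together with the Browser Based Authentication portal, you have confirmed that they are served by one portal with one certificate, which is the explanation offered in the reply above, and `trusted=False` tells you in advance that agents and browsers will prompt users to accept it.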