Configure AD/LDAP Connector Authentication with Client Certificates

The AD/LDAP Connector also allows users to authenticate with a certificate installed on their machine or device.

Enable client certificates

  1. Go to Auth0 Dashboard > Authentication > Enterprise > Active Directory/LDAP, and select the connection you want to configure.

    Dashboard - Connections - Enterprise - AD/LDAP - SSL

  2. Toggle the Use client SSL certificate authentication option in the settings.

    Dashboard - Connections - Enterprise - AD/LDAP - SSL

  3. Provide IP address ranges in the IP Ranges field. Only users coming from the given IP ranges are prompted to authenticate using client certificates. Users from different IP ranges are prompted to login with the username and password login form.

    Dashboard - Connections - Enterprise - AD/LDAP -  SSL Settings

Configure certificates

Once the AD/LDAP connection has been configured in Auth0, you'll need to configure the certificates in the AD/LDAP Connector. Supporting client certificates will require the following:

  • An SSL certificate for the Front Facing URL, because the interaction between the end user and the Connector will need to happen over HTTPS.

  • One or more CA certificates.

  • A Client Certificate signed by the CA for each user that needs to authenticate using Client Certificates.

  1. Before uploading certificates to the AD/LDAP connector, convert X.509 certificates to Base64. Use Base64 or Certutil on Windows Server. To learn more, see Base64 Decode at Base64decode or Certutil.exe in Microsoft documentation.

  2. Upload the SSL and CA certificates to the AD/LDAP Connector:

    Configure AD/LDAP Connector Authentication with Client Certificates Setup Screen

  3. To test, generate a self-signed CA and Client Certificates using makecert.exe on Windows, which is part of the Windows SDK:

    SET ClientCertificateName=jon
        SET RootCertificateName=FabrikamRootCA
        "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\makecert.exe" -sky exchange -r -n "CN=%RootCertificateName%" -pe -a sha1 -len 2048 -ss My "%RootCertificateName%.cer"
        "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\makecert.exe" -n "CN=%ClientCertificateName%" -pe -sky exchange -m 96 -ss My -in "%RootCertificateName%" -is my -a sha1

    Was this helpful?

    /
    It is important that the Client Certificate's subject be in the format of CN=AD_USERNAME, for example CN=jon.

In an application, when a user starts the sign-in flow using an AD/LDAP Connection:

auth.signin({
       popup: true,
       connection: 'FabrikamAD',
       scope: 'openid name email'
     }, onLoginSuccess, onLoginFailed);

Was this helpful?

/

If the user's IP address falls within the configured IP range, they'll be prompted to authenticate with a Client Certificate:

Configure AD/LDAP Connector Authentication with Client Certificates Choose Client Certificate

After choosing the certificate the AD/LDAP Connector will validate it and the user will be logged in:

Configure AD/LDAP Connector Authentication with Client Certificates Logged In User