What is an authentication scheme?
An authentication scheme is a module that implements a way for a user to authenticate itself to SimpleID. In particular, an authentication scheme checks credentials presented by the user against some data store containing user information, and determines whether the credentials match those stored in the data store.
The following authentication schemes are enabled by default:
- A password-based authentication scheme (
- A cookie-based "remember me" authentication scheme (
For additional login verification, the OTP authentication scheme
SimpleID\Auth\OTPAuthSchemeModule) can be enabled on top of the default modules.
The extensibility of SimpleID means an entirely different set of authentication schemes can be implemented. One such scheme is the CertAuthSchemeModule distributed with SimpleID.
CertAuthSchemeModule can be enabled to support logging in using client SSL certificates instead of using a user name and password.
Instead of being prompted to enter a user name and password, your browser will ask you to select a certificate stored on your computer. SimpleID will then match the certificate against information stored in your user file and log you in.
Note that this is for advanced users only. It requires a large number of highly technical steps to set up.
Much of this information is taken from Using SSL Client Certificates with PHP.
What you need
You will need the following:
- SimpleID 2.0 or later
- Apache version 2.3 or later, with
mod_sslinstalled, and access to the server's Apache configuration file
- Your personal certificate issued by a certificate authority recognised by the web server
Configure your web server
You will need to configure your web server to request a certificate from your browser and verify it when you go to your SimpleID installation.
Add the following directives to the virtual host within the server configuration:
SSLVerifyClient optional SSLVerifyDepth 1 SSLOptions +StdEnvVars SSLCACertificateFile /path/to/your/trusted/ca/certificates SSLOCSPEnable on
CertAuthSchemeModule module by including
modules setting in the
To avoid conflicts with other authentication scheme modules, it is recommended that you
by removing them from the
See enabling and disabling modules for further details.
Add certificate details to your user file
Your certificate is identified using two parameters:
- the certificate's serial number
- the distinguished name of the certificate's issuer
You can find out these two values using OpenSSL by running the following commands (replacing the file name of the certificate as required):
openssl x509 -noout -serial -in certificate.crt
openssl x509 -noout -issuer -in certificate.crt
These two values are then combined and placed in the
cert section of your user file as follows:
- "02A97C;/C=Example/O=Example CA/OU=Example CA Certificate Signing/CN=Example Client CA"