cert + smsession custom auth scheme

Question asked by gstephe on Oct 5, 2010
Hello all,

We have 2 web sites, call them site A and site B. The normal process is to log in to site A, which is protected with form-based authentication at level 5. The application checks to see if you have already been issued a client certificate and, if you have, it forwards to site B.

Site B is a certificate + forms authentication scheme at level 10. Apache prompts for the client cert and then you get a login page.

Pretty basic. Now the developers want to eliminate the second login page. CA support says that it is a custom login page to capture the original SMSESSION and tack a certificate on top, while validating that the client cert and the SMSESSION belong to the same user.

Does anyone have any experience with this scenario?
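The binding check the post describes, as an added example that is not part of the original post and not CA/Broadcom SiteMinder code: after Apache mod_ssl has verified the client certificate and the SiteMinder web agent has resolved the existing SMSESSION to a user, the custom login page has to confirm that the two identities agree before it issues the stronger session. The mod_ssl variable names `SSL_CLIENT_VERIFY` and `SSL_CLIENT_S_DN` are real; the `session_user` dict (assumed to hold the user id the web agent resolved from the SMSESSION, for instance via its `SM_USER` response header) and the matching-on-CN rule are assumptions of this example, and the DN parser does not handle escaped separators.

```python
"""Bind a verified client certificate to the user already identified by SMSESSION.

Added example; not code from the original post or from SiteMinder.
Assumes Apache mod_ssl has already performed certificate verification and
that the SiteMinder web agent has already resolved SMSESSION to a user id.
"""
from typing import Dict, Tuple

# Real mod_ssl environment variables (see Apache mod_ssl documentation).
CLIENT_VERIFY_VAR = "SSL_CLIENT_VERIFY"   # "SUCCESS", "NONE" or "FAILED:<reason>"
CLIENT_DN_VAR = "SSL_CLIENT_S_DN"         # subject DN of the presented client cert


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse a subject DN string into {ATTR: value}.

    Accepts both mod_ssl string formats: the legacy "/C=US/O=Example/CN=jdoe"
    and RFC 2253 "CN=jdoe,O=Example,C=US". Escaped separators inside values
    are not handled (simplification for this example).
    """
    dn = dn.strip()
    parts = dn[1:].split("/") if dn.startswith("/") else dn.split(",")
    attrs: Dict[str, str] = {}
    for part in parts:
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        attrs[key.strip().upper()] = value.strip()
    return attrs


def bind_cert_to_session(env: Dict[str, str],
                         session_user: Dict[str, str],
                         match_attr: str = "CN") -> Tuple[bool, str]:
    """Return (ok, reason): does the client cert belong to the SMSESSION user?

    `env` is the CGI-style request environment populated by mod_ssl.
    `session_user` is assumed to be what the web agent resolved from SMSESSION.
    `match_attr` is the subject attribute that carries the user id (assumed CN).
    """
    # 1. Never trust a DN unless Apache actually verified the chain.
    if env.get(CLIENT_VERIFY_VAR) != "SUCCESS":
        return False, "client certificate not verified by Apache"

    # 2. Extract the identity attribute from the certificate subject.
    subject = parse_dn(env.get(CLIENT_DN_VAR, ""))
    cert_id = subject.get(match_attr.upper())
    if not cert_id:
        return False, f"certificate subject has no {match_attr}"

    # 3. The existing session must already identify a user.
    session_id = session_user.get("userid", "")
    if not session_id:
        return False, "no user resolved from SMSESSION"

    # 4. Both factors must name the same principal; directory user ids are
    #    treated as case-insensitive here (assumption).
    if cert_id.casefold() != session_id.casefold():
        return False, "certificate identity does not match session user"
    return True, "certificate bound to session user"


if __name__ == "__main__":
    # Constructed sample request: cert CN and session user agree.
    env_ok = {CLIENT_VERIFY_VAR: "SUCCESS",
              CLIENT_DN_VAR: "/C=US/O=Example/CN=jdoe"}
    print(bind_cert_to_session(env_ok, {"userid": "JDoe"}))
    # Constructed sample request: a valid cert, but for a different user.
    env_other = {CLIENT_VERIFY_VAR: "SUCCESS",
                 CLIENT_DN_VAR: "CN=asmith,O=Example,C=US"}
    print(bind_cert_to_session(env_other, {"userid": "jdoe"}))
```

The check is only meaningful if the certificate requirement is enforced in Apache configuration for site B (for example `SSLVerifyClient require`) so that `SSL_CLIENT_VERIFY` cannot be "NONE" on the path that reaches this page; the code refuses anything but "SUCCESS" so a misconfiguration fails closed rather than open.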