Re: [Fed-Talk] Anyone know of code for performing CAC authentication for a web site
- Subject: Re: [Fed-Talk] Anyone know of code for performing CAC authentication for a web site
- From: email@hidden
- Date: Tue, 22 Apr 2008 16:37:58 -0500
Jim Solderitsch <email@hidden> writes:
> Most of us use web sites that seamlessly ask for our CAC pin to allow
> our identity to be passed on in support of accessing web resources.
> Outlook Web Access works for me this way for my .mil email access
> (except for encrypted mail -- can only get that through a Citrix ICA
> login on a PC).
>
> I am now faced with the possibility of supporting the implementation
> of a web site -- Java based back-end with Javascript for UI support --
> that will authenticate users based on their CAC. Or more precisely, be
> able to get the EDIPI number from the CAC when the user supplies the
> PIN.
>
> ActiveGold has an SDK which supports Windows and IE. I am looking for
> something that is more cross-platform that would allow Mac users to
> participate in the web site using their CAC.
>
> Anyone have any pointers to software -- open source preferred but
> cross-platform and Java friendly are more important.
>
> I did some Googling and didn't see any promising hits. I suspect that
> any solution might have platform and browser dependencies but I am
> hoping to not have to target only one platform/browser (e.g. Windows/
> IE).

If you give a little more detail on exactly what http server software
you are using we might be able to give you some more specific pointers
(Apache, Tomcat, IIS, etc.).

However, generally speaking you want to enable SSL **CLIENT**
authentication. Once you do that you will get a copy of the client's
public certificate, and from that you can get the EDIPI number: either
parse it from the Common Name part of the Subject Name or, if you have
the identity certificate, you can look at the otherName of the Subject
Alternate Name, which is EDIPI@mil.

This approach is platform independent. The users just need a Web
Browser that can access the CAC card; how it reads the CAC really
doesn't matter. Your application will work with a Mac using Safari
accessing the CAC via Keychain or a Windows box using IE accessing the
CAC via ActivCard/ActivIdentity or a Linux box using Firefox and CoolKey
to access the CAC.
--
Lee
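
The Common Name route described in the reply above, as an added Java example that is not part of the original message: it reads the EDIPI from the subject of a client certificate that the TLS layer has already chain-validated. The class name `CacEdipi`, the assumption that the CN ends in a dot followed by a 10-digit EDIPI, and the sample DNs are constructed for illustration; the otherName route is not covered here.

```java
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

public class CacEdipi {
    // Assumption: the CN has the form LAST.FIRST.MIDDLE.<10-digit EDIPI>.
    private static final Pattern CN_EDIPI = Pattern.compile("\\.(\\d{10})\\z");

    /** Pass only a certificate that the server's TLS client authentication accepted. */
    public static Optional<String> edipiFromCert(X509Certificate cert) {
        return edipiFromSubject(
                cert.getSubjectX500Principal().getName(X500Principal.RFC2253));
    }

    /** Returns the EDIPI, or empty (fail closed) if the subject does not fit the pattern. */
    public static Optional<String> edipiFromSubject(String rfc2253Dn) {
        try {
            // Use a DN parser rather than split(","): values may hold escaped commas.
            List<Rdn> rdns = new LdapName(rfc2253Dn).getRdns();
            if (rdns.isEmpty()) return Optional.empty();
            Rdn leaf = rdns.get(rdns.size() - 1); // most specific RDN (leftmost in the string)
            if (!"CN".equalsIgnoreCase(leaf.getType())
                    || !(leaf.getValue() instanceof String)) {
                return Optional.empty();
            }
            Matcher m = CN_EDIPI.matcher((String) leaf.getValue());
            return m.find() ? Optional.of(m.group(1)) : Optional.empty();
        } catch (InvalidNameException e) {
            return Optional.empty(); // malformed subject: treat as unauthenticated
        }
    }

    public static void main(String[] args) {
        String[] constructedSubjects = {
            "CN=DOE.JOHN.Q.1234567890,OU=USN,OU=PKI,OU=DoD,O=U.S. Government,C=US",
            "CN=DOE\\, JR.JOHN.1234567890,OU=DoD,O=U.S. Government,C=US", // escaped comma
            "CN=www.example.mil,OU=DoD,O=U.S. Government,C=US",          // no EDIPI
            "OU=DoD,O=U.S. Government,C=US"                              // no CN at all
        };
        for (String dn : constructedSubjects) {
            System.out.println(dn + " -> " + edipiFromSubject(dn).orElse("(rejected)"));
        }
    }
}
```

In a servlet container with client authentication enabled, the validated chain is exposed as the request attribute `javax.servlet.request.X509Certificate`, and element 0 of that array is the certificate to pass to `edipiFromCert`.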