Single Sign-On with X.509 certificates

[4marcsap]

Request Type

Feature Request

Hello Team,
we have the request to enable Single Sign-On with X.509 certificates for TheHive.
So this means to enhance the Play SSL Server to accept and read X.509 certificates for configured CAs. By this option users do not have to provide user and password to authenticate but have a convenient and secure way of authenticating to the system.
Play allows to implement a customer SSL Engine -
https://www.playframework.com/documentation/2.6.x/ConfiguringHttps

thank you
marc

[To-om]

In order to authenticate user using certificate, TheHive must be able to extract user login from the certificate provided by client. User login can be in subject RDN and in alternative subject name.
In your use case, where is the user login ?

With this kind of authentication you can't use reverse proxy and if you want to use standard port (443/tcp), TheHive must be run with root user, which is not recommended (or add a rule in your local firewall to translate the port).

[crackytsi]

UserPrincipalName is also a very common attribute of Certificates, where I think this functionallity would make sense ;)

[To-om]

UserPrincipalName is usually in SubjectAlternativeName but I don't know how to extract it. Using Java API, it doesn't seem easy.

Maybe I should have a look at Bouncy Castle library.

[4marcsap]

In our case the user login in name is the X.509 subject Common Name (CN).

[crackytsi]

Maybe this helps?
https://stackoverflow.com/questions/11961913/read-alternative-name-from-certificate

[To-om]

Thank you. It uses Bouncy Castle. I prefer not to depends on this library. I'll try to understand how it extracts upn from certificate and implement my own function (if not too complicated).

[crackytsi]

Any news about this @To-om ?
It seems as you already implemented some parts with bouncy casle... :)

[To-om]

This feature has been implemented but not fully tested. I'll add it in the next release as beta (planned the 5th of December). If changes is need, I'll push hotfix.

[crackytsi]

I'm happy to test it ;)