Browser PKI certificates can be used as a strong authentication factor in addition to the user's password and one-time passwords.
Authentication with certificates
PKI certificates are issued by OneLogin and installed in the user's browser. After a user has signed into OneLogin with username and password, OneLogin validates that the PKI certificate installed in the user's browser matches the one registered on the user's record in OneLogin.
Security policies control the users who are required to authenticate with PKI certificates. You can apply a security policy to all users, to groups, or to individual users.
When self-installation is enabled, users who require certificates are prompted to install a certificate after they authenticate, but before they can sign into any applications.
Issuing and installing certificates
PKI certificates are issued by OneLogin on demand. To enable users to use PKI certificates, you must add them to a user security policy that requires certificates. The administrator can choose between installing certificates in a user's browser manually or allowing users to install them the next time they sign into OneLogin.
To configure a security policy to require certificates:
Go to Settings > Policies and select a user policy to update or click New User Policy to create a new one.
On the MFA tab, select PKI Certificate Required.
To enable users to install browser PKI certificates themselves, select Allow self-installation. Users who require certificates are prompted to install a certificate after they authenticate, but before they can sign into any applications.
You can set the certificate to expire in 1, 2, or 5 years.
You can obtain the user's certificate by going to Users > All Users, selecting the user, and selecting Download PKI Cert under the More Actions menu.
Replacing expired PKI certificates
When a user's PKI certificate expires, an administrator must generate a new certificate and distribute it to the user for installation:
As an admin, go to Users > All Users and select the user.
From the More Actions menu, select Download PKI Cert.
Follow the prompts to download the certificate.
Distribute the certificate to the user, using a safe distribution method.
Install the certificate on the user's device or instruct them to do it themselves.
Windows and Mac OS X operating systems handle certificate installation themselves. For Linux, you must use browser-specific certificate installation processes. Installation instructions are easily found by searching the web.
Ensure that the user deletes the certificate file from their hard drive after the certificate is installed.
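As an added example (not OneLogin's own tooling), the following POSIX shell helpers cover two checks an administrator would want around the procedure above: how much validity a downloaded certificate has left before it is distributed, and a fingerprint to record and later compare against the copy installed in the user's browser. It assumes the certificate is available as a PEM file and that the openssl command-line tool is installed; the sample certificate is constructed in the script.

```shell
#!/bin/sh
# Admin-side checks on a PKI certificate file (added example, not
# OneLogin code). Assumption: the certificate is in PEM form.
set -eu

# SHA-256 fingerprint of the certificate: the value to record so the
# copy installed in the user's browser can be matched against it.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Succeeds (exit 0) if the certificate stays valid for at least $2 more
# days; fails if it expires sooner or has already expired, meaning a
# replacement must be generated and distributed.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Succeeds if the certificate file matches the registered fingerprint.
cert_matches_registered() {
  [ "$(cert_fingerprint "$1")" = "$2" ]
}

# Constructed sample: a self-signed certificate with a 2-year lifetime,
# one of the lifetimes the policy allows (1, 2 or 5 years).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 730 \
  -subj "/CN=example user" \
  -keyout "$WORK/user.key" -out "$WORK/user.pem" 2>/dev/null

REGISTERED=$(cert_fingerprint "$WORK/user.pem")
echo "registered fingerprint: $REGISTERED"
if cert_valid_for_days "$WORK/user.pem" 30; then
  echo "certificate valid for at least 30 more days"
else
  echo "certificate expires within 30 days: reissue it"
fi
```

Run the expiry check on a schedule shorter than the chosen lifetime so a replacement can be distributed before the user is locked out.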
Handling PKI certificates
Certificates should be handled with care, just like a physical authentication token such as a USB key. Be sure to tell users who install certificates themselves to delete them from the hard drive after they have been installed.
OneLogin's certificates support Chrome, Firefox, Safari and Internet Explorer. Windows and Mac OS X have certificate management built into the operating system, whereas on Linux each browser manages its own certificate store.
| Windows | Certificate Manager | Certificate Manager | Certificate Manager |
| Mac OS X | Keychain | Keychain | Keychain |