PIV/CAC/Smart cards
Login to Keeper Connection Manager with a PIV/CAC device
KCM allows authentication with the web application using the DoD's Common Access Cards (CAC), as well as with any smart card supported by the browser for SSL client auth such as Personal Identity Verification (PIV).
This feature allows users to authenticate to Keeper Connection Manager using a CAC; it does not pass the CAC through to the remote desktop.
This support depends on an SSL termination instance providing SSL/TLS authentication, a capability that was added to KCM version 2.12.0.
A typical configuration for PIV/CAC would be the following:
- An SSL termination instance configured with two hostnames: one for normal access (such as kcm.example.net) and another just for handling SSL client auth, which should ideally be a wildcard domain (such as *.login.kcm.example.net). The SSL client auth configuration would include the certificate of the CA providing the PIV/CAC cards.
- PIV/CAC support installed and configured to authenticate users against *.login.kcm.example.net and redirect them back to kcm.example.net once ready.
- Database backend configured to automatically create user accounts for users coming from SSO.
- User creation workflow configured to require approval for users that SSO from PIV/CAC.
Configuration Options for PIV/CAC
Support for PIV/CAC is configured using Keeper's new support for SSL/TLS client authentication. This support is provided by the "guacamole-auth-sso-ssl" extension, which we package as kcm-guacamole-auth-sso-ssl. Setting any SSL_* variable will implicitly include the kcm-guacamole-auth-sso-ssl package.
The following options will need to be set in the keeper/guacamole Docker container definition (or in guacamole.properties for Linux distributions):
The following options are also available, though it would be unusual to need to set them:
SSL (NGINX) Configuration Options for PIV/CAC
Authenticating with PIV/CAC (or any smart card) via the browser relies on SSL/TLS client authentication. This capability was further enhanced for PIV/CAC by adding convenient configuration options for testing whether certificates have been revoked via OCSP or a CRL. For reference, the following are all options related to SSL/TLS client authentication currently supported by the keeper/guacamole-ssl-nginx Docker image:
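The two checks the SSL termination instance makes on a card certificate before it forwards a login, chaining to the PIV/CAC issuing CA and absence from that CA's CRL, as an added shell demonstration that is not part of Keeper's documentation or of the keeper/guacamole-ssl-nginx image. It builds a throwaway CA with openssl, issues two card certificates, revokes one, and verifies them the way the terminator would; the CA name and the user names (jdoe, rsmith) are constructed, and OCSP is not covered.

```shell
# Constructed demo (not KCM code): verify a card certificate chains to the
# PIV/CAC issuing CA and is not on that CA's CRL. Throwaway CA, made-up names.
set -e
cd "$(mktemp -d)"
mkdir newcerts; : > index.txt; echo 1000 > serial; echo 1000 > crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = cn_only
[ cn_only ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ v3_client ]
extendedKeyUsage = clientAuth
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
# Throwaway issuing CA standing in for the CA that issues the cards.
openssl req -config ca.cnf -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
  -keyout ca.key -out ca.crt -days 365 -subj "/CN=Demo PIV Issuing CA" 2>/dev/null
# Two card certificates: jdoe stays valid, rsmith is revoked below.
for u in jdoe rsmith; do
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout "$u.key" \
    -out "$u.csr" -subj "/CN=$u" 2>/dev/null
  openssl ca -batch -config ca.cnf -extensions v3_client -in "$u.csr" \
    -out "$u.crt" 2>/dev/null
done
# A self-signed certificate with the same CN but not issued by the CA.
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -keyout rogue.key \
  -out rogue.crt -days 365 -subj "/CN=jdoe" 2>/dev/null
openssl ca -config ca.cnf -revoke rsmith.crt 2>/dev/null   # revoke the card
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null  # publish the CRL
# The terminator's decision: trusted chain to the card CA, then CRL lookup.
verify_client_cert() {
  openssl verify -CAfile ca.crt -CRLfile ca.crl -crl_check "$1" >/dev/null 2>&1
}
```

Only jdoe.crt passes; rsmith.crt is rejected by the CRL check and rogue.crt fails the chain check.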
Example PIV/CAC Configuration
The example docker-compose.yml below uses the following placeholders:
In practice, these values will vary, as will whether the user chooses to use MySQL or PostgreSQL. The example below was written using PostgreSQL.
Configuring the KCM user creation workflow
Prior to configuring the user workflow, make sure to set the REQUIRE_ACCOUNT_APPROVAL key to the appropriate authentication method. For PIV/CAC, you would set it to ssl:
Once configuration is complete, a new "Use Certificate or Smart Card" link appears on the login screen of the application, as seen below:
For additional details on user creation workflow, visit this page.
Installing CA Authority
For each end-user client device that will need access to Keeper Connection Manager, you may need to install the internal CA as a trusted authority in the user's browser. How a trusted CA is installed varies by platform.