When the Identity Service runs in apache-httpd, you can use external
authentication methods that differ from the authentication provided by
the identity store back-end. For example, you can use an SQL identity
back-end together with X.509 authentication, Kerberos, and so on instead
of using the user name and password combination.

Web servers, such as Apache HTTP Server, support many methods of
authentication. The Identity Service can allow the web server to perform
the authentication. The web server then passes the authenticated user to
the Identity Service by using the REMOTE_USER environment variable. This
user must already exist in the Identity Service back-end in order to get
a token from the controller. To use this method, the Identity Service
should run on apache-httpd.

The following Apache configuration snippet authenticates the user based on a valid X.509 certificate from a known CA:

    <VirtualHost _default_:5000>
        SSLEngine on
        SSLCertificateFile    /etc/ssl/certs/ssl.cert
        SSLCertificateKeyFile /etc/ssl/private/ssl.key

        SSLCACertificatePath  /etc/ssl/allowed_cas
        SSLCARevocationPath   /etc/ssl/allowed_cas
        # Use the CN of the client certificate subject as the user name (REMOTE_USER)
        SSLUserName           SSL_CLIENT_S_DN_CN
        # Reject any client that does not present a valid certificate
        SSLVerifyClient       require
        SSLVerifyDepth        10

        (...)
    </VirtualHost>
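
The following Python WSGI example is added here and is not Keystone's own code. It shows the consuming side of the hand-off described above: the application trusts only the REMOTE_USER variable set by the web server, ignores a client-supplied Remote-User header, and issues a token only when the user exists in the back-end. `KNOWN_USERS`, `external_user`, `app`, `call` and the token string are hypothetical, constructed for this illustration.

```python
# Added illustration; not Keystone source code. All names are hypothetical.
from wsgiref.util import setup_testing_defaults

# Constructed stand-in for the identity back-end (for example the SQL store).
KNOWN_USERS = {"alice": "user-id-0001"}


def external_user(environ):
    """Return the user name the web server authenticated, or None.

    Only the CGI variable REMOTE_USER is trusted: the server sets it after
    its own check (with X.509, SSLUserName fills it from the certificate).
    A client-sent "Remote-User:" header arrives as HTTP_REMOTE_USER and is
    deliberately ignored.
    """
    name = (environ.get("REMOTE_USER") or "").strip()
    return name or None


def app(environ, start_response):
    """Minimal WSGI app: hand a placeholder token to known external users."""
    name = external_user(environ)
    if name is None:
        status, body = "401 Unauthorized", b"no externally authenticated user"
    elif name not in KNOWN_USERS:
        # Authenticated by the web server, but absent from the back-end.
        status, body = "401 Unauthorized", b"user not in identity back-end"
    else:
        status, body = "200 OK", ("token-for-" + KNOWN_USERS[name]).encode()
    start_response(status, [("Content-Type", "text/plain")])
    return [body]


def call(extra_environ):
    """Drive the app once with a constructed request; return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(extra_environ)
    seen = {}

    def start_response(status, headers):
        seen["status"] = status

    body = b"".join(app(environ, start_response))
    return seen["status"], body
```
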