
Using PKI Authentication with Shibboleth
X.509 PKI client certificates can be used to authenticate end users to Shibboleth. The following configuration needs to be set up.
To use PKI certificates for end user authentication, the campus uses a web server configured to request or require a client certificate as its local Shibboleth "handle service". Instructions on how to configure an Apache 1.3-4 server to request a client certificate are available, for example, at http://www.dartmouth.edu/~pkilab/pages/Web_Access_Control.html on the Dartmouth PKI Lab web site. Other web server software would need to be similarly configured.
The address of the handle service is registered as usual with the Shibboleth Club. This will be an https URL which will start an SSL session when it is followed. The Shibboleth target will redirect a user through this web server "handle service" for authentication. This web server will authenticate the user by causing a client-side SSL session to be started.
Client-side SSL session setup causes the user's web browser to present a client certificate. (The user may be involved in selecting the certificate to be used and providing a password to authorize use of the private key, depending on which web browser is being used and how its user preferences have been set for the SSL and certificate features.) The SSL session setup verifies that the private key corresponding to the public key in the certificate was used in the session negotiation. The client certificate's contents are validated, the expiration date is checked and a CRL may be checked. The validity of the signing certificates used in the certificate signature chain is checked. The local web server validates that the certificates presented have been signed by acceptable root certificates (for example the campus CA). Successful verification results in a completed SSL session and the contents of the certificate being available in the web server's environment variables.
After this "authentication" process is completed, the normal Shibboleth Origin processing continues, authorization is checked and then the request is passed back to the Shibboleth protected target service.
Normally Shibboleth checks the value of the REMOTE_USER environment variable (normally filled in by the web server's "Basic_Auth" module) to obtain a handle for the user. Version 0.8 of the Shibboleth origin is able to obtain the user's "handle" from the web server's SSL environment variables if the REMOTE_USER environment variable is not defined. In order to use a client-side certificate for end user authentication, the "Client Cert AuthN filter" is added to the Shibboleth Origin configuration. This is described in section "4.c.i Enabling client certificate authentication" of the version 0.8 "Deployment Guide For Origin Sites".
The "Client Cert AuthN filter" allows a regular expression to determine what part of the client certificate's Distinguished Name (DN) is used as a "handle" to look up attributes. The default regular expression uses the Common Name (CN) portion of the certificate's DN. Using this "handle", the normal Shibboleth invocation of the local attribute authority is used as needed to request user attributes. If the CN value in an institution's LDAP directory is not unique, but another LDAP attribute is used to distinguish users with the same name (e.g. CN=Jack Smith, uid=jsmith versus CN=Jack Smith, uid=jsmith1), then another expression should be used. The value of the E (Email address) attribute may be a good choice as a handle value, since these are generally unique.
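An added example, written for this page in Python and not taken from Shibboleth or the Dartmouth deployment, of the handle selection just described: REMOTE_USER takes precedence, otherwise a regular expression is applied to the subject DN of a verified client certificate, and a second function checks whether the chosen DN component is actually unique across a set of DNs (CN collides for the two Jack Smiths, the e-mail attribute does not). The environment variable names (SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN) and the slash-separated DN format are assumptions modelled on Apache mod_ssl, not details given on the page.

```python
import re
# Constructed sample web-server environment, modelled on the variables that
# Apache mod_ssl exports after a client-certificate handshake (names assumed).
SAMPLE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "/C=US/O=Example College/CN=Jack Smith/emailAddress=jsmith1@example.edu",
}

# Default described on the page: the CN component of the subject DN.
CN_PATTERN = re.compile(r"/CN=([^/]+)")
# Alternative suggested on the page: the e-mail attribute, generally unique.
EMAIL_PATTERN = re.compile(r"/(?:E|emailAddress)=([^/]+)")

def handle_from_env(env, pattern=CN_PATTERN):
    """Return the handle the origin would use for this request.

    REMOTE_USER (set by a Basic-Auth style module) wins when present. Otherwise
    the handle is taken from the client certificate's subject DN, but only if
    the web server reports that the certificate chain verified successfully.
    """
    if env.get("REMOTE_USER"):
        return env["REMOTE_USER"]
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None  # no verified certificate: do not derive a handle
    m = pattern.search(env.get("SSL_CLIENT_S_DN", ""))
    return m.group(1) if m else None

def ambiguous_handles(dns, pattern):
    """Return handles that more than one certificate DN maps to.

    A non-empty result means the chosen DN component cannot serve as the
    lookup handle: two different users would resolve to the same entry.
    """
    seen = {}
    for dn in dns:
        m = pattern.search(dn)
        if m:
            seen.setdefault(m.group(1), []).append(dn)
    return {h for h, matches in seen.items() if len(matches) > 1}

# Constructed DNs: two distinct users share a common name, as in the page's example.
SAMPLE_DNS = [
    "/C=US/O=Example College/CN=Jack Smith/emailAddress=jsmith@example.edu",
    "/C=US/O=Example College/CN=Jack Smith/emailAddress=jsmith1@example.edu",
    "/C=US/O=Example College/CN=Ann Lee/emailAddress=alee@example.edu",
]
if __name__ == "__main__":
    print(handle_from_env(SAMPLE_ENV), handle_from_env(SAMPLE_ENV, EMAIL_PATTERN))
    print(ambiguous_handles(SAMPLE_DNS, CN_PATTERN), ambiguous_handles(SAMPLE_DNS, EMAIL_PATTERN))
```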
If the web (aka Shibboleth handle) server described above is configured such that client-side SSL is optional, solutions that allow other authentication techniques to co-exist with PKI certificate authentication are possible. For example, the Univ. of Wisconsin-Madison is designing a combination authentication module that uses client certificate authentication if it is available and otherwise falls back to requesting an LDAP directory user-id and password. Dartmouth College has been able to do something similar using Kerberos.
Dartmouth College has configured its test Shibboleth Origin in this manner. To try it with a Dartmouth College issued certificate, follow this SSL link to the Shibboleth Test Target.
Last update: 28 May 2003