X509 Authn in IDPv3

Mike Wiseman mike.wiseman at utoronto.ca
Wed Apr 6 11:06:35 EDT 2016


> 
> >My experience in using the idp-v3 X509AuthHandler is that a Java ‘response object’ is
> required by the servlet. A Java service needs to have handled the X509 authentication to
> generate the required object response.
> 
> The +ExportCertData option in mod_ssl when using AJP will populate it. That said, I don't
> think I would necessarily favor using Apache just to get this part done, but it does work.
> 

Yes, I'm leaning towards using 'Tomcat-only' for idp operation mainly for this purpose - handling TLS client authentication which is our principal MFA method. I could use Jetty but am not comfortable/experienced with using it for client auth handling. I also tried httpd/mod_ssl over HTTPS (instead of AJP) to Jetty - had trouble with that.

Mike  
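The mod_ssl and AJP arrangement named in the quoted reply, as an added configuration example that is not part of the original thread or the Shibboleth project's own files. The host name, certificate file paths, the /idp/Authn/X509 location and the AJP address 127.0.0.1:8009 are assumptions to adapt to the deployment.

```apache
# Added example: httpd terminates TLS, verifies the client certificate,
# and forwards the request to the servlet container over AJP.
# All names and paths below are placeholders (assumptions).
<VirtualHost *:443>
    ServerName idp.example.org

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/idp.example.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/idp.example.org.key

    # CA(s) that issue the client certificates used for authentication.
    SSLCACertificateFile  /etc/pki/tls/certs/client-issuing-ca.pem

    # Ask for a client certificate only on the X509 handler path
    # (assumed path), so other IdP endpoints work without one.
    <Location /idp/Authn/X509>
        SSLVerifyClient require
        SSLVerifyDepth  2
        # The option named in the reply: exports the PEM-encoded client
        # certificate as SSL_CLIENT_CERT.
        SSLOptions +ExportCertData
    </Location>

    # Forward to the container's AJP connector on loopback only.
    ProxyPass /idp ajp://127.0.0.1:8009/idp
</VirtualHost>
```

Keep the AJP connector bound to loopback, since the container accepts the certificate attribute from whatever peer speaks AJP to it.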

