Configure AD/LDAP Connector Authentication with Client Certificates

​

Enable client certificates

1. Go to Auth0 Dashboard > Authentication > Enterprise > Active Directory/LDAP, and select the connection you want to configure.
2. Toggle the Use client SSL certificate authentication option in the settings.
3. Provide IP address ranges in the IP Ranges field. Only users coming from the given IP ranges are prompted to authenticate using client certificates. Users from different IP ranges are prompted to login with the username and password login form.

​

Configure certificates

• An SSL certificate for the Front Facing URL, because the interaction between the end user and the Connector will need to happen over HTTPS.
• One or more CA certificates.
• A Client Certificate signed by the CA for each user that needs to authenticate using Client Certificates.

1. Before uploading certificates to the AD/LDAP connector, convert X.509 certificates to Base64. Use Base64 or Certutil on Windows Server. To learn more, see Base64 Decode at Base64decode or Certutil.exe in Microsoft documentation.
2. Upload the SSL and CA certificates to the AD/LDAP Connector:
   
3. To test, generate a self-signed CA and Client Certificates using makecert.exe on Windows, which is part of the Windows SDK:
   Copy

   Ask AI

   SET ClientCertificateName=jon
       SET RootCertificateName=FabrikamRootCA
       "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\makecert.exe" -sky exchange -r -n "CN=%RootCertificateName%" -pe -a sha1 -len 2048 -ss My "%RootCertificateName%.cer"
       "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\makecert.exe" -n "CN=%ClientCertificateName%" -pe -sky exchange -m 96 -ss My -in "%RootCertificateName%" -is my -a sha1
   

   It is important that the Client Certificate’s subject be in the format of CN=AD_USERNAME, for example CN=jon.

auth.signin({
       popup: true,
       connection: 'FabrikamAD',
       scope: 'openid name email'
     }, onLoginSuccess, onLoginFailed);