Use this guide to enable C-SSL authentication in SecureAuth IdP realm(s).

This configuration sets up a begin site that requires the browser to present a client-side certificate before the end-user provides any information, in order to enable access to the target resource (application, VPN, IdM tool, etc.).


1. Have a valid certificate that will be used to access the C-SSL-configured realm

This can be accomplished through another SecureAuth IdP realm (see Certificate Enrollment Configuration Steps below) or from an existing certificate (e.g. smart card)

If using a smart card certificate, the certificate chain must be imported from the card issuer to the SecureAuth IdP appliance

2. Create a New Realm or edit an existing realm to which C-SSL will be applied in the SecureAuth IdP Web Admin

3. Configure the following tabs in the Web Admin before configuring for C-SSL:

  • Overview – the description of the realm and SMTP connections must be defined
  • Data – an enterprise directory must be integrated with SecureAuth IdP
  • Workflow – the way in which users will access the target must be defined
  • Registration Methods / Multi-Factor Methods – the Multi-Factor Authentication methods that will be used to access the target (if any) must be defined
  • Post Authentication – the target resource or post authentication action must be defined
  • Logs – the logs that will be enabled or disabled for this realm must be defined

The Registration Methods tab in SecureAuth IdP Version 9.0 has been renamed Multi-Factor Methods as of Version 9.0.1

Certificate Enrollment Configuration Steps

If utilizing the SecureAuth IdP-generated certificates rather than smart cards, a Certificate Enrollment Realm will need to be created in addition to the C-SSL Realm

These configurations must be done on a different realm than the one configured below for C-SSL authentication



1. In the Product Configuration section, select Certificate Enrollment Only from the Integration Method dropdown

In versions 9.0.1+, this step is located in the Device Recognition Method section

Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes

Post Authentication


2. Select Native Mode Cert Landing Page from the Authenticated User Redirect dropdown

Click Save once the configurations have been completed and before leaving the Post Authentication page to avoid losing changes

C-SSL Realm Configuration Steps

These configuration steps are for the actual realm to which C-SSL authentication will be applied (a different realm from the Certificate Enrollment Realm)


In versions 9.0.1+, the following steps are located in the Custom Identity Consumer section

1. In the Custom Front End section, select Token from the Receive Token dropdown

2. Select True from the Require Begin Site dropdown

3. Select Client Side SSL from the Begin Site dropdown

4. The Begin Site URL will auto-populate to cSSL.aspx

Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes

IIS Manager Configuration Steps


1. In the SecureAuth IdP appliance's IIS Manager, select the realm to which C-SSL is applied under Sites and Default Web Site (e.g. SecureAuth3)

2. Click SSL Settings

3. Check Require SSL and select Require from the Client Certificates options

Sample End-user Workflow


1. When the end-user attempts to access the C-SSL-configured realm, the C-SSL Begin Site will launch

2. The Begin Site will immediately prompt the end-user for a certificate

3. The end-user will select the appropriate certificate retrieved from the Certificate Enrollment Realm

4. The end-user will be redirected to SecureAuth IdP to follow the outlined workflow of the C-SSL realm, and then to the target resource

Troubleshooting / Common Issues

1. If using a separate CRL (rather than SecureAuth IdP), make sure that the SecureAuth IdP appliance can access the CRL to check the validity of certificates

2. If receiving 403 errors, check the IIS logs to view the sub error code to further troubleshoot, e.g. 403.7: no certificate provided; 407.17: certificate was revoked
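As an added example (not part of the SecureAuth documentation), the Python below supports the log check in step 2: it reads IIS W3C log lines, keeps the 403 responses for the C-SSL realm, and labels the certificate-related sub-status codes using Microsoft's IIS status code list. The `/SecureAuth3/` realm path, the field layout and the sample log lines are constructed assumptions.

```python
from collections import Counter

# HTTP 403 sub-status codes that concern client certificates, per Microsoft's
# IIS status code list (the realm path default is a constructed assumption).
CERT_SUBSTATUS = {
    7: "client certificate required",
    13: "client certificate revoked",
    16: "client certificate untrusted or invalid",
    17: "client certificate expired or not yet valid",
}

def cert_failures(lines, realm="/SecureAuth3/"):
    """Return (c-ip, uri, sub-status, meaning) for certificate-related 403s."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared per log file
            continue
        values = line.split()
        if line.startswith("#") or not fields or len(values) != len(fields):
            continue  # directive, blank, or malformed record
        row = dict(zip(fields, values))
        sub = row.get("sc-substatus", "")
        if row.get("sc-status") != "403" or not sub.isdigit():
            continue
        uri = row.get("cs-uri-stem", "")
        if uri.lower().startswith(realm.lower()) and int(sub) in CERT_SUBSTATUS:
            hits.append((row.get("c-ip", "-"), uri, int(sub), CERT_SUBSTATUS[int(sub)]))
    return hits

def summarize(hits):
    """Count failures per sub-status so the dominant cause stands out."""
    return Counter(f"403.{sub}" for _, _, sub, _ in hits)

# Constructed sample log lines, not taken from a real appliance.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-substatus sc-win32-status
2024-01-10 09:00:01 GET /SecureAuth3/cSSL.aspx 10.0.0.21 403 7 0
2024-01-10 09:00:09 GET /SecureAuth3/cSSL.aspx 10.0.0.22 403 13 0
2024-01-10 09:00:15 GET /SecureAuth3/cSSL.aspx 10.0.0.21 403 7 0
2024-01-10 09:00:20 GET /SecureAuth3/cSSL.aspx 10.0.0.23 200 0 0
2024-01-10 09:00:31 GET /SecureAuth2/cSSL.aspx 10.0.0.24 403 16 0
2024-01-10 09:00:40 GET /SecureAuth3/cSSL.aspx 10.0.0.25 403 14 0
""".splitlines()

if __name__ == "__main__":
    for code, count in sorted(summarize(cert_failures(SAMPLE_LOG)).items()):
        print(code, count)
```

A run of 403.7 entries from one client usually means no certificate was offered at the prompt, while 403.13 and 403.16 point to the CRL reachability and certificate chain items covered earlier in this guide.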
