Login with an electronic signature tool

Configuring the authentication method in the Admin console

When using an electronic signature tool for authentication, you must:

  • in the “Certificates” settings block, load the certificates of the certification authorities that issued the users’ electronic signature key certificates (these CA certificates are what confirms that a user certificate is genuine), and configure the interaction with the external electronic signature verification service.

  • in the “Compliance rules” block, configure how a user account in the data store is matched to the attributes of the electronic signature certificate. Matching rules use substitution strings: for example, the rule cn=${SUBJECT.CN} means that the SUBJECT.CN attribute of the certificate is compared with the cn attribute in the data store. Several conditions can be specified at the same time, and alternative rules can also be specified.

When configuring electronic signature login, you can also specify:

  • whether this method counts as both the first and the second factor. If yes, a user authenticated by electronic signature is considered to have passed two-factor authentication (see the figure below for an example of the setting);

  • whether to check the validity of the certificate. In this case Blitz Identity Provider uses the CRL distribution point specified in the certificate to check whether the certificate has been revoked. To enable this check, select the “Verify that the user’s certificate has not been revoked” checkbox;

  • whether to create (register) an account at the first login by e-signature. In this case, if no user is found by the matching rules, the user is prompted to register an account. To enable this feature, select the “Create an account if the user is not found by the electronic signature certificate” checkbox and configure the user registration rules, i.e. how the attributes in the data store are filled in from the certificate attributes. The rules use substitution strings: for example, the rule email=${SUBJECT.E} means that the email attribute will store the e-mail address from the user’s electronic signature certificate.
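The matching rules from the “Compliance rules” block and the registration rules described just above share one substitution syntax (cn=${SUBJECT.CN}, email=${SUBJECT.E}). The following is an added example, not Blitz Identity Provider code, showing how such rules can be evaluated against certificate attributes and a user store. It assumes a representation the page does not document: certificate attributes as a flat dict keyed like the placeholders, a rule set as a list of alternatives tried in order (each alternative a list of conditions that must all hold), and the user store as a list of dicts. All sample data is constructed. Two edge cases the text only implies are handled explicitly: a rule whose certificate attribute is absent is skipped rather than matched against an empty value, and an alternative that selects more than one account is treated as ambiguous and refused instead of triggering registration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Rule syntax shown on the page: "<store attribute>=${<certificate attribute>}".
PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9_.]+)\}")

# Constructed sample data (not from the product).
CERT_ATTRS = {
    "SUBJECT.CN": "Ivan Petrov",
    "SUBJECT.E": "ivan.petrov@example.com",
    "SUBJECT.O": "Example LLC",
}
USER_STORE = [
    {"uid": "ipetrov", "cn": "Ivan Petrov", "email": "ivan.petrov@example.com"},
    {"uid": "ipetrov2", "cn": "Ivan Petrov", "email": "i.petrov@example.com"},
    {"uid": "asidorova", "cn": "Anna Sidorova", "email": "anna@example.com"},
]
# Assumed representation: alternatives tried in order, each a list of
# conditions that must all hold at once.
MATCH_RULES = [
    ["cn=${SUBJECT.CN}", "email=${SUBJECT.E}"],
    ["cn=${SUBJECT.CN}"],
]
REGISTRATION_RULES = ["cn=${SUBJECT.CN}", "email=${SUBJECT.E}", "o=${SUBJECT.O}"]


def expand(template: str, cert_attrs: Dict[str, str]) -> Optional[str]:
    """Substitute every ${NAME} with certificate attribute NAME.

    Returns None when any referenced attribute is absent or empty, so that a
    rule such as cn=${SUBJECT.CN} can never degrade into matching cn=""."""
    missing = False

    def substitute(m) -> str:
        nonlocal missing
        value = cert_attrs.get(m.group(1), "")
        if value == "":
            missing = True
        return value

    result = PLACEHOLDER.sub(substitute, template)
    return None if missing else result


def expand_conditions(conditions: List[str], cert_attrs: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Turn ["cn=${SUBJECT.CN}", ...] into {"cn": "Ivan Petrov", ...};
    None if any condition cannot be fully expanded."""
    wanted: Dict[str, str] = {}
    for cond in conditions:
        attr, sep, template = cond.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed rule: {cond!r}")
        value = expand(template, cert_attrs)
        if value is None:
            return None
        wanted[attr.strip()] = value
    return wanted


def match_account(alternatives, cert_attrs, store) -> Tuple[str, Optional[Dict[str, str]]]:
    """Try each alternative in order. Returns ("matched", account),
    ("ambiguous", None) when an alternative selects several accounts (the
    login must be refused, not guessed), or ("not_found", None)."""
    for conditions in alternatives:
        wanted = expand_conditions(conditions, cert_attrs)
        if wanted is None:
            continue  # certificate lacks an attribute this alternative needs
        hits = [acc for acc in store
                if all(acc.get(attr) == value for attr, value in wanted.items())]
        if len(hits) == 1:
            return "matched", hits[0]
        if len(hits) > 1:
            return "ambiguous", None
    return "not_found", None


def build_account(rules, cert_attrs) -> Dict[str, str]:
    """Fill new-account attributes from the certificate (registration rules).
    Attributes whose certificate source is missing are simply left out."""
    account: Dict[str, str] = {}
    for rule in rules:
        attr, _, template = rule.partition("=")
        value = expand(template, cert_attrs)
        if value is not None:
            account[attr.strip()] = value
    return account


def login_decision(cert_attrs, store=USER_STORE, allow_registration=True):
    """Outcome of an e-signature login: ("login", account),
    ("register", prefilled attributes) or ("reject", None)."""
    status, account = match_account(MATCH_RULES, cert_attrs, store)
    if status == "matched":
        return "login", account
    if status == "not_found" and allow_registration:
        return "register", build_account(REGISTRATION_RULES, cert_attrs)
    return "reject", None


if __name__ == "__main__":
    print(login_decision(CERT_ATTRS))
    print(login_decision({"SUBJECT.CN": "Ivan Petrov"}))
    print(login_decision({"SUBJECT.CN": "Olga Ivanova", "SUBJECT.E": "olga@example.com"}))
```

Running the module shows the three outcomes: the full certificate matches exactly one account, a certificate with only a common name hits two accounts under the fallback rule and is rejected, and an unknown user gets a registration form prefilled from the certificate.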

[Figure: electronic signature login settings in the Admin console (dsg_prop_en.png)]

Using and updating the plug-in

A special plugin, Blitz Smart Card Plugin, must be installed on users’ computers for e-signature login to work. When logging in by e-signature for the first time, the user is prompted to install the plugin: after downloading and running the file, the user goes through all the steps of the plugin installer. On subsequent logins from the same device the plugin does not need to be installed again.

Blitz Identity Provider comes with a version of the plugin that allows you to work with electronic signatures as an authentication method.

If you need to update the Blitz Smart Card Plugin version, replace the plugin distribution packages. They are located in the assets directory of the Blitz Identity Provider installation, inside the assets.zip archive, whose structure is as follows:

plugins/sc/deb/BlitzScPlugin.deb
plugins/sc/rpm/BlitzScPlugin.rpm
plugins/sc/win/BlitzScPlugin.msi
plugins/sc/mac/BlitzScPlugin.pkg
plugins/sc/mac/BlitzScPlugin-10.14.pkg
...

Unzip the assets.zip archive, replace the plugin distribution files with the new versions (keeping the same paths and file names), and zip the files back into assets.zip.
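The unzip, replace and re-zip step above can be done without touching any other entry in the archive. The following is an added example, not part of Blitz Identity Provider, that rewrites assets.zip in place using only the Python standard library. It assumes the entry names listed above, that the operator has the expected SHA-256 of each new package from an out-of-band source (the digest in the demo is computed from the constructed file itself, which a real deployment must not do), and that a package is only accepted for an entry that already exists in the archive, so a typo cannot add a stray file. The sample archive built by `build_sample_assets` is constructed placeholder data.

```python
import hashlib
import os
import tempfile
import zipfile
from typing import Dict, List

# Entry names exactly as listed in the assets.zip structure above.
PLUGIN_ENTRIES = {
    "plugins/sc/deb/BlitzScPlugin.deb",
    "plugins/sc/rpm/BlitzScPlugin.rpm",
    "plugins/sc/win/BlitzScPlugin.msi",
    "plugins/sc/mac/BlitzScPlugin.pkg",
    "plugins/sc/mac/BlitzScPlugin-10.14.pkg",
}


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_plugin_entry(name: str) -> bool:
    return name in PLUGIN_ENTRIES


def replace_entries(archive: str, replacements: Dict[str, str],
                    expected_sha256: Dict[str, str]) -> List[str]:
    """Rewrite `archive` so that each entry in `replacements` (entry name ->
    local file) carries the new package; every other entry is copied
    byte for byte. Each new package must hash to the digest supplied in
    `expected_sha256` (assumed to come from the vendor), otherwise nothing
    is changed. Returns the replaced entry names."""
    for name, path in replacements.items():
        if not is_plugin_entry(name):
            raise ValueError(f"not a plugin entry: {name}")
        if sha256_file(path) != expected_sha256.get(name):
            raise ValueError(f"digest mismatch for {path}")
    tmp = archive + ".tmp"
    with zipfile.ZipFile(archive) as src, \
            zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        absent = set(replacements) - set(src.namelist())
        if absent:
            raise ValueError(f"entries missing from archive: {sorted(absent)}")
        for info in src.infolist():
            if info.filename in replacements:
                dst.write(replacements[info.filename], arcname=info.filename)
            else:
                dst.writestr(info, src.read(info))
    os.replace(tmp, archive)  # swap in only once the new archive is complete
    return sorted(replacements)


def read_entry(archive: str, name: str) -> bytes:
    with zipfile.ZipFile(archive) as z:
        return z.read(name)


def build_sample_assets(directory: str) -> str:
    """Constructed stand-in for the shipped assets.zip: placeholder bytes under
    the documented paths plus one unrelated entry that must survive untouched."""
    path = os.path.join(directory, "assets.zip")
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as z:
        for name in sorted(PLUGIN_ENTRIES):
            z.writestr(name, f"old {os.path.basename(name)}".encode())
        z.writestr("other/readme.txt", b"unrelated asset")
    return path


def demo() -> Dict[str, object]:
    """Replace the Windows package in a sample archive and report the result."""
    with tempfile.TemporaryDirectory() as work:
        archive = build_sample_assets(work)
        new_msi = os.path.join(work, "BlitzScPlugin.msi")
        with open(new_msi, "wb") as f:
            f.write(b"new msi build (constructed)")
        entry = "plugins/sc/win/BlitzScPlugin.msi"
        # Demo only: in real use the digest comes from the vendor, not the file.
        replaced = replace_entries(archive, {entry: new_msi},
                                   {entry: sha256_file(new_msi)})
        with zipfile.ZipFile(archive) as z:
            names = sorted(z.namelist())
        return {
            "replaced": replaced,
            "msi": read_entry(archive, entry),
            "deb": read_entry(archive, "plugins/sc/deb/BlitzScPlugin.deb"),
            "readme": read_entry(archive, "other/readme.txt"),
            "names": names,
        }


if __name__ == "__main__":
    print(demo())
```

For a real update, call `replace_entries` on the assets.zip from the installation with the downloaded packages and their published digests; the archive is written to a temporary file first and swapped in atomically, so an interrupted run leaves the original assets.zip intact.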