PKI bridge configuration
The PKI bridge is an interface between the MobileFirst Server and a business' public key infrastructure (PKI). Each realm definition that uses the WorklightCertificateAuthenticator must have a PKI bridge defined in its configuration.
User certificate identity versus standard MobileFirst user identity
The standard MobileFirst user identity contains basic user details and is built after a user realm is authenticated. The identity contains user name, display name, and extra attributes. The identity can be requested for each realm in a security test by authenticated resources, such as an adapter. For user certificate authentication, more details might be required, such as device ID and application name. These details are provided in the user certificate identity object that is sent to the PKI bridge.
A user certificate identity instance contains the following elements:
- Standard MobileFirst user identity
  - User name
  - Display name
  - Attributes
- Device ID
- Application name
Custom PKI bridge interface
A custom PKI bridge can be implemented by extending the com.org.auth.ext.UserCertificatePKIBridge abstract class. The API for the PKI bridge abstract class can be found at UserCertificatePKIBridge.
- Embedded PKI bridge: The embedded PKI bridge is an included PKI bridge that can be used with user certificate authentication. The embedded PKI bridge is available with the com.worklight.core.auth.ext.UserCertificateEmbeddedPKI class name and is configured by adding parameters to the realm definition.
- External/adapter-based PKI bridge: The adapter-based PKI bridge is an included PKI bridge that can be used with user certificate authentication. The adapter-based PKI bridge is available with the com.worklight.core.auth.ext.UserCertificateAdapterBasedPKI class name, and is configured by adding parameters to the realm definition. An adapter is required for this PKI bridge to work, and must be uploaded before any user connects with this configuration. The adapter-based PKI bridge is useful if the PKI can be accessed with an adapter (such as a REST API).
- Custom PKI bridge: A custom PKI bridge can be implemented by extending the com.org.auth.ext.UserCertificatePKIBridge abstract class.
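The following is an added example, not IBM's code and not taken from this page, of the two decisions a custom PKI bridge has to make with the user certificate identity described above: what subject the CA should certify for a user, device and application, and which identity to trust when a client later presents a certificate. Because the abstract method signatures of UserCertificatePKIBridge are not shown on this page, the class is stand-alone rather than extending it; the class name, the method names subjectFor and identityFrom, the nested UserCertificateIdentity stand-in, and the assumption that the trusted CA certificate arrives through a realm parameter are all hypothetical.

```java
import java.security.GeneralSecurityException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

/**
 * Illustrative PKI bridge logic (added example, not IBM code). A real bridge
 * extends com.worklight.core.auth.ext.UserCertificatePKIBridge; since the
 * abstract method signatures are not given on the page, this class is
 * stand-alone and its two public methods are hypothetical entry points.
 */
public final class DeviceScopedPkiBridgeExample {

    /** Stand-in for the user certificate identity object described on the page. */
    public static final class UserCertificateIdentity {
        public final String userName;
        public final String displayName;
        public final Map<String, String> attributes;
        public final String deviceId;
        public final String appName;

        public UserCertificateIdentity(String userName, String displayName,
                Map<String, String> attributes, String deviceId, String appName) {
            this.userName = userName;
            this.displayName = displayName;
            this.attributes = Collections.unmodifiableMap(new HashMap<>(attributes));
            this.deviceId = deviceId;
            this.appName = appName;
        }
    }

    /** CA certificate the bridge trusts (assumed to be supplied by a realm parameter). */
    private final X509Certificate issuerCa;

    public DeviceScopedPkiBridgeExample(X509Certificate issuerCa) {
        this.issuerCa = issuerCa;
    }

    /**
     * Subject the CA should certify for this identity. Device ID and application
     * name become separate RDNs so the certificate is bound to one user on one
     * device for one application, not merely to a user name. Rdn.escapeValue
     * guards against identity fields that contain DN metacharacters.
     */
    public static String subjectFor(UserCertificateIdentity identity) {
        requireNonBlank("user name", identity.userName);
        requireNonBlank("device ID", identity.deviceId);
        requireNonBlank("application name", identity.appName);
        return "CN=" + Rdn.escapeValue(identity.userName)
             + ",OU=" + Rdn.escapeValue(identity.deviceId)
             + ",O=" + Rdn.escapeValue(identity.appName);
    }

    /**
     * Rebuild the identity from a certificate the client presented. The
     * certificate is trusted only if it is within its validity period, was
     * signed by the bridge's CA, and carries all three RDNs written by subjectFor.
     */
    public UserCertificateIdentity identityFrom(X509Certificate cert)
            throws GeneralSecurityException, InvalidNameException {
        cert.checkValidity(new Date());
        if (!cert.getIssuerX500Principal().equals(issuerCa.getSubjectX500Principal())) {
            throw new CertificateException("certificate was not issued by the bridge CA");
        }
        cert.verify(issuerCa.getPublicKey());

        String cn = null, ou = null, o = null;
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName(X500Principal.RFC2253));
        for (Rdn rdn : dn.getRdns()) {
            String value = String.valueOf(rdn.getValue());
            switch (rdn.getType().toUpperCase()) {
                case "CN": cn = value; break;
                case "OU": ou = value; break;
                case "O":  o = value;  break;
                default:   break;
            }
        }
        if (cn == null || ou == null || o == null) {
            throw new CertificateException("subject lacks user, device or application RDN");
        }
        // Display name and attributes are not carried in the certificate; the
        // caller fills them from the dependent user realm.
        return new UserCertificateIdentity(cn, cn, new HashMap<>(), ou, o);
    }

    private static void requireNonBlank(String field, String value) {
        if (value == null || value.trim().isEmpty()) {
            throw new IllegalArgumentException(field + " is required for certificate issuance");
        }
    }
}
```

The point of encoding device ID and application name in the subject, rather than only the user name, is that a certificate obtained on one device for one application does not authenticate the same user from elsewhere; a bridge that issues on user name alone loses that binding. The verification side deliberately checks issuer and signature before reading any subject field, so an unsigned or foreign certificate never yields an identity.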
Parent topic: User certificate authentication on the server