Understanding HxGN EAM flow - HxGN EAM - Version 11.07.01 - Feature Briefs - Hexagon

HxGN EAM Certificate-Based Client Authentication

Search by Category
Feature Briefs
HxGN EAM Version

An HxGN EAM administrator must create a user record for each user in his/her organization prior to turning on or enabling client authentication. After the administrator creates the user records, client authentication can be enabled as previously outlined.

When a user performs a browser login, before accessing the application login page, the user is presented with a dialog popup box by the browser to select a specific, personal certificate to use for authentication. If the user does not own any personal certificates, no application page is loaded (the browser will supply a bad SSL connection error). After the user selects their personal certificate to use to authenticate with the application, a login attempt is made with that specific certificate.

If the certificate has already been linked to a specific user, the login request processes without issue and the user is logged in. If the certificate has not been linked to a specific user, the user is presented with the application login page and the following message:

"Client authentication credentials not found. First time manual login is required."

The user must log in with a username and password. After successful login, the client certificate is linked to this user (as defined by the CAETYPE install parameter value), and the user expiration and user password expiration dates are set to 2099 (the certificate manages user expiration values). The user receives a confirmation message:

"Client authentication was successfully linked to your user."

If the user selects a certificate other than the one already linked with their user account, they will again be presented with the login screen in the scenario described above. After successful login, the new certificate overwrites the old certificate value without warning, discarding any association with the old certificate.

The user can also access the My Account screen in the application, and click the Unlink Certificate button to remove their association with their current certificate.

  • This circumvents the need for an administrator to remove the user’s associated certificate.

  • Once the user removes the link to their certificate, the next time the user accesses the application, the user follows the flow as described in the section above for a first-time login.

If the user attempts to access an application login page without using HTTPS, the user receives an error message:

"Client authentication was not successful."

If the user is a caller/portal user, the flow follows a normal application user. However, if a certificate needs to be unlinked for caller/portal user, a system administrator must log in to the main application and blank out the External Contact ID/External Caller ID value.