Version: 4.42

How to define domain access for sites using a centralized authentication gateway

Overview

This guide explains how to configure mapped sites to control certificate use in services that authenticate through a centralized authentication gateway. It is useful for administrators who need to define which services fall under Redtrust's control, since without this configuration access through the gateway is automatically allowed and not recorded.

Context

Some centralized authentication gateways, such as AOC's VÀLid in Catalonia or Izenpe's Giltza in the Basque Country, provide access to multiple public administration services. When a user authenticates with a digital certificate through one of these gateways, the gateway issues an opaque token: a random string that contains no information about the destination service. The Redtrust agent detects certificate use at the gateway domains, but cannot determine which destination service that authentication corresponds to.

By configuring mapped sites, you tell Redtrust which destination services to associate with gateway authentications. This means that Redtrust's standard policies apply to the mapped destination services: a destination service URL must be explicitly authorized for the user to access it under the identity of the certificate used. This guide uses AOC as the example; the same steps apply to any centralized authentication gateway.

tip

For a conceptual overview of how mapped sites work, see Mapped sites.

For use cases where a desktop application manages certificate authentication rather than a centralized authentication gateway, see How to define domain access using application-based authentication.

Before you start

Before proceeding, make sure you have a Redtrust agent installed and basic configuration set up. If you use a different gateway, replace the AOC gateway domains with the appropriate ones. For example, for Izenpe's Giltza the domains are eidas.izenpe.com and eidas2.izenpe.com.

This guide uses Seu Antifrau (allowed) and Ajuntament de Barcelona (denied) as examples to illustrate a scenario where the same certificate should have access to one AOC-authenticated service but not another. Replace them with the services relevant to your organisation.

Step 1: Configure the AOC gateway site group

The AOC gateway is the authentication entry point. Create a site group for the gateway domains and add the downstream sites you want to control in the Advanced configuration section.

  1. Go to Policies > Sites and click Add site group.
  2. In the Site group name field, enter a relevant name, for example AOC - Gateway.
  3. Add the gateway domains:
    • Enter cert.valid.aoc.cat and click Add.
    • Enter valid.aoc.cat and click Add.
  4. Expand Advanced configuration and, in the Mapped sites field, enter etram.seu-e.cat. Press Enter to confirm.
  5. Click Apply.

Step 2: Add the downstream site group

Create a separate site group for each downstream service you want to allow.

  1. Go to Policies > Sites and click Add site group.
  2. In the Site group name field, enter Seu Antifrau.
  3. Enter etram.seu-e.cat and click Add.
  4. Click Apply.

info

Repeat this step for any other downstream AOC service you want to allow. Any site defined in Mapped sites but not included in any policy will have certificate access blocked. Domains not in the list are automatically allowed and not recorded — Redtrust has no way to evaluate them.

Step 3: Create a policy

Create a policy that includes both site groups.

  1. Go to Policies and click New.
  2. In the General step, enter a name such as AOC - Seu Antifrau and set the priority.
  3. Add the certificate and users in the Certificates and Who? steps.
  4. In the Where step:
    1. Click Add sites, select AOC - Gateway, and click Add.
    2. Click Add sites, select Seu Antifrau, and click Add.
    3. Click Next.
  5. In the When step, select Anytime and click Apply.
  6. In the policy summary, click Accept and Close.

info

For more information on policies and site groups, see Policies.

Step 4: Block access to other AOC services

Any domain added to Mapped sites in the gateway site group but not included in any allow policy is automatically blocked — no deny policy is required.

  1. Go to Policies > Sites, select the AOC - Gateway group, and click Edit.
  2. Expand Advanced configuration and, in the Mapped sites field, enter the domain of the service you want to block (for example, seuelectronica.ajuntament.barcelona.cat). Press Enter to confirm and click Apply.

info

If you want explicit policy entries for an audit trail or for visibility in the policy list, you can create a deny policy instead. Follow the same process as Steps 2–3, but in the General step select Deny in the Action section. Add the gateway site group and the service site group in the Where step, and complete the remaining steps.
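The decision rules that Steps 1–4 rely on (a domain listed in Mapped sites is evaluated against policies, a listed domain with no allow policy is blocked, an unlisted domain is allowed and not recorded, and an optional explicit deny policy also blocks) are modelled below as an added Python example. This is not Redtrust's own code and does not call any Redtrust API; it is a way to predict the decision you should later see in Events. The certificate and user identifiers (cert-alice, alice, bob) and the domain other.example are constructed, and the rule that a lower priority number wins when an allow and a deny policy both match is an assumption, since the guide only says to set a priority.

```python
"""Model of the mapped-sites access decision described in this guide.

Added illustration, not Redtrust code. It encodes the rules the guide states:
a destination in the gateway group's Mapped sites is evaluated against the
policies; a destination that is not listed is allowed and not recorded.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOWED_UNRECORDED = "allowed, not recorded"  # destination not in Mapped sites
    GRANTED = "access granted"                    # mapped and covered by an allow policy
    BLOCKED = "access blocked"                    # mapped, no allow policy (or a deny policy)


@dataclass(frozen=True)
class SiteGroup:
    name: str
    domains: frozenset[str]
    mapped_sites: frozenset[str] = frozenset()  # Advanced configuration > Mapped sites


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                  # "allow" or "deny" (Action in the General step)
    certificates: frozenset[str]  # Certificates step
    users: frozenset[str]         # Who? step
    site_groups: frozenset[str]   # group names added in the Where step
    priority: int = 100           # assumption: lower number is evaluated first


def evaluate(gateway: SiteGroup, groups: dict[str, SiteGroup], policies: list[Policy],
             certificate: str, user: str, destination: str) -> Decision:
    """Decision for one certificate authentication through the gateway."""
    # Not in Mapped sites: Redtrust cannot tell which service the opaque token is for.
    if destination not in gateway.mapped_sites:
        return Decision.ALLOWED_UNRECORDED

    def applies(p: Policy) -> bool:
        # A policy applies when it covers this certificate and user, names the
        # gateway group, and names a group whose domains contain the destination.
        if certificate not in p.certificates or user not in p.users:
            return False
        if gateway.name not in p.site_groups:
            return False
        return any(destination in groups[g].domains
                   for g in p.site_groups if g in groups)

    for policy in sorted(policies, key=lambda p: p.priority):  # assumption: priority order
        if applies(policy):
            return Decision.GRANTED if policy.action == "allow" else Decision.BLOCKED
    # Mapped but covered by no allow policy: blocked without any deny policy (Step 4).
    return Decision.BLOCKED


# Constructed sample reproducing the guide's scenario.
GATEWAY = SiteGroup(
    "AOC - Gateway",
    frozenset({"cert.valid.aoc.cat", "valid.aoc.cat"}),
    mapped_sites=frozenset({"etram.seu-e.cat",
                            "seuelectronica.ajuntament.barcelona.cat"}),
)
GROUPS = {
    GATEWAY.name: GATEWAY,
    "Seu Antifrau": SiteGroup("Seu Antifrau", frozenset({"etram.seu-e.cat"})),
}
POLICIES = [
    Policy("AOC - Seu Antifrau", "allow", frozenset({"cert-alice"}), frozenset({"alice"}),
           frozenset({"AOC - Gateway", "Seu Antifrau"}), priority=10),
]


def decide(destination: str, certificate: str = "cert-alice", user: str = "alice") -> Decision:
    """Scenario from Steps 1-4 without an explicit deny policy."""
    return evaluate(GATEWAY, GROUPS, POLICIES, certificate, user, destination)


def decide_with_explicit_deny(destination: str, certificate: str = "cert-alice",
                              user: str = "alice") -> Decision:
    """Same scenario plus the optional deny policy from the Step 4 note."""
    groups = dict(GROUPS)
    groups["Ajuntament de Barcelona"] = SiteGroup(
        "Ajuntament de Barcelona", frozenset({"seuelectronica.ajuntament.barcelona.cat"}))
    deny = Policy("AOC - Ajuntament (deny)", "deny", frozenset({"cert-alice"}),
                  frozenset({"alice"}), frozenset({"AOC - Gateway", "Ajuntament de Barcelona"}),
                  priority=10)
    return evaluate(GATEWAY, groups, POLICIES + [deny], certificate, user, destination)


if __name__ == "__main__":
    for d in ("etram.seu-e.cat", "seuelectronica.ajuntament.barcelona.cat", "other.example"):
        print(f"{d}: {decide(d).value}")
```

Running the module prints one line per destination; the third line shows the case the guide warns about in Step 2: a service that is never added to Mapped sites is simply allowed and leaves no event, so a domain missing from the list is a visibility gap rather than a block.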

Verification

With the Redtrust agent running, authenticate through the gateway to each service you configured. Then go to Events in the admin console and confirm that the allowed site shows an access granted entry and the denied site shows an access blocked entry.