Requires 4 steps:
- Create a Web Login page enabled as SAML IdP
-- Set Vendor Settings to "Single Sign-On - SAML Identity Provider"
-- Set Client Certificate to "Required - require a client certificate from the user"
-- Set Authentication to "Certificate Only - no username or password required"
- Run the Certificate/Two-Factor Authentication for ClearPass Application Login service template to create the appropriate services
-- Select the Applications for which you want to enable certificate authentication
-- Select the Authentication Source (though this won't be used if you're only using certificates)
-- Select the IdP page you created above
-- Specify the enforcement details (essentially you're mapping certificate attributes to operator privileges). You can tweak these later by editing the appropriate Enforcement Profile
- In Configuration > Identity > Single Sign-On (SSO)
-- Set the IdP URL to your Web Login page (e.g. https://<CPPM>/guest/idp.php)
-- Ensure SSO is enabled for the applications you want
- Add the root/issuer of your client certificates to Administration > Certificates > Trust List
I would suggest just enabling SSO for Insight as a starting point. You can then test by browsing to https://<CPPM>/insight. This prevents locking yourself out of the Policy Manager or Guest until you have the workflow down. If you've done everything correctly, when you hit the Insight page, you'll be redirected to the Web Login page which will prompt for a client certificate. Select your client cert and submit. The client cert should be accepted as your credential and you should be logged into Insight.
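As an added example (not part of the post above, and not ClearPass code), the following shell script uses the openssl CLI to build a throwaway root CA and client certificate, then checks the two things the workflow above depends on: that the client cert chains to the issuer you put in the Trust List, and which subject attributes are available for the Enforcement Profile mapping. It assumes openssl is installed; every name, subject and path in it is a constructed test value.

```sh
#!/bin/sh
# Added example: throwaway PKI to exercise the trust-list check and the
# attribute mapping described above. Assumes the openssl CLI is present.
# "Test Client Root CA", "alice", "NetAdmins" etc. are constructed values.
set -eu

WORK="${TMPDIR:-/tmp}/cppm-cert-demo.$$"

# Build a test root CA (stands in for the issuer added to the Trust List),
# a client cert signed by it, and an unrelated CA for the negative case.
make_test_pki() {
    mkdir -p "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Test Client Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    # Subject fields here are the attributes ClearPass can match on later
    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=Example Corp/OU=NetAdmins/CN=alice" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/client.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -out "$WORK/client.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Some Other CA" \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
}

# verify_client_cert <trust-list CA pem> <client cert pem>
# Exit 0 if the client cert chains to that CA, non-zero otherwise. This is the
# same decision the Trust List makes: a cert from an issuer not in the list is
# rejected before any username/attribute mapping happens.
verify_client_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# client_cert_attributes <client cert pem>
# Print the subject in RFC 2253 form (e.g. CN=alice,OU=NetAdmins,O=Example Corp);
# these are the values you would map to operator privileges.
client_cert_attributes() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Demo run: positive case against the right CA, negative case against another.
make_test_pki
if verify_client_cert "$WORK/root.pem" "$WORK/client.pem"; then
    echo "client.pem chains to the trust-list CA; attributes available for mapping:"
    client_cert_attributes "$WORK/client.pem"
else
    echo "client.pem NOT trusted: issuer is missing from the trust list" >&2
fi
if verify_client_cert "$WORK/other.pem" "$WORK/client.pem"; then
    echo "unexpected: an unrelated CA accepted the client cert" >&2
else
    echo "client.pem rejected against an unrelated CA, as a missing Trust List entry would be"
fi
```

If the negative case ever succeeds against a CA you did not intend to trust, that is the point to revisit the Trust List before enabling SSO beyond Insight.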