Hi Chirag,
Can you expound on what you mean by "sharing the same attribute details"? X509
Direct grant relies on mutual TLS, i.e. a client certificate to find a unique user, so
having more than a single user associated with the same certificate will cause an
authentication error.
________________________________________
From: keycloak-user-bounces(a)lists.jboss.org [keycloak-user-bounces(a)lists.jboss.org] on
behalf of Chirag Unnadkat [Chirag.Unnadkat(a)cerillion.com]
Sent: Monday, June 3, 2019 10:35 AM
To: Chirag Unnadkat; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] X509 Direct Grant with client certificate
Hi,
Has anyone else faced a similar issue, and/or managed to resolve something similar?
Kind Regards,
Chirag Unnadkat
Business Analyst
Cerillion plc
E. chirag.unnadkat(a)cerillion.com
T. 0207 9276029
W. www.cerillion.com
Addr. 25 Bedford Street, London, WC2E 9ES, UK
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org>
On Behalf Of Chirag Unnadkat
Sent: 28 May 2019 16:03
To: keycloak-user(a)lists.jboss.org
Subject: Caution -Identified as Possible Scam - [keycloak-user] X509 Direct Grant with
client certificate
Hi,
Is it possible to pass the same client certificate in a token request with different login
credentials?
My current setup doesn't seem to allow this and I can't find any documentation
saying this is not possible.
I have configured an X509 Direct grant flow using X509/Validate Username (X.509 Config).
This is configured to take the Subject's Common Name, with the attribute "NAME".
I have configured a trust store with 1 certificate (want to share this across users). When
I add the Subject Common Name to user 1's attribute, they then require the key pair to
generate a token, however once I share the same attribute details to user 2, both user 1
and 2 stop working. Maybe I am missing some configuration that will allow my users to
share the same certificate.
I ideally do not want to have one certificate per user as this will get out of hand to
manage, as the population of the realm increases.
Kind Regards,
Chirag Unnadkat
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
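
Added example, not part of the original thread and not Keycloak's own code: a small Python model of the unique certificate-to-user lookup described in the reply, plus an audit helper that lists attribute values held by more than one user. The user records, the sample subject DNs and all function names are constructed for illustration; only the attribute name "NAME" comes from the thread.

```python
import re
from collections import defaultdict

# Constructed sample data: user records carrying the custom attribute "NAME"
# that the thread maps the certificate's Common Name to.
USERS = [
    {"username": "user1", "attributes": {"NAME": ["shared-client"]}},
    {"username": "user2", "attributes": {"NAME": ["shared-client"]}},
    {"username": "user3", "attributes": {"NAME": ["user3-client"]}},
]


class AmbiguousCertificate(Exception):
    """More than one user matches the identity taken from the certificate."""


def common_name(subject_dn):
    """Return the first CN value from a comma-separated subject DN string."""
    match = re.search(r"(?:^|,)\s*CN=([^,]+)", subject_dn, re.IGNORECASE)
    if not match:
        raise ValueError("subject DN has no CN component")
    return match.group(1).strip()


def resolve_user(subject_dn, users, attribute="NAME"):
    """Model of a unique lookup: exactly one user may carry the CN."""
    cn = common_name(subject_dn)
    matches = [u["username"] for u in users
               if cn in u.get("attributes", {}).get(attribute, [])]
    if len(matches) > 1:
        raise AmbiguousCertificate(f"{cn!r} maps to {matches}")
    return matches[0] if matches else None


def colliding_values(users, attribute="NAME"):
    """Audit helper: attribute values held by more than one user."""
    owners = defaultdict(list)
    for u in users:
        for value in u.get("attributes", {}).get(attribute, []):
            owners[value].append(u["username"])
    return {v: names for v, names in owners.items() if len(names) > 1}


if __name__ == "__main__":
    print(colliding_values(USERS))
    print(resolve_user("CN=user3-client,O=Example", USERS))
```

Running the audit over an export of realm users before enabling the flow shows which accounts would fail because they share a mapped value.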