We’re currently evaluating the product for implementation for a environment that falls under FISMA/NIST 800-53. They have a few IA requirements that all relate to Multi-factor Authentication/PKI (PIV) for non-privileged and privileged accounts (IA-2) (as well as requirements around acquisition of technology SA-4 (10)).
Would like to see a feature that would allow us to “trust” one or more PKI certificate authorities for user authentication. Ideally we could import the Root CA’s and Sub-CA’s, and then type in a field that would map to the same extension used by Active Directory for mapping user accounts (UPN).
This would need to support OCSP and CRL’s to verify that credentials have not been revoked.
Ideally we would be able to completely remove username and password authentication. LDAP for account verification is still desirable for mapping to groups that would map to permissions.
Let me know if there are other questions about this enhancement request.