### Problem we're trying to solve Add support for Smartcard (CaC) authentication via LDAP. + All major browsers support Smartcard authentication by forwarding the Smartcard certificate to the requested web server. https://help.ubuntu.com/community/CommonAccessCard#Firefox + NGINX can be configured to forward a `ssl_client_certificate` from an attempted Smartcard authentication http://geocentlabs.com/configure-nginx-for-ssl-with-dod-cac-authentication-on-centos-6-3/ GitLab could retrieve the Smartcard certificate from the request headers and verify this against a certificate stored in Active Directory (via LDAP). ### Additional information See mediawiki implementation: https://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Smartcard_Configuration_Examples Adding to this issue to include any kind of access tokens (whether it be Smartcard authentication or PKI-based browser certs). ### Proposal First iteration: * Authenticating with a card with a single certificate, mapped to a single user. Create user if not found, or login with existing credentials if found. * GitLab authentication only, no LDAP in this iteration. * Omnibus package only. We'll need additional issues for multi user/cert, LDAP, and other distros. //cc @dblessing ____________ ZD: https://gitlab.zendesk.com/agent/tickets/28048 SFDC links: https://gitlab.my.salesforce.com/0016100000W3JGF?srPos=0&srKp=003 https://gitlab.my.salesforce.com/0016100000SEhmS?srPos=0&srKp=003 https://gitlab.my.salesforce.com/0066100000JadmW https://gitlab.my.salesforce.com/0066100000JYhNZ https://gitlab.my.salesforce.com/0066100000LOwJN https://gitlab.my.salesforce.com/0066100000LNBNL https://gitlab.my.salesforce.com/0066100000LOkuy https://gitlab.my.salesforce.com/0066100000KPun9 https://gitlab.my.salesforce.com/0066100000KxlKp