Given a user with a valid CAC or PIV certificate
When the user attempts to sign in
Then the user's PKI certificate should be used to authenticate the user
and the official CRL (certificate revocation list) should be checked
and the user's status within the business's directory server should be checked
Note: take a look at PKI JS as a possible support library for this. Classically this issue has been exceedingly difficult to implement reliably because of restrictions on server configuration. If this can be handled securely and in a contained manner in the front end, by digitally signing a session-bound, CSRF-protected challenge using PKI, that would be preferable to binding implementations to a single department or agency's current practice.