This module allows users to log into your site securely without usernames and passwords. It uses digital/identity certificates users have imported into their browsers as part of a public key infrastructure (PKI). The certificates can be generated by Drupal's PKI Registration Authority module or any other registration authority (RA) / certification authority (CA).

When a Drupal page is accessed via HTTPS the module checks for certain environmental variables that contain the user's unique information, such as an email address. Depending on the settings it then logs the user in or, if enabled, creates a new account.


  • Automatic account creation
  • Login link on access denied page (403) (D7)
  • Current login override (D7)
  • Using authmap to log in with multiple certificates
  • Automatic setting of a role for created users (D7)
  • Allows you to restrict certificate logins to users whose certificates were issued by a particular CA. If enabled, each certificate is cryptographically verified to ensure that its CA matches the configured one. (D8)
  • As the cryptographic library used for verification checking was implemented as a plug-in (phpseclib by default), other libraries can be used as well. (D8)

Drupal 7

This module makes no schema changes to your database.

Drupal 8

At the time of this writing, the Drupal 8 version does not have all of Drupal 7's features. Please open issues for anything missing that you'd like to see. Patches welcome!

General notes

Please see the documentation for further details.

Supporting organizations: 
Drupal 8 planning, architecture and implementation

Project information