Certificate-based device authentication or user validation in the application

Learn more about how to use certificate-based authentication or user validation in applications.

In some authentication scenarios a user agent is not capable of following authentication redirects to the login service. To work around this limitation of the user agent, you can configure the EAA service to disable authentication or to use an authentication scheme that the user agent handles well. For example, if the user agent supports Basic, you can configure the user-facing authentication mechanism for the application as basic. In these scenarios, enable certificate-based device authentication or certificate-based user authentication on the application for additional security.

Certificate-based device authentication inherits its certificate validation configuration, such as the root certificate authority (CA) bundle and the Online Certificate Status Protocol (OCSP) provider configuration, from the identity provider (IdP) to which the application is assigned. After the application is assigned to an IdP with device certificate authentication enabled, the administrator must still explicitly enable certificate validation on the application if device certificate authentication is also desired for application connections.

You can use device certificate authentication on applications in conjunction with any other user-facing authentication mechanism (none, form, or basic). In addition, the Enterprise Application Access (EAA) service supports certonly, a certificate-based user authentication mechanism for application access. When the user-facing authentication is configured as certonly, the identity obtained from the validated client certificate is used as the user identity for access to the application.
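As an added example, not code from the EAA service or this documentation, the following Go program models the certonly rule: the CA bundle inherited from the IdP is represented by an x509.CertPool, and a user identity is derived only from a client certificate that chains to that pool and is valid for client authentication. The CA name, device name and e-mail address are constructed placeholders, and NewTestCert builds a throwaway test PKI that stands in for the real one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// IdentityFromClientCert applies the certonly rule: a user identity is derived only from a
// client certificate that chains to the trusted roots and is valid for client authentication.
func IdentityFromClientCert(cert *x509.Certificate, roots *x509.CertPool) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("client certificate rejected: %w", err)
	}
	if len(cert.EmailAddresses) > 0 { // prefer the SAN email over the subject CN
		return cert.EmailAddresses[0], nil
	}
	if cert.Subject.CommonName == "" {
		return "", fmt.Errorf("validated certificate carries no usable identity")
	}
	return cert.Subject.CommonName, nil
}

// NewTestCert mints a constructed certificate for the example: a self-signed CA named cn when
// ca is nil, otherwise a client certificate for device cn carrying email as a SAN, signed by ca.
func NewTestCert(cn, email string, ca *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	if ca == nil { // self-signed CA: the parent is the template itself
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		ca, caKey = tmpl, key
	} else { // leaf restricted to client authentication
		tmpl.EmailAddresses = []string{email}
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```

Chain validation alone does not cover revocation: the OCSP provider configuration that the text says is inherited from the IdP corresponds to a separate status check on the validated certificate, which x509.Verify does not perform.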