Enable certificate-based authentication for the IdP

How to enable and configure certificate-based authentication for an identity provider (IdP).

Before you begin

To use this feature, you must add a certificate to EAA from a trusted certificate authority (CA); EAA uses it to validate the client certificate. The client certificate must be installed on the user's device.

If you need to create a new OCSP entry, see Create an online certificate status protocol (OCSP), then return to this procedure.

Note: If you are modifying a previously created identity provider (IdP), changes to the IdP do not take effect until the applications associated with the IdP are deployed.

How to

  1. Log in to the Enterprise Application Access (EAA) Management Portal.
  2. From the top menu bar, click Identity > Identity Provider.
  3. Locate the IdP that you want to enable for certificate-based authentication.
  4. Click the Settings (gear) icon to modify or configure the settings of the identity provider.
  5. In the General Settings, select the Certificate validation setting.
  6. Select the CA certificate issuer that you want to use to validate the end user’s certificate.
  7. In the Certificate identity attribute menu, select the attribute in the certificate for the username.
  8. In the Certificate validation method menu, select either None or OCSP.
    1. If you select OCSP, the Select OCSP field appears.
    2. Select an OCSP from the list.
  9. Optionally, in the Certificate Onboard URL field, enter the URL where the user is redirected if no certificate is provided.
    Note: Leave the Certificate identity is username checkbox unselected.
  10. To save the changes, click Save and exit or Save and go to directories.
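The checks that steps 5 through 8 configure, shown as an added illustration that is not Akamai's or EAA's own code: the presented client certificate is validated against the selected CA issuer, and the username is taken from the chosen certificate identity attribute (here CN or email SAN). The CA and client certificate are constructed inline with Go's crypto/x509; the OCSP revocation check from step 8 is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parent/parentKey; a nil parent makes tmpl self-signed (a root CA).
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced by CreateCertificate always parses
	return cert, key
}

// NewTestPKI builds a constructed CA (stands in for the CA uploaded to EAA) and a client-auth leaf under it with a CN and an email SAN.
func NewTestPKI(caName, cn, email string) (*x509.Certificate, *x509.Certificate) {
	ca, caKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caName},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	client, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		EmailAddresses: []string{email}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, caKey)
	return ca, client
}

// Username validates client against the selected CA issuer (chain, validity period, client-auth usage) and returns the chosen identity attribute ("cn" or "email") as the username.
func Username(trusted, client *x509.Certificate, attr string) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	if _, err := client.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", fmt.Errorf("certificate rejected: %w", err) // wrong issuer, expired, or not a client-auth cert
	}
	if attr == "email" && len(client.EmailAddresses) > 0 {
		return client.EmailAddresses[0], nil
	} else if attr == "email" {
		return "", fmt.Errorf("certificate has no email SAN to use as username")
	}
	return client.Subject.CommonName, nil // attr == "cn"
}
```

A certificate issued by any CA other than the one selected in step 6 fails the chain check and yields no username, which is the behaviour the CA certificate issuer setting exists to enforce.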

Next steps

For the changes to take effect, deploy the identity provider.