Certificate-based authentication in the IdP
Certificate-based authentication is enabled from the Enterprise Application Access (EAA) Management Portal in the identity provider (IdP) general settings.
For certificate-based authentication, the client certificate is validated when the user agent establishes a connection with the EAA service. After the certificate is validated, the configured user-facing authentication mechanism also applies. For example, when configuring the user-facing authentication mechanism for an application, if Form is selected as the application's user-facing authentication mechanism, an end user must also enter their login credentials into the login form after the certificate has been validated.
To use this feature, you must enable certificate-based authentication for an IdP and upload a trusted certificate authority (CA) to validate the end user’s certificate.
When you Enable certificate-based authentication for the IdP, configure these settings:
- Certificate validation: This setting must be selected in order to enable certificate-based authentication for the IdP.
- CA certificate issuer: The CA that will validate the client certificate. To provide a CA, see Add a certificate to EAA.
- Certificate identity attribute: Select the attribute in the certificate that identifies the user.
- Certificate validation method: Used to verify the validity of the certificate and ensure that the certificate has not been revoked. Currently, Online Certificate Status Protocol (OCSP) is supported. This setting is optional.
- Select OCSP: If the Certificate validation method is Online Certificate Status Protocol (OCSP), select an OCSP from the list. To create a new OCSP, see Create an online certificate status protocol (OCSP).
- Certificate Onboard URL: The URL where the end user is redirected if no certificate is presented for authentication.
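The two checks behind the CA certificate issuer and Certificate identity attribute settings, shown with the openssl command line as an added example (this is not EAA code, and the CA, client certificate, user name alice and email address are all constructed here). The script builds a throwaway CA, issues a client certificate to it, verifies that the certificate chains to the trusted CA and not to an unrelated one, and extracts the subject attribute (CN or emailAddress) that would identify the user. Revocation checking is not shown; that is what the OCSP setting adds on top of the chain check.

```shell
#!/bin/sh
# Added example, not part of EAA. Assumes the openssl CLI is installed.
set -eu

WORK="${TMPDIR:-/tmp}/eaa-cert-demo.$$"
trap 'rm -rf "$WORK"' EXIT

# Build a constructed CA and a client certificate whose subject carries the
# attributes an IdP can use as the identity (CN and emailAddress).
setup_pki() {
  mkdir -p "$WORK"
  # Trusted CA: the one that would be uploaded as "CA certificate issuer"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Demo Client CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  # Unrelated CA, to show a certificate from the wrong issuer being rejected
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Other CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" >/dev/null 2>&1
  # Client certificate for the constructed user "alice", issued by the trusted CA
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=alice/emailAddress=alice@example.com" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 1 -in "$WORK/client.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/client.crt" >/dev/null 2>&1
}

# validate_client <client.crt> <ca.crt>
# Succeeds only if the client certificate chains to the given CA and is
# within its validity period. This is the "CA certificate issuer" check.
validate_client() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# identity_attribute <client.crt> <CN|emailAddress>
# Prints the named subject attribute, i.e. the "Certificate identity attribute"
# value the IdP would map to a user.
identity_attribute() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
    | awk -v key="$2" 'sub("^[ \t]*" key "=", "") { print }'
}

setup_pki
if validate_client "$WORK/client.crt" "$WORK/ca.crt"; then
  echo "trusted issuer: user=$(identity_attribute "$WORK/client.crt" CN)" \
       "email=$(identity_attribute "$WORK/client.crt" emailAddress)"
fi
if ! validate_client "$WORK/client.crt" "$WORK/other.crt"; then
  echo "rejected: certificate does not chain to the configured CA"
fi
```

The attribute you select in the IdP has to be one that the issuing CA actually populates and keeps unique per user; a certificate whose chain verifies but whose chosen attribute is empty or shared would pass the issuer check and still fail to map to a single account.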