I2 IdP Profile Managed cards backed by X.509 certificate

From OSIS Open Source Identity Systems


Managed cards backed by X.509 certificate: Create a managed card backed by an X.509 certificate, import it into a selector, and use it at a relying party. (=mbj)

IA to IdP | Description | Acceptable | Not Acceptable
--- | --- | --- | ---
X.509 authentication of IA (NI) | IA uses X.509 certificate issued by IdP to authenticate for managed cards (simple case). | Accept certificate and provide token. Does Microsoft support this? | Anything that involves something more complicated like installation of globally known "root" certificates.
  • X.509 and Kerberos for Authn to IdP (Tony)
  • (NI) How much X.509? Since you always have to register and have an account with an IdP, the simplest way is just for the IdP to issue a client authentication certificate. There doesn't seem to be any need for any universally known CAs or path construction. Proper SSL configuration at the IdP can even make this all automatic. (Eric)
  • I think that Eric's scheme may be the simplest but maybe not the one that will be used mostly by most IdPs... We use X.509 authn in a way where we associate the cert with a user's account thus enabling the IdP to issue a card backed by this cert. In this scheme there is a need to install the root certificate and all the intermediate certificates of the client cert. Axel Nennker
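The two trust models in the comments above (an IdP that issues its own client certificates, and an IdP that maps certificates from an external CA onto user accounts) differ mainly in what the IdP has to hold as trust anchors and intermediates. The following Go program, added here as an illustration and not part of this page or of any OSIS or vendor implementation, builds both setups in memory with the standard library's crypto/x509 and shows the checks an IdP performs on the presented certificate. All CA names, subject names and the fingerprint-to-account registry are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// issue creates a key pair and a certificate for cn. With parent == nil the
// certificate is self-signed (a root); otherwise it is signed by parentKey.
// Hypothetical helper for this example; serials are random and not logged.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 120))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		// A client-authentication leaf: what the selector presents to the IdP.
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyClientCert is the check the IdP runs on the certificate from the TLS
// handshake: chain it to a registered anchor through whatever intermediates
// the client sent, and require the client-authentication extended key usage.
func verifyClientCert(leaf *x509.Certificate, intermediates, anchors []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range anchors {
		roots.AddCert(c)
	}
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// certFingerprint keys the certificate-to-account registry by SHA-256 of the
// DER rather than by subject name, so equal CNs from different CAs cannot collide.
func certFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// IdPIssuedScheme is the simple case from the table (Eric's comment): the IdP
// runs its own client CA, so that CA is its only trust anchor. It returns the
// result for a certificate the IdP issued and for one with the same CN from a
// CA the IdP never registered, which must be rejected.
func IdPIssuedScheme() (own, foreign error) {
	idpCA, idpKey := issue("Example IdP Client CA", true, nil, nil)
	otherCA, otherKey := issue("Some Other CA", true, nil, nil)
	alice, _ := issue("alice", false, idpCA, idpKey)
	impostor, _ := issue("alice", false, otherCA, otherKey)
	anchors := []*x509.Certificate{idpCA}
	return verifyClientCert(alice, nil, anchors), verifyClientCert(impostor, nil, anchors)
}

// ExternalCAScheme is Axel's case: the certificate comes from an external CA
// with an intermediate, and was registered against an account at enrolment.
// Verification fails while only the root is known, succeeds once the
// intermediate is available, and the verified cert resolves to the account.
func ExternalCAScheme() (withoutIntermediate, withIntermediate error, account string) {
	root, rootKey := issue("Example External Root CA", true, nil, nil)
	issuing, issuingKey := issue("Example External Issuing CA", true, root, rootKey)
	bob, _ := issue("bob", false, issuing, issuingKey)
	registry := map[string]string{certFingerprint(bob): "bob"} // constructed enrolment record
	anchors := []*x509.Certificate{root}
	withoutIntermediate = verifyClientCert(bob, nil, anchors)
	withIntermediate = verifyClientCert(bob, []*x509.Certificate{issuing}, anchors)
	if withIntermediate == nil {
		account = registry[certFingerprint(bob)]
	}
	return
}

func main() {
	own, foreign := IdPIssuedScheme()
	fmt.Println("IdP-issued cert:", own, "| foreign cert:", foreign)
	without, with, acct := ExternalCAScheme()
	fmt.Println("external CA without intermediate:", without, "| with intermediate:", with, "| account:", acct)
}
```

The same pools would be handed to a TLS listener via tls.Config's ClientCAs field with ClientAuth set to RequireAndVerifyClientCert, which is the "proper SSL configuration" that makes the check automatic in the IdP-issued scheme. The external-CA run shows the cost Axel describes: the IdP must hold the root, and either it or the client must supply every intermediate, or chain building fails even though the certificate itself is genuine.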