Certificate-based device authentication or user validation in an application

You can use certificate-based device authentication or certificate-based user validation in applications. When a user sends a request to access a web application or connects to an identity provider (IdP) login portal, the web browser sends an HTTP header called the user agent. The user agent string contains information about the user's web browser name, operating system, device type, and other details. These device parameters are used for certificate-based device authentication or user validation: the user agent presents a valid client certificate to authenticate the user's device to the IdP.

In some authentication scenarios a user agent is not capable of following authentication redirects to the login service. To work around this limitation of the user agent, you can configure the EAA service to disable authentication or to use an authentication scheme that the user agent handles well. For example, if the user agent supports Basic authentication, you can configure the user-facing authentication mechanism for the application as Basic. In these scenarios, enable certificate-based device authentication or certificate-based user authentication on the application for additional security.

The certificate-based device authentication inherits certificate validation configuration such as the root certificate authority (CA) bundle and online certificate status protocol (OCSP) provider configuration from the identity provider (IdP) to which the application was assigned. After the application is assigned to an IdP with device certificate authentication enabled, you must explicitly enable certificate validation on the application, if device certificate authentication is also desired for application connections.

While you can use device certificate authentication on applications in conjunction with the other user-facing authentication mechanisms (none, form, or basic), the Enterprise Application Access (EAA) service also supports a certificate-only mode of certificate-based user authentication for application access. When the user-facing authentication is configured as certificate only, the identity obtained from the validated client certificate is used as the user identity for access to the application.
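The validation steps the last two paragraphs describe (chain check against a trusted root CA bundle, validity period, a revocation answer such as the one an OCSP provider gives, and then deriving the user identity from the validated client certificate) as an added, self-contained illustration. This is example code written for this page, not EAA's implementation; the helper names, the constructed CA and leaf certificates, and the `revoked_serials` set standing in for an OCSP response are all assumptions made here. It uses the `cryptography` library.

```python
"""Added example: validate a client certificate against a trusted root CA
bundle and use the identity it carries as the user identity.
Illustrative only; not EAA's code. Helper names are invented here."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

ONE_DAY = datetime.timedelta(days=1)


def _utcnow():
    return datetime.datetime.now(datetime.timezone.utc)


def _new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def make_root_ca(name):
    """Self-signed root CA (stand-in for one entry in the IdP's CA bundle)."""
    key = _new_key()
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    now = _utcnow()
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - ONE_DAY)
        .not_valid_after(now + 365 * ONE_DAY)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_client_cert(ca_key, ca_cert, email, not_valid_before=None, not_valid_after=None):
    """Leaf certificate for one user; the identity is carried in a SAN rfc822Name."""
    key = _new_key()
    now = _utcnow()
    cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, email)]))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_valid_before or now - ONE_DAY)
        .not_valid_after(not_valid_after or now + 30 * ONE_DAY)
        .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(email)]), critical=False)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    return cert


def _validity_window(cert):
    """Timezone-aware (UTC) validity bounds across cryptography versions."""
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    utc = datetime.timezone.utc
    return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)


def validate_client_cert(cert, ca_bundle, revoked_serials=frozenset(), now=None):
    """Return the user identity from a validated client certificate, or raise ValueError.
    `revoked_serials` stands in for the answer an OCSP provider would give."""
    now = now or _utcnow()
    # 1. The issuer must be in the trusted root CA bundle (matched by name first)...
    issuer = next((ca for ca in ca_bundle if ca.subject == cert.issuer), None)
    if issuer is None:
        raise ValueError("issuer is not in the trusted root CA bundle")
    # 2. ...and the leaf signature must verify under that issuer's key: a name match alone is not trust.
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        raise ValueError("certificate signature does not verify against the trusted issuer")
    # 3. Validity period.
    not_before, not_after = _validity_window(cert)
    if not not_before <= now <= not_after:
        raise ValueError("certificate is outside its validity period")
    # 4. Revocation status (OCSP stand-in).
    if cert.serial_number in revoked_serials:
        raise ValueError("certificate has been revoked")
    # 5. Derive the identity: prefer a SAN rfc822Name, fall back to the subject CN.
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        emails = san.get_values_for_type(x509.RFC822Name)
        if emails:
            return emails[0]
    except x509.ExtensionNotFound:
        pass
    cns = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    if not cns:
        raise ValueError("certificate carries no usable identity")
    return cns[0].value


def demo():
    """Constructed scenario: a trusted root, a look-alike untrusted root, and several leaf certs."""
    ca_key, ca_cert = make_root_ca("Example Corp Device Root CA")
    rogue_key, rogue_cert = make_root_ca("Example Corp Device Root CA")  # same name, different key
    bundle = [ca_cert]
    good = issue_client_cert(ca_key, ca_cert, "alice@example.com")
    rogue = issue_client_cert(rogue_key, rogue_cert, "mallory@example.com")
    now = _utcnow()
    expired = issue_client_cert(ca_key, ca_cert, "bob@example.com",
                                not_valid_before=now - 10 * ONE_DAY, not_valid_after=now - ONE_DAY)
    results = {"good": validate_client_cert(good, bundle)}
    for label, leaf, revoked in (("rogue", rogue, ()), ("expired", expired, ()),
                                 ("revoked", good, (good.serial_number,))):
        try:
            validate_client_cert(leaf, bundle, revoked_serials=frozenset(revoked))
            results[label] = "accepted"
        except ValueError as err:
            results[label] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The look-alike root in `demo()` is there to show why the signature check matters: its subject name equals the trusted root's, so an issuer-name lookup alone would accept certificates it issued, while the signature verification rejects them. In a deployment, the bundle and the revocation answer come from the IdP's configuration rather than from in-memory values.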