API Dependencies (Getting Ready)
Because of its nature, the identity service can either substitute for or live alongside your current single- or two-factor authentication system, adding to its security. The identity system is itself a two-factor authentication mechanism (password / PIN + SSL client certificate), but it is extremely inconspicuous and therefore adds very little overhead for the user. Once the certificate is installed on the client and authenticated through identity, it becomes relatively transparent: unless the certificate is flagged, or the user deliberately chooses to enter his identity password / PIN every time, the certificate is used to identify his device and the user walks through as if there were no barriers. There are no tokens and no SMSs; the very device he uses becomes the authentication tool.
The obvious first requirement is that your site runs on HTTPS, and for this you need an SSL server certificate, which identity does not provide. The identity system imposes no additional requirements: you can use any certificate provider and any type of certificate (domain validation, extended validation) that browsers accept.
If you do not wish to, or cannot, spend money on the certificate, you can simply turn to "Let's Encrypt", an emerging certificate authority that not only issues domain-validated certificates for free but also provides various levels of automation for certificate issuance and renewal to make the process more user friendly.
If you are unable to run HTTPS, are unable to import the identity certificates into your trust store, or for any other reason cannot detect identity client certificates, please refer to the HTTP Legacy section, which describes a work-around for such cases.
Recognize identity Issued Client Certificates
An SSL / TLS certificate requires that a trust relationship exist, not just encryption. For this to hold in a mutually authenticated setup, the server needs to trust the certificate authority that issued the client certificate, in the same way that browsers trust the CA that issued the server certificate. While most browsers ship with pretty much all recognized authorities installed, the server side catches up a little more slowly. Additionally, some browsers are buggy and will not return the client certificate unless it is directly signed by a trusted certificate, so it is not enough for the server to contain only the identity root certificate. To be on the safe side, we recommend importing all three identity authority certificates from the chain into your trusted certificate store. Follow the instructions in the Trust Anchors section, where you can also download the certificates, to download and import them.
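The following is an added example, not part of the identity service's documentation: a shell script that builds a constructed three-level CA chain (root, intermediate, issuing CA) plus one client certificate, then shows that the client certificate only verifies against a trust bundle holding all three chain certificates and is rejected when only the root is present. CA names and file names are placeholders; it needs only the openssl CLI and models the server-side verification step, not browser behaviour.

```shell
#!/bin/sh
# Constructed demo chain: root -> intermediate -> issuing CA -> client cert.
# Shows why the server trust store needs the whole identity chain, not just the root.
set -e

# Create a key and CSR. Args: path-prefix subject
mkcsr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Mint a CA certificate. Args: dir name subject [issuer]  (no issuer = self-signed root)
mint_ca() {
  d=$1; n=$2; s=$3; i=${4:-}
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  mkcsr "$d/$n" "$s"
  if [ -z "$i" ]; then
    openssl x509 -req -days 2 -in "$d/$n.csr" -signkey "$d/$n.key" \
      -extfile "$d/ca.ext" -out "$d/$n.pem" 2>/dev/null
  else
    openssl x509 -req -days 2 -in "$d/$n.csr" -CA "$d/$i.pem" -CAkey "$d/$i.key" \
      -CAcreateserial -extfile "$d/ca.ext" -out "$d/$n.pem" 2>/dev/null
  fi
}

# Build root, intermediate, issuing CA, a client cert, and the bundle to import.
build_demo_chain() {
  out=$1
  mint_ca "$out" root "/CN=Demo Identity Root"
  mint_ca "$out" intermediate "/CN=Demo Identity Intermediate" root
  mint_ca "$out" issuing "/CN=Demo Identity Issuing CA" intermediate
  mkcsr "$out/client" "/CN=demo-user-device"
  openssl x509 -req -days 2 -in "$out/client.csr" -CA "$out/issuing.pem" \
    -CAkey "$out/issuing.key" -CAcreateserial -out "$out/client.pem" 2>/dev/null
  # All three chain certificates: this is what the trust store must contain.
  cat "$out/root.pem" "$out/intermediate.pem" "$out/issuing.pem" > "$out/identity-chain.pem"
}

# Does the given trust store accept the client certificate? Exit status 0 = yes.
verify_client() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
  w=$(mktemp -d); build_demo_chain "$w"
  verify_client "$w/identity-chain.pem" "$w/client.pem" && echo "full chain: accepted"
  verify_client "$w/root.pem" "$w/client.pem" || echo "root only: rejected"
fi
```

Run it with the `demo` argument to see both outcomes; the bundle file is the one to point your web server's client-CA setting at.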