A new Credential Management capability (CO-1256) will be central to the support of IdP of Last Resort capabilities (CO-44). This document describes the interaction between Registry Enrollment and IdPoLR credentialing.
- The credentialing process will be CO specific, but the Discovery Service is currently CMP-wide. This will not be suitable for most multi-tenant deployments.
- The actual credentialing process will likely vary according to the requirements of each type of credential plugin.
- Because the Enrollee will not have authenticated yet, they will enter the credentialing process without a valid login session. A token (similar to the enrollment flow tokens used for unauthenticated steps, or possibly the same token) will therefore be required to tie the credentialing step back to the correct petition.
- Credential Identifier Selection could be any of:
  - User self-selected (with availability checks)
  - Auto-assigned via identifier assignment (but at the credentialing step, rather than at CO Person Active status)
  - Selected by the credential plugin
- Is it possible to skip the discovery service when the Enrollee is returned to the Enrollment Flow?
  - Yes, though details depend on the protocol involved.
  - For both SAML and OIDC, redirect the browser to a particular URL.
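The token for the unauthenticated credentialing step needs three properties that are easy to get wrong: it must be unforgeable (so an Enrollee cannot credential someone else's petition), it must expire, and it should be single-use so a leaked link cannot be replayed. The following is an added illustration of one way to meet those requirements; it is not COmanage Registry code, and the petition identifier, plugin name, 15-minute lifetime and in-memory consumed-nonce set are all assumptions made for the example (a real deployment would persist consumed nonces in the database alongside the petition).

```python
# Added example: a single-use, time-limited token that lets an Enrollee re-enter
# the credentialing step without a login session. Not COmanage Registry code;
# petition id, plugin name and TTL are constructed for illustration.
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed: credentialing must complete within 15 minutes


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, petition_id: str, plugin: str, now: float) -> str:
    """Mint a token bound to one petition and one credential plugin.

    The payload is signed with HMAC-SHA256 under a server-side secret, so the
    Enrollee can carry it in a URL without being able to alter it.
    """
    payload = {
        "pid": petition_id,
        "plugin": plugin,
        "exp": int(now) + TOKEN_TTL_SECONDS,
        # Random nonce makes every token unique and lets the server track single use.
        "nonce": secrets.token_hex(16),
    }
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    tag = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def validate_token(secret: bytes, token: str, now: float, consumed: set) -> Optional[dict]:
    """Return the payload if the token is authentic, unexpired and unused.

    On success the nonce is recorded in `consumed` so a second presentation
    of the same token is rejected. Any malformed input yields None.
    """
    try:
        body, tag = token.split(".", 1)
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison: do not leak how many tag bytes matched.
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None
    if now >= payload["exp"]:
        return None  # expired
    if payload["nonce"] in consumed:
        return None  # replayed
    consumed.add(payload["nonce"])
    return payload


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    seen = set()
    tok = issue_token(key, "petition-42", "example_plugin", 1000.0)
    print("first use:", validate_token(key, tok, 1100.0, seen))
    print("replay:", validate_token(key, tok, 1100.0, seen))
```

Validation is order-sensitive on purpose: the signature is checked before the payload is parsed, so untrusted input never reaches the JSON decoder, and the nonce is only marked consumed once every other check has passed.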