Page tree

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  1. The credentialing process will be CO specific, but the Discovery Service is currently CMP-wide. This will not be suitable for most multi-tenant deployments.
  2. The actual credentialing process will likely vary according to the requirements of each type of credential plugin.
  3. Because the Enrollee will not have authenticated yet, they will enter the credentialing process without a valid login session. Use of a token (similar to enrollment flow tokens for unauthenticated steps, or possibly the same token) will be required.
  4. Credential Identifier Selection could be any of
    1. User self selected (with availability checks)
    2. Auto assigned via identifier assignment (but at credentialing step, rather than at CO Person Active status)
    3. Selected by credential plugin
  5. Is it possible to skip the discovery service when the Enrollee is returned to the Enrollment Flow?
    1. Yes, though details depend on the protocol involved.
    2. For both SAML and OIDC, redirect the browser to a particular URL