Hello Experts,
Could you please shed some lights on how the mutual TLS authentication can be configured in the Identity IQ webservice connector?
I could see the client certificate authentication in the webservice connector guide , is it the same as mTLS?
Thanks
In mTLS (=mutual TLS), both the client and the server present their own certificates to each other and verify the identity of each other before establishing a secure connection.
For a HTTPS connection in the Web Service connector . IIQ trusts the server certificate as it is signed by a Certificate Authority which is the Java Truststore (also known as cacerts). This is called TLS authentication.
By enabling Client Certificate Authentication the certificate presented by IIQ should be trusted by the server. All HTTP-messages are signed with the private key and the server verifies it with the CA which signed the certificate (this CA should be in the truststore of the server). This is another TLS authentication.
Server → Client and Client → Server TLS authentication together is called mTLS authentication.
Simple answer:
If you enable Client Certificate Authentication and connecting to a Web Service over HTTPS, you have configured mTLS 
– Remold
great, appreciate your prompt response, I believe just setting up the keys in the application config is enough? I have seen some posts that the header needs to carry the client cert.
Am not seeing a good document on the webservice mTLS , if you have one on how this stuff works, please share.
one more question - can we have “No Auth” and just enable the Client Cert Auth alone?
A quick Google search for a good (and simple) explanation of mTLS results in:
What is mutual TLS (mTLS)?
(by CloudFare, not that SailPoint use CloudFare AFAIK, but the explanation of mTLS is very good).
There is no (better) SailPoint explanation, at least not that I could find.
The header-injection is already handled by the Web Service Connector (in IdentityIQ), so no need to do anything for it.
Regarding No Auth:
mTLS is used to encrypt the data and can also be used as authentication. If NoAuth can be set is dependent on the application running behind the Web Service. Please contact the team/company/owner of the web service what is supported for authentication (for instance if they support Client Certificate authentication. IdentityIQ supports almost all configurations possible for Web Services.
Per connected application agreements must be made on multiple levels between the IdentityIQ Admin/Developer and the ‘to be connected Application’-owner. This include, amongst others, connection protocol, authentication protocol (NoAuth/ClientCert/Basic/Auth/SAML/JWT/etc.), account schema’s, certifiers.
– Remold
@Remold - thank you very much for all your help!
Hello Saravanan, Were you able to get the answer which you were looking for? If yes, it would we great if you could mark that reply as the solution.
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.