7.1 Configuring multiple authentication provider types
By default, SSRP is set up for client certificate derived credentials.
You can additionally configure SSRP to use OpenID Connect derived credentials.
The installation process creates the following websites:
- SSRP – contains configuration for the client certificate-based derived credentials.
  Located in the following folder by default:
  C:\Program Files\Intercede\MyID\SSRP\SSRP
- SSRPOID – allows you to add OpenID Connect authentication.
  Located in the following folder by default:
  C:\Program Files\Intercede\MyID\SSRP\SSRPOID
If you want to allow people to choose between client certificate derived credentials and OpenID Connect derived credentials, configure the SSRPOID website folder for the SSRP web service to use OpenID Connect authentication. You can configure each SSRP website folder for either client certificates or OpenID Connect, but not both. Note, however, that you can include multiple OpenID Connect identity providers in the same SSRP website folder.
Note: In previous versions of the SSRP, the initial page was StartPage rather than Start. If you go to the StartPage URL, you automatically use the page for client certificate-based derived credentials where you insert your PIV card. If you want to use an OpenID provider, or to offer a choice between client certificate-based derived credentials and OpenID Connect derived credentials, you must go to the Start URL instead.
Important: If you have a requirement to issue PIV Derived Credentials in accordance with US Government standard NIST SP-800-157, you must ensure that the PIV Derived Credential profile is not available to users who authenticate with an OpenID Connect identity provider. It is recommended that you assign distinct roles for each credential profile to ensure that client certificate derived credentials are used.