You can configure X.509 certificate authentication to allow clients to authenticate with certificates on their desktop and mobile devices or to use a smart card adapter for authentication. Certificate-based authentication is based on what the user has (the private key or smart card) and what the user knows (the password to the private key or the smart card PIN). An X.509 certificate uses the public key infrastructure (PKI) standard to verify that a public key contained within the certificate belongs to the user. With smart card authentication, users connect the smart card to the computer and enter a PIN.

The smart card certificates are copied to the local certificate store on the user's computer. The certificates in the local certificate store are available to all the browsers running on this user's computer, with some exceptions, and are therefore available to a VMware Identity Manager instance in the browser.

Note:

When certificate authentication is configured and the service appliance is set up behind a load balancer, make sure that the VMware Identity Manager Connector is configured with SSL pass-through at the load balancer and that the load balancer is not configured to terminate SSL. This configuration ensures that the SSL handshake takes place between the connector and the client, so that the client certificate is passed to the connector. If your load balancer is configured to terminate SSL, you can deploy a second connector behind another load balancer to support certificate authentication.

See the VMware Identity Manager Installation and Configuration guide for information about adding a second connector.
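
The pass-through requirement in the note above, shown as an added example that is not part of the VMware documentation. It assumes HAProxy as the load balancer, which the page does not name; the address, port, section names and certificate path are placeholders.

```haproxy
# Added example. HAProxy is an assumed load balancer; the address, port,
# section names and certificate path below are placeholders.

# SSL pass-through: HAProxy forwards the raw TCP stream without decrypting it.
# The TLS handshake, including the client certificate, is completed between
# the user's browser and the connector.
frontend connector_passthrough
    bind :443
    mode tcp
    option tcplog
    default_backend connector_tls

backend connector_tls
    mode tcp
    server connector1 192.0.2.10:443 check

# SSL termination, shown commented out for contrast. Here the handshake ends
# at HAProxy ("ssl crt" on the bind line), so the connector never takes part
# in the handshake with the client and does not receive the client certificate.
#
# frontend connector_terminated
#     bind :443 ssl crt /etc/haproxy/certs/placeholder.pem
#     mode http
#     default_backend connector_reencrypted
#
# backend connector_reencrypted
#     mode http
#     server connector1 192.0.2.10:443 ssl verify required ca-file /etc/haproxy/ca/placeholder-ca.pem
```

In pass-through mode the certificate that clients see is the one installed on the connector, not one held by the load balancer.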