The Identity Applications does not support client certificate-based authentication out-of-the-box. That functionality can be obtained, however, by using NetIQ Access Manager. See your NetIQ representative for more information. See also Enabling Third-Party Authentication and Single Sign-On.
You can configure Identity Manager to work with NetIQ Access Manager using SAML 2.0 authentication. This capability enables using a non-password-based technology to log in to the identity applications through Access Manager. For example, users can log in through a user (client) certificate, such as from a smart card.
Access Manager interacts with One SSO Provider (OSP) in Identity Manager to map the user to a DN in the Identity Vault. When a user logs in to the identity applications through Access Manager, Access Manager can inject a SAML assertion (with the user’s DN as the identifier) into an HTTP header and forwards the request to the identity applications. The identity applications use Proxied Control Authorization to establish the LDAP connection with the Identity Vault, see NetIQ eDirectory Administration Guide. For information on configuring Access Manager to support this capability, refer to the Access Manager documentation.
Accessory portlets that allow single sign-on authentication based on passwords do not support single sign-on when SAML assertions are used for identity application authentication.
For more information about configuring Identity Manager to work with Access Manager, see Using SAML Authentication for Single Sign-on.