When OAM authenticates a new user login, it adds an IdentityAssertion header to the authenticated HTTP request. This IdentityAssertion is a SAML-compliant structure that contains an X.509 certificate.

An X.509 certificate is a data structure that carries a public key, bound to the identity of its holder, to a receiving party. Certificates are issued by certificate authorities (CAs): a CA verifies an entity's identity, grants it a certificate, and signs that certificate with the CA's private key. The CA publishes its own certificate, which includes its public key.

Each network entity keeps a list of the certificates of the CAs it trusts. Before communicating, it uses this list to verify that the signature on another party's certificate was made by a trusted CA. For detailed information on X.509 certificates, refer to RFC 3280, Internet X.509 Public Key Infrastructure Certificate and CRL Profile, on the IETF Web site (RFC 3280 has since been superseded by RFC 5280, which keeps the same certificate model).

You can configure ATG to perform certificate validation using the /atg/userprofiling/oam/OamCertificateVerifier component. When this component is running, ATG extracts the certificate from the IdentityAssertion in the header and uses the trusted key to verify that the certificate, and therefore the HTTP request, is authentic. Without this verification, any client that can reach ATG directly could supply its own IdentityAssertion header, so the verifier should be enabled wherever the header is accepted.
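The trust-list check described above, as an added example in Go that is not ATG's or OAM's code: a CA issues a certificate to the assertion signer, and the receiving side accepts the certificate carried in an assertion only if its signature chains to a CA in its own pool of trusted CA certificates. The certificate is passed as base64-encoded DER, the form SAML uses inside its X509Certificate element; the `issue` helper, the pool, and all subject names are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"math/big"
	"time"
)

// issue creates a constructed certificate: self-signed (a CA root) when parent is nil, otherwise signed by the parent CA's key.
func issue(subject string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// encode renders a certificate as the base64 DER text an assertion carries.
func encode(c *x509.Certificate) string { return base64.StdEncoding.EncodeToString(c.Raw) }

// VerifyAssertionCert parses the certificate from the assertion and accepts it only if its
// signature chains to a CA in trusted, the receiver's list of trusted CA certificates.
func VerifyAssertionCert(certB64 string, trusted *x509.CertPool) (*x509.Certificate, error) {
	der, err := base64.StdEncoding.DecodeString(certB64)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der) // rejects a malformed certificate
	if err != nil {
		return nil, err
	}
	// ExtKeyUsageAny: this certificate signs an assertion, it is not a TLS server certificate.
	// Verify fails on an untrusted issuer, an expired certificate, or a tampered signature.
	_, err = cert.Verify(x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return cert, err
}
```

A self-signed certificate bearing the same subject name as the real signer is rejected just like a certificate from an unknown CA, because trust comes from the issuer's signature, not from the name in the certificate.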


Copyright © 1997, 2014 Oracle and/or its affiliates. All rights reserved.