Derived credential handling overview

Only use the APIs relating to derived credentials if you are developing an app that obtains derived credentials from a derived credential provider and delivers the credentials to the MobileIron client.

A derived credential is derived from the primary credential on a user’s smart card and stored on the user’s mobile device. The derived credential contains X.509 public key identity certificates derived from the primary credential’s identity certificates.

The APIs allow your app to:

Send a derived credential to the MobileIron client.
Receive a request from the MobileIron client to get a new derived credential and deliver it to the MobileIron client.

Besides implementing this derived credential capability, your app must also implement the AppConnect APIs that every AppConnect app needs in order to behave as an AppConnect app.

When your app decides to get a derived credential, for example in response to user interaction, it performs the following high-level steps:

1. Makes sure that the MobileIron client is installed and that it supports derived credentials.
2. Makes sure that sending derived credentials to the MobileIron client is currently allowed.
3. Obtains a derived credential from the derived credential provider.
4. Indicates which certificate in the derived credential is for which kind of use by AppConnect apps. The uses are authentication, signing, and encryption.
5. Sends the derived credential to the MobileIron client.
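The steps above, worked through as an added example that is not code from the MobileIron SDK or from this page. The page does not name the platform or the client API calls, so the example is written in Go with stand-in types: ClientStatus models the answers an app would get for steps 1 and 2, DerivedCredential is an assumed representation of the tagged certificates that step 5 would send, and SampleProviderBundle stands in for the provider in step 3 by constructing three self-signed certificates in memory. The tagging rule in step 4 is also an assumption: a PIV-style layout in which the authentication certificate carries the clientAuth extended key usage, the signing certificate has digitalSignature plus contentCommitment (non-repudiation), and the encryption certificate has keyEncipherment or keyAgreement without digitalSignature. Anything that fails a check, including an expired certificate or a certificate that cannot be tagged, is refused rather than sent.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertUse is the role an AppConnect app would use a certificate for.
type CertUse string

const (
	UseAuthentication CertUse = "authentication"
	UseSigning        CertUse = "signing"
	UseEncryption     CertUse = "encryption"
)

// ClientStatus models the answers to steps 1 and 2. This is an assumed
// shape; the real MobileIron client API is not shown on this page.
type ClientStatus struct {
	Installed                  bool
	SupportsDerivedCredentials bool
	SendingAllowed             bool
}

// DerivedCredential is the assumed representation of what the app hands to
// the MobileIron client in step 5: each certificate tagged with its use.
type DerivedCredential struct {
	Name  string
	Certs map[CertUse]*x509.Certificate
}

// classify maps a certificate to a use from its key-usage extensions.
// Assumption: PIV-style layout (see the lead-in above the code).
func classify(c *x509.Certificate) (CertUse, error) {
	for _, eku := range c.ExtKeyUsage {
		if eku == x509.ExtKeyUsageClientAuth {
			return UseAuthentication, nil
		}
	}
	ku := c.KeyUsage
	switch {
	case ku&x509.KeyUsageDigitalSignature != 0 && ku&x509.KeyUsageContentCommitment != 0:
		return UseSigning, nil
	case ku&x509.KeyUsageDigitalSignature == 0 && ku&(x509.KeyUsageKeyEncipherment|x509.KeyUsageKeyAgreement) != 0:
		return UseEncryption, nil
	}
	return "", fmt.Errorf("certificate %q: no recognised key usage", c.Subject.CommonName)
}

// BuildDerivedCredential performs steps 1, 2 and 4: it refuses when the
// client is missing, lacks support or currently disallows delivery, then
// tags each certificate. derCerts is the provider output from step 3.
func BuildDerivedCredential(st ClientStatus, name string, derCerts [][]byte, now time.Time) (*DerivedCredential, error) {
	if !st.Installed {
		return nil, errors.New("MobileIron client is not installed")
	}
	if !st.SupportsDerivedCredentials {
		return nil, errors.New("MobileIron client does not support derived credentials")
	}
	if !st.SendingAllowed {
		return nil, errors.New("sending derived credentials is not currently allowed")
	}
	dc := &DerivedCredential{Name: name, Certs: map[CertUse]*x509.Certificate{}}
	for _, der := range derCerts {
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			return nil, fmt.Errorf("certificate %q is not valid at %s", c.Subject.CommonName, now.Format(time.RFC3339))
		}
		use, err := classify(c)
		if err != nil {
			return nil, err
		}
		if _, dup := dc.Certs[use]; dup {
			return nil, fmt.Errorf("two certificates tagged for %s", use)
		}
		dc.Certs[use] = c
	}
	for _, u := range []CertUse{UseAuthentication, UseSigning, UseEncryption} {
		if dc.Certs[u] == nil {
			return nil, fmt.Errorf("derived credential is missing its %s certificate", u)
		}
	}
	return dc, nil
}

// SampleProviderBundle stands in for step 3: three self-signed certificates
// constructed here for the example, not real provider output.
func SampleProviderBundle() [][]byte {
	serial := int64(1)
	mk := func(cn string, ku x509.KeyUsage, eku []x509.ExtKeyUsage) []byte {
		key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn},
			NotBefore:    time.Now().Add(-time.Hour),
			NotAfter:     time.Now().Add(24 * time.Hour),
			KeyUsage:     ku,
			ExtKeyUsage:  eku,
		}
		serial++
		der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
		if err != nil {
			panic(err)
		}
		return der
	}
	return [][]byte{
		mk("derived-auth", x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}),
		mk("derived-sign", x509.KeyUsageDigitalSignature|x509.KeyUsageContentCommitment, nil),
		mk("derived-enc", x509.KeyUsageKeyEncipherment|x509.KeyUsageKeyAgreement, nil),
	}
}

func main() {
	st := ClientStatus{Installed: true, SupportsDerivedCredentials: true, SendingAllowed: true}
	dc, err := BuildDerivedCredential(st, "example", SampleProviderBundle(), time.Now())
	if err != nil {
		fmt.Println("not sent:", err)
		return
	}
	for use, c := range dc.Certs {
		fmt.Printf("%-14s %s\n", use, c.Subject.CommonName) // step 5 would deliver dc here
	}
}
```

The ordering of the checks matters: the gating checks in steps 1 and 2 run before any certificate is parsed, so a provider round-trip is never wasted when the client cannot accept the result, and the validity and tagging checks run before delivery so the MobileIron client never receives a credential with a missing or ambiguous use.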

After the MobileIron client has the derived credential, AppConnect apps on the device can use the certificates that comprise the derived credential. Whether the AppConnect apps use the derived credential’s certificates or other certificates depends on configuration settings on the MobileIron server.

Also, at any time, the MobileIron client can request a new derived credential from your app. When that happens, your app repeats the steps above.