Hello Peter,
Very good job!
But there is one thing that comes to my mind:
In the last few days we configured IA for some customers and had the following challenges:
+ Often we use an FQDN like "identity.company.local" for the IA Agent to connect to.
Therefore we import certificates into the Browser Authentication part in the Dashboard, even though Browser Authentication is not really required for IA Agents, right? But this seems to me to be the only plausible location to import a certificate for "identity.company.local", right?
+ When there are multiple certificates imported on a system (MOB/IA/UserCheck), sometimes the IA Agent connects to different portals at random? Mostly the IA Agent shows a fingerprint from the external portals, MOB mostly.
Is this an error made by me, or a general problem?
A customer reported this to me: after policy install, some IA Agents disconnect and show the certificate of the MOB blade.
+ Last night we changed a certificate for "identity.company.local" at a medium-sized customer. He was concerned that hundreds of users might have to manually approve the new fingerprint. We managed this with the "Distributed Configuration Tool". After a reboot or a restart of the IA Agent service, the new fingerprint was loaded successfully.
Still the question remains: what to do in large-scale environments? We cannot expect that all users always reboot their clients; if they wake up after hibernation or something similar, they will be prompted to approve the new fingerprint manually. A nightmare for all helpdesk workers. How to overcome this?
Perhaps you can also deep dive into this, since IA is a user-experience product, and a smooth integration into the Windows ecosystem is a must!
Best regards!