Response verification

After receiving the transaction response from the Session status API call, the following algorithm must be used to decide whether the authentication result is trustworthy and what the identity of the authenticating end user is.

  • result.endResult has the value OK.

  • The certificate from cert.value is valid:

    • The certificate is trusted (signed by a trusted CA).

    • The certificate has not expired.

  • The person’s certificate given in cert.value is of the requested assurance level or higher.

  • The identity of the authenticated person is in the subject field or subjectAltName extension of the X.509 certificate.

  • signature.value is a valid signature over the expected hash that was submitted by the RP (as described in Signature protocols), when verified using the public key from cert.value.

It is strongly recommended to have these steps performed using standard cryptographic libraries.

After successful authentication, the RP must invalidate the user’s old browser or API session identifier and generate a new one.

For further details and security considerations see also the Secure implementation guide.