Silent Certificate Authentication for User Sessions

How to authenticate users (using OIDC) without end users needing to interact with prompts

  • Updated on Feb 13, 2024

Silent Cert Authentication Overview

Historically, Identity Provider (IDP) configurations in Banyan have required that end users accept a certificate prompt when authenticating. For many end users, the default behaviour was to cancel the certificate prompt (thus denying themselves access to anything) or to allow once (instead of selecting “Always allow”), triggering continued certificate prompts with each authentication attempt.

With silent certificate authentication, Banyan silently presents the user authentication certificate, so that end users don’t have to interact with a prompt, creating a smoother login experience. This doc outlines the steps required to configure silent cert authentication for users in your org. Here, we use Okta as an example; but this configuration will work for any IDP that supports OIDC or SAML.

Note: This configuration is only applicable to users logging in on a Mac or Linux device.

Prerequisites

  • Banyan app v3.14+

How silent authentication works

Banyan silently sends the certificate to our cloud services, outside the browser flow. This process requires additional redirect URLs and configurations to be applied to the app.

Note: Silent certificate authentication is only applicable to user authentication; device registration will still send a prompt for a certificate.

Steps to set up silent authentication

Step 1: Add a Portal Redirect URL in Okta

1.1 In your Okta account, create two apps: a Device Registration app, and a Banyan TrustProvider app (the end user login app). In the following steps, the Banyan TrustProvider app configuration will be updated; the Device Registration app, however, will not require any configuration updates.

1.2 In your Banyan TrustProvider app (i.e., the end user login app), navigate from General Settings > Edit > Sign-in redirect URLs. Edit the existing URL by replacing “trust” with “portal” (i.e., enter https://{ORGNAME}.portal.banyanops.com/v2/callback in your IDP’s redirect URL).

Note: Without setting this redirect URL, the device’s end user will continue to see the certificate prompt. See the Troubleshooting section below.

Step 2: Update User Identity Provider Config in Banyan

2.1 In the Command Center, navigate from Settings > Identity and Access > End User, and then select Update User Identity Provider Config.

2.2 Enter https://{ORGNAME}.portal.banyanops.com/v2/callback as your Redirect URL (replacing https://{ORGNAME}.trust.banyanops.com/v2/callback).

Note: Without this Redirect URL, the device will fail to authenticate. See the Troubleshooting section below.

Troubleshooting

End user is still seeing a certificate prompt when authenticating

Verify that the redirect URLs include https://{ORGNAME}.portal.banyanops.com/v2/callback.

End user is seeing “Admin has not setup IDP Correctly”

Verify that the redirect URLs for User Authentication in the Banyan Command Center are set to https://{ORGNAME}.portal.banyanops.com/v2/callback.
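As an added configuration check (not part of Banyan’s documentation or product), the following Python script compares the redirect URLs from Step 1.2 and Step 2.2 against the portal callback pattern and reports which of the two troubleshooting symptoms above a mismatch produces. It also checks the general OIDC requirement that the Command Center redirect URL is registered exactly at the IdP, which goes beyond what the steps state; the org name "acme", the function names and the sample inputs are assumptions.

```python
from urllib.parse import urlparse


def is_portal_callback(url: str, org: str) -> bool:
    """True only if url is exactly https://{org}.portal.banyanops.com/v2/callback."""
    p = urlparse(url)
    return (
        p.scheme == "https"
        and p.netloc == f"{org}.portal.banyanops.com"
        and p.path == "/v2/callback"
        and not p.query
        and not p.fragment
    )


def check_silent_auth_config(org: str, idp_redirects: list[str], banyan_redirect: str) -> list[str]:
    """Return findings; an empty list means Steps 1.2 and 2.2 are both in place.

    idp_redirects   - sign-in redirect URLs registered on the TrustProvider app (Step 1.2)
    banyan_redirect - Redirect URL in the Command Center user IdP config (Step 2.2)
    """
    findings = []
    # Step 1.2 missing: users keep seeing the certificate prompt.
    if not any(is_portal_callback(u, org) for u in idp_redirects):
        findings.append("IdP app lacks the portal callback: users will still see the certificate prompt")
    # Step 2.2 missing: authentication fails with 'Admin has not setup IDP Correctly'.
    if not is_portal_callback(banyan_redirect, org):
        findings.append("Command Center redirect is not the portal callback: 'Admin has not setup IDP Correctly'")
    # OIDC redirect_uri matching is exact, so the Command Center value must be registered verbatim.
    if banyan_redirect not in idp_redirects:
        findings.append("Command Center redirect URL is not registered verbatim at the IdP")
    # Redirect URLs must be https; flag anything else regardless of host.
    for u in [*idp_redirects, banyan_redirect]:
        if urlparse(u).scheme != "https":
            findings.append(f"non-https redirect URL: {u}")
    return findings


if __name__ == "__main__":
    # Constructed sample: the IdP app still carries only the old 'trust' URL.
    old = "https://acme.trust.banyanops.com/v2/callback"
    new = "https://acme.portal.banyanops.com/v2/callback"
    for f in check_silent_auth_config("acme", [old], new):
        print(f)
```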
