Instead of enrolling with a pre-exchanged JWT or a certificate generated by a third-party CA, allow external OIDC providers to be configured to prove an enrollee's identity, and then allow the enrollee to create a certificate authenticator from a CSR. Additionally, allow configuration to dictate whether future authentication requires only the certificate, or the certificate plus a JWT from the IdP.
- allow the configuration of an OIDC provider
- allow the OIDC provider to map claims to attributes (custom or standard)
- allow the restriction of users allowed to enroll based on claims (custom or standard)
- allow a CSR process for certificate generation
- allow configuration of the enrolling identity's authentication policy (certificate, certificate+jwt)
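The five points above are one flow: verify the IdP's ID token, gate enrollment on claims, map claims to attributes, sign the enrollee's CSR, and then enforce the chosen policy on later logins. The following is an added example of that flow, not code from the project this request targets. Everything in it is an assumption for illustration: the `OIDCConfig` shape, the `enroll` and `authenticate` names, the use of EdDSA (Ed25519) ID tokens with a single-string `aud`, and the throwaway IdP key, CA and CSR that `setup` constructs so the example runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// OIDCConfig is the operator-supplied provider configuration (a hypothetical shape, not any project's).
type OIDCConfig struct {
	Issuer, Audience, AuthPolicy string              // AuthPolicy is "cert" or "cert+jwt" for logins after enrollment
	PubKey                       ed25519.PublicKey   // IdP signing key; a real service fetches it from the JWKS endpoint
	ClaimMap                     map[string]string   // claim name -> identity attribute name
	Allow                        map[string][]string // claim name -> values permitted to enroll
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// mintIDToken stands in for the IdP: an EdDSA JWT over the given claims (constructed, not a real IdP).
func mintIDToken(priv ed25519.PrivateKey, claims map[string]any) string {
	h, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	p, _ := json.Marshal(claims)
	signing := b64(h) + "." + b64(p)
	return signing + "." + b64(ed25519.Sign(priv, []byte(signing)))
}

// verifyIDToken pins the algorithm, checks the signature with the configured key, then iss, aud and exp.
// aud is treated as a plain string here; real tokens may carry an array.
func verifyIDToken(cfg OIDCConfig, tok string, now time.Time) (map[string]any, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 { return nil, errors.New("malformed token") }
	var hdr struct{ Alg string }
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "EdDSA" { return nil, errors.New("alg rejected") } // the token never chooses the algorithm
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(cfg.PubKey, []byte(parts[0]+"."+parts[1]), sig) { return nil, errors.New("signature invalid") }
	var claims map[string]any
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(pb, &claims) != nil { return nil, errors.New("bad payload") }
	if claims["iss"] != cfg.Issuer || claims["aud"] != cfg.Audience { return nil, errors.New("iss/aud mismatch") }
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) { return nil, errors.New("expired or no exp") }
	return claims, nil
}

// enroll: verified IdP token -> claim allow-list -> claim-to-attribute mapping -> sign the enrollee's CSR.
// The issued certificate's subject is the token's sub, never whatever the CSR asked for.
func enroll(cfg OIDCConfig, tok string, csrDER []byte, ca *x509.Certificate, caKey ed25519.PrivateKey, now time.Time) (*x509.Certificate, map[string]string, error) {
	claims, err := verifyIDToken(cfg, tok, now)
	if err != nil { return nil, nil, err }
	for claim, allowed := range cfg.Allow {
		v, _ := claims[claim].(string) // string claims only: a bool or array claim never matches and is refused
		ok := false
		for _, a := range allowed { ok = ok || v == a }
		if !ok { return nil, nil, fmt.Errorf("claim %s=%q may not enroll", claim, v) }
	}
	attrs := map[string]string{}
	for claim, attr := range cfg.ClaimMap {
		if v, ok := claims[claim].(string); ok { attrs[attr] = v }
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, nil, err }
	if err := csr.CheckSignature(); err != nil { return nil, nil, err } // enrollee proves possession of the CSR key
	sub, _ := claims["sub"].(string)
	if sub == "" { return nil, nil, errors.New("token has no sub") }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()), Subject: pkix.Name{CommonName: sub}, NotBefore: now,
		NotAfter: now.Add(365 * 24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, attrs, err
}

// authenticate enforces the configured policy on later logins: the cert always, plus a fresh IdP token for the same subject when "cert+jwt".
func authenticate(cfg OIDCConfig, presented *x509.Certificate, tok string, ca *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := presented.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil { return err }
	if cfg.AuthPolicy != "cert+jwt" { return nil }
	claims, err := verifyIDToken(cfg, tok, now)
	if err != nil { return err }
	if claims["sub"] != presented.Subject.CommonName { return errors.New("token subject does not match certificate") }
	return nil
}

// setup builds throwaway IdP and CA keys, a CA cert and an enrollee CSR so the flow runs offline (all constructed).
// The CSR's CN is deliberately "admin" to show that enroll ignores it.
func setup() (cfg OIDCConfig, idpKey, caKey ed25519.PrivateKey, ca *x509.Certificate, csr []byte, now time.Time) {
	now = time.Now()
	idpPub, idpKey, _ := ed25519.GenerateKey(rand.Reader)
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "enrollment-ca"}, NotBefore: now,
		NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	_, enrolleeKey, _ := ed25519.GenerateKey(rand.Reader)
	csr, _ = x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: "admin"}}, enrolleeKey)
	cfg = OIDCConfig{Issuer: "https://idp.example", Audience: "enroll-svc", AuthPolicy: "cert+jwt", PubKey: idpPub,
		ClaimMap: map[string]string{"email": "email", "dept": "department"}, Allow: map[string][]string{"dept": {"platform", "secops"}}}
	return cfg, idpKey, caKey, ca, csr, now
}

// token mints an ID token for constructed user u-123 in the given department, expiring at exp.
func token(cfg OIDCConfig, idpKey ed25519.PrivateKey, dept string, exp time.Time) string {
	return mintIDToken(idpKey, map[string]any{"iss": cfg.Issuer, "aud": cfg.Audience, "sub": "u-123", "email": "alice@example.com", "dept": dept, "exp": exp.Unix()})
}

func main() {
	cfg, idpKey, caKey, ca, csr, now := setup()
	cert, attrs, err := enroll(cfg, token(cfg, idpKey, "platform", now.Add(5*time.Minute)), csr, ca, caKey, now)
	if err != nil { panic(err) }
	fmt.Println("enrolled", cert.Subject.CommonName, attrs, "login:", authenticate(cfg, cert, token(cfg, idpKey, "platform", now.Add(time.Minute)), ca, now))
}
```

Two design points worth noting: the certificate's subject is taken from the verified `sub` claim rather than from the CSR, so an enrollee cannot name itself, and the signing algorithm is fixed by configuration rather than read from the token header. A production service would also fetch keys from the provider's JWKS, accept `aud` arrays, and bind the ID token to the enrollment request (for example via `nonce`) so a token captured elsewhere cannot be replayed to enroll.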