Web Browser Choices and Usage
From GFIPM Implementation Wiki
Within a GFIPM federation, the choice of Web browser is a personal or business decision, made according to personal or corporate preferences and end-user device constraints (e.g., mobile access). Ideally, GFIPM would extend this liberty to all federation users, but in practice this is often not possible. During GFIPM implementations, participants have gained several important insights into the Web browser options that are available to federation users.
- Any Web browser used in GFIPM must support HTTPS (HTTP over TLS) as well as HTTP redirection. All modern browsers can do this, but not all of them are configured to use TLS by default. The issue is relatively easy to solve in the browser (by simply changing the browser's configuration), but it can still cause usability problems, because it typically manifests as a cryptic Web server error that is not easily identifiable as a browser configuration problem. This problem specifically affects Internet Explorer (IE) version 6, which has TLS turned off by default. The simplest workaround is for the user to upgrade to IE version 7, which is configured to use TLS by default. If an upgrade to IE 7 is impossible, users must be given brief instructions on how to modify their IE 6 settings to enable TLS.
- The only other constraints imposed by the GFIPM federation are specific to the limitations of certain applications within the federation. For example, if a specific application requires the use of Internet Explorer (IE) by its users prior to becoming federation-enabled, then it will almost certainly require IE for federation users as well. In these (admittedly rare) instances, users who use the Firefox browser would not be able to access the application.
- Participants may place further constraints on browsers for their own users. For example, CISA requires its users to use IE to authenticate with the CISA client certificate SSO system at CISA's IDP. Because CISA users cannot use Firefox to authenticate to their IDP, they also cannot use Firefox to access federation resources.
- Interoperability problems may arise if the browser required by a user's IDP is Browser X (e.g., IE) and the browser required by an SP that the user wishes to access is Browser Y (e.g., Mozilla Firefox). However, this scenario has not happened yet. Typically, if an application requires a specific browser, the browser required is IE. There are no known instances in the federation in which an application has a browser-specific requirement for a browser other than IE.
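
The first point above notes that a browser with TLS turned off surfaces only as a cryptic Web server error. As an added example (not part of the GFIPM wiki), the Python code below reads the protocol version from the first bytes of a client's handshake so an operator can tell that case apart from other failures. The function names and sample bytes are constructed for illustration, and only the legacy version field of the hello is inspected.

```python
import struct

VERSION_NAMES = {0x0002: "SSL 2.0", 0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
                 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def offered_version(first_bytes: bytes) -> int:
    """Return the highest protocol version a ClientHello offers.

    Handles both the TLS record format and the older SSLv2-compatible
    hello. Raises ValueError when the bytes are not a ClientHello.
    """
    if len(first_bytes) >= 11 and first_bytes[0] == 0x16:
        # TLS record: type(1) version(2) length(2), then handshake
        # header: msg_type(1) length(3), then client_version(2).
        if first_bytes[5] != 0x01:
            raise ValueError("handshake record is not a ClientHello")
        return struct.unpack_from("!H", first_bytes, 9)[0]
    if len(first_bytes) >= 5 and first_bytes[0] & 0x80:
        # SSLv2 record: 2-byte length with the high bit set,
        # then msg_type(1) and version(2).
        if first_bytes[2] != 0x01:
            raise ValueError("SSLv2 record is not a CLIENT-HELLO")
        return struct.unpack_from("!H", first_bytes, 3)[0]
    raise ValueError("not a TLS or SSLv2-compatible ClientHello")


def diagnose(first_bytes: bytes) -> str:
    """Turn the first bytes of a connection into a help-desk hint."""
    try:
        version = offered_version(first_bytes)
    except ValueError as exc:
        return f"unrecognised: {exc}"
    name = VERSION_NAMES.get(version, f"0x{version:04x}")
    if version < 0x0301:
        return (f"client offers at most {name}: "
                "TLS appears to be disabled in the browser")
    return f"client offers {name}: TLS is enabled"


# Constructed sample inputs (not captured traffic).
SSL2_HELLO_MAX_SSL3 = bytes.fromhex("802b0103000012000000100000")
TLS10_HELLO = bytes.fromhex("160301002d0100002903014a")

if __name__ == "__main__":
    for sample in (SSL2_HELLO_MAX_SSL3, TLS10_HELLO):
        print(diagnose(sample))
```
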