Whitelisting clients

Currently any client that's present in the authentication federation is allowed to provision data.

An optional whitelist could let the service provider explicitly list the clients that are allowed to connect.
