2.7 Setting up the credential profiles for derived credentials
You must create new credential profiles for the derived credentials.
You must create at least one credential profile to contain the certificates that you want to issue to the derived credential. You may create as many of these credential profiles as you need; for example, you may want to create a credential profile for mobile devices and a credential profile for Microsoft VSCs.
2.7.1 Creating an Identity Agent credential profile
IKB-260 – Role enforcement for derived credentials: when creating or updating a credential profile for derived credentials, do not give Can Request permissions to any role that can access the Request ID or Request My ID workflows. Any user who holds such a role and can log on to MyID Desktop could otherwise create a request for derived credentials outside the SSRP process.
To create a credential profile for issuing derived credentials to mobile devices:
- From the Configuration category, select Credential Profiles.
- Click New.
- Type a Name for the credential profile.
- In Card Encoding, select Identity Agent and Derived Credential.
- In Services, make sure MyID Logon and MyID Encryption are selected.
  Note: If you select the Identity Agent option after you select the Derived Credential option, you cannot change the Services options; however, MyID Logon and MyID Encryption are selected automatically.
- In Issuance Settings, in the Mobile Device Restrictions drop-down list, select one of the following:
  - Any – the mobile identity can be loaded onto any mobile.
  - Known Mobiles – the mobile identity can be loaded onto any mobile that has already been registered with MyID. See the Setting up the Identity Agent credential profiles section in the Mobile Identity Management guide for details.
  - My Mobiles Only – the mobile identity can be loaded only onto mobiles associated with the user's account.
- If you are issuing Identity Agent credentials to users whose original cards were not issued by the current system, set the following option:
  - Require Facial Biometrics – Never Required.
- In Device Profiles, select the appropriate data model file from the Card Format drop-down list. See the Setting up the Identity Agent credential profiles section in the Mobile Identity Management guide for details.
- Click Next.
- Select the certificates you want to make available. All of the certificates you select here will be issued to the mobile device. You can select the archived and historic certificate options on this screen. See the Import and distribute certificates to devices section in the Administration Guide for details of the Issue new, Use existing, and Historic Only options.
- Click Next and proceed to the Select Roles screen.
- Select the roles that can issue this credential profile, and the roles that can be issued this credential profile.
  Note: Any role to which you want to issue derived credentials must have the Issue Device option selected in the Cards category within the Edit Roles workflow.
- Click Next.
- Select the card layouts you want to make available to the mobile device. Badges based on these layouts are transferred to the mobile device as part of the mobile ID; the reverse sides of the selected layouts (the _back layouts) are not available on the mobile device.
  Note: You must select at least one card layout. If you do not want to display personalized badge information on the mobile device, create a card layout containing default artwork and no user information.
- Select one of the layouts to be the default layout. This layout is displayed by default in the Identity Agent app, and is used for phone-to-phone identity verification.
- Click Next.
- Type your Comments and complete the workflow.
2.7.2 Creating a VSC credential profile
To create a credential profile for issuing derived credentials as Microsoft VSCs:
- From the Configuration category, select Credential Profiles.
- Click New.
- Type a Name for the credential profile.
- For the Card Encoding, select Microsoft Virtual Smart Card and Derived Credential.
- In Services, make sure MyID Logon and MyID Encryption are selected.
- In Issuance Settings, set the following options:
  - Generate Logon Code – select one of the following:
    - None – no logon code is generated.
    - Simple – the logon code is generated using the complexity rules defined by the Simple Logon Code Complexity configuration option.
    - Complex – the logon code is generated using the complexity rules defined by the Complex Logon Code Complexity configuration option.
    Note: To be FIPS 201-2 compliant, you must select Simple or Complex. See the Logon using security phrases section in the Administration Guide for details of configuring the logon code complexity.
    Important: You must set the Allow Logon Codes option (on the Logon page of the Security Settings workflow) to Yes to allow MyID to use logon codes.
  - Credential Group – if you want to restrict users to a single derived credential VSC, type an identifier here; for example: DC VSC. If you set the Active credential profiles per person configuration option (on the Issuance Processes page of the Operation Settings workflow) to One per credential group, MyID ensures that the user can have only one credential with the same Credential Group name.
  - Cancel Previously Issued Device – this option works in conjunction with the Credential Group setting. Select this option, and MyID cancels any previously issued credentials instead of disabling them. When you collect the new VSC using the Self-Service App (and your role has the Erase Unused VSCs permission, as configured in the Edit Roles workflow), the Self-Service App deletes any of the canceled VSCs on your device. For more information on these options, see the Additional credential profile options section in the Administration Guide.
- For Microsoft VSCs, if you want the derived credential to be FIPS 201-2 compliant, set the PIN to 16 numeric digits:
  - In PIN Settings, set the Maximum PIN Length and Minimum PIN Length options to 16.
  - In PIN Characters, set Numeric to Mandatory, and Lowercase, Uppercase, and Symbol to Not Allowed.
- Click Next.
- Select the certificates you want to make available. All of the certificates you select here will be issued to the VSC. You can select the archived and historic certificate options on this screen. See the Selecting certificates section in the Administration Guide for details of the Issue new, Use existing, and Historic Only options.
- Click Next and proceed to the Select Roles screen.
- Select the roles that can issue this credential profile, and the roles that can be issued this credential profile.
  Note: Any role to which you want to issue derived credentials must have the following configured in the Edit Roles workflow:
  - Select the Issue Device option in the list of workflows.
  - Select the Collect My Card option in the list of workflows.
  - Select the Password option in the Logon Methods.
- Click Next.
- Click Next.
- Type your Comments and complete the workflow.
2.7.3 Creating a Windows Hello credential profile
Important: The Windows Hello option in the credential profile appears only when you have set the Windows Hello for Business supported in MyID configuration option. See the Setting the Windows Hello configuration options section in the Windows Hello for Business Integration Guide for details.
To create a credential profile for issuing derived credentials to Windows Hello:
- From the Configuration category, select Credential Profiles.
- Click New.
- Type a Name and Description.
- In the Card Encoding section, select Windows Hello and Derived Credential.
- In the Services section, select MyID Logon and MyID Encryption.
- In Issuance Settings, set the following options:
  - Generate Logon Code – select one of the following:
    - None – no logon code is generated.
    - Simple – the logon code is generated using the complexity rules defined by the Simple Logon Code Complexity configuration option.
    - Complex – the logon code is generated using the complexity rules defined by the Complex Logon Code Complexity configuration option.
    Note: To be FIPS 201-2 compliant, you must select Simple or Complex. See the Logon using security phrases section in the Administration Guide for details of configuring the logon code complexity.
    Important: You must set the Allow Logon Codes option (on the Logon page of the Security Settings workflow) to Yes to allow MyID to use logon codes.
- In the Mail Documents section, set up any mailing documents you want to issue. See the Mail Documents section in the Administration Guide for details.
- Click Next.
- On the Select Certificates screen, select the certificates you want to issue to the Windows Hello credential.
  Note: You must use a certificate for Signing and Encryption; you cannot use MyID keys for signing and encryption operations on Windows Hello credentials. For more information on this screen, see the Selecting certificates section in the Administration Guide.
- Click Next and proceed to the Select Roles screen.
  Note: Any role to which you want to issue derived credentials must have the following configured in the Edit Roles workflow:
  - Select the Issue Device option in the list of workflows.
  - Select the Collect My Card option in the list of workflows.
  - Select the Password option in the Logon Methods.
  See the Linking credential profiles to roles section in the Administration Guide for details.
- Click Next and complete the workflow. You do not need to specify any card layouts.
2.7.4 Creating a credential profile for other devices
To create a credential profile for issuing derived credentials to any other type of device (for example, smart cards and USB tokens):
- From the Configuration category, select Credential Profiles.
- Click New.
- Type a Name for the credential profile.
- For the Card Encoding, select Contact Chip and Derived Credential.
- In Services, make sure MyID Logon and MyID Encryption are selected.
- In Issuance Settings, set the following option:
  - Generate Logon Code – select one of the following:
    - None – no logon code is generated.
    - Simple – the logon code is generated using the complexity rules defined by the Simple Logon Code Complexity configuration option.
    - Complex – the logon code is generated using the complexity rules defined by the Complex Logon Code Complexity configuration option.
    Note: To be FIPS 201-2 compliant, you must select Simple or Complex. See the Logon using security phrases section in the Administration Guide for details of configuring the logon code complexity.
    Important: You must set the Allow Logon Codes option (on the Logon page of the Security Settings workflow) to Yes to allow MyID to use logon codes.
- In Device Profiles, if the devices to which you want to issue the derived credentials require a card format file (for example, to use a PIV data model), select the appropriate file from the Card Format drop-down list. See the Smart Card Integration Guide for information on the card format files required for your devices.
- Click Next.
- Select the certificates you want to make available.
  - For credential profiles that use a PIV data model, select the PIV containers for the certificates. To allow online unlocking, you must include a certificate in the PIV Card Authentication Certificate container.
  - For credential profiles that do not use a PIV data model, do not select any containers.
  All of the certificates you select here will be issued to the device. You can select the archived and historic certificate options on this screen. See the Selecting certificates section in the Administration Guide for details of the Issue new, Use existing, and Historic Only options.
- Click Next and proceed to the Select Roles screen.
- Select the roles that can issue this credential profile, and the roles that can be issued this credential profile.
  Note: Any role to which you want to issue derived credentials must have the following configured in the Edit Roles workflow:
  - Select the Issue Device option in the list of workflows.
  - Select the Collect My Card option in the list of workflows.
  - Select the Password option in the Logon Methods.
- Click Next.
- Click Next.
- Type your Comments and complete the workflow.
2.7.5 Credential profile restrictions
Note: At the point of the request for the derived credential, full details about the user are not known; this means that MyID cannot verify some credential profile requirements, including the requirement for facial and fingerprint biometrics and the enforcement of a UPN or email address. We recommend that you do not apply these restrictions to a credential profile used for derived credentials: if these values are not available, the user will be unable to collect the derived credential.
2.7.6 Configuring the available credential profiles
You can edit the ssrp.conf.xml configuration file on the MyID application server to configure which credential profiles are available through the SSRP.
2.7.7 Mapping certificates to roles and credential profiles
You can configure the system to make specific credential profiles available to users based on the user certificates on their original smart cards. To do this, you set up a mapping between the OIDs of the possible certificates and the roles you have set up within MyID; if the user has a certificate that matches the listed OIDs, they are given the specified roles, and therefore granted access to any credential profiles for derived credentials that are available to these roles.
Example
You have configured three roles:
- Derived Credential User
- Secure Access
- Remote Access
You have configured four credential profiles for derived credentials:
- Standard DC mobile – available to the Derived Credential User role.
- Standard DC VSC – available to the Derived Credential User role.
- Secure access mobile – available to the Secure Access role.
- Remote access VSC – available to the Remote Access role.
You set up the mappings as follows:
- Derived Credential User:
  - Any OID.
- Secure Access:
  - 1.2.826.0.1.2697033.1.1
- Remote Access:
  - 2.16.840.1.101.3.2.1.6.1
  - 2.16.840.1.101.3.2.1.6.2
  - 2.16.840.1.101.3.2.1.6.3
  - 2.16.840.1.101.3.2.1.6.4
If a user presents a credential with no matching OIDs, they are allocated the Derived Credential User role, and therefore can choose one of the following credential profiles:
- Standard DC mobile.
- Standard DC VSC.
If a user presents a credential with the following matching OIDs:
- 1.2.826.0.1.2697033.1.1
- 2.16.840.1.101.3.2.1.6.1
- 2.16.840.1.101.3.2.1.6.2
- 2.16.840.1.101.3.2.1.6.3
- 2.16.840.1.101.3.2.1.6.4
they are allocated the Derived Credential User role, the Secure Access role, and the Remote Access role, and therefore can choose any of the following credential profiles:
- Standard DC mobile.
- Standard DC VSC.
- Secure access mobile.
- Remote access VSC.
If a user presents a credential with the following matching OIDs:
- 1.2.826.0.1.2697033.1.1
- 2.16.840.1.101.3.2.1.6.1
they are allocated the Derived Credential User role and the Secure Access role, but not the Remote Access role – they match some, but not all, of the OIDs required for remote access. Therefore they can choose from the following credential profiles:
- Standard DC mobile.
- Standard DC VSC.
- Secure access mobile.
2.7.8 Restricting based on the certificate authority path
You can further restrict the available role based on the path of the CA that issued the certificate used to make the request – you can specify a DN that must be included in the SSL certificate's chain to be eligible. If the DN is not present, the role is not allowed.
2.7.9 Verifying certificates
You can configure the system to perform a real-time certificate validity check before requesting the derived credential. If the check fails, the issuance is prevented – even if the user selects a credential profile from a different role.
Certificate validation occurs using the Microsoft WinCrypt API.
2.7.10 Configuration file format
The ssrp.conf.xml configuration file is stored on the MyID application server in the following location:
C:\Program Files (x86)\Intercede\MyID\Settings\
Within the top-level <roles> node, you can add one or more <role> nodes. Within each of these <role> nodes, you can add the following nodes:
- <OID> (optional) – specify an OID that must be present on the user certificate. You can include multiple <OID> nodes; the certificate must match all specified OIDs. A <role> node that contains no <OID> nodes (such as the first node in the example below) applies to any certificate.
- <CAPath> (optional) – specify a DN that must be included in the SSL certificate's chain.
- <VerifyCertificate> (optional) – set to true to perform a real-time certificate validity check before requesting the derived credential.
- <role> – specify the role that will be granted. Within this node, you must include the following parameters:
  - userprofileid – the ID from the UserProfiles table in the MyID database for the role.
  - UserProfileName – the Name from the UserProfiles table in the MyID database for the role.
  - scope – set to 1 (self) for derived credential users. Other scope values are for operators and administrators.
  - logonmechanism – set to 1 for password logon, 2 for smart card logon. If you want to allow multiple methods of logging in, repeat the same <role> node and supply a different logonmechanism value.
Example:
<?xml version="1.0" encoding="utf-8" ?>
<roles>
  <role>
    <role userprofileid="984" UserProfileName="Derived Credential User" scope="1" logonmechanism="0" />
    <role userprofileid="984" UserProfileName="Derived Credential User" scope="1" logonmechanism="1" />
  </role>
  <role>
    <OID>1.2.826.0.1.2697033.1.1</OID>
    <role userprofileid="21" UserProfileName="Secure Access" scope="1" logonmechanism="1" />
  </role>
  <role>
    <OID>2.16.840.1.101.3.2.1.6.1</OID>
    <OID>2.16.840.1.101.3.2.1.6.2</OID>
    <OID>2.16.840.1.101.3.2.1.6.3</OID>
    <OID>2.16.840.1.101.3.2.1.6.4</OID>
    <CAPath>dc=VPN,o=intercede,o=com</CAPath>
    <VerifyCertificate>true</VerifyCertificate>
    <role userprofileid="20" UserProfileName="Remote Access" scope="1" logonmechanism="1" />
  </role>
</roles>
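The following Python script is an added example, not Intercede code, that models the role-mapping rules described in 2.7.7 to 2.7.10 and applies them to the example configuration above, so that you can check what a given ssrp.conf.xml will grant before deploying it. It parses the file with the standard library, treats every <OID> in a node as required, treats a node with no <OID> as matching any certificate, requires the <CAPath> DN to appear among the chain DNs you supply, and replaces the WinCrypt validity check with a caller-supplied cert_valid flag. The profile-to-role table, the sample chain DN and the case-insensitive DN comparison are assumptions made for the illustration.

```python
"""Evaluate which roles and credential profiles an ssrp.conf.xml grants.

Added illustration, not Intercede code. Assumptions: DNs compare
case- and whitespace-insensitively; a <role> node with no <OID> matches any
certificate; a failed real-time check blocks issuance outright (2.7.9).
"""
import xml.etree.ElementTree as ET

# Constructed copy of the example configuration shown above.
SSRP_CONF = """<?xml version="1.0" encoding="utf-8" ?>
<roles>
  <role>
    <role userprofileid="984" UserProfileName="Derived Credential User" scope="1" logonmechanism="0" />
    <role userprofileid="984" UserProfileName="Derived Credential User" scope="1" logonmechanism="1" />
  </role>
  <role>
    <OID>1.2.826.0.1.2697033.1.1</OID>
    <role userprofileid="21" UserProfileName="Secure Access" scope="1" logonmechanism="1" />
  </role>
  <role>
    <OID>2.16.840.1.101.3.2.1.6.1</OID>
    <OID>2.16.840.1.101.3.2.1.6.2</OID>
    <OID>2.16.840.1.101.3.2.1.6.3</OID>
    <OID>2.16.840.1.101.3.2.1.6.4</OID>
    <CAPath>dc=VPN,o=intercede,o=com</CAPath>
    <VerifyCertificate>true</VerifyCertificate>
    <role userprofileid="20" UserProfileName="Remote Access" scope="1" logonmechanism="1" />
  </role>
</roles>
"""

# Credential profile -> role, taken from the worked example in 2.7.7 (constructed table).
PROFILE_ROLES = {
    "Standard DC mobile": "Derived Credential User",
    "Standard DC VSC": "Derived Credential User",
    "Secure access mobile": "Secure Access",
    "Remote access VSC": "Remote Access",
}
ALL_OIDS = ["1.2.826.0.1.2697033.1.1"] + ["2.16.840.1.101.3.2.1.6.%d" % i for i in range(1, 5)]


def parse_mappings(xml_text):
    """Return one dict per outer <role> node: required OIDs, CAPath, verify flag, inner roles."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    mappings = []
    for block in root.findall("role"):
        mappings.append({
            "oids": {(e.text or "").strip() for e in block.findall("OID")},
            "ca_path": (block.findtext("CAPath") or "").strip() or None,
            "verify": (block.findtext("VerifyCertificate") or "").strip().lower() == "true",
            "roles": [dict(r.attrib) for r in block.findall("role")],
        })
    return mappings


def normalise_dn(dn):
    """Loose DN comparison key (assumption: MyID does not compare case-sensitively)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def grant_roles(mappings, cert_oids, chain_dns=(), cert_valid=True):
    """Return the set of role names granted for a certificate.

    cert_oids  - policy OIDs carried by the user's original certificate
    chain_dns  - DNs of the CAs in the certificate chain
    cert_valid - outcome of the real-time validity check (stand-in for WinCrypt)
    Raises PermissionError when a matching node demands verification and it failed.
    """
    cert_oids = set(cert_oids)
    chain = {normalise_dn(d) for d in chain_dns}
    granted = set()
    for m in mappings:
        if not m["oids"].issubset(cert_oids):
            continue  # a partial OID match grants nothing from this node
        if m["ca_path"] is not None and normalise_dn(m["ca_path"]) not in chain:
            continue  # required CA DN not present in the chain
        if m["verify"] and not cert_valid:
            raise PermissionError("real-time certificate check failed; issuance blocked")
        granted.update(r["UserProfileName"] for r in m["roles"])
    return granted


def evaluate(mappings, cert_oids, chain_dns=(), cert_valid=True):
    """Roles granted and credential profiles offered, or a blocked decision."""
    try:
        roles = grant_roles(mappings, cert_oids, chain_dns, cert_valid)
    except PermissionError as exc:
        return {"blocked": True, "reason": str(exc), "roles": set(), "profiles": []}
    profiles = sorted(p for p, role in PROFILE_ROLES.items() if role in roles)
    return {"blocked": False, "reason": None, "roles": roles, "profiles": profiles}


if __name__ == "__main__":
    mappings = parse_mappings(SSRP_CONF)
    scenarios = {  # the three cases walked through in 2.7.7, plus a failed check
        "no matching OIDs": ([], [], True),
        "all OIDs, VPN CA in chain": (ALL_OIDS, ["DC=VPN, O=intercede, O=com"], True),
        "partial Remote Access OIDs": (ALL_OIDS[:2], [], True),
        "all OIDs but certificate check failed": (ALL_OIDS, ["dc=VPN,o=intercede,o=com"], False),
    }
    for name, (oids, chain, valid) in scenarios.items():
        print(name, "->", evaluate(mappings, oids, chain, valid))
```

Run it after editing ssrp.conf.xml and compare the printed decisions with the outcomes you expect for each class of original certificate; a Remote Access mapping that lists all four OIDs but whose <CAPath> DN is never present in your users' chains will silently grant nothing, which the third scenario makes visible.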
        