3.8 Setting up the Identity Agent credential profiles
You must create at least one new credential profile for issuing mobile IDs to mobile devices.
The credential profile contains the certificates that you want to issue to mobile users. You may create as many of these credential profiles as you need.
3.8.1 Creating the Identity Agent credential profile
To create a credential profile for issuing mobile identities:
- From the Configuration category, select Credential Profiles.
- Click New.
- Type a Name for the credential profile.
- In Card Encoding, select Identity Agent.
- In Issuance Settings, in the Mobile Device Restrictions drop-down list, select one of the following:
  - Any – The mobile identity can be loaded onto any mobile.
  - Known Mobiles – The mobile identity can be loaded onto any mobile that has already been registered with MyID. See section 3.6, Registering mobile devices, for details.
  - My Mobiles Only – The mobile identity can be loaded only onto mobiles associated with the user's account.
- Make sure that you do not require any biometrics:
  - Require Fingerprints at Issuance – set to Never required.
  - Require Facial Biometrics – set to Never required.
- In Device Profiles, set the following from the Card Format drop-down list:
  - For Citrix enabled mobile devices, select Citrix SecureVault.
    Select a different option for Citrix devices only if you have a customized data model that you must use for your system.
    If you have upgraded from MyID 10.8 or earlier, you may have the option to select Legacy Citrix Vault. This is for a legacy version of Citrix; do not select this option unless Intercede advises you otherwise.
  - To issue certificates to the iOS or Android System Store, select the generic Mobile card format with the System Store container. MyID detects the type of mobile device when the mobile identity is issued and issues the certificates to the appropriate system store, iOS or Android.
  - For MobileIron enabled mobile devices, select MobileIron AppConnect.
    Select a different option for MobileIron devices only if you have a customized data model that you must use for your system.
  - For Microsoft Intune, VMware AirWatch, and Centrify Identity Service enabled mobile devices, make sure that None is selected.
  - For all other mobile devices, make sure that None is selected.
  Note: If you issue a mobile identity to a mobile device using a credential profile that includes support for certificates stored in the Citrix, MobileIron, or iOS System Store, but the mobile device does not support these certificate stores, the issuance still succeeds; however, any certificates that the credential profile specifies for installation to containers the mobile device does not support are silently ignored.
  For example, if your credential profile contains a Citrix Signing certificate, a Citrix Encryption certificate, and a certificate with no container specified, a Citrix-enabled mobile device receives all three certificates, while a mobile device that is not Citrix-enabled receives only the certificate with no container specified.
- Click Next.
- Select the certificates you want to make available.
  - If you are issuing multiple certificates to the iOS System Store, make sure that all of the certificates have the same expiry date. If the certificates do not have the same expiry date, you will not be able to renew them, because all of the certificates are added to the same iOS security profile in the system keystore.
  - For credential profiles that use a Citrix data model, select the Citrix containers for the certificates.
    You can also select the System Store for one or more certificates. See section 3.7, Setting up iOS OTA provisioning, for details of provisioning certificates to the iOS System Store.
  - For credential profiles that use the Mobile data model, you can select the System Store for one or more archive certificates.
  - For credential profiles that use a MobileIron data model, select the MobileIron containers for the certificates.
  - For Microsoft Intune, VMware AirWatch, and Centrify Identity Service enabled mobile devices, do not select any containers.
  - For all other types of credential profiles, do not select any containers.
  All of the certificates you select here will be issued to your mobile device.
  You can select the archived and historic certificate options on this screen. See the Selecting certificates section in the Administration Guide for details of the Issue new, Use existing, and Historic Only options.
  If you want to distribute certificates that were not issued through MyID, you can import a PFX file and then select the Unmanaged certificate option to specify it for distribution to the mobile device. See the Import and distribute certificates to devices section in the Administration Guide for details of setting up your credential profile and using the Upload PFX Certificates workflow.
- Click Next and proceed to the Select Roles screen.
- Select the roles you want to be able to issue and receive this credential profile.
  - The Can Receive option determines which roles can receive credentials issued using this credential profile.
  - The Can Request option determines which roles can request credentials using this credential profile; for example, using Request ID for operator requests or Request My ID for self-service requests.
  - The Can Validate option determines which roles can validate requests for credentials using this credential profile, using the Validate Request workflow.
  - The Can Collect option determines which roles can collect credentials using this credential profile; any user who is to receive a mobile identity must have both the Can Receive and the Can Collect options.
  - The Can Unlock option determines which roles can unlock mobile identities using the Unlock Credential workflow.
  Note: Not all options may be available, depending on your system configuration. See the Working with credential profiles section in the Administration Guide for details.
  Note: Any role you want to receive mobile identities must have the Issue Device option selected in the Cards category within the Edit Roles workflow.
- Click Next.
- Select the card layouts you want to make available to the mobile device.
  Badges based on these layouts are transferred to the mobile device as part of the mobile ID. Note, however, that the reverse sides of the selected layouts (the _back layouts) are not available on the mobile device.
  Note: Card layouts are optional, and are created only when the Intercede key store is used and certificates are selected in the credential profile.
- Select one of the layouts to be the default layout.
  This layout is displayed by default when using the Identity Agent app, and is used for phone-to-phone identity verification.
- Click Next.
- Type your Comments and complete the workflow.
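The container rule in the Device Profiles step (unsupported containers are ignored while the issuance still succeeds), the same-expiry requirement for iOS System Store certificates, and the Can Receive plus Can Collect requirement for roles are the three places where a profile that saves without error still gives a user fewer certificates than expected, or none. The following pre-issuance check, written in Python as an added example and not Intercede's own code or any MyID API, models those three rules so an administrator can lint a planned profile before running the workflow. The `CredentialProfile` and `Certificate` types, the per-device `supported_containers` set, and all certificate names, dates and roles are constructed for this example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Container names used by the Identity Agent credential profile screens.
CITRIX = "Citrix"
MOBILEIRON = "MobileIron"
SYSTEM_STORE = "System Store"


@dataclass(frozen=True)
class Certificate:
    name: str
    expiry: date
    container: str | None = None  # None = no container specified in the profile


@dataclass
class CredentialProfile:
    name: str
    certificates: list[Certificate]
    # role name -> options granted on the Select Roles screen (hypothetical model)
    role_options: dict[str, set[str]] = field(default_factory=dict)


def certificates_issued(profile: CredentialProfile, supported_containers: set[str]) -> list[Certificate]:
    """Certificates the device actually receives: every certificate with no
    container, plus those whose container the device supports."""
    return [c for c in profile.certificates
            if c.container is None or c.container in supported_containers]


def ignored_certificates(profile: CredentialProfile, supported_containers: set[str]) -> list[Certificate]:
    """Certificates silently dropped for this device; the issuance itself still succeeds."""
    issued = set(certificates_issued(profile, supported_containers))
    return [c for c in profile.certificates if c not in issued]


def system_store_expiry_mismatch(profile: CredentialProfile) -> bool:
    """True when System Store certificates carry different expiry dates. On iOS
    they share one security profile, so mismatched dates block renewal."""
    expiries = {c.expiry for c in profile.certificates if c.container == SYSTEM_STORE}
    return len(expiries) > 1


def roles_unable_to_receive(profile: CredentialProfile) -> list[str]:
    """Roles given Can Receive or Can Collect but not both; such a user cannot
    obtain a mobile identity. Roles with neither option are not flagged."""
    required = {"Can Receive", "Can Collect"}
    return sorted(role for role, opts in profile.role_options.items()
                  if (opts & required) and not required <= opts)


def lint_profile(profile: CredentialProfile) -> list[str]:
    """Human-readable findings for a planned profile; empty means no issues found."""
    problems = []
    if system_store_expiry_mismatch(profile):
        problems.append("System Store certificates have differing expiry dates; renewal will fail on iOS")
    for role in roles_unable_to_receive(profile):
        problems.append(f"role '{role}' needs both Can Receive and Can Collect")
    return problems


# Constructed sample: the Citrix example from the Device Profiles note.
SAME_DAY = date(2027, 1, 1)
CITRIX_PROFILE = CredentialProfile(
    name="Mobile ID (Citrix)",
    certificates=[
        Certificate("Citrix Signing", SAME_DAY, CITRIX),
        Certificate("Citrix Encryption", SAME_DAY, CITRIX),
        Certificate("Authentication", SAME_DAY),  # no container
    ],
    role_options={
        "Mobile User": {"Can Receive", "Can Collect"},
        "Operator": {"Can Request", "Can Validate"},
        "Contractor": {"Can Receive"},  # missing Can Collect
    },
)

# Constructed sample: two iOS System Store certificates with different expiry dates.
IOS_PROFILE = CredentialProfile(
    name="Mobile ID (iOS System Store)",
    certificates=[
        Certificate("Authentication", date(2026, 6, 30), SYSTEM_STORE),
        Certificate("Encryption", date(2027, 6, 30), SYSTEM_STORE),
    ],
)

if __name__ == "__main__":
    for device, supported in (("Citrix-enabled", {CITRIX}), ("not Citrix-enabled", set())):
        names = [c.name for c in certificates_issued(CITRIX_PROFILE, supported)]
        print(f"{device}: receives {names}")
    for prof in (CITRIX_PROFILE, IOS_PROFILE):
        print(prof.name, "->", lint_profile(prof) or ["no issues found"])
```

Running the block reproduces the note's example: the Citrix-enabled device receives all three certificates and the other device receives only the Authentication certificate, while the lint reports the Contractor role and the iOS expiry mismatch. The per-device supported-container set is an input rather than a lookup, because the page does not define which devices support which containers beyond the Citrix, MobileIron and System Store cases it names.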
3.8.2 Configuring authentication types for Identity Agent credential profiles
In the Credential Profiles workflow, when you select a Card Encoding type of Identity Agent, the Authentication Types section becomes available; this allows you to specify the additional types of authentication that the end user can use to access the Intercede keystore. If you do not select any additional authentication types, the user will be able to access the Intercede keystore only using their PIN.
Note: A PIN is mandatory, as it provides a fallback option to the user in the event that they are unable to provide any of the other authentication types.
To set the authentication types:
- From the Configuration category, select Credential Profiles.
- Click New.
- From the Card Encoding list, select Identity Agent.
- Click Authentication Types.
- Select the following:
  - Face – if the mobile device supports it, the user can use facial biometrics to access the Intercede keystore. Available only on iOS devices that support facial ID.
  - Fingerprint – if the mobile device supports it, the user can use fingerprint biometrics to access the Intercede keystore.
- Click Next and complete the workflow.