2.4 MyID configuration options
SSRP uses the following MyID configuration options:
- Allow derived credential requests to create accounts
This option appears on the Issuance Processes page of the Operation Settings workflow.
If this setting is referred to in the audit trail, it appears using the internal name DERIVED CREDENTIALS ALLOW IMPORT USERS.
Must be set to Yes to allow SSRP to issue a derived credential to a cardholder whose original credential was issued by a different system. The unknown user is added to MyID.
When this option is set to Yes, when a trusted credential is used to import a new user into MyID using SSRP, MyID creates a new group in which the user will be placed if the required group does not already exist. For PIV certificates that contain a FASC-N, the Agency code is used in the group name (constructed as Agency - <agencyCode>; for example, Agency - 0001). For certificates that do not contain a FASC-N, the organizational unit identified in the subject distinguished name is used. In each case, MyID attempts to identify existing groups using the respective identifiers.
If a matching group is found and the group is associated with an LDAP configuration, the LDAP configuration is also used for the imported user.
If a matching group is not found, but the subject distinguished name in the trusted credential conforms with the distinguished name format used in LDAP v3 directories, then MyID attempts to determine which LDAP the user belongs to. If MyID is unable to determine an appropriate LDAP, either because the subject DN does not match a configured LDAP or the DN is not LDAP v3 compliant, the Default ADS LDAP connection will be used (if configured).
Finally, if an LDAP connection was identified, the imported user is associated with that LDAP. If MyID has been unable to determine a suitable LDAP connection by the means described, the imported user will not be associated with an LDAP.
- Assign unmatched new accounts to default directory
This option appears on the LDAP page of the Operation Settings workflow.
When a new user account is created in MyID, it may not be possible to match the user's OU to a MyID group that is linked to a directory OU; set this option to Yes to link such an account to the default directory registered with MyID.
- Synchronize new accounts with directory
This option appears on the LDAP page of the Operation Settings workflow.
If this setting is referred to in the audit trail, it appears using the internal name DERIVED CREDENTIALS SYNC NEW USERS WITH LDAP.
SSRP does not import the user's email address from a PIV card, since the email address is not present on the PIV Authentication certificate. If you want to issue (email) signing/encryption certificates as derived credentials, and you have the appropriate data in your LDAP directory, you can enable the Synchronize new accounts with directory feature so that additional data, including the email address, is imported from the directory.
If this option is set to Yes, immediately after importing an unknown user MyID will attempt to pull extended details for that user from LDAP. A match will first be attempted using the DN of the certificate used to make the request. If no match is found, and the certificate contains a UPN, a second attempt will be made to match against the UPN. If both of these fail to match, no further data will be imported for the account.
This approach allows the system to consolidate users with multiple DNs but a common UPN into a single account, making collection easier.
Note: If you set the Synchronize new accounts with directory option to Yes, you must set the Disable on removal from directory option (on the LDAP page of the Operation Settings workflow) to No; if you do not do this, newly-created accounts that do not match a directory entry will become disabled, preventing the issuance of a derived credential.
Note: If this feature is enabled, and the user is matched against the UPN, the user's DN will be imported from the directory. If the DN in the directory does not match the DN on the original PIV card, this can cause the PIV derived credential to be issued with the DN from the directory, which may differ from the DN on the original PIV Authentication certificate.
If the hosting MyID system has any kind of LDAP synchronization enabled (for example, background update), set the Synchronize new accounts with directory configuration option to Yes. Failing to do this may cause inconsistent behavior, because the LDAP synchronization schedule may update the account independently of the SSRP import.
Note: Group default roles relate only to the Add Person and Edit Person workflows, and as such are not applied to users imported through SSRP. Roles that are configured to be imported from LDAP will be assigned to the newly-created user account. Any roles applied to user accounts by SSRP override any role restrictions in MyID.
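The import decisions described above (group naming from the FASC-N Agency code or the subject OU, LDAP selection with the Default ADS fallback, and the DN-then-UPN match used by Synchronize new accounts with directory) as an added Python model; this is not MyID's code. The LDAP_BY_BASE suffix rule, the GROUPS table, the DIRECTORY entries and the handling of a found group with no LDAP link are constructed assumptions, not documented MyID behavior.

```python
import re

# Constructed sample data (assumptions for this illustration, not real MyID configuration).
LDAP_BY_BASE = {"DC=example,DC=gov": "Example AD", "DC=contractor,DC=net": "Contractor AD"}
DEFAULT_ADS = "Default ADS"                  # the Default ADS LDAP connection, if configured
GROUPS = {"Agency - 0001": "Example AD", "Agency - 9999": None}   # group -> linked LDAP
DIRECTORY = [                                # constructed entries for the sync lookup
    {"dn": "CN=Ann Lee,OU=Ops,DC=example,DC=gov", "upn": "ann.lee@example.gov", "mail": "ann.lee@example.gov"},
]

def norm(dn):
    """Case- and whitespace-insensitive DN form for comparisons."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_dn(dn):
    """Simplified RFC 4514 check: [(attr, value), ...], or None if not LDAP v3 style."""
    if not dn or not re.fullmatch(r"[A-Za-z]+=[^,=]+(\s*,\s*[A-Za-z]+=[^,=]+)*", dn.strip()):
        return None
    return [tuple(p.strip() for p in rdn.split("=", 1)) for rdn in dn.split(",")]

def group_name(agency_code, subject_dn):
    """FASC-N present: 'Agency - <agencyCode>'; otherwise the OU from the subject DN."""
    if agency_code:
        return f"Agency - {agency_code}"
    ous = [v for a, v in (parse_dn(subject_dn) or []) if a.upper() == "OU"]
    return ous[0] if ous else None

def select_ldap(agency_code, subject_dn):
    """Return (group, ldap) following the import rules in 2.4."""
    group = group_name(agency_code, subject_dn)
    if GROUPS.get(group):                    # existing group with an LDAP link: reuse it
        return group, GROUPS[group]
    # Assumption: a found group without an LDAP link falls through like "not found".
    if parse_dn(subject_dn):                 # LDAP v3 DN: connection whose base DN is a suffix
        for base, ldap in LDAP_BY_BASE.items():
            if norm(subject_dn).endswith(norm(base)):
                return group, ldap
    return group, DEFAULT_ADS                # no match or non-v3 DN: Default ADS (None if absent)

def sync_details(subject_dn, upn):
    """Extended-details lookup: match on the certificate DN first, then the UPN, else None."""
    for entry in DIRECTORY:
        if norm(entry["dn"]) == norm(subject_dn):
            return entry
    if upn:
        for entry in DIRECTORY:
            if entry["upn"].lower() == upn.lower():
                return entry
    return None
```

The UPN fallback is what lets two certificates with different DNs but a common UPN land on one account; note that the returned directory entry carries the directory's DN, which is the behavior the second note above warns about.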
2.4.1 Setting the credential check period
By default, seven days after MyID issues derived credentials, it checks the original credentials that were used to request the derived credentials. If, during this period, the original credentials have become invalid (for example, if the smart card was canceled), MyID revokes the derived credentials.
Note: There may be a gap between the time the derived credentials were requested and when they were issued. The credential check period counts from the time the derived credentials were issued.
You can adjust the time period for this check: