2.7 Setting up the credential profiles for derived credentials

You must create new credential profiles for the derived credentials.

You must create at least one credential profile to contain the certificates that you want to issue to the derived credential. You may create as many of these credential profiles as you need; for example, you may want to create a credential profile for mobile devices and a credential profile for Microsoft VSCs.

2.7.1 Creating an Identity Agent credential profile

To create a credential profile for issuing derived credentials to mobile devices:

  1. From the Configuration category, select Credential Profiles.
  2. Click New.
  3. Type a Name for the credential profile.
  4. In Card Encoding, select Identity Agent and Derived Credential.

  5. In Services, make sure MyID Logon and MyID Encryption are selected.

    Note: If you select the Identity Agent option after you select the Derived Credential option, you cannot select the Services options manually; however, MyID Logon and MyID Encryption are selected automatically.

  6. In Issuance Settings, in the Mobile Device Restrictions drop-down list, select one of the following:

    • Any – The mobile identity can be loaded onto any mobile.

    • Known Mobiles – The mobile identity can be loaded onto any mobile that has already been registered with MyID. See the Setting up the Identity Agent credential profiles section in the Mobile Identity Management guide for details.

    • My Mobiles Only – The mobile identity can be loaded only onto mobiles associated with the user's account.

  7. If you are issuing Identity Agent credentials for users associated with cards that were not issued by the current system, set the following option:

    • Require Facial Biometrics – Never Required.

  8. In Device Profiles, select the appropriate data model file from the Card Format drop-down list.

    See the Setting up the Identity Agent credential profiles section in the Mobile Identity Management guide for details.

  9. Click Next.
  10. Select the certificates you want to make available.

    All of the certificates you select here will be issued to your mobile device.

    You can select the archived and historic certificate options on this screen. See the Import and distribute certificates to devices section in the Administration Guide for details of the Issue new, Use existing, and Historic Only options.

  11. Click Next and proceed to the Select Roles screen.
  12. Select the roles you want to be able to issue this credential profile, and the roles you want to be able to be issued this credential profile.

    Note: Any role to which you want to issue derived credentials must have the Issue Device option selected in the Cards category within the Edit Roles workflow.

  13. Click Next.
  14. Select the card layouts you want to make available to the mobile device.

    Badges based on these layouts will be transferred to the mobile device as part of the mobile ID. Note, however, that the reverse sides of the selected layouts (the _back layouts) will not be available on the mobile device.

    Note: You must select at least one card layout. If you do not want to display personalized badge information on the mobile device, create a card layout containing default artwork and no user information.

  15. Select one of the layouts to be the default layout.

    This layout will be displayed by default when using the Identity Agent app, and will be used for phone-to-phone identity verification.

  16. Click Next.
  17. Type your Comments and complete the workflow.

2.7.2 Creating a VSC credential profile

To create a credential profile for issuing derived credentials as Microsoft VSCs:

  1. From the Configuration category, select Credential profiles.
  2. Click New.
  3. Type a Name for the credential profile.
  4. For the Card Encoding, select Microsoft Virtual Smart Card and Derived Credential.
  5. In Services, make sure MyID Logon and MyID Encryption are selected.
  6. In Issuance Settings, set the following options:

    • Generate Logon Code – select one of the following:

      • None – no logon code is generated.
      • Simple – the logon code is generated using the complexity rules as defined by the Simple Logon Code Complexity configuration option.
      • Complex – the logon code is generated using the complexity rules as defined by the Complex Logon Code Complexity configuration option.

      Note: To be FIPS 201-2 compliant, you must select Simple or Complex. See the Logon using security phrases section in the Administration Guide for details of configuring the logon code complexity.

      Important: You must set the Allow Logon Codes option (on the Logon page of the Security Settings workflow) to Yes to allow MyID to use logon codes.

    • Credential Group – if you want to restrict users to have a single derived credential VSC, type an identifier here; for example:

      DC VSC

      If you set the Active credential profiles per person configuration option (on the Issuance Processes page of the Operation Settings workflow) to One per credential group, MyID ensures that the user can have only one credential with the same Credential Group name.

    • Cancel Previously Issued Device

      This option works in conjunction with the Credential Group setting. Select this option, and MyID cancels any previously-issued credentials instead of disabling them. When you collect the new VSC using the Self-Service App (and you have the Erase Unused VSCs permission for your role, as configured in the Edit Roles workflow) the Self-Service App will delete any of the canceled VSCs on your device.

      For more information on these options, see the Additional credential profile options section in the Administration Guide.

  7. For Microsoft VSCs, set the PIN to 16 numeric digits if you want to ensure that the derived credential is compliant with FIPS 201-2.

    1. In PIN Settings, set the Maximum PIN Length and Minimum PIN Length options to 16.
    2. In PIN Characters, set Numeric to Mandatory, and Lowercase, Uppercase, and Symbol to Not Allowed.
  8. Click Next.
  9. Select the certificates you want to make available.

    All of the certificates you select here will be issued to your VSC.

    You can select the archived and historic certificate options on this screen. See the Selecting certificates section in the Administration Guide for details of the Issue new, Use existing, and Historic Only options.

  10. Click Next and proceed to the Select Roles screen.
  11. Select the roles you want to be able to issue this credential profile, and the roles you want to be able to be issued this credential profile.

    Note: Any role to which you want to issue derived credentials must have the following configured in the Edit Roles workflow:

    • Select the Issue Device option in the list of workflows.

    • Select the Collect My Card option in the list of workflows.

    • Select the Password option in the Logon Methods.

  12. Click Next.
  13. Click Next.
  14. Type your Comments and complete the workflow.

2.7.3 Creating a Windows Hello credential profile

Important: The Windows Hello option in the credential profile appears only when you have set the Windows Hello for Business supported in MyID configuration option. See the Setting the Windows Hello configuration options section in the Windows Hello for Business Integration Guide for details.

To create a credential profile for issuing derived credentials to Windows Hello:

  1. From the Configuration category, select Credential Profiles.
  2. Click New.
  3. Type a Name and Description.
  4. In the Card Encoding section, select Windows Hello and Derived Credential.

  5. In the Services section, select MyID Logon and MyID Encryption.
  6. In Issuance Settings, set the following options:

    • Generate Logon Code – select one of the following:

      • None – no logon code is generated.
      • Simple – the logon code is generated using the complexity rules as defined by the Simple Logon Code Complexity configuration option.
      • Complex – the logon code is generated using the complexity rules as defined by the Complex Logon Code Complexity configuration option.

      Note: To be FIPS 201-2 compliant, you must select Simple or Complex. See the Logon using security phrases section in the Administration Guide for details of configuring the logon code complexity.

      Important: You must set the Allow Logon Codes option (on the Logon page of the Security Settings workflow) to Yes to allow MyID to use logon codes.

  7. In the Mail Documents section, set up any mailing documents you may want to issue.

    See the Mail Documents section in the Administration Guide for details.

  8. Click Next.
  9. On the Select Certificates screen, select the certificates you want to issue to the Windows Hello credential.

    Note: You must use a certificate for Signing and Encryption; you cannot use MyID keys for signing and encryption operations on Windows Hello credentials.

    For more information on this screen, see the Selecting certificates section in the Administration Guide.

  10. Click Next and proceed to the Select Roles screen.

    Note: Any role to which you want to issue derived credentials must have the following configured in the Edit Roles workflow:

    • Select the Issue Device option in the list of workflows.

    • Select the Collect My Card option in the list of workflows.

    • Select the Password option in the Logon Methods.

    See the Linking credential profiles to roles section in the Administration Guide for details.

  11. Click Next and complete the workflow.

    You do not need to specify any card layouts.

2.7.4 Creating a FIDO authenticator credential profile

See the FIDO Authenticator Integration Guide for details of setting up MyID to issue FIDO authenticators.

To set up a credential profile for FIDO authenticators that you can use for requests made in the Self-Service Request Portal:

  1. Log on to MyID Desktop as an administrator.

  2. From the Configuration category, select Credential Profiles.

  3. Click New.

  4. In the Card Encoding list, select the following:

    • Derived Credential

    • FIDO Authenticator (Only)

    Note: The other options are disabled.

  5. In the Services section, you can set the following:

    • MyID Logon – select this option if you want to be able to log on to MyID with the authenticator.

    Note: The MyID Encryption option is disabled. You cannot use a FIDO Authenticator to store an encryption certificate.

  6. In the Issuance Settings section, the following options are available:

    • Validate Issuance

    • Validate Cancellation – do not select this option. Validating cancellation is not supported with FIDO authenticators, and setting this option may result in being unable to cancel the device.

    • Lifetime

    • Credential Group

    • Block Multiple Requests for Credential Group

    • Cancel Previously Issued Device

    • Enforce Photo at Issuance – do not select this option. Request checks are performed for FIDO authenticators, but issuance checks are not; instead of standard MyID issuance, authenticators use a FIDO-specific registration process.

    • Notification Scheme

    • Require user data to be approved

    See the Working with credential profiles section in the Administration Guide for details of these options.

    You must also set the following option:

    • Generate Logon Code – set this to one of the following options:

      • Simple – the FIDO registration code is generated using the complexity rules as defined by the Simple Logon Code Complexity configuration option on the Logon tab of the Security Settings workflow.

        By default, this is 12-12N, which means a 12-digit number.

      • Complex – the FIDO registration code is generated using the complexity rules as defined by the Complex Logon Code Complexity configuration option on the Logon tab of the Security Settings workflow.

        By default, this is 12-12ULSN, which means a 12-character code containing upper case, lower case, special characters, and numbers.

      Important: Do not select None. MyID must generate a FIDO registration code to be used in the FIDO authenticator registration process.

      For more information about the format of these codes, see the Setting up logon codes section in the Administration Guide.

  7. In the FIDO Settings section, set the following:

    • Assurance Level – select one of the following options:

      • Basic – the FIDO authenticator uses single factor authentication, and is suitable for use with some external systems, but not for access to crucial systems.

      • High – the FIDO authenticator uses multi-factor authentication, and is suitable for use with secure systems, such as logging on to MyID.

        You are recommended to set Assurance Level to High only when you have also set the User Verification to Required.

      MyID differentiates between FIDO authenticators that have been issued with a credential profile where the Assurance Level is set to Basic or High – for example, you can enable logon to MyID for FIDO High Assurance, but disable logon for FIDO Basic Assurance.

    • User Verification – select one of the following options:

      • Required – the FIDO authenticator must perform user verification (for example, a PIN or biometric), so the credential provides two-factor authentication. If the authenticator does not support user verification, it cannot be registered.

      • Preferred – the FIDO authenticator will use two-factor authentication if the authenticator supports that feature, but will still be registered if it supports only one-factor authentication.

      • Discouraged – the FIDO authenticator will use single-factor authentication, unless the authenticator cannot work without multi-factor authentication.

    • Authenticator Type – select one of the following options:

      • Internal – you can issue this credential profile to internal FIDO authenticators; for example, authenticators included in mobile devices such as cell phones.

      • Removable – you can issue this credential profile to external removable authenticators; for example, USB tokens or smart cards.

      • Internal or Removable – you can issue this credential profile to internal or removable FIDO authenticators.

    • Require Client Side Discoverable Key – select this option to ensure that the FIDO authenticator supports Resident Keys. If you select this option, and the FIDO authenticator supports client side discoverable keys, you can choose not to provide the username manually when using the FIDO authenticator to log on to MyID.

    • Enforce Authenticator Attestation Check – select this option to carry out an authenticator attestation check during the registration process.

    • Immediate registration via Self-Service Request Portal – select this option if you want to register the authenticator immediately when the cardholder makes the request in the Self-Service Request Portal. If you do not select this option, MyID sends the standard registration messages, and the person can register their authenticator later.

  8. In the Requisite User Data section, set any user attributes that you want to require for the people who will request FIDO authenticators.

    For example, if you are not using immediate registration, the FIDO notification is sent as an email, so you are recommended to select Email in the Required for Request column.

    If you have configured your system to send the registration code in an SMS, you are recommended to select Cell in the Required for Request column.

    For more information about this feature, see the Requisite User Data section in the Administration Guide.

  9. Click Next.

  10. In the Select Roles screen, select the Derived Credential Owner role for each of the following:

    • Can Receive

    • Can Request

    • Can Collect

    Note: You do not need to select any of the roles held by the person who will receive the FIDO registration request.

  11. Click Next.

  12. Type your Comments, then click Next to save the credential profile and complete the workflow.
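The Generate Logon Code rules quoted in step 6 (12-12N and 12-12ULSN) are the same format that the Simple and Complex options use in the other credential profiles in this section. The following is an added example, not MyID code, showing how such a rule reads as a length range followed by character classes, how to generate a code that satisfies it with a CSPRNG, how to validate a code against it, and how much guessing entropy the default rules give. Assumptions, labelled in the code: the letters U, L, S and N map to upper case, lower case, symbols and numbers as the page describes the two defaults; every listed class must appear at least once; and the symbol set is a placeholder, as the real one is defined in the Administration Guide.

```python
"""Interpret a MyID logon code complexity rule such as "12-12N" or "12-12ULSN".

Added example, not MyID code. The rule is read as <min>-<max> followed by the
required character classes U (upper), L (lower), S (symbol), N (number).
Assumptions: every listed class must appear at least once in a generated code,
and the symbol set below is a guess; the Administration Guide defines the real one.
"""
import math
import re
import secrets
import string

CLASSES = {
    "U": string.ascii_uppercase,
    "L": string.ascii_lowercase,
    "N": string.digits,
    "S": "!@#$%^&*()-_=+",   # assumption: MyID's own symbol set may differ
}
RULE = re.compile(r"^(\d+)-(\d+)([ULNS]+)$")


def parse_rule(rule: str):
    """Return (min_len, max_len, classes) or raise ValueError for a malformed rule."""
    m = RULE.match(rule)
    if not m:
        raise ValueError("bad complexity rule: %r" % rule)
    lo, hi = int(m.group(1)), int(m.group(2))
    classes = "".join(dict.fromkeys(m.group(3)))   # de-duplicate, keep order
    if lo < 1 or hi < lo or len(classes) > hi:
        raise ValueError("rule %r cannot be satisfied" % rule)
    return lo, hi, classes


def matches_rule(code: str, rule: str) -> bool:
    """True if the code has an allowed length, only allowed characters, and every class."""
    lo, hi, classes = parse_rule(rule)
    alphabet = "".join(CLASSES[c] for c in classes)
    return (lo <= len(code) <= hi
            and all(ch in alphabet for ch in code)
            and all(any(ch in CLASSES[c] for ch in code) for c in classes))


def generate_code(rule: str) -> str:
    """Generate a code with the secrets module (CSPRNG), never random.random()."""
    lo, hi, classes = parse_rule(rule)
    length = lo + secrets.randbelow(hi - lo + 1)
    alphabet = "".join(CLASSES[c] for c in classes)
    # One character from each required class, the rest from the whole alphabet...
    chars = [secrets.choice(CLASSES[c]) for c in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # ...then a Fisher-Yates shuffle driven by the CSPRNG so class positions leak nothing.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def entropy_bits(rule: str) -> float:
    """Upper bound on guessing entropy: log2 of the number of codes of the maximum length."""
    _, hi, classes = parse_rule(rule)
    alphabet = "".join(CLASSES[c] for c in classes)
    return hi * math.log2(len(alphabet))


if __name__ == "__main__":
    for rule in ("12-12N", "12-12ULSN"):
        code = generate_code(rule)
        print(rule, code, matches_rule(code, rule), round(entropy_bits(rule), 1))
```

The entropy figure is the practical point: a 12-digit numeric code is just under 40 bits, so the protection of a registration code sent by email or SMS rests on its lifetime and on the registration endpoint limiting attempts, not on the code being unguessable offline.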

2.7.5 Creating a credential profile for other devices

To create a credential profile for issuing derived credentials to any other type of device (for example, smart cards and USB tokens):

  1. From the Configuration category, select Credential profiles.
  2. Click New.
  3. Type a Name for the credential profile.
  4. For the Card Encoding, select Contact Chip and Derived Credential.
  5. In Services, make sure MyID Logon and MyID Encryption are selected.
  6. In Issuance Settings, set the following option:

    • Generate Logon Code – select one of the following:

      • None – no logon code is generated.
      • Simple – the logon code is generated using the complexity rules as defined by the Simple Logon Code Complexity configuration option.
      • Complex – the logon code is generated using the complexity rules as defined by the Complex Logon Code Complexity configuration option.

      Note: To be FIPS 201-2 compliant, you must select Simple or Complex. See the Logon using security phrases section in the Administration Guide for details of configuring the logon code complexity.

      Important: You must set the Allow Logon Codes option (on the Logon page of the Security Settings workflow) to Yes to allow MyID to use logon codes.

  7. In Device Profiles, if the devices to which you want to issue the derived credentials require a card format file (for example, to use a PIV data model), select the appropriate file from the Card Format drop-down list.

    See the Smart Card Integration Guide for information on the card format files required for your devices.

  8. Click Next.
  9. Select the certificates you want to make available.

    • For credential profiles that use a PIV data model, select the PIV containers for the certificates. To allow online unlocking, you must include a certificate in the PIV Card Authentication Certificate container.

    • For credential profiles that do not use a PIV data model, do not select any containers.

    All of the certificates you select here will be issued to your device.

    You can select the archived and historic certificate options on this screen. See the Selecting certificates section in the Administration Guide for details of the Issue new, Use existing, and Historic Only options.

  10. Click Next and proceed to the Select Roles screen.
  11. Select the roles you want to be able to issue this credential profile, and the roles you want to be able to be issued this credential profile.

    Note: Any role to which you want to issue derived credentials must have the following configured in the Edit Roles workflow:

    • Select the Issue Device option in the list of workflows.

    • Select the Collect My Card option in the list of workflows.

    • Select the Password option in the Logon Methods.

  12. Click Next.
  13. Click Next.
  14. Type your Comments and complete the workflow.

2.7.6 Credential profile restrictions

Note: At the point of the request for the derived credential, full details about the user are not known; this means that MyID cannot verify some credential profile requirements, including the requirement for facial and fingerprint biometrics, as well as the enforcement of a UPN or email address. You are recommended not to apply these restrictions to a credential profile used for derived credentials as, if these values are not available, the user will be unable to collect the derived credential.

2.7.7 Configuring the available credential profiles

You can edit the ssrp.conf.xml configuration file on the MyID application server to configure which credential profiles are available through the Self-Service Request Portal (SSRP).

2.7.8 Mapping certificates to roles and credential profiles

You can configure the system to make specific credential profiles available to users based on the user certificates on their original smart cards. To do this, you set up a mapping between the OIDs of the possible certificates and the roles you have set up within MyID. If the user has a certificate that matches all of the OIDs listed for a mapping, they are given the roles specified in that mapping, and are therefore granted access to any credential profiles for derived credentials that are available to those roles.

Example

You have configured three roles:

You have configured four credential profiles for derived credentials:

You set up the mappings as follows:

If a user presents a credential with no matching OIDs, they are allocated the Derived Credential User role, and therefore can choose one of the following credential profiles:

If a user presents a credential with the following matching OIDs:

they are allocated the Derived Credential User role, the Secure Access role, and the Remote Access role, and therefore can choose any of the following credential profiles:

If a user presents a credential with the following matching OIDs:

they are allocated the Derived Credential User role and the Secure Access role, but not the Remote Access role – they match some, but not all of the OIDs required for remote access. Therefore they can choose from the following credential profiles:

2.7.9 Restricting based on the certificate authority path

You can further restrict the available roles based on the path of the CA that issued the certificate used to make the request: you can specify a DN that must appear in the chain of the SSL (TLS) client certificate for the user to be eligible for the role. If the DN is not present in the chain, the role is not granted.

2.7.10 Verifying certificates

You can configure the system to perform a real-time certificate validity check before requesting the derived credential. If the check fails, the issuance is prevented – even if the user selects a credential profile from a different role.

Certificate validation occurs using the Microsoft WinCrypt API.

2.7.11 Configuration file format

The ssrp.conf.xml configuration file is stored on the MyID application server in the following location:

C:\Program Files\Intercede\MyID\Settings\

Within the top-level <roles> node, you can add one or more <role> nodes.

Within this <role> node, you can add the following nodes:

Example:

<?xml version="1.0" encoding="utf-8" ?>
<roles>
  <role>
    <role userprofileid="984" UserProfileName="Derived Credential User" scope="1" logonmechanism="0" />
    <role userprofileid="984" UserProfileName="Derived Credential User" scope="1" logonmechanism="1" />
  </role>
  <role>
    <OID>1.2.826.0.1.2697033.1.1</OID>
    <role userprofileid="21" UserProfileName="Secure Access" scope="1" logonmechanism="1" />
  </role>
  <role>
    <OID>2.16.840.1.101.3.2.1.6.1</OID>
    <OID>2.16.840.1.101.3.2.1.6.2</OID>
    <OID>2.16.840.1.101.3.2.1.6.3</OID>
    <OID>2.16.840.1.101.3.2.1.6.4</OID>
    <CAPath>dc=VPN,o=intercede,o=com</CAPath>
    <VerifyCertificate>true</VerifyCertificate>
    <role userprofileid="20" UserProfileName="Remote Access" scope="1" logonmechanism="1" />
  </role>
</roles>
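To make the matching rules of the previous sections concrete, here is an added example, not Intercede's code, that parses the ssrp.conf.xml format shown above and evaluates it against a requester's certificate the way sections 2.7.8 to 2.7.10 describe: a block grants its roles only when every listed OID is present (matching some but not all grants nothing), a CAPath DN must appear in the chain, and a failed VerifyCertificate check blocks issuance for every role. Assumptions, labelled in the code: the OIDs are compared with the certificate's policy OIDs, the CAPath is compared case-insensitively with the subject DNs of the certificates in the chain, and the real-time validity check (which MyID performs with the WinCrypt API) is a caller-supplied callback. The sample configuration and the chain DNs are constructed from the page's own example values.

```python
"""Evaluate an ssrp.conf.xml role mapping against a presenting certificate.

Added example, not Intercede's code: models the matching rules this page
describes for the <roles>/<role> file. Assumptions: <OID> values are compared
with the certificate's policy OIDs; <CAPath> is compared case-insensitively
with the subject DNs in the chain; the validity check is a callback standing
in for MyID's WinCrypt check.
"""
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional

# Constructed sample: the example configuration shown on this page.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8" ?>
<roles>
  <role>
    <role userprofileid="984" UserProfileName="Derived Credential User" scope="1" logonmechanism="0" />
    <role userprofileid="984" UserProfileName="Derived Credential User" scope="1" logonmechanism="1" />
  </role>
  <role>
    <OID>1.2.826.0.1.2697033.1.1</OID>
    <role userprofileid="21" UserProfileName="Secure Access" scope="1" logonmechanism="1" />
  </role>
  <role>
    <OID>2.16.840.1.101.3.2.1.6.1</OID>
    <OID>2.16.840.1.101.3.2.1.6.2</OID>
    <OID>2.16.840.1.101.3.2.1.6.3</OID>
    <OID>2.16.840.1.101.3.2.1.6.4</OID>
    <CAPath>dc=VPN,o=intercede,o=com</CAPath>
    <VerifyCertificate>true</VerifyCertificate>
    <role userprofileid="20" UserProfileName="Remote Access" scope="1" logonmechanism="1" />
  </role>
</roles>"""


class RoleRule:
    """One outer <role> block: required OIDs, optional CA path, verify flag, grants."""

    def __init__(self, oids, ca_path, verify, grants):
        self.oids = frozenset(oids)   # empty set: the block applies to every requester
        self.ca_path = ca_path        # DN that must appear in the chain, or None
        self.verify = verify          # run the real-time validity check?
        self.grants = grants          # attributes of each inner <role .../>


def parse_config(xml_text: str) -> List[RoleRule]:
    """Parse the ssrp.conf.xml format; reject anything that is not <roles>/<role>."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "roles":
        raise ValueError("expected <roles> as the top-level node, got <%s>" % root.tag)
    rules = []
    for block in root.findall("role"):
        oids = [o.text.strip() for o in block.findall("OID") if o.text]
        ca_path = (block.findtext("CAPath") or "").strip() or None
        verify = (block.findtext("VerifyCertificate") or "false").strip().lower() == "true"
        grants = [dict(r.attrib) for r in block.findall("role")]
        if not grants:
            raise ValueError("a <role> block must contain at least one <role .../> grant")
        rules.append(RoleRule(oids, ca_path, verify, grants))
    return rules


def normalise_dn(dn: str) -> str:
    # Assumption: the CAPath match ignores case and whitespace around RDNs, not RDN order.
    return ",".join(part.strip().lower() for part in dn.split(","))


def evaluate(rules: List[RoleRule], cert_oids, chain_dns,
             validity_check: Optional[Callable[[], bool]] = None) -> List[Dict[str, str]]:
    """Return the grants the requester receives.

    A block matches only when every listed OID is present and, if CAPath is set,
    that DN is in the chain. A matching block with VerifyCertificate=true runs the
    validity check; a failure raises, so no role at all is granted (fail closed,
    as the page says issuance is prevented even for profiles of other roles).
    """
    have = set(cert_oids)
    chain = {normalise_dn(d) for d in chain_dns}
    granted: List[Dict[str, str]] = []
    for rule in rules:
        if not rule.oids <= have:            # some-but-not-all OIDs: no grant
            continue
        if rule.ca_path and normalise_dn(rule.ca_path) not in chain:
            continue
        if rule.verify and not (validity_check and validity_check()):
            raise PermissionError("certificate validity check failed: issuance blocked")
        granted.extend(rule.grants)
    return granted


def role_names(grants: List[Dict[str, str]]) -> List[str]:
    """Distinct UserProfileName values, sorted, for readable output."""
    return sorted({g["UserProfileName"] for g in grants})


if __name__ == "__main__":
    rules = parse_config(SAMPLE_CONFIG)
    remote = ["1.2.826.0.1.2697033.1.1"] + ["2.16.840.1.101.3.2.1.6.%d" % i for i in range(1, 5)]
    chain = ["CN=VPN Issuing CA,DC=VPN,O=intercede,O=com", "DC=VPN,O=intercede,O=com"]  # constructed
    print(role_names(evaluate(rules, [], [])))                              # no matching OIDs
    print(role_names(evaluate(rules, remote, chain, lambda: True)))         # all three roles
    print(role_names(evaluate(rules, remote[:3], chain, lambda: True)))     # partial match
```

Two points worth checking in your own file with a script like this: a block with no OID grants its roles to anyone who reaches the portal, so the roles in such a block should only ever expose the least-privileged derived credential profiles; and a CAPath without VerifyCertificate restricts by issuer name only, so a revoked certificate from the right CA still matches unless the validity check is also enabled.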