Working with credential profiles

9.2 Working with credential profiles

The Credential Profiles workflow contains a number of stages. To move between the stages, click Next.

Note: You cannot go back to a previous stage. If you forget to select something, either start the workflow again immediately (all your changes will be lost) or complete the workflow and then modify the profile.

The Credential Profiles workflow is in the Configuration category. When you start the workflow, basic details of the profile shown in the Select Credential Profile field are displayed.

You can also launch this workflow from the Credential Configuration section of the More category in the MyID Operator Client. See the Using Credential Configuration workflows section in the MyID Operator Client guide for details.

To create a new profile, click New.
To modify an existing profile, select it from the Select Credential Profile list then click Modify.
To create a profile based on an existing profile, select the profile you want to copy from the Select Credential Profile list then click Copy.
To delete a profile, select it from the list in Select Credential Profile then click Delete. You are prompted to confirm your request.

Note: You cannot delete a profile that has issued credentials. You must cancel the credentials before you can delete the profile.

Click Details to see the details of the credential profile.

9.2.1 Credential profile options

If you are creating a new profile, give the credential profile a Name and optional Description. You can change existing details if necessary.

Note: Operators may have to choose a profile when issuing or requesting credentials. Use the Name and Description to provide information on which profile to choose.

You can also specify a Device Friendly Name that will be displayed during card selection operations in the Self-Service App or the MyID Operator Client to help users select the appropriate card.

Each of the entries below the Name of the profile is associated with a set of configuration options, which are displayed below the Description. Depending on the type of card you are using, you may not see all of the entries.

9.2.1.1 Services

Select the following options:

MyID Logon – select this option if you want the credentials to be used to logon to MyID.
MyID Encryption – select this option if you want to be able to encrypt data.

If you want to issue archived certificates, you must select the MyID Encryption service.

You can select certificates to be mapped to these services; the signing certificate is used for MyID Logon, and the encryption certificate is used for MyID encryption.

If no certificates are mapped to the logon and encryption services, an additional Manager Keypair is generated on the smart card for these services.

Note: Not all cards or devices support manager keypairs. You are recommended to select certificates for signing and encryption.

9.2.1.2 Issuance Settings

Specify how the credentials are issued and how long they remain valid.

Validate Issuance

If you set this option, credentials issued using this profile will require secondary authorization – either a witness during the issuance process, or a validation of the request.
Lifetime

The Lifetime setting determines the number of days for which the credentials will be valid. The initial default value is 9999 days. Mandatory.

Note: You must make sure that the lifetime of the credential is appropriate for your purposes; once the credential expires, you can no longer issue new certificates to the card, and you must request a replacement; collecting the replacement (even to the same physical smart card) resets the credential lifetime and issues new certificates.

If you do not require a fixed lifetime, and do not want to request card replacements periodically, you are recommended to retain the default 9999 and use the certificate renewal process to refresh the credentials.
Lock User PIN at Issuance

If you set this option, the card is locked after it is issued, and must be unlocked before it can be used.

Note: If you set this option, it may fail in certain scenarios (for example, when certificates are written to a card using vendor middleware, MyID may be denied access to lock the card on completion).
Issue Additional Identities

Used for additional identities. See section 19, Additional identities.
Exclusive Group – see section 9.2.2.1, Exclusive Group for details.
Generate Code on Request

Used to send a one-time logon code to the cardholder when the credential is requested. The cardholder can use this code to log on to MyID and collect their credential. See section 3.4, Logon using codes for details.

9.2.1.3 Self-Service Unlock Authentication

Note: Currently, you cannot use the Self-Service Unlock Authentication options to configure the authentication requirements for Identity Agent-based credential profiles.

You can set the following global authentication option for self-service unlock:

Ask Security Questions for Self Service Card Unlock – on the Device Security page of the Security Settings workflow.

You can also override these options using the Self-Service Unlock Authentication section of the credential profile.

To set the self-service authentication methods:

Select the Credential owners must authenticate using one of the methods below in the order shown option.
Click Add.
Select the authentication methods you want to use, then click Add Selected.

To change the order, select the logon mechanism and click Move Up or Move Down.

Note: If you have Windows Logon in your list, it stays at the top of the list – Windows authentication is carried out before any interactive authentication methods. If Windows authentication is successful, the user continues; if it is unsuccessful, the user is presented with the next logon mechanism in the list.

To remove an option, select the logon mechanism and clock Remove.

Note: Biometrics is included in the list, but biometric authentication is not supported in MyID Professional.

See the Self-service PIN reset authentication section in the Operator's Guide for more details.

9.2.1.4 PIN Settings

Note: You may be able to create a set of PIN options that make it impossible to log in. For example, if you set the Maximum PIN Length to 4, and the Minimum PIN Length to 4, you might expect to be able to enter 4-digit PINs. However, if the card does not allow you to change the minimum length and has this value set to 6, you end up with a card which cannot be issued – you cannot enter a PIN that is 4 characters or less, and 6 characters or more.

The options available depend on the card type you are using. You may not be able to change some options on all card types, as they are set at manufacture.

Note: You must make sure that the PIN settings you select match the capabilities of the smart cards you are issuing. Note also that some workflows within MyID (for example, batch and activation workflows) may generate temporary random PINs for the card, based on the settings you have specified in the PIN Settings section of the credential profile; if these settings do not match the PIN capabilities of the smart card, the batch issuance or encoding may fail.

The mandatory settings, with initial default values shown in brackets, are:

Maximum PIN Length (12)
Minimum PIN Length (4)
Repeated Characters Allowed (0)

Set to the maximum number of repeated characters in the PIN.

For example, if you set this value to 3:
- 333999000 – is allowed.
- 333399000 – is not allowed.
Set this value to 0 to allow any number of repeated characters.
Sequential Characters Allowed (0)

Set to the maximum number of sequential characters in the PIN.

For example, if you set this value to 3:
- 123987456 – is allowed.
- 123487456 – is not allowed.
Set this value to 0 to allow any number of sequential characters.
Logon Attempts (5)

Set to the number of incorrect PINs you can enter before the card is locked.

Note: This setting is supported only for cards that support on-card PIN policy settings; see the PIN policy settings section of the appropriate chapter in the Smart Card Integration Guide for details.
PIN Inactivity Timer (180 minutes)
PIN History (0)

Note: If the PIN History option is supported, it indicates the number of previous PINs to remember. You cannot reuse a remembered PIN. If your smart cards support this feature, it will be specified in the PIN policy settings section of the appropriate chapter in the Smart Card Integration Guide for details.
From the Issue With drop-down list, select one of the following:
- User specified PIN – the user types the PIN when the card is issued. This is the default option.
- Client Generated PIN – the PIN is generated on the client PC. Type the Length for the PIN.
- Server Generated PIN – the PIN is generated by the MyID server. See section 8, PIN generation for more information. Complete the following details:
  - Length – the length of the generated PIN. The maximum length is 16 characters.
  - PIN Algorithm – select the PIN generation algorithm. You can select one of the following:
    - EdeficePinGenerator – creates a PIN using a known algorithm, a PIN generation key, and the card serial number as diversification data. You can regenerate the same PIN on another system as long as you have the algorithm, PIN generation key, and the card serial number.
    - RandomPinGenerator – creates a random numeric PIN that is guaranteed not to contain the user's logon name or employee ID. This PIN is not stored and cannot be regenerated; additionally, only the Issue Card workflow displays the PIN on screen – if you are using any other workflows to issue the card, the PIN is never displayed; this means that you must set up MyID to issue a PIN notification email when the card is issued.
  - Protected Key – select the PIN generation key you added using the Key Manager workflow. This option is required for EdeficePinGenerator but not for RandomPinGenerator.
Use Global PIN

Set this option to issue the smart card with Global PIN support.

Global PIN is an alternative PIN for supported PIV cards that allows a wider range of characters than the standard numeric-only user PINs. The smart card must support this feature. See the Global PIN support section of the Smart Card Integration Guide.
Enforce Banned Words – for user specified PINs, you can select this option to prevent the user from using particular words in their PINs.

See section 9.3, Enforcing banned words in PINs for more information.

9.2.1.5 PIN Characters

Specify the type of characters that must, may or must not be contained in the PIN.

Note: Make sure that the cards you are using support the combination you select by checking the relevant integration guide. Some cards do not allow the PIN rule enforcement to be stored on the card; MyID will enforce the PIN rules, but external software may be able to change the PIN on the card without the rules being enforced.

If you are using an authentication service to issue one time passwords on the card, you must make sure that the PIN restrictions in the credential profile are the same as the PIN restrictions on the authentication service.

9.2.1.6 Device Profiles

The Card Format drop-down list contains the available data model files. These files are used to specify the structure of the electronic data written to cards. Select None from this list unless you are specifically instructed to select another option by the integration guide for your credentials.

When you import cards and tokens (for example, for one time password tokens) the capabilities of the object are stored in a data profile. Load this data profile to populate the credential profile with device-specific settings.

9.2.2 Additional credential profile options

Additional credential profile options are shown.

9.2.2.1 Exclusive Group

If you provide a value in this field, MyID prevents you from requesting or collecting credentials if the cardholder has an issued device or a request for a device that has a different value in its credential profile for its Exclusive Group.

You can request and collect as many credentials as you require that have the same Exclusive Group value. You can also request and collect as many credentials as you require that have no value in their Exclusive Group.

MyID checks the latest version of the relevant credential profiles, not the versions that were used to request or collect the device, when checking whether you can request or collect a device. MyID also checks the exclusive groups at request, validation, and collection; the cardholder's list of issued or requested devices, and the exclusive group settings of the credential profiles used to issue or request devices, may change between the request and the collection.

For example, if you have the following credential profiles:

ContractorA – has an Exclusive Group of Contractor.
ContractorB – has an Exclusive Group of Contractor.
EmployeeA – has an Exclusive Group of Employee.
UniversalA – has no Exclusive Group.

You can request and collect the following credentials to the same cardholder:

ContractorA, ContractorB – a combination of two Contractor credentials.
ContractorA, ContractorB, UniversalA – a combination of two Contractor credentials and one with no exclusive group.
ContractorA, UniversalA – a combination of Contractor and no exclusive group.
ContractorB, UniversalA – a combination of Contractor and no exclusive group.
EmployeeA, UniversalA – a combination of Employee and no exclusive group.

But you cannot issue the following credentials to the same cardholder:

ContractorA, EmployeeA – a combination of Contractor and Employee exclusive groups.
ContractorB, EmployeeA – a combination of Contractor and Employee exclusive groups.

9.2.2.2 Exclusive group messages

The message when you attempt to request a device that is not permitted due to the exclusive group configuration is similar to the following:

In the MyID Operator Client:

The user has an existing request or device that exists with a different exclusive group, the request cannot be added.

Error number: WS50055
In MyID Desktop:

Error: Unable to request credential.

Cause: The credential could not be requested because the user has a request or a credential with a different exclusive group.

Solution: To request a new credential, either cancel any pending requests or credentials that are within a different group.

The message when you attempt to validate a device that is not permitted due to the exclusive group configuration is similar to the following:

In the MyID Operator Client:

The user has an existing request or device that exists with a different exclusive group, the request cannot be validated.

Error number: WS50056
In MyID Desktop:

Error: Unable to validate credential.

Cause: The credential could not be validated because the user has a request or a credential with a different exclusive group.

Solution: To validate this credential, either cancel any pending requests or credentials that are within a different group.

The message when you attempt to collect a device that is not permitted due to the exclusive group configuration is similar to the following:

In the Collect Card workflow (whether launched from MyID Desktop or from the MyID Operator Client):

Validation Error

An existing request or device exists with a different exclusive group.

9.2.3 Selecting certificates

Note: If you are not using certificates, click Next to skip this page.

This page lists all of the available certificate policies you can issue to a credential.

You can click Show inactive certificate policies – this displays a list of certificate policies that were previously issued but are now disabled. You cannot issue new certificates based on these policies, but you can choose to recover a number of historic certificates.

To select certificates:

Select the Required checkbox for the certificate policy you want to issue to the credential.
If the certificate policy is set for key archival (there is an asterisk * next to the policy name) select the following options:
- Action – select one of the following options:
  - Issue new – a new certificate based on this policy will be issued.
    
    Note: For Unmanaged certificate policies, you cannot select Issue new. The certificate is recovered from the PFX file, not issued from the CA.
  - Use existing – if a certificate based on this policy has been issued to the user before, and the certificate is live and unexpired, it is recovered onto the credential. If there are no available archived certificates, a new certificate is issued.
    
    Note: This option is not available if the Card Encoding is set to Software Certificates Only.
  - Historic Only – if a certificate based on this policy has been issued to the user before, the certificate is recovered onto the credential. If there are no available archived certificates, no new certificate is issued.
    
    Note: This option is not available if the Card Encoding is set to Software Certificates Only.
  Note: When you select an Action from the list, the Number of historic certificates field is reset to the default for that action.
- Number of historic certificates – the maximum number of historic certificates to recover onto the credential. If there are more historic certificates available than the maximum allowed, the most recent certificates are issued.
  
  Note: If your credential supports storing fewer historic certificates than are specified in the credential profile, the most recent certificates are recovered; for example, if you specify four historic certificates in the credential profile, but your smart card can store only two historic certificates, the two most recent historic certificates are recovered.
For archived and non-archived policies, set the following options:
- Signing – if you selected MyID Logon in the Services section of the credential profile, you can select one certificate to be used for signing.
  
  If you selected MyID Logon but do not select a certificate, MyID will generate a keypair for the credential to be used for signing instead of a certificate. Note, however, that PIV cards cannot use these generic keys, so you must select a certificate.
- Encryption – if you selected MyIDEncryption in the Services section of the credential profile, you can select one certificate to be used for encryption.
  
  Note: Do not select a certificate for encryption that has been marked as for signing in the Certificate Authorities workflow. You cannot use a signing certificate to perform encryption or decryption.
  
  This option determines which key is used to protect sensitive data such as archived keys in transit to the client:
  - For PIV cards, this key is not used for archived certificates; however, you must still select the MyID Encryption in the Services section of the credential profile, and select a certificate to be used for encryption.
  - For cards that use minidrivers, this key is used for protecting archived key material, and must be an RSA key that supports signature and key exchange. If you attempt to use an ECC key or a signature-only key, archived certificate issuance will fail.
  If you selected MyID Encryption but do not select a certificate, MyID will generate a keypair for the credential to be used for encryption instead of a certificate. Note, however, that PIV cards cannot use these generic keys, so you must select a certificate.
- Default – you can select one certificate on the credential to be used as the default certificate.
If the Card Format option (in the Device Profiles section of the credential profile) supports containers, select the container on the credential in which you want to store the certificate.

Note: If you are using certificate containers, you can select only one certificate for each container.

Note: Once you have finished selecting your certificates, click Next.

9.2.4 Selecting applets

Applet are not available in this edition of MyID.

9.2.5 Linking credential profiles to roles

On the Select Roles page, you must select which roles can receive credentials issued using this credential profile. Select the roles in the Can Receive column.

For information about roles, see section 4.1, Roles.

Note: If you specify a role, the credential profile is immediately available for use. If you do not want it to be used yet, do not associate it with any roles.

Note: If you associate more than one credential profile with the same role, the operator must select the correct profile when requesting or issuing credentials.

9.2.6 Constrain credential profile issuer

You can select which roles can request credentials using this credential profile. Select the roles in the Can Request column.

MyID checks the operator's permissions to access credential profiles at the point at which the operator has to select a credential profile. The workflows affected include all card and ID request workflows, as well as requests for updates and replacements.

Note: If you are using a workflow that allows you to request and collect credentials in the same operation (for example, Issue Card) you need both the Can Request and Can Collect options.

9.2.7 Constrain credential profile validator

You can select which roles can validate credentials using this credential profile. Select the roles in the Can Validate column.

9.2.8 Constrain credential profile collector

You can select which roles can collect credentials using this credential profile. Select the roles in the Can Collect column.

To set the option, in the Configuration category, select the Security Settings workflow and click the Process tab.

The workflows affected include all card and ID collect workflows, batch collect, and activation workflows.

9.2.9 Constrain credential profile unlock operator

You can select which roles can unlock credentials that were issued using this credential profile in the Unlock Credential and Reset Card PIN workflows. Select the roles in the Can Unlock column.

9.2.10 Card layouts

Card layouts are not available in this edition of MyID. Click Next.

9.2.11 Adding comments to the credential profile

You must provide a comment for the credential profile to cover either the initial creation of the credential profile or the changes you have made.

Click Next to complete the workflow.