11.3 Working with credential profiles

The Credential Profiles workflow contains a number of stages. To move between the stages, click Next.

Note: You cannot go back to a previous stage. If you forget to select something, either start the workflow again immediately (all your changes will be lost) or complete the workflow and then modify the profile.

The Credential Profiles workflow is in the Configuration category. When you start the workflow, basic details of the profile shown in the Select Credential Profile field are displayed.

You can also launch this workflow from the Credential Configuration section of the More category in the MyID Operator Client. See the Using Credential Configuration workflows section in the MyID Operator Client guide for details.

Note: You cannot delete a profile that has issued credentials. You must cancel the credentials before you can delete the profile.

Click Details to see the details of the credential profile.

11.3.1 Credential profile options

If you are creating a new profile, give the credential profile a Name and optional Description. You can change existing details if necessary.

Note: Operators may have to choose a profile when issuing or requesting credentials. Use the Name and Description to provide information on which profile to choose.

You can also specify a Device Friendly Name that will be displayed during card selection operations in the Self-Service App or the MyID Operator Client to help users select the appropriate card.

Each of the entries below the Name of the profile is associated with a set of configuration options, which are displayed below the Description. Depending on the type of card you are using, you may not see all of the entries.

Note: This section describes the options available to you without setting any further system configuration options. See section 11.3.2, Additional credential profile options for details of other credential profile options that may be available.

11.3.1.1 Card Encoding

Select the features you want to use on the card. You must select one or more of:

Depending on your system configuration, you may have additional options in this list:

11.3.1.2 Services

Select the following options:

You can select certificates to be mapped to these services; the signing certificate is used for MyID Logon, and the encryption certificate is used for MyID encryption.

If no certificates are mapped to the logon and encryption services, an additional Manager Keypair is generated on the smart card for these services.

Note: Not all cards or devices support manager keypairs. You are recommended to select certificates for signing and encryption.

11.3.1.3 Issuance Settings

Specify how the credentials are issued and how long they remain valid.

11.3.1.4 Self-Service Unlock Authentication

Note: Currently, you cannot use the Self-Service Unlock Authentication options to configure the authentication requirements for Identity Agent-based credential profiles.

To allow users to unlock their own credentials, you must set the Self-service Unlock option (on the Self-Service page of the Security Settings workflow) to Yes. This is a global setting.

You can set the following global authentication options for self-service unlock:

You can also override these options using the Self-Service Unlock Authentication section of the credential profile.

To set the self-service authentication methods:

  1. Select the Credential owners must authenticate using one of the methods below in the order shown option.

  2. Click Add.

  3. Select the authentication methods you want to use, then click Add Selected.

    To change the order, select the logon mechanism and click Move Up or Move Down.

    Note: If you have Windows Logon in your list, it stays at the top of the list – Windows authentication is carried out before any interactive authentication methods. If Windows authentication is successful, the user continues; if it is unsuccessful, the user is presented with the next logon mechanism in the list.

    To remove an option, select the logon mechanism and click Remove.

See the Self-service PIN reset authentication section in the Operator's Guide for more details.

11.3.1.5 MDM Restrictions

Available only if you have set the Card Encoding options to Identity Agent and Derived Credential.

Allows you to set restrictions for mobile identities issued using a Mobile Device Management system.

See the Configuring credential profiles for MDM restrictions section in the Mobile Identity Management guide for details.

11.3.1.6 PIN Settings

Note: You may be able to create a set of PIN options that make it impossible to log in. For example, if you set the Maximum PIN Length to 4, and the Minimum PIN Length to 4, you might expect to be able to enter 4-digit PINs. However, if the card does not allow you to change the minimum length and has this value set to 6, you end up with a card that cannot be issued: the profile requires a PIN of 4 characters or fewer, the card requires a PIN of 6 characters or more, and no PIN satisfies both.

The options available depend on the card type you are using. You may not be able to change some options on all card types, as they are set at manufacture.

Note: You must make sure that the PIN settings you select match the capabilities of the smart cards you are issuing. Note also that some workflows within MyID (for example, batch and activation workflows) may generate temporary random PINs for the card, based on the settings you have specified in the PIN Settings section of the credential profile; if these settings do not match the PIN capabilities of the smart card, the batch issuance or encoding may fail.

The mandatory settings, with initial default values shown in brackets, are:

11.3.1.7 PIN Characters

Specify the type of characters that must, may or must not be contained in the PIN.

Note: Make sure that the cards you are using support the combination you select by checking the relevant integration guide. Some cards do not allow the PIN rule enforcement to be stored on the card; MyID will enforce the PIN rules, but external software may be able to change the PIN on the card without the rules being enforced.

If you are using an authentication service to issue one time passwords on the card, you must make sure that the PIN restrictions in the credential profile are the same as the PIN restrictions on the authentication service.

11.3.1.8 Mail Documents

There are two systems for mailing documents.

For Microsoft Word-based mailing documents:

For HTML-based mailing documents:

For details of configuring HTML templates, contact customer support, quoting reference SUP-255.

11.3.1.9 Credential Stock

This is used only if you are using a bureau to issue cards.

11.3.1.10 Device Profiles

The Card Format drop-down list contains the available data model files. These files are used to specify the structure of the electronic data written to cards. Select None from this list unless you are specifically instructed to select another option by the integration guide for your credentials; for example, for PIV cards you must select the correct PIV data model as detailed in the Setting up the credential profile section of the PIV Integration Guide.

When you import cards and tokens (for example, for one time password tokens) the capabilities of the object are stored in a data profile. Load this data profile to populate the credential profile with device-specific settings.

11.3.1.11 Requisite User Data

Note: This section appears only if you have selected the Requisite User Data option on the Issuance Processes tab of the Operation Settings workflow.

Contains a list of user attributes that must be present for this credential profile to be issued.

You can use this option to restrict the issuance of credentials to users with the appropriate attributes; for example, if the credential is to be used for email signing, you must select Email from the list, and provide an appropriate certificate for email signing – only users who have the Email attribute mapped in their user account will be able to receive a credential based on this credential profile. Similarly, if your credential is to be used for Windows Logon, you must select User Principal Name from this list, and provide an appropriate certificate for logging on to Windows. For Windows authentication, you must select User SID in this list, and provide a certificate that has the user security identifier attribute mapped; see section 6.9, Including user security identifiers in certificates.

For each user attribute, you can select the following options:

You can select the following user attributes:

Note: These are the default available fields; depending on your system, you may have a different list, or the names of the fields may be different; for example, the Address 1 field may be called Info 1, or another, custom, value. If your system implementation has customized the Address1/Info 1 field, to ensure that a meaningful label is displayed in the user interface and in the audit record, you can update the DisplayValue for this option in the SelectOptions table in the database:

-- Replace the placeholder with the label you want displayed for the Address 1/Info 1 field
UPDATE [dbo].[SelectOptions]
SET [DisplayValue]=N'<insert translated text here>'
WHERE [SelectID]=N'CredentialProfile_Required'
AND [Value]=N'OptionalLine1';

11.3.1.12 Restricting the list of credential profiles displayed

You can configure your system to hide any credential profiles that do not meet the Requisite User Data requirements by setting the Show Disqualified Credential Profiles option to No.

Note: This setting affects the display of credential profiles in the MyID Operator Client only.

To hide disqualified credential profiles:

  1. From the Configuration category, select Operation Settings.

  2. Click the Issuance Processes tab.

  3. Set the following option:

    • Show Disqualified Credential Profiles – set to No to hide any credential profiles that do not meet the Requisite User Data requirements.

      The default value is Yes, which displays all credential profiles, whether or not they meet the Requisite User Data requirements.

  4. Click Save changes.

11.3.2 Additional credential profile options

Additional credential profile options are shown if MyID has been configured to enable particular features.

11.3.2.1 Credential group

If you have set the Active credential profiles per person configuration option – see section 30.10, Issuance Processes page (Operation Settings) – to One per credential group, you can specify the group to which the credential profile belongs. This enables you, for example, to issue a card, a token and so on to the same person.

When you enable a credential for a user, all other credentials issued to the user that belong to the same credential group are either disabled or canceled, depending on the Cancel Previously Issued Device setting.

If you leave the Credential Group blank, a user can have many active credentials from this profile, even if the One per credential group option is set. Enabling credentials with a blank credential group does not disable or cancel any other credentials.

Note: If you change the configuration option from Many to One or to One per credential group, MyID does not automatically disable or cancel any of a user’s credentials until the next time you enable credentials for that user. Similarly, if you change the option from One or One per credential group to Many, MyID does not automatically re-enable any disabled credentials for that user.

Note: If a user is disabled, and is re-enabled when the Active credential profiles per person setting does not allow the user to have all of the credentials previously issued to them, the credentials that are re-enabled for the user are the credentials with the highest ID (that is, the credentials that were added to the MyID system most recently), not necessarily the credentials that were active at the point when the user was disabled.

Note: A mobile identity on a single physical device may contain multiple logical devices (the Identity Agent itself, and separate devices for the credential stores) but for the purpose of this feature is treated as a single credential.
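The Credential Group rules above, as an added illustration that is not MyID code: enabling a credential disables or cancels the holder's other active credentials in the same group (never when the group is blank), and re-enabling a user brings back the highest-ID credentials. The names Credential, enable_credential and reenable_user are assumptions, as is the reading that One per credential group keeps one highest-ID credential per group on re-enable.

```python
# Added illustration of the Credential Group rules; not MyID code.
from __future__ import annotations
from dataclasses import dataclass

MANY = "Many"
ONE = "One"
ONE_PER_GROUP = "One per credential group"


@dataclass
class Credential:
    id: int                 # MyID IDs increase over time: higher ID = added more recently
    profile: str
    group: str | None       # Credential Group of the profile; None = left blank
    state: str = "active"   # "active", "disabled" or "cancelled"


def enable_credential(new: Credential, issued: list[Credential],
                      active_per_person: str, cancel_previous: bool) -> list[Credential]:
    """Enable `new` for its holder and apply the Active credential profiles per person
    rule to the holder's other active credentials. Returns the credentials changed."""
    new.state = "active"
    if active_per_person == MANY:
        return []                      # no limit: nothing else is touched
    if active_per_person == ONE_PER_GROUP and new.group is None:
        return []                      # blank group never disables or cancels others
    changed = []
    for cred in issued:
        if cred is new or cred.state != "active":
            continue
        in_scope = active_per_person == ONE or cred.group == new.group
        if in_scope:
            # Cancel Previously Issued Device decides between disable and cancel
            cred.state = "cancelled" if cancel_previous else "disabled"
            changed.append(cred)
    return changed


def reenable_user(creds: list[Credential], active_per_person: str) -> list[Credential]:
    """Credentials that come back when a disabled user is re-enabled: the highest IDs
    win, not whichever were active when the user was disabled. Assumed reading: under
    One per credential group, one highest-ID credential per group is re-enabled."""
    by_newest = sorted((c for c in creds if c.state != "cancelled"),
                       key=lambda c: c.id, reverse=True)
    if active_per_person == MANY:
        return by_newest
    if active_per_person == ONE:
        return by_newest[:1]
    chosen, groups_seen = [], set()
    for c in by_newest:
        if c.group is None:
            chosen.append(c)           # blank group is unrestricted
        elif c.group not in groups_seen:
            groups_seen.add(c.group)
            chosen.append(c)
    return chosen
```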

11.3.2.2 Exclusive Group

If you provide a value in this field, MyID prevents you from requesting or collecting credentials if the cardholder has an issued device or a request for a device that has a different value in its credential profile for its Exclusive Group.

You can request and collect as many credentials as you require that have the same Exclusive Group value. You can also request and collect as many credentials as you require that have no value in their Exclusive Group.

MyID checks the latest version of the relevant credential profiles, not the versions that were used to request or collect the device, when checking whether you can request or collect a device. MyID also checks the exclusive groups at request, validation, and collection; the cardholder's list of issued or requested devices, and the exclusive group settings of the credential profiles used to issue or request devices, may change between the request and the collection.

For example, if you have the following credential profiles:

You can request and collect the following credentials to the same cardholder:

But you cannot issue the following credentials to the same cardholder:
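The Exclusive Group check described above, as an added illustration that is not MyID code: the check runs at request, validation and collection against the latest version of each profile, so editing a profile between request and collection can change the outcome. ProfileStore, Device, exclusive_group_conflict and run_lifecycle are assumed names, the sample profiles are constructed, and treating a blank Exclusive Group on an existing device as non-conflicting is an assumption.

```python
# Added illustration of the Exclusive Group check; not MyID code.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class ProfileVersion:
    name: str
    version: int
    exclusive_group: str | None   # None = Exclusive Group field left blank


@dataclass(frozen=True)
class Device:
    profile: str        # credential profile used to request or issue the device
    state: str          # "requested", "issued" or "cancelled"


class ProfileStore:
    """Every saved version of each credential profile, keyed by profile name."""
    def __init__(self, versions: list[ProfileVersion]):
        self._versions: dict[str, list[ProfileVersion]] = {}
        for v in versions:
            self.save(v)

    def save(self, v: ProfileVersion) -> None:
        self._versions.setdefault(v.name, []).append(v)

    def latest(self, name: str) -> ProfileVersion:
        return max(self._versions[name], key=lambda v: v.version)


def exclusive_group_conflict(store: ProfileStore, new_profile: str,
                             holder_devices: list[Device]) -> Device | None:
    """Return the device that blocks the operation, or None if it may proceed.

    Only the latest version of each profile is consulted, not the version that was
    current when the existing device was requested or issued."""
    wanted = store.latest(new_profile).exclusive_group
    if wanted is None:
        return None   # blank Exclusive Group: any number may be requested/collected
    for dev in holder_devices:
        if dev.state == "cancelled":
            continue  # only issued devices and outstanding requests count
        existing = store.latest(dev.profile).exclusive_group
        # Assumption: a device whose profile has a blank Exclusive Group does not
        # conflict; the rule only blocks on a *different* non-blank value.
        if existing is not None and existing != wanted:
            return dev
    return None


def run_lifecycle(store: ProfileStore, new_profile: str,
                  holder_devices: list[Device],
                  edit_before_collection: ProfileVersion | None = None) -> dict:
    """Run the same check at request, validation and collection; optionally save a
    new profile version just before collection to show the latest version counts."""
    result = {}
    for stage in ("request", "validation", "collection"):
        if stage == "collection" and edit_before_collection is not None:
            store.save(edit_before_collection)
        result[stage] = exclusive_group_conflict(store, new_profile, holder_devices)
    return result
```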

11.3.2.3 Exclusive group messages

The message when you attempt to request a device that is not permitted due to the exclusive group configuration is similar to the following:

The message when you attempt to validate a device that is not permitted due to the exclusive group configuration is similar to the following:

The message when you attempt to collect a device that is not permitted due to the exclusive group configuration is similar to the following:

11.3.2.4 Block Multiple Requests for Credential Group

Set this option to prevent an operator from creating a request for a person if they already have an outstanding request for a device with the same credential group. The operator will also be prevented from approving a request if the person has an outstanding request for a device with the same credential group.

Note: This affects operations carried out in the MyID Operator Client only. It does not affect requests made through MyID Desktop or the Lifecycle API. This feature does not support mobile issuance.

11.3.2.5 Cancel Previously Issued Device

If you set this option, instead of disabling any previously-issued device because of the action of the Active credential profiles per person configuration option and Credential Group setting in the credential profile, MyID cancels the previously-issued devices.

11.3.2.6 Issue over Existing Credential

Available for mobile derived credentials issued through an MDM only. When this option is set, if the device is already issued to the target user, it is automatically canceled and then the new device issued. Existing signing certificates are revoked, but existing archived certificates are not revoked. If the device is issued to a different user, the collection fails.

Note: The credential profile used for the existing issuance does not affect this behavior; existing credentials are overwritten only if the credential profile for the new credential has the Issue over Existing Credential option set.

11.3.2.7 Authentication Service Settings

If you want to issue software one time passwords, if your credentials operate as a one-time-password hardware token, or if you want users to be able to use virtual one time password tokens, set the authentication service options.

Note: These options are only displayed if token logon is enabled.

If you selected a device profile, the number and type of options available here are limited to the capabilities of the selected device, and you do not need to click the add button. You must make sure that you have added authentication services that correspond to the device's capabilities using the External Systems workflow.

Click the add button. You can add several authentication services to a credential profile.

From the Name drop-down list, select the authentication service (as set up in the External Systems workflow for your authentication service – see the integration guide for your authentication service for details) then select Hardware, Software or Virtual from the Type drop-down list:

11.3.2.8 Authentication methods

The Require Fingerprints at Issuance and Activation Authentication options allow you to specify how the cardholder authenticates their identity to issue or activate.

Note: The Enforce biometrics at request configuration option (on the Biometrics page of the Operation Settings workflow) can enforce the Require Fingerprints at Issuance option in the credential profile for requests made using the MyID Operator Client.

The Require Fingerprints at Issuance option is enforced at issuance, but the Enforce biometrics at request option makes sure that a request cannot be created, thereby catching the issue with the person's biometrics at an earlier stage.

Scenario                                                    Require Fingerprints at Issuance   Activation Authentication
---------------------------------------------------------   --------------------------------   -------------------------
No authentication at issuance or activation                 Never Required                     None
Biometric authentication at issuance or activation          Always Required                    None
Biometric authentication at issuance or activation          N/A                                Biometric
Code authentication at activation                           Never Required                     Authentication Code
Biometric authentication at issuance, and biometric
authentication and code authentication at activation        Always Required                    Authentication Code

Note: You cannot use authentication codes for face-to-face issuance.

11.3.2.9 Additional authentication

If you want to use the additional authentication system to use authorization codes to issue devices, you must carry out the following procedure.

  1. In the Configuration category, select Operation Settings.
  2. Click the Biometrics tab. Make sure the Enable additional authentication options option is set to Yes.

    This makes the following options visible in the Credential Profiles workflow:

    • Require Fingerprints at Issuance – you are recommended to leave this set to System Default.
    • Activation Authentication – allows you to specify biometric authentication or authentication codes for activation.
    • Minimum fingerprint quality – do not type a value. This setting is reserved for future use on biometric devices that support fingerprint quality ratings.
  3. Set up your credential profile as follows:

    1. Set the Require Activation option to Allow self collection or Assisted activation only.
    2. Set the Activation Authentication option to one of the following:

      • Biometric – biometric authentication is used to activate or unlock the card.
      • Authentication Code (Manual) – an authentication code is required to activate the card. An operator must request an authentication code.
      • Authentication Code (Automatic) – an authentication code is required to activate the card. An authentication code is emailed to the applicant when the card is issued.
  4. Request a card for the applicant, specifying the credential profile that has the activation authentication options.
  5. Collect the card for the applicant.

    • If the Activation Authentication option was set to Authentication Code (Automatic), an email that contains an authentication code is sent to the applicant.
    • If the Activation Authentication option was set to Authentication Code (Manual), you must request an authentication code using the Request Auth Code or Card Ready Notification workflow. You can also request an authentication code for card activation using the MyID Operator Client; see the Sending an authentication code to activate a device section in the MyID Operator Client guide for details.

    The card is now in a state in which it can be collected, and the applicant has the necessary authentication code sent by email.

  6. If the Require Activation option was set to Allow self collection, the applicant takes their own card and logs in to MyID, and activates it using the automatic Activate Card workflow.

    If the Require Activation option was set to Assisted activation only, an operator uses the Assisted Activation workflow to activate the card for the applicant.

11.3.3 Selecting certificates

Note: If you are not using certificates, click Next to skip this page.

This page lists all of the available certificate policies you can issue to a credential.

The Unmanaged option allows you to issue a certificate stored in a PFX file; for example, for mobile credentials.

You can click Show inactive certificate policies – this displays a list of certificate policies that were previously issued but are now disabled. You cannot issue new certificates based on these policies, but you can choose to recover a number of historic certificates.

To select certificates:

  1. Select the Required checkbox for the certificate policy you want to issue to the credential.

  2. If the certificate policy is set for key archival (there is an asterisk * next to the policy name) select the following options:

    • Action – select one of the following options:

      • Issue new – a new certificate based on this policy will be issued.

        Note: For Unmanaged certificate policies, you cannot select Issue new. The certificate is recovered from the PFX file, not issued from the CA.

      • Use existing – if a certificate based on this policy has been issued to the user before, and the certificate is live and unexpired, it is recovered onto the credential. If there are no available archived certificates, a new certificate is issued.

        Note: This option is not available if the Card Encoding is set to Software Certificates Only.

      • Historic Only – if a certificate based on this policy has been issued to the user before, the certificate is recovered onto the credential. If there are no available archived certificates, no new certificate is issued.

        Note: This option is not available if the Card Encoding is set to Software Certificates Only.

      Note: When you select an Action from the list, the Number of historic certificates field is reset to the default for that action.

    • Number of historic certificates – the maximum number of historic certificates to recover onto the credential. If there are more historic certificates available than the maximum allowed, the most recent certificates are issued.

      Note: If your credential supports storing fewer historic certificates than are specified in the credential profile, the most recent certificates are recovered; for example, if you specify four historic certificates in the credential profile, but your smart card can store only two historic certificates, the two most recent historic certificates are recovered.

  3. For archived and non-archived policies, set the following options:

    • Signing – if you selected MyID Logon in the Services section of the credential profile, you can select one certificate to be used for signing.

      If you selected MyID Logon but do not select a certificate, MyID will generate a keypair for the credential to be used for signing instead of a certificate. Note, however, that PIV cards cannot use these generic keys, so you must select a certificate.

    • Encryption – if you selected MyID Encryption in the Services section of the credential profile, you can select one certificate to be used for encryption.

      Note: Do not select a certificate for encryption that has been marked as for signing in the Certificate Authorities workflow. You cannot use a signing certificate to perform encryption or decryption.

      This option determines which key is used to protect sensitive data such as archived keys in transit to the client:

      • For PIV cards, this key is not used for archived certificates; however, you must still select the MyID Encryption in the Services section of the credential profile, and select a certificate to be used for encryption.
      • For cards that use minidrivers, this key is used for protecting archived key material, and must be an RSA key that supports signature and key exchange. If you attempt to use an ECC key or a signature-only key, archived certificate issuance will fail.

      If you selected MyID Encryption but do not select a certificate, MyID will generate a keypair for the credential to be used for encryption instead of a certificate. Note, however, that PIV cards cannot use these generic keys, so you must select a certificate.

    • Default – you can select one certificate on the credential to be used as the default certificate.
  4. If the Card Format option (in the Device Profiles section of the credential profile) supports containers, select the container on the credential in which you want to store the certificate.

    Note: If you are using certificate containers, you can select only one certificate for each container.

    Note: Once you have finished selecting your certificates, click Next.
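The Action and Number of historic certificates rules in the list above, as an added illustration that is not MyID code: Issue new always requests a certificate, Use existing recovers a live certificate and falls back to issuing, Historic Only never issues, and the historic set is the most recent certificates up to the smaller of the configured number and the card's capacity. plan_certificate, ArchivedCert and Plan are assumed names; not counting the certificate recovered as current among the historic ones is an assumption.

```python
# Added illustration of the certificate Action / historic recovery rules; not MyID code.
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class ArchivedCert:
    serial: str
    issued_on: date
    live: bool      # still usable: not revoked and not expired


@dataclass
class Plan:
    issue_new: bool                  # a new certificate is requested from the CA
    recover_current: str | None      # serial recovered as the current certificate
    historic: list[str] = field(default_factory=list)   # serials, most recent first


def plan_certificate(action: str, archived: list[ArchivedCert],
                     number_of_historic: int, card_capacity: int,
                     unmanaged: bool = False,
                     software_certs_only: bool = False) -> Plan:
    """Decide what issuance does for one key-archival certificate policy."""
    # Restrictions stated in the notes beside the Action options
    if unmanaged and action == "Issue new":
        raise ValueError("Unmanaged policies are recovered from a PFX, not issued")
    if software_certs_only and action in ("Use existing", "Historic Only"):
        raise ValueError(f"{action} is not available for Software Certificates Only")

    newest_first = sorted(archived, key=lambda c: c.issued_on, reverse=True)
    current: str | None = None
    if action == "Issue new":
        issue_new = True
    elif action == "Use existing":
        live = [c for c in newest_first if c.live]
        if live:
            current = live[0].serial      # live, unexpired certificate is recovered
            issue_new = False
        else:
            issue_new = True              # nothing to recover: a new one is issued
    elif action == "Historic Only":
        issue_new = False                 # recover only; never issues a new one
    else:
        raise ValueError(f"unknown action {action!r}")

    # Historic certificates: up to Number of historic certificates, further limited
    # by what the card can hold, always the most recent ones. Assumption: the
    # certificate recovered as current is not counted again as historic.
    limit = min(number_of_historic, card_capacity)
    pool = [c.serial for c in newest_first if c.serial != current]
    return Plan(issue_new, current, pool[:limit])
```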

11.3.4 Selecting applets

Select the applets you want to copy onto the card. Click Next.

For more information about applets, see section 7, Applets.

11.3.5 Linking credential profiles to roles

On the Select Roles page, you must select which roles can receive credentials issued using this credential profile. Select the roles in the Can Receive column.

For information about roles, see section 4.1, Roles.

Note: If you specify a role, the credential profile is immediately available for use. If you do not want it to be used yet, do not associate it with any roles.

Note: If you associate more than one credential profile with the same role, the operator must select the correct profile when requesting or issuing credentials.

11.3.6 Constrain credential profile issuer

If you have the Constrain Credential Profile Issuer option set, on the Select Roles page you can also select which roles can request credentials using this credential profile. Select the roles in the Can Request column.

MyID checks the operator's permissions to access credential profiles at the point at which the operator has to select a credential profile. The workflows affected include all card and ID request workflows, as well as requests for updates and replacements.

To set the option, in the Configuration category, select the Security Settings workflow and click the Process tab.

The default for this option depends on whether you were upgrading a system with existing credential profiles when you installed MyID.

Note: If you are using a workflow that allows you to request and collect credentials in the same operation (for example, Issue Card) you need both the Can Request and Can Collect options.

11.3.7 Constrain credential profile validator

If you have the Constrain Credential Profile Validator option set, on the Select Roles page you can also select which roles can validate credentials using this credential profile. Select the roles in the Can Validate column.

To set the option, in the Configuration category, select the Security Settings workflow and click the Process tab.

11.3.8 Constrain credential profile collector

If you have the Constrain Credential Profile Collector option set, on the Select Roles page you can also select which roles can collect credentials using this credential profile. Select the roles in the Can Collect column.

To set the option, in the Configuration category, select the Security Settings workflow and click the Process tab.

The workflows affected include all card and ID collect workflows, batch collect, and activation workflows.

11.3.9 Constrain credential profile unlock operator

If you have the Constrain Credential Profile Unlock Operator option set, on the Select Roles page you can also select which roles can unlock credentials that were issued using this credential profile in the Unlock Credential and Reset Card PIN workflows. Select the roles in the Can Unlock column.

To set the option, in the Configuration category, select the Security Settings workflow and click the Process tab.

Note: This option does not affect the behavior of the Unlock Card or Remote Unlock Card workflows; it affects only the Unlock Credential and Reset Card PIN workflows.

11.3.10 Associating credential profiles with card layouts

Note: If you are not printing information on cards or have not yet designed your card layouts, you can click Next to skip this stage.

Select the card layouts that you want to be available when this credential profile is used. If you select more than one layout, the operator must decide which to use when issuing a card.

If you select more than one layout, you can click the name of the layout to select it as the default layout; this default layout will be used in the Batch Collect Card workflow.

Note: To ensure that the print preview displays correctly, you must make sure that MyID is configured for the location of images. See section 8.2, Configuring the image location.

Click Next.

11.3.11 Adding comments to the credential profile

You must provide a comment for the credential profile to cover either the initial creation of the credential profile or the changes you have made.

Click Next to complete the workflow.