3.5.2 Creating a VSC credential profile
To create a credential profile for issuing derived credentials as Microsoft VSCs:
- From the Configuration category, select Credential profiles.
- Click New.
- Type a Name for the credential profile.
- For the Card Encoding, select Microsoft Virtual Smart Card and Derived Credential.
- In Services, make sure MyID Logon and MyID Encryption are selected.
- In Issuance Settings, set the following options:
  - Generate Code on Request – select one of the following:
    - None – no logon code is generated.
    - Simple Logon Code – the logon code is generated using the complexity rules as defined by the Simple Logon Code Complexity configuration option.
    - Complex Logon Code – the logon code is generated using the complexity rules as defined by the Complex Logon Code Complexity configuration option on the Auth Code tab of the Security Settings workflow.

    Note: To be FIPS 201-3 compliant, you must select Simple or Complex. See the Setting up logon codes section in the Administration Guide for details of configuring the logon code complexity.
  - Credential Group – if you want to restrict users to have a single derived credential VSC, type an identifier here; for example:

    DC VSC

    If you set the Active credential profiles per person configuration option (on the Issuance Processes page of the Operation Settings workflow) to One per credential group, MyID ensures that the user can have only one credential with the same Credential Group name.
  - Cancel Previously Issued Device

    This option works in conjunction with the Credential Group setting. Select this option, and MyID cancels any previously-issued credentials instead of disabling them. When you collect the new VSC using the Self-Service App (and you have the Erase Unused VSCs permission for your role, as configured in the Edit Roles workflow), the Self-Service App will delete any of the canceled VSCs on your device.

  For more information on these options, see the Working with credential profiles section in the Administration Guide.
- Set the PIN to 16 numeric digits. This is required for FIPS 201-3 compliance.
  - In PIN Settings, set the Maximum PIN Length and Minimum PIN Length options to 16.
  - In PIN Characters, set Numeric to Mandatory, and Lowercase, Uppercase, and Symbol to Not Allowed.
- In Device Profiles, from the Card Format drop-down list select PIVDerivedCredential.xml.

  Select a different option only if you have a customized data model that you must use for your system.
- Set the Requisite User Data options.

  Note: This section appears only if you have selected the Requisite User Data option on the Issuance Processes tab of the Operation Settings workflow.

  This section contains a list of user attributes that must be present for this credential profile to be issued.

  For example, if your VSC derived credential is to be used for email signing, you must select Email from the list, and provide an appropriate certificate for email signing – only users who have the Email attribute mapped in their user account will be able to receive a derived credential VSC based on this credential profile.

  Similarly, if your VSC derived credential is to be used for Windows Logon, you must select User Principal Name from this list, and provide an appropriate certificate for logging on to Windows.

  For more information, see the Requisite User Data section in the Administration Guide.
- Click Next.
- Select the certificates you want to make available.
  - For credential profiles that use a PIV data model, select the PIV containers for the certificates. To allow online unlocking, you must include a certificate in the PIV Card Authentication Certificate container.
  - For credential profiles that do not use a PIV data model, do not select any containers.

  All of the certificates you select here will be issued to your VSC.

  You can select the archived and historic certificate options on this screen. See the Selecting certificates section of the Administration Guide for details of the Issue new, Use existing, and Historic Only options.
- Click Next and proceed to the Select Roles screen.
- Select the roles you want to be able to issue this credential profile, and the roles you want to be able to be issued this credential profile.

  Note: Any role to which you want to issue derived credentials must have the following configured in the Edit Roles workflow:
  - Select the Issue Device option in the list of workflows.
  - Select the Collect My Card option in the list of workflows.
  - Select the Password option in the Logon Methods.
- Click Next.
- Click Next.
- Type your Comments and complete the workflow.
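The settings above are easy to get wrong when several VSC profiles are maintained by hand, so an audit check that flags a profile which drifts from this procedure is useful. The following is an added example, not MyID or Intercede code; the profile dictionary layout and its key names are assumptions for illustration, not a real MyID export format.

```python
# Audit a derived-credential VSC profile against the settings this procedure requires.
# Added example: the dict layout and key names are assumed, not a MyID export format.

FIPS_CODE_OPTIONS = {"Simple Logon Code", "Complex Logon Code"}
PIV_CARD_AUTH = "PIV Card Authentication Certificate"


def audit_profile(p: dict) -> list:
    """Return a list of findings; an empty list means the profile matches the procedure."""
    findings = []
    if not {"Microsoft Virtual Smart Card", "Derived Credential"} <= set(p.get("card_encoding", [])):
        findings.append("Card Encoding must include Microsoft Virtual Smart Card and Derived Credential")
    if not {"MyID Logon", "MyID Encryption"} <= set(p.get("services", [])):
        findings.append("Services must include MyID Logon and MyID Encryption")
    if p.get("generate_code_on_request") not in FIPS_CODE_OPTIONS:
        findings.append("Generate Code on Request must be Simple or Complex for FIPS 201-3")
    # Cancel Previously Issued Device only works in conjunction with a Credential Group.
    if p.get("cancel_previously_issued_device") and not p.get("credential_group"):
        findings.append("Cancel Previously Issued Device has no effect without a Credential Group")
    pin = p.get("pin_settings", {})
    if (pin.get("min_length"), pin.get("max_length")) != (16, 16):
        findings.append("PIN Minimum and Maximum Length must both be 16")
    chars = p.get("pin_characters", {})
    if chars.get("Numeric") != "Mandatory" or any(
        chars.get(c) != "Not Allowed" for c in ("Lowercase", "Uppercase", "Symbol")
    ):
        findings.append("PIN Characters must be Numeric=Mandatory with Lowercase, Uppercase, Symbol Not Allowed")
    if p.get("card_format") != "PIVDerivedCredential.xml" and not p.get("custom_data_model"):
        findings.append("Card Format should be PIVDerivedCredential.xml unless a custom data model is in use")
    containers = set(p.get("piv_containers", []))
    if p.get("piv_data_model"):
        if p.get("online_unlock") and PIV_CARD_AUTH not in containers:
            findings.append("Online unlocking requires a certificate in the PIV Card Authentication Certificate container")
    elif containers:
        findings.append("Profiles without a PIV data model must not select any PIV containers")
    return findings


# Constructed sample profile (not a real MyID export) that meets every requirement above.
COMPLIANT_PROFILE = {
    "card_encoding": ["Microsoft Virtual Smart Card", "Derived Credential"],
    "services": ["MyID Logon", "MyID Encryption"],
    "generate_code_on_request": "Complex Logon Code",
    "credential_group": "DC VSC",
    "cancel_previously_issued_device": True,
    "pin_settings": {"min_length": 16, "max_length": 16},
    "pin_characters": {"Numeric": "Mandatory", "Lowercase": "Not Allowed",
                       "Uppercase": "Not Allowed", "Symbol": "Not Allowed"},
    "card_format": "PIVDerivedCredential.xml",
    "piv_data_model": True,
    "online_unlock": True,
    "piv_containers": [PIV_CARD_AUTH],
}
```

Running `audit_profile(COMPLIANT_PROFILE)` returns an empty list; changing any one setting (for example Generate Code on Request to None, or an 8-digit minimum PIN) produces a finding naming the step to revisit.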