3.11 Importing operator credentials

As part of a user import, you can import a smart card that has been issued on an external system so that it can be used, unchanged, as an operator card in MyID. If the user account already exists, the operator card is added to the user's record.

You must create a credential profile that will be assigned to imported operator credentials. This credential profile must have the Contact capability and must be configured to use the Imported Authentication certificate policy in the Unmanaged certificate authority for MyID signing.

To import a device, you need to know the following details about the device:

The certificate must be within its validity period: it must not have expired, and its validity period must not start in the future. MyID does not carry out a CRL check when importing the certificate.

If the Validate logon certificate option (on the Logon page of the Security Settings workflow) is set, the MyID application server must trust the issuing CA and have access to the CRL.

You must set the Migrated Non-archived Certificate Policy option (on the Import & Export page of the Operation Settings workflow) to the following value:

This information is passed in through the Card node; a sample import may look like this:

<Card>
  <CardProfile>Imported Card</CardProfile>
  <ImportCard>true</ImportCard>
  <SerialNumber>1324657980</SerialNumber>
  <DeviceType>Oberthur ID-One PIV</DeviceType>
  <Container>5FC105</Container>
  <Certificate>MIIGlDCCBXygA … =</Certificate>
</Card>

An imported card has an expiry date that is the earlier of the expiry date defined in the credential profile and the expiry date of the provided certificate.
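The following script is an added example (not Intercede's code) that puts the import rules above into practice: it reads the validity period from a DER-encoded certificate, applies the same date-only check that MyID applies at import (expired or not-yet-valid certificates are refused, no CRL check), works out the imported card's expiry as the earlier of the profile expiry and the certificate's notAfter, and emits a Card node with the element names used in the sample. The function names are this example's own, the certificate it feeds in is a constructed, unsigned skeleton (enough structure to reach the Validity field), and the DER walker verifies neither the signature nor the chain.

```python
"""Build a MyID <Card> import node for an externally issued smart card.

Added example, not Intercede's code. Element names follow the sample <Card>
node in the text; all function names are this example's own. The DER walker
reads only as far as the certificate's Validity field and verifies neither
the signature nor the chain."""

import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone


def utc(year, month, day):
    """Timezone-aware UTC datetime at midnight, to keep sample dates short."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: low bits = length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, value):
    """UTCTime (tag 0x17, YYMMDDhhmmssZ) or GeneralizedTime (0x18, YYYYMMDDhhmmssZ)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def cert_validity(der):
    """Return (notBefore, notAfter) from a DER-encoded X.509 certificate."""
    _, cert, _ = _read_tlv(der, 0)              # Certificate
    _, tbs, _ = _read_tlv(cert, 0)              # tbsCertificate
    tag, _, pos = _read_tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0             # skip optional [0] version
    for _ in range(3):                          # serialNumber, signature, issuer
        _, _, pos = _read_tlv(tbs, pos)
    _, validity, _ = _read_tlv(tbs, pos)        # Validity { notBefore, notAfter }
    t1, v1, nxt = _read_tlv(validity, 0)
    t2, v2, _ = _read_tlv(validity, nxt)
    return _parse_time(t1, v1), _parse_time(t2, v2)


def import_blocker(der, now):
    """The date check applied at import (no CRL check): a reason string if the
    import would be refused, otherwise None."""
    not_before, not_after = cert_validity(der)
    if now < not_before:
        return "certificate is not yet valid"
    if now > not_after:
        return "certificate has expired"
    return None


def imported_card_expiry(profile_expiry, der):
    """Imported card expiry: the earlier of the profile expiry and notAfter."""
    return min(profile_expiry, cert_validity(der)[1])


def build_card_node(card_profile, serial, device_type, container, der, now):
    """Return the <Card> node as text, refusing certificates outside their dates."""
    reason = import_blocker(der, now)
    if reason:
        raise ValueError(reason)
    card = ET.Element("Card")
    fields = [("CardProfile", card_profile), ("ImportCard", "true"),
              ("SerialNumber", serial), ("DeviceType", device_type),
              ("Container", container),
              ("Certificate", base64.b64encode(der).decode("ascii"))]
    for name, value in fields:
        ET.SubElement(card, name).text = value
    return ET.tostring(card, encoding="unicode")


# --- constructed sample input: an unsigned certificate skeleton ---------------
def _der(tag, body):
    """Minimal DER encoder with definite lengths (up to 65535 bytes)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    return bytes([tag, 0x82]) + len(body).to_bytes(2, "big") + body


def fake_cert(not_before, not_after):
    """Structurally valid, unsigned certificate: enough for cert_validity()."""
    utc_time = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSA
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                 # [0] version v3
           + _der(0x02, b"\x10\x01")                       # serialNumber
           + alg + _der(0x30, b"")                         # signature, issuer
           + _der(0x30, utc_time(not_before) + utc_time(not_after))
           + _der(0x30, b"") + _der(0x30, b""))            # subject, SPKI (empty)
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00" * 9))


if __name__ == "__main__":
    good = fake_cert(utc(2023, 1, 1), utc(2026, 1, 1))
    print(build_card_node("Imported Card", "1324657980", "Oberthur ID-One PIV",
                          "5FC105", good, utc(2024, 6, 1)))
    print(import_blocker(fake_cert(utc(2020, 1, 1), utc(2023, 1, 1)), utc(2024, 6, 1)))
```

For a real card, replace fake_cert() with the DER bytes read from the PIV container (5FC105 in the sample) and pass the actual profile expiry; because the date check is the only one MyID makes at import, run a revocation check against the issuing CA yourself before importing if the Validate logon certificate option is not going to be enabled.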

Card lifecycle operations such as Reset Card PIN and Erase Card are blocked for imported cards. You can still cancel an imported card using the Cancel Credential workflow; this prevents the card from being used to access MyID, but it does not change the content of the card or revoke its certificates, which were issued by the external system.

Once imported, the device can be used to authenticate to MyID. You can then grant the imported user account the permissions it needs to access workflows.

Note: If the import of the operator device fails (for example, because the certificate has expired), or if you carry out a card lifecycle operation that is not allowed for imported cards (for example, requesting a replacement card), the license count may temporarily increase by one. The license count is recalculated every few hours, at which point it is reset to the correct value.