3.5.1 Creating an Identity Agent credential profile
To create a credential profile for issuing derived credentials to mobile devices:
- From the Configuration category, select Credential profiles.
- Click New.
- Type a Name for the credential profile.
- In Card Encoding, select Identity Agent and Derived Credential.
- In Services, make sure MyID Logon and MyID Encryption are selected.
  Note: If you select the Identity Agent option after you select the Derived Credential option, you cannot select the Services option; however, MyID Logon and MyID Encryption are automatically selected.
- In Issuance Settings, in the Mobile Device Restrictions drop-down list, select one of the following:
  - Any – The mobile identity can be loaded onto any mobile.
  - Known Mobiles – The mobile identity can be loaded onto any mobile that has already been registered with MyID. See the Setting up the Identity Agent credential profiles section in the Mobile Identity Management document for details.
  - My Mobiles Only – The mobile identity can be loaded only onto mobiles associated with the user's account.
- If you are issuing Identity Agent credentials for users associated with cards that were not issued by the current system, set the following option:
  - Require Facial Biometrics – Never Required.
- For mobile derived credentials issued through an MDM, if you want to issue the credential to a device that is already issued to the target user, set the following option:
  - Issue over Existing Credential – set this option. If the device is already issued to the target user, it is automatically canceled and then the new device is issued. Existing signing certificates are revoked, but existing archived certificates are not revoked. If the device is issued to a different user, the collection fails.
    Note: The credential profile used for the existing issuance does not affect this behavior; existing credentials are overwritten only if the credential profile for the new credential has the Issue over Existing Credential option set.
- In Device Profiles, from the Card Format drop-down list select PIVDerivedCredential.xml.
  Select a different option only if you have a customized data model that you must use for your system.
- If you want to display collection instructions specific to this credential profile to the user through the Self-Service Request Portal or the Self-Service Kiosk when the user is collecting their mobile identity document, in Collection Instructions, type plain text instructions into the box. If you leave this blank, the default text for collection instructions is shown instead.
- Click Next.
- Select the certificates you want to make available.
  - For credential profiles that use a PIV data model, select the PIV containers for the certificates. You must select a signing certificate. To allow online unlocking, you must include a certificate in the PIV Card Authentication Certificate container.
  - For credential profiles that do not use a PIV data model, do not select any containers.
  All of the certificates you select here will be issued to your mobile device.
  You can select the archived and historic certificate options on this screen. See the Selecting certificates section of the Administration Guide for details of the Issue new, Use existing, and Historic Only options.
- Click Next and proceed to the Select Roles screen.
- Select the roles you want to be able to issue this credential profile, and the roles you want to be able to receive this credential profile.
  Note: Any role to which you want to issue derived credentials must have the Issue Device option selected in the Cards category within the Edit Roles workflow.
- Click Next.
- Select the card layouts you want to make available to the mobile device.
  Badges based on these layouts will be transferred to the mobile device as part of the mobile ID. Note, however, that the reverse sides of the selected layouts (the _back layouts) will not be available on the mobile device.
  Note: You must select at least one card layout. If you do not want to display personalized badge information on the mobile device, create a card layout containing default artwork and no user information.
- Select one of the layouts to be the default layout.
  This layout will be displayed by default when using the Identity Agent app, and will be used for phone-to-phone identity verification.
- Click Next.
- Type your Comments and complete the workflow.