5.1 Requesting a VSC
MyID issues VSCs using a request/collect model, allowing role separation between each stage and more flexibility over the issuance process. The request creates a job, which defines the target user and (optionally) the device to receive the VSC and the credential profile to be used.
5.1.1 Policy control in MyID
Credential issuance in MyID is governed by a credential profile – this defines the lifetime and certificate policies to be provided, the PIN policy to be used, and technology types available to receive the certificates.
It can also determine the business process to be used for requesting and approving the request for credentials, and provides configuration of access control rules to the credential profile, using MyID roles.
MyID roles determine access to MyID workflows, and importantly which user accounts in MyID can receive a credential profile, and issue a credential profile.
This enables your organization's security policy to be enforced by MyID – ensuring that high security credentials can be received only by users entitled to them, and that they can be issued only by those with permission to issue them, following appropriate approval procedures.
Critical to this is defining the roles available to a user account in MyID. These can be set manually by a MyID administrator, from an external system using the Lifecycle API, or by synchronizing Active Directory security groups to MyID. Synchronization offers the most streamlined approach, allowing access to credentials to be determined by central security policy, instead of requiring individual decisions to be made by MyID Administrators.
5.1.2 Configuring a credential profile for a VSC
You must configure MyID to support a VSC request before you can configure a credential profile for a VSC. See section 6, Configuring MyID for VSC issuance for details.
5.1.3 Targeting a device to receive the VSC
MyID allows a VSC request to be targeted at a named device. MyID uses the full computer name of the device – for example mylaptop.mydomain.com. When the VSC is collected, the full computer name is read from the device used for collection and compared to the pre-registered value. If the values do not match, issuance does not continue.
This feature is optional, and works best when your organization uses fixed and predictable device names. It is not recommended in environments where devices collect VSCs outside your organization's IT infrastructure, because the full computer name read at collection may then differ from the pre-registered value.
5.1.4 Adding devices to MyID
You can import device records from your Active Directory at the point of requesting a VSC. MyID returns a list of PCs in the specified branch of your directory that have a full computer name and are running a compatible version of Windows.
Note: The options available in this workflow depend on whether you have permission to import devices from your directory. See section 6.2, Setting the MyID configuration options for VSC issuance for details.
Alternatively, you can add a device manually by specifying its full computer name. See the Adding devices section in the Administration Guide for details of adding and editing devices.
The device information can be added separately, or at the same time as making a request for credentials using the APIs available in MyID. For details, see the Credential Web Service document.
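As an added example (not MyID's own code), the following PowerShell previews which computer objects in a directory branch carry a full computer name and run a chosen Windows version, which is the kind of list MyID builds when importing devices for a VSC request; it assumes the RSAT ActiveDirectory module, and the OU distinguished name and operating-system pattern are placeholders, since the versions MyID treats as compatible are defined in the MyID documentation, not here.

```powershell
# Added example, not part of MyID: list directory computers that would be
# candidates for a VSC device import (full computer name present, chosen OS).
# Requires the RSAT ActiveDirectory module on the workstation running it.
Import-Module ActiveDirectory

function Get-VscCandidateDevices {
    param(
        # Branch of the directory to search, e.g. 'OU=Laptops,DC=mydomain,DC=com' (placeholder).
        [Parameter(Mandatory)] [string] $SearchBase,
        # Assumed pattern for the operatingSystem attribute; adjust to the
        # versions listed as compatible in the MyID documentation.
        [string] $OsPattern = 'Windows 1*'
    )
    Get-ADComputer -Filter "Enabled -eq 'True'" -SearchBase $SearchBase `
        -Properties DNSHostName, OperatingSystem, OperatingSystemVersion |
        Where-Object {
            # A device can only be targeted by its full computer name, so
            # objects with no dNSHostName are left out, as MyID's import does.
            -not [string]::IsNullOrWhiteSpace($_.DNSHostName) -and
            $_.OperatingSystem -like $OsPattern
        } |
        Select-Object @{ Name = 'FullComputerName'; Expression = { $_.DNSHostName } },
                      OperatingSystem, OperatingSystemVersion
}

# Constructed usage: review the candidates before raising requests, and spot
# machines whose name (no DNS suffix, unexpected suffix) would fail the
# comparison made at collection time.
Get-VscCandidateDevices -SearchBase 'OU=Laptops,DC=mydomain,DC=com' |
    Sort-Object FullComputerName |
    Format-Table -AutoSize
```

Names that differ from what the device reports at collection (for example a device joined to a different DNS suffix) are the cases to resolve before pre-allocating it to a request.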
5.1.5 Creating a VSC request for one person
The Request Card workflow in MyID allows an Administrator to select a user account to receive a VSC. The user account may be retrieved from Active Directory, or from the records that already exist in the MyID database. The Administrator is then instructed to choose which credential profile to issue – the choices are restricted based on the MyID roles held by the Administrator and the target user account. If required, a fixed expiry date may also be selected at this point, instead of accepting the default lifespan determined by the credential profile. Optionally, a device can be selected as the target of the VSC.
To request a VSC:
- From the Cards category, select Request Card.
- Use the Find Person stage to search for the person to whom you want to issue a card.
- Select the person.
- Select the credential profile you want to use from the drop-down list.
- Do one of the following:
- To request the card without specifying the device, click Request Card.
- To pre-allocate a specific device to which the VSC will be issued, click Assign Device.
This option is available only if the Allow device management from the MyID user interface option (on the Devices tab of the Operation Settings workflow) is set. See section 6.2, Setting the MyID configuration options for VSC issuance for details.
You can then search for the device.
If MyID is configured to allow it, you can search the LDAP directory to select a device you have not already added to the MyID database. The new device will be assigned to the VSC card request and added to the list of devices in the database.
Note: Do not select the LDAP entry for a device you have already added to the MyID database. The devices in the database are listed above the devices in the directory in the search results screen.
- Click Finish.
5.1.6 Creating a batch of VSC requests
You can use the Batch Request Card workflow to request VSCs for multiple people in one operation. User accounts can be retrieved from MyID’s database, or a connected directory using common search criteria such as MyID Group, organizational unit, or role. Customized search criteria can be added to enable more specific searches.
During the operation, all requests can optionally be targeted at a single device – for example a shared terminal or tablet in an office, or factory shop floor.
Once the request is completed, a job is created for each selected user; each job can be collected independently.
5.1.7 Requesting a VSC from an external system
You can also use the Credential Web Service API to request a VSC for a person. This API allows other business systems to generate requests for credentials. The inputs required include the target user account, the credential profile, and (optionally) the expiry date of the certificates. You can also provide the target device within this request. Once the request has been generated, it follows the issuance process defined by the credential profile.
For more information, see the Credential Web Service document.