24.2 Setting up additional identities
To allow MyID to issue additional identities, you must set up the following:
- On the certificate authority, set up each certificate policy you want to use for additional identities to have the Subject Name set to Supply in the Request.
- In the Certificate Authorities workflow, for each certificate policy you want to use for additional identities:
  - Select the Enabled (Allow Issuance) option for the certificate policy.
  - Set the Allow Identity Mapping option on the certificate policy.
  - Make sure the Archive Keys option is set to None.
  - Click the Edit Attributes button:
    Note: If the attribute value is not set, the attribute will not be supplied for the certificate. The subsequent behavior depends on how the certificate is configured and the CA being used. Note also that choosing to remove an attribute for a user's issuance may result in the certificate being unusable for its intended purpose, or the certificate may not be issued at all, depending on the CA and the attribute.
    If the Edit Attributes button does not appear, you must run a stored procedure in the MyID database. See your CA integration guide for details.
    Set the UserPrincipalName, Email, and User Security Identifier mappings to be dynamically mapped to the User Principal Name, Email, and User Security Identifier user attributes.
    Note: The User Security Identifier attribute is available for Microsoft and PrimeKey EJBCA CAs.
  - Click Save.
- In the Credential Profiles workflow, select the credential profile that you want to use to issue additional identities, then click Modify. In the Issuance Settings section, click the Issue Additional Identities option.
  You can set the Issue Additional Identities option for credential profiles that have their card encoding option set to Contact Chip or Microsoft Virtual Smart Cards.
  In the list of certificates, you do not need to select the additional identity policies – these certificates are automatically added to the card if you have selected the Issue Additional Identities option and set up an additional identity for the cardholder.
- If you want to create a card update job whenever an additional identity is modified, in the Operation Settings workflow, on the Issuance Processes tab, set the Automatically create card update jobs when additional identities are modified option to Yes.
- To set up a filter for the results returned from the LDAP when importing an additional identity from the directory, in the Operation Settings workflow, on the LDAP tab, set the following options:
  - Additional Identity LDAP Operator User Filter – set a query filter when importing an additional identity for another person.
  - Additional Identity LDAP Self-Service User Filter – set a query filter when importing an additional identity for your own account.
  For example:
  - (&(objectClass=user)(cn=*ADMIN)) – Only show user accounts where the common name ends with ADMIN.
  - (&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,DC=mydomain,DC=local)) – Show people who are members of the domain's admin group.
For the Additional Identity LDAP Self-Service User Filter option, you can also include substitutions for the person's details; this allows you to restrict the list of additional identities that a person can add to their own account.
Use the format:
[[People.FieldName]]
where FieldName is a field in the vPeopleUserAccounts view in the MyID database. For example:
- userPrincipalName=[[People.LogonName]]*
  This filters the list of directory entries to those with a userPrincipalName that begins with the user's logon name. For example, if you are logged on as Joan Smith, the filter becomes:
  userPrincipalName=Joan Smith*
  whereas if you are logged on as Susan Jones, the filter becomes:
  userPrincipalName=Susan Jones*
- userPrincipalName=[[People.LogonName]]*@DOMAIN.com
  All users that have a UPN that starts with the logon name of the user and ends with DOMAIN.com.
- userPrincipalName=[[People.LogonName]]*@[[People.Domain]].com
  All users that have a UPN that starts with the logon name of the user and ends with the user's domain, followed by .com.
- SAMAccountName=[[People.LogonName]]*
  All users that have a SAMAccountName that starts with the user's logon name.
- (&(ou=AdminAccounts)(sAMAccountName=[[People.LogonName]]*))
  All users that are part of the AdminAccounts OU and have a SAMAccountName that starts with the user's logon name.
Useful fields that you may want to use from the vPeopleUserAccounts view are:
- LogonName
- Domain
- CommonName
- DistinguishedName
- UserPrincipalName
- SAMAccountName
- OrganisationalUnit
Important: These LDAP user filters are applicable only when using the Import Additional Identity feature in the MyID Operator Client; see the Importing an additional identity section in the MyID Operator Client guide. These settings do not affect the Manage Additional Identities workflow in MyID Desktop.
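The following is an added illustration of how the [[People.FieldName]] substitution above expands into a concrete LDAP filter; it is not MyID's own code, and the page does not state how MyID treats special characters in substituted values. The sample person record is constructed, and the escaping shown (RFC 4515) is the approach a filter builder should take so that a person's field value is matched literally while the wildcards written in the filter template keep their meaning.

```python
import re

# Constructed sample standing in for one row of the vPeopleUserAccounts view.
# Column names are those listed on the page; the values are made up.
PERSON = {
    "LogonName": "Joan Smith",
    "Domain": "MYDOMAIN",
    "OrganisationalUnit": "AdminAccounts",
}

# RFC 4515 escapes for characters that carry meaning inside an LDAP filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def ldap_escape(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

# Matches the [[People.FieldName]] placeholder format described on the page.
_TOKEN = re.compile(r"\[\[People\.(\w+)\]\]")

def expand_filter(template: str, person: dict, escape: bool = True) -> str:
    """Replace every [[People.FieldName]] token with the person's field value.

    With escape=True the substituted value is literal text, so a '*' or ')' in a
    field value cannot widen the filter; the '*' written in the template itself
    is left alone. escape=False shows the effect of raw substitution.
    """
    def repl(match: re.Match) -> str:
        field = match.group(1)
        if field not in person:
            raise KeyError(f"unknown vPeopleUserAccounts field: {field}")
        value = person[field]
        return ldap_escape(value) if escape else value
    return _TOKEN.sub(repl, template)

if __name__ == "__main__":
    print(expand_filter("userPrincipalName=[[People.LogonName]]*", PERSON))
    print(expand_filter("userPrincipalName=[[People.LogonName]]*@[[People.Domain]].com", PERSON))
    # Constructed edge case: a logon name that is itself a wildcard character.
    odd = {"LogonName": "*"}
    print(expand_filter("sAMAccountName=[[People.LogonName]]*", odd))
    print(expand_filter("sAMAccountName=[[People.LogonName]]*", odd, escape=False))
```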