3.5 Creating the mobile identity document credential profile

You must create a credential profile that contains the details of the mobile identity documents you want to provision to the wallet app.

Note: You can also set up credential profiles to issue mobile identity documents as derived credentials; see the Creating a mobile identity document credential profile section in the Derived Credentials Self-Service Request Portal guide.

To set up a mobile identity document credential profile:

  1. From the Configuration category, select Credential Profiles.

    You can also launch this workflow from the Credential Configuration section of the More category in the MyID Operator Client. See the Using Credential Configuration workflows section in the MyID Operator Client guide for details.

  2. Click New.
  3. Type a Name and optional Description for the credential profile.

  4. In Card Encoding, select Mobile Identity Document.

  5. Click the Issuance Settings section.

    The issuance settings you can use for mobile identity documents are restricted. You can use the following:

    • Validate Issuance

    • Validate Cancellation

    • Lifetime

    • Credential Group

    • Exclusive Group

    • Block Multiple Requests for Credential Group

    • Cancel Previously Issued Device

    • Enforce Photo at Issuance

    • Notification Scheme – select one of the following:

      • Default – MyID sends the collection URL as an email, the authentication code as a separate email, and the authentication code as an SMS.

      • None – MyID does not send any notifications. You must use the Request Mobile (View Auth Code) option in the MyID Operator Client to display the collection URL and authentication code on screen.

      • Mobile Only – Auth Code Via Email – MyID sends the collection URL as an email, and the authentication code as a separate email.

      • Mobile Only – Auth Code Via SMS – MyID sends the collection URL as an email, and the authentication code as an SMS.

      Note: Notification schemes are relevant only for mobile devices requested through the MyID Operator Client or the MyID Core API. They do not affect the notifications sent when you request mobile devices through MyID Desktop or the Credential Web Service API.

      See section 3.4.1, Configuring SMS and email notifications for the MyID Operator Client.

      The complexity of the authentication codes is determined by the Certificate Recovery Password Complexity configuration option (on the Certificates page of the Operation Settings workflow). See section 3.2.2, Setting the authentication code complexity for details.

    • Require user data to be approved

    • Generate Code on Request – select one of the following:

      • None – no logon code is generated.
      • Simple Logon Code – the logon code is generated using the complexity rules as defined by the Simple Logon Code Complexity configuration option.
      • Complex Logon Code – the logon code is generated using the complexity rules as defined by the Complex Logon Code Complexity configuration option.

    See the Issuance Settings section of the Administration Guide for details of these options.

    Note: The Mail Documents section is available in the credential profile, but is not currently supported for mobile identity documents.

  6. Click the MDM Restrictions section.

    Set the following options:

    • MDM Status – Select one of the following:

      • Unrestricted – MyID does not carry out any checks against the MDM at collection.

      • Must be registered – The mobile device must:

        • Have an external mobile ID, and:

        • Be present in the connected MDM system.

      • Must not be registered – The device must either:

        • Have no external mobile ID registered in MyID, or:

        • Not be found in the connected MDM system.

    • MDM External System – If you have set the MDM Status to Must be registered or Must not be registered, you must select an MDM external system from the drop-down list. If you have only one MDM external system configured, it is automatically selected.

    • Required MDM Attributes – If you have set the MDM Status to Must be registered, you can specify any required attributes in the MDM, and MyID checks that the mobile device fulfills these requirements.

      Specify the required attributes as:

      [field]=[value]

      For example:

      jailBroken=False

      Important: The attributes and values are case sensitive.

      You can specify multiple conditions by separating them with a comma.

      Note: For nested JSON attributes, use a dot (.) to separate the components; for example:

      platform_info.platform_name=iOS

      At collection, the MDM entry for the mobile device must meet all the required conditions.
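    To make the matching rules above concrete, here is an added example (not part of the MyID product or this guide) that parses a Required MDM Attributes string and evaluates it against a constructed MDM record. The record layout, the dotted-path lookup and the comparison of values by their text form are assumptions made for the example.

```python
import json

# Constructed sample MDM record (not real MyID or MDM output): a nested JSON
# document of the kind an MDM system might return for a device lookup.
SAMPLE_MDM_RECORD = json.loads("""
{
  "deviceId": "EXAMPLE-DEVICE-001",
  "jailBroken": "False",
  "platform_info": {"platform_name": "iOS", "platform_version": "17.4"}
}
""")


def parse_required_attributes(spec):
    """Parse "[field]=[value],[field]=[value]" into (path, value) pairs.

    Nested attributes use dots, so "platform_info.platform_name=iOS"
    becomes (["platform_info", "platform_name"], "iOS").
    """
    conditions = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"condition has no '=': {item!r}")
        field, value = item.split("=", 1)
        conditions.append((field.strip().split("."), value.strip()))
    return conditions


def lookup(record, path):
    """Walk a dotted path through nested dicts; None if any step is absent."""
    node = record
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def device_meets_requirements(record, spec):
    """Return (ok, failed_paths). Every condition must hold; both field
    names and values are compared case-sensitively, as the guide states."""
    failures = []
    for path, expected in parse_required_attributes(spec):
        actual = lookup(record, path)
        if actual is None or str(actual) != expected:
            failures.append(".".join(path))
    return (not failures, failures)
```

The failed-path list is what you would want in an audit entry when a device is rejected at collection, since the guide's REST007 error alone does not say which condition failed.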

  7. Click the Device Profiles section.

    You must select a Document Format that defines the content of the mobile identity document.

    This release provides the following document format file:

    • Partial-ISO-18013-5.xml – a partial implementation of the ISO-18013-5 standard, which allows you to use a third-party verifier app to carry out verification on a mobile identity document provisioned to the MyID Wallet app.

    For information on customizing the document format or adding your own document format, contact Intercede customer support quoting reference SUP-381.

    Note: If your document format contains mandatory attributes (for example, a user portrait or an email address) you can configure the credential profile to require these attributes; for user portraits, you can use the Enforce Photo at Issuance option in the Issuance Settings section, and for email addresses you can use the Requisite User Data section. If the recipient does not have the attributes required by the document format, and you have not configured the credential profile to require them, MyID allows you to attempt to issue the mobile identity document but displays an error similar to:

    REST007 – Unrecoverable error has occurred

    If this error occurs, you can check the audit to determine which attributes are missing.

  8. Click the Requisite User Data section.

    This section contains a list of user attributes that must be present for this credential profile to be issued.

    See the Requisite User Data section of the Administration Guide for details.

  9. Click Next.
  10. On the Select Roles screen, select the roles you want to be able to issue and receive mobile identity documents using this credential profile.

    • The Can Receive option determines which roles can receive mobile identity documents issued using this credential profile.

    • The Can Request option determines which roles can request mobile identity documents using this credential profile; for example, using Request ID for operator requests or Request My ID for self-service requests.

    • The Can Validate option determines which roles can validate requests for mobile identity documents using this credential profile using the Validate Request workflow.

    • The Can Collect option determines which roles can collect mobile identity documents using this credential profile; any user who is to receive a mobile identity document must have both the Can Receive and the Can Collect options.

    Note: Not all options may be available, depending on your system configuration. See the Working with credential profiles section in the Administration Guide for details.

    Note: Any role you want to receive mobile identity documents must have the Issue Device option selected in the Cards category within the Edit Roles workflow.

  11. Click Next.
  12. Select the card layouts you want to make available to the mobile device.

    Badges based on these layouts will be transferred to the mobile device as part of the mobile identity document. When you select a card layout, its associated reverse layout (the _back layout, if present) will also be available on the mobile device.

    Note: If you include card layouts, there must be a default layout; also, you must ensure that there is no more than one associated reverse layout. Otherwise, an error similar to the following occurs:

    PS81: "Layout selection invalid. Either no default front layout, or multiple back layouts present"

    You can include user photographs, organization logos, text information from the person's user account in MyID, and barcodes (both 1D and 2D) on these card layouts. For information on using the Card Layout Editor to design layouts to use in your mobile identity documents, see the Designing card layouts section in the Administration Guide for details.

  13. Click Next.
  14. Type your Comments and click Next to complete the workflow.

3.5.1 Controlling the provisioning of multiple mobile identity documents

You can issue a mobile identity document to the same person more than once using the same credential profile. This means that the same document may appear multiple times on the person's device, or on more than one device belonging to the person.

If necessary, you can control the provisioning of multiple mobile identity documents by disabling or canceling the previously-issued document using the Credential Group and Cancel Previously Issued Device options in the credential profile. See the Credential group section in the Administration Guide for details.

You can also use the Issue Over Existing Credential option; if the credential profile being issued is the same as that of the previously-issued mobile identity document, the previous document is canceled, and a new document is issued. This does not affect the previous document on the mobile device. See the Issue over Existing Credential section in the Administration Guide for details.