Create Workflow for an External CMS

The workflow module allows you to create workflows for an integrated external CMS for PIV ID issuance. This tutorial helps you to learn how to configure a workflow for an integrated external credential management system to enroll users, issue PIV identities, and manage issued credentials from the Unifyia platform.

Overview of the Workflow Sections

This section gives a concise overview of the segments that make up a workflow. Some segments appear only for certain identity types and device profiles. The overview below lists every segment with its available configurations, so that you can configure a workflow according to your identity issuance policies.

General
  • Configurations: In this segment you provide a name and description, specify the identity type to be issued, select the required device profiles, select the integrated external CMS, select the groups for which this workflow is being created, select the policies to be applied to the identity being issued, and determine which roles have visibility of this workflow.
  • Device Validity and Expiration Policies: You can set the identity validity and certificate validity, and specify the number of devices that can be issued to a single applicant. Additionally, you can set the minimum device validity and the maximum certificate validity for update.

Data and Biometrics Enrollment
  • ID Proofing: Select this option if ID proofing is required and set the ID proofing documents to be collected during enrollment.
  • Enrollment: Select this option to capture user information. The form fields for capturing user data are populated automatically based on the selected identity type. However, you can remove fields and choose which ones are mandatory or optional.
  • Face: Select this option if face capture is required, set the preferred crop size window for capturing the face, and define whether you require image transparency.
  • Iris: Select this option to capture the irises of the user. The default mode is dual.
  • Fingerprint: Select this option to capture fingerprints and define whether you need rolled or flat fingerprints, the fingerprint quality threshold, and the minimum number of fingerprints (2, 4, or 10) to be captured.
  • Signature: Select this option to capture the user's signature.
  • Approval: Select this option if adjudication is required and define which group(s) can review and approve enrollment. If this option is checked, the platform enables the option to upload the background and biometric investigation results. These results have to be reviewed and approved to complete enrollment.

Smart Card/Security Key Credential Issuance
This segment allows you to configure the options for issuing identities on a smart card or security key.
Note: The chip personalization option is enabled only if at least one smart card or security key device profile is selected under the General section.
  • Chip Personalization and Printing: Set the issuance options and define which groups can issue the selected identity devices. The available options are Enable Chip Personalization, Enable Chip Personalization + Visual ID Printing, and Enable Visual ID Printing.
  • Visual Designs: This section is visible only if the identity type is a smart card and you have chosen to print an ID. The Groups and Visual Design fields are populated automatically with the group(s) and the identity type selected under the General section.
  • Activation: Select the Require verification before activation option if activation of the issued identity device is mandatory, and set the verification policy. Currently, only verification with PIN is supported.

Prerequisites

Before creating a workflow, you must:

  • create groups.
  • configure connection parameters for the external CMS.
  • configure CPR policies for the external CMS.
  • configure policies for issuance.
  • add and configure the required device profiles.

Follow these steps to create a workflow:

Log in to the Unifyia platform. On the dashboard, navigate to Configuration > Workflows. On the List of Workflows page, select + Create Workflow. If the external credential management system is already integrated, you will be prompted to confirm if you wish to create a workflow for it. Select Yes to proceed.

The Create Workflow page displays the three main sections - General, Data and Biometrics Enrollment, and Smart Card/Security Key Credential Issuance. You need to enter the required data as per your organization's policies to complete the configuration of the workflow.

General Configurations

What can you do in this section?

  1. Select the identity model. Supported identities are PIV, PIV-I, and CIV.
  2. Select the external CMS.
  3. Select the groups that the workflow must be assigned to.
  4. Set the permissible number of devices for a user in the selected groups.
  5. Define the expiration date for the selected identity type and certificates.
  6. Define the minimum device and certificate validity for update.
  7. Select to which role(s) the workflow must be visible.
  8. Select the policy to be applied for this workflow.

Workflow Details

Provide the following details to complete the general workflow details:

  1. Workflow Name: Provide a name for the workflow. This can be a short text that identifies the purpose of the workflow, for instance, PIV ID (ABC Organization).
  2. Description: Provide a brief description of the workflow.
  3. Display Name: Enter a display name for the workflow. This name is displayed during issuance if more than one workflow is configured for the user.
  4. Identity Type: From the drop-down list, select an identity type, for example, PIV.
  5. External CMS: Select the external CMS for which this workflow is being created.
  6. Assign to Group(s): You must have groups created before this step. Select the group(s) for which this workflow is being created. You can select multiple groups. Once you select certain groups for a workflow, the same groups will not be available for other workflows.
  7. Assign to Role(s): Select the roles that can view this workflow. This ensures that only these roles can issue identity devices for this workflow.
  8. Policies: Select the policy that needs to be applied for the identity being issued.

Device Validity and Expiration Policies

Provide the following details to complete the device validity and expiration details:

NOTE
  • Make sure that the certificate expiration date does not exceed the device expiration date.
  1. Enforce maximum allowed devices per user: If you need to enforce a maximum limit of allowed devices per user, check the box and set an integer value to define the number of allowed devices.
  2. Device Expiration: Set the expiration period for the device. Select the number of years, months, days, and hours for device validity.
  3. Certificate Expiration: Set the expiration period for the certificates. Select the number of years, months, days, and hours for certificate validity.
  4. Minimum Device Validity for Update: Set the minimum remaining validity period required for a device to be eligible for updates. Specify the period in years, months, days, and hours. For example:
    1. If the minimum validity is set to 12 months and the device has less than 12 months remaining before expiration, updates cannot be performed. In such cases, the device must be renewed or replaced first.
    2. If the device has more than 12 months of validity remaining, device update is allowed.
  5. Maximum Certificate Validity for Update: Set the maximum remaining validity period at or below which a certificate can be updated (renewed or reissued). Specify the period in years, months, days, and hours. For example:
    1. If the maximum validity for updates is set to 10 days and a certificate has 20 days left until expiration, updates cannot be performed at this time. You will need to wait until the remaining validity is 10 days or less.
    2. When the certificate has exactly 10 days remaining, you can proceed with the update or renewal process.
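The two eligibility rules above pull in opposite directions (a device needs at least the minimum validity left, a certificate needs at most the maximum left), and the note requires the certificate never to outlive its device. The following Python is an added illustration, not code from the Unifyia platform or its documentation; the field names, the `ValidityPolicy` class, and the 30-day approximation of a calendar month are assumptions made for the example.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# The UI takes periods as years/months/days/hours; this constructed example models
# them as timedelta and approximates a calendar month as 30 days.
MONTH = timedelta(days=30)


@dataclass(frozen=True)
class ValidityPolicy:
    """Mirror of the 'Device Validity and Expiration Policies' fields (constructed)."""
    device_expiration: timedelta               # Device Expiration
    certificate_expiration: timedelta          # Certificate Expiration
    min_device_validity_for_update: timedelta  # Minimum Device Validity for Update
    max_cert_validity_for_update: timedelta    # Maximum Certificate Validity for Update

def policy_errors(policy: ValidityPolicy) -> list[str]:
    """Return configuration problems; an empty list means the policy is consistent."""
    errors = []
    # Page note: the certificate must never outlive the device it is carried on.
    if policy.certificate_expiration > policy.device_expiration:
        errors.append("certificate expiration exceeds device expiration")
    return errors

def device_update_allowed(policy: ValidityPolicy, device_expires_at: datetime, now: datetime) -> bool:
    """A device may be updated only while it still has at least the minimum validity left."""
    return device_expires_at - now >= policy.min_device_validity_for_update

def certificate_update_allowed(policy: ValidityPolicy, cert_expires_at: datetime, now: datetime) -> bool:
    """Renewal/reissue opens only once the remaining validity has dropped to the maximum or below."""
    return timedelta(0) <= cert_expires_at - now <= policy.max_cert_validity_for_update

# Worked values from the page: 12-month device minimum, 10-day certificate maximum.
EXAMPLE_POLICY = ValidityPolicy(36 * MONTH, 36 * MONTH, 12 * MONTH, timedelta(days=10))

def worked_example(now: datetime = datetime(2025, 1, 1, tzinfo=timezone.utc)) -> dict[str, object]:
    """Evaluate the page's scenarios plus one misconfigured policy (constructed inputs)."""
    return {
        "policy_ok": policy_errors(EXAMPLE_POLICY),                                                   # []
        "cert_outlives_device": policy_errors(replace(EXAMPLE_POLICY, certificate_expiration=48 * MONTH)),
        "device_6_months_left": device_update_allowed(EXAMPLE_POLICY, now + 6 * MONTH, now),          # False
        "device_20_months_left": device_update_allowed(EXAMPLE_POLICY, now + 20 * MONTH, now),        # True
        "cert_20_days_left": certificate_update_allowed(EXAMPLE_POLICY, now + timedelta(days=20), now),  # False
        "cert_10_days_left": certificate_update_allowed(EXAMPLE_POLICY, now + timedelta(days=10), now),  # True
    }

if __name__ == "__main__":
    for case, result in worked_example().items():
        print(f"{case}: {result}")
```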

Data and Biometrics Enrollment

This tutorial helps you to learn more about the available options in the Data and Biometrics section while creating a workflow.

Check the Data and Biometrics Enrollment box to enable customization of the enrollment steps for capturing the necessary user data and biometrics. This section allows organizations to manage identity proofing and registration requirements that meet FIPS 201-3 and Identity Assurance Level (IAL) 1, 2, and 3 requirements for the issuance of identity devices. The platform supports in-person, attended enrollment via a workstation or a tablet, supervised by an authorized operator.

You have the flexibility to select or deselect enrollment parameters as required. For instance, if you do not need to collect identity (ID) proofing documents during enrollment, deselect the box to eliminate the ID Proofing step. This section of the workflow allows you to configure the following options:

  • ID Proofing
  • Enrollment Form
  • Face
  • Iris
  • Fingerprints
  • Signature
  • Approval

ID Proofing

Select this checkbox if capturing ID Proofing documents during the enrollment process is mandatory for each user. Configure the following information:

  • Allowed Existing IDs: Select at least one existing ID type allowed for proofing purposes. These selected ID(s) will appear in the selection list during enrollment. You can select one or more of the allowed identities.

The following is the list of I-9 documents supported for ID Proofing.


Enrollment Form

Select the form fields that are to be displayed during the enrollment of an applicant. Generally, fields allowed are predefined by the organization based on the selected identity type.

NOTE
  • If you require additional fields or labels, you can contact your administrator to add or modify the existing fields.
  • If you have chosen PIV or PIV-I as the identity type, ensure that you select the First Name, Last Name, Email, Person Association, and Employee Affiliation fields, as these are the minimum required for successful issuance.
  1. Form Fields: Select all the applicable form fields as per your requirement for the workflow. If you need to remove a field from the form, select the cross
  2. Required: Select this option if the field is mandatory. Otherwise, you can leave it as is.

Face

Select this option if the workflow requires a face verification to be performed. Configure the following face capture settings.

  • Crop Size in Pixels: Select the size of the cropper window to be displayed during the face capture process.
  • Transparency Allowed: Check this option if you want to enforce the use of a transparent face image when printing the card. After the face image is captured, the entire background around the face is removed and only the face is saved, producing a transparent image.

Iris

If you need to capture iris images as a part of the enrollment process, check this option. The mode is auto-selected to Dual.

  • Mode - Dual: By default, the platform allows for the capture of both irises during enrollment using a supported iris scanner.

Fingerprint

If you need to capture flat or rolled fingerprint images as a part of the enrollment process, check this option and configure the following fingerprint capture settings.

  • Minimum Fingers Required: Select the number of fingers to be captured during enrollment. The available options are 2, 4, or 10 fingerprints.
  • Minimum Threshold: Select the minimum threshold for the fingerprint image quality from the listed values in the dropdown, e.g., 60%.
  • Enable Rolled Fingerprints: Check this option if you require capturing rolled fingerprints. When enabled, it permits the operator to capture 10 rolled fingerprints of the user.
    • If you set the Minimum Fingers Required option to 2 or 4 and also enable the rolled fingerprints option, the enrollment process launches the capture wizard for 10 rolled fingerprints. This is necessary because the rolled fingerprints option always requires all 10 fingerprints to be captured. Therefore, ensure that you configure these settings according to your organization's requirements.

Signature

Check this option if you intend to capture the signature of the applicant during enrollment using a touch screen or a supported signature pad.

Smart Card/Security Key Credential Issuance

The Unifyia platform complies with the National Institute of Standards and Technology (NIST) and FIPS 201-3 standards for the Personal Identity Verification (PIV), Commercial Identity Verification (CIV), Derived PIV (DPIV), and Derived FIDO (DFIDO) credential issuance on smart cards and security keys. You can do the following configurations in this section:

  1. Configure personalization and printing options.
  2. If printing is to be done, then select visual designs based on the Identity type selected.

Chip Personalization and Printing

This section allows you to configure the chip personalization and ID printing options. You must choose at least one option to proceed.

  • Enable Chip Personalization: Check this option if you only want to allow the personalization of devices like smartcards or security keys. Select the group(s) that should be granted access to perform chip personalization.
  • Enable Chip Personalization + Visual ID Printing: Check this option if you intend to allow personalization and printing cards. Select the group(s) that should be granted access to perform this action.
  • Enable Visual ID Printing: Check this option to enable the printing of visual identities. Select the group(s) that should be granted access to print IDs.

Activation

Check the Require verification before activation option if verification is necessary before activating the PIV device, particularly when the issuance is conducted by an operator without the user being present. As a security measure, devices are locked before being sent to the customer, and users are required to activate the device upon receipt. This section also allows you to configure the verification policy options for activation. If you check only the Require verification before activation option without selecting a verification policy, the Verify with PIN option is chosen by default. Currently, the platform supports activation using a PIN only.

  • Verify with PIN: This option is checked by default. This enables activation of the identity device by entering the activation PIN sent to the registered email of the ID holder.

You have completed the workflow for enrollment, issuing PIV credentials, and activation.