Derived Credential Configurations

This tutorial helps you to learn more about the available options in the Derived Credential Configuration section while creating a workflow. This panel is displayed only if you have selected the DPIV or DPIV+DFIDO2 identity type under the General section.

Primary Credential Verification Configuration

This section allows you to configure the parameters to verify the status of the primary credential before issuing the derived credential which could be a Derived PIV or a Derived FIDO.

If you have chosen the Identity Type as Derived PIV, selected one or more device profiles for issuance of DPIV, and checked the option for Smart Card/Security Key Credential Issuance, you need to configure the following parameters to enable the issuance of a Derived credential using the existing PIV ID:

  • Verify the issuance status of the primary credential prior to issuing the derived credential: Check this option to mandate the verification of the issuance status of the primary credential i.e. the PIV ID before the issuance of the derived credential. You must specify the directory, user attribute mapper, and user attribute values that will be used to confirm the issuance status.
    • Directory: Select the name of the directory configured for the organization from where user data is mapped.
    • User attribute mapper: Select the LDAP attribute mapper hspd12issuancestatus. This attribute will be cross-checked against the specified attribute value, thus enabling the verification of the primary credential's issuance status.
    • User attribute Value: Enter the value as ACT. This prompts the server to verify if the selected user attribute mapper (hspd12issuancestatus) contains the value ACT. If it does, the primary credential is considered successfully verified.
  • Apply the policy exclusively to users and if required, grant operators the ability to override it: Select this option if you want to enforce the verification of the primary credential solely for the user and grant operators the authority to override the verification if required.
  • Read and Authenticate the Primary Credential: This option is automatically enabled to facilitate the reading and authentication of the Primary Credential before the issuance of the derived credential.

Derived Credential Lifecycle Configurations

As the derived credential is derived from an active primary credential, it's essential to maintain synchronization with the primary credential's status. Thus, it's imperative to regularly monitor the LDAP database for updates and promptly update the Unifyia platform accordingly. The lifecycle actions for the derived credential include suspending, renewing certificates, and revoking them based on the status of the primary credential. This section facilitates the configuration of status check parameters to perform Renew and Update (Suspend, Revoke) actions on the derived credential based on the status of the primary credential to update the platform accordingly.

Renew/Update

  • Check the issuance status of the primary credential before proceeding with the renewal of the derived credential: Enable this option to validate the issuance status of the primary credential before proceeding with the renewal of the derived credential. You must select the directory, the user attribute mapper, and the user attribute value in LDAP that will be used to confirm the issuance status.
    • Directory: Select the name of the directory configured for the organization from where user data is mapped.
    • User attribute mapper: Select the LDAP attribute mapper hspd12issuancestatus. This attribute will be cross-checked against the specified attribute value, thus enabling the verification of the primary credential's issuance status.
    • User attribute Value: Enter the value as ACT. This prompts the server to verify if the selected user attribute mapper (hspd12issuancestatus) contains the value ACT. If it does, the primary credential is considered successfully verified.
    • Verify the Certificate Revocation List (CRL) to confirm the issuance status of the primary credential and suspend/revoke based on the status of the primary credential.
  • Place credential on suspension status in response to a status change in the source directory: Choose this option to align the status of the derived credential with that of the primary credential by leveraging LDAP user attributes. Employ User Attribute Mappers to monitor the directory for any changes and suspend the derived credential accordingly, mirroring the suspension status of the primary credential. Specify the directory, user attribute mapper, and user attribute value within LDAP to validate the issuance status. If the primary credential is suspended, ensure the derived credential status is updated accordingly to reflect the suspension in the Unifyia platform.
    • Directory: Select the name of the directory configured for the organization from where user data is mapped.
    • User attribute mapper: Select the LDAP attribute mapper hspd12issuancestatus. This attribute will be cross-checked against the specified attribute value, thus enabling the verification of the primary credential's issuance status.
    • User attribute Value: Enter the value as TRM. This instructs the server to validate whether the selected user attribute mapper (hspd12issuancestatus) includes the value TRM. If the validation returns true, then the status of the primary credential should be updated to suspended.
    • Verify Status Every: Specify the frequency for performing the status check by selecting a value from the drop-down.
  • Place credentials on suspension status in response to the primary credential certificates being suspended or revoked: Select this option to synchronize with the status of the primary credential by checking the certificate revocation list published by the certificate authority at regular intervals. Provide the CRL URL to connect and check the status of the primary credential. If the primary credential is suspended/revoked, then update the status of the derived credential accordingly in the Unifyia platform.
    • Certificate Revocation List URL: Provide the Certificate Revocation List URL.
    • Verify Status Every: Specify the frequency for performing the status check by selecting a value from the drop-down.
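The three checks configured above (the ACT gate on issuance and renewal, the TRM-driven suspension from the directory, and the CRL-driven suspension or revocation) can be summarised as a small decision model. The following is an added example and not Unifyia code: the attribute name hspd12issuancestatus and the values ACT and TRM come from this page, while the function names, the operator_override parameter, the constructed directory entries and the constructed, already-parsed CRL contents are illustrative assumptions. It also adds two checks a practitioner would want that the page does not spell out: LDAP attribute names and multi-valued attributes are normalised before comparison, and a CRL past its nextUpdate is treated as unusable rather than as proof of a good status.

```python
"""Added example (not Unifyia code): a minimal model of the primary-credential
status checks used for derived-credential issuance and lifecycle sync.
Page-sourced: hspd12issuancestatus, ACT, TRM. Everything else is constructed."""
from datetime import datetime, timedelta, timezone
from enum import Enum

ISSUANCE_ATTR = "hspd12issuancestatus"  # user attribute mapper named on the page
ACTIVE_VALUE = "ACT"                     # primary credential issued and active
TERMINATED_VALUE = "TRM"                 # primary credential terminated

# RFC 5280 CRL reason code for a temporary hold; other reasons are permanent.
CRL_REASON_CERTIFICATE_HOLD = 6


class Action(Enum):
    ALLOW = "issue/renew allowed"
    BLOCK = "block issuance/renewal"
    SUSPEND = "suspend derived credential"
    REVOKE = "revoke derived credential"
    NO_CHANGE = "no change"
    UNKNOWN = "status could not be determined; do not act"


def attribute_values(entry, attr):
    """Return an LDAP attribute's values as an upper-cased set.
    LDAP attribute names are case-insensitive and attributes may be
    multi-valued, so both are normalised before comparison."""
    for name, values in entry.items():
        if name.lower() == attr.lower():
            if isinstance(values, str):
                values = [values]
            return {v.strip().upper() for v in values}
    return set()


def issuance_decision(entry, operator_override=False):
    """Issuance/renewal gate: the mapper attribute must contain ACT.
    operator_override (constructed name) models the option that lets an
    operator override the check for a user."""
    if ACTIVE_VALUE in attribute_values(entry, ISSUANCE_ATTR):
        return Action.ALLOW
    return Action.ALLOW if operator_override else Action.BLOCK


def directory_sync_decision(entry):
    """Directory-driven suspension: TRM in the mapper attribute means the
    primary credential is terminated, so the derived credential is suspended."""
    if TERMINATED_VALUE in attribute_values(entry, ISSUANCE_ATTR):
        return Action.SUSPEND
    return Action.NO_CHANGE


def crl_sync_decision(primary_serial, crl, now):
    """CRL-driven suspension/revocation. `crl` is a constructed, already
    parsed form: {"next_update": datetime, "revoked": {serial: reason_code}}.
    In practice it is fetched from the configured CRL URL every interval."""
    if now > crl["next_update"]:
        return Action.UNKNOWN  # stale CRL: refetch; a stale list proves nothing
    reason = crl["revoked"].get(primary_serial)
    if reason is None:
        return Action.NO_CHANGE
    if reason == CRL_REASON_CERTIFICATE_HOLD:
        return Action.SUSPEND  # certificateHold is a suspension, not a revocation
    return Action.REVOKE


def run_demo():
    """Run the checks over constructed sample data and return the outcomes."""
    now = datetime(2024, 1, 15, tzinfo=timezone.utc)
    active_user = {"uid": "jdoe", "HSPD12IssuanceStatus": ["act"]}   # constructed
    terminated_user = {"uid": "asmith", ISSUANCE_ATTR: "TRM"}          # constructed
    crl = {"next_update": now + timedelta(days=1),                     # constructed
           "revoked": {0x1A2B: CRL_REASON_CERTIFICATE_HOLD, 0x3C4D: 1}}
    stale_crl = {"next_update": now - timedelta(days=1), "revoked": {}}
    return {
        "issue_active": issuance_decision(active_user),
        "issue_terminated": issuance_decision(terminated_user),
        "issue_override": issuance_decision(terminated_user, operator_override=True),
        "sync_terminated": directory_sync_decision(terminated_user),
        "sync_active": directory_sync_decision(active_user),
        "crl_hold": crl_sync_decision(0x1A2B, crl, now),
        "crl_revoked": crl_sync_decision(0x3C4D, crl, now),
        "crl_not_listed": crl_sync_decision(0x9999, crl, now),
        "crl_stale": crl_sync_decision(0x1A2B, stale_crl, now),
    }


if __name__ == "__main__":
    for name, action in run_demo().items():
        print(f"{name:16s} -> {action.value}")
```

The mapping of the certificateHold reason to a suspension and of every other reason to a revocation is the example's own interpretation of "suspended/revoked"; the page leaves the precise mapping to the platform.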

You have learnt about all the available workflow configurations to issue the various identity types and credentials. To save the workflow, select Save. You are now all set to proceed with the issuance of credentials. Learn more on how to issue multiple types of credentials using our Credential Management System.