ID Wallet Configurations

This tutorial helps you to learn more about the available options in the ID Wallet section while creating a workflow. This option enables you to configure the required policies to issue mobile digital identities on the Unifyia ID Wallet app. This section is visible only upon selecting to issue Mobile or DMobile ID identity type and the corresponding device profiles under the General section.

Hardware Backed Authentication

Select Enforce Hardware Backed Authentication option to mandate users to enable and be authenticated using a subset of their secure lock screen credentials such as Pattern/PIN/Password/Fingerprint/Face. This enables the users to use the existing device access security feature to log in to the ID Wallet application.

Digital Identity Issuance Configuration

This section allows you to configure the type of mobile identity credentials to be issued. Additionally, you can configure certificates and set notifications for expiring certificates issued on mobile devices.

  • Issue Mobile Identities: If you have already selected the option to add the Mobile Wallet to the workflow, the Issue Mobile Identities option is automatically selected.
  • Create a friendly name for this identity: Provide a name for the new wallet identity being created.

There are four credentials that you can issue for each identity.

  1. Push Verify: Select this option if you want the ID wallet app to support push-based user authentication to multiple integrated applications.
  2. Soft OTP: Select this option if you wish to implement an OTP-based login for various integrated applications. This facilitates multi-factor authentication and is also used for offline login purposes.
  3. FIDO2: Select this option to enable custom Webauthn passwordless authentication to applications.
  4. Certificates: This enables the Unifyia ID Wallet - Push Verify with PKI option for authentication on the platform. Select the option Configure Certificates to issue with ID Wallet to issue certificates for enabling consent-based login using PKI credentials. You can issue four types of certificates. Follow the steps below to configure the certificates for the smart devices:
    • Certificate Type: Select the type of the certificate to be issued. There are four types of certificates that you can issue – Card Authentication, PIV Authentication, Digital Signature, and Encryption.
    • CA Server: Select the Certificate Authority from which the certificate needs to be issued.
    • Certificate Profile: Select the certificate profile created in the Certification Authority.
    • Escrow: This option is available only for the encryption (Key Management) certificate. Select this option if the encryption or the key management certificate needs to be escrowed and moved to the retired containers. Enabling this option allows you to support key and certificate recovery during future device issuances leveraging the same workflow. Key Escrow for the Key Management certificate occurs at the certificate authority. Key Escrow for the other 3 certificates is not available, as a security best practice.
    • Disable Revocation: This option is available only for the encryption (Key Management) certificate. Select this option if you want to disable the revocation of key management certificates on the expiry of the identity device.
    • Algorithm: Select the algorithm type, e.g., ECDSA, RSA.
    • Key Size: Select the key size based on the selected algorithm, e.g., 256, 2048. Currently, the platform supports ECDSA 256 and RSA 2048 key sizes.
    • Subject DN: Select Subject Distinguished Name (Subject DN) attributes to define a format for the DN pattern for each certificate. Check the boxes for the required attributes. Currently, the application supports common name (cn), organizational unit (ou), organization (o), and email address (emailAddress). Based on the selected attributes, the subject DN format is defined. For example, if you have selected common name (cn), organizational unit (ou), and organization (o), then the subject DN format is cn,ou,o.
    • SAN: Select the list icon under the Subject Alternative Name (SAN) and define the identifiers that you require to be included in the X.509 certificate to identify the person the certificate represents. You may select one or more Subject Alternative Name (SAN) entries. The following are the supported SAN entries:
      • Other Name (UPN): Other Name generally refers to a flexible and extensible field that allows for the inclusion of alternative identities not covered by standard SAN types. The Other Name (UPN) option enables you to include the UPN in the certificate to identify the person the certificate represents.
      • Other Name (FASC-N): Other Name (FASC-N) option enables you to include the FASC-N in the certificate to identify the person the certificate represents.
      • RFC822 Name: Refers to an email address.
      • Uniform Resource Identifier (URI): It is a string that uniquely identifies a particular resource. Can be a URL (Uniform Resource Locator) or URN (Uniform Resource Name).
    • Actions: Select the Plus icon to add a row to configure another certificate type and set the values as explained above. You can add a maximum of four certificate types. Select the Cross icon to delete a row.
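    As an added example (not the product's own code) of how the Subject DN and SAN selections above translate into certificate request fields: the DN is built in the order the attributes were selected (e.g. cn,ou,o) with RFC 4514 escaping so user data cannot inject extra RDNs, and the chosen SAN entries are collected with a basic UPN format check. The otherName OIDs for UPN and FASC-N are assumed (the page does not state them), and the user record is constructed.

```python
"""Build Subject DN and SAN entries from the attributes selected in the workflow."""
import re

# Subject DN attributes the page lists as supported.
SUPPORTED_DN_ATTRS = ("cn", "ou", "o", "emailAddress")
# Assumed otherName OIDs for the UPN and FASC-N SAN entries (not stated on the page).
UPN_OID = "1.3.6.1.4.1.311.20.2.3"
FASCN_OID = "2.16.840.1.101.3.6.6"
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value per RFC 4514 (special chars, leading #/space, trailing space)."""
    out = "".join("\\" + c if c in '\\,+"<>;' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def build_subject_dn(selected: list[str], user: dict) -> str:
    """Return the DN in the selected order, e.g. selecting cn, ou, o gives cn=...,ou=...,o=..."""
    rdns = []
    for attr in selected:
        if attr not in SUPPORTED_DN_ATTRS:
            raise ValueError(f"unsupported Subject DN attribute: {attr}")
        rdns.append(f"{attr}={escape_rdn_value(user[attr])}")
    return ",".join(rdns)


def build_san(selected: list[str], user: dict) -> list[tuple[str, str]]:
    """Return (SAN type, value) pairs for the selected entries; the UPN must look like user@domain."""
    san = []
    for entry in selected:
        if entry == "upn":
            if not UPN_RE.match(user["upn"]):
                raise ValueError("UPN must be formatted like jdoe@domain.com")
            san.append((f"otherName:{UPN_OID}", user["upn"]))
        elif entry == "fascn":
            san.append((f"otherName:{FASCN_OID}", user["fascn"]))
        elif entry == "rfc822":
            san.append(("rfc822Name", user["emailAddress"]))
        elif entry == "uri":
            san.append(("uniformResourceIdentifier", user["uri"]))
        else:
            raise ValueError(f"unsupported SAN entry: {entry}")
    return san


if __name__ == "__main__":
    # Constructed sample user record; the comma in cn shows why escaping matters.
    user = {"cn": "Doe, John", "ou": "R&D", "o": "Example Corp", "upn": "jdoe@domain.com"}
    print(build_subject_dn(["cn", "ou", "o"], user))
    print(build_san(["upn"], user))
```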

    Additional Configurations

      NOTE
      The userPrincipalName user attribute mapper must be added while configuring the directory to read the UPN and map it to UPN attribute of the authentication certificate.
    • Read the UPN value from the user's parent directory and map it to the UPN attribute of the authentication certificate: User Principal Name (UPN) is used to uniquely identify a user. Enabling this checkbox will ensure that the UPN attribute is read from the user's parent directory and mapped to the User Principal Name (UPN) attribute of the authentication certificate to support integrated authentication scenarios. The UPN is formatted much like an email address and typically consists of the user's logon name, the "@" symbol, and the domain name, e.g., jdoe@domain.com.
    • Save the issuance status of the credential to the selected directories: Enabling this checkbox will allow the issuance status of the newly issued credentials to be written back to the selected directory using the selected user attribute post-issuance. Depending on the certificate attribute format selected, the corresponding value will be prepared and subsequently written back to the directory. You may specify a single directory or multiple directories, the respective user attribute mappers and certificate attribute formats to write back to the LDAP directories.

      For example, suppose you have set the first user attribute mapper (e.g., username) and the certificate attribute as X09:<I>{ISSUER_DN}<SR>{SUBJECT_SERIAL_NUMBER} with the directory LDAPAD1. Select the + icon to add another row and select the second directory, for instance, LDAPAD2, then select the second user attribute mapper (e.g., lastname) and the corresponding certificate attribute for it as X09:<I>{ISSUER_DN}<SR>{SUBJECT_SERIAL_NUMBER}. Based on the above configuration, the issuance status of the derived credential is updated in both the selected directories.

      • Directory: Select the name of the directory to which the issuance status of the credential must be written back.
      • User Attribute Mapper: You can manually map the issued certificates to a user in the directory by selecting the user attribute mapper. The issuance status in the selected certificate attribute format will be written back to the directory.
      • Certificate Attribute: Select the format in which the issued certificate attribute value must be prepared and subsequently written back to the directory. The below format is recommended as this is considered one of the strong mapping types recommended by Microsoft.
      • Format: X09:<I>{ISSUER_DN}<SR>{SUBJECT_SERIAL_NUMBER}

      • Reverse certificate mapping as recommended by Microsoft for altSecurityIdentities: This option allows you to mandate the reverse certificate mapping method to build the value for the Certificate attribute. Microsoft recommends this as a best practice.
      • Search User Attribute: Select the user attribute using which the user must be searched while writing back to the directory. The available options are email and UPN. It is advisable to use UPN as it is unique per user in a specific directory.
    • Sign data written to the mobile containers with the issuer signing certificate: Select this option to sign the data written to mobile containers with the issuer signing certificate for additional security. For this to be executed, ensure that the Content Signing Certificate has been uploaded.
    • Notify users of any certificates expiring in: Select a value to specify when to start sending notifications to the user regarding expiring certificates. For instance, if the value is set to 5, notifications will be sent to the user 5 days before the certificates expire, warning them about the impending expiration of the certificate issued on the mobile device.
    • Email Notification Frequency: Select a value to set the frequency of sending the notifications.
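    As an added example (not the product's own code) of the directory write-back value described above: it builds the issuer-plus-serial mapping value from a certificate's issuer DN and serial number, applying the reverse mapping convention from the altSecurityIdentities guidance (issuer RDNs in reversed order, serial number octets in reversed order), and produces one value per configured directory row. The page writes the prefix as X09; Microsoft's KB5014754 documents the strong mapping prefix as X509, which is the default here and is a parameter. The issuer DN, serial number and directory names are constructed sample values.

```python
"""Issuer/serial strong-mapping value for post-issuance write-back to LDAP directories."""


def _split_rdns(dn: str) -> list[str]:
    """Split a DN on commas that are not backslash-escaped (RFC 4514 syntax)."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def reverse_issuer_dn(issuer_dn: str) -> str:
    """Issuer DN with RDN order reversed, as the <I> part of the mapping expects."""
    return ",".join(reversed(_split_rdns(issuer_dn)))


def reverse_serial(serial: int) -> str:
    """Serial as even-length uppercase hex with octet order reversed, for the <SR> part."""
    if serial <= 0:
        raise ValueError("certificate serial numbers are positive integers")
    hexstr = format(serial, "X")
    if len(hexstr) % 2:
        hexstr = "0" + hexstr  # keep whole octets before reversing
    octets = [hexstr[i:i + 2] for i in range(0, len(hexstr), 2)]
    return "".join(reversed(octets))


def issuer_serial_mapping(issuer_dn: str, serial: int, prefix: str = "X509") -> str:
    """Value written to the selected user attribute (prefix X509 per KB5014754; page shows X09)."""
    return f"{prefix}:<I>{reverse_issuer_dn(issuer_dn)}<SR>{reverse_serial(serial)}"


def plan_writeback(rows, issuer_dn: str, serial: int, prefix: str = "X509"):
    """One (directory, user attribute mapper, value) tuple per configured directory row."""
    return [(d, m, issuer_serial_mapping(issuer_dn, serial, prefix)) for d, m in rows]


if __name__ == "__main__":
    # Constructed sample: issuer DN and serial as they would appear in the issued certificate.
    rows = [("LDAPAD1", "username"), ("LDAPAD2", "lastname")]
    for row in plan_writeback(rows, "CN=CONTOSO-DC-CA,DC=contoso,DC=com", 0x2B0000000011AC0000000012):
        print(row)
```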

    You have completed the workflow configurations to issue mobile credentials. The next step is to configure the parameters for Derived Credentials.