General Settings

The General Settings menu enables organizations to configure various policies and settings. This tutorial provides a comprehensive guide to all the configurations you can manage at the organization level.

Log in to the Unifyia platform as an administrator. On the Dashboard, navigate to Configurations > General Settings. You will find three tabs, one each for General Information, Policies and Settings, and Certificates.

The General Settings option on the Unifyia platform enables you to configure the following:

  • General organizational details and endpoints configuration details of the Unifyia platform.
  • Policies and Settings such as signing events digitally for security audit, session sign out, biometrics validity expiration, card expiration, and the PIV verification policy.
  • Certificate Settings related to FASC-N for PIV, PIV-I, and CIV IDs and Subject DN attributes.

General Information

Under the General Information tab, you can view the following organizational details. Select Update to save the changes.

  1. Organization Name: View the name of your organization. Your organization name and the account name are the same.
  2. Contact Email: View the email address with which your organization is registered with the Unifyia platform.
  3. Contact First Name: View the first name of the contact person for your organization. You can edit this field if required.
  4. Contact Last Name: View the last name of the contact person for your organization. You can edit this field if required.

Endpoints

The following is a list of SAML and OIDC endpoints that the organization publishes. These endpoints can be used to communicate with the platform.

OpenID Endpoint Configuration: This link contains the IdP (platform) endpoint configuration details that service providers use to configure the platform as the SSO identity provider in their relying party application. It contains the authentication, token, and certificate URLs and the user endpoint details.

SAML 2.0 Identity Provider Metadata: SAML is an XML-based protocol used for exchanging authentication and authorization data between parties, specifically between an identity provider (IdP) and a service provider (SP). Access this link for the organization metadata (Unifyia platform metadata) required for the service providers to integrate it as an IdP using the SAML Protocol.

Policies and Settings

Navigate to the Policies and Settings tab. The following policies and settings can be configured to comply with the security standards set by your organization. For each policy type, the available settings, their options, and a description are listed below.

General

Read Name from Certificate Common Name during Onboarding with PIV ID (Enable/Disable): Organizations can enable this feature if they need to read and capture the user's common name from the PIV card during the onboarding process using a PIV ID.

ITAR Country List Check (Enable/Disable): The U.S. government keeps a list of countries and entities that are either restricted or prohibited from receiving items controlled under the International Traffic in Arms Regulations (ITAR). Enabling this option excludes ITAR-restricted countries from the list of countries shown during the enrollment process.

Enable Digital Signing (Enable/Disable): To guarantee the integrity and authenticity of the submitted data, organizations can enable the option to sign each event using the PIV digital signature certificate of the logged-in user. For instance, when a logged-in operator updates a user's enrollment data, the system prompts the operator to digitally sign the event using the PIV card. For more information, refer to Security Audit.

Show Identity Providers on the Sign-In Page (Enable/Disable): Once an IdP is set up, its name or logo appears as a button on the Unifyia platform's sign-in page. Use this setting to display or hide that button.
  1. Enabled: The integrated IdP's name or logo appears on the sign-in page.
  2. Disabled: The integrated IdP's name or logo is not displayed on the sign-in page.
    1. For first-time IdP users, since their account does not yet exist in the Unifyia platform, attempting to log in with IdP credentials results in a message indicating that the user does not exist. At this stage, the platform presents the option to either proceed with IdP credentials or use certificate-based login.
    2. Once the user has been successfully onboarded into the Unifyia platform, they can log in using their IdP credentials as outlined in the steps below:
      1. Launch the Unifyia platform using its URL in a web browser on a computer and select Sign In.
      2. On the sign-in page, provide the username or email and select Sign In.
      3. The list of configured authentication methods is displayed. Select Single Sign-On and choose Continue.
      4. The sign-in page of the IdP is displayed.
      5. The user enters their credentials.
      6. On successful verification, the user is logged into the Unifyia platform.

Session Sign Out

You can set a session sign-out policy that ensures users are automatically logged off after a specified period of inactivity. You can also set the time at which a warning message is triggered to inform the user about the impending sign-out. This prevents unauthorized access and loss of sensitive data when a system is left unattended, and helps comply with the privacy and security standards of regulated industries.

Sign-out inactive users after: Specify the number of minutes of inactivity the system must wait. Once this time expires, users are automatically logged out of the platform.

Give users this much notice before signing them out: Specify the number of minutes before sign-out at which the system triggers a warning to the user about the impending sign-out due to inactivity. For example, if the inactivity time before sign-out is set to five minutes and the warning time is set to two minutes, the system triggers the warning two minutes before the user is signed out.

Subscriber Agreement

Display Subscriber Agreement During Activation (Enable/Disable): Organizations can enable this option if the user's (subscriber's) agreement to the terms and conditions is required before activating a smart card or security key. A customized subscriber agreement can be pasted in the provided text area; it is limited to 1000 characters. When the user activates the smart card or security key, the agreement is displayed, and the user must agree to proceed with the activation. Learn more about activation.

Enrollment Policy

Biometrics Validity Expiration (Enable/Disable): Organizations may have a policy to re-enroll biometrics after a specified period. They can turn on this option to enforce a policy that expires the validity of collected biometrics. The user is required to re-enroll their biometrics after the specified validity period.

Select Expiration Days: Select the expiration period of the collected biometrics.

Notify operators of biometric expiration set to expire in (days): Select a value to specify when notifications must be sent alerting operators and users about expiring and expired biometrics validity. For example, if the value is set to 5, then:
  • 5 days before the expiration of the biometrics validity:
    • The operators receive a list of users with expiring biometrics validity.
    • Users are notified about their expiring biometrics validity.
  • After the biometrics validity has expired:
    • The operators receive a list of users whose biometrics have expired.
    • The users are notified that their account has been suspended due to the expired biometrics validity.

Email Notification Frequency: Select a value to set how often notifications are sent to the operators and users about expiring and expired biometrics validity.

Biometrics Expiry Check Scheduler: Specify the cron expression that triggers a scheduler which runs periodically to check for expiring biometrics. For more information, refer to the section How to Set a Cron Expression? This job generates reports and triggers notifications:
  • Reports to Operators via Emails: Operators are emailed a list of users whose biometrics validity is expiring and another list of users whose biometrics validity has expired.
  • User Notifications: Users are sent email and SMS messages informing them about expiring and expired biometrics validity.

Card Expiration Policy

Card Expiry Check (Enable/Disable): Smart cards and certificates both have expiration dates. When issuing or reissuing certificates, it is crucial to ensure that the certificate's validity period does not exceed the expiration date of the smart card. Enable this option to check the card's expiration date during certificate issuance. If the certificate's validity extends beyond the card's expiration, the issuance is flagged.

PIV Verification Policy

Allowed OIDs for Verification: Specify the OIDs, separated by commas, that the system accepts when validating the user's identity during the PIV verification process. OIDs, as defined in NIST SP 800-73-4, are used in X.509 certificates to identify specific attributes or extensions related to the cardholder's identity, access privileges, and encryption keys. In PIV certificates, OIDs represent specific information such as:
  • Key usage (e.g., digital signature, non-repudiation, key agreement).
  • Extended key usage (e.g., client authentication, email protection).
  • Biometric data (e.g., fingerprint, iris, face recognition).
  • Certificate policies (e.g., to enforce standards and security requirements).

How to Set a Cron Expression?

A cron expression is a string used to define a schedule for running tasks or jobs automatically at specified intervals. It's commonly used in job schedulers like Cron to schedule repetitive tasks such as backups, system maintenance, or sending emails. The platform leverages a cron expression to fetch the list of users whose biometrics are expiring and expired. Cron expressions provide flexible, precise control over task scheduling.

A cron expression may consist of up to seven fields, each representing a unit of time. The fields below are written in the following order; a classic crontab schedule uses five of them (minute through day of the week), while some schedulers also accept a leading seconds field:

Field              Allowed Values     Allowed Characters
Second             0-59               * , - /
Minute             0-59               * , - /
Hour               0-23               * , - /
Day of the month   1-31               * , - ? /
Month              1-12 or JAN-DEC    * , - /
Day of the week    0-6 or SUN-SAT     * , - ? /

Together, tasks scheduled in a crontab are structured like this:

minute hour day_of_month month day_of_week [command_to_run]

Example Cron Expressions:

Here are some examples of how to use cron's scheduling component:

Expression             Description
* * * * *              Run the command every minute.
12 * * * *             Run the command 12 minutes after every hour.
0,15,30,45 * * * *     Run the command every 15 minutes.
*/15 * * * *           Run the command every 15 minutes.
0 4 * * *              Run the command every day at 4:00 AM.
0 4 * * 2-4            Run the command every Tuesday, Wednesday, and Thursday at 4:00 AM.
20,40 */8 * 7-12 *     Run the command at the 20th and 40th minute of every 8th hour, every day, during the last six months of the year.

Wildcards:

  • *: Represents "every" (e.g., every minute, every day, etc.).
  • ,: Specifies multiple values (e.g., "1,3,5" for specific days of the week).
  • -: Defines a range of values (e.g., "1-5" for Monday through Friday).
  • /: Specifies step intervals (e.g., "*/10" means every 10 units, such as every 10 minutes).
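As an added example (not Unifyia platform code), the following Python interprets the six fields of the table above, including the JAN-DEC and SUN-SAT names, the ? wildcard, lists, ranges and step intervals, and checks whether a given timestamp falls on the schedule; it also accepts the five-field crontab form, with seconds defaulting to 0. Whether the platform's own scheduler accepts a seconds field is an assumption not stated on this page.

```python
# Added example, not Unifyia platform code: evaluate cron expressions as tabulated above.
from datetime import datetime

MONTHS = {m: i + 1 for i, m in enumerate("JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split())}
DAYS = {d: i for i, d in enumerate("SUN MON TUE WED THU FRI SAT".split())}
# One (low, high, name table) triple per field, in the order of the table above.
FIELDS = [(0, 59, {}), (0, 59, {}), (0, 23, {}), (1, 31, {}), (1, 12, MONTHS), (0, 6, DAYS)]


def _value(token, names):
    """Turn one atom (a number, JAN-DEC or SUN-SAT) into an integer."""
    return int(names.get(token.upper(), token))


def expand_field(spec, lo, hi, names):
    """Return the set of integers one field matches; handles * ? , - and /."""
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:                       # "*/15" or "5/10": step interval
            part, step_text = part.split("/", 1)
            step = int(step_text)
            if step < 1:
                raise ValueError(f"invalid step in {spec!r}")
        if part in ("*", "?"):                # ? is the wildcard of the two day fields
            start, end = lo, hi
        elif "-" in part:                     # "2-4" or "MON-FRI": inclusive range
            first, last = part.split("-", 1)
            start, end = _value(first, names), _value(last, names)
        else:                                 # single value; "5/10" means 5, 15, 25, ...
            start = _value(part, names)
            end = hi if step > 1 else start
        if not lo <= start <= end <= hi:
            raise ValueError(f"{spec!r} is outside the allowed range {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


def parse_cron(expr):
    """Parse a 5-field crontab schedule or a 6-field expression with leading seconds."""
    fields = expr.split()
    if len(fields) == 5:                      # classic crontab: seconds default to 0
        fields = ["0"] + fields
    if len(fields) != 6:
        raise ValueError(f"expected 5 or 6 fields, got {len(fields)}")
    return [expand_field(f, lo, hi, names) for f, (lo, hi, names) in zip(fields, FIELDS)]


def matches(expr, when):
    """True if the schedule fires at `when` (a datetime or ISO string; Sunday is day 0)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    sec, minute, hour, dom, month, dow = parse_cron(expr)
    return (when.second in sec and when.minute in minute and when.hour in hour
            and when.day in dom and when.month in month and (when.weekday() + 1) % 7 in dow)
```

For instance, the last table row, `20,40 */8 * 7-12 *`, matches 2025-09-15 at 16:40 but not the same time in March, and `0,15,30,45` and `*/15` expand to the same set of minutes.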

Certificate Settings

FASC-N (Federal Agency Smart Card Number) and Subject DN (Distinguished Name) are both crucial components of PIV (Personal Identity Verification) ID certificates. While the FASC-N uniquely identifies the PIV card and cardholder and shows that the card was issued by an authorized agency, the Subject DN provides the detailed identity information that ties the PIV certificate to the individual cardholder. Together they ensure secure and accurate identification and authentication of the federal employees or contractors who use PIV cards. The FIPS 201-3 standard mandates the use of FASC-N.

The Unifyia platform allows you to configure the FASC-N and Subject DN values that would be embedded in the certificates as a part of credential issuance. Navigate to the Certificate Settings tab. You will notice two tabs - one for FASC-N and another for Subject DN settings.

FASC-N Settings

Select the FASC-N tab to configure the FASC-N contents for PIV, PIV-I, and CIV identities. There are three tabs, one each for the PIV, PIV-I, and CIV identities. Select the required tab and configure the FASC-N settings. For PIV and PIV-I identities, the FASC-N is mandatory, whereas for a CIV ID it is optional. If your organization requires a FASC-N for CIV IDs as well, enable the FASC-N Encoding option under the CIV section and configure the values as required. The configurable FASC-N parameters are the same for all ID types. The following table describes the available parameters (fields), their character length, and the possible values.

Configurable FASC-N Contents

UUID (length 6): Select the required number of digits for the system to generate a universally unique identifier for the user during personalization. Possible values are 1, 5, and 6.

Parameters to uniquely identify the card

Agency Code (length 4): Provide the 4-digit agency code, as listed in NIST SP 800-87, to identify the government agency issuing the credential. The Agency Code is a unique identifier assigned to an agency or organization issuing the PIV credentials. It helps to distinguish credentials issued by different agencies within the federal government or other entities.

System Code (length 4): Provide the 4-digit system code that identifies the system the card is enrolled in. This number is unique for each site. The System Code is a specific identifier that represents the system or environment within which the PIV credential is being used. It helps to ensure the credential is valid in the context of the particular security system.

Credential Number (length 6): Indicates that a 6-digit unique credential number will be randomly generated by the system to identify the card during personalization. The Credential Number is a unique identifier assigned to an individual PIV credential. It distinguishes one credential from another within a given system and is typically used for tracking and management purposes.

Credential Series (Series Code) (length 1): Select the 1-digit series number that reflects major changes or upgrades to the system.

Parameters to uniquely identify the cardholder

Organization Category (length 1): Select the category of the organization the individual is affiliated with. The possible values are:
  • 1 - Federal Government
  • 2 - State Government
  • 3 - Commercial Enterprise
  • 4 - Foreign Government
The Organization Category specifies the type or classification of the organization that issues the PIV credentials. This could include categories such as federal or state government agencies, contractors, or other groups, based on the nature of the organization.

Organization Identifier (length 4): Select the identifier of the organization the individual is affiliated with. Its meaning depends on the Organization Category (OC) chosen:
  • OC=1: provide the NIST Agency Code (refer to NIST SP 800-87)
  • OC=2: provide the State Code
  • OC=3: provide the Company Code
  • OC=4: provide the Numeric Country Code
The Organization Identifier is a unique code assigned to an issuing organization. It is used to differentiate between the various organizations or entities that may issue PIV credentials, providing clear identification of the credential's source.

Subject DN Settings

The platform allows you to configure Subject DN attributes for certificates. To configure, navigate to the Subject DN tab under the Certificate Settings tab. Currently, the platform supports the following attributes:

  • Common Name: This is the primary identifier for an individual. A dropdown lists the available formats for the common name; select the required format to have it used in the Subject DN of the certificates. The available common name formats are:
    • CN=firstname lastname, e.g., Jane Smith
    • CN=firstname lastname intended usage short, e.g., Jane Smith Auth
    • CN=firstname lastname intended usage, e.g., Jane Smith Authentication
    • CN=firstname lastname (Affiliate), e.g., Jane Smith (Affiliate)
    • CN=firstname initial. lastname, e.g., Jane A. Smith
    • CN=firstname middlename lastname, e.g., Jane Alex Smith
    • CN=lastname.firstname.middlename, e.g., Smith.Jane.Alex
    • CN=firstname lastname - intended usage - expiry, e.g., Jane Smith - Signature - Expires 01/15/2025
    • CN=firstname lastname - intended usage - agency identifier, e.g., Jane Smith - Signature - 123456
    • CN=firstname lastname - intended usage - SKI identifier, e.g., Jane Smith - Authentication - 123456
  • Organizational Unit (OU): Identifies a department or division within the organization (e.g., IT Department, Security Division). It provides a way to further qualify the organization. It helps distinguish certificates within the same organization.
  • Organization (O): This is the full legal name of the organization or company (e.g., Unifyia). This must be a legally registered name and verifiable when used in public certificates.
  • Country (C): This is the two-letter ISO 3166 country code of the country in which the organization is legally based (e.g., US for the United States, DE for Germany, FR for France). Note that only one country code is allowed in a Subject DN.
  • Email Address (emailAddress): A user attribute used to identify or contact the subject via email. This is often included in certificates for individuals or roles.
  • State or Province Name (ST): The full name of the state or province (e.g., California).
  • Locality Name (L): The city or locality (e.g., San Francisco).
  • Street Address (STREET): The physical street address of the subject.
  • Unique Identifier (UID): A unique identifier for the user, such as a username or ID number.

Select the cross icon to remove an attribute. Select the plus icon to add an attribute. The selected attributes will be displayed in the Subject DN list when configuring certificates in the workflow.
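As an added example (not the platform's own code), this Python assembles the Subject DN string from a user record, one of the Common Name formats listed above, and the selected attribute list, applying RFC 4514 escaping so that a value such as "Smith, Jr." cannot split into extra attributes, and enforcing the single two-letter C rule. The user record field names (first, middle, last, usage, usage_short, expires, agency_id, ski) are assumed, and the sample record is constructed.

```python
# Added example, not Unifyia platform code: build a Subject DN from the chosen CN format.
from datetime import date

# Common Name formats listed above, keyed by label; braces are user-record fields (assumed names).
CN_FORMATS = {
    "firstname lastname": "{first} {last}",
    "firstname lastname intended usage short": "{first} {last} {usage_short}",
    "firstname lastname intended usage": "{first} {last} {usage}",
    "firstname lastname (Affiliate)": "{first} {last} (Affiliate)",
    "firstname initial. lastname": "{first} {initial}. {last}",
    "firstname middlename lastname": "{first} {middle} {last}",
    "lastname.firstname.middlename": "{last}.{first}.{middle}",
    "firstname lastname - intended usage - expiry": "{first} {last} - {usage} - Expires {expires:%m/%d/%Y}",
    "firstname lastname - intended usage - agency identifier": "{first} {last} - {usage} - {agency_id}",
    "firstname lastname - intended usage - SKI identifier": "{first} {last} - {usage} - {ski}",
}
SUPPORTED = ("CN", "OU", "O", "C", "emailAddress", "ST", "L", "STREET", "UID")  # per the list above
# Constructed sample user record (not real data).
JANE = {"first": "Jane", "middle": "Alex", "last": "Smith", "usage": "Signature",
        "usage_short": "Sig", "expires": date(2025, 1, 15), "agency_id": "123456", "ski": "123456"}

def escape_rdn_value(value):
    """Escape an attribute value as RFC 4514 section 2.4 requires."""
    out = []
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, len(value) - 1)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def common_name(user, cn_format):
    """Render the Common Name for `user` in the selected format."""
    if cn_format not in CN_FORMATS:
        raise ValueError(f"unknown Common Name format {cn_format!r}")
    extra = {"initial": user["middle"][0]} if user.get("middle") else {}
    try:
        return CN_FORMATS[cn_format].format(**extra, **user)
    except KeyError as missing:
        raise ValueError(f"user record lacks field {missing}") from None

def build_subject_dn(user, cn_format, attributes):
    """attributes: list of (type, value) pairs selected in the Subject DN tab, placed after CN."""
    rdns = [("CN", common_name(user, cn_format))]
    for attr_type, value in attributes:
        if attr_type not in SUPPORTED:
            raise ValueError(f"unsupported attribute {attr_type!r}")
        if attr_type == "C" and not (len(value) == 2 and value.isascii() and value.isalpha() and value.isupper()):
            raise ValueError("C must be a two-letter ISO 3166 code")
        rdns.append((attr_type, value))
    if sum(1 for t, _ in rdns if t == "C") > 1:
        raise ValueError("only one C attribute is allowed in a Subject DN")
    return ",".join(f"{t}={escape_rdn_value(v)}" for t, v in rdns)
```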