User Guide

The Unifyia platform is a future-proof, cloud-native, microservices-based, unified platform for identity and access management. It supports enrolling, issuing, authenticating, and managing user and partner identities. It supports role-based access to the platform defined as per the organization's policy.

In the Unifyia platform, a user is an individual to whom identities need to be issued. Users can access the self-service platform anytime and from anywhere, providing flexibility and convenience in managing their identities thus reducing dependency on IT support.

The Unifyia platform empowers users to

  • self-issue additional identities/credentials on different form factors such as smart cards, NFC cards, security keys, and mobile devices leveraging their existing credentials based on the configured workflows. These additional identities allow multi-factor authentication (MFA) of users for accessing multiple applications within an organization.
  • view and manage the issued credentials.
  • view the notifications regarding the expiring certificates and the new SSO applications that have been added or removed for them.
  • access approved SSO (Single Sign-On) applications that they can log into using the existing credentials.

Supported Browsers to access the Unifyia platform

  • Windows
    • Google Chrome on Windows
    • Microsoft Edge on Windows
  • macOS
    • Safari on macOS

Based on the permissions granted to you on the Unifyia platform, you may have access to the following screens:

  • Dashboard
  • Identities - to add new identities, view issued identities, and perform the granular lifecycle actions for the issued identities
  • Applications - the applications that can be accessed via single sign-on.
  • ID Reader - an option to read the contents of an issued smart ID.

Before You Begin

Install Unifyia User Client

The Unifyia User Client is an application running as a Windows and macOS service. It facilitates interactions with various types of card readers to execute requested operations on the connected identity devices. You will receive a client meant for users from your organization. Download the Client application that was shared with you and extract it on your local machine. Refer to the Unifyia User Client Guide for more information.

Prerequisites to Access the Unifyia Platform
  • You must have received a PIV Identity. To receive a PIV identity, you need to
    • be sponsored as a user in the system.
    • complete identity document verification.
    • complete enrollment by providing user data, and biometrics such as face, fingerprint, iris, or signature.
    • get enrollment approval to issue identities.
    • receive a PIV ID via mail or collect it from a bureau by scheduling an appointment.
  • You must have access to the Unifyia platform as a user.

Activate Your Smart Card

NOTE
The Activation option is currently available only for the smart cards which are personalized with PIV credentials. You must not activate a smart card which has both PIV+FIDO credentials; these smart cards are already activated once issued. Also, you cannot activate a PIV credential issued on a Yubikey.
Prerequisites
  • Have a smart card reader to read smart cards.
  • Have installed the Unifyia User Client on your system to access the connected devices.
  • Have a PIV ID to be activated.
  • Received an email with the activation PIN.
  • Knowledge of the email address registered during your enrollment.

If you have received your PIV smart card from your organization, you need to activate it before logging into the Unifyia platform. Follow the below steps.

  1. Launch the platform. For example, the URL may be https://<organization_name>.unifyia.com
  2. Select the Activate Your Smart Card option on the login page.
  3. Enter the email address registered during your enrollment.
  4. Select Next.
  5. Select Activate against the identity device that you need to activate.
  6. Connect your PIV smart card reader to your computer and insert your PIV smart card into the card reader.
  7. Old PIN: Enter the activation PIN sent to your email. If you forgot or did not save your activation PIN, click on the link I forgot my PIN! An email will be sent to the registered email. Check the email and enter the activation PIN.
  8. New PIN: Provide a new PIN.
  9. Confirm PIN: Confirm the provided PIN.
  10. Select Activate. Your device is activated. Select Done to access the Sign In page.

Login Using the PIV Smart Card

Follow the below steps to log in:

  1. Launch the platform to access the sign-in page. For example, the URL may be https://<organization_name>.unifyia.com
  2. Connect your PIV smart card reader to your computer and insert your PIV smart card into the card reader. On the Sign-In page, select the option Use Smart Card.
  3. The system will detect your identity automatically and prompt you to select the certificate.
  4. Select a certificate.
  5. Enter your PIN when prompted to proceed.
  6. You are now logged in to the platform.

Dashboard

The dashboard is the screen that appears as soon as the user logs in. It lists the notifications received by the user, the applications that the user is allowed to access using Single Sign On (SSO), and the issued identity devices.

Typically, as a user, you may have access to the following menu options:

  1. Identities
  2. Applications
  3. ID Reader

You will see the following panels on the dashboard:

  1. Notifications
  2. Applications
  3. My Identity Devices

Notifications

In this panel, you can view the notifications related to expiring certificates and new identities approved for issuance.

Applications

This panel lists all the applications that you can log in to using the same set of login credentials that you used to access the Unifyia platform.

My Identity Devices

This panel displays the list of the issued identities.

  • Identity Device: This denotes the issued identity device, which could be a mobile device, a FIDO2 Passkey, a YubiKey (for example, Yubikey 5), or a smart card (for example, an IDEMIA Card).
  • Workflow: The name of the assigned workflow.
  • Credentials: The type of credential issued.
  • Status: The status of the issued identity device.
  • Connections: This denotes whether the device is connected or not.
  • Actions: Option to manage the issued identities.

Issue Identities

Using the Identities option on the platform, you can:

  • add new identities.
  • manage the identity, application, and credential lifecycle.

Supported Identity Devices

The Unifyia platform supports the issuance of smart cards, security passkeys, and mobile identities in apps. The following models of Identity Devices are supported for issuance using the Unifyia Platform.

  • ID-One PIV v2.4.1 on Cosmo V8.1
  • ID-One PIV v2.4.2 on Cosmo V8.2
  • ID-One PIV v2.3.4 on Cosmo V7
  • G&D SCE 7.0 with PIV Applet V1.0
  • Thales IDPrime PIV v3.0
  • ZTPass on NXP P71D600
  • Yubikey????

Add Identity Devices

The available options to add new identities are governed by the organization's issuance policy. To add a new identity device, log in to the platform. On the dashboard, select + Add New. A list of allowed identity devices is displayed. Select one identity device and proceed to continue the issuance.

The following are the types of identities that you can self-issue if approved:

Authentication

The Unifyia platform supports the following authentication methods based on the issued identities:

  • Login using PIV ID, Derived PIV/FIDO2
  • Login using Federated PIV Identities
  • Login using Platform Authenticators - Passkeys (FIDO2)
  • Login using Cross-Platform Authenticators - External FIDO2 Security Keys
  • Login using Unifyia ID Wallet Credentials
    • Unifyia ID Wallet with PKI - Consent-based authentication method where a PKI credential stored on a mobile is used for signing the consent
    • Unifyia ID Wallet with Push Verify – Consent-based authentication method
    • Unifyia ID Wallet with OTP – Authentication method using One-Time Passwords
    • Unifyia ID Wallet with FIDO2 credential

To learn more about the various authentication methods, refer to Authentication.

Granular Lifecycle Management

The Identities option allows you to add new authenticators as well as manage the lifecycle of identity devices, applications, and issued credentials as per the organization's policy. You can perform the following lifecycle actions:

  • Activate
  • Suspend
  • Reactivate
  • Renew
  • Change PIV PIN
  • Reset PIV PIN using PUK
  • Change FIDO PIN

To learn more about the various identity lifecycle actions that you as a user can manage, refer to Granular Lifecycle Management - Users.

Single Sign-On

The Unifyia platform supports the Single Sign-On (SSO) feature if your organization has enabled it for you. When activated, you can view all available applications under the Applications option. You can access these applications using the same set of login credentials used for the Unifyia platform. With these credentials, you can log in to the integrated service providers as configured. Currently, the platform supports OKTA for SSO. Click on the Okta application and you will be directly logged in.

Read PIV ID

The Read PIV ID option allows you to read the contents of the PIV-supported devices or Security Keys. This is useful to verify if all the certificates have been loaded onto the device for authentication and verification.

  1. Select the ID Reader option from the menu on the dashboard.
  2. Connect a PIV identity device (smart card or security key) that has PIV credentials issued. The system detects the connected device.
  3. Enter the PIN of the device.
  4. Select OK to see the following details:
    1. Device Information: This is the ATR (Answer To Reset) of the device, the serial number, and the model of the device.
    2. CHUID Information: CHUID stands for Cardholder Unique Identifier. This is a number that is stored electronically on a smart card.
    3. FASC-N: The Federal Agency Smart Credential Number. This is the primary identifier of the smart card for physical access control.
    4. Certificates: This section shows the details of the user and the certificates present inside the smart card. It displays the details of the below-mentioned certificates:
      1. Authentication
      2. Card Authentication
      3. Digital Signature
      4. Key Management
    5. User Biometrics: This section shows all the user biometrics captured as part of the enrollment process.
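An added example, not code from the Unifyia guide or the Unifyia User Client: a Python decoder for the FASC-N value that the ID Reader displays, which checks each character's parity, the sentinels and the LRC before splitting the value into its named fields. The 25-byte sample is embedded inline for this example.

```python
# Added example, not code from the Unifyia guide: decode and integrity-check the
# FASC-N that the ID Reader displays. Per the SCEPACS FASC-N format, 25 bytes hold
# 40 five-bit characters: four BCD data bits (LSB first) plus an odd-parity bit.
SS, FS, ES = 0xB, 0xD, 0xF  # start sentinel, field separator, end sentinel
FIELDS = (("agency_code", 4), ("system_code", 4), ("credential_number", 6),
          ("credential_series", 1), ("individual_credential_issue", 1),
          ("person_identifier", 10), ("organizational_category", 1),
          ("organizational_identifier", 4), ("association_category", 1))

def unpack_chars(data: bytes):
    """Split the 200-bit stream into 40 (nibble, parity_ok) pairs."""
    if len(data) != 25:
        raise ValueError("FASC-N must be exactly 25 bytes")
    bits = "".join(f"{b:08b}" for b in data)
    out = []
    for i in range(0, 200, 5):
        b0, b1, b2, b3, p = (int(c) for c in bits[i:i + 5])
        nibble = b0 | (b1 << 1) | (b2 << 2) | (b3 << 3)  # LSB-first BCD
        out.append((nibble, (b0 + b1 + b2 + b3 + p) % 2 == 1))  # odd parity
    return out

def decode_fascn(data: bytes) -> dict:
    """Return named FASC-N fields; raise ValueError on any integrity failure."""
    chars = unpack_chars(data)
    if not all(ok for _, ok in chars):
        raise ValueError("parity error in FASC-N character")
    nib = [n for n, _ in chars]
    if nib[0] != SS or nib[38] != ES:
        raise ValueError("missing start or end sentinel")
    lrc = 0
    for n in nib[:39]:  # LRC is the XOR of the data nibbles from SS through ES
        lrc ^= n
    if lrc != nib[39]:
        raise ValueError("LRC mismatch")
    pos, fields = 1, {}
    for idx, (name, width) in enumerate(FIELDS):
        digits = nib[pos:pos + width]
        if any(d > 9 for d in digits):
            raise ValueError(f"non-digit in {name}")
        fields[name] = "".join(map(str, digits))
        pos += width
        if idx < 5:  # only the first five fields are followed by a separator
            if nib[pos] != FS:
                raise ValueError(f"missing separator after {name}")
            pos += 1
    return fields

# Sample FASC-N embedded inline for this example; it carries the 9999 test agency code.
SAMPLE_FASCN = bytes.fromhex("D4E739DA739CED39CE739D836858210842108421C84210C3EB")
```

If the reader shows a FASC-N whose parity, sentinels or LRC fail here, the value was read or personalized incorrectly and should not be trusted for access control.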