
Info: This article includes updates for Smart ID 23.04.2.

Mobile App: Create Key

Description

Use this task to provision a new profile or update an existing one, overwriting existing keys. The task will create the keys needed for the "Mobile App: Install certificates" task.

The task will generate the following PKCS#10 request templates:

  • Signature Certificate (optional)
  • Authentication Certificate (optional)
  • Device Encryption (used to secure the communication with Smart ID Mobile App)

These requests are then sent to the mobile phone and transformed into new PKCS#10 requests (with key pairs generated on the client but keeping all subject data). The new requests are then sent to the message catching intermediate event identified by the parameter 'messageName'. Identity Manager puts these PKCS#10 requests into the process map under the keys "SIG_P10_VAR", "AUTH_P10_VAR" and "DEVICE_ENC_P10_VAR". If a new profile was created, Identity Manager also puts the new profileId into the process map under the key "profileId". To save the profile id, copy it into a data pool field.

After this task is executed, you need to request certificates using the requests stored in the process variables "SIG_P10_VAR" and "AUTH_P10_VAR" before proceeding to the "Mobile App: Install certificates" task. Store the requested certificates into the process map.

Info

Smart ID Mobile App will sign the request data and Identity Manager will verify the mobile client's data signature using the attestation key. The attestation key is configured in the task's attestationKeySet parameter and in the Sign and encrypt engine in Identity Manager.

If the verification fails, the task will not accept the data but set two process variables instead:

  • The errorTypeField (see the parameters below) will be set to "HERMOD_ERROR_JWT_SIGNATURE". Use this in your process design to react to validation errors.
  • The errorMessageField (see the parameters below) will contain a more descriptive message.

Configuration

To use this task, configure the following delegate expression in your service task:

    ${hermodKeyCreationTask}

The following parameters can be configured in Identity Manager Admin:

messagingServer
  Example value: MessagingServer
  Description: The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides the data (URL, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.

messageName
  Example value: p10PreparationCallback
  Description: The name of the intermediate message catching event that will be triggered by Smart ID Messaging.

userid
  Example value: ${Person_Email}
  Description: ID representing the user on the messaging server. It is displayed in the profile on the mobile app so the user can verify that the correct data was provided. A common approach is to use the user's email address.

errorMessageField
  Example value: ErrorMessage
  Description: Process variable that receives the error message in case of failure.

errorTypeField
  Example value: ErrorType
  Description: Process variable that receives the error type in case of failure.

signCertificateTemplate
  Mandatory: -
  Description: Signature certificate template.

authCertificateTemplate
  Mandatory: -
  Description: Authentication certificate template.

profileName
  Mandatory: if new profile
  Value: leave empty when updating a profile
  Description: Profile name for Smart ID Messaging, displayed in Smart ID Mobile App. Leave empty if you want to update an existing profile.

serverName
  Mandatory: if new profile
  Example value: Smart ID
  Description: Name of the server that issued the provisioning request, shown so the user understands where the profile comes from.

attestationKeySet
  Mandatory: - (defaults to "ATTESTATION" if not set)
  Example value: ATTESTATION (default value)
  Description: The name of the attestation key used for signing (by the client) and validating (by Identity Manager) the mobile client's data. The available values are the names of the descriptors in the Sign and encrypt engine that start with "att_", without this prefix. An attestation key with the same name must be defined in Smart ID Mobile App or on the MDM device. The default value is "ATTESTATION" when no descriptor value is provided.

qrResultField
  Mandatory: if new profile
  Example value: QR_CODE_VAR
  Description: Process variable that receives the resulting URL. This URL may be converted into a QR code for Smart ID Mobile App using GenerateQRCodeParametrizedAction.

profileId
  Mandatory: if updating a profile
  Value: leave empty for a new profile
  Description: ID of the Smart ID Mobile App profile that will be updated with new keys. Leave empty if you want to provision a new profile.

storagePriority
  Valid values:
    • APP (for Smart ID Mobile App, default)
    • EXT (for Mobile Iron device)
    • MDM (replaced by EXT, but still supported)
  Description: Storage priority of certificates. MDM has been replaced by EXT but is still supported.

visualIdLayout
  Mandatory: if using visual ID
  Example value: Default Layout
  Description: The layout used for creating the visual ID. If a JUEL expression is configured for the front or back side image, it takes precedence over the statically configured image. If the JUEL expression yields no image and no static image is configured, the task fails.

cardDatapool
  Mandatory: if using visual ID
  Example value: PcmDpPersonalMobile
  Description: The datapool used for saving the mobile ID profile.

contentId
  Mandatory: if using visual ID
  Example value: ${GeneratedContentId}
  Description: A unique ID in UUID format, which will be associated with the personal mobile profile. It can be generated with the service task "MISC: Generate Random GUID into Data Map Field".


Mobile App: Delete Profile

Description

Use this task to delete a profile managed by Smart ID Desktop App. It can also delete all Smart ID Messaging mailboxes for a specific user id.

This task can be used in the following ways:

Delete profile on Smart ID Mobile App and Smart ID Messaging

Execute the task on a card profile that contains information about the profile id.

  1. Specify a profile id and set the confirmation flag to true. All other parameters must be provided as well.
  2. The request is sent to Smart ID Mobile App, which deletes the profile identified by the specified profile id.
    • The result is sent to the message catching intermediate event identified by the parameter 'messageName'.
    • After receiving a successful response from Smart ID Mobile App, Smart ID Messaging also deletes the mailbox and forwards the same response back to Identity Manager.

Delete mailbox on Smart ID Messaging only

  1. Set the confirmation flag to false.
    Note: Even if the confirmation flag is set to false, you need to set the 'messageName' parameter to a dummy value to be able to delete the mailbox(es).
  2. Smart ID Messaging deletes either a specific mailbox when a profile id is provided, or all mailboxes of the specified user id when the profile id is absent. The profiles themselves in their respective apps are retained, as the deletion request is not forwarded.

Configuration

To use this task, configure the following delegate expression in your service task:

    ${pmHermodDeleteProfileTask}

The following parameters can be configured in Identity Manager Admin:

messagingServer
  Description: The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides the data (URL, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.

messageName
  Description: The name of the intermediate message catching event that will be triggered by Smart ID Messaging.

errorMessageField
  Example value: ErrorMessage
  Description: Process variable that receives the error message in case of failure.

errorTypeField
  Example value: ErrorType
  Description: Process variable that receives the error type in case of failure.

profileId
  Mandatory: when the confirmation flag is true
  Example value: ${Card_ProfileId}
  Description: ID of the profile to be deleted, as created via "Mobile App: Create Key".

userid
  Example value: ${Person_Email}
  Description: ID representing the user on the messaging server. This must match the userid provided when the profile was requested.

confirmation
  Valid values:
    • true
    • false
  Description: When set to true, Smart ID Messaging forwards the profile deletion request to Smart ID Mobile App.


Desktop App: Create Virtual Smart Card Key

Description

Use this task to create up to three template PKCS#10 requests that can be used to request the certificates needed for the "Desktop App: Install Certificates on Virtual Smart Card" task:

  • Signature Certificate (if template name is provided)
  • Authentication Certificate (if template name is provided)
  • Device Encryption (always, used to secure the communication with Smart ID Desktop App)

These requests will then be sent to Smart ID Desktop App and transformed into new PKCS#10 requests (with keypairs generated on the client but keeping all subject data). The new requests will then be sent to the message catching intermediate event identified by the parameter 'messageName'. Identity Manager will put these PKCS#10 requests into the process map under the keys "SIG_P10_VAR" and "AUTH_P10_VAR". Identity Manager will also put the new profile id into the process map under the key "profileId". In order to save the profile id you will need to copy it into a data pool field.

This task can only provision a new profile. Updating an existing profile is currently supported only in Smart ID Mobile App, not in Smart ID Desktop App.


Info: Attestation Key

Smart ID Desktop App will sign the request data and Identity Manager will verify the client's data signature using the attestation key. The attestation key is configured in the task's attestationKeySet parameter and in the Sign and encrypt engine in Identity Manager.

If the verification fails, the task will not accept the data but set two process variables instead:

  • The errorTypeField (see the parameters below) will be set to "HERMOD_ERROR_JWT_SIGNATURE". Use this in your process design to react to validation errors.
  • The errorMessageField (see the parameters below) will contain a more descriptive message.

Configuration

To use this task, configure the following delegate expression in your service task:

    ${pxVscHermodKeyCreationTask}

The following parameters can be configured in Identity Manager Admin: 

messagingServer
  Example value: MessagingServer
  Description: The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides the data (URL, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.

messageName
  Example value: p10PreparationCallback
  Description: The name of the intermediate message catching event that will be triggered by Smart ID Messaging.

userid
  Example value: ${Person_Email}
  Description: ID representing the user on the messaging server. It is displayed in the profile list on the desktop app so the user can verify that the correct data was provided. A common approach is to use the user's email address.

errorMessageField
  Example value: ErrorMessage
  Description: Process variable that receives the error message in case of failure.

errorTypeField
  Example value: ErrorType
  Description: Process variable that receives the error type in case of failure.

signCertificateTemplate
  Mandatory: -
  Example value: Sign-Certificate
  Description: Certificate template of the signature certificate.

authCertificateTemplate
  Mandatory: -
  Example value: Authentication-Certificate
  Description: Certificate template of the authentication certificate.

profileName
  Example value: VSC 1
  Description: Profile name for Smart ID Messaging, displayed in Smart ID Desktop App as the heading of the profile.

serverName
  Example value: Smart ID
  Description: Name of the server that issued the provisioning request, shown so the user understands where the profile comes from.

attestationKeySet
  Mandatory: - (defaults to "ATTESTATION" if not set)
  Example value: ATTESTATION (default value)
  Description: The name of the attestation key used for signing (by the client) and validating (by Identity Manager) the client's data. The available values are the names of the descriptors in the Sign and encrypt engine that start with "att_", without this prefix. An attestation key with the same name must be defined in Smart ID Desktop App.
  Note: Currently, Smart ID Desktop App accepts only the default key set named "ATTESTATION".

plugoutResultField
  Mandatory: if new profile
  Example value: plugoutUri
  Description: Process variable that receives the resulting Smart ID Plugout URI, which opens Smart ID Desktop App on the client machine.

adminKey
  Example value: ${Card_CardManagerKey}
  Description: The secret field reference of the 24-byte 3DES admin key in hex format. For testing, the key can also be set directly as a plain hex value.
  Note: Smart ID Desktop App's own default is 123456781234567812345678123456781234567812345678, but you must make sure Identity Manager always defines the value!

smartCardId
  Example value: ${Card_VscId}
  Description: Virtual smart card ID. Usually it is created via a dedicated number range.

provisionReader
  Valid values:
    • CreateTPM (create a new VSC on the TPM)
    • FreeTPM (use the first free VSC on the TPM)
    • RenewTPM (renew existing TPM certificates)
    • 0TPM / 1TPM / ... / 15TPM (use the specific VSC on the TPM for installing certificates)
  Description: The value is passed as-is to Smart ID Desktop App.

pinMinLength
  Example value: 6
  Description: Minimum length of the VSC PIN (the Windows API allows 4-127 characters, see https://docs.microsoft.com/en-us/uwp/api/windows.devices.smartcards.smartcardpinpolicy.minlength).

pinMaxLength
  Example value: 15
  Description: Maximum length of the VSC PIN (the Windows API allows 4-127 characters, see https://docs.microsoft.com/en-us/uwp/api/windows.devices.smartcards.smartcardpinpolicy.maxlength).

pinUppercase
  Valid values:
    • ALLOWED (default)
    • DISALLOWED
    • REQUIRED
  Description: Whether uppercase characters in the PIN are ALLOWED, DISALLOWED or REQUIRED.

pinLowercase
  Valid values:
    • ALLOWED (default)
    • DISALLOWED
    • REQUIRED
  Description: Whether lowercase characters in the PIN are ALLOWED, DISALLOWED or REQUIRED.

pinDigits
  Valid values:
    • ALLOWED (default)
    • DISALLOWED
    • REQUIRED
  Description: Whether digits in the PIN are ALLOWED, DISALLOWED or REQUIRED.

pinSpecialChars
  Valid values:
    • ALLOWED (default)
    • DISALLOWED
    • REQUIRED
  Description: Whether special characters in the PIN are ALLOWED, DISALLOWED or REQUIRED.

hybridProfile
  Mandatory: -
  Valid values:
    • FALSE (default)
    • TRUE

oldAdminKey
  Mandatory: -
  Description: This field only makes sense when the "FreeTPM" provisionReader is configured. If provided, it changes the VSC's admin key: "oldAdminKey" must hold the old admin key and "adminKey" must hold the new admin key. For example, the default admin key is 010203040506070801020304050607080102030405060708 when the VSC was created with the Tpmvscmgr tool.

storagePriority
  Valid values (version-dependent; a Smart ID Desktop App or Smart ID Messaging update may be required for some):
    • VSC (TPM-based virtual smart card, default)
    • TPM (direct TPM storage; depending on the version of Smart ID Desktop App, it may have the same meaning as VSC)
    • YUBI (Yubico YubiKey 5 PIV token, since Identity Manager 3.12.5)
    • OS (operating system certificate store)
  Description: Storage priority defines where certificates and keys are stored. Usually this is a single value. If hybridProfile is TRUE, it may be a comma-separated list. Example: "VSC, OS" means try to write to a virtual smart card first, and if that fails, use the OS certificate store instead.

desktopKeyProtectionLevel
  Valid values:
    • NONE (default)
    • CONSENT
    • PASSWORD
    • BIOMETRICS
  Description: Specifies the key protection level in the OS key store. It is only used with the OS storage priority.
    • NONE: no strong key protection.
    • CONSENT: the user is notified through a dialog box when the private key is created or used.
    • PASSWORD: the user is prompted to enter a password for the key when the key is created or used.
    • BIOMETRICS: the user is prompted for fingerprint verification when the key is created or used.
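The pin* parameters above, as an added illustration that is not Smart ID Desktop App's own enforcement (which happens on the client): a checker that validates a parameter set against the 4-127 Windows bound and applies the ALLOWED / DISALLOWED / REQUIRED rules to a candidate PIN, so a process designer can sanity-check a policy before provisioning. The character-class regexes are an assumption.

```python
import re

ALLOWED, DISALLOWED, REQUIRED = "ALLOWED", "DISALLOWED", "REQUIRED"
WINDOWS_PIN_MIN, WINDOWS_PIN_MAX = 4, 127  # bounds of the Windows smart card PIN policy API

# Character classes governed by the four pin* parameters (regexes are an assumption).
CLASSES = {
    "pinUppercase": re.compile(r"[A-Z]"),
    "pinLowercase": re.compile(r"[a-z]"),
    "pinDigits": re.compile(r"[0-9]"),
    "pinSpecialChars": re.compile(r"[^A-Za-z0-9]"),
}


def _length_range(policy: dict) -> tuple:
    """pinMinLength / pinMaxLength as ints; task parameters arrive as strings."""
    return (int(policy.get("pinMinLength", WINDOWS_PIN_MIN)),
            int(policy.get("pinMaxLength", WINDOWS_PIN_MAX)))


def validate_policy(policy: dict) -> list:
    """Return the problems in a pin* parameter set; an empty list means consistent."""
    problems = []
    lo, hi = _length_range(policy)
    if not WINDOWS_PIN_MIN <= lo <= hi <= WINDOWS_PIN_MAX:
        problems.append(f"length range {lo}-{hi} outside {WINDOWS_PIN_MIN}-{WINDOWS_PIN_MAX}")
    for name in CLASSES:
        value = policy.get(name, ALLOWED)
        if value not in (ALLOWED, DISALLOWED, REQUIRED):
            problems.append(f"{name}: unknown value {value!r}")
    required = [n for n in CLASSES if policy.get(n, ALLOWED) == REQUIRED]
    if len(required) > hi:
        problems.append("more classes REQUIRED than pinMaxLength permits")
    if all(policy.get(n, ALLOWED) == DISALLOWED for n in CLASSES):
        problems.append("every character class DISALLOWED; no PIN can satisfy the policy")
    return problems


def check_pin(pin: str, policy: dict) -> list:
    """Return the rules a candidate PIN violates under the policy (empty = accepted)."""
    violations = validate_policy(policy)
    if violations:  # an inconsistent policy rejects everything
        return violations
    lo, hi = _length_range(policy)
    if not lo <= len(pin) <= hi:
        violations.append(f"length {len(pin)} not in {lo}-{hi}")
    for name, pattern in CLASSES.items():
        rule = policy.get(name, ALLOWED)
        present = bool(pattern.search(pin))
        if rule == REQUIRED and not present:
            violations.append(f"{name}=REQUIRED but none present")
        elif rule == DISALLOWED and present:
            violations.append(f"{name}=DISALLOWED but present")
    return violations
```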


Desktop App: Create Windows Cert Store Key

Description

Use this task to create a template PKCS#10 request that can be used to request the certificate needed for the "Desktop App: Install Certificates On Windows Cert Store" task:

  • Device Encryption (used to secure the communication with Smart ID Desktop App)

Identity Manager will also put the new profileId into the process map under the key "profileId". In order to save the profile id you will need to copy it into a data pool field.

This task can only provision a new profile. Updating an existing profile is currently supported only in Smart ID Mobile App, not in Smart ID Desktop App.

Info

Smart ID Desktop App will sign the request data and Identity Manager will verify the client's data signature using the attestation key. The attestation key is configured in the task's attestationKeySet parameter and in the Sign and encrypt engine in Identity Manager.

If the verification fails, the task will not accept the data but set two process variables instead:

  • The errorTypeField (see the parameters below) will be set to "HERMOD_ERROR_JWT_SIGNATURE". Use this in your process design to react to validation errors.
  • The errorMessageField (see the parameters below) will contain a more descriptive message.
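The attestation check described in this Info block, and in the equivalent blocks of "Mobile App: Create Key" and "Desktop App: Create Virtual Smart Card Key", as an added illustration that is not Identity Manager or Smart ID app code. It assumes the client returns its data as a compact JWS signed with HMAC-SHA256 using the shared attestation key, with the key set name in a 'kid' header, and that the payload carries the P10 requests and profileId under the variable names the page lists; the descriptor map and key bytes are constructed.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Error type the page documents for a failed signature check.
HERMOD_ERROR_JWT_SIGNATURE = "HERMOD_ERROR_JWT_SIGNATURE"

# Constructed stand-in for the Sign and encrypt engine: only descriptors
# prefixed "att_" are attestation keys, addressed by attestationKeySet
# without the prefix. The key bytes are made up for this example.
ENGINE_DESCRIPTORS = {
    "att_ATTESTATION": b"constructed-shared-attestation-key",
    "sig_SERVER": b"not-an-attestation-key",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def attestation_key(key_set: str = "ATTESTATION") -> Optional[bytes]:
    """Resolve attestationKeySet to its "att_" descriptor (default ATTESTATION)."""
    return ENGINE_DESCRIPTORS.get("att_" + (key_set or "ATTESTATION"))


def sign_client_data(payload: dict, key_set: str = "ATTESTATION") -> str:
    """Client side (assumed format): compact JWS, HS256 with the shared key."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": key_set}).encode())
    body = _b64url(json.dumps(payload).encode())
    signing_input = f"{header}.{body}".encode()
    mac = hmac.new(attestation_key(key_set), signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(mac)}"


def accept_client_data(jws: str, process: dict, key_set: str = "ATTESTATION",
                       error_type_field: str = "ErrorType",
                       error_message_field: str = "ErrorMessage") -> bool:
    """Identity Manager side: verify, then either fill the process map with the
    P10 requests (and profileId) or set only the two error variables."""
    try:
        header, body, sig = jws.split(".")
        hdr = json.loads(_b64url_decode(header))
        key = attestation_key(key_set)
        # Pin algorithm and key set from configuration; never trust the token's own.
        if (key is None or not isinstance(hdr, dict)
                or hdr.get("alg") != "HS256" or hdr.get("kid") != key_set):
            raise ValueError("unexpected algorithm or attestation key set")
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            raise ValueError(f"signature does not verify with attestation key {key_set}")
    except ValueError as exc:  # also covers JSON, base64 and unpacking errors
        process[error_type_field] = HERMOD_ERROR_JWT_SIGNATURE
        process[error_message_field] = str(exc)
        return False
    data = json.loads(_b64url_decode(body))
    # Only the request kinds the client actually generated are present.
    for var in ("SIG_P10_VAR", "AUTH_P10_VAR", "DEVICE_ENC_P10_VAR"):
        if var in data:
            process[var] = data[var]
    if "profileId" in data:  # set only when a new profile was created
        process["profileId"] = data["profileId"]
    return True
```

In a process design, route on the errorTypeField value rather than on the message text, which is free-form.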

Configuration

To use this task, configure the following delegate expression in your service task:

    ${pxOsHermodKeyCreationTask}

The following parameters can be configured in Identity Manager Admin: 

messagingServer
  Example value: MessagingServer
  Description: The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides the data (URL, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.

messageName
  Example value: p10PreparationCallback
  Description: The name of the intermediate message catching event that will be triggered by Smart ID Messaging.

userid
  Example value: ${Person_Email}
  Description: ID representing the user on the messaging server. It is displayed in the profile list on the desktop app so the user can verify that the correct data was provided. A common approach is to use the user's email address.

errorMessageField
  Example value: ErrorMessage
  Description: Process variable that receives the error message in case of failure.

errorTypeField
  Example value: ErrorType
  Description: Process variable that receives the error type in case of failure.

profileName
  Example value: Windows Certs
  Description: Profile name for Smart ID Messaging, displayed in Smart ID Desktop App as the heading of the profile.

serverName
  Example value: Smart ID
  Description: Name of the server that issued the provisioning request. It is displayed in Smart ID Desktop App so the user can understand where this profile comes from.

plugoutResultField
  Mandatory: if new profile
  Example value: plugoutUri
  Description: Process variable that receives the resulting Smart ID Plugout URI, which opens Smart ID Desktop App on the client machine.

desktopKeyProtectionLevel
  Valid values:
    • NONE (default)
    • CONSENT
    • PASSWORD
    • BIOMETRICS
  Description: Specifies the key protection level in the OS key store. It is only used with the OS storage priority.
    • NONE: no strong key protection.
    • CONSENT: the user is notified through a dialog box when the private key is created or used.
    • PASSWORD: the user is prompted to enter a password for the key when the key is created or used.
    • BIOMETRICS: the user is prompted for fingerprint verification when the key is created or used.

attestationKeySet
  Mandatory: - (defaults to "ATTESTATION" if not set)
  Example value: ATTESTATION (default value)
  Description: The name of the attestation key used for signing (by the client) and validating (by Identity Manager) the client's data. The available values are the names of the descriptors in the Sign and encrypt engine that start with "att_", without this prefix. An attestation key with the same name must be defined in Smart ID Desktop App.
  Note: Smart ID Desktop App only accepts the default key set named "ATTESTATION".




Desktop App: Ping Virtual Smart Card profile

Description

Use this task to retrieve profile and device information of virtual smart cards that are managed by Smart ID Desktop App.

You can request information of a virtual smart card or of a single virtual smart card profile.

The task will put a "commandId" value into a process variable which must be used for polling the response using "Desktop App: Poll meta data from client".

Configuration

To use this task, configure the following delegate expression in your service task:

    ${pxVscHermodPingRequestTask}

The following parameters can be configured in Identity Manager Admin:

messagingServer
  Description: The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides the data (URL, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.

errorMessageField
  Example value: ErrorMessage
  Description: Process variable that receives the error message in case of failure.

errorTypeField
  Example value: ErrorType
  Description: Process variable that receives the error type in case of failure.

profileId
  Example value: ${Card_ProfileId}
  Description: If provided, restricts the requested information to this profile. profileId values are created in the "Desktop App: Create Virtual Smart Card Key" task.

plugoutUrl
  Example value: plugoutUrl
  Description: Process variable that receives the plugout URL.

userid
  Valid values:
    • If profileId is set: the userid provided when the profile was requested
    • Otherwise: any value
  Description: ID representing the user on the messaging server. If a profileId parameter is set, this must match the userid provided when the profile was requested. Otherwise any value will do.

deviceInfo
  Valid values:
    • true (default)
    • false
  Description: Request device information.

profileInfo
  Valid values:
    • true (default)
    • false
  Description: Request profile information.

commandId
  Example value: commandId
  Description: Process variable that receives the commandId value, which is needed for polling in the "Desktop App: Poll meta data from client" task.


Desktop App: Poll meta data from client

Description

Use this task to poll a ping response from Smart ID Messaging based upon the 'commandId' (which was created at the ping request to Smart ID Messaging).

Execute this task after a ping request to Smart ID Messaging. It polls the message from Smart ID Messaging based upon the provided command id. After receiving the response from Smart ID Messaging, it stores the profile and device information into the configured service task parameters.

Configuration

To use this task, configure the following delegate expression in your service task:

    ${pxVscHermodPingResponsePollingTask}

The following parameters can be configured in Identity Manager Admin:

messagingServer
  Description: The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides the data (URL, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.

errorMessageField
  Example value: ErrorMessage
  Description: Process variable that receives the error message in case of failure.

errorTypeField
  Example value: ErrorType
  Description: Process variable that receives the error type in case of failure.

commandId
  Example value: ${commandId}
  Description: The commandId received from the "Desktop App: Ping Virtual Smart Card profile" task, needed for polling.

profileInfo
  Example value: profileInfo
  Description: Process variable that receives the profile information.

deviceInfo
  Example value: deviceInfo
  Description: Process variable that receives the device information.

