Smart ID Messaging - Standard service tasks in Identity Manager


This article includes updates for Identity Manager 5.1.0.

Mobile App: Create Key

Description

Use this task to provision a new profile or update an existing one, overwriting existing keys. The task will create the keys needed for the "Mobile App: Install certificates" task.

The task will generate the following PKCS#10 request templates:

  • Signature Certificate (optional)

  • Authentication Certificate (optional)

  • Device Encryption (used to secure the communication with Smart ID Mobile App)

These requests are then sent to the mobile phone and transformed into new PKCS#10 requests (with key pairs generated on the client but keeping all subject data). The new requests are then sent to the message catching intermediate event identified by the parameter 'messageName'. Identity Manager will put these PKCS#10 requests into the process map under the keys "SIG_P10_VAR", "AUTH_P10_VAR" and "DEVICE_ENC_P10_VAR". If a new profile was created, Identity Manager will also put the new profileId into the process map under the key "profileId". To save the profile id, you need to copy it into a data pool field.

After this task is executed, you need to request certificates using the requests stored in the process variables "SIG_P10_VAR" and "AUTH_P10_VAR" before proceeding to the "Mobile App: Install certificates" task. Store the requested certificates into the process map.

Smart ID Mobile App will sign the request data and Identity Manager will verify the mobile client's data signature using the attestation key. The attestation key is configured in the task's attestationKeySet parameter and in the Sign and encrypt engine in Identity Manager.

If the verification fails, the task will not accept the data but will set two process variables instead:

  • The errorTypeField (see the parameters below) will be set to "HERMOD_ERROR_JWT_SIGNATURE". Use this in your process design to react to validation errors.

  • The errorMessageField (see the parameters below) will contain a more descriptive message.
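The callback handling described above, as an added illustration that is not part of the Nexus product code: the mobile client's data is verified against the named attestation key set, and only on success are the client-generated PKCS#10 requests placed under the fixed process-map keys; on failure only the two error variables are set. The signing scheme (an HS256-style JWS over a JSON payload), the key material and the payload field names are assumptions made for the demo, as the page does not specify them.

```python
import base64, hashlib, hmac, json

# Constructed stand-in for the "att_ATTESTATION" descriptor of the sign and
# encrypt engine; in a real deployment the key lives in the engine, not here.
ATTESTATION_KEYS = {"ATTESTATION": b"constructed-demo-attestation-secret"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_callback(payload: dict, key_set: str = "ATTESTATION") -> str:
    """Constructed mobile-side signing (HS256-style JWS compact form; the
    algorithm is an assumption, the page does not state it)."""
    head = _b64url(b'{"alg":"HS256"}')
    body = _b64url(json.dumps(payload).encode())
    mac = hmac.new(ATTESTATION_KEYS[key_set], f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(mac)}"

def verify_callback(token: str, key_set: str = "ATTESTATION"):
    """Return the payload if the signature matches the attestation key, else None."""
    parts = token.split(".")
    key = ATTESTATION_KEYS.get(key_set)
    if len(parts) != 3 or key is None:
        return None
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    # compare_digest runs in constant time, so timing does not leak partial matches
    if not hmac.compare_digest(expected, _unb64url(parts[2])):
        return None
    return json.loads(_unb64url(parts[1]))

def apply_key_creation_result(process_map: dict, token: str, key_set="ATTESTATION",
                              error_type_field="ErrorType", error_message_field="ErrorMessage") -> bool:
    """On a valid signature store the client-generated PKCS#10 requests under the
    task's fixed keys; on failure set only the two error variables."""
    payload = verify_callback(token, key_set)
    if payload is None:
        process_map[error_type_field] = "HERMOD_ERROR_JWT_SIGNATURE"
        process_map[error_message_field] = f"client data signature not valid for key set '{key_set}'"
        return False
    # Payload field names below are assumed for the demo.
    process_map["SIG_P10_VAR"] = payload.get("sigP10")
    process_map["AUTH_P10_VAR"] = payload.get("authP10")
    process_map["DEVICE_ENC_P10_VAR"] = payload["deviceEncP10"]
    if "profileId" in payload:           # only present when a new profile was created
        process_map["profileId"] = payload["profileId"]
    return True
```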

Configuration

To use this task, configure the following delegate expression in your service task:

${hermodKeyCreationTask}

The following parameters can be configured in Identity Manager Admin:

Parameter

Mandatory

Value

Description


messagingServer

Example value:

  • MessagingServer

The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (URL, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.

messageName

Example value:

  • p10PreparationCallback

The name of the intermediate message catching event that will be triggered by Smart ID Messaging.

userid

Example value:

  • ${Person_Email}

ID representing the user on the messaging server. This will be displayed in the profile on the mobile app to verify the correct data is provided.

A common approach is to use the user's email address.

errorMessageField

Example value:

  • ErrorMessage

Process variable to put the error message in case of failure.

errorTypeField

Example value:

  • ErrorType

Process variable to put the error type in case of failure.

signCertificateTemplate

-

 

Signature certificate template.

authCertificateTemplate

-

 

Authentication certificate template.

profileName

If new profile

Leave empty (when updating a profile)

Profile name for Smart ID Messaging. Will be displayed in the Smart ID Mobile App. Leave empty if you want to update an existing profile.

serverName

If new profile

Example value:

  • Smart ID

Name of the server that issued the provisioning request. This is for the user to understand where the profile comes from. 

attestationKeySet

-

(If not set, defaults to "ATTESTATION")

Example value:

  • ATTESTATION (default value)

The name of the attestation key that will be used for signing (by the client) and validating (by Identity Manager) the mobile client's data. The available values are the names of the descriptors in the sign and encrypt engine that start with "att_", without this prefix. An attestation key with the same name must be defined in Smart ID Mobile App/MDM device.

Default value is "ATTESTATION" when no descriptor value is provided.

qrResultField

If new profile

Example value:

  • QR_CODE_VAR

Process variable to put the resulting URL in. This URL may be converted to a QR code for the Smart ID Mobile App by using GenerateQRCodeParametrizedAction.

profileId

If update profile

Leave empty (for new profile)

Id of the Smart ID Mobile App profile that will be updated with new keys. Leave empty if you want to provision a new profile.

storagePriority

Valid values:

  • APP (for Smart ID Mobile App, default)

  • EXT (for Mobile Iron device)

  • MDM (replaced by EXT, but still supported)

Storage priority of certificates. MDM is replaced by EXT, however MDM is still supported.

visualIdLayout

If using visual ID

Example value:

  • Default Layout

The layout to be used for creating the visual ID. If a JUEL expression is configured for the front or back side image, it takes precedence over the statically configured image. If no image is found for the JUEL expression and there is no statically configured image, the task will fail.

cardDatapool

If using visual ID

Example value:

  • PcmDpPersonalMobile

The datapool used for saving the mobile ID profile.

contentId

If using visual ID

Example value:

  • ${GeneratedContentId}

A unique ID in UUID format, which will be associated with the personal mobile profile. Can be generated with the service task "MISC: Generate Random GUID into Data Map Field".

biometricsAllowed

-

(If not set, defaults to true; it can only be set to false explicitly.)

Example value:

  • True or false

Allow the biometrics authentication in the Smart ID Mobile App for this profile.

Mobile App: Install Certificates

Description

Use this task to request and install certificates that were prepared using the "Mobile App: Create Key" task.

As a prerequisite:

  • you must already have requested certificates with the authentication and signature certificate requests generated by the "Mobile App: Create Key" task and stored them as process variables.

  • if you want to perform certificate recovery, you must prepare the data for that using 'Cert: Load Key History List'.

Use this task to install a number of certificates on the mobile phone:

  • Signature Certificate, which will be bound to the key pair created by "Mobile App: Create Key".

  • Authentication Certificate, which will be bound to the key pair created by "Mobile App: Create Key".

  • Device Encryption Certificate, which will be bound to the key pair created by "Mobile App: Create Key".

  • Encryption Certificate created with key archival.

  • Any number of recovered certificates.

Configuration

To use this task, configure the following delegate expression in your service task:

${hermodInstallCertificatesTask}

The following parameters can be configured in Identity Manager Admin:

Parameter

Mandatory

Value

Description


messagingServer

 

The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (URL, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.

messageName

p10FinishedCallback

The name of the intermediate message catching event that will be triggered by Smart ID Messaging.

userid

${Person_Email}

ID representing the user on the messaging server. This must match the userid provided when the profile was requested.

errorMessageField

ErrorMessage

Process variable to put the error message in case of failure.

errorTypeField

ErrorType

Process variable to put the error type in case of failure.

signatureCertificate

-

${SIG_VAR}

The signature certificate.

authenticationCertificate

-

${AUTH_VAR}

The authentication certificate.

deviceEncryptionP10

${DEVICE_ENC_P10_VAR}

The PKCS#10 request for the Device Encryption Certificate, created by the "Mobile App: Create Key" task.

profileId

${profileId}

The id of the profile under which to store the certificates. This is initially provided by the "Mobile App: Create Key" task.

encryptionCertificate

-

 

Encryption certificate template.

recoveryCertificate

-

 

Recovery certificate template.

processVariable

-

Certificate_CoreObjects

Variable name which holds Core object ids list or Core object descriptor list of certificates to be recovered.

p12PasswordField

profilePassword

Reference field where the created password is stored. This password is used for all PKCS#12 containers in this communication. There are a number of actions for creating passwords.

storagePriority

Valid values:

  • APP (for Smart ID Mobile App, default)

  • EXT (for Mobile Iron device)

  • MDM (replaced by EXT, but still supported)

Storage priority of encryption certificates. MDM is replaced by EXT, however MDM is still supported.

Mobile App: Install Certificates Into Android OS

Description

Use this task to request and install certificates and associated keypairs into the Android OS KeyChain.

As a prerequisite:

  • you must already have provisioned a profile via the "Mobile App: Create Key" task, paying special attention to the following settings:

    • storagePriority: APP

    • visualIdLayout: leave empty

    • cardDatapool: leave empty

    • contentId: leave empty

    • authCertificateTemplate: leave empty

    • signCertificateTemplate: leave empty

    • any remaining parameter needs to be configured as documented in "Mobile App: Create Key"

  • if you want to perform certificate recovery, you must prepare the data for that using 'Cert: Load Key History List'.

Use this task to install a number of certificates on the mobile phone:

  • One certificate created with key archival (usually for encryption).

  • Any number of recovered certificates.

  • Any number of certificates created with non-archival plain request (CA generates keypair, but does not archive).

Configuration

To use this task, configure the following delegate expression in your service task:

${pmHermodP12Task}

The following parameters can be configured in Identity Manager Admin:

Parameter

Mandatory

Value

Description


messagingServer

 

The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (URL, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.

userid

${Person_Email}

ID representing the user on the messaging server. This must match the userid provided when the profile was requested.

errorMessageField

ErrorMessage

Process variable to put the error message in case of failure.

errorTypeField

ErrorType

Process variable to put the error type in case of failure.

deviceEncryptionP10

${DEVICE_ENC_P10_VAR}

The PKCS#10 request for the Device Encryption Certificate, created by the "Mobile App: Create Key" task. The P12 password will be encrypted with its public key.

profileId

${profileId}

The id of the profile under which to store the certificates. This is initially provided by the "Mobile App: Create Key" task.

archivalCertTemplate

-

 

Archival certificate template.

plainCertTemplate

-

 

You can define multiple certificate templates for non-archival P12 requests using parameters prefixed with plainCertTemplate.

recoveryCertTemplate

-

 

Recovery certificate template.

recoveryCoreObejcts

-

Certificate_CoreObjects

Variable name which holds Core object ids list or Core object descriptor list of certificates to be recovered.

p12PasswordField

profilePassword

Reference field where the created password is stored. This password is used for all PKCS#12 containers in this communication. There are a number of actions for creating passwords.

Mobile App: Delete Profile

Description

Use this task to delete a profile managed by Smart ID Desktop App. It can also delete all Smart ID Messaging mailboxes for a specific user id.

This task can be used in the following ways:

Delete profile on Smart ID Mobile App and Smart ID Messaging

Execute the task on a card profile which contains information about the profile id.

  1. Specify a profile id and set the confirmation flag to true. All other parameters must be provided as well.

  2. The request will be sent to Smart ID Mobile App, which will delete the profile identified by the specified profile id.

    • The result will be sent to the message catching intermediate event identified by the parameter 'messageName'.

    • After receiving a successful response from Smart ID Mobile App, Smart ID Messaging also deletes the mailbox and forwards the same response back to Identity Manager.

Delete mailbox on Smart ID Messaging only

  1. Set the confirmation flag to false.

  2. Smart ID Messaging will delete either a specific mailbox when a profile id is provided, or all mailboxes of the specified user id when the profile id is absent. The profiles themselves in their respective apps will be retained, as the deletion request will not be forwarded.

Configuration

To use this task, configure the following delegate expression in your service task:

${pmHermodDeleteProfileTask}

The following parameters can be configured in Identity Manager Admin:

Parameter

Mandatory

Value

Description


messagingServer

 

The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (URL, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.

messageName

 

The name of the intermediate message catching event that will be triggered by Smart ID Messaging.

errorMessageField

ErrorMessage

Process variable to put the error message in case of failure.

errorTypeField

ErrorType

Process variable to put the error type in case of failure.

profileId

when confirmation flag is true

${Card_ProfileId}

ID of the profile to be deleted, as created via 'Mobile App: Create Key'.

userid

${Person_Email}

ID representing the user on the messaging server. This must match the userid provided when the profile was requested.

confirmation

Valid values:

  • true

  • false

Messaging Server will forward the profile deletion request to Smart ID Mobile App when set to true.

Desktop App: Create Virtual Smart Card Key

Description

Use this task to create up to template PKCS#10 requests that can be used to request certificates needed for the "Desktop App: Install Certificates on Virtual Smart Card" task.

Use this task to create one or more template PKCS#10 requests:

  • Signature Certificate (if template name is provided)

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.