- Created by Mikhail Yakovlev, last modified by Daliya Agletdinova on May 14, 2024
Axidian CertiFlow can be integrated with other Axidian products – Axidian Access and Axidian Access Enterprise Single Sign-On. The integration combines smart card issuance, certificate requesting and writing, and authenticator registration into a single process.
Smart cards issued in this way can be used both for authentication in the domain and in SSO applications and for digital signature or access to resources that require personal certificates. Integration between the systems is possible at any stage, irrespective of which product was deployed first.
Setting up the integration of Axidian CertiFlow with Axidian Access and Enterprise Single Sign-On comprises two stages:
- Installation and setup of the required software
- Configuration of integration parameters
The first stage requires installation of the following components:
- Axidian Administration Tools (or Axidian Admin Pack) on each CertiFlow server
- Axidian Extended Security Provider on each Access server
- Axidian SmartCard + PIN Provider on each Access server
Axidian Administration Tools is part of the Axidian Access installation package.
Axidian Extended Security Provider and Axidian SmartCard + PIN Provider are supplied by Axidian Technical Support on request.
It is also necessary to set up the Extended Security Provider:
- Create the Axidian Enrollment Admins security group as described in the Installation and operation manual for Axidian Extended Security Provider.
- Add the service account (‘servicecm’) to the Axidian User Admins and Axidian Enrollment Admins security groups.
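The two preparation steps above (creating the security group and adding the service account to both groups) can be scripted on a domain-joined Windows host with the ActiveDirectory PowerShell module. The script below is an added example and is not Axidian's own code or tooling; the OU path, the group scope and category, and the final membership listing are assumptions of this example, not requirements stated in the Axidian manual. Only the group names and the ‘servicecm’ account name come from the page.

```powershell
# Added example (not part of the Axidian documentation): create the security
# groups needed by Extended Security Provider and add the service account.
# Assumptions: RSAT ActiveDirectory module is installed, the script runs with
# rights to create groups, and $GroupOU is a placeholder you must replace.
Import-Module ActiveDirectory

$ServiceAccount = 'servicecm'                        # account name from the page
$GroupOU        = 'OU=Axidian,DC=example,DC=local'   # placeholder OU (assumption)
$RequiredGroups = @('Axidian User Admins', 'Axidian Enrollment Admins')

foreach ($groupName in $RequiredGroups) {
    # Create the group only if it does not exist yet, so the script can be re-run safely.
    $group = Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
    if (-not $group) {
        Write-Host "Creating security group '$groupName' in $GroupOU"
        # Global security group is an assumption of this example; follow your manual.
        $group = New-ADGroup -Name $groupName -SamAccountName $groupName `
            -GroupScope Global -GroupCategory Security -Path $GroupOU -PassThru
    }

    # Add the service account unless it is already a member.
    $members = Get-ADGroupMember -Identity $group |
        Select-Object -ExpandProperty SamAccountName
    if ($members -notcontains $ServiceAccount) {
        Add-ADGroupMember -Identity $group -Members $ServiceAccount
        Write-Host "Added $ServiceAccount to '$groupName'"
    }
}

# Verification: list the members of each group so that any account other than
# the service account and the intended enrollment operators is visible before
# the integration is switched on in the CertiFlow policy.
foreach ($groupName in $RequiredGroups) {
    Write-Host "`nMembers of '$groupName':"
    Get-ADGroupMember -Identity $groupName |
        Select-Object Name, SamAccountName, objectClass
}
```

Because membership of these groups is what lets the integration account manage users and authenticators in Axidian Access, reviewing the printed member lists before enabling the integration (and periodically afterwards) is a cheap way to keep the groups limited to the service account and the operators who actually need them.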
The second stage requires setting the integration parameters in the smart card usage policy of Axidian CertiFlow. Open the Axidian Access section in the configuration of the selected policy and define the parameters.
Integration parameters for Axidian Access.

| Parameter | Description |
|---|---|
| Enable integration with Axidian Access | If enabled, a smart card is issued in the CertiFlow system and, at the same time, the authenticator "Smart card or USB token + PIN" is registered in the Axidian Access system. |
| Use Axidian Access proxy server | If enabled, Axidian CertiFlow addresses the Axidian Access proxy, which in turn redirects the request to the Axidian Access servers. The proxy is mandatory if the CertiFlow servers are outside the domain of the Axidian Access system. |
| Proxy URL | The address of the Axidian Access Proxy Server. |
| User name and Password | Credentials (username and domain password) of a user who is a member of the Axidian User Admins and Axidian Enrollment Admins security groups. |
| Allow usage of Axidian Access Windows Logon | If enabled, after a smart card is issued in the CertiFlow system the user is allowed to authenticate in the domain with Axidian technology using the Axidian Access Windows Logon component. |
| Allow usage of Axidian Access Enterprise Single Sign-On | If enabled, after a smart card is issued in the CertiFlow system the user is allowed to authenticate in applications with Axidian technology using the Axidian Access Enterprise SSO Agent component. |
| Generate Windows account random password | If enabled, a random domain password is generated when a smart card is issued in the CertiFlow system. When the current password expires, a new random one is generated, known only to the Axidian Access system. |
The permissions for Axidian Access Windows Logon, Enterprise Single Sign-On and random password generation are disabled if the last registered authenticator of the user is removed.
For example, suppose a user has no authenticator in the Axidian Access system and no cards in the CertiFlow system. After a smart card is issued with the integration parameters defined, this user has one authenticator ("Smart card or USB token + PIN") in the Axidian Access system and one card (for instance, eToken) in the CertiFlow system.
If the smart card is deleted from the CertiFlow system, the authenticator in Axidian Access is deleted as well, and, since no other registered authenticator remains, the permissions for Axidian Access Windows Logon, Enterprise Single Sign-On and random password generation are disabled (provided they were active at the moment of revocation).