Axidian CertiFlow is designed to deploy, manage and control user authentication cards (USB tokens and smart cards) enterprise-wide. It provides centralized management of authentication cards throughout their lifecycle, controls the cryptographic protection means stored on them and logs their usage. The system also lets users resolve common problems on their own, including outside the enterprise network, without contacting the company's IT administrators.

Tasks

Reduce expenses for the following routine PKI maintenance operations:

  • Issuing certificates.
    Axidian CertiFlow automatically generates the list of certificates to be issued based on PKI usage policies. All users under the same policy receive an identical set of settings and certificates. Certificate request creation, issuance and writing of certificates to smart cards are performed automatically.
  • Self-service operations for users.
    Common users can benefit from a self-service web app tool to issue and update certificates on their own (if allowed by the usage policy), reducing the workload of the IT department.
  • Sending email notifications about system events to administrators and users.
    For example, administrator and/or user can get a notification when a certificate is about to expire, making it possible to renew the certificate in time and avoid downtime. 
  • Unlocking a locked smart card with no need to contact the administrator.
    Users can unlock the smart card before or after logging into the operating system, and with or without explicit involvement of an administrator.
  • Integrating with third party systems.
    Axidian CertiFlow offers an application programming interface (API) to integrate with third party applications. Such integration expands the scope for automating certificate and smart card management workflows. For example, the software can revoke the certificates of a terminated employee based on an event from an Identity Management (IdM) system.
  • Accounting of certificates issued by third parties.
    If your organization uses certificates issued by third party certification authorities, Axidian CertiFlow can add such certificates to the solution database and timely remind the administrator and the user about certificates due to expire. As a result, you can avoid downtime when working with banks and trading platforms.

Increase your company's IT security:

  • Centralized application of PIN policies.
    When a smart card is issued, certain PIN requirements are written to it, such as complexity, change interval and history depth; the available settings depend on the card type. All policies are stored and distributed centrally, so administrators do not need to configure policies for every single card.
  • Smart card accounting.
    Each card is assigned to a responsible employee. Only Axidian CertiFlow administrator or the card owner can issue or update certificates for the card.
  • Timely revoking of terminated employees’ certificates.
    To promptly block access to corporate resources for terminated employees, the system has a dedicated service that checks the user directory at scheduled intervals and revokes the certificates of users marked as terminated.
  • Flexible configuration of privileges for system operations.
    The system enables companies to define their own security roles with a customizable list of allowed operations. This way, administrators can bring the Axidian CertiFlow role model into compliance with the company's business processes.
  • Monitoring smart card usage on users’ PCs. 
    With Axidian CertiFlow, companies can track which smart cards are connected to the organization's PCs and by whom. An administrator can assign smart cards to specific users or PCs. If the system detects a mismatch (e.g. a smart card is connected within an unauthorized user's session or to an unauthorized PC), the smart card can be locked.
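The PIN policy item above describes three requirements (complexity, change interval, history depth) that are enforced per card but configured centrally. The following is an added example, not Axidian CertiFlow code and not its policy format: it models what enforcing such a policy looks like, with the field names, default values and the salted hashing of the PIN history all being assumptions made for this illustration.

```python
"""Illustrative PIN policy check for a smart card.

Added example, not Axidian CertiFlow code. The policy fields, their defaults
and the way the PIN history is stored are assumptions for this illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional
import hashlib


@dataclass
class PinPolicy:
    min_length: int = 6
    require_digit: bool = True
    require_letter: bool = False
    min_distinct_chars: int = 3      # rejects "111111"-style PINs
    history_depth: int = 5           # previous PINs that may not be reused
    change_interval_days: int = 90   # maximum PIN age before a change is required


@dataclass
class CardPinState:
    serial: str
    pin_history: List[str] = field(default_factory=list)  # digests, oldest first
    last_change: Optional[date] = None


def pin_digest(pin: str, serial: str) -> str:
    # The history stores digests rather than PINs; the card serial acts as a salt
    # so that the same PIN on two cards produces different history entries.
    return hashlib.sha256(f"{serial}:{pin}".encode("utf-8")).hexdigest()


def pin_violations(pin: str, policy: PinPolicy, state: CardPinState) -> List[str]:
    """Return every rule the candidate PIN breaks; an empty list means it is acceptable."""
    problems = []
    if len(pin) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_digit and not any(c.isdigit() for c in pin):
        problems.append("no digit")
    if policy.require_letter and not any(c.isalpha() for c in pin):
        problems.append("no letter")
    if len(set(pin)) < policy.min_distinct_chars:
        problems.append(f"fewer than {policy.min_distinct_chars} distinct characters")
    recent = state.pin_history[-policy.history_depth:] if policy.history_depth > 0 else []
    if pin_digest(pin, state.serial) in recent:
        problems.append(f"reused within the last {policy.history_depth} PINs")
    return problems


def set_pin(pin: str, policy: PinPolicy, state: CardPinState, today: date) -> None:
    """Apply a new PIN to the card state, or raise ValueError listing the violations."""
    problems = pin_violations(pin, policy, state)
    if problems:
        raise ValueError("PIN rejected: " + "; ".join(problems))
    state.pin_history.append(pin_digest(pin, state.serial))
    # Keep only as many digests as the history check needs.
    if policy.history_depth > 0:
        state.pin_history = state.pin_history[-policy.history_depth:]
    else:
        state.pin_history = []
    state.last_change = today


def change_required(policy: PinPolicy, state: CardPinState, today: date) -> bool:
    """True when the PIN has never been set or is older than the change interval."""
    if state.last_change is None:
        return True
    return today - state.last_change >= timedelta(days=policy.change_interval_days)


if __name__ == "__main__":
    card = CardPinState(serial="CARD-0001")   # constructed sample card
    print(pin_violations("111111", PinPolicy(), card))
    set_pin("a1b2c3", PinPolicy(), card, date(2024, 1, 1))
    print(pin_violations("a1b2c3", PinPolicy(), card))
```

The history holds digests, not PINs, so a dump of the card state does not leak old PINs; the change interval is evaluated from the last successful change rather than stored as a deadline, so altering the policy centrally takes effect on the next check without rewriting every card.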
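The smart card monitoring item above describes a decision rule: a card connected in a session of a user it is not assigned to, or on a PC it is not assigned to, should be locked. The following is an added example, not Axidian CertiFlow code and not its event format: it runs that rule over constructed connection events. The line format, field names, assignment structure and sample data are all assumptions made for this illustration.

```python
"""Illustrative check of smart card connections against card assignments.

Added example, not Axidian CertiFlow code. Event line format, field names and
the sample data are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Assignment:
    serial: str
    user: Optional[str] = None  # None: any user may use the card
    pc: Optional[str] = None    # None: any PC may be used


@dataclass(frozen=True)
class ConnectEvent:
    time: str
    serial: str
    user: str
    pc: str


@dataclass(frozen=True)
class Verdict:
    time: str
    serial: str
    action: str   # "allow" or "lock"
    reason: str


def parse_event(line: str) -> ConnectEvent:
    """Parse a constructed 'time key=value ...' line as a card monitor might report it."""
    time, _, rest = line.strip().partition(" ")
    fields: Dict[str, str] = {}
    for token in rest.split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"malformed token {token!r} in event line")
        fields[key] = value
    return ConnectEvent(time, fields["serial"], fields["user"], fields["pc"])


def _same(a: str, b: str) -> bool:
    # Windows user names and host names are case-insensitive.
    return a.casefold() == b.casefold()


def evaluate(events: List[ConnectEvent], assignments: List[Assignment]) -> List[Verdict]:
    """Produce one allow/lock verdict per connection event."""
    by_serial = {a.serial: a for a in assignments}
    verdicts = []
    for ev in events:
        a = by_serial.get(ev.serial)
        if a is None:
            verdicts.append(Verdict(ev.time, ev.serial, "lock", "card not registered"))
        elif a.user is not None and not _same(a.user, ev.user):
            verdicts.append(Verdict(ev.time, ev.serial, "lock",
                                    f"connected in session of {ev.user}, assigned to {a.user}"))
        elif a.pc is not None and not _same(a.pc, ev.pc):
            verdicts.append(Verdict(ev.time, ev.serial, "lock",
                                    f"connected to {ev.pc}, assigned to {a.pc}"))
        else:
            verdicts.append(Verdict(ev.time, ev.serial, "allow", "matches assignment"))
    return verdicts


# Constructed sample assignments: card bound to user and PC, to user only, to PC only.
ASSIGNMENTS = [
    Assignment("CARD-0001", user="CORP\\alice", pc="WS-ALICE"),
    Assignment("CARD-0002", user="CORP\\bob"),
    Assignment("CARD-0003", pc="KIOSK-01"),
]

# Constructed sample events (not real monitor output).
SAMPLE_LOG = """\
2024-05-02T09:14:03Z serial=CARD-0001 user=CORP\\alice pc=ws-alice
2024-05-02T09:20:41Z serial=CARD-0001 user=CORP\\mallory pc=WS-ALICE
2024-05-02T10:02:17Z serial=CARD-0002 user=CORP\\bob pc=LAPTOP-77
2024-05-02T10:05:58Z serial=CARD-0003 user=CORP\\guest pc=WS-ALICE
2024-05-02T10:11:09Z serial=CARD-9999 user=CORP\\eve pc=WS-ALICE
"""


def run_sample() -> List[Verdict]:
    events = [parse_event(line) for line in SAMPLE_LOG.splitlines() if line.strip()]
    return evaluate(events, ASSIGNMENTS)


if __name__ == "__main__":
    for v in run_sample():
        print(f"{v.time} {v.serial} {v.action:5} {v.reason}")
```

An unregistered card is treated as a lock rather than an allow, which is the safe default when the monitor sees a serial the inventory does not know; whether an actual lock is applied or only an alert raised is a deployment decision.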

Components

The system consists of a server part and a client part. Solution data and configuration are stored in a Microsoft SQL Server or PostgreSQL database.

Server components

Axidian CertiFlow Server is the central component that manages the solution logic. It includes the following web applications and auxiliary tools:

Web applications:

  • Management Console – a management interface for system administrators and operators.
  • Self-Service – a user interface.
  • Remote Self-Service – a remote self-service console for non-domain users.
  • CredProvAPI – a service for smart card online unlocking and disabling.
  • API – a service for smart card lifecycle management (for integration with third-party software). 
  • Axidian CertiFlow Configuration Wizard – a configuration wizard for web applications and smart card state monitoring services (Card Monitor).
  • OpenID Connect Server – an add-on component that configures user authentication to system's web-applications via OpenID Connect protocol.
  • MSCA Proxy – an add-on component that allows you to configure integration with Microsoft Enterprise CAs from outside the domain where Axidian CertiFlow is deployed.
  • Event Log Proxy – an add-on component that allows you to register events from one or more system servers to Windows Event Log.
  • Log Server – an add-on component that allows you to register events from one or more system servers to Windows Event Log, Microsoft SQL Server or PostgreSQL databases and syslog.
  • Axidian CertiFlow Agent – a service for client agent registration and for performing the following remote tasks: locking and resetting the user PIN, changing the administrator PIN, updating the smart card contents, wiping or initializing the smart card when revoked.

Auxiliary tools:

  • Cm.CardMonitor.exe – a tool for smart card status monitoring.
  • Cm.Agent.Cert.Generator – a tool for creating the client agent certificates.
  • Cm.CertEnroll.MsCA.exe – a tool for issuing an "Enrollment Agent" certificate for a service account with Microsoft Enterprise CA.
  • Storage.sql – a script for populating the Microsoft SQL Server database which stores the system data.
  • Storage-Postgre.sql – a script for populating the PostgreSQL database which stores the system data.

Client components

Axidian CertiFlow Middleware offers a single interface to the other components of the system to manage the smart cards connected to a workstation.

Axidian CertiFlow Client Tools:

  • Credential Provider enables offline and online unlocking of smart cards used for authentication in Windows OS.
  • Axidian CertiFlow Unblock allows unlocking smart cards during the OS session.

Axidian CertiFlow Agent allows you to perform the following remote tasks on users' smart cards: locking, resetting the user PIN, updating the smart card contents, wiping or initializing the smart card when revoked, and changing the administrator PIN.

Axidian CertiFlow Client Browser Extension is used for maintaining multiple user sessions on a terminal server.

Components interaction scheme

