Versions Compared
Key
- This line was added.
- This line was removed.
- Formatting was changed.
The Indeed Certificate Manager system can be integrated into other Indeed products – Indeed Access Manager and Indeed AM Enterprise Single Sign-On. Integration allows for combining the operations of smart card issue, certificate requesting and writing, as well as authenticator registration into a single process.
The smart cards issued in this way can be used both for authentication in domain and SSO applications and for digital signature or access to resources that require personal certificates. Integration between systems is possible at any stage, irrespective to what product has been deployed first.
The setup of integration of Indeed CM and Indeed Access Manager & Indeed AM Enterprise Single Sign-On comprises two stages:
- Installation and setup of the required software
- Configuration of integration parameters
The first stage requires installation of the following components:
- Indeed-Id Administration Tools (or Indeed-Id Admin Pack) to each Indeed CM server
- Indeed-Id Extended Security Provider for each Indeed EA AM server
- Indeed-Id SmartCard + PIN Provider for each Indeed EA AM server
Tip |
---|
Indeed-Id Administration Tools is a part of Indeed-Id Enterprise Authentication Access Manager system installation package. |
It is also necessary to setup the Extended Security Provider:
- Create Indeed-ID Enrollment Admins security group as per Installation and operation manual for Indeed-Id Extended Security Provider.
- Add service account (‘servicecm’) to Indeed-ID User Admins and Indeed-ID Enrollment Admins security groups.
The second stage requires setting of integration parameters in the smart card usage policy of Indeed Certificate Manager. Open the Indeed EA & ESSOAM section in the selected policy configuration and define the parameters for Indeed EA & ESSO AM (Table 3).
Scroll Pagebreak |
---|
Table 3 – Integration parameters for Indeed
EA & ESSOAM.
Parameter | Description |
---|---|
Enable |
integration with Indeed AM | If enabled, there will be simultaneous issuance of smart card in the Indeed CM system and of authenticator "Smart card or USB token + PIN" in Indeed |
AM systems. |
Use Indeed |
AM proxy server | If enabled, the Indeed CM will address Indeed |
AM proxy, which, in turn, redirects the request to Indeed |
AM servers. The proxy is mandatory, if the Indeed CM servers are beyond the domain of Indeed |
AM system. | |
Proxy URL | The address of Indeed |
AM Proxy Server. |
User name and Password | Credentials (username and domain password) of the user, which is a member of Indeed-ID User Admins and Indeed-ID Enrollment Admins security groups. |
Allow |
usage of Indeed AM Windows Logon | If enabled, then the user is allowed to use Indeed technology for authentication in domain using Indeed |
AM Windows Logon component after a smart card issuance in the Indeed CM system. |
Allow |
usage of Indeed AM Enterprise Single Sign-On | If enabled, then the user is allowed to use Indeed technology for authentication in applications using Indeed |
AM Enterprise SSO Agent component after a smart card issuance in the Indeed CM system. |
Generate |
Windows account random password | If enabled, a random domain password is generated when a smart card is issued in the Indeed CM system. In this |
case, when current password expires, a new random one is generated, known only to Indeed |
AM system. |
Permissions for Enterprise Authentication, Enterprise SSO Indeed AM Windows Logon, Indeed AM Enterprise Single Sign-On and random password generation are disabled, if the last registered user authenticator is removed.
Info | ||
---|---|---|
| ||
For example | :If , if a user had no authenticator in the Indeed EA AM system and no cards in the Indeed CM system, then after issuance of a smart card with defined integration parameters this user would Indeed Certificate Manager have one authenticator ("Smart card or USB token + PIN") in the Indeed EA AM system and one card (for instance, eToken) in the Indeed CM system. If the smart card is deleted from the Indeed CM system, the authenticator in the Indeed EA AM is deleted as well, and, since there is no other trained authenticator, the permissions for Enterprise Authenticationfor Indeed AM Windows Logon, Indeed -Id Enterprise SSO AM Enterprise Single Sign-On and random password generation are disabled (of course, if active at the moment of revocation). |