
Enterprise Single Sign-On 9.0.2 - One Identity Enterprise Access Management Console Administration Guide


Managing smart card certificates

The certificate identifies a user: it contains data that is also stored in the directory, and so acts as the link between the card and the directory. This link can exist before the smart card is used (an LDAP attribute of the user already holds the matching value), or it can be created when the card is assigned.

A certificate issued by an external authority cannot be managed from the EAM console.

NOTE: Any smart card type can be authorized, provided it is described in the XML file.

In this section:

Administering smart card certificates

When a card is used within the EAM solution, the certificate stored on the card can be used. Two cases are possible:

  • The certificate, issued by an external CMS, is already on the card.

    If the card already holds a certificate, EAM can use it to authenticate the user (Public Key Authentication (PKA) configuration). This configuration is mainly used when the card is read-only.

    NOTE: For more information on this procedure, see Enabling the public key authentication method.
  • The certificate is not yet stored on the card, and the card is of type Windows Smartlogon Compatible.

    If the card does not hold a certificate, EAM can interface with the Microsoft PKI to request one or more certificates from the Microsoft CA (and only from this CA). This is configured in the XML configuration file of the solution. In this case, the certificate can be managed from the console (request, revocation, and so on).

    To request such a certificate, the running Windows session account must own a certificate issued by the Microsoft CA from the EnrollmentAgent template. If that certificate is not present in the user's certificate store on the workstation, it is retrieved automatically from the Microsoft CA. Because an enrollment agent certificate lets its holder request certificates on behalf of other users, restrict enrollment for that template to the accounts that operate the console.
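The following PowerShell check is an added example, not code from the One Identity guide or from the EAM product. It looks in the current user's personal certificate store for a valid certificate carrying the Certificate Request Agent EKU (OID 1.3.6.1.4.1.311.20.2.1, the EKU that the EnrollmentAgent template issues), which is the prerequisite described above for requesting smart card certificates from the console. The function name `Get-EnrollmentAgentCertificate` and the store path are assumptions for illustration; the store-provider property `EnhancedKeyUsageList` and the `Cert:` drive are standard PowerShell.

```powershell
# Added example (not from the One Identity guide): verify that the running Windows session
# account holds a valid Enrollment Agent certificate before using the EAM console to request
# smart card certificates from the Microsoft CA.
# 1.3.6.1.4.1.311.20.2.1 is the well-known "Certificate Request Agent" EKU OID.
$EnrollmentAgentEku = '1.3.6.1.4.1.311.20.2.1'

function Get-EnrollmentAgentCertificate {
    [CmdletBinding()]
    param(
        # Personal store of the current user; the console runs under this account.
        [string] $StorePath = 'Cert:\CurrentUser\My'
    )
    $now = Get-Date
    Get-ChildItem -Path $StorePath |
        Where-Object {
            $_.HasPrivateKey -and                              # a cert without its key is useless for signing requests
            $_.NotBefore -le $now -and $_.NotAfter -gt $now -and   # currently valid
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $EnrollmentAgentEku })
        }
}

$agentCerts = @(Get-EnrollmentAgentCertificate)
if ($agentCerts.Count -eq 0) {
    Write-Warning 'No valid Enrollment Agent certificate with a private key in CurrentUser\My.'
    Write-Warning 'The console will try to retrieve one from the Microsoft CA at request time;'
    Write-Warning 'confirm that this account has Enroll permission on the EnrollmentAgent template.'
} else {
    # Several matches usually mean a renewed certificate sits beside the old one; note which
    # one is the newest, and remove stale copies so they cannot be misused.
    $agentCerts |
        Sort-Object NotAfter -Descending |
        Select-Object Subject, Issuer, NotAfter, Thumbprint |
        Format-Table -AutoSize
}
```

To confirm that the enterprise CA actually publishes the template, run `certutil -CATemplates` on a domain-joined workstation and look for the EnrollmentAgent entry in its output.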

NOTE: You will use the following interface to manage your smart card certificates:

In this section:

Importing a certification authority

  1. In the Directory panel, click the Smart card tab.
  2. Select a smart card and click the Certificates tab.
  3. Click Import.
    • The Import file selection window appears.
  4. Select the file to import.
  5. Click OK.
    • The imported certification authority appears.
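Before importing a file as a certification authority, it is worth confirming that it really is a CA certificate and that it is currently valid, because the console accepts whatever file is selected. The following PowerShell function is an added example and is not part of the guide or the EAM product; the function name `Test-CaCertificateFile` and the sample path `C:\pki\smartcard-ca.cer` are assumptions for illustration. It uses only the .NET `X509Certificate2` class and its Basic Constraints extension.

```powershell
# Added example (not from the One Identity guide): inspect a certificate file before importing
# it as a certification authority for a smart card type.
function Test-CaCertificateFile {
    param(
        [Parameter(Mandatory)] [string] $Path   # DER or Base64 .cer/.crt file
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    # Basic Constraints tells us whether the subject is a CA at all.
    $basic = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $isCa = [bool]($basic -and $basic.CertificateAuthority)

    $now = Get-Date
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        SelfSigned = ($cert.Subject -eq $cert.Issuer)   # root CA if true, intermediate otherwise
        IsCA       = $isCa
        ValidNow   = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint                  # compare with the value published by the PKI team
    }
}

# Sample path is an assumption; point it at the file you intend to import.
$result = Test-CaCertificateFile -Path 'C:\pki\smartcard-ca.cer'
$result | Format-List

if (-not ($result.IsCA -and $result.ValidNow)) {
    Write-Warning 'This file is not a currently valid CA certificate; do not import it.'
}
```

Check the reported thumbprint against the one your PKI team publishes out of band before clicking Import; a CA that is accepted here is trusted for every card of that type.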

 

Deleting a certification authority

  1. In the Directory panel, click the Smart card tab.
  2. Select a smart card and click the Certificates tab.
  3. Select the certification authority to delete and click Delete.
    • The certification authority is removed from the list of certificates.