The EmpowerID SSO framework allows you to configure a Smart Card connection as an identity provider (IDP) for EmpowerID.

Info

  • For your users to be able to access EmpowerID with a smart card, the account store containing your user identities must be named after the issuer of the smart card certificate associated with the IDP connection.
  • The FQN of the Account Directory must match the Root CA CN of the smart card certificate issuer for EmpowerID to authenticate the smart card user.
  • The root certificate for your smart card issuer must be installed in the Trusted Root Certification Authorities certificate store on the EmpowerID Web server.
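The two certificate conditions above (root CA CN equals the Account Directory FQN, and the root is present in the machine's Trusted Root store) are easy to get wrong and produce a generic login failure rather than a clear error. The following PowerShell script is an added example, not part of the EmpowerID documentation or product: run on the EmpowerID Web server, it builds the chain for a smart card user certificate exported to a .cer file (a constructed path is used as an illustration), reads the CN of the root it chains to, and compares that with an Account Directory FQN you supply. The parameter names and the output object are assumptions for this example.

```powershell
# Added example (not from the EmpowerID documentation): verifies on the EmpowerID
# Web server that a smart card user certificate chains to a root whose CN equals
# the Account Directory FQN and that this root is installed in the
# Trusted Root Certification Authorities store (Cert:\LocalMachine\Root).
# Assumptions: the user certificate was exported from the card to a .cer file,
# and $AccountDirectoryFqn is the FQN exactly as shown in EmpowerID.
param(
    [Parameter(Mandatory)][string]$UserCertPath,        # e.g. C:\temp\smartcard-user.cer (constructed path)
    [Parameter(Mandatory)][string]$AccountDirectoryFqn
)

$userCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $UserCertPath

# Build the chain the same way Windows will when the card is presented.
# Revocation is not checked here so that revocation noise cannot hide a
# naming mismatch; the real logon still performs revocation checking.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($userCert)

# The last element of a successfully built chain is the self-signed root.
$root   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$rootCn = $root.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

# Presence in the machine Trusted Root store is checked by thumbprint, which is
# what IIS and the smart card logon use; a same-named root from another issuer
# would fail this check, as it should.
$rootTrusted = Test-Path -Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
$cnMatches   = $rootCn -eq $AccountDirectoryFqn   # -eq is case-insensitive in PowerShell

foreach ($status in $chain.ChainStatus) {
    Write-Warning "Chain status: $($status.Status) - $($status.StatusInformation)"
}

[pscustomobject]@{
    ChainBuilt          = $built
    RootCN              = $rootCn
    AccountDirectoryFQN = $AccountDirectoryFqn
    RootCNMatchesFQN    = $cnMatches
    RootInTrustedStore  = $rootTrusted
}
```

Run it as `.\Check-SmartCardRoot.ps1 -UserCertPath C:\temp\smartcard-user.cer -AccountDirectoryFqn 'Example Root CA'` (file and values are illustrative). If `RootCNMatchesFQN` or `RootInTrustedStore` is `False`, fix the account store name or install the root certificate before creating the IDP connection; if `ChainBuilt` is `False`, the warnings list the missing intermediate or other chain problem.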

Warning

Prerequisites: Before setting up smart card registration, you must do the following on the EmpowerIDWebIdPSmartCard application in IIS:

  1. Enable Anonymous Authentication.
  2. Set the SSL Settings to Require SSL and Require Client certificates.
  3. Click Edit Permissions in the Actions pane and give Read & execute, List folder contents and Read permissions to the Users, IIS_IUSRS and ANONYMOUS LOGON groups.
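The three IIS prerequisites can also be applied and verified from an elevated PowerShell session, which is useful when several Web servers must be configured identically. The following script is an added example, not part of the EmpowerID documentation; it assumes the application sits under a site named `Default Web Site` (change `$SiteName` if not) and that the built-in `IIS_IUSRS` group is the one the documentation's "IIS_IUSR" refers to. It uses only the standard WebAdministration cmdlets and icacls.exe.

```powershell
# Added example (not from the EmpowerID documentation): applies the three IIS
# prerequisites to the EmpowerIDWebIdPSmartCard application and reads them back.
# Assumptions: the application lives under "Default Web Site" and the group
# meant by "IIS_IUSR" is the built-in IIS_IUSRS group. Requires the
# WebAdministration module and an elevated PowerShell session.
Import-Module WebAdministration

$SiteName = 'Default Web Site'          # assumption: site hosting the application
$AppName  = 'EmpowerIDWebIdPSmartCard'  # application name from the documentation
$Location = "$SiteName/$AppName"
$AppHost  = 'MACHINE/WEBROOT/APPHOST'   # write to applicationHost.config <location>, so locked sections are fine

# 1. Enable Anonymous Authentication for this application only, not site-wide.
Set-WebConfigurationProperty -PSPath $AppHost -Location $Location `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name 'enabled' -Value $true

# 2. Require SSL and require a client certificate. SslRequireCert makes IIS
#    refuse requests that present no certificate, which is what triggers the
#    browser's certificate (smart card) prompt.
Set-WebConfigurationProperty -PSPath $AppHost -Location $Location `
    -Filter 'system.webServer/security/access' `
    -Name 'sslFlags' -Value 'Ssl,SslRequireCert'

# 3. Grant Read & execute, List folder contents and Read (the RX right set in
#    icacls terms) on the application folder, inherited to subfolders and files.
$PhysicalPath = (Get-WebApplication -Site $SiteName -Name $AppName).PhysicalPath
$PhysicalPath = [Environment]::ExpandEnvironmentVariables($PhysicalPath)
foreach ($principal in 'BUILTIN\Users', 'BUILTIN\IIS_IUSRS', 'NT AUTHORITY\ANONYMOUS LOGON') {
    # ${principal} avoids PowerShell reading "$principal:" as a scope qualifier
    & icacls.exe $PhysicalPath /grant "${principal}:(OI)(CI)RX" /T | Out-Null
}

# Read the settings back so the result can be checked (and recorded) before
# users are given the smart card login link.
$anon = Get-WebConfigurationProperty -PSPath $AppHost -Location $Location `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name 'enabled'
$ssl  = Get-WebConfigurationProperty -PSPath $AppHost -Location $Location `
    -Filter 'system.webServer/security/access' -Name 'sslFlags'
"Anonymous authentication enabled: $($anon.Value)"
"SSL flags: $ssl"
& icacls.exe $PhysicalPath
```

Scoping the `sslFlags` and `anonymousAuthentication` changes with `-Location` keeps the rest of the site on its existing authentication and SSL settings; only the smart card application demands a client certificate.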



Tip

Once the IDP Connection has been set up for smart cards, you can create a link similar to the one below to allow users to log in to EmpowerID using their smart cards.

https://sso.empowerid.com/WebIdPForms/Login/EmpowerIDWebSite/SmartCard?returnUrl=%2FWebIdPForms%2F

Warning

Be sure to replace "sso.empowerid.com" with the FQDN of the EmpowerID Web server in your environment and "SmartCard" with the name of the smart card IDP connection you create in EmpowerID.

To configure an IDP connection for a smart card

  1. On the navbar, expand Apps and Authentication > SSO Connections and click SAML.
  2. On the SAML Connections tab of the SAML Connections management page, search for smartcard and then click Login using SmartCard. This directs you to the View One page for the connection.
  3. Click the Display Name link to put the connection in Edit mode.
  4. On the Edit page for the connection, scroll to the Certificates section and select the signing and verifying certificates for your environment from the Signing Certificate and Verifying Certificate drop-downs. Leave all other fields as is.

    Info

    The FQN of the Account Directory selected in the Account Information section must match the Root CA CN of the smart card certificate issuer for EmpowerID to authenticate the smart card user.

  5. Select the Domains tab and then click the Add (+) button in the Assigned Domains section.
  6. In the Add Domain dialog that appears, enter the name of the domain where the SmartCard login tile should appear on the Login page and then click the tile for that domain.
  7. Click Save to close the Add Domain dialog.
  8. Back in the Connection Details page, click Save to save your changes.

Now that the IDP Connection is configured, you can test it by following the procedure outlined below.

To test the Smart Card connection

  1. Insert your Smart Card reader on a machine and then launch your web browser, pointing it to the domain name you configured for the Smart Card IDP Connection.
  2. Click the Login using your SmartCard button.
  3. In the Select a certificate dialog that appears, select the appropriate authenticating certificate and then click OK.

    Tip

    The Check for EmpowerID Login page only appears the first time you log in to EmpowerID with your smart card.

  4. In the Check for EmpowerID Login page that appears, click Yes if you wish to link the smart card to an existing user or No if you wish to link the smart card to a new user.

    Info

    Users without an EmpowerID Person can request EmpowerID accounts by clicking No. This initiates the Create User Account workflow, which displays a form in the browser to allow the user to fill in the appropriate information. If a user submits the request, EmpowerID routes that request to those individuals in your environment with the ability to approve or deny the request and returns the user to the EmpowerID web login.

  5. Enter your EmpowerID Login or Email in the form and click Submit. The EmpowerID Person must have a valid email address, as EmpowerID sends a one-time password to that address.
  6. Check your email for the one-time password.
  7. Back in the EmpowerID Web application, type the one-time password into the Password form and click Submit.