
About the Identity Management System

The Identity Management System (IDMS) enables organizations to perform the full range of identity proofing and multi-factor authentication (MFA) credential issuance activities needed to meet a wide spectrum of MFA requirements. Built on the Personal Identity Verification (PIV) digital identity standards set forth by the National Institute of Standards and Technology (NIST), IDMS enables organizations to implement the security controls necessary to identify and credential their employees and other resources efficiently, in a way that is standard and interoperable. The IDMS provides the following features:

  • Manage and track the user’s identity proofing lifecycle states

  • Enforce separation of duties to ensure security in the credential production process

  • Acquire identification attributes such as photo, fingerprints and identity documents

  • Provide a single interface for managing different identity repositories

  • Provide an interface to the HID Card Management System to automate the provisioning of data and credential production

  • Issue and manage multiple credentials for a single user

  • Provide automated certificate management and renewal alerts

Features

Existing IDMS Enterprise Integration

IDMS plugs into existing identity management repositories to accelerate the issuance process. For example, IDMS can connect to Active Directory, existing databases and even external credential issuance platforms to retrieve existing identity data. This saves organizations time by reusing data they already hold.

Complete Turn-Key Package

The IDMS platform integrates all of the required identity proofing and credential issuance components into one, easy to install system.

Local and Remote Issuance Models

Depending on the needs of the organization, issuance can be conducted locally in a central facility or can be delegated to remote sites.

Onsite Credential Printing

Credentials can be printed onsite to accelerate issuance.

Data export

User data can be securely exported via an application programming interface (API) or by direct database extraction. The information is presented in JSON format for interoperable processing on different computing platforms.

IDMS Components

IDMS is comprised of both workstation software and server software. The workstation software (known as the Personal Credential Assistant) is installed on a desktop or laptop and provides the software to capture fingerprints, print credentials and encode credentials. The server software is installed on a web server and provides the central location to track and process the identity transactions and to interface with external systems.


Identity Lifecycle Management System

The ILMS is responsible for managing and tracking the identity proofing and credentialing lifecycle for the user as they progress through the PIV credentialing phases. The ILMS serves as a hub between the different systems, enabling 1) secure retrieval and submission of biometric data from external systems, 2) credential printing and 3) credential activation. Finally, the ILMS exposes an extensive REST-based API set to enable authorized operators to request credentials, approve credential applications and monitor system activity.

Credential Management System

The credential management system (by HID Global™) is responsible for managing, securing and electronically encoding the physical smart cards. This system also serves as a hub as it interacts directly with the organization’s identity repositories, certificate authorities and card activation stations.

Biometric Capture Station

The biometric capture station (BCS) provides the hardware and software necessary to enroll the user’s biometric attributes and identity documentation. The BCS biometric acquisition system was carefully designed to be easy to use and flexible for different identity proofing and enrollment scenarios. BCS utilizes FBI/NIST approved components and offers numerous options for mobile, high-speed, document and biometric acquisition to cover a wide array of deployment scenarios.

Biometric features

  • Automatic scoring and segmentation in accordance with NIST Standards

  • Sequence checking

  • Output conforming to ANSI biometric data standards 378, 381 and 385

Credential Print Station

The credential print station physically prints the user’s identity attributes onto the smart card in accordance with PIV specifications. With this capability, on-demand printing can be performed so the user receives their credential in the shortest time possible. Additionally, the print station has built-in security and card inventory controls to ensure that only authorized credentials are printed, and only by authorized printers.


Features

  • Real-time card serial number read and validation to ensure only authorized cards can be printed

  • Automatic error notification

  • Consumable monitoring

  • Printer registration to ensure only authorized printers can perform print jobs

  • Batch mode capability to print large numbers of cards
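The print-station controls listed above (card serial validation against an authorized inventory, printer registration, and the separation of duties mentioned for credential production) can be modelled as a single policy gate in front of a print job. The following Python is an added illustration written for this page, not IDMS code; the card serials, printer IDs and operator names are constructed, and the rule that the approver of a credential application may not also print it is an assumed separation-of-duties rule.

```python
from dataclasses import dataclass, field

@dataclass
class PrintRequest:
    credential_id: str
    card_serial: str   # serial read from the blank card in the printer
    printer_id: str    # identity the printer registered with the server
    operator: str      # operator submitting the print job
    approver: str      # operator who approved the credential application

@dataclass
class PrintStationPolicy:
    authorized_cards: set = field(default_factory=set)     # card inventory issued to this station
    registered_printers: set = field(default_factory=set)  # printers registered with the server
    printed_cards: set = field(default_factory=set)        # serials already consumed (constructed state)

    def check(self, req: PrintRequest) -> list:
        """Return the list of control violations; an empty list means the job may run."""
        violations = []
        if req.printer_id not in self.registered_printers:
            violations.append("printer not registered")
        if req.card_serial not in self.authorized_cards:
            violations.append("card serial not in authorized inventory")
        elif req.card_serial in self.printed_cards:
            violations.append("card serial already used")
        if req.operator == req.approver:
            violations.append("separation of duties: approver cannot print")
        return violations

    def print_job(self, req: PrintRequest) -> list:
        """Run the checks and, only if all pass, consume the card serial."""
        violations = self.check(req)
        if not violations:
            self.printed_cards.add(req.card_serial)
        return violations

    def run_batch(self, reqs: list) -> dict:
        """Batch mode: evaluate every request; rejected jobs are reported, not skipped silently."""
        return {r.credential_id: self.print_job(r) for r in reqs}

if __name__ == "__main__":
    # Constructed sample: two authorized blanks, one registered printer.
    policy = PrintStationPolicy(authorized_cards={"C-1001", "C-1002"}, registered_printers={"PRN-A"})
    batch = [
        PrintRequest("CRED-1", "C-1001", "PRN-A", "alice", "bob"),    # passes
        PrintRequest("CRED-2", "C-1001", "PRN-A", "alice", "bob"),    # reused serial
        PrintRequest("CRED-3", "C-9999", "PRN-Z", "carol", "carol"),  # fails every control
    ]
    for cred, result in policy.run_batch(batch).items():
        print(cred, "OK" if not result else result)
```

Each rejected job carries every failed control rather than the first one, which is what an audit log needs to distinguish a misconfigured printer from a card-inventory problem.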

Credential Activation Station

The Personal Credential Assistant (PCA) is a PIV credential platform that enables organizations to simplify PIV credential issuance and management processes. With its intuitive screens, search automation and detailed logging capabilities, PCA provides a better way for users to securely manage their credential in a manner that is convenient to them and meets organizational security requirements. PCA can perform the entire spectrum of credential issuance and management activities, including activation, update, renewal and unlock, from the user's own computer at a time of their choosing.


Credential Activation Station Features

  • Customized branding and messaging: The PCA graphical user interface (GUI) has been designed to be easy to use and to provide maximum branding and messaging options for organizations. With PCA, organizations can place their logos, messages and even custom content into the application. These features allow organizations to maintain a consistent look across all of their identity proofing and credentialing applications.

  • Automated search: PCA will automatically retrieve user and credential information based on the PIV credential number. This feature eliminates the need for lengthy searching.

  • Streamlined biometric validation: In addition to supporting multiple GSA APL vendor biometric readers and algorithms, PCA is designed to reduce the incidence of false rejections. Specifically, PCA validates the live capture template before the matching process begins. This validation reduces the number of times the user is required to provide their fingerprint during activation: a single high-quality live capture is securely matched against both the server and the card, which better manages the identity verification process while decreasing the burden on the end user.

  • Improved auditing: PCA produces much richer logs, including card personalization details, biometric matching information and total activation times, to help diagnose errors and provide information for continuously improving the activation infrastructure. Furthermore, PCA uniquely identifies the workstation it is operating from in order to generate meaningful usage statistics. Using this workstation-level information, more effective troubleshooting can be performed to expedite error recovery.

  • Real-time marquees: During credential encoding, PCA displays custom content that can be used to provide instant training for the end user.

ID Data Exchange (IDMS)

The ILMS data bridge links to the organization’s identity management system in order to accelerate the PIV credentialing process. For example, when connected, the ILMS can retrieve the person’s base biographic data to eliminate the need for manual data entry. The following interfaces are supported:

  • REST/SOAP

  • Active Directory

  • Service Interface Provider

  • MSSQL

Server software

The server software is installed on Microsoft IIS and serves as the central processing hub that interfaces with external systems and processes the identity management transactions.


Web portal

Provides a web-based user interface to enable authorized operators to request credentials, approve credential applications and monitor system activity.

Web API

Provides an application interface to interact with the IDMS business logic to enable the 1) secure submission of biometric data, 2) credential printing and 3) credential activation.

Server software external system connections

The IDMS server software connects to three external systems in order to process identity transactions.

Active Directory

This is the Active Directory currently in use by the customer that contains the user identity information for the user to be processed. IDMS uses the Active Directory system to retrieve existing user information.

SQL Server

IDMS saves identity information and tracks lifecycle state information using the SQL Server platform.

HID Credential Management system

IDMS interfaces with the HID CMS to provision identity information for the credentialing process.

Server software optional system connections

In addition to the base system interfaces described above, IDMS can be configured to interface with existing Human Resource Systems, Physical Access Control systems and background investigation systems.

Workstation software

The workstation software is installed on Windows 7, 8.1 or 10 and provides the means to control the hardware and software required to capture identity attributes, print credentials and encode credentials.

The workstation software modes of operation

  • Biometric Capture Station: Provides a mechanism to collect a user's identity attributes such as photo, fingerprints and identity documents.

  • Credential Print Station: Provides a mechanism to securely print a credential.

  • Credential Activation Station: Provides a secure self-service mechanism to activate and manage smart card PIV credentials.

How IDMS Works After Installation

Once the IDMS workstation and server components have been installed, organizations use the two components together to perform the identity proofing and management transactions required for credential issuance. The diagrams below provide a view of the completed installation and the transaction sequence of the system in operation.

Installation view

[Installation view diagram]

Transaction sequence
