Common IDMS Deployment Scenarios
PIV-I Credentialing
Derived credential issuance with an externally issued credential:
In this scenario, the IDMS searches an external directory for a previously issued credential. To enable it, set Auto Enroll From External Source to Yes in the credential policy.
Credential production reporting
Enables the IDMS to serve as a reporting platform for CMS even if the IDMS does not directly manage the user. To configure, go to features and enable the "CMS Event Insert user". Next, go to the LDAP the user is located in and set the search filter to "samaccountname". Finally, add the "mail" attribute to LDAP Attribute To Be Validated.
Automated account linking
Enables the IDMS to insert the PIV Authentication certificate into the user's directory. See more here: AltSecurityIdentity Certificate Publishing
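To check what account linking actually wrote to a user's entry, the following added example (not part of the IDMS product or its documentation) classifies altSecurityIdentities values that have already been exported from the directory, using the strong and weak mapping groups from Microsoft's KB5014754 guidance. The function names and sample data are hypothetical, and the page does not state which mapping format the IDMS publishes.

```python
import re

# Mapping types that pin one specific certificate or key (the "strong" group in
# Microsoft's KB5014754 guidance); the name-based types below them are weak.
STRONG = {"X509IssuerSerialNumber", "X509SKI", "X509SHA1PublicKey"}
KINDS = {
    ("I", "SR"): "X509IssuerSerialNumber",
    ("SKI",): "X509SKI",
    ("SHA1-PUKEY",): "X509SHA1PublicKey",
    ("I", "S"): "X509IssuerSubject",
    ("S",): "X509SubjectOnly",
    ("RFC822",): "X509RFC822",
}

def mapping_type(value):
    """Classify one altSecurityIdentities value; None if it is not an X509 mapping."""
    if not value.upper().startswith("X509:"):
        return None  # e.g. Kerberos: entries are out of scope here
    tags = tuple(t.upper() for t in re.findall(r"<([A-Za-z0-9-]+)>", value[5:]))
    return KINDS.get(tags, "unknown")

def reversed_serial(serial_hex):
    """Byte-reverse a certificate serial (as displayed) into the order <SR> uses."""
    h = re.sub(r"[^0-9a-fA-F]", "", serial_hex).lower()
    h = h if len(h) % 2 == 0 else "0" + h
    return "".join(reversed([h[i:i + 2] for i in range(0, len(h), 2)]))

def audit(entries):
    """entries: {account: [altSecurityIdentities values]} -> (account, kind, value)."""
    findings = []
    for account, values in sorted(entries.items()):
        for value in values:
            kind = mapping_type(value)
            if kind is not None and kind not in STRONG:
                findings.append((account, kind, value))
    return findings

# Constructed sample data; accounts, DNs and values are made up for illustration.
SAMPLE = {
    "jdoe": ["X509:<I>DC=test,DC=example,CN=Example CA<SR>1200000000ac11000000002b"],
    "asmith": ["X509:<I>DC=test,DC=example,CN=Example CA<S>DC=test,DC=example,CN=asmith"],
    "svc-badge": ["X509:<RFC822>svc-badge@example.test",
                  "X509:<SKI>0123456789abcdef0123456789abcdef01234567"],
}

if __name__ == "__main__":
    for account, kind, value in audit(SAMPLE):
        print(f"{account}: {kind} mapping -> {value}")
```

Accounts reported here carry a name-based or unrecognised mapping and are candidates for republishing with an issuer-and-serial, SKI or public-key mapping.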
Custom Printing
The custom printing option enables the operator to define custom print objects to be printed on the ID badge.
Step | Reference |
---|---|
1 | Configure the credential policy to use the custom credential |
2 | Update the AsureId Policy |
Automated printing and encoding when the user is only in Active Directory
This scenario allows an organization to automatically encode and print credentials for users that exist only in the organization's Active Directory and not in the IDMS.
Step | Reference |
---|---|
1 | Auto-provisioning (sending data straight from AD): turn off all the ID enrollment requirements |
2 | Give the operator the requestor, approval officer and enrollment officer roles |
3 | Set up the credential policy to encode and print (turn off verify documents during issuance) |
4 | Assign another operator the bulk operator and credential issuer roles |
Print without inserting the card into a reader
This scenario allows an organization to print without having to insert the card into the reader. This is useful when an organization wants to pre-print badges and does not have the smart card encoder.
Step | Reference |
---|---|
1 | Within the credential policy, select "NO" for Perform Inline Encoding During print |
Specifying a Printer to be used at a certain location
This scenario allows an organization to dedicate a specific printer to print specific users. This is helpful when the organization wants to print a series of credentials at one site (for example, print all users in the Boston office with the Boston printer).
Step | Reference |
---|---|
1 | Add a printer with the printer's serial number |
2 | Within the credential type policy, specify the printer |
3 | Assign this credential type to the user. |
Remote Enrollment with 3rd party service
This scenario enables an applicant to have their identity enrolled using a 3rd party service.
Step | Reference |
---|---|
1 | Configure a background investigation service to perform the identity enrollment |
2 | Configure the credential type to specify the background investigation. See configuring credential types, Background investigation service section |
3 | Set a request for the user using the credential type specified in previous step. |
4 | Go to the identity proofing portal and process the applicant |