Configuring Smart Card as an Identity Provider

The EmpowerID SSO framework allows you to configure a Smart Card connection as an identity provider (IDP) for EmpowerID.

For your users to be able to access EmpowerID with a smart card, the account store containing your user identities must be named after the issuer of the smart card certificate associated with the IDP connection.
The root certificate for your smart card issuer must be installed in the Trusted Root Certification Authorities certificate store on the EmpowerID Web server.
Prerequisites

Before setting up smart card registration, you must do the following on the EmpowerIDWebIdPSmartCard application in IIS:

  1. Enable Anonymous Authentication
  2. Set the SSL Settings to Require SSL and Require Client certificates
  3. Click Edit Permissions in the Actions pane and give Read & execute, List folder contents and Read permissions to the Users, IIS_IUSR and ANONYMOUS LOGON groups

This topic describes how to configure an IDP connection for smart cards and is divided into the following activities:

Once the IDP Connection has been set up for smart cards, you can create a link similar to the one below to allow users to login to EmpowerID using their smart cards.

Be sure to replace "sso.empowerID.com" with the FQDN of the EmpowerID Web server in your environment and "SmartCard" with the name of the smart card IDP connection you create in EmpowerID.

https://sso.empowerid.com/EmpowerIDWebIdPForms/Login/EmpowerIDWebSite/SmartCard?returnUrl=%2FEmpowerIDWebIdPForms%2F

To configure an IDP connection for a smart card

  1. From the Navigation Sidebar, navigate to SAML Connections management page by expanding Admin > Applications and Directories > SSO Connections and clicking SAML.
  2. From the SAML Connections tab of the SAML Connections management page, search for Smart, click the drop-dwon arrow for Login using Smart Card and then click the Editlink.
  3. From the Actions pane of Application Manager, click the Create SAML Connection action link.
  4. From the General tab of the Connection Details form, scroll to the Account Information section and select the appropriate account store from the Account Directory drop-down.
  5. The FQN of the Account Directory must match the Root CA CN of the smart card certificate issuer for EmpowerID to authenticate the smart card user.
  6. In the Certificates section, select the signing and verifying certificates for your environment from the Signing Certificate and Verifying Certificate drop-downs.
  7. Leave all other fields as is.
  8. Click the Domains tab and then click the Add (+) button in the Assigned Domains section.
  9. In the Add Domain dialog that appears, type the name of the existing EmpowerID domain for which you want a SmartCard login tile to appear on the Login page and then click the tile for that domain.
  10. Alternately, you can create a new domain by selecting Create a New Domain and entering the appropriate information. The domain must be resolvable within your environment.
  11. Click Add to close the Add Domain dialog.
  12. Back in the Connections Details page, click Save to save your changes.

Now that the IDP Connection is configured, you can test it by following the procedure outlined below.

To test the Smart Card connection

  1. Insert your Smart Card reader on a machine and then launch your web browser, pointing it to the domain name you configured for the Smart Card ID Connection.
  2. Click the Login using your SmartCard button.
  3. In the Select a certificate dialog that appears, select the appropriate authenticating certificate and then click OK.
  4. In the Check for EmpowerID Login page the appears, click Yes if you wish to link the smart card to an existing user or No if you wish to link the smart card to a new user.
  5. Users without an EmpowerID Person can request EmpowerID accounts by clicking No. This initiates the Create User Account workflow, which displays a form in the browser to allow the user to fill in the appropriate information. If a user submits the request, EmpowerID routes that request to those individuals in your environment with the ability to approve or deny the request and returns the user to the EmpowerID web login.
    The Check for EmpowerID Login page only appears the first time you log in to EmpowerID with your smart card.
  6. Type your EmpowerID Login or Email in the form and click Submit. The EmpowerID Person must have a valid email address as EmpowerID sends a one-time password to that address.
  7. Check your email for the one-time password.
  8. Back in the EmpowerID Web application, type the one-time password into the Password form and click Submit.
  9. Upon successful submission of your one-time password, EmpowerID logs you in to the Web application. Your smart card account is now linked to your EmpowerID Person. The next time you select smart card as the login option, EmpowerID will grant you access without requiring your identifying information.