Hybrid Access Gateway - Standard service tasks in Identity Manager

HAG: User Provisioning

Description

Use this task to provision a user to the Smart ID Digital Access component. The task consists of two phases:

  • In the first phase the user will be created or updated. This is always done.
    Note: If you do not set a validFrom field, the user always gets the current date as the valid-from value in Digital Access.

  • The second phase locks or unlocks the user:

  1. If the current state of the CoreObject matches a state in the lockedStates configuration, the user will be locked.

    • If Smart ID Mobile App (Personal Mobile) is configured, all Smart ID Mobile App profiles that the user has will be deleted.
      Note: Deletion of the authentication methods SYNC and OATH is not implemented yet.

  2. If the current state of the CoreObject matches a state in the unlockedStates configuration, the user will be unlocked.

    • If Smart ID Mobile App is configured, the binary array of the barcode image (jpg) will be available in "personalimage". If unlocking the user failed, the process map will not contain the barcode.

    • If OATH is configured, the binary array of the barcode image (jpg) will be available in "oathActivationBarcode". If unlocking the user failed, the process map will not contain the barcode.

    • If SYNC is configured, SYNC will be activated on Digital Access.

Configuration

To use this task, configure the following delegate expression in your service task:

    ${provisionUserToHagParameterizedTask}

The following parameters can be configured in PRIME Designer:

Each parameter is listed with whether it is mandatory, its example or valid values, and a description.

coreTemplateName (mandatory)
  Example value: Employee
  The name of the coreTemplate from which the current coreObject state shall be retrieved.

challengePin (optional)
  Example value: 111111 (default)
  The default PIN for synchronized authentication of the user in Digital Access.

emailField (optional)
  Example value: Employee_Email
  The name of the datamap field which contains the email of the user.

hagUrl (mandatory)
  URL of the Digital Access system.

locationDNField (optional)
  The datamap field which contains the LDAP DN of the desired user. If this is set, the user will be connected to LDAP in Digital Access as well.

lockedStates (mandatory)
  Example value: "disabled,blacklisted,arrested"
  A comma-separated list of states from the stategraph of the user which mean "locked" in Digital Access.

unlockedStates (mandatory)
  Example value: "active"
  A comma-separated list of states from the stategraph of the user which mean "unlocked" in Digital Access.

userEnabledPerDefault (optional)
  Valid values: true (default), false
  If set to "true", the user will automatically be enabled in Digital Access. If not set, it is handled as "true".

userNameField (mandatory)
  Example value: Employee_LastName
  The datamap field which contains the user name that shall be provisioned to Digital Access.

smsNumberField (optional)
  Example value: Employee_SmsNumber
  The datamap field which contains the phone/SMS number of the user.

validFromField (optional)
  Example value: Employee_ValidFrom
  The datamap field which contains the validFrom information. If it is not set or the value of the field is null, the current date will be used, as this is a mandatory parameter in Digital Access.

validToField (optional)
  Example value: Employee_ValidTo
  The datamap field which contains the validTo information.

authenticationMethods (optional)
  Valid values:
    • Empty string (default)
    • SYNC
    • PM
    • OATH
  The authentication method which will be provided to Digital Access. Allowed are empty string (default), SYNC (= SYNChronized Authentication), PM (= Personal Mobile, that is, Smart ID Mobile App) and OATH (= Open AuTHentication).
  Note: Only one authentication method can be selected.
    • If an empty string is configured, a user account will be created without an authentication method.
    • If PM is configured, the barcode image (jpg) from the Digital Access response will be put into the process map with the fixed key "personalimage". If the creation fails, the field in the process map is not touched.
    • If OATH is configured, the barcode image (jpg) from the Digital Access response will be put into the process map with the fixed key "oathActivationBarcode". If the creation fails, the field in the process map is not touched.

pmStatus (optional, see note)
  Valid values: Empty string (default), activate, deactivate
  The status that Personal Mobile, that is, Smart ID Mobile App, should get. If an invalid status is configured, the status in PM is not changed.
  Note: This parameter is only mandatory if the authentication method is configured as PM. Otherwise it can remain empty.

OATHProvider (optional, see note)
  Example values:
    • Empty string (default)
    • Predefined_hotp_HmacSHA1
    • Predefined_hotp_HmacSHA256
    • Predefined_hotp_HmacSHA512
    • Predefined_totp_HmacSHA1
    • Predefined_totp_HmacSHA256
    • Predefined_totp_HmacSHA512
  The providers are configured in the Digital Access system. To find out which providers are configured on your Digital Access system, go to Digital Access Admin > Manage System > OATH Configuration > Manage OATH Providers.
  For more info, see: Set up OATH tokens in Digital Access.
  Note: This parameter is only mandatory if the authentication method is configured as OATH. Otherwise it can remain empty.
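As an added example (not Identity Manager or Digital Access code), the following Python checks a PRIME Designer parameter set for this task against the rules above and evaluates the phase-two lock/unlock decision for a CoreObject state. The overlap check between lockedStates and unlockedStates is an extra caveat, since the page does not say which list takes precedence; the hagUrl value is a placeholder.

```python
# Added example, not Identity Manager or Digital Access code: checks a parameter set for
# the HAG user-provisioning task against the rules on this page and derives the phase-two
# lock/unlock decision for a given CoreObject state.
MANDATORY = {"coreTemplateName", "hagUrl", "lockedStates", "unlockedStates", "userNameField"}
AUTH_METHODS = {"", "SYNC", "PM", "OATH"}  # only one may be selected
PM_STATUSES = {"", "activate", "deactivate"}

def split_states(value):
    """Parse a comma-separated state list such as "disabled,blacklisted,arrested"."""
    return {s.strip() for s in value.strip('"').split(",") if s.strip()}

def validate(params):
    """Return a list of problems; an empty list means the configuration is usable."""
    problems = [f"missing mandatory parameter {n}" for n in sorted(MANDATORY) if not params.get(n)]
    method = params.get("authenticationMethods", "")
    if "," in method:
        problems.append("only one authentication method can be selected")
    elif method not in AUTH_METHODS:
        problems.append(f"authenticationMethods {method!r} is not one of {sorted(AUTH_METHODS)}")
    status = params.get("pmStatus", "")
    if method == "PM" and not status:
        problems.append("pmStatus is mandatory when authenticationMethods is PM")
    elif status not in PM_STATUSES:
        problems.append(f"pmStatus {status!r} is invalid; the status in PM would not be changed")
    if method == "OATH" and not params.get("OATHProvider"):
        problems.append("OATHProvider is mandatory when authenticationMethods is OATH")
    if params.get("userEnabledPerDefault", "true") not in {"true", "false"}:
        problems.append("userEnabledPerDefault must be true or false")
    # The page does not define precedence for a state in both lists, so flag the overlap.
    overlap = split_states(params.get("lockedStates", "")) & split_states(params.get("unlockedStates", ""))
    if overlap:
        problems.append(f"states in both lockedStates and unlockedStates: {sorted(overlap)}")
    return problems

def phase_two_action(params, current_state):
    """Return "lock", "unlock" or None; lockedStates is checked first, as the page lists it first."""
    if current_state in split_states(params["lockedStates"]):
        return "lock"
    if current_state in split_states(params["unlockedStates"]):
        return "unlock"
    return None

# Constructed sample configuration using the example values from this page; the URL is a placeholder.
SAMPLE = {
    "coreTemplateName": "Employee", "hagUrl": "https://digital-access.example.invalid",
    "lockedStates": '"disabled,blacklisted,arrested"', "unlockedStates": '"active"',
    "userNameField": "Employee_LastName", "authenticationMethods": "PM", "pmStatus": "activate",
}

print(validate(SAMPLE), phase_two_action(SAMPLE, "blacklisted"))  # prints [] lock
```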