Nexus Documentation

Space shortcuts

Page tree

CURL vulnerability information (CVE-2023-38545)
Nexus awareness advisory on Microsoft's update KB5014754

Visit Nexus to get an overview of Nexus' solutions, read customer cases, access the latest news, and more.

This article describes how to configure the Interflex Service, to enable integration between Smart ID Identity Manager, Physical Access and the Interflex Service. 

Interflex is an Access Control System provided by Interflex Datensysteme GmbH and managed by a GUI and API to interact with Interflex. After integration, all administration of Users, Access Token and Entitlements (besides defining them) should be done in Identity Manager, never in Interflex.

For details on which data can be imported and exported from Interflex, see About import and export to Physical Access.


Expand/Collapse All

Prerequisites

The following prerequisites apply:

  • Physical Access and the Interflex Docker container/service are installed. See Deploy Smart ID.
  • The Interflex Service is currently using IF-6040 Open API version 12.1.1 to interact with Interflex.
  • The message queue server must be running.
  • If MIFARE card technology is used, the PACS MIFARE number must be available as raw data (not encrypted, truncated, or similar). 
  • A working network connection to the connected physical access control systems (PACS) must be in place. 

Configure Interflex Service data fields

The Interflex data is configured in the configuration table in the Physical Access database. All configuration is cached when the service starts so any configuration changes will require the service to be restarted in order to take effect.

To connect to a PACS system:

  1. Log in to Physical Access admin panel as an admin user.
    All configured PACS connector services are listed, as well as Generic configurations to define the messaging queue. 
  2. Click on a system to do updates.
    All database entries are listed. 
  3. To update an entry, click on the icon. Edit as needed and then click Update
  4. To create an entry, click on +Create. Select Group, enter Key, Value and Index, and then click Create

group: messagingqueue

keyData typeRequired or OptionalDescription
serverstringRequired

IP Address of Message Queue Server. If it is installed on the local server then we can use localhost. If we are accessing this server remotely then need to mention IP address.

usernamestringRequired

Username of message queue server.

Default value: “guest”

passwordstringRequired

Password of message queue server.

Default value: “guest”

systemstringRequired

Defines which messaging queue to be used, either "rabbitmq" or "azureservicebus".

Default value: "rabbitmq"

group: general

keyData typeRequired or OptionalDescription
deleteUserOnNoEntitlementstringOptional

Defines if the user shall be deleted if no active entitlement assignment are present for that user.

Valid values: true or false.

Default: true

deleteUserOnNoAccessTokenstringOptional

Defines if the user shall be deleted if no active access tokens are present for that user.

Valid values: true or false.

Default: true 

heartbeatInterval

intOptional

Heartbeat interval is the time difference between two successive heartbeats, and it is used to know if the system is in active (running) or in inactive (stopped) state.

Default value and minimum value: 60 seconds. If it is set less than 60 seconds, it will be considered as 60 seconds to update the status.

group: general

keyData typeRequired or OptionalDescription
updatesPerPollintOptional

The maximum number of messages read from the message queue.

Default: 100

group: interflex.system

keyData typeRequired or OptionalDescription
systemIdstringRequired

System id is a unique value which is sent with a request to identify rest client on server.

Default: “PHYSICAL-ACCESS-INTERFLEX-CLIENT”

usernamestringRequiredUsername to login into IF-6040 Rest API
passwordstringRequired

Password to login into IF-6040 Rest API

group: interflex.general

keyData typeRequired or OptionalDescription
apiUrlstringRequired

Base URL of IF-6040 rest API endpoint to import access element and export user details.

entitlementImportTypesstringRequired

EntitlementImportTypes is used to set which type of access elements Physical Access should import. Currently, these entitlementImportTypes are supported:

EntitlementImportTypesDescription
AccessProfile

If entitlementImportTypes is set to AccessProfile, only AccessProfile type access element are imported to Physical Access.

AccessZoneTimeProfileIf entitlementImportTypes is set to AccessZoneTimeProfile, AccessZone and TimeProfile type access element are imported to Physical Access.

To have support for both types, add it like “AccessProfile, AccessZoneTimeProfile”.

organizationUnitstringRequired

OrganizationUnit is the name of the default organization which can be used to create User or Card.

group: interflex.export

keyData typeRequired or OptionalDescription
cardNumberIdentifierTypestringRequired

This is a type of identifier in an access token. This setting indicates which type of identifier that is used for card number.

Default: “mifare”.

userIdentifierPrefixstringRequired

A prefix which is appended before Personnel Number of Person in Interflex.

Default: “PA”.

group: export

keyData typeRequired or OptionalDescription
userfieldmappingsstringOptional

The userfieldmappings is the combination of all additional fields that can be sent to Interflex. Currently, these fields can be configured:

  • EmailAddress
  • HomePhoneNumber
  • CellPhone
  • Country
  • Street
  • ZipCode
  • City
  • DateOfBirth
  • Sex

To export these fields to Interflex, add this configuration:

IdgroupindexkeysystemValue
1export0userfieldmappingsInterflexphone.home, HomePhoneNumber
2export0userfieldmappingsInterflexphone.mobile, CellPhone
3export0userfieldmappingsInterflexemail.Work, EmailAddress
4export0userfieldmappingsInterflexaddress.country, Country

The value in the configuration setting is a combination of table_name.value_of_type_column, property_name_of_cardholder. This configuration setting is the mapping between PA3 table field and Interflex cardholder model properties.

User column fields are sent by adding configuration like user.column_name_of_user_table, property_name_of_cardholder.

The service mainly transfers user data including related access tokens and entitlement assignments. In the service, default fields can be sent and additional fields can be mapped using extra field mappings.

User field mapping

By default, the following data is mapped between the USER table in the Physical Access and the Interflex service:  

SR NoPhysical Access field (Web API)Interflex field (UI)
1Id (Id) – Append with prefix as per configuration setting userIdentifierPrefixBasic Data -> Personnel number
2givenname (givenName)Basic Data -> FirstName (förnamn)
3familyname (FamilyName)Basic Data -> lastName (efternamn)
4Default organizationUnit defined in configurationBasic Data -> Belongs To (Organization)
5Check Type Configuration and then map actual email Type(emails-type-value)Contact -> Private email address

Access token field mapping

For access token field mapping, the ACCESSTOKEN and ACCESSTOKENIDENTIFIER tables from the Physical Access database are mapped to the Interflex service fields. All details are available under Person Record.

SR NoPhysical Access field (Web API)Interflex field (UI)
1CardNumber (identifiers-type-value)

Credentials ->Assigned

Credentials -> Column[Credential]

2Card ValidFrom and ValidTo decide internally

Credentials -> Assigned

Credentials -> Column[ValidFrom , ValidTo]

3User -> PinPIN Code

Entitlement assignment field mapping

For entitlement assignment field mapping, the ENTITLEMENTASSIGNMENT table from the Physical Access database is mapped to the Interflex service fields. All details are available under Person Record.

SR NoPhysical Access field (Web API)Interflex field (UI)
1DisplayName (entitlement-DisplayName)Access -> Personal Access Permission -> Access Element
2Valid From, Valid ToAccess -> Personal Access Permission -> [ValidFrom, ValidTo]

Restart service

  1. Restart the Interflex connector service:

    Restart Physical Access Interflex connector
    cd <SMARTIDHOME>/compose/physicalaccess
docker-compose restart smartid-pa-interflex

This article includes updates for Smart ID 23.04.2.

Related information

Integrate physical access control system (PACS) with Identity Manager

Copyright 2023 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions