
Specifications for the separate Smart ID modules are included in the respective modules listed in Nexus Smart ID.

This specification is kept for reference.

This article provides a specification of what is included in the Smart ID management solution. 

This specification describes the setup and interfaces of the Smart ID manager. The smart cards are ordered separately. For more information, see Add-ons to the Smart ID solution.


Cards

 Card types

The following card types are included in the Smart ID solution:

Card type | Description | Layout
Employee card | For employees | Employee card
External card | For persons that are not employed, for example consultants and contractors. Differences from Employee card: different layout for instant visual information, shorter validity. | External card
Employee temp card | Personal replacement card for a limited period of time. A temporary card does not have a photo on it, but can have a certificate. | Temporary card
External temp card | Personal replacement card for a limited period of time. A temporary card does not have a photo on it, but can have a certificate. | Temporary card

 Card layouts

Nexus provides standard templates for the three standard card types. As part of the Smart ID solution implementation project, Nexus consultants or partners make the following customizations to the layouts:

  • insert customer's logotype
  • change colors
  • change text fields
  • select orientation (landscape or portrait)

The following standard card layout templates are used.

In English (Open the files to see all layout options per card type):

In Swedish (Open the files to see all layout options per card type):

 RFID technology

Most common RFID technologies are supported in the Nexus Smart ID solution, both low frequency (125 kHz) and high frequency (13.56 MHz) technologies, for example:

  • Electro-marine (EM) - 125 kHz
  • MIFARE DESFire - 13.56 MHz
  • Legic - 13.56 MHz

Two RFID technologies can be combined on the same card. For a complete list of supported RFID technologies, see Card SDK interoperability data.

It is assumed that the customer provides the encoding details. As an additional service, Nexus can help determine the required encoding details.

 PKI chip

The following PKI chip technology is supported in the Nexus Smart ID solution:

  • ATOS CardOS 5.0
  • Nexus standard profile for PKCS#15 (ISO7816-15)

The PKI chip can include for example the following certificates:

  • one certificate for authentication
  • one certificate for signing
  • one certificate for encryption
  • optionally additional authentication certificates for IT administration access.

System integration

 Identity data source

The Smart ID solution includes one connector to an identity data source. The identity data source can be one of the following:

  • a Windows Active Directory (AD), integrated through the PRIME LDAP connector. This can also support follow-me printing and other functions. For more information on the supported LDAP protocol, see PRIME requirements and interoperability.
  • an HR system, integrated through the PRIME standard CSV connector, with a predefined mapping. Other connectors can be used as an add-on to the solution.

For an overview of connected systems and managing roles, see Smart ID manager overview.

 PACS system

The Smart ID solution includes one connector to a PACS system, using any of the following integrations:

  • Basic PACS integration
  • Light entitlement PACS integration

For more information on the different types of PACS integration and the supported system versions, see PRIME requirements and interoperability.

For an overview of connected systems and managing roles, see Smart ID manager overview.

 Certificate authority

The Smart ID solution includes one connector to a certificate authority (CA). The CA can be one of the following:

  • Nexus Certificate Manager (CM)
  • Microsoft Active Directory Certificate Services (AD CS)

For more information on the supported versions, see PRIME requirements and interoperability.

For an overview of connected systems and managing roles, see Smart ID manager overview.

System roles

 Standard roles

The following standard roles are used for the normal workflows in the Smart ID solution: 

Role | Description
Card production administrator | Produces cards.
User administrator | Administrates person data and assigns Smart ID management roles.
Approver | Approves or initiates card issuing to employees. Normally a manager.
Card service desk | Helps users with card issues, for example card activation, temporary cards, and forgotten PIN.
Self-service user | User in the User Self-Service Portal (USSP). A person must have this role to be allowed to use USSP.

For an overview of connected systems and managing roles, see Smart ID manager overview.

 System administration roles

The following roles have permission to change configurations in PRIME Designer:

Role | Description
Super user | Has permission to change certain configurations in PRIME Designer, for example change email templates and system role permissions.
System administrator | Has permission to change all configurations in PRIME, for example processes, forms, and search configurations. Nexus consultant or Nexus partner with access only to PRIME Designer.

For an overview of connected systems and managing roles, see Smart ID manager overview.

 Optional roles

The following roles can be added in the Smart ID solution: 

Additional role | Description | Option
Certificate administrator | Issues administrator certificates. | This role is used in the optional administrator certificates workflows.
SITHS card administrator | Registers and issues local SITHS cards (Swedish: tjänstekort). | This role is used in the optional SITHS card workflows.

Other features

 Branding

Basic branding is included in the Smart ID solution, by displaying the customer logotype in PRIME Explorer and User Self-Service Portal.

 Email notification templates

Nexus provides basic templates for the email notifications included in the common use cases, for example when a card has been activated or is about to expire.

During the implementation project, Nexus consultants or partners adapt the email templates for the customer needs.

When the Smart ID solution is up and running, email templates can be updated by a user that has the Super user role. For more information, see Set up email template.

 Reports

The following standard reports are included in the Smart ID solution: 

  • All employee cards
  • All external cards
  • All system users with connected roles
  • Locked cards with reason for locking
  • All active Personal Mobile users
  • All users that have Personal Mobile enabled but have not yet activated it

The reports are created using searches in PRIME Explorer.

 Language support

Supported languages are listed in PRIME requirements and interoperability.

 Nexus User Self-Service Portal

As part of the Smart ID solution, the customer can choose to include the PRIME User Self-Service Portal (USSP). The available self-service tasks in the USSP can help minimize administrative work.

The following self-service tasks are available in the User Self-Service Portal:

  • Activate Personal Mobile
  • Lock card
  • Change PKI PIN
  • Change PACS PIN
  • Renew card
  • Request replacement card
  • Unblock PIN
  • Upload photo

Software deliverables

 Software deliverables

The Smart ID solution includes the setup of one test system and one production system.

Each system consists of the following software:

  • Nexus Smart ID manager installation, including the PRIME Designer, PRIME Explorer and User Self-Service Portal
  • Nexus Smart ID manager configuration
  • Integration with one AD or HR system through standard PRIME connectors
  • One Nexus PRIME CA connector for CM or ADCS
  • One Nexus PRIME PACS connector, either Basic PACS connector or Light entitlement PACS connector
    For a description and the supported PACS systems, see PRIME requirements and interoperability.
  • Nexus PRIME Card Production client via Nexus Card SDK
  • Nexus Personal Desktop
  • Nexus Personal Mobile

 Installation requirements on server

The following installation requirements apply to the server in the Smart ID solution:  

  • Windows Server 2012 or later with 2 CPUs, 12 GB RAM, and 20 GB of disk space (extra disk) for the application and logs.
  • SQL Server 2014 or later installed with TCP port 1433 enabled. The Standard edition is recommended. The Express edition is also supported but has limited storage capacity. For more information, see https://www.microsoft.com/en-sa/sql-server/sql-server-2017-editions.
  • SQL Management Studio installed
  • IIS role installed on the server
  • A service account in AD that is a Domain User
  • Ports 443, 8443 and 8080 opened in the local firewall on the server
  • The above ports opened from the admin client, card production client and end-user client (these can also be the same computer)
  • Port 389/636 opened from the PRIME server to a domain controller
  • The OU from which PRIME shall get all needed users (for example, OU=Employee, DC=example, DC=com).
  • Active Directory Tools installed on PRIME Server
  • PACS-specific user service account for PACS connector communication.
  • If an ADCS installation is used, then RSASSA-PSS must not be used as the signature algorithm. This can be verified in a certificate, by checking the signature algorithm. SHA256 is the preferred signature algorithm, and SHA1 is also supported. 
  • To enable PACS integration, the PACS MIFARE number must be available as raw data (not encrypted, truncated, or similar).  
 Installation requirements on client

The following installation requirements apply to the client in the Smart ID solution: 

  • Java 8 update 121 (32-bit) or later installed on the admin client, card production client and end-user client.

Workflow options

 Additional workflows

Additional workflows that are included in the price for the Smart ID solution:

  • PACS-adapted workflows, depending on what PACS system is used
  • More workflows for handling photos, for example upload the photo to AD
  • Workflows to manage additional certificates on card for IT administrators
  • Workflows to register and issue local SITHS cards (Swedish: tjänstekort)
  • User Self-Service Portal (USSP) workflows, see separate section above
  • Export card number to AD for using other applications, such as canteen, follow-me print, library
  • Signature pad workflows. The workflows are included in the solution, but the signature pad is an add-on, see Add-ons to the Smart ID solution.

These additional workflows must be specified during the implementation project, and will be implemented by Nexus consultants or partners.

 Options in standard workflows

These choices are available in the standard workflows:

  • PIN letter or email for distributing PIN codes
  • Approval step in card production or not
  • Self-service tasks available for users, if the User Self-Service Portal is used
  • How to connect a personal photo for card production: upload, capture, or import photo from Nexus Service Station (if the Nexus Service Station is used, see Add-ons to the Smart ID solution)
  • Manual or automatic workflow to inactivate or reactivate persons
  • Automatically activate and deactivate cards for activated and inactivated persons
  • Automatically produce cards for new employees
  • Let person sign on a signature pad when picking up a card (if a signature pad is used, see Add-ons to the Smart ID solution)
  • Automatically renew cards for active persons

These options must be specified during the implementation project, and will be implemented by Nexus consultants or partners.

 Nexus Service Station workflows

Optionally, Nexus Service Station can be used to collect employee photos. There are standard workflows for that purpose, that are included in the solution.

The Service Station hardware is an add-on, see Add-ons to the Smart ID solution.

Add-ons to the Smart ID solution

 Smart cards and accessories

Smart cards and accessories are not included in the price for the Smart ID solution.

To order cards, there are two alternatives:

For a specification of the standard card types and technologies, see Cards.

 Hardware add-ons

The following hardware add-ons are not included in the price for the Smart ID solution. See the complete assortment of available hardware in Nexus GO Webshop:

  • Nexus Service Station - stand-alone kiosk for photo and data capture, and some additional functions, such as change PIN.
  • Signature pad - including predefined workflows in the Smart ID manager
  • Card printer and encoder
  • Card printer accessories, such as color ribbons, transfer film, and protection laminate
  • PIN letter printer
  • Smart card readers

 Software add-ons

The following add-on services are not included in the price for the Smart ID solution, but can be added to provide extra functionality:

The following Smart ID add-ons are not included in the price, but can be added to provide extra functionality:

  • Entitlement management
  • Two-factor authentication (2FA) and single sign-on (SSO)
  • Enterprise PKI

The following Smart ID manager add-ons are not included in the price, but can be added to provide extra functionality:

  • Additional standard data connectors (CSV, LDAP, JDBC, SCIM)
  • Additional RFID encoding
  • Additional PACS basic or light integration
  • Additional tenant
  • Additional PKI connector
