Visit Nexus to get an overview of Nexus' solutions, read customer cases, access the latest news, and more.


This article describes standard service tasks that can be used with Smart ID Identity Manager.

The default values below are only examples. The values must be configured for the desired behavior of the task.

Expand/Collapse All

Parameters and values

Mandatory parameters must not be deleted when you configure a Standard service task. Otherwise the task will fail at runtime. (This is because, currently Identity Manager Admin does not check the existence of mandatory parameters.)

For some parameters of the Standard service tasks, default values at design time are documented here. Those default values are only relevant when configuring a new Service task in Identity Manager Admin. The default value is at this time automatically added as parameter value. It may be changed or the parameter may be deleted by the process designer. In that case, the default value at design time does not have any effect at runtime.

A parameter which is not mandatory may be deleted at design time. At runtime the following default values are in effect, depending on the parameter type:

TypeDefault value at runtime
DateCurrent date, measured to the nearest millisecond
Booleanfalse
(other)null

Standard service tasks

Card Production


Description

Use this task to perform "GET requests" towards the Nexus GO Cards ordering API and extract any attributes from the response.

Configuration

To use this task, configure the following delegate expression in your service task:

${caasRestClientAction}

The parameters in the examples below can be configured in Identity Manager Admin.

Nexus GO Cards Ordering API

All the attributes that you want to extract have to match the Nexus GO Cards schema exactly. See Nexus GO Cards ordering for more information.

Important details

  • All parameters that are included in the URL, for example {cardId}, {orderId}, {email}, must be defined with the prefix "param_" since some of these values are also returned in the server response. This variable will not be written to the process map.
  • All query parameters that you want to define must be prefixed with "queryParam_". If not defined, the default will be used. This variable will not be written to the process map.

Get order info:

ParameterMandatoryValueDescription
URL

/api/order/{orderId}

The endpoint to call.

param_orderId

(for this endpoint)

Example value:

  • OD123

Will replace the {orderId} value from the URL.

costCentre-

Example value:

  • costCentre_Output
Will add the variable with the name costCentre_Output to the process map. The value will be taken from the response body.
orderer.email-

Example value:

  • ordererEmail_Output
Will add the variable with the name ordererEmail_Output to the process map. The value will be taken from the response body.
cardIds-

Example value:

  • cardIds_Output

Will add the variable with the name cardIds_Output to the process map as a list. The value will be taken from the response body.

accessories.articleId-

Example value:

  • accessories_articleIds_Output

Will add the variable with the name accessories_articleIds_Output to the process map as a list. The value will be taken from the response body.

Get available accessories:

ParameterMandatoryValueDescription
URL

/api/accessoryThe endpoint to call.
queryParam_showDetails-Valid values:
  • true (default)
  • false
You can override the default query parameters by setting them yourself, or keep the default.
queryParam_languageId-Valid values:
  • DE
  • EN (default)
  • FR
  • SV
You can override the default query parameters by setting them yourself, or keep the default.
articleId-

Example value:

  • articleId_Output
Will add the variable with the name articleId_Output to the process map as a list. The value will be taken from the response body.
price-

Example value:

  • price_Output
Will add the variable with the name price to the process map as a list. The value will be taken from the response body.

Error cases

There are three major error cases:

  • Wrong URL
  • Mandatory parameter not defined, for example {cardId}
  • Resource not found, for example {cardId} does not exist

For these three error cases you will find two variables in the process map that describe what happened:

  • HTTP_STATUS_CODE
  • requestErrorMessage

You can use these variables to adjust your process flow accordingly.

Description

Use this task to execute card productions on the server side. The service tasks supports execution of encodings via Card SDK or the JPKIEncoder integrated in Identity Manager. Printing is currently not supported.

Configuration

To use this task, configure the following delegate expression in your service task:

${serverSideCardOperationTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
encodingName

Example value:

PcmEncProduceEmployeeCard

Name of the encoding description to be executed
cardSDK-

Valid values:

  • true (default)
  • false
Flag to configure if the encoding should be executed through the Identity Manager server directly or through Card SDK. Default is true, which means that the encoding is executed through Card SDK.

Certificates


Description 

Use this task to trigger a republishing or unpublishing action for a specific certificate on the Smart ID Certificate Manager (CM) based on the configured publication procedure.

Configuration

To use this task, configure the following delegate expression in your service task:

${certificatesPublicationTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
publicationProcedure

Example value:

  • CertEP CA Certificate to AD (Enrollment Services)
Publication procedure defined on Smart ID Certificate Manager (CM).
serialnumberField

Certificate_CertSerialName of the field containing the serial number in the datamap.
DataPoolName_Certificate

CertificateDatapool name of certificate.
serialNumberIsDecimal-

Valid values:

  • true (default)
  • false

Indicates that the serial number is in decimal format already.

If this field is set to "false" or left out, the serial number will be interpreted as hex format.

Description

Use this task to create an ACME pre-registration order in Smart ID Certificate Manager (CM). You need to use Smart ID Certificate Manager 8.1 or later.

If you apply the CMSDK 7.18.1 downgrade package, then this task will not be available.

Configuration

To use this task, configure the following delegate expression in your service task:

${acmePreRegistrationTask}


The following parameters can be configured in Identity Manager Admin: 

ParameterMandatoryValueDescription
hmackey


The shared secret to secure the further communication
keyid


Identifies the account
alloweddomains

-


A comma-separated list of domains, that the account is allowed to order certificates for.

certificateTemplate


Defines the CA connection and the certificate procedure for pre-registration. For details concerning the procedure, see Example: ACME configuration in Protocol Gateway.

Description 

Use this task to register or de-register CMP order requests in Smart ID Certificate Manager (CM).

The task sends common name and password details for specified token procedure into CM, so that CM will later accept (in case of registration) or reject (in case of de-registration) CMP enrollment request from specified clients. This service task parameters can be extended for other certificate attributes, which are listed below.

If you apply the CMSDK 7.18.1 downgrade package, then this task will not be available.

Configuration

To use this task, configure the following delegate expression in your service task:

${cmpOrderRequestTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
certTemplate

Example:
  • MyCmpRegTemplate
Certificate template name which has token procedure and Smart ID Certificate Manager (CM) information.
commonName

Example value:

Common name parameter identifies the machine by its Fully Qualified Domain Name (FQDN) for which the auto-enrollment will be processed.

It is not possible to have multiple FQDNs in one registration, that would have to be separate registrations. However, the FQDN does support wildcards, so you could specify the FQDN with something like "test-*.example.com"

password

-


Optional password used to verify CMP enrollment requests sent by clients later. So it will be the same password which will be used by clients in CMP enrollment request.

state

Valid values:

  • Open (default)
  • Closed

This value decides whether this is a registration ("Open") or a de-registration ("Closed") order request at Smart ID Certificate Manager (CM).

It is a drop down value list with "Open" and "Closed" options, "Open" is selected by default.

validity-

Valid values:

  • always (default if not set)
  • number of days
Validity value of the request order, either "always" or the number of days. Smart ID Certificate Manager (CM) defaults to 'always' if not set.

Info

Task parameters can be dynamically extended for other certificate attributes in following naming convention. Attribute names are not case sensitive however its expected to have exact name as shown below.

  • country
  • commonname
  • emailaddress
  • dmd
  • givenname
  • initials
  • keyprocedureid
  • locality
  • organisation
  • organizationidentifier
  • pseudonym
  • title
  • uniqueidentifier
  • surname
  • telephonenumber
  • street
  • stateorprovince
  • postalcode
  • encoding
  • othernameoid
  • othernameencoding
  • othernamevalue

Following attributes can be provided as single value or multiple values as comma separated values.

  • organisationunit
  • postaladdress
  • sanemailaddress
  • ipaddress
  • dns
  • directory
  • uri
  • registeredid

Description 

Use this task to register or de-register Enrollment over Secure Transport (EST) order requests to Smart ID Certificate Manager (CM).

The task sends common name and password details for specified token procedure into CM, so that CM will later accept (in case of registration) or reject (in case of de-registration) EST enrollment request from specified clients. This service task parameters can be extended for other  certificate attributes which is listed below.

If you apply the CMSDK 7.18.1 downgrade package, then this task will not be available.

Configuration

To use this task, configure the following delegate expression in your service task:

${estOrderRequestTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
certTemplate

Example value:

  • ScmCtServerCertificateP10
Certificate template name which has token procedure and Smart ID Certificate Manager (CM) information.
commonName

Example value:

Common name parameter identifies the machine by its Fully Qualified Domain Name (FQDN) for which the auto-enrollment will be processed.

It is not possible to have multiple FQDNs in one registration, that would have to be separate registrations. However, the FQDN does support wildcards, so you could specify the FQDN with something like "test-*.example.com"

userName

-


User name which is allowed to make EST request.
password


Password is used to verify EST enrollment requests sent by clients later. So it will be the same password which will be used by clients in EST enrollment request.

state

Valid values:

  • Open (default)
  • Closed

This value decides whether this is a registration ("Open") or a de-registration ("Closed") order request at Smart ID Certificate Manager (CM).

It is a drop down value list with "Open" and "Closed" options, "Open" is selected by default.

validity-

Valid values:

  • always (default if not set)
  • number of days
Validity value of the request order, either "always" or the number of days. Smart ID Certificate Manager (CM) defaults to 'always' if not set.
realm-

Example value:

  • est-realm
realm details

Info

Task parameters can be dynamically extended for other certificate attributes in following naming convention. Attribute names are not case sensitive however its expected to have exact name as shown below.

  • country
  • commonname
  • emailaddress
  • dmd
  • givenname
  • initials
  • keyprocedureid
  • locality
  • organisation
  • organizationidentifier
  • pseudonym
  • title
  • uniqueidentifier
  • surname
  • telephonenumber
  • street
  • stateorprovince
  • postalcode
  • encoding
  • othernameoid
  • othernameencoding
  • othernamevalue

Following attributes can be provided as single value or multiple values as comma separated values.

  • organisationunit
  • postaladdress
  • sanemailaddress
  • ipaddress
  • dns
  • directory
  • uri
  • registeredid

Description 

Use this task to register or de-register Simple Certificate Enrollment Protocol (SCEP) order requests to Smart ID Certificate Manager (CM). 

The task will be executed on server identities and use some details of the server identities for creating order request. The task sends common name and password details for specified token procedure into CM, so that CM will later accept (in case of registration) or reject (in case of de-registration)  SCEP enrolment request from specified clients. This service task parameters can be extended for other  certificate attributes which is listed below.

Configuration

To use this task, configure the following delegate expression in your service task:

${scepOrderRequestTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
certTemplate


Certificate template name which has token procedure and Smart ID Certificate Manager (CM) information.
commonName


Common name parameter identifies the machine by its Fully Qualified Domain Name (FQDN) for which the auto-enrollment will be processed.

It is not possible to have multiple FQDNs in one registration, that would have to be separate registrations. However, the FQDN does support wildcards, so you could specify the FQDN with something like "test-*.example.com"

enrollReg

Valid values:

  • true
  • false
Registration enrolment flag (true/false).
password


Password is used to verify SCEP enrolment requests sent by clients later. So it will be the same password which will be used by clients in SCEP enrolment request.

cpmState

Valid values:

  • 1000
  • 1001

This value decides whether this is a registration or a de-registration order request at Smart ID Certificate Manager (CM).

Set to 1000 to trigger a registration, 1001 to trigger a de-registration

validity

Valid values:

  • always (default)
  • <number of days>
Validity value of the request order, either "always" or the number of days. Smart ID Certificate Manager (CM) defaults to 'always' if not set.
emailAddress

Email address of the responsible person.
ipAddress

IP address of the server of machine.
serialNumber

Serial number of the device if available. It is not mandatory so it can be blank.

Info

Task parameters can be dynamically extended for other certificate attributes in following naming convention. Attribute names are not case sensitive however its expected to have exact name as shown below.

  • country
  • commonname
  • emailaddress
  • dmd
  • givenname
  • initials
  • keyprocedureid
  • locality
  • organisation
  • organizationidentifier
  • pseudonym
  • title
  • uniqueidentifier
  • surname
  • telephonenumber
  • street
  • stateorprovince
  • postalcode
  • encoding
  • othernameoid
  • othernameencoding
  • othernamevalue

Following attributes can be provided as single value or multiple values as comma separated values.

  • organisationunit
  • postaladdress
  • sanemailaddress
  • ipaddress
  • dns
  • directory
  • uri
  • registeredid

Description

Use this task to send a PKCS#10 to the configured CA. Based on the configured certificate template a new X.509 certificate will be requested from the CA. The issued certificate will be stored in the Identity Manager database and will be added to the process map. Certificate templates provide a set of attributes, which allows fine-grained configuration.

Configuration

To use this task, configure the following delegate expression in your service task:

${executePKCS10RequestTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
P10RequestFormEntry

Example value:

  • p10input
Process variable containing the bytes of a PKCS#10 request. These bytes are the content of either a PEM encoded or a binary CSR file.
P10RequestFormResult

Example value:

  • certResult
Process variable where the certificate file should be returned. The exact form of the certificate can be controlled via booleanResultWithPEMHeaders.
P7ResponseField-

Example value:

  • certChain
Process variable where the certificate chain should be returned. The certificate chain will be formatted as a PKCS#7 container.
certTemplate

Example value:

  • ScmCtServerCertificateP10
Certificate template name.
booleanResultWithPEMHeaders-

Example value:

  • true
Configures whether the resulting certificate should be the utf-8  bytes of a PEM encoded certificate like 
"-----BEGIN CERTIFICATE----- ..." or the bytes of the plain binary from of the certificate is stored in the field denoted in P10RequestFormResult.

There are three types of BPMN error thrown when we have issue while requesting certificate from CA.

  • Error Code = CaConnectionFailed 
            - This BPMN Error code appears when we have any connection issue with CA.
  • Error Code = CaRequestFailed
           - This BPMN Error code appears when we have other CA related issue e.g. key size , same key usage etc.
  • Error Code = CommonError
           - This BPMN Error code appears when there is a problem with crafting the p10 request.

In versions 3.12.5 and 20.06.0 this task was named Cert: Execute Plain Request with delegate expression ${executePlainRequestTask} .

Processes referencing the old expression have to be adjusted when updating to a newer version like 3.12.8 / 20.06.1 / 3.13.0.

Description

Note

This task works with Smart ID Certificate Manager (CM) only. Other certificate authorities are not compatible.

Use this task to send a certificate request based on extracted PKCS#10 data (via Cert: Extract PKCS#10 Attributes From Request) combined with certificate template data. Mapped Certificate data-pool field values in the certificate template can be populated with extracted PKCS#10 data or set to custom values. Based on the configured certificate template a new X.509 certificate will be requested from the CA. The issued certificate will be stored in the Identity Manager database and will be added to the process map. Certificate templates provide a set of attributes, which allows fine-grained configuration.

Configuration

To use this task, configure the following delegate expression in your service task:

${executeModifiedPKCS10RequestTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
P10RequestFormEntry

Example value:

  • p10input
Process variable containing the bytes of a PKCS#10 request. These bytes are the content of either a PEM encoded or a binary CSR file.
P10RequestFormResult

Example value:

  • certResult
Process variable where the certificate file should be returned. The exact form of the certificate can be controlled via booleanResultWithPEMHeaders.
certTemplate

Example value:

  • ScmCtServerCertificateP10
Certificate template name.
booleanResultWithPEMHeaders-

Example value:

  • true
Configures whether the resulting certificate should be the utf-8  bytes of a PEM encoded certificate like 
"-----BEGIN CERTIFICATE----- ..." or the bytes of the plain binary from of the certificate is stored in the field denoted in P10RequestFormResult.
P7ResponseField        -

Example value:

  • certChain
Process variable where the certificate chain should be returned. The certificate chain will be formatted as a PKCS#7 container.

There are three types of BPMN error thrown when we have issue while requesting certificate from CA.

  • Error Code = CaConnectionFailed 
            - This BPMN Error code appears when we have any connection issue with CA.
  • Error Code = CaRequestFailed
           - This BPMN Error code appears when we have other CA related issue e.g. key size , same key usage etc.
  • Error Code = CommonError
           - This BPMN Error code appears when there is a problem with crafting the p10 request.

Description

Use this task to extract attributes from a certificate. 

Configuration

To use this task, configure the following delegate expression in your service task:

${extractCertAttributesTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryExample ValueDescription
X509Field

Certificate_DataThe name of the field containing the certificate as binary data. It must be contained in the process map.
RSAPublicExponent-CERTpublicExponentField to store the public exponent of RSA certificates as BigInteger. Null for ECC certificates.
keySize-CERTkeySizeField to store the key size of the certificate's public key as Integer.
keyType*-CERTkeyTypeField to store the keyType description. For EC keys this also includes the curve name. Note: the format is subject to change!
keyUsage*-CERTkeyUsageField to store the key usages.
extKeyUsage*-CERTextKeyUsageField to store the extended key usages.
hashAlgorithm*-CERThashAlgorithmField to store the hash algorithm name.
validFrom-CERTvalidFromField to store the start date of the validity period as Date.
validTo-CERTvalidToField to store the end date of the validity period as Date.
subjectDN-CERTsubjectDNField to store the subject distinguished name.
issuerDN-CERTissuerDNField to store the issuer distinguished name.
certSerialNumber-CERTserialNumberField to store the serial number.
cdpUrls*-CERTcdpUrlsField to store a concatenated string of all CRL distribution point URLs in. They are comma-space-separated.
ocspUrls*-CERTocspUrlsField to store a concatenated string of all OCSP responder URLs in. They are comma-space-separated.
SAN_EMAIL-CERTsanEmailField to store the SAN email addresses.
SAN_UPN-CERTsanUpnField to store the SAN user principal names.
SAN_DNS-CERTsanDnsField to store the SAN dns names.
SAN_IP-CERTsanIpField to store the SAN ip addresses.
SAN_URI-CERTsanUriField to store the SAN uniform resource identifiers.
SAN_GUID-CERTsanGuidField to store the SAN globally unique identifiers.
SAN_RID-CERTsanRidField to store the SAN registered IDs.
SAN_KRB5PRINCIPALNAME-CERTsanKrb5Principal

Field to store the SAN Kerberos 5 principal names.
The result is a "comma-space"-separated list of JSON objects, each representing one Kerberos 5 principal name, as shown in the example below:

{"realm":"DATACENTER","nameType":4,"nameComponents":["myservice","myhost"]}, {"realm":"DEV","nameType":1,"nameComponents":["alice"]}, {"realm":"DEV","nameType":1,"nameComponents":["bob"]}

NameTypes are defined in RFC-4120, section 7.5.8 .

GIVENNAME-CertDnGIVENNAMEField to store the given name.
SURNAME-CertDnSURNAMEField to store the surname.
NAME-CertDnNAMEField to store the name.
GENERATION-CertDnGENERATIONField to store the generation.
C-CertDnCField to store the country.
CN-CertDnCNField to store the common name.
L-CertDnLField to store the locality.
O-CertDnOField to store the organization.
OU-CertDnOUField to store the organizational unit.
ST-CertDnSTField to store the state.
INITIALS-CertDnINITIALSField to store the initials.
TITLE-CertDnTITLEField to store the title.
E-CertDnEMAILField to store the email adress (from DN).
PSEUDONYM-CertDnPSEUDONYMField to store the pseudonym.
DNQ-CertDnDNQField to store the DN qualifier.
USER_ID-CertDnUSERIDField to store the user ID.
TELEPHONE_NUMBER-CertDnTELField to store the telephone number.
POSTAL_CODE-CertDnPOSTALCODEField to store the postal code.
POSTAL_ADDRESS-CertDnPOSTALADDRField to store the postal address.
STREET-CertDnSTREETField to store the street.
NAME-CertDnNAMEField to st
UNIQUE_IDENTIFIER-CertDnUNIQUEIDField to store the unique identifier.
SN-CertDnSERIALField to store the DN serial number.
ORGANIZATION_IDENTIFIER-CertDnORGIDField to store the organisation identifier.
DC-CertDnDCField to store the domain component.

If non-datapool target fields are used for extracted attributes, then you will run into problems when extracting multiple instances of the same attribute (e.g. multiple OUs).

Example:

Your DN is as follows: DN=hello, OU=firstOrg, OU=secondOrg

Your target variable for the OU parameter is: DnOrgUnit

This results in two variable assignments:

  • DnOrgUnit = firstOrg
  • DnOrgUnit_1 = secondOrg

The issue here is that DnOrgUnit_1 contains an underscore despite not being a Datapool-field.
This will cause it being misinterpreted as being field 1 of the datapool DnOrgUnit instead of a a standard process variable named DnOrgUnit_1.

To avoid this, either make sure all your target fields are datapool fields, or use additional service tasks that copy the values into proper named fields before further processing.

You can, for example, use the Process: Set Value of Variable in Process Map task and set the following parameters:

  • variableName: DNattrOU1
  • variableValue: ${DNattrOU_1}

In case of error

The following parameters are set in case of error:

ParameterMandatoryValueDescription
ExtractionResult*

-

Valid values:

  • success (default)
  • error

The value is default set to "success".

If one of the following errors occurs, the value is set to "error":

  • The field containing the certificate is empty.
  • One of the attributes exceeds 2000 characters (limitation by Activiti).
ExtractionResultErrorMsg*-

Valid values:

  • "Certificate data is empty"
  • "The attribute 'xy' exceeded 2000 characters."
If one of the errors in "ExtractionResult" occurs, this variable is set to "Certificate data is empty" or to "The attribute 'xy' exceeded 2000 characters."

* - These parameters require PRIME 3.12.4 or later.

Description

Use this task to extract all subject DN attributes, as well as the SAN attributes from a PKCS#10 request. The parameter value of P10RequestFormEntry has to match the symbolic name of the field in the PKCS10RequestEntryForm where the CSR file is uploaded. The extracted attributes will be put into the process data map under keys <valueOfP10RequestFormEntry><attributeName>, for example, PKCS10RequestFormEntryCn for the default value of P10RequestFormEntry and CN attribute or PKCS10RequestFormEntrySANEMAIL for San Email.

Configuration

To use this task, configure the following delegate expression in your service task:

${extractPKCS10AttributesFromRequestTask}

The following parameters can be configured in Identity Manager Admin

ParameterMandatoryValueDescription
P10RequestFormEntry

Example value:

  • p10input

Process variable containing the content of a CSR file as an array of bytes. The CSR file might be either PEM encoded or binary.

Extracted attributes

Subject DN attributesPrefixResult
  • Email = E
  • Common Name = CN
  • Country = C
  • Organisation = O
  • Title = T
  • Surname = SURNAME
  • State = ST
  • Given Name = GIVENNAME
  • Organisation Unit = OU
  • Serial Number = SN
  • Unique Identifier = UID
  • Street = STREET

PKCS10RequestFormEntry

  • PKCS10RequestFormEntryE
  • PKCS10RequestFormEntryCN
  • PKCS10RequestFormEntryC
  • PKCS10RequestFormEntryO
  • PKCS10RequestFormEntryT
  • PKCS10RequestFormEntrySURNAME
  • PKCS10RequestFormEntryST
  • PKCS10RequestFormEntryGIVENNAME
  • PKCS10RequestFormEntryOU
  • PKCS10RequestFormEntrySN
  • PKCS10RequestFormEntryUID
  • PKCS10RequestFormEntrySTREET

SAN attributes

PrefixResult
  • SAN EMAIL = SANEMAIL
  • SAN GUID = SANGUID
  • SAN DNS = SANDNS
  • SAN UPN = SANUPN
  • SAN IP = SANIP
  • SAN RID = SANRID
  • SAN KRB5PRINCIPALNAME = SANKRB5PRINCIPALNAME
PKCS10RequestFormEntry
  • PKCS10RequestFormEntrySANEMAIL
  • PKCS10RequestFormEntrySANGUID
  • PKCS10RequestFormEntrySANDNS
  • PKCS10RequestFormEntrySANUPN
  • PKCS10RequestFormEntrySANIP
  • PKCS10RequestFormEntrySANRID
  • PKCS10RequestFormEntrySANKRB5PRINCIPALNAME
    • The result is a "comma-space"-separated list of JSON objects, each representing one Kerberos 5 principal name, as shown in the example below:

      {"realm":"DATACENTER","nameType":4,"nameComponents":["myservice","myhost"]}, {"realm":"DEV","nameType":1,"nameComponents":["alice"]}, {"realm":"DEV","nameType":1,"nameComponents":["bob"]}

      NameTypes are defined in RFC-4120, section 7.5.8 .

Other attributesPrefixResult
  • Key size
  • Algorithm (+ curve)*
  • HashAlgorithm
  • (as boolean) = the signature is valid
PKCS10RequestFormEntry
  • PKCS10RequestFormEntryKeySize
  • PKCS10RequestFormEntryKeyType
  • PKCS10RequestFormEntryHashAlgorithm
  • PKCS10RequestFormEntrySignatureValid

*Extracting the curve name currently does not work if Identity Manager and Identity Manager Admin run on the same Tomcat instance due to a classloader issue with JCE providers. In that case only the algorithm name is shown ("ECDSA") without the curve appended.

Description

Loads the certificate history of a user, as a list of the certificates' Core Object IDs, into the process map, in order to recover these certificates in a later step. The relevant certificates are identified by the <certTemplates> types and the ObjectRelations either directly to the user, or via a related card. The list is ordered by 'validTo'-date descending, and the number of provided certificates can be limited by <count>. The task is intended to be a simple way to implement standard recovery cases. More special cases can be done via SearchConfigurations. Recovery supports simple Core Object ID lists, like provided here, or CoreObjectDescriptor-lists provided by Processes: Execute Search Tasks.

SKI (Secure Key Injection): It will look for associated cards of the person and retrieve thumbprint information if the card ICCSN is provided in the process map. This thumbprint will be saved into the process map if it is available in the database. 

Configuration

To use this task, configure the following delegate expression in your service task:

${prepareDataForCertificateKeyRecoveryTask}

The following parameters can be configured in Identity Manager Admin: 

ParameterMandatoryValueDescription
certTemplates


A comma separated list of the certificate core template names of the certificates to be recovered.
count


Maximum number of certificate ids to be provided via this task.

processVariable

Certificate_CoreObjects or PcmDpCertificate_CoreObjects

Variable name in the process map, where the certificate Core Object IDs should be provided for subsequent recovery.

DataPoolName_Certificate


The datapool name of the Certificate core object.
DataPoolName_Person


The datapool name of the Person core object.
DataPoolName_Card


The datapool name of the Card core object.
ObjectRelationType
Example value: 
  • Default, Deputy

A comma separated list of related object types between Persons, Cards and Certificates (e.g. Default, Deputy).

When this value is provided then the task will load only a person's certificates with matching relations into the process variable, otherwise it will load certificates with all available relation types.

This is a general white-list, which does not distinguish between the objects involved in a relation, like Person<>Card, Person<>Certificate, Card<>Certificate, etc. Therefore you have to be very careful in constructing the relations to avoid accidental recovery of unwanted certificates.

Example

Let's assume that no direct Person<>Certificate relations exist (because no soft tokens and only cards were produced) and all Person<>Card relations use the type "Default". Then "Default" has to be part of the list. Otherwise no card could be found, and thus also no certificates of the card.

Let's also assume that some Card<>Certificate relations also use the type "Default", but you only want to recover those with type "User".

Then you will have a problem, because ObjectRelationType=Default, User will recover both types, and ObjectRelationType=User will recover nothing, as the parent relation between Person<>Card does not match.

To avoid this, make sure that all Card<>Certificate relations use a dedicated type. Soft token certificates related directly to a person will always use the default type, so they should not use the same certificate template as the ones on a card, if you do not want to include them.

To use this task, select it in Identity Manager Admin and configure the above parameters. No bean configuration is required. In a later action you must perform the Key Recovery.

Description

Use this task to archive and/or recover PGP certificates from Smart ID Certificate Manager (CM).

When new certificates are requested, the values will be taken from the certificate template configured under "archivalTemplate". The following attributes can be set:

AttributeDescription

Common Name (CN)

Expression that defines the CN sent with the PGP key archival request, mandatory part of the PGP user ID created by Certificate Manager.

Email (SAN_EMAIL)

Expression that defines the SAN_EMAIL sent with the PGP key archival request, mandatory part of the PGP user ID created by Certificate Manager.

Surname (SURNAME)

Expression that defines the SURNAME sent with the PGP key archival request, optional part of the PGP user ID created by Certificate Manager.

Givenname (GIVENNAME)

Expression that defines the GIVENNAME sent with the PGP key archival request, optional part of the PGP user ID created by Certificate Manager.

Configuration

To use this task, configure the following delegate expression in your service task:

${executePgpSoftTokenAction}

The following parameters can be configured in Identity Manager Admin: 

ParameterMandatoryValueDescription
requestAndArchive

Valid values:

  • true (default)
  • false
If true, then a new PGP keys will be requested and archived (you cannot request new keys that are not archived)
passwordField

Person_PasswordRefName of secret field in which the password for encrypting the secret keyrings is provided
archivalTemplateif requestAndArchive true PkiBoPgpCert

Name of the PGP archival certificate template configured in Identity Manager, must match the config of ${prepareDataForCertificateKeyRecoveryTask}

archivalSubjectSerialNumberPrefix-${Person_UPN}Expression that defines an optional prefix for the generated subjectSerialNumber, so the final SSN may look something like this: "MyResolvedPrefixc97cb0de-
4774-454c-8568-82fbcd6ee710"
recover

Valid values:

  • true (default)
  • false
If true, then existing PGP keys for the user will be recovered
recoveryTemplateif recover truePkiBoPgpRecoveryName of the PGP recovery certificate template configured in Identity Manager
certificatesForRecoveryif recover true Certificate_CoreObjects

Process var containing the core object ID (or list of IDs) or core object descriptor list of the certificates to recover

mailDefinitionNameif publicKeyringsField and secretKeyringsField missing PGP Softtoken MailName of the mail definition for the PGP softtoken mail (no mail will be sent if this is missing)
mailEncryptionCertificates- Certificate_EncProcess var containing the core object descriptor list of the certificates, which will be used to encrypt the softoken mail.
publicKeyringsFieldif mailDefinitionName missingPublicPgpKeyRefForDownloadName of the process var into which to save the secret field reference of the ASCII-armored public keyring data (a new secret field entry is created and its ref saved to the processmap)
secretKeyringsFieldif mailDefinitionName missing SecretPgpKeyRefForDownloadName of the process var into which to save the secret field reference of the ASCII-armored secret keyring data (a new secret field entry is created and its ref saved to the processmap)
errorMessageField

ErrorMessage (default value)Name of the process var into which the BpmnError message is saved if one is thrown
errorTypeField

ErrorType (default value)Name of the process var into which the BpmnError type is saved if one is thrown
ssnsIssuedNotPropagatedField

SubjectSerialNumbersIssuedNotPropagated (default value)Name of the process var into which a list of issued but not propagated subjectSerialNumbers is saved if a BpmnError is thrown (you could use this information to unpublish, this might require additional lookups in Smart ID Certificate Manager (CM), though)

Description

Use this task to query a certificate from a certificate authority, put it into a PKCS#12 Container and either save it to secret field store or send it via email. There are two ways to query the data base:

  • Recover the certificates found in process variable.
  • Request a new certificate (using a plain request).

Both methods can be combined or used independently. If no certificate is queried the task will fail.

Due to [https://bugs.openjdk.java.net/browse/JDK-8214513] the generated PKCS#12 keystores can not be opened with java < 11.0.3 unless BouncyCastle (BC) is used as a KeyStore provider.

  • Windows can open the generated P12.
  • Java with Boucycastle can open the generated P12.
  • Java >= 11.0.3 without BC can open the generated keystores, however the encoding parameters selected in the softtoken task must be supported by the SUN KeyStore provider. The defaults are not supported. You must use for example:
    • Encryption algorithm: PBE with SHA-1 and 3-key triple DES with CBC (OID: 1.2.840.113549.1.12.1.3)
    • PRF: HMac with SHA-1 (OID: 1.2.840.113549.2.7)
    • Hashing algorithm: SHA-1 (OID: 1.3.14.3.2.26)
  • Nexus Personal Desktop Client can import the generated P12, however versions up to at least 5.2.3 require the weaker algorithms shown above for Java without BC
  • Nexus Personal Desktop App can import the generated P12, however versions up to at least 1.3.6 require the weaker algorithms shown above for Java without BC

Configuration

To use this task, configure the following delegate expression in your service task:

${executeSoftTokenRequestAndRecovery2}

The following parameters can be configured in Identity Manager Admin: 

ParameterMandatoryValueDescription
p12PasswordField

Example value:

  • Person_PasswordRef
Password variable field for the generated PKCS#12 container. There are actions to create one.
recoverCerts

Valid values:

  • true (default)
  • false
Whether recovery should be executed.
processVariableIf recoverCerts = true

Example value:

  • Certificate_CoreObjects
Process variable containing the core object ID (or list of IDs) or core object descriptor list of the certificates to recover. 
recoveryTemplate-

Example value:

  • Revocery
Certificate template used for recovery. Not necessary for some CAs.
requestCert

Valid values:

  • true (default)
  • false
Whether a new certificate should be requested (Plain request).
certTemplateIf requestCert = true

Example value:

  • MyCertTemplate
Certificate template used for requesting the new certificate.
includeChain-

Valid values:

  • true (default)
  • false
If present and set to false, the certificate chain is skipped and only end-entity certificates will be included.
keyArchival

Valid values:

  • true (default)
  • false
Whether the created key are archived in the CA.
mailDefinitionName-

Example value:

  • MyMailDefinition
If empty, no mail is sent.
encryptionCertificates-


The core object descriptor list of the certificates used for email encryption.
p12RefField-

Example value:

  • Person_Softtoken
Field to store PKCS#12 container in Base64 encoding.
errorMessageField

Example value:

  • ErrorMessage
Field to store the human readable message in case of error.
errorTypeField

Example value:

  • ErrorType
Field to store error type (ERROR, CA_ERROR or MAIL_ERROR).
certsToRevokeField

Example value:

  • CertsToRevoke
In case of error, the newly created certificates are stored as list of core object ids. These certificates can in turn be revoked by the process if desired.
p12EncryptionAlgo-

Valid values:

  • PBE with SHA-1 and 3-key triple DES with CBC (OID: 1.2.840.113549.1.12.1.3)
  • AES 256 with CBC (OID: 2.16.840.1.101.3.4.1.42)

Default value:

  • AES 256 with CBC (OID: 2.16.840.1.101.3.4.1.42)
The encryption algorithm to use for the PKCS#12 keystore.
p12EncryptionIterations-

Default value:

  • 100000
The encryption iterations
p12PseudoRandomFunction-

Valid values:

  • HMac with SHA-1 (OID: 1.2.840.113549.2.7)
    HMac with SHA-256 (OID: 1.2.840.113549.2.9)

Default value:

  • HMac with SHA-256 (OID: 1.2.840.113549.2.9)
The PRF to use for the PKCS#12 keystore
p12HashAlgo-

Valid values:

  • SHA-1 (OID: 1.3.14.3.2.26)
  • SHA-256 (OID: 2.16.840.1.101.3.4.2.1)

Default value:

  • SHA-256 (OID: 2.16.840.1.101.3.4.2.1)
The hashing (MAC) algorithm to use for the PKCS#12 keystore
p12HashIterations-

Default value:

  • 100000
The hashing (MAC) iterations

Description

Use this task to update the certificate state against the certificate CRL distribution point. This task takes the CoreObjectDescriptor list for the Certificate object and updates each certificate state based upon the provided CRL distribution points. 

Configuration

To use this task, configure the following delegate expression in your service task:

${updateCertificateStateFromCRLTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
coreObjectDescriptorList

Example value (resolved from variable):

  • ${Certificate_CoreObjectDescriptors}
Core object descriptor list of the Certificate Object.

Revocation State Mapping

Revocation reasons must be configured in Identity Manager Operator before using this feature. Transitions must be aligned with the certificate state graph. Identity Manager validates the transition for each CRL entry based upon specified system property mapping and state graph.

Follow these steps in Identity Manager Operator to open the revocation reason mapping settings:

  1. Go to the ADMIN tab.
  2. Select Configure system properties.
  3. Select CA Revocation Reason Mapping

This configuration is tenant-specific, but not stategraph-specific! It is highly recommended to use a common state graph for all certificate configs within one tenant.

Keep your certificate state graph as simple as possible to avoid ambiguities, as you can map from multiple IDM states to the same revocation reason, but for the reverse mapping of revocation reason to IDM state you have to pick a single value.

For example, if you have both inactive and locked as IDM states and they both map to the revocation reason unspecified, then you have to decide whether an incoming CRL entry with reason unspecified shall set the IDM state to inactive or locked.
In such a case it is best to consolidate to a single IDM state per relevant revocation reason.

Example:

Revocation statePossible IDM Certificate state Mapping
Certificate or key compromisedinactive
Temporary revokedtemporary.inactive
Certificate supersededinactive
Reason not specifiedinactive
Remove certificate from listactive
Certification Authority compromisedinactive
 Information about certificate has changedinactive
Certificate is no longer usedinactive
Right withdrawninactive

Description

Use this task to revoke an existing certificate. This task needs to be executed on a Certificate object or with Certificate data available in the process map.

Configuration

To use this task, configure the following delegate expression in your service task:

${revokeCertificateTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription

certificateDataPool

Example value (fixed):

  • Certificate

Example value (resolved from variable):

  • ${certDataPool}
Certificate data pool name. Default Certificate data pool is "Certificate".

targetState

Example value (fixed):

  • Temporary Inactive

Example value (resolved from variable):

  • ${certState}

Target state of certificate

Description

Use this task to trigger a republishing or unpublishing action for a specific PGP certificate on Smart ID Certificate Manager (CM), based on the configured publication procedure.

PGP publication requires either CM 7.18.0 with hotfix 7.18.0.2 applied, CM 7.18.1 with hotfix 7.18.1.1 applied or any later version. Officially supported in PRIME 3.10.

Configuration

To use this task, configure the following delegate expression in your service task:

${pgpCertificatesPublicationTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
publicationProcedure

CertEP CA Certificate to AD (Enrollment Services)Publication- or unpublication procedure defined on Smart ID Certificate Manager (CM).
serialnumberField

Certificate_CertSerial

Name of the field containing the serial number in the datamap. This is the subject serial number which Identity Manager assigns when requesting a PGP certificate. It is stored in place of an X509 certificate serial number in the Identity Manager certificate object.

DataPoolName_Certificate

CertificateDatapool name of certificate.

Description

Use this task to check against Online Certificate Status Protocol (OCSP)/Certificate Revocation Lists (CRL) that a certificate is valid. OCSP and/or CRL information must be included in a valid certificate. For OCSP, the issuer must be trusted by Identity Manager Operator.

Configuration

To use this task, configure the following delegate expression in your service task:

${checkX509ValidityTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription

certificateBinary

Example value:

  • Certificate_Data

Field of the datamap where the certificates binary is placed.

isValidityConfirmed

Example value:

  • isValidityConfirmed

Name of the field where the result is written into the datamap.

Possible values:

  • true (Certificate validity confirmed)
  • false (Certificate validity not confirmed)

revocationDate


Example value:

  • revocationDate
Name of the field where the revocation date is written into the datamap if the certificate is revoked.

resultInfo


Example value:

  • resultInfo

Name of the field where the message from the validation result is written into the datamap.

The resultInfo can contain the following content:

  • The certificate is valid.

  • The certificate is revoked.
  • The certificate is invalid or could not be validated.

resultInfoOCSP


Example value:

  • resultInfoOCSP

Name of the field where the message from the validation result of the OCSP is written into the datamap (if available).

The resultInfoOCSP can contain the following content: 

  • OCSP_NO_AUTHORITY_INFO_ACCESS: No responder URI in the certificate.

  • OCSP_RESPONDER_UNREACHABLE: The OCSP responder is offline.

  • OCSP_CERTIFICATE_TO_BE_CHECKED_INVALID: CA or entity certificate is broken.
  • OCSP_INVALID_URL: The OCSP URL is invalid.
  • OCSP_INVALID_ANSWER: The OCSP response is broken.
  • CERT_STATUS_REVOKED: The certificate is revoked.
  • CERT_STATUS_UNKNOWN: The certificate is unknown.

resultInfoCRL


Example values:

  • resultInfoCRL

Name of the field where the message from the validation result of the CRL is written into the datamap (if available).

The resultInfoCRL can contain the following content: 

  • CERT_ERROR_CRLLOCATION: Could not fetch or create CRL from the given location.
  • CERT_REVOKED: The CRL check resulted in a revoked certificate.
  • CRL_ERROR_VERIFICATION: The CRL signature could not be verified because of a broken truststore.
  • CRL_UNTRUSTED: The CRL is untrusted.
  • CRL_ERROR_VERIFICATION: An exception was thrown while trying to verify the CRL signature.
  • CRL_COULD_NOT_BE_FETCHED_FROM_CDP_URI: The CRL could not be fetched from CDP URI.

Cert QuoVadis PKI


Description

Use this task to create a new domain request in the QuoVadis Certificate Authority. It is saved as a request core-object in a dedicated data-pool.

Prerequisites

Data-pool

  1. The data-pool must have the fields shown below. Pay special attention to the name of the Meta_CoreObjectState_-field which needs to end with the matching data-pool name:
  2. Note the field TransactionId which is used to store a UUID assigned by QuoVadis to each domain request. It is required to later query the status of the request.
    Usually the internal Requests table is used as data-source as shown below:

State-graph

  1. The state-graph must contain at least the following states: pending/approved/rejected (case-insensitive), with transitions from pending to both approved and rejected.
  2. If you want to disambiguate requests that did not yet have their state queried at the CA from those which are pending according to the CA, then add a start state sent before pending, as shown below, but this is optional (pending will be the start state when not using sent).

Request core-template

  1. You need a request core-template which uses the above data-pool and state-graph definitions:

Search-configuration (optional)

  1. Optionally you may configure a search-configuration for your request core-objects, for example, like this:

Configuration

To use this task, configure the following delegate expression in your service task:

${quoVadisRequestDomainParametrizedTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
quoVadisConnection

Example value:

  • MyQvConnectorConfig
QuoVadis connection name.
organisation

Example value:

  • My QV Organisation
QuoVadis organisation name.
adminEmail

Example value:

  • qvadmin@mycompany.com
QuoVadis administrator e-mail address.
domain

Example value:

  • my.new.domain.com
Domain or IP-address for which to issue the request.
isEV

Valid values:

  • true
  • false
Whether you want to use extended validation with this domain.
requestTemplate

Example value:

  • QvDomainRequest
The core template name which should be used for the new QuoVadis domain request core objects.
errorMsgField

ErrorMsgThe name of the field in which to save the error message for errors that happen during CA request or when saving of the core-object.
If no such error happened, then this field is not set.
errorCodeField

ErrorCodeThe name of the field in which to save the error code for errors that happen during CA request or when saving of the core-object.
This can be either of the following:
  • caRequestFailed
    → could not issue the domain request at the CA
  • saveFailed
    → domain request was successful, but creating the request core-object failed

If no such error happened, then this field is not set.

Description

Use this task to query the status of a QuoVadis domain request in the Certificate Authority and update the state of the request core-object in Identity Manager accordingly.
This task requires a QuoVadis domain request core-object to be loaded into the process map before execution.

The QuoVadis API does not allow any other kind of interaction with a created domain request besides querying its status. For example, to cancel a request is not supported.

Prerequisites

The prerequisites of the Cert QuoVadis PKI: Create domain request task above also apply here.

Configuration

To use this task, configure the following delegate expression in your service task:

${quoVadisUpdateDomainRequestStatusParametrizedTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
quoVadisConnection

Example value:

  • MyQvConnectorConfig
QuoVadis connection name.
organisation

Example value:

  • My QV Organisation
QuoVadis organisation name.
requestDataPool

Example value:

  • DpQuoVadisDomainRequest
Data-pool for QuoVadis domain requests.
errorMsgField

ErrorMsgThe name of the field in which to save the error message for errors that happen during CA request or when saving of the core-object.
If no such error happened, then this field is not set.
errorCodeField

ErrorCodeThe name of the field in which to save the error code for errors that happen during CA request or when saving of the core-object.
This can be either of the following:
  • caRequestFailed
    → could not query the domain request status at the CA
  • saveFailed
    → querying the request status was successful, but could not update the state of the request core-object

If no such error happened, then this field is not set.

Description

Use this task to save account domain list from QuoVadis Certificate Authority into Identity Manager lookup table. This task deletes the old domain list entry and creates a fresh entry in the configured lookup table.

Prerequisites

Create a lookup table-based datapool and core template name for storing the domain list information into Identity Manager.

Datapool

  1. The datapool must have the fields with the described names as shown in this figure. This field names are fixed and taken from DomainInfo response.

  2. Configure the datapool datasource as lookup table as shown in this figure:

       

Lookup table

  1. Create a lookup table which belongs to the Domain data pool. Any state graph can be assigned to this lookup table. 

       

Configuration

To use this task, configure the following delegate expression in your service task:

${quoVadisDomainListUpdateParametrizedTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
quoVadisConnection


QuoVadis connection name.
coreTemplateName


The core template name which should be used for the new core objects. This core template should consist of lookup table type DomainList Datapool.

Core Objects


Description

Use this task to check if a relation between two core objects exists. The names of both data pools have to be provided. The direction of the relation is not relevant, meaning that source and destination may be exchanged.

Configuration

To use this task, configure the following delegate expression in your service task:

${checkObjectRelationParametrizedTask}


The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
sourceDataPoolName


The name of the source data pool that is used to check the relation with the destination data pool.

destinationDataPoolName


The name of the destination data pool that is used to check the relation with the source data pool.
resultVariable

Valid values:

  • true
  • false

The name of the field indicating if a relation between the source and destination data pool exists. Contains either a "true" or "false" value.

"True" means that the objects are related to each other. "False" means that there is no relation between them.

Description

Use this task to create a relation between two core objects.

Object Relations tab

In this tab you manage the object relation types. A default entry is already set per tenant. Exactly one configuration must be the default configuration which is used when saving data, see Set up process in Identity Manager, the Save Data task.

Include these two fields in an object relations configuration:

  • Name: name of the object relation type
  • Default: determines if this configuration should be the default configuration

Configuration

To use this task, configure the following delegate expression in your service task:

${createRelationParametrizedJavaDelegate}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription

source


Data pool name of the source of the relation, which has to be created. The core template name of this data pool will be saved in the database.

destination


Data pool name of the target of the relation, which has to be created. The core template name of this data pool will be saved in the database.

includeRelationTypeToCompareOfObjects

Valid values:

  • true
  • false (default at design time) 

Flag indicating if the relation type should be included when searching if the relation already exists. If you want to create multiple relations of different types between two core objects this parameter has to be set to true.

Example: A relation Card → Certificate already exists in the database with the relation type "OldRelation"

Use case 1

  1. Input:
    1. includeRelationTypeToCompareOfObjects = true
    2. Relation type = "NewRelation"
  2. Expected output:
    1. New relationship (relation type - "NewRelation") added for the relation Card → Certificate

Use case 2

  1. Input:
    1. includeRelationTypeToCompareOfObjects = false
    2. Relation type = "NewRelation"
  2. Expected output:
    1. No changes as a relation is already found.

exceptionIsThrownIfRelationAlreadyExists

Valid values:

  • true (default at design time)
  • false

Flag indicating how the application reacts if the relation already exists. If set to "true" then throw Exception, else do nothing.

relationType

Default
Type of the relation. The object relation type must exist or an exception is thrown.

Description

Use this task to remove existing relations between objects. The removal applies for all relations between one specific object and either:

  • a single second object, or
  • all other objects belonging to the named Data Pool
  • all other objects belonging to the named template.

Furthermore, it is independently possible to restrict the removal to relations of a specific type.

Example: An employee started working with a replacement card. Later he or she receives an employee card. The connection to the reusable replacement card can then be removed.

  • Single: Both objects must be loaded into the process map before the relation can be dropped.
  • Either secondDataPoolName, secondDataPoolNameDropAll, or coreTemplateName must be provided. Only one of them is allowed. The ones that are not used must be deleted.

Configuration

To use this task, configure the following delegate expression in your service task: 

${dropRelationsParametrizedTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription

dataPoolName


Data pool name of the object whose relation shall be removed.

secondDataPoolName-


(warning) Only one of these three parameters is allowed to be filled!

Single Drop: Data pool name of the second single object. This object has to be available inside the Process Map.
secondDataPoolNameDropAll-Data pool Drop: Name of a Data pool. Relations to all objects belonging to this data pool are removed.
coreTemplateName-Core Template Drop: Name of a Core template. Relations to all objects belonging to this template are removed.

objectType



Deprecated. This parameter has the same meaning as coreTemplateName and is only provided for downgrade compatibility.

relationType-
When configured, only relations of the specified type are removed.

Description

Use this task to find core objects (for example, soft tokens), that will expire within a given time range.

Configuration

To use this task, configure the following delegate expression in your service task:

${coreObjectExpiryCheckParameterizedTask}

 The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription

coreTemplateNameList


Comma separated list of core template names that shall be the base of the search.
fieldName

Example value:

  • ValidTo
Name of the data pool field that indicates the expiration date, for example, ValidTo. The data pool must belong to the core template(s) mentioned above.
offsetInDays

Example value:

  • 30 (see also the description to the right)

The offset in days before the related core objects expire.

The base is the field specified by fieldName, for example ValidTo. If you provide a value for offsetInDays, then logically it is

ValidTo - offsetInDays = dateToFindSofttoken

  • If dateToFindSofttokens is still in the future compared to the currentDate, then the soft token will not be found.
  • If dateToFindSofttokens is equal to the current date or if it is in the past, then the soft tokens will be found.

Example:

Expiry date of a soft token is 31st March 2017. If the offsetInDays is set to 30, the service task will only find the soft token with the beginning of 1st March 2017.

coreObjectIdListVariableName-

Example value:

  • PcmDpCertificate_Coreobjects
  • CoreObject_Ids

Name of the variable containing the core objects that were found during the search. It contains only the core object ids.

Meta_CoreObjectState_Field

Example values:

  • Meta_CoreObjectState_PstmDpCertificate
  • Meta_CoreObjectState_BaseDpEmployee

Name of the data pool field that indicates the state of the core object. The data pool must belong to the core template(s) mentioned above.

Meta_CoreObjectState_Value

Example values:

  • issued
  • active
  • etc.

The actual state that shall be used for filtering the search.

Credentials


Description 

Use this task to generate a response using the card manager key and a challenge for the offline unblocking process.

Configuration

To use this task, configure the following delegate expression in your service task:

${challengeResponseGeneratorTask}

 The following parameter can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
CardManagerKeyField

Example value:

  • Card_CardManagerKey
The name of the field that needs to hold the reference value to the card manager key (for example, Card_CardManagerKey). Must be a reference field.
ChallengeField

Example value:

  • "CV act sc interface manager" in case of Cryptovision
The challenge provided by Windows or a 3rd party tool.
ResponseField


The response is generated by this task to support unblocking.
DisableDerivation-

Valid values:

  • true
  • false

Set to "true" if you want to use the CardManagerKey directly as challenge/response key instead of deriving one.

This is relevant for non-Cryptovision middlewares (for example, CardOS or Gemalto), where we directly use a 3DES CardManagerKey instead of a 2DES key from which the actual challenge/response key is derived.

If the field is absent, derivation is enabled and a 2DES CardManagerKey is expected.

DisableDerivationField-

If present, points to a field containing the (override) value of DisableDerivation.

If both DisableDerivation and DisableDerivationField are present and the referenced field contains a value, the latter takes precedence. This is mainly intended for deployments that deal with multiple middlewares, which require different DisableDerivation values (for example CV + CardOS).

The following dependencies must be configured in the Spring configuration:

DependencyDescription

secretFieldsArchiver

Responsible for archiving the secrets into the secret field store.

Description 

Use this task to generate a 2DES / 3DES key as card manager key for minidriver compatible cards. The value generated is saved in an encrypted field.

Configuration

To use this task, configure the following delegate expression in your service task:

${cardManagerKeyProviderTask}

 The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
passwordFieldName

Example value:

  • Card_CardManagerKey
The name of the field that should hold the reference value to the card manager key (for example, Card_CardManagerKey). Must be a reference field.
blockCount-

Valid values:

  • 2 (default)
  • 3
Desired key length in blocks of 8 bytes. By default 2DES keys (2 blocks, 16 bytes) are generated.
If you generate keys for CardOS or Gemalto, set the parameter to 3 so 3DES keys (3 blocks, 24 bytes) are generated instead.
This distinction is needed since for Cryptovision, multiple keys are derived, including the challenge/response key from a 2DES key.
For CardOS and Gemalto the challenge/response key is generated directly, and the key needs to be 3DES.
blockCountFieldName-
If given, it points to a field containing the (override) value of blockCount.
If both blockCount and blockCountFieldName are present and the referenced field contains a value, the latter takes precedence.
This is mainly intended for deployments that deal with multiple middlewares which require different blockCount values (for example, CV + CardOS).

The following dependencies must be configured in the Spring configuration:

DependencyDescription
secretRefValueGeneratorResponsible for generating the reference value that is used to keep the reference to the secret value in the secret field store.

secretFieldsArchiver

Responsible for archiving the secrets into the secret field store.

Description

Use this task to generate a value for PIN and PUK according to certain rules (length, allowed characters) and to archive those values for later retrieval during card production or for PIN letter printing.

Configuration

To use this task, configure the following delegate expression in your service task:

${generateAndArchivePinAndPukParameterizedTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
pinFieldName


The name of the field that shall hold the reference value to the archived PIN.
pukFieldName


The name of the field that shall hold the reference value to the archived PUK.
pinLength-

Example value:

  • 4
The desired length of the PIN.
pukLength

Example value:

  • 8
The desired length of the PUK.
pinAllowedCharacters

Valid values:

  • 0123456789
Describes the characters to be used for generating the PIN value.
pukAllowedCharacters-

Valid values:

  • 0123456789
Describes the characters to be used for generating the PUK value.

Description

Use this task to generate a password or another secret and to archive the value for later retrieval during card production or for PIN letter printing. The secret value is also hashed and stored in a separate field for easier comparison. The hash algorithm is defined in Spring since it must be the same as the one that is used for checking the passwords during login.

Configuration

To use this task, configure the following delegate expression in your service task:

${generateAndArchivePasswordWithMaxLengthAndAllowedCharactersTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
passwordFieldName-
The name of the field that should hold the reference value to the archived password. Must be a reference field.

passwordHashFieldName

-
The name of the field that should hold the hashed value of the password. The hash algorithm is defined in Spring. The data pool field must be of type password
passwordLength

Example value:

  • 8
The desired length of the generated password.
passwordAllowedCharacters

Valid values:

  • 0123456789
Describes the characters to be used for generating the password value.

The following dependencies must be configured in Spring:

DependencyDescription
passwordHashGeneratorThe generator that is responsible for generating the hash value of the secret value. This is the place to define the hash algorithm.

secretRefValueGenerator

Responsible for generating the reference value that is used to keep the reference to the secret value in the secret field store.

secretFieldsArchiver

Responsible for archiving the secrets into the secret field store.

Description

Use this task to decrypt values that were encrypted using the INSIDE server.

Configuration

To use this task, configure the following delegate expression in your service task:

${decryptFieldsUsingInsideMiParameterizedTask}

The following parameters can be configured in Identity Manager Admin:

Parameter nameMandatoryValueDescription

encryptKeyLabel

Example value:

  • KTEXCHANGE

The value represent a key label that is present in the HSM.

padding

Valid values:

  • PAD_NULL
  • PAD_ISO9797_1
  • PAD_ISO9797_2

Padding scheme to be used.

iv

Default value:

  • 00000000
Initialization Vector, value must be a multiple of 8.
<Processmap_Field>-
Allowed multiple times for each field of the processmap that should be decrypted. The field should contain a secret reference. After decryption the value for the reference will be updated if successful.
aleaPin

 

Value:

  • JUEL expression

Example value:

  • ${PcmDpEmployeeCard_aleaPin}

PIN used in the decryption workflow in order to get the correct plain values for PIN and PUK. 

The corresponding value is a JUEL expression consisting of DataPool (for example PcmDpEmployeeCard) followed by the field name of aleaPin (for example aleaPin). 

Digital Access (Hybrid Access Gateway)


Description

Use this task to provision a user to Smart ID Digital Access component The task consists of two phases:

  • In the first phase the user will be created or updated. This will always be done.

    If you do not set a validFrom field, the user always gets the current date as a valid from value in Digital Access.

  • The second phase is about locking or unlocking the user:
    1. If the current state of the CoreObject matches a state in the lockedStates configuration, the user will be locked.
      • If Smart ID Mobile App (Personal Mobile)is configured, all Smart ID Mobile App profiles that the user has will be deleted.

        Deletion of authentication methods SYNC and OATH are not implemented yet.


    2. If the current state of the CoreObject matches a state in the unlockedStates configuration, the user will be unlocked.
      • If Smart ID Mobile App is configured, the binary array of the barcode image (jpg) will be available in "personalimage". If unlocking of the user failed, the processmap will not contain the barcode.
      • If OATH is configured, the binary array of the barcode image (jpg) will be available in "oathActivationBarcode". If unlocking the user failed, the processmap will not contain the barcode.
      • If SYNC is configured, SYNC will be activated on Digital Access.

Configuration

To use this task, configure the following delegate expression in your service task:

${provisionUserToHagParameterizedTask}

The following parameters can be configured in PRIME Designer:

 ParameterMandatoryValueDescription

coreTemplateName

Example value:

  • Employee
The name of the coreTemplate from which the current coreObject state shall be retrieved.
challengePin-

Example value:

  • 111111 (default)
The default PIN for synchronized authentication of the user in Digital Access.
emailField-

Example value:

  • Employee_Email
The name of the datamap field which contains the email of the user.
hagUrl

Example value:

  • https://xpiimport.nexusgroup.com:4443/
URL of Digital Access system.
locationDNField-
The datamap field which contains the ldap dn to the desired user. If this is set the user will be connected to LDAP in Digital Access as well.
lockedStates

Example value:

  • "disabled,blacklisted,arrested"
A comma separated list of states from the stategraph of the user which mean "locked" in Digital Access.
unlockedStates

Example value:

  • "active"
A comma separated list of states from the stategraph of the user which mean "unlocked" in Digital Access.
userEnabledPerDefault-

Valid values:

  • true (default)
  • false
If set to "true" the user will automatically be enabled in Digital Access. If not set it is handled as "true".
userNameField

Example value:

  • Employee_LastName
The datamap field which contains the user name that shall be provisioned to Digital Access.
smsNumberField-

Example value:

  • Employee_SmsNumber
The datamap field which contains the phone/sms number of the user.
validFromField-

Example value:

  • Employee_ValidFrom
The datamap field which contains the validFrom information. If it's not set or the value of the field is null the current Date will be used as this is a mandatory parameter in Digital Access.
validToField-

Example value:

  • Employee_ValidTo
The datamap field which contains the validTo information.

authenticationMethods

-

Valid values:

  • Empty string (default)
  • SYNC
  • PM
  • OATH

The authentication methods which will be provided to Digital Access. Allowed are empty string (default), SYNC (= SYNChronized Authentication), PM (= Personal Mobile, that is, Smart ID Mobile App) and OATH (= Open AuTHentication).

Only one authentication method can be selected.

  • If an empty string is configured, a user account will be created without an authentication method.
  • If PM is configured, the barcode Image (jpg) from the Digital Access response will be put to the process map with the fixed key "personalimage". If the creation fails, the field in the process map is not touched.
  • If OATH is configured, the barcode Image (jpg) from the Digital Access response will be put to the process map with the fixed key "oathActivationBarcode". If the creation fails, the field in the process map is not touched.
pmStatus

-

Valid values:

  • Empty string (default)
  • activate

  • deactivate

What status Personal Mobile, that is, Smart ID Mobile App, should get. If an invalid status is configured, the status in PM is not changed.

This parameter is only mandatory if the authentication method is configured as PM. Otherwise it can remain empty.

OATHProvider-

Example values:

  • Empty string (default)
  • Predefined_hotp_HmacSHA1
  • Predefined_hotp_HmacSHA256
  • Predefined_hotp_HmacSHA512
  • Predefined_totp_HmacSHA1
  • Predefined_totp_HmacSHA256
  • Predefined_totp_HmacSHA512

The providers are configured in the Digital Access system. To find out which providers are configured on your Digital Access system, go to Digital Access Admin > Manage System > OATH Configuration > Manage OATH Providers.

For more info, see: Set up OATH tokens in Digital Access.

This parameter is only mandatory if the authentication method is configured as OATH. Otherwise it can remain empty.

Login


Description

Use this task to finalize a process that is going to be used as a post-login process.

Execute the service task at the end of a post-login process in order to mark the post-login process as successfully finished. It will not work without this. Do not use this task outside a post-login process.

Calling this task more than once within a post-login process will result in a failure.

Configuration

There are no parameters to configure.

Description

Use this task to search for a core object and create an AuthenticatedUser which is passed to the datamap with the key "AuthenticatedUser".

Configuration

To use this task, configure the following delegate expression in your service task:

${findAndAuthenticateCoreObjectParameterizedDelegate}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
principalFieldName

Example value:

  • Email
The field name of the unique identifier of the CoreObject.
coreTemplateNames

Example value:

  • "Person,Employee,CleanupPerson"
The CoreTemplate names in which the CoreObject shall be searched for. The search starts with the first name in the list.

The task can be defined as follows:

Spring configuration
    <bean name="findAndAuthenticateCoreObjectParameterizedAction" class="de.vps.act.action.login.FindAndAuthenticateCoreObjectParameterizedAction">
        <property name="coreObjectSearchManager" ref="coreObjectSearchManager"/>
        <property name="authenticationProvider" ref="userPasswordCoreObjectAuthenticationProvider" />
        <property name="authProfileProvider" ref="authProfileProvider" />
        <property name="dataPoolProvider" ref="dataPoolProvider" />
        <property name="coreTemplateProvider" ref="coreTemplateProvider" />
    </bean>

    <bean id="findAndAuthenticateCoreObjectParameterizedDelegate" class="de.vps.act.processexecution.delegation.TaskParametrizedActionBasedJavaDelegate">
        <property name="taskParameterExtractor" ref="taskParameterExtractor" />
        <property name="action" ref="findAndAuthenticateCoreObjectParameterizedAction" />
    </bean>

PACS


Description

Use this task to assign an entitlement to a person.

The task works on three different core objects:

  • The 'Person'. This is the identity which gets an entitlement assigned.
  • The 'Entitlement'. This is an entity in Identity Manager which represents an entitlement (or 'access profile') at the PACS system.
  • The 'Assignment'. This is an entity that stores properties of the assignment request and attributes returned from the PACS system (like the external id). Usually an 'Assignment' will be stored as Request.

Configuration

To use this task, configure the following delegate expression in your service task:

${pacsAssignEntitlementParametrizedTask}

The following parameters can be configured in Identity Manager Admin: 

 ParameterMandatoryValueDescription
pacsName


The name of the PACS system to communicate with.
entitlementAssignmentDataPoolName

Example value:

  • Request
The name of the data pool for core objects, that stores the assignment, for example, 'Request'.
entitlementAssignmentExternalIdFieldName

Example value:

  • ExternalId

The field name of the above data pool, where the external id of the assignment is stored, for example, 'ExternalId'.

targetEntity

Example values:

  • 'person' or 'PERSON' (for a person)
  • other values (for an access rule)

The assignment is done on either a person or an access rule. By providing values such as 'person' or 'PERSON' (all letter are handled as lower case) the assignment is done on the person entity. By providing any other values, the assignment is done on the access rule.

relatedEntitlementsCoreObjectDescriptorList



Contains a list of entitlements related to the entitlement to be assigned. Mostly used to associate a room with a time zone.

Description

Use this task to create a group membership in Smart ID Physical Access component. Group membership means, assigning an existing person to an existing group.

The task works on three different core objects:

  • The 'Person'. This is the identity which gets a group assigned.
  • The 'Group'. This is an entity in Identity Manager which represents an group at the PACS system.
  • The 'Membership'. This is an entity that stores properties of the membership request and attributes returned from the PACS system (like the external id).

Configuration

To use this task, configure the following delegate expression in your service task:

${pacsCreateGroupMembershipParametrizedTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
pacsName


The name of the PACS system to communicate with.

groupMembershipDataPoolName

Example value:

  • Request
The name of the data pool for core objects, that stores the group membership.
groupMembershipExternalIdFieldName

Example value:

  • ExternalId

The field name of the above data pool, where the external id of the membership is stored.

Description 

Use this task to send a request to PACS to create (if non existent) or to update (if exists) a card.

Configuration

To use this task, configure the following delegate expression in your service task:

${pacsCreateOrUpdateCardParametrizedTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription

pacsName


The name of the PACS system to communicate with.

cardStateFieldName

Example value:

  • Meta_CoreObjectState_PcmDpEmployeeCard
The card data pool field name where Identity Manager stores the state of the person.

cardActiveStates

Example value:

  • 'active,enabled'
A comma separated list of supported active card states in Identity Manager.
cardType-

Valid values:

  • 'mifare'
  • 'em'
Optional. The type of a card. Physical Access component accepts two types: 'mifare' and 'em'.

Description

Use this action to send a request to PACS to create (if non existent) or to update (if exists) a person.

Configuration

To use this task, configure the following delegate expression in your service task:

${pacsCreateOrUpdatePersonParametrizedTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription

pacsName


The name of the PACS system to communicate with.

personStateFieldName

Example value:

  • Meta_CoreObjectState_BaseDpEmployee
The person data pool field name where Identity Manager stores the state of the person.

personStates

Example value:

  • 'active,enabled'
A comma separated list of supported active person states in Identity Manager.

Description

Use this action to fetch entitlements of a given type or several types from a PACS system. Currently supported: Physical Access component. The fetched entitlements are stored as core objects.

Configuration

To use this task, configure the following delegate expression in your service task:

${pacsFetchEntitlementsParametrizedTask}

 The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
coreTemplateName


The name of the core template in which the entitlements shall be stored.
entitlementTypesField-

Example value:

  • Request

The name of the data pool for core objects, that store the assignment with the external id.

listOfEntitlementTypes-

Valid values:

  • DEFAULT
  • ZP
  • ZPC
  • RZ_TZ
  • DG_TZ
  • D_TZ

Zero or more comma separated values from the list: DEFAULT, ZP, ZPC, RZ_TZ, DG_TZ, D_TZ

coreObjectDescriptorOutputField-
List of the core objects that were saved into the database. In this service task, the list contains entitlement objects, since the task saves entitlements into the database.

Description

Use this task to send a request to PACS to create (if non existent), update (if exists) and delete (if exists) a group.

Configuration

To use this task, configure the following delegate expression in your service task:

${pacsDealWithGroupParametrizedTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
pacsName


The name of the core template in which the entitlements shall be stored.
deleteFlag

Valid values:

  • true
  • false
Flag for indicating whether the group should be created/updated (false) or if the group should be deleted (true).

Description

Use this task to send a request to PACS to create (if non existent), update (if exists) and delete (if exists) an access rule.

Configuration

To use this task, configure the following delegate expression in your service task:

${pacsDealWithAccessRuleParametrizedTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
pacsName


The name of the PACS system to communicate with.
deleteFlag

Valid values:

  • true
  • false
Flag for indicating whether the access rule should be created/updated (false) or if the access rule should be deleted (true).

Description

Use this task to withdraw an entitlement from a person.

  • For Physical Access component there has to be a Request with the entitlement assignment id in the process map.

The task works only on the core object 'Assignment'. This is an entity that stores the external id of the EntitlementAssignment within Physical Access component. Usually a Request is used to hold this information.

Configuration

To use this task, configure the following delegate expression in your service task:

${pacsWithdrawEntitlementParametrizedTask}

The following parameters can be configured in Identity Manager Admin: 

 ParameterMandatoryValueDescription
pacsName


The name of the PACS system to communicate with.
entitlementAssignmentDataPoolName

Example value:

  • Request
The name of the data pool for core objects, that store the assignment with the external id.
entitlementAssignmentExternalIdFieldName

Example value:

  • ExternalId

The field name of the above data pool, where the external id of the assignment is stored.

targetEntity

Example values:

  • 'person' or 'PERSON' (for a person)
  • other values (for an access rule)

The withdrawal is done on either a person or an access rule. By providing values such as 'person' or 'PERSON' (all letter are handled as lower case) the withdrawal is done on the person entity. By providing any other values, the withdrawal is done on the access rule.

Description

Use this task to withdraw a group membership in Physical Access component.

Configuration

To use this task, configure the following delegate expression in your service task. There has to be a Request with the group membership id in the process map.

${pacsWithdrawGroupMembershipParametrizedTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
pacsName


The name of the PACS system to communicate with.

groupMembershipDataPoolName

Example value:

  • Request
The name of the data pool for core objects, that stores the group membership.
groupMembershipExternalIdFieldName

Example value:

  • ExternalId

The field name of the above data pool, where the external id of the membership is stored.

Process


Description

Use this task to run a search configuration and trigger an ErrorBoundaryEvent with error code "uniquenessTestFailed" if a uniqueness criteria is not met. The event might cause a different process flow.

Configuration

To use this task, configure the following delegate expression in your service task:

${assertUniquenessParameterizedTask}

 The following parameters can be configured in Identity Manager Admin:

 ParameterMandatoryValueDescription
searchConfigName


Defines the search configuration that should be used to count objects.

During process execution the user must have the permission to execute the search configuration. It is possible to use a search configuration that searches over multiple levels.

minCount-

The minimum number of objects that should be found.

If the search finds less than minCount objects, the action will trigger an ErrorBoundaryEvent with error code "uniquenessTestFailed". Although neither minCount nor maxCount are mandatory, at least one of them must be specified.

maxCount-

The maximum number of objects that should be found.

If the search finds more than maxCount objects, the action will trigger an ErrorBoundaryEvent with error code "uniquenessTestFailed". Although neither minCount nor maxCount are mandatory, at least one of them must be specified.

resultVariableName-

resultCount (used if nothing is specified)

Specifies where the number of found objects will be stored in the data map. 

The value is stored whether the condition is met or not. If no resultVariableName is specified, 'resultCount' is used as a default name.

<Datapool_Field>-

For configuring search fields, add a parameter for each search field. The name of the parameter should be the full name of the datapool field. The value has to contain the filter condition and value, separated by a colon symbol.

For example:

EQUALS:${Person_PersonnelNumber}
GREATER_THAN:${now}
CONTAINS:st

If the underlying data source of the search configuration does not allow to query just the number of result objects, only as less objects as possible are fetched, but enough to find violations of minCount or maxCount. If the number of found objects equals to the upper limit, that was searched for, it is not possible to decide whether there are more objects. In such cases a hint is logged in debug mode:

"The search has been restricted to 2 object(s) for performance reasons, but there might exist more objects".

Description

Use this task to load pack binary data objects into a ZIP file. A CoreObjectDescriptor is needed (loaded in a service task before) to have a list with core objects which contain the binary data fields. Different binaries belonging to one core object can be packed together into one ZIP file (for example photo and signature). Reference-fields can also be added into zip, if they represent a binaryData (like softtoken).

Configuration

To use this task, configure the following delegate expression in your service task:

 ${buildZipFileFromBinariesParameterizedTask}

The following parameters can be configured in Identity Manager Admin:

 ParameterMandatoryValueDescription
resultVariableNameZipFile

Fieldname in the datamap where the builded zipFile is written to.
resultVariableNameZipName-
Fieldname in the datamap where the name of the zipFile is written to.
zipfileName
  
Example value:
  • ${Person_LastName}_${Person_FirstName}_Binaries.zip
How the zipFile shall be named. fileExtension like '.zip' is needed.
coreObjectDescriptorList


coreObjectDescriptor which contains a list of CoreObjects with binaryData
<name of the zipFile-Entry>

 (minimum 1)

<name of binaryField to save into zipFIle>

Example value:

  • ${Person_LastName}_${Person_FirstName}_Photo.jpg
    ← Person_Photo
  • ${Person_LastName}_${Person_FirstName}_Softtoken.p12
    ← Person_Softtoken
  • Additional parameter, added with "+"
  • Combination zipEntryName ← BinaryFieldName

Description

Use this task to copy information about the currently logged in user to the process data map. Since the parameters are optional, only those parameters where a value is provided are copied to the process data map.

Configuration

To use this task, configure the following delegate expression in your service task:

${copyValuesOfLoggedInUserToProcessMapParameterizedTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription

userNameOutputField

-

userinfoUsername

The output field of the datamap which will contain the user name.

userFullNameOutputField

-

userinfoUserFullName

The output field of the datamap which will contain the user's full name.

userIdOutputField

-

userinfoUserid

The output field of the datamap which will contain the user id.

userIpAdressOutputField

-

userinfoIpAddress

The output field of the datamap which will contain the user's IP address.

userAuthProfileTypeOutputField

-

userinfoAuthprofileType

The output field of the datamap which will contain the users AuthProfileType (Enum is passed).

userExplorerInstanceIdOutputField

-

userinfoExplorerInstanceId

The output field of the datamap which will contain the user's explorer instance ID if logged in through explorer.

userUsspInstanceIdOutputField

-

userinfoUsspInstanceId

The output field of the datamap which will contain the user's Smart ID Self-Service instance ID if logged in through Smart ID Self-Service.
userRolesOutputField-userinfoUserRoles

The output field of the datamap which will contain the user's assigned roles as a list. This is not meant to be used for the GUI and may result in issues. Use this, for example, in gateways like this:

${userinfoUserRoles.contains("Administrator") == true}
userSamlTokenIDOutputField-userinfoSamlTokenIDThe output field of the datamap which will contain the user's SAML Token ID.
userSamlIssueInstantOutputField-userinfoSamlIssueInstantThe output field of the datamap which will contain the user's SAML IssueInstant.
userLocaleOutputField-userinfoLocaleThe output field of the datamap which will contain the user's selected Locale.

Description

Use this task to delete a secret field from secret field store and clear the reference to it.

Configuration

To use this task, configure the following delegate expression in your service task:

${deleteSecretField}

 The following parameters can be configured in Identity Manager Admin: 

ParameterMandatoryValueDescription
referenceField


The field to be deleted in secret field store.

Description

Use this task to execute a script and put the result variables to the process map.

Configuration

To use this task, configure the following delegate expression in your service task: 

${executeScriptTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription

scriptName


The name of the script.

Description

Use this task to run a search configuration and put the result to the map as core object descriptor list or as the complete object.

Searches in external datapools, such as LDAP, SCIM or JDBC, need to be based on a CoreTemplate.

If the number of search results is equal to or more than maxCount this is logged in the Tomcat log file.

A process variable executeSearchResultCount will hold the number of the found entities.

Configuration

To use this task, configure the following delegate expression in your service task:

${executeSearchParameterizedTask}

 The following parameters can be configured in Identity Manager Admin:

 ParameterMandatoryValueDescription
searchConfigName

-


Defines the search configuration that should be used to count objects.

During process execution the user must have the permission to execute the search configuration. It is possible to use a search configuration that searches over multiple levels.

The binary data fields will not be loaded into the process map unless the search configuration has at least one binary data field in the result columns.

maxCount


The maximum number of objects that should be found.
resultVariableName-
  • CoreObjectDescriptorList

Specifies the name of a variable of the data map, where the CoreObjectDescriptorList of the found objects is stored.

copyValuesOfFirstResult-

Valid values:

  • true
  • false (default)
This parameter decides whether the first found object is put completely to the map (true) or if the CoreObjectDescriptorList is put to the map (false). If set to true, resultVariableName will be ignored. maxCount will be ignored too and set to 1.

fullResultListField

-

<variableName>

Variable in which the full search result will be stored inside the process map. Will be ignored if it is empty.

TargetPrefix

-

<Prefix>

Example: Manager_

If the found objects fields should be added to the process map with a special prefix. It replaces the <Datapool_>, which is otherwise at this position. With this function, conflicting entries can be avoided.

Example: Instead of "Person_Email" the data map will get an additional entry: "Manager_Email".

sortColumn
-

<ColumnName> Example: FirstName

This parameter is the column name of the dataset, which is taken to order the search result.
sortOrder
-

Valid values:

  • ASC (default)
  • DESC
Combo box to select if the search result is ordered ascending or descending. Default is ascending.
<Datapool_Field>-

<CONDITION>:<value>

Examples:

  • EQUALS:true
  • STARTS_WITH:${processVariable}

Valid CONDITIONS:

  • EQUALS
  • NOT_EQUALS
  • GREATER_THAN
  • GREATER_EQUALS
  • LESS_THAN
  • LESS_EQUALS
  • STARTS_WITH
  • ENDS_WITH
  • CONTAINS
  • SOUNDEX
  • EMPTY
  • NOT_EMPTY
  • Allowed multiple times, for each search field of the search config. Filter condition and value shall be separated by a colon symbol, like this, <CONDITION>:<value>.

    • Drag&drop a datapool-field into the Service Task definition, to create a filter, for example, OrderNumber, see (1) in the screenshot.
    • To make it work, you must add the datapool field name as a prefix, for example, SclmDpOrder_OrderNumbersee (2) in the screenshot.

      Every filter that is added as <Datapool_Field> MUST exist in the used SearchConfig, otherwise it will not be added when the search task is executed.

    • For the value, a condition is needed, in the screenshot "EQUALS".


Also the conjunctions AND and OR can be used. For example:
EQUALS:Active _OR_ temporary.inactive

searchUniqueId

-

<value>

Example: ${<Datapool>_Id}

It is the Unique ID (<Datapool>_Id) used to store records in the underlying database. The value can be a literal or a JUEL expression. This filter always uses equals to identify the record. In case of a related search, this is used to identify the Source Object.
resultUniqueId

-

<value>

Example: ${<Datapool>_Id}

It is the Unique ID (<Datapool>_Id) used to store records in the underlying database. The value can be a literal or a JUEL expression. This filter always uses equals to identify the record. In case of a related search, this is used to identify the Result Object.

This action works only in context with batch orders.

Description

Use this task to find the next possible/valid states to a given core object state. If the multiple selected core objects (in a batch order) do have different states (for example active, inactive), an ErrorBoundaryEvent will be triggered.

 Configuration

To use this task, configure the following delegate expression in your service task:

${findNextPossibleStates}

The following parameters can be configured in Identity Manager Admin:

 ParameterMandatoryValueDescription

dataPoolName


The datapool name of the underlying batch order.
resturnField


The name of the variable containing all the possible states (which were found).

The task can be defined as follows:

Spring configuration
<bean id="findNextPossibleStatesAction" class="de.vps.act.processexecution.state.FindNextPossibleStatesAction">
   <property name="coreTemplateProvider" ref="coreTemplateProvider"/>
   <property name="stateGraphDefinitionManager" ref="stateGraphDefinitionManager"/>
   <property name="coreObjectDAO" ref="coreObjectDAO"/>
</bean>

<bean id="findNextPossibleStates" parent="parameterizedTask">
   <property name="action" ref="findNextPossibleStatesAction" />
</bean>

Description

Use this task to load an entity into the process map.

Given a datapool, a field, the field's value and optionally a core template, the matching entity will be loaded. If more than one entity matches, no entities will be added to the process map. A process variable loadEntityResultCount will hold the number of the found entities. Any value other than 1 can be considered an error.

Configuration

To use this task, configure the following delegate expression in your service task:

${loadEntityParameterizedTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
EntityDataPool

PersonThe name of the entity's datapool.
EntityAttribute

EmailThe attribute of the entity that must match a certain value.
EntityAttributeValue

${Person_Email} or ${user.Person_Email}The value that EntityAttribute must match. Most of the time, an expression will be used here. Also special expressions like ${user.*} are possible, to use values from the authenticated User or from system.properties (${sysprop.*}
EntityCoreObject



The core template of the entity. This limits the search to objects of this core template.

EntityCoreObjectIdField


coreObjectIdThe field in which the CoreObjectId is added in the process map.

EntityCoreObjectDescField


coreObjectDescriptorThe field in which the CoreObjectDescriptor is added in the process map.

EntityRolesField


rolesThe field in which the roles of the object is added in the process map.

ExclusiveLoadFields


FirstName,LastName,EmailIf not the complete dataset should be loaded, only the ones defined here are loaded/added in the process map.

TargetPrefix


Manager_

If the found objects fields should be added to the process map with a special prefix. It replaces the <Datapool_>, which is otherwise at this position. With this function, conflicting entries can be avoided.

Example: Instead of "Person_Email" the data map will get an additional entry: "Manager_Email".

Description 

This task expects a certificate in the process map and loads an entity from the DB, based on a value of the certificate. You configure what kind of entity (Person, Server etc) and which certificate field should match which field of the entity. A case insensitive search is performed. If exactly one entity is found, it will be added to the process map. If more that one entity is found, no entities will be added to the process map. A process variable loadCertificateMatchingEntityResultCount will hold the number of the found entities. Any value other than 1 can be considered an error.

This task can be used to establish an objectRelation between the certificate and an entity.

Configuration

To use this task, configure the following delegate expression in your service task:

${loadCertificateMatchingEntityParameterizedTask}

 The following parameters can be configured in Identity Manager Admin: 

Values are case sensitive.

 

ParameterMandatoryValueDescription

certificateDataPoolName

CertificateThe name of the certificate's datapool.

certificateDataFieldName

DataThe name of the field of the certificate's datapool that holds the binary certificate.
certificateAttribute

Example value:

  • SAN_UPN
The field of the certificate whose value must match the entity. SAN values are prefixed with "SAN_". Possible values: any one of de.nexus.pkiutils.certificate.DNs or any one of de.nexus.pkiutils.certificate.SANs. Currently that allows the following possibilities: DN_C, DN_CN, DN_DNQ, DN_E, DN_L, DN_O, DN_OU, DN_SN, DN_ST, DN_UID, DN_STREET, DN_INITIALS, DN_POSTAL_ADDRESS, DN_POSTAL_CODE, DN_TELEPHONE_NUMBER, DN_TITLE, DN_SURNAME, DN_GIVENNAME, SAN_EMAIL, SAN_UPN, SAN_DNS, SAN_IP, SAN_URI, SAN_GUID, SAN_RID.
entityDataPoolName

PersonThe datapool of the entity to loadCertificateMatchingEntityParameterizedTask
entityDataPoolFieldName

EmailThe name of the field of the entity's datapool that must match the certificate's field value.
entityCoreTemplateName-PersonThe core template of the entity. This limits the search to objects of this core template.

Description

Use this task to load one or more values of SystemProperties, which are configured in the Admin tab in Identity Manager, into fields of the process map.

Configuration

To use this task, configure the following delegate expression in your service task:

${loadSystemPropertyIntoProcessmapParametrizedTask}

 The following parameters can be configured in Identity Manager Admin, they can be added with the '+'-button, each row sets one system property into the target field:

ParameterMandatoryValueDescription

targetFieldName

Name of systemProperty to load

Combination of target field and system property.

A system property is defined of <contextid>.<propertyName>.

Description

Use this task to log something in the logfile. The results will not be visible to an end user.

Configuration

To use this task, configure the following delegate expression in your service task:

${loggingParameterizedTask}

The following parameters can be configured in Identity Manager Admin:

 ParameterMandatoryValueDescription

loggerName

Any String, but typically a java package optionally followed by a class name.

Example values:

  • MyLogger
  • de.nexus
  • de.nexus.MyClass
In the log4j configuration, defined loggers have a name, typically a package name or a class, however any String is valid. This attribute specifies to which logger this task will write. You can use this to route the log message to a file, the console or any other appender.

loglevel

Valid values:

  • TRACE
  • DEBUG
  • INFO
  • WARN
  • ERROR
Use this to describe the severity of the log entry. It will appear in the logfile. Loggers and/or appenders typically ignore entries under a configurable threshold.

message

Any String or JUEL expression.

Example values:

  • This is a message
  • ${Person_Name} just executed this task
  • ${Person_Name.toUpperCase()} just executed this task
The message that will be logged. You can use Expression Language and methods from the String API. Expressions will be evaluated against the process map.

ignoreKeyNotFound

Valid values:

  • true
  • false

If this is set to true, expressions from the message that can't be resolved to a key in the process map will be ignored. If it is set to false, an exception will be thrown.

Description

Use this task to put the process instance ID of the current process in a variable of the data map.

Configuration

To use this task, configure the following delegate expression in your service task:

${putProcessInstanceIdInDatamapParameterizedTask}

The following parameters can be configured in Identity Manager Admin:

 ParameterMandatoryValueDescription
OutputVariableName


Specifies the name of a variable of the data map, in which the process instance ID should be put. 

Description

Use this task to remove an entity from the process map. Given a name of a datapool, all fields from the datamap will be removed. If the given name does not match a datapool, no fields will be removed.

Configuration

To use this task, configure the following delegate expression in your service task:

${removeEntityFromDatamapParameterizedTask}

The following parameters can be configured in Identity Manager Admin:

 ParameterMandatoryValueDescription
EntityDatapoolName


The name of the entity's datapool.

Description

Use this task to remove a variable from the data map of the process.

Configuration

To use this task, configure the following delegate expression in your service task:

${variableRemovingParameterizedTask}

The following parameters can be configured in Identity Manager Admin:

 ParameterMandatoryValueDescription
variableName


The name of the variable, which should be removed from the process map

To remove more than one variable, add lines to the list and set the parameter value to a higher number.

Example:

 ParameterValue
variableNameDatapool_Field1
variableName2Datapool_Field2
variableName3Datapool_Field3
......

Description

Use this task to compare two secret fields. If they are equal, the service task will return true, otherwise, false. The comparator is case sensitive, so only exact matches will return true. Note that blank values are not considered valid.

Passing secret fields directly into the data map is a security issue, so the service task will only expect UIDs of valid, already stored, secret fields.

Configuration

To use this task, configure the following delegate expression in your service task:

${compareSecretsParameterizedTask}

The following parameters can be configured in Identity Manager Admin:

Parameter

Mandatory

Value

Description

firstSecretFieldName

String value

UID of the first secret field

secondSecretFieldName

String value

UID of the second secret field

resultFieldName

String value

Default value: secretsAreEqual

The name of the variable in the processMap that will contain the result of the comparison.

Description

Use this task to set a variable to a desired value, including an empty string or null.

Configuration

To use this task, configure the following delegate expression in your service task:

${setValueOfVariableInProcessMapParameterizedTask}

The following parameters can be configured in PRIME Designer:

 ParameterMandatoryValueDescription
variableName


The name of the variable whose value should change in the process map
variableValue-
The new value for the variable. It may contain JUEL expressions like ${Person_FirstName}.
setToNull-

Valid values:

  • true
  • false
If set to true, the variable's value will be set to null.
setToEmptyString-

Valid values:

  • true
  • false
If set to true, the variable's value will be set to an empty string.

Be sure to configure exactly only one of variableValue, setToNull and setToEmptyString. Otherwise an Exception is thrown.

JUEL expressions

Unresolvable JUEL expressions in variableValue are ignored by default.

If you want an exception to be thrown instead, add the following bean definitions to your custom-beans.xml:

 <bean id="keyNotFoundThrowingSpelResolver" class="de.vps.act.juel.SpelExpressionResolver">
        <constructor-arg name="expressionPrefix" value="${" />
        <constructor-arg name="expressionSuffix" value="}" />
        <constructor-arg name="keyNotFoundSafe" value="false" />
    </bean>

    <bean id="setValueOfVariableInProcessMapParameterizedAction"
          class="de.vps.act.action.datamap.modification.SetValueOfVariableInProcessMapParameterizedAction">
        <property name="juelExpressionResolver" ref="keyNotFoundThrowingSpelResolver" />
    </bean>

Description

Use this task to execute a searchConfig and search in a list of X509-certificates for the newest Encryption Certificate.

If one is found it is saved in the database (if it`s not existing already under the configured core template name) and loaded into the processMap as CoreObjectDescriptor.
If the certificate is found in the database but under a different core template name, a second entry will be saved under the configured core template name.

This task is useful, for example, when a field of a LDAP-datapool contains a (multi-value binary) list of certificates.

Configuration

To use this task, configure the following delegate expression in your service task:

${searchNewestEncCertParameterizedTask}

The following parameters can be configured in Identity Manager Admin:

 ParameterMandatoryValueDescription

searchConfigName

Select in drop-down listThe searchConfig, which is executed to search the list of X509-Certificates

encCertResultCoreTemplate

Select in drop-down list

The name of a CoreTemplate to store the found encryptionCertificate in the Database, if it does not already exist with this CoreTemplate name.

Note: The name must be based on CertificateDAO-dataPool

Note: If the certificate already exists with a different CoreTemplate name, a second entry will be saved with the encCertResultCoreTemplate. It is recommended to use these additional entries only temporarily and remove them after use.

encCertResultDescriptorName

String valueThe name of the variable in the processMap where the found encryptionCert is put as CoreObjectDescriptor

X509ListFieldInSearchResult

String value

The field in the result of the searchConfig with the list of certificates.

Note: This field should be a multi-value binary field in the datapool (LDAP-datapool)

<Datapool_Field>-

Additional Filter-Field for the searchConfig, added with '+'-Button

See description in Process: Execute Search Task.

Description

Use this task to set a variable to a desired value, including an empty string or null.

Configuration

To use this task, configure the following delegate expression in your service task:

${setVariablesParameterizedTask}

The following parameters can be configured in Identity Manager Admin:

 ParameterMandatoryValueDescription
setEmptyAsNull

Valid values:

  • true
  • false (default)
Defines if a variable without a value should stay empty or null.

<variableName>

-<variableValue> 

The name and value of the variable. It can be also a combination of expressions that gets resolved from current values of the process map.

Example:

  • Person_Name
  • MyTestVar
  • ${part1} ${part2}
<variableName2> -

<variableValue2> 


...-

...

Fill in as many variables as needed.

Description

Use this task to validate a value in the process data map against a regular expression. The result is saved as true/false in the process data map.

Configuration

To use this task, configure the following delegate expression in your service task:

${validateFieldWithRegexParameterizedTask}

The following parameters can be configured in Identity Manager Admin:

 ParameterMandatoryValueDescription
variableName

Example value:

  • Text string, free of choice

Field in the process data map whose value (or list of values) is checked with the regular expression.

resultVariableName

Example value:

  • Text string, free of choice, example: "ProcessVarCNRegexResult"

Field in the process data map where the result of the validation is saved as Boolean ("true" when regex matches, "false" if not).

regex

Example value:

  • See examples in drop down list
  • Can also be edited free
The regular expression, which the field value must match.
variableMustExist-

Valid values (Boolean):

  • true
  • false (default at design time)
If true, validation fails if map has no entry for the variable described in variableName.
delimiter-

Example values:

  • "," (colon)
  • ";" (semi colon)

Can be defined if the value in variableName contains a list which is separated with a delimiter. For example: "value1; value2; value3"

If delimiter is defined, the value is treated as a list of multiple values, and every value is validated.

trim-

Valid values (Boolean):

  • true
  • false (default at design time)

If true, any whitespace before and after the value in variableName is removed before validation.

Example:

  • if " value " then "value" is validated. Every value in a list is trimmed, if delimiter is defined.
caseSensitive-

Valid values (Boolean):

  • true (default at design time)
  • false

If true, the validation does differentiate between lowercase and uppercase characters.

Smart ID Messaging


Description

Use this task to provision a new profile or update an existing one, overwriting existing keys. The task will create the keys needed for the "Mobile App: Install certificates" task.

The task will generate the following PKCS#10 request templates:

  • Signature Certificate (optional)
  • Authentication Certificate (optional)
  • Device Encryption (used to secure the communication with Smart ID Mobile App)

These requests will then be sent to the mobile phone and transformed into new PKCS#10 requests (with keypairs generated on the client but keeping all subject data). The new requests userid will then be sent to the message catching intermediate event identified by the parameter 'messageName'. Identity Manager will put these PKCS#10 requests into the process map under the keys "SIG_P10_VAR", "AUTH_P10_VAR" and "DEVICE_ENC_P10_VAR". If a new profile was created, Identity Manager will also put the new profileId into the process map under the key "profileId". In order to save the profile id you will need to copy it into a data pool field.

After this task is executed, you need to request certificates using the requests stored in the process variables "SIG_P10_VAR" and "AUTH_P10_VAR" before proceeding to the "Mobile App: Install certificates" task. Store the requested certificates into the process map.

Attestation key

Smart ID Mobile App will sign the request data and Identity Manager will verify the mobile client's data signature using the attestation key. The attestation key is configured in the task's attestationKeySet parameter and in the Sign and encrypt engine in Identity Manager.

If the verification fails, the task will not accept the data but set two process variables instead:

  • The errorTypeField (see the parameters below) will be set to "HERMOD_ERROR_JWT_SIGNATURE". Use this in your process design to react to validation errors.
  • The errorMessageField (see the parameters below) will contain a more descriptive message

Configuration

To use this task, configure the following delegate expression in your service task:

${hermodKeyCreationTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
messagingServer

Example value:

  • MessagingServer
The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.

messageName

Example value:

  • p10PreparationCallback
The name of the intermediate message catching event that will be triggered by Smart ID Messaging.
userid

Example value:

  • ${Person_Email}

ID representing the user on the messaging server. This will be displayed in the profile on the mobile app to verify the correct data is provided.

A common approach is to use the user's email address.

errorMessageField

Example value:

  • ErrorMessage
Process variable to put the error message in case of failure.
errorTypeField

Example value: 

  • ErrorType
Process variable to put the error type in case of failure.
signCertificateTemplate-
Signature certificate template.
authCertificateTemplate-
Authentication certificate template.
profileName

If new profile

Leave empty (when updating a profile)

Profile name for Smart ID Messaging. Will be displayed in the Smart ID Mobile App. Leave empty if you want to update an existing profile.
serverName

If new profile

Example value: 

  • Smart ID
Name of the server that issued the provisioning request. This is for the user to understand where the profile comes from. 
attestationKeySet

-

(If not set will default to "ATTESTATION")

Example value:

  • ATTESTATION (default value)

The name of the attestation key that will be used for signing (by the client) and validating (by Identity Manager) the mobile client's data. The available values are the names of the descriptors in the sign and encrypt engine that start with "att_", without this prefix. An attestation key with the same name must be defined in Smart ID Mobile App/MDM device.

Default value is "ATTESTATION" when no descriptor value is provided.

qrResultField

If new profile

Example value:

  • QR_CODE_VAR
Process variable to put the resulting url. This url may be converted to a QR-Code for the Smart ID Mobile App by using GenerateQRCodeParametrizedAction.
profileIdIf update profile

Leave empty (for new profile)

Id of the Smart ID Mobile App profile that will be updated with new keys. Leave empty if you want to provision a new profile.

storagePriority

Valid values:

  • APP (for Smart ID Mobile App, default)
  • EXT (for Mobile Iron device)
  • MDM (replaced by EXT, but still supported)
Storage priority of certificates. MDM is replaced by EXT, however MDM is still supported.
visualIdLayout

If using visual ID

Example value:

  • Default Layout
The layout to be used for creating the visual ID. If there is a juel expression configured for the front or backside image, this will take precedence over the statically configured image. If there is no image found for the juel expression, and there is no statically configured image, the task will fail.
cardDatapool

If using visual ID

Example value:

  • PcmDpPersonalMobile
 The datapool used for saving the mobile ID profile.
contentId

If using visual ID

Example value:

  • ${GeneratedContentId}
 A unique ID in UUID format, which will be associated with the personal mobile profile. Can be generated with the service task "MISC: Generate Random GUID into Data Map Field".

Description 

Use this task to request and install certificates that were prepared using the "Mobile App: Create Key" task.

As a prerequisite

  • you must already have requested certificates with the authentication and signature certification requests generated by the "Mobile App: Create Key" task and stored them as process variables.
  • if you want to perform certificate recovery, you must prepare the data for that using 'Cert: Load Key History List'.

Use this task to install a number of certificates on the mobile phone:

  • Signature Certificate, will be bound to the key pair created by "Mobile App: Create Key".
  • Authentication Certificate, will be bound to the key pair created by "Mobile App: Create Key".
  • Device Encryption Certificate, will be bound to the key pair created by "Mobile App: Create Key".
  • Encryption Certificate created with key archival.
  • Any number of recovered certificates.

Configuration

To use this task, configure the following delegate expression in your service task:

${hermodInstallCertificatesTask}

The following parameters can be configured in Identity Manager Admin: 

ParameterMandatoryValueDescription
messagingServer


The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.

messageName

p10FinishedCallbackThe name of the intermediate message catching event that will be triggered by Smart ID Messaging.
userid

${Person_Email}ID representing the user on the messaging server. This must match the userid provided when the profile was requested.
errorMessageField

ErrorMessage

Process variable to put the error message in case of failure.
errorTypeField

ErrorType

Process variable to put the error type in case of failure.
signatureCertificate-

${SIG_VAR}

The signature certificate.
authenticationCertificate-

${AUTH_VAR}

The authentication certificate.
deviceEncryptionP10

${DEVICE_ENC_P10_VAR}

The PKCS#10 request for the Device Encryption Certificate, created by the "Mobile App: Create Key" task.
profileId

${profileId}

The id of the profile under which to store the certificates. This is initially provided by the "Mobile App: Create Key" task.
encryptionCertificate-
Encryption certificate template.
recoveryCertificate-
Recovery certificate template.
processVariable-Certificate_CoreObjectsVariable name which holds Core object ids list or Core object descriptor list of certificates to be recovered.
p12PasswordField

profilePasswordReference field where the created password is stored. This password is used for all PKCS#12 containers in this communication. There are a number of actions for creating passwords.
storagePriority

Valid values:

  • APP (for Smart ID Mobile App, default)
  • EXT (for Mobile Iron device)
  • MDM (replaced by EXT, but still supported)
Storage priority of encryption certificates. MDM is replaced by EXT, however MDM is still supported.

Description

Use this task to delete a profile managed by Smart ID Desktop App. It can also delete all Smart ID Messaging mailboxes for a specific user id.

This task can be used in the following ways:

Delete profile on Smart ID Mobile App and Smart ID Messaging

Executed the task on a card profile which contains information about the profile id.

  1. Specify a profile id and set the confirmation flag to true. All other parameters must be provided as well.
  2. The request will be sent to Smart ID Mobile App, which will delete the profile identified by the specified profile id.
    • The result will be sent to the message catching intermediate event identified by the parameter 'messageName'.
    • After receiving a successful response from Smart ID Mobile App, Smart ID Messaging also deletes the mailbox and forwards the same response back to Identity Manager.

Delete mailbox on Smart ID Messaging only

  1. Set the confirmation flag to false.

    Even if the confirmation flag is set to false, you need to set the 'messageName' parameter to a dummy value to be able to delete the mailbox(es).

  2. Smart ID Messaging will delete either a specific mailbox when a profile id is provided or all mailboxes of the specified user id when the profile id is absent.
    The profiles themselves in their respective apps will be retained, as the deletion request will not be forwarded.

Configuration

To use this task, configure the following delegate expression in your service task:

${pmHermodDeleteProfileTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
messagingServer


The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.
messageName


The name of the intermediate message catching event that will be triggered by Smart ID Messaging.
errorMessageField

ErrorMessageProcess variable to put the error message in case of failure.
errorTypeField

ErrorTypeProcess variable to put the error type in case of failure.
profileId

when confirmation flag is true

${Card_ProfileId}

ID of the profile to be deleted, as created via 'Mobile App: Create Key'.

userid

${Person_Email}

ID representing the user on the messaging server. This must match the userid provided when the profile was requested.
confirmation

Valid values:

  • true
  • false

Messaging Server will forward the profile deletion request to Smart ID Mobile App when set to true.

Description

Use this task to create up to three template PKCS#10 requests that can be used to request certificates needed for the "Desktop App: Install Certificates on Virtual Smart Card" task.

Use this task to create up to three template PKCS#10 requests:

  • Signature Certificate (if template name is provided)
  • Authentication Certificate (if template name is provided)
  • Device Encryption (always, used to secure the communication with Smart ID Desktop App)

These requests will then be sent to Smart ID Desktop App and transformed into new PKCS#10 requests (with keypairs generated on the client but keeping all subject data). The new requests will then be sent to the message catching intermediate event identified by the parameter 'messageName'. Identity Manager will put these PKCS#10 requests into the process map under the keys "SIG_P10_VAR" and "AUTH_P10_VAR". Identity Manager will also put the new profile id into the process map under the key "profileId". In order to save the profile id you will need to copy it into a data pool field.

This task can only provision a new profile - updating an existing profile is currently only supported in Smart ID Mobile App at this time, not in Smart ID Desktop App.

Attestation Key

Smart ID Desktop App will sign the request data and Identity Manager will verify the client's data signature using the attestation key. The attestation key is configured in the task's attestationKeySet parameter and in the Sign and encrypt engine in Identity Manager.

If the verification fails, the task will not accept the data but set two process variables instead:

  • The errorTypeField (see the parameters below) will be set to "HERMOD_ERROR_JWT_SIGNATURE". Use this in your process design to react to validation errors.
  • The errorMessageField (see the parameters below) will contain a more descriptive message

Configuration

To use this task, configure the following delegate expression in your service task:

${pxVscHermodKeyCreationTask}

The following parameters can be configured in Identity Manager Admin: 

ParameterMandatoryValueDescription
messagingServer

Example value:

  • MessagingServer
The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.

messageName

Example value:

  • p10PreparationCallback
The name of the intermediate message catching event that will be triggered by Smart ID Messaging.
userid

Example value:

  • ${Person_Email}

ID representing the user on the messaging server. This will be displayed in the profile(-list) on the desktop app to verify the correct data is provided.

A common approach is to use the user's email address.

errorMesageField

Example value: 

  • ErrorMessage
Process variable to put the error message in case of failure.
errorTypeField

Example value: 

  • ErrorType
Process variable to put the error type in case of failure.
signCertificateTemplate-

Example value:

  • Sign-Certificate
Certificate template of the signature certificate.
authCertificateTemplate-

Example value:

  • Authentication-Certificate
Certificate template of the authentication certificate.
profileName

Example value:

  • VSC 1
Profile name for Smart ID Messaging. Will be displayed in Smart ID Desktop App as the heading of the profile.
serverName

Example value:

  • Smart ID

Name of the server that issued the provisioning request. This is for the user to understand where the profile comes from.

attestationKeySet

-

(If not set will default to "ATTESTATION")

Example value:

  • FIXED (default value)

The name of the attestation key that will be used for signing (by the client) and validating (by Identity Manager) the client's data. The available values are the names of the descriptors in the sign and encrypt engine that start with "att_", without this prefix. An attestation key with the same name must be defined in Smart ID Desktop App.

Currently, Smart ID Desktop App accepts only default key set named "FIXED".

plugoutResultField

If new profile

Example value: 

  • plugoutUri
Process variable to put the resulting Smart ID Plugout URI that will open Smart ID Desktop App on the client machine.
adminKey

Example value: 

  • ${Card_CardManagerKey}

The secret field reference of 24-byte 3DES admin key in HEX format. The key can also be set directly as plain hex value for testing.

Note: Smart ID Desktop App.s own default is 123456781234567812345678123456781234567812345678, but you must make sure Identity Manager always defines the value!

smartCardId

Example Value: 

  • ${Card_VscId}
Virtual smart card id. Usually it will be created via a dedicated number-range.
provisionReader


Valid values:

  • CreateTPM
  • FreeTPM
  • RenewTPM 
  • 0TPM/1TPM..../15TPM
  • CreateTPM (create a new VSC on the TPM) 
  • FreeTPM (use first free VSC on the TPM) .
  • RenewTPM Use this option to renew existing TPM certificates.
  • 0TPM / 1TPM / ... / 15TPM  Specific VSC on the TPM can be also used for installing certificates.

The value is passed as-is to Smart ID Desktop App.

pinMinLength

Example value:

  • 6
Min. length of the VSC PIN (Windows API allows 4-127 characters,
see https://docs.microsoft.com/en-us/uwp/api/windows.devices.smartcards.smartcardpinpolicy.minlength)
pinMaxLength

Example value:

  • 15
Max length of the VSC PIN (Windows API allows 4-127 characters,
see https://docs.microsoft.com/en-us/uwp/api/windows.devices.smartcards.smartcardpinpolicy.maxlength)
pinUppercase

Valid values:

  • ALLOWED (default)
  • DISALLOWED
  • REQUIRED
Whether uppercase chars in the PIN are ALLOWED / DISALLOWED / REQUIRED
pinLowercase

Valid values:

  • ALLOWED (default)
  • DISALLOWED
  • REQUIRED
Whether lowercase chars in the PIN are ALLOWED / DISALLOWED / REQUIRED
pinDigits

Valid values:

  • ALLOWED (default)
  • DISALLOWED
  • REQUIRED
Whether digits in the PIN are ALLOWED / DISALLOWED / REQUIRED
pinSpecialChars

Valid values:

  • ALLOWED (default)
  • DISALLOWED
  • REQUIRED
Whether special chars in the PIN are ALLOWED / DISALLOWED / REQUIRED
hybridProfile-

Valid values:

  • FALSE (default)
  • TRUE

oldAdminKey-

-

This field only makes sense in case the "FreeTPM" provisionReader is configured. If provided, it will change the VSC's admin key. "oldAdminkey" must hold the old admin key and "adminKey" must hold the new admin key.

For example, default admin key of 010203040506070801020304050607080102030405060708 when you create VSC from Tpmvscmgr tool.

storagePriority

Valid values (version-dependent, Smart ID Desktop App or Smart ID Messaging update may be required for some):

  • VSC (TPM-based virtual smart card, default)
  • TPM (direct TPM storage, depending on the version of Smart ID Desktop App, it might have same meaning as VSC)
  • YUBI (Yubico YubiKey 5 PIV Token, since Identity Manager 3.12.5)
  • OS (operating system certificate store)

Storage priority - defines where certificates and keys are stored. Usually just a single value.
If hybridProfile is TRUE, then this may be a comma-separated list.

Example:

VSC, OS would mean: try to write to a virtual smart card first, and if that fails, use the OS certificate store instead.

desktopKeyProtectionLevel

Valid values:

  • NONE (default)
  • CONSENT
  • PASSWORD
  • BIOMETRICS

Specifies the key protection level at OS key store. It is only used in case of OS storage priority. 

  • NONE - No strong key protection.
  • CONSENT - The user is notified through a dialog box when the private key is created or used.
  • PASSWORD - The user is prompted to enter a password for the key when the key is created or used.
  • BIOMETRICS - The user is prompted to enter a fingerprint verification for the key when the key is created or used.

Description

This task requests and installs certificates that were prepared using the "Desktop App: Create Virtual Smart Card Key" task.

As a prerequisite

  • you must already have requested certificates with the authentication and signature certification requests generated by the "Desktop App: Create Virtual Smart Card Key" task. Store the certificates as process variables.
  • if you want to perform certificate recovery, you must prepare the data for that using 'Cert: Load Key History List'.

Use this task to install a number of certificates on a profile maintained by the Smart ID Desktop App:

  • Signature Certificate, will be bound to the key pair created by 'Desktop App: Create Virtual Smart Card Key'.
  • Authentication Certificate, will be bound to the key pair created by 'Desktop App: Create Virtual Smart Card Key'.
  • Device Encryption Certificate, will be bound to the key pair created by 'Desktop App: Create Virtual Smart Card Key'.
  • Encryption Certificate created with key archival.
  • Any number of recovered certificates.

Configuration

To use this task, configure the following delegate expression in your service task:

${pxVscHermodInstallCertificatesTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
messagingServer


The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.

messageName

p10FinishedCallbackThe name of the intermediate message catching event that will be triggered by Smart ID Messaging.
userid

${Person_Email}ID representing the user on the messaging server. This must match the userid provided when the profile was requested.
errorMessageField

ErrorMessage

Process variable to put the error message in case of failure.
errorTypeField

ErrorType

Process variable to put the error type in case of failure.
signatureCertificate

${SIG_VAR}

The signature certificate.
authenticationCertificate

${AUTH_VAR}

The authentication certificate.
deviceEncryptionP10

${DEVICE_ENC_P10_VAR}

The PKCS#10 request for the Device Encryption Certificate, created by the "Desktop App: Create Virtual Smart Card Key" task.
profileId

${profileId}

The id of the profile under which to store the certificates. This is initially provided by the 'Desktop App: Create Virtual Smart Card Key' task.
encryptionCertificate

Encryption certificate template.
recoveryCertificate

Recovery certificate template.
processVariable
Certificate_CoreObjectsVariable name which holds Core object ids list or Core object descriptor list of certificates to be recovered.
p12PasswordField

p12passwordReference field where the created password is stored. This password is used for all PKCS#12 containers in this communication. There are a number of actions for creating passwords.
smartCardId

${Card_VscId}

Virtual smart card id. Usually it will be created via a dedicated number-range.
storagePriority

Valid values (version-dependent, Smart ID Desktop App or Smart ID Messaging update may be required for some):

  • VSC (TPM-based virtual smart card, default)
  • TPM (direct TPM storage, depending on the version of Smart ID Desktop App, it might have same meaning as VSC)
  • YUBI (Yubico YubiKey 5 PIV Token, since Identity Manager 3.12.5)
  • OS (operating system certificate store)

Storage priority - defines where certificates and keys are stored. Usually just a single value.

If the profile was created with hybridProfile set to TRUE (see 'Desktop App: Create Virtual Smart Card Key'), then this may be a comma-separated list.

Example:

VSC, OS would mean: try to write to a virtual smart card first, and if that fails, use the OS certificate store instead.

desktopKeyProtectionLevel

Valid values:

  • NONE (default)
  • CONSENT
  • PASSWORD
  • BIOMETRICS

Specifies the key protection level at OS key store. It is only used in case of OS storage priority. 

  • NONE - No strong key protection.
  • CONSENT - The user is notified through a dialog box when the private key is created or used.
  • PASSWORD - The user is prompted to enter a password for the key when the key is created or used.
  • BIOMETRICS - The user is prompted to enter a fingerprint verification for the key when the key is created or used.

Description

Use this task to delete a virtual smart card profile managed by Smart ID Desktop App on a TPM and also to delete all Smart ID Messaging mailboxes for a specific user id.

This task can be used in the following ways:

Delete Virtual Smart card profile on Smart ID Desktop App and Smart ID Messaging

Execute this task on a smart card profile which contains information about smart card id, profile id and card manager key (admin key).

  1. Specify a profile id and set the confirmation flag to true. All other parameters must be provided as well.
  2. The request will be sent to Smart ID Desktop App, which will delete the profile identified by the specified profile id and smart card id. Smart ID Desktop App will also change the card's admin key to the new value provided.
    • The result will be sent to the message catching intermediate event identified by the parameter 'messageName'.
    • After receiving a successful response from Smart ID Desktop App, Smart ID Messaging also deletes the mailbox and forwards the same response back to Identity Manager.

Delete mailbox on Smart ID Messaging only

  1. Set the confirmation flag to false. Smart card id and keys can be omitted.
  2. Smart ID Messaging will delete either a specific mailbox when a profile id is provided or all mailboxes of the specified user id when the profile id is absent.
    • The profiles themselves, in their respective apps, will be retained, as the deletion request will not be forwarded.

Configuration

To use this task, configure the following delegate expression in your service task:

${pxVscHermodDeleteProfileTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
messagingServer


The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.
messageName

deleteSmartCardCallbackThe name of the intermediate message catching event that will be triggered by Smart ID Messaging.
errorMessageField

ErrorMessageProcess variable to put the error message in case of failure.
errorTypeField

ErrorTypeProcess variable to put the error type in case of failure.
profileId

when confirmation flag is true

${Card_ProfileId}

ID of the profile to be deleted, as created via 'Desktop App: Create Virtual Smart Card Key'.

smartCardId

when profileId provided and confirmation flag is true

${Card_VscId}ID of the virtual smart card, as created via 'Desktop App: Create Virtual Smart Card Key'.
plugoutUrl

when profileId provided and confirmation flag is true

plugoutUrl

Process variable to put the resulting Smart ID Plugout URI that will open Smart ID Desktop App on the client machine.

userid

${Person_Email}

ID representing the user on the messaging server. This must match the userid provided when the profile was requested.
adminKey

when profileId provided and confirmation flag is true


The secret field reference of the new 24-byte 3DES admin key to be set, in HEX format. The key can also be set directly as plain hex value for testing.

oldAdminKey

when profileId provided and confirmation flag is true

${Card_CardManagerKey}

The secret field reference of the 24-byte 3DES current admin key, in HEX format. The key can also be set directly as plain hex value for testing.

confirmation

Valid values:

  • true (default)
  • false

Messaging Server will forward the delete profile request to Smart ID Desktop App when this set to true.

Description

Use this task to create a template PKCS#10 request that can be used to request the certificate needed for the "Desktop App: Install Certificates On Windows Cert Store" task:

  • Device Encryption (used to secure the communication with Smart ID Desktop App)

Identity Manager will also put the new profileId into the process map under the key "profileId". In order to save the profile id you will need to copy it into a data pool field.

This task can only provision a new profile - updating an existing profile is currently only supported in Smart ID Mobile App at this time, it is not supported in Smart ID Desktop App.


Attestation Key

Smart ID Desktop App will sign the request data and Identity Manager will verify the client's data signature using the attestation key. The attestation key is configured in the task's attestationKeySet parameter and in the Sign and encrypt engine in Identity Manager.

If the verification fails, the task will not accept the data but set two process variables instead:

  • The errorTypeField (see the parameters below) will be set to "HERMOD_ERROR_JWT_SIGNATURE". Use this in your process design to react to validation errors.
  • The errorMessageField (see the parameters below) will contain a more descriptive message

Configuration

To use this task, configure the following delegate expression in your service task:

${pxOsHermodKeyCreationTask}

The following parameters can be configured in Identity Manager Admin: 

ParameterMandatoryValueDescription
messagingServer

Example value:

  • MessagingServer
The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.

messageName

Example value:

  • p10PreparationCallback
The name of the intermediate message catching event that will be triggered by Smart ID Messaging.
userid

Example value:

  • ${Person_Email}

ID representing the user on the messaging server. This will be displayed in the profile(-list) on the desktop app to verify the correct data is provided.

A common approach is to use the user's email address.

errorMesageField

Example value: 

  • ErrorMessage
Process variable to put the error message in case of failure.
errorTypeField

Example value: 

  • ErrorType
Process variable to put the error type in case of failure.
profileName

Example value:

  • Windows Certs
Profile name for Smart ID Messaging. Will be displayed in Smart ID Desktop App as heading of the profile.
serverName

Example value:

  • Smart ID

Name of the server that issued the provisioning request. Will be displayed in Smart ID Desktop App so the user can understand where this profile comes from. 

plugoutResultField

Example value: 

  • plugoutUri
Process variable to put the resulting Smart ID Plugout URI that will open Smart ID Desktop App on the client machine.
desktopKeyProtectionLevel

Valid values:

  • NONE (default)
  • CONSENT
  • PASSWORD
  • BIOMETRICS

Specifies the key protection level at OS key store. It is only used in case of OS storage priority. 

  • NONE - No strong key protection.
  • CONSENT - The user is notified through a dialog box when the private key is created or used.
  • PASSWORD - The user is prompted to enter a password for the key when the key is created or used.
  • BIOMETRICS - The user is prompted to enter a fingerprint verification for the key when the key is created or used.
attestationKeySet

-

(If not set will default to "ATTESTATION")

Example value:

  • FIXED (default value)

The name of the attestation key that will be used for signing (by the client) and validating (by Identity Manager) the client's data. The available values are the names of the descriptors in the sign and encrypt engine that start with "att_", without this prefix. An attestation key with the same name must be defined in Smart ID Desktop App.

Currently Smart ID Desktop App accepts only only default key set named "FIXED".


If new profile



Description

Use this task to request and install certificates that were prepared using the "Desktop App: Create Windows Cert Store Key" task.

As a prerequisite

  • you must already have requested certificates with the authentication and signature certification requests generated by the "Desktop App: Create Virtual Smart Card Key" task. Store the certificates as process variables.
  • if you want to perform certificate recovery, you must prepare the data for that using 'Cert: Load Key History List'.

Use this task to install a number of certificates on the Windows Certificate store:

  • Device Encryption Certificate, will be bound to the key pair created by 'Desktop App: Create Windows Cert Store Key' task.
  • Softtoken certificate created with key archival.
  • Any number of recovered certificates.

Configuration

To use this task, configure the following delegate expression in your service task:

${pxOsHermodInstallCertificatesTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
messagingServer


The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.

messageName

p10FinishedCallback

The name of the intermediate message catching event that will be triggered by Smart ID Messaging.
userid

${Person_Email}

ID representing the user on the messaging server. This must match the userid provided when the profile was requested.
errorMessageField

ErrorMessage

Process variable to put the error message in case of failure.
errorTypeField

ErrorType

Process variable to put the error type in case of failure.
deviceEncryptionP10

${DEVICE_ENC_P10_VAR}

The PKCS#10 request for the Device Encryption Certificate, created by the "Desktop App: Create Virtual Smart Card Key" task.
profileId

${profileId}

The id of the profile under which to store the certificates. This is initially provided by the 'Desktop App: Create Virtual Smart Card Key' task.
softttokenCertificate

Softtoken certificate template.
recoveryCertificate

Recovery certificate template.
processVariable
Certificate_CoreObjectsVariable name which holds Core object ids list or Core object descriptor list of certificates to be recovered.
p12PasswordField

p12PasswordReference field where the created password is stored. This password is used for all PKCS#12 containers in this communication. There are a number of actions for creating passwords.
desktopKeyProtectionLevel

Valid values:

  • NONE (default)
  • CONSENT
  • PASSWORD
  • BIOMETRICS

Specifies the key protection level at OS key store. It is only used in case of OS storage priority. 

  • NONE - No strong key protection.
  • CONSENT - The user is notified through a dialog box when the private key is created or used.
  • PASSWORD - The user is prompted to enter a password for the key when the key is created or used.
  • BIOMETRICS - The user is prompted to enter a fingerprint verification for the key when the key is created or used.

Description

Use this task to start a connection to Smart ID Messaging. With this connection, scripts can be executed. Finally, the connection needs to be closed.

Once the connection is established you receive a boxId and a plugoutUrl which can be used to start Smart ID Desktop App and connect it to the corresponding box on Smart ID Messaging.

Configuration

To use this task, configure the following delegate expression in your service task:

${hermodStartConnectionParametrizedTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
messagingServer


The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.
boxId


Process variable to put the boxId.
plugoutUrl


Process variable to put the plugout url.
messageToUser

An optional message to the user which will be displayed in Smart ID Desktop App.
messageName

The name of the intermediate message catching event that will be triggered by Smart ID Messaging.

Description

Use this service task to execute a script in Smart ID Desktop App. The script needs to be passed as a JSON array (for example: [{"type":"APDU", "data":"00A4040000", "response":".*(9000)"}]

Configuration

To use this task, configure the following delegate expression in your service task:

${hermodExecuteScriptParametrizedTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
messagingServer


The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.
boxId


Process variable to put the boxId.
scriptCommands

Example value:

  • [{"type":"APDU", "data":"00A4040000", "response":".*(9000)"}]
Process variable containing the script commands. The commands need to be formatted as a JSON array.
messageToUser

An optional message to the user which will be displayed in Smart ID  Desktop App.
messageName


The name of the intermediate message catching event that will be triggered by Smart ID Messaging.

Description

Use this service task to close a scripting connection to Smart ID Messaging.

Configuration

To use this task, configure the following delegate expression in your service task:

${hermodEndConnectionParametrizedTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
messagingServer


The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.
boxId


Process variable to put the boxId.
messageToUser

An optional message to the user which will be displayed in Smart ID Desktop App.
messageName


The name of the intermediate message catching event that will be triggered by Smart ID Messaging.

Description

Use this task to encrypt the pin or card manager key that is sent during a pin operation. The corresponding app while provide this one time key in the callback message when the operation is requested.

Configuration

To use this task, configure the following delegate expression in your service task:

${jweEncryptTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
jweAlgorithm

${transportKeyType}The value as provided by the corresponding app via a callback message. In most cases the default value should be used. RSA-OAEP, RSA-OAEP-256, and RSA1-5 are supported. 
key

${transportKey}The value as provided by the corresponding app via a callback message. In most cases the default value should be used. Supports only X509 encoded RSA key in byte array.
sourceData

${Card_CardManagerKey}The secret to be encrypted. 
targetField

${encryptedSecret}Process variable to hand over the encrypted secret to the acknowledge task.

Description

Use this task to initiate a pin reset on a virtual smart card.

Once the operation is confirmed by the user through the Smart ID Desktop App, Identity Manager will receive a challenge that needs to be encrypted via the card manager key in order to authorize the pin reset. The challenge will be set in the process variable "challenge".

After this task is executed, use the 'Credentials: Calculate Minidriver Offline Unblocking Response' task to encrypt the challenge stored in the process variable "challenge" and store the encrypted challenge in the process variable "encryptedChallenge". Then you can proceed to the "Desktop App: Acknowledge PIN Reset on Virtual Smart Card" task.

Configuration

To use this task, configure the following delegate expression in your service task:

${hermodStartPinResetTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
messagingServer


The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.

messageName

startPinResetCallback

The name of the intermediate message catching event that will be triggered by Smart ID Messaging.
userid

 ${Person_Email}

ID representing the user on the messaging server. This must match the userid provided when the profile was requested.
errorMessageField

ErrorMessageProcess variable to put the error message in case of failure.
errorTypeField

ErrorTypeProcess variable to put the error type in case of failure.
profileId

 ${Card_ProfileId}Id of the profile whose pin to change, as created via 'Desktop App: Create Virtual Smart Card Key'.
smartCardId

 ${Card_VscId}Id of the virtual smart card, as created via 'Desktop App: Create Virtual Smart Card Key'.
boxId

 boxIdProcess variable to put the boxId. This will be needed to complete the pin reset.
plugoutUrl

 plugoutUrl

Process variable to put the plugout url.

Description

Use this task to initiate a pin reset on a physical smart card.

The Smart ID Desktop App, will in turn provide a challenge and a transport security key, so that the actual pin operation can be executed.

Supported operations are:

  • Reset the pin
  • Change the card manager key

The challenge Identity Manager will receive, needs to be encrypted via the card manager key in order to authorize the pin operation. The challenge will be set in the process variable "challenge" by a callback message.

The transport security key can be used to encrypt the new card manager key, when it is changed.

After this task is executed, use the 'Credentials: Calculate Minidriver Offline Unblocking Response' task to encrypt the challenge stored in the process variable "challenge" and store the encrypted challenge in the process variable "encryptedChallenge". Then you can proceed to the "Desktop App: Acknowledge PIN Reset on Virtual Smart Card" task.

Configuration

To use this task, configure the following delegate expression in your service task:

${hermodStartScPinResetTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
messagingServer


The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.

messageName

startPinResetCallback

The name of the intermediate message catching event that will be triggered by Smart ID Messaging.
operation

 resetPIN

  • resetPIN: reset the user pin
  • changeAdminKey: set a new card manager key
errorMessageField

ErrorMessageProcess variable to put the error message in case of failure.
errorTypeField

ErrorTypeProcess variable to put the error type in case of failure.
driverType

MiniDriverWhat kind of driver is used for the operation. At the moment only MiniDriver is supported.
driverName

 CardOSName of the driver to be used .

Description

Use this task to complete a pin reset on a virtual smart card. Once the pin is reset by Smart ID Desktop App, Identity Manager will receive an event indicating success or failure of the operation.

As a prerequisite you must have encrypted the challenge received in the "Desktop App: Request PIN Reset on Virtual Smart Card" task.

Configuration

To use this task, configure the following delegate expression in your service task:

${hermodEndPinResetTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
messagingServer


The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.

messageName

endPinResetCallback

The name of the intermediate message catching event that will be triggered by Smart ID Messaging.
errorMessageField

ErrorMessageProcess variable to put the error message in case of failure.
errorTypeField

ErrorTypeProcess variable to put the error type in case of failure.
profileId

${Card_ProfileId}Id of the profile whose pin to change, as created via 'Desktop App: Create Virtual Smart Card Key'.
smartCardId

${Card_VscId}Id of the virtual smart card, as created via 'Desktop App: Create Virtual Smart Card Key.
boxId

${boxId}The boxId that was created with 'Desktop App: Request PIN Reset on Virtual Smart Card'
response

${encryptedChallenge}The challenge received in the callback of 'Desktop App: Request PIN Reset on Virtual Smart Card' encrypted with the card manager key of this VSC using 'Credentials: Calculate Minidriver Offline Unblocking Response'.

Description

Use this task to complete a pin operation on a virtual smart card. Once the pin is changed by Smart ID Desktop App, Identity Manager will receive an event indicating success or failure of the operation.

As a prerequisite you must have encrypted the challenge received in the "Desktop App: Request PIN Reset on Virtual Smart Card" task, and, if the pin (or card manager key) is provided by the Identity Manager is has to be encrypted for secure transport using the "Desktop/Mobile App: Encrypt Secret for Transport" task. 

Configuration

To use this task, configure the following delegate expression in your service task:

${hermodScEndPinResetAction}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
messagingServer


The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.

messageName

endPinResetCallback

The name of the intermediate message catching event that will be triggered by Smart ID Messaging.
errorMessageField

ErrorMessageProcess variable to put the error message in case of failure.
errorTypeField

ErrorTypeProcess variable to put the error type in case of failure.
encryptedSecret


${encryptedSecret}Only required, if the secret (like card manager key or pin) in managed by Identity Manager. It is encrypted using the "Desktop/Mobile App: Encrypt Secret for Transport" task. If the secret is entered by the user into the app, this can be omitted.
boxId

${boxId}The boxId that was created with 'Desktop App: Request PIN Reset on Virtual Smart Card'.
response

${encryptedChallenge}The challenge received in the callback of 'Desktop App: Request PIN Reset on Virtual Smart Card', encrypted with the card manager key of this VSC using 'Credentials: Calculate Minidriver Offline Unblocking Response'.

Description

Use this task to retrieve profile and device information of virtual smart cards that are managed by Smart ID Desktop App.

You can request information of a virtual smart card or of a single virtual smart card profile.

The task will put a "commandId" value into a process variable which must be used for polling the response using "Desktop App: Poll meta data from client".

Configuration

To use this task, configure the following delegate expression in your service task:

${pxVscHermodPingRequestTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
messagingServer


The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.
errorMessageField

ErrorMessageProcess variable to put the error message in case of failure.
errorTypeField

ErrorTypeProcess variable to put the error type in case of failure.
profileId


${Card_ProfileId}If provided, restrict requested information to this profile. ProfileId values are created in the 'Desktop App: Create Virtual Smart Card Key' task.
plugoutUrl

 plugoutUrl

Process variable to put the plugout url.

userid


Valid values:

  • If profileid is set: provided userid 
  • Otherwise: any value

ID representing the user on the messaging server. If a profileId parameter is set, this must match the userid provided when the profile was requested. Otherwise any value will do.

deviceInfo

Valid values:

  • true (default)
  • false

Request device information.

profileInfo

Valid values:

  • true (default)
  • false

Request profile information.

commandId

commandIdProcess variable to put the commandId value, which is needed for polling in the "Desktop App: Poll meta data from client" task.

Description

Use this task to poll a ping response from Smart ID Messaging based upon the 'commandId' (which was created at the ping request to Smart ID Messaging).

Execute this task after a ping request to Smart ID Messaging. It polls the message from Smart ID Messaging, based upon the provided command id. After receiving the response from Smart ID Messaging it stores the profile and device Information into configured service task parameters. 

Configuration

To use this task, configure the following delegate expression in your service task:

${pxVscHermodPingResponsePollingTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
messagingServer


The name of the Smart ID Messaging configuration as defined in Identity Manager Admin. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Smart ID Messaging connection.
errorMessageField

ErrorMessageProcess variable to put the error message in case of failure.
errorTypeField

ErrorTypeProcess variable to put the error type in case of failure.
commandId

${commandId}CommandId which was received by the "Desktop App: Ping Virtual Smart card profile" task, needed for polling.
profileInfo

profileInfoProcess variable to put the profile information.
deviceInfo

deviceInfoProcess variable to put the device information.

Miscellaneous


Description

Use this task to send a new request to SPAR server and receive information about a person.

Prerequisites

The environment variables below must be set. If some of them are missing, there will be an error logged with the names of the missing variables (comma-separated list) and also a BPMN error with the names of the variables as the message.

Setting the com.nexus.prime.spar.SparEnvironmentVariables logger in log4j to DEBUG level will log all the variables and values when loaded. The variables will be loaded only the first time.

Environment variables
smartid_spar_url
smartid_spar_certificate_location
smartid_spar_certificate_pin
smartid_spar_truststore_location
smartid_spar_truststore_password

smartid_spar_iden_KundNrLeveransMottagare
smartid_spar_iden_KundNrSlutkund
smartid_spar_iden_UppdragId
smartid_spar_iden_SlutAnvandarId

Configuration

To use this task, configure the following delegate expression in your service task:

${sparPersonsokTask}

The name of the task in the Identity Manager Admin is "SPAR: get Person info from SPAR".

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
ssnFieldName

-

The name of the process variable where the SSN for the searched person is stored.
personFoundFieldName

Default value:

  • SPAR_PersonFound

The name of the result variable where to put info if person was found or not. 

resultsPrefix

Default value:

  • SPAR
The prefix for all the result variable names.
isVisibleNamn

Default value:

  • false
Boolean value. If true, the info from "namn" will be returned. See Result below for more info.
isVisiblePersondetaljer

Default value:

  • false
Boolean value. If true, the info from "persondetaljer" will be returned. See Result below for more info.
isVisibleFolkbokforing

Default value:

  • false
Boolean value. If true, the info from "folkbokforing" will be returned. See Result below for more info.
isVisibleUtlandsadress

Default value:

  • false
Boolean value. If true, the info from "utlandsadress" will be returned. See Result below for more info.

Result

The following variables may be returned to the process data. Please note that some variables may be missing even if the condition is affirmative, if there is no result from the server for them.

For understanding what each result represents, please see the SPAR documentation here: https://www.statenspersonadressregister.se/master/start/teknisk-info/xml-scheman/20211/aviseringpost/

In the table below, all the variables are set with the default prefix (SPAR) and default names (SPAR_PersonFound):

VariableConditionDescription
SPAR_PersonFoundalways

If the person was found or not. Boolean value.

If the SSN is invalid, instead of this result, a BMPN error will be thrown (SPAR_VALIDATION). See "BPMN errors" below.
SPAR_Namn_AviseringsnamnisVisibleNamn = true

String value.

For more information, see https://www.statenspersonadressregister.se/master/start/teknisk-info/xml-scheman/20211/namn/

SPAR_Namn_FornamnisVisibleNamn = true

String value.

For more information, see https://www.statenspersonadressregister.se/master/start/teknisk-info/xml-scheman/20211/namn/

SPAR_Namn_TilltalsnamnisVisibleNamn = true

Integer value.

For more information, see https://www.statenspersonadressregister.se/master/start/teknisk-info/xml-scheman/20211/namn/

SPAR_Namn_MellannamnisVisibleNamn = true

String value.

For more information, see https://www.statenspersonadressregister.se/master/start/teknisk-info/xml-scheman/20211/namn/

SPAR_Namn_EfternamnisVisibleNamn = true

String value.

For more information, see https://www.statenspersonadressregister.se/master/start/teknisk-info/xml-scheman/20211/namn/

SPAR_Persondetaljer_SekretessmarkeringisVisiblePersondetaljer = true

Boolean value (not "JA", "NEJ" as in the SOAP response)

For more information, see https://www.statenspersonadressregister.se/master/start/teknisk-info/xml-scheman/20211/persondetaljer/

SPAR_Persondetaljer_SekretessmarkeringSattAvSPARisVisiblePersondetaljer = true

Boolean value (not "JA", "NEJ"  as in the SOAP response)

For more information, see https://www.statenspersonadressregister.se/master/start/teknisk-info/xml-scheman/20211/persondetaljer/

SPAR_Persondetaljer_SkyddadFolkbokforingisVisiblePersondetaljer = true

Boolean value (not "JA", "NEJ"  as in the SOAP response)

For more information, see https://www.statenspersonadressregister.se/master/start/teknisk-info/xml-scheman/20211/persondetaljer/

SPAR_Persondetaljer_AvregistreringsorsakKodisVisiblePersondetaljer = true

String value.

If the person is deceased, this variable will tell by a special code.

For more information, see https://www.statenspersonadressregister.se/master/start/teknisk-info/xml-scheman/20211/persondetaljer/

SPAR_Persondetaljer_FodelsedatumisVisiblePersondetaljer = true

XMLGregorianCalendar value.

For more information, see https://www.statenspersonadressregister.se/master/start/teknisk-info/xml-scheman/20211/persondetaljer/

SPAR_Persondetaljer_FodelselanKodisVisiblePersondetaljer = true

String value.

For more information, see https://www.statenspersonadressregister.se/master/start/teknisk-info/xml-scheman/20211/persondetaljer/

SPAR_Persondetaljer_FodelseforsamlingisVisiblePersondetaljer = true

String value.

For more information, see https://www.statenspersonadressregister.se/master/start/teknisk-info/xml-scheman/20211/persondetaljer/

SPAR_Persondetaljer_KonisVisiblePersondetaljer = true

String value.

see documentation at https://www.statenspersonadressregister.se/master/start/teknisk-info/xml-scheman/20211/persondetaljer/

SPAR_Persondetaljer_SvenskMedborgareisVisiblePersondetaljer = true

Boolean value (not "JA", "NEJ"  as in the SOAP response)

For more information, see https://www.statenspersonadressregister.se/master/start/teknisk-info/xml-scheman/20211/persondetaljer/

SPAR_Folkbokforing_DatumFromisVisibleFolkbokforing = true

XMLGregorianCalendar value.

For more information, see https://www.statenspersonadressregister.se/master/start/teknisk-info/xml-scheman/20211/folkbokfoering/

SPAR_Folkbokforing_FolkbokfordLanKodisVisibleFolkbokforing = true

String value.

For more information, see https://www.statenspersonadressregister.se/master/start/teknisk-info/xml-scheman/20211/folkbokfoering/

SPAR_Folkbokforing_FolkbokfordKommunKodisVisibleFolkbokforing = true

String value.

For more information, see https://www.statenspersonadressregister.se/master/start/teknisk-info/xml-scheman/20211/folkbokfoering/

SPAR_Folkbokforing_Hemvist

isVisibleFolkbokforing = true

String value.

For more information, see https://www.statenspersonadressregister.se/master/start/teknisk-info/xml-scheman/20211/folkbokfoering/

SPAR_Folkbokforing_Folkbokforingsdatum

isVisibleFolkbokforing = true

XMLGregorianCalendar value.

For more information, see https://www.statenspersonadressregister.se/master/start/teknisk-info/xml-scheman/20211/folkbokfoering/

SPAR_Folkbokforing_DistriktKod

isVisibleFolkbokforing = true

String value.

For more information, see https://www.statenspersonadressregister.se/master/start/teknisk-info/xml-scheman/20211/folkbokfoering/

SPAR_Utlandsadress_Utdelningsadress1

isVisibleUtlandsadress = true

String value.

For more information, see https://www.statenspersonadressregister.se/master/start/teknisk-info/xml-scheman/20211/internationell-adress/

SPAR_Utlandsadress_Utdelningsadress2

isVisibleUtlandsadress = true

String value.

For more information, see https://www.statenspersonadressregister.se/master/start/teknisk-info/xml-scheman/20211/internationell-adress/

SPAR_Utlandsadress_Utdelningsadress3

isVisibleUtlandsadress = true

String value.

For more information, see https://www.statenspersonadressregister.se/master/start/teknisk-info/xml-scheman/20211/internationell-adress/

SPAR_Utlandsadress_Land

isVisibleUtlandsadress = true

String value.

For more information, see https://www.statenspersonadressregister.se/master/start/teknisk-info/xml-scheman/20211/internationell-adress/

BPMN errors

Error name/codeDescription
SPAR_VALIDATION

If there is a SOAP Fault with a validation error for the request sent. This means that either the SSN or some "iden" values (see the last four environment variables in "Prerequisites" above) are in the wrong format.

SPAR_CERTIFICATEIf the connection certificate file cannot be found, opened, or is invalid.
SPAR_TRUST_STOREIf the trust store cannot be found or opened.
SPAR_COMMUNICATIONIf there is any other communication issue while sending the request or there is any SOAP fault response other than validation.
SPAR_MISSING_CONFIG_VARIABLESIf any of the required environment variables (see "Prerequisites" above) is missing. The message of the error has the comma-separated list of the missing variables.

Description

Use this task to create a request for the IN Groupe connector and place it in the process map.

Configuration

To use this task, configure the following delegate expression in your service task: 

${createINGroupeRequestParameterizedTask}

 The following parameters can be configured in Identity Manager Admin: 

ParameterMandatoryValueDescription
CoreObjectListFieldName

Example value:

  • Card_CoreObjectDescriptorList
Name of the variable in the process map, which contains a list of CoreObjectDescriptors, that should be used to create the request.
OutputFieldName

Example value:

  • Output
Name of the variable in the process map, where the request xml should be output to.
ConfigurationFilePath

Example value:

  • C:\export_mapping.properties
Absolute file path of the configuration file, that should be used to create the request. The configuration file needs to be encoded in UTF-8, to ensure language specific characters are displayed correctly.

statusAfterExport

-

Example value:

  • ordered
Status that a card can take when the exporting was successfully done. 
statusOnError

-

Example value:

  • errorInProduction
Status that a card can take when the exporting was not successfully done. 
SchemaVersion

Example value:

  • 04 or 05
The Schema Version the file must be created as.

Configuration file 

The configuration file is needed for Identity Manager to know which tag of the IN Groupe request schema should be mapped with the corresponding value from the core object. Format the configuration file as a .properties file. 

To set the value of a tag, specify the type name of the parent tag and the tag you want to modify, for example:

Example: Set a value of a tag
BatchRequestType_globalSchema = DEMANDES_2.1.XSD

The value can also be a juel expression which is available in the process map. If the expression can not be resolved it will result in an empty string.

Expressions that are always available:

  • ${CurrentDate} that resolves to the current date in "yyyyddMMhhmm" format, and
  • ${NumberOfIteration} which is a number that starts at 1 and is increased each time a core object is processed.

To set the "reference" attribute that is needed for, for example, "PersoDataType", configure as follows: 

Example: Set reference attribute
CardType_PersoDataType|Numero_carte = 123456789

The part after the "|" symbol represents the reference value.

Description

Use this task to read all IN Groupe report files from a folder and update any cards found inside.

Configuration

To use this task, configure the following delegate expression in your service task: 

${importINGroupeReportsParameterizedTask}

 The following parameters can be configured in Identity Manager Admin: 

ParameterMandatoryValueDescription
InputFolder

Example value:

  • C:\Input
The folder which contains all the XML files.
ImportedFolder

Example value:

  • C:\Imported
The folder which stores already imported XML files.
ProblemFolder

Example value:

  • C:\Problem
The folder which contains XML files that could not be imported.

ConfigurationFilePath

Example value:

  • C:\import_mapping.properties
The absolute path to the mapping file.
UniqueFieldName

Example value:

  • Card_CardNumber
The name of the field by which each card can be identified.
StatusMappingFieldName

Example value:

  • StatusMapping

The name of the field that references a map, containing all the available mappings between a request status and a card status.

Note: The card status values must be present in the state graph, and the transitions from one state to another must be valid.

ImportFilesRegexPattern

-

Default value:

  • ((DR_)|(CR_))\w{3}\d{10}\d{14}(?:_R)\.xml

The regular expression for importing files.

DescriptorsListOfModifiedObjects

-

Default value:

  • DescriptorsListOfModifiedObjects

The name of the list in the process map that contains the modified objects after task execution.
When empty, no list will be provided.

Configuration file 

The configuration file is needed for Identity Manager to know, which field of the IN Groupe report schema should be mapped with the corresponding value from the core object. The configuration file has to be formatted as a .properties file. 

To set the value of a tag, you specify the type name of the parent tag and the tag you want to modify (EntRecTypeReport_unRef in the example below). And, on the right side of the equals we have the datapool and the field where the value needs to be written (Card_UniqueReference in the example below).

Example: Set a value of a tag
EntRecTypeReport_unRef = Card_UniqueReference

In the import mapping you also have constructs referring to complex objects from a list.  To set the "reference" attribute that is needed for, for example, "InfoType", configure as follows: 

Example: Set reference attribute
InfoType|Serial_Number_CT = Card_CardNumber

The left part of the "|" symbol shows the "InfoType" tag, which is a list containing some complex objects. The right part of the "|" symbol identifies which complex objects you will take the value from, for example "Serial_Number_CT". The value will then be added to the "CardNumber" field of the Card datapool.

Description

Use this task to create an .ics file and store it in the data map.  

Configuration

To use this task, configure the following delegate expression in your service task: 

${createIcsFileParametrizedTask}

The following parameters can be configured in Identity Manager Admin: 

ParameterMandatory

Value

Description
subject


The subject of the event.
location


The location of the event.
startTime


The start time of the event.
endTime


The end time of the event.
targetField-

Example value:

  • ics_calendar
Specified where the .ics file shall be stored in the data map.
allDayEvent-

Valid values:

  • true
  • false (default)
If set to "true" the event will be shown as an allDay event.
content


Defines the content of the event.

See following example as a reference:


Description

Use this task to create a pdf and store it in the datamap. The pdf will be generated from a Jasper Reports template.

Configuration

To use this task, configure the following delegate expression in your service task:

${generatePdfParametrizedTask}

 The following parameters can be configured in Identity Manager Admin: 

ParameterMandatoryValueDescription
reportName


The name of the Jasper Report. Must be available in Identity Manager Admin.

It can also be a JUEL Expression (for example, ${myDatapool_myReportNameField}. In this way, the template names from the process map are used dynamically.

fieldName


The datamap field to which the pdf will be stored (as a byte[]).

Description 

Use this task to take a valid URL from the datamap and generate a QR code from it. 

Configuration

To use this task, configure the following delegate expression in your service task:

${generateQRCodeTask}

 The following parameters can be configured in Identity Manager Admin: 

ParameterMandatoryValueDescription

QRCodeLinkField

Example value:

  • Person_Homepage
Describes the data map field in which the link is stored to create a QR code from.

QRCodeOutputField

Example value:

  • output
The name of the output field to which the QR code ("jpg", byte[]) will be stored.

Description

Use this task to export a binary file from the datamap into a file location on the hard drive (Server side).

Configuration

To use this task, configure the following delegate expression in your service task: 

${exportBinaryParametrizedTask}

The following parameters can be configured in Identity Manager Admin: 

ParameterMandatoryValueDescription
exportFilePath

Example value:

  • C:/TEMP
Defines the folder into which the binary file shall be exported.
exportFileName

Example value:

  • ${Person_FirstName}_${Person_LastName}.txt
Defines the name of the exported binary. 
exportDataMapTargetField

Example value:

  • Person_Signature
Defines the datamap field from which the action should export the binary file.

Description

Use this task to export an image from the datamap into a file location on the hard drive (Server side). The file extension will be automatically set depending on the image format.

Configuration

To use this task, configure the following delegate expression in your service task: 

${exportImageJavaDelegate}

The following parameters can be configured in Identity Manager Admin: 

ParameterMandatoryValueDescription
exportFilePath

Example value:

  • C:/TEMP
Defines the folder into which the image shall be exported.
exportFileBaseName

Example value:

  • ${Person_FirstName}_${Person_LastName}
Defines the base of the exported image. The export will append a time stamp so that it will result in, for example: John_Doe_2019-11-20_10-52-19.jpg
exportDataMapTargetField

Example value:

  • Person_Photo
Defines the datamap field from which the action should export the image.

Description

Use this task to define a ParametrizedAction which is capable of downsizing pictures inside of a Process.

Configuration

To use this task, configure the following delegate expression in your service task:

${resizeImageJavaDelegate}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryDefault valueDescription
dataPoolSourceField


The datapool field in which the source image is stored.
dataPoolTargetField


The datapool field in which the target image shall be stored.
imageWidthInPx


The desired image width of the target image in px.
imageHeightInPx


The desired image height of the target image in px.
maxBinarySizeInKB-

Defines the maximum size the output file shall be. When the resize doesn't lead to the desired size, the action will perform a quality shrink (defined by spring parameter "qualityStep") as long as the size matches the size given by this parameter.

keepRatio

Valid values:

  • true (default)
  • false

Boolean flag which indicates weather the aspect ratio of the image should be kept or not.

  • If set to true and the picture is in landscape format the dimensions are: (width = imageWithInPx | height = smaller than imageHeightInPx)
  • If set to true and the picture is in portrait format the dimensions are: (width = smaller than imageWidthInPx | height = imageHeightInPx)
qualityDescreaseStep-0.05Indicates the quality decrease step when trying to minimize the quality to reach the desired maxBinarySizeInKB.


This is a flowchart of the task:

Description

Use this task to import all rows from a CSV file as core objects.

The following must apply:

  • The file must exist in the data map as byte array.
    • To achieve this, upload a CSV file in a prior user task.
    • As form field, use either a data pool field with data type "Binary Data" or a "Variable Binary Field". The "Binary Data Definition" should be "CSV" in both cases.

Whenever there is a problem with the import, no objects will be imported at all. An exception will be thrown with a message identifying the row or even the cell that caused the problem. This message will be logged, too.

Configuration

To use this task, configure the following delegate expression in your service task:

${importIdentitiesFromCSVTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
csvField

Valid values::

  • Binary Field
  • Variable Binary Field
The field which contains the CSV file as byte array. You can use a Binary Field or a Variable Binary Field.
targetCoreTemplateName


The core template name which should be used for the new core objects. This should be based on a DAO based Datapool.

commaSeparatedListOfUniqueIdentifiers


Comma separated list of the fields which identify one unique core object.
maxNumberOfEntriesInCSV

This can be used to limit the number of core objects. If it's set and there are more entries in the CSV, an Exception will be thrown.

createdCoreObjectDescriptorListVarName

When used, the variable with the configured name will contain a list of CoreObjectDescriptors after the execution. The list describes the core objects that had been newly created by the action. Thus it's possible to perform subsequent operations on those core objects later in the process.
updatedCoreObjectDescriptorListVarName

Same as for createdCoreObjectDescriptorListVarName except that the list will contain the modified core objects.

When you configure the same name as for createdCoreObjectDescriptorListVarName the resulting list will contain descriptors for both types of core objects: newly created as well as modified.

mapping

Specifying a mapping provides manifold possibilities to configure the content of the CSV file. Without a mapping the following restrictions apply:

  • The CSV file must contain a header line.
  • The column headers must be literally equal to the datapool field names of the datapool of the target core template.
  • The delimiter must be a comma.

  • The format for dates must be dd-mm-yyyy.

  • The format for time values must be hh:mm:ss.
  • The format for datetime values must be dd-mm-yyyy-hh-mm-ss.

Also consider this:

  • When providing a mapping, its source data pool describes the CSV file while it's target data pool must be the datapool of the target core template.
  • The source data pool must have a data source of type "CSV File".
  • At the data source of the source data pool you can configure, whether the CSV file contains a header row or not.
  • At the data source of the source data pool you can configure the delimiter character used in the CSV file.
  • You may leave the data source's file name empty.
  • The data pool fields of the source data pool must match the columns of the CSV file in the correct order. All fields must be of type "Text". The field names can be chosen arbitrary.
  • The field mappings of the mapping define which columns of the CSV file are imported. You may omit fields of the source data pool. All fields of the target data pool that are contained in the commaSeparatedListOfUniqueIdentifiers must be mapped.
  • If the CSV file contains columns that are mapped to data fields of the target data pool of type date, time or datetime, you must configure the format with the field mapping.
  • See here for information about creating a new or editing an existing data pool.
  • See here for information about creating a new or editing an existing mapping.
errorMessageField
ErrorMessageIf this field is provided and an error occurs, a message containing the cause is not only logged but additionally put into the variable with the specified name.

If you need to use this service task, please contact Nexus.

Description

Use this task to validate the uploaded photos. This task is compatible with FaceVACS-SDK 9.4.0.

Follow these steps:

  1. Install FaceVACS-SDK 9.4.0 on server.
  2. Import the valid license to sdk, see FaceVACS documentation.
  3. Copy the frsdkjava-9.4.0.jar in %TOMCATE_DIR%/lib. Normally the jar file is located in %FVSDK_9_4_0_DIR%/lib/x86_64/msc_14.1-sse4_crtdll/.
  4. The native library jfrsdkjni-9.4.0.dll has to be setup in TOMCAT. For example, set the CATALINA_OPTS in catalina.bat:
    • SET CATALINA_OPTS=-Djava.library.path="C:\FVSDK_9_4_0\lib\x86_64\msc_14.1-sse4_crtdll;C:/FVSDK_9_4_0/lib/x86_64/share"

Configuration

To use this task, configure the following delegate expression in your service task:

${cognitecFaceVACSValidationParametrizedTask}

The FRSDK configuration file have to be configured in the faceVACSObjectsCreater bean (needed at runtime). This file can be located in "%INSTALLDIR%/etc/frsdk.cfg".

Example
<bean id="cognitecFaceVACSValidationParametrizedAction" class="de.vps.act.action.photo.validation.CognitecFaceVACSValidationParametrizedAction">
    <property name="faceVACSChecker">
        <bean class="de.vps.act.action.photo.validation.FaceVACSChecker">
            <property name="faceVACSObjectsCreator" ref="faceVACSObjectsCreator" />
        </bean>
    </property>
</bean>
 
<bean id="faceVACSObjectsCreator" class="de.vps.act.action.photo.validation.FaceVACSObjectsCreator">
    <constructor-arg value="C:/FVSDK_9_4_0/etc/frsdk.cfg" />
</bean>

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
outputFieldName


On which variable the result of checking will be available in data map.
photoFieldName


Photo field name in data map.
checkColor-

Valid values:

  • true
  • false
Returns true if the portrait characteristics are based on color and false if they are based on Gray scale (intensity) image.
checkNaturalSkinColour-

Valid values:

  • true
  • false
Natural colours in face region. Returns true if the face region has natural colors, otherwise false.
checkFrontal-

Valid values:

  • true
  • false
The face is considered frontal if the rotation of the head is less than +/-5 degrees from frontal for yaw and pitch and if roll angle of head is less then +/-8 degrees.
checkEyesOpen-

Valid values:

  • true
  • false
Returns true if both eyes of the person are open.
checkEyesGazeFrontal-

Valid values:

  • true
  • false
Returns true if the person’s eyes are looking frontal to the camera.
checkEyesNotRed-

Valid values:

  • true
  • false
Returns true if both eyes pupils are not detected as red.
checkNoTintedGlasses-

Valid values:

  • true
  • false
According to ISO 19794-5:2005 section 7.2.11 and best recommendations glasses should not be tinted.
checkSharp-

Valid values:

  • true
  • false
Returns true if the face area (from chin to crown and from left to right ear) fits the focus and depth in field characteristics(see ISO 19794-5:2005 section 7.3.3).
checkMouthClosed-

Valid values:

  • true
  • false
Returns true if mouth is closed according to ISO 19794-5:2005 section 7.2.3 and appendix A 2.2.1

Important!

Applicable for Smart ID 23.10.2 and higher: The HTTP Client Task replaces the Rest Call Service Task. For more information, see Set up Http Clients in Identity Manager.

Description

Use this task to call a rest endpoint from a BPMN process in Identity Manager, for example, to push certificate, card or user data to a REST end point of a third party system. This service task will always send a POST request.

The service task will compile the resolved data into an XML, similar to the format used in the REST Process API:

<data>
   <field name="myField01">value01</field>
   <field name="myCertificate01">Base64EncodedBinary01</field>
</data>

Only the extra parameters of the service task will be added to the request body (see the table below). You need to add the fields you want to export as parameters by clicking the + button next to the service task and adding the parameters with values.

The password field will be hidden with dots in Identity Manager Admin.

  • If the password is entered in plain text, then it will be encrypted when saving the service task and decrypted at runtime using the generated UUID as a reference, due to security reasons.
  • If the password is entered as a JUEL expression, then it will be stored as it is and resolved at runtime.

Configuration

To use this task, configure the following delegate expression in your service task: 

${restCallTask}

The following parameters can be configured in Identity Manager Admin: 

ParameterMandatoryValueDescription

Url

Any String or JUEL expression

The URL endpoint where the data will be sent.

username

Any String or JUEL expression

The username for the HttpBasicAuth.

password

Any String or JUEL expression

This will be a secret field containing the password for the HttpBasicAuth.

myfield01

 

Any String or JUEL expression

This parameter is added as shown in the example above and will be added to the request body.

myCertificate01

 

Any String or JUEL expression

This parameter is added as shown in the example above and will be added to the request body.

includeHttpResponseBodyInProcessMap

 

Valid values:

  • true
  • false (default)

If the value is set to true, this parameter defines if the HTTP response body should be added to the process map. 

The parameter is only added if the HTTP status is successful (200).

httpResponseBodyVariableName

 

Example value:

  • httpResponseBody

This parameter is added if the parameter includeHttpResponseBodyInProcessMap is set to true. It defines the name of the variable to use in the process map and it must be provided as a string. 

You can use the HTTP response body afterwards in a script task using the variable name that you defined.

Task parameters with null values are not allowed.


Accepted status codes

These are the accepted status codes and reactions:

Status codeReaction
200Success
300No exception and no reaction inside code
400Throws Htppclientexception
500Throws BPMNError

202 and 204 are not recognized as success and cause an exception.

Description

Use this task to generate a random GUID and store it in the data pool.

Configuration

To use this task, configure the following delegate expression in your service task: 

${generateGUIDForEntityParameterizedTask}

The following parameters can be configured in Identity Manager Admin: 

ParameterMandatoryValueDescription
GuidDataPoolField

Example value:

  • Card_Guid
Which data pool field to store the GUID in.

Troubleshooting 

For more information, see the following links: