Page tree
Skip to end of metadata
Go to start of metadata

Nexus Smart ID Physical ID is a solution used for centralized identity and credential management. The module includes best practices use cases to personalize, issue and manage cards with visual ID and RFID during the full lifecycle. The solution ensures transparency and traceability in enabling qualitative permanent or temporary corporate ID cards for employees and consultants. The solution consists of administration tools, self-service, and delegated approval routines.

Features 


Features

Physical ID

Use cases
Identity management

Card management


Visual ID personalization


RFID encoding

Deliverables
Setup of one production system and one non-production system for test, training, and support. Each system contains the following software.

Installation and configuration of the Nexus Smart ID manager (PRIME) including:

  • PRIME Designer
  • PRIME Explorer
  • User Self-Service Portal

Nexus PRIME Card Production client via Nexus Card SDK

Integrations
Integration with one AD or HR system through standard PRIME connectors

One Nexus PRIME PACS connector.

For a description of the connector types and supported PACS systems, see PRIME requirements and interoperability.


Basic PACS connector

For an overview of connected systems and managing roles, see Smart ID manager overview

For information on the standard card layouts and technology, see Physical ID Card layouts and technology


Expand/Collapse All

Other features

 Branding

Basic branding is included in the Physical ID module, by displaying the customer logotype in PRIME Explorer and User Self-Service Portal.

 Email templates

Nexus provides basic templates for the email notifications included in the common use cases, for example when a card has been activated or is about to expire.

During the implementation project, Nexus consultants or partners adapt the email templates for the customer needs. When the Physical ID module is up and running, email templates can be updated by a user that has the Super user role. For more information, see Set up email template.

The following email templates are included: 

  • Activate employee card
  • Deactivate employee card
  • Employee card expires
  • Employee card has been locked
  • Produce employee card
  • Send certificate reminder
  • Send P12 to employee
 Reports

The following standard reports are included in the Smart ID solution: 

  • All employee cards
  • All external cards
  • All system users with connected roles
  • Locked cards with reason for locking
  • All active Personal Mobile users
  • All users that have Personal Mobile enabled but have not yet activated it

The reports are created using searches in PRIME Explorer. 
 Language support

Supported languages are listed in PRIME requirements and interoperability.

 Nexus User Self-Service Portal

As part of the Smart ID solution, the customer can choose to include the PRIME User Self-Service Portal (USSP). The available self-service tasks in the USSP can help minimizing administrative work.

The following self-service tasks are available in the User Self-Service Portal:

  • Activate Personal Mobile
  • Lock card
  • Change PKI PIN
  • Change PACS PIN
  • Renew card
  • Request replacement card
  • Unblock PIN
  • Upload photo

Installation requirements

 Installation requirements on server

The following installation requirements apply to the server in the Smart ID solution:  

  • Windows Server 2012 or later with 2 CPU and 12 Gb Ram and 20 Gb HD for the application and logs. (Extra disk)
  • SQL Server 2014 or later installed with TCP port 1433 enabled. The Standard edition is recommended. The Express edition is also supported but has limited storage capacity. For more information, see https://www.microsoft.com/en-sa/sql-server/sql-server-2017-editions.

  • SQL Management Studio installed
  • IIS Role installed on the server
  • Port 443, 8443 and 8080 opened in Local firewall on server
  • The above ports opened from the Admin client, card production client and enduser client. (It can also be the same computer)
  • Port 389/636 opened from PRIME server to a domain controller
  • To enable PACS integration, the PACS MIFARE number must be available as raw data (not encrypted, truncated, or similar).  

Requirements on Active Directory setup:

  • A Service account in AD who is a Domain User
  • Active Directory Tools installed on PRIME Server
  • The OU where PRIME shall get all needed users (example,  OU=Employee, DC=example, DC=com).PACS-specific user service account for PACS connector communication.

Requirements for ADCS setup:

  • All the CA certificates that are needed on file on Prime server (ex, ca1.cer, ca2.crt).
  • Two certificate templates for Smartcard created in ADCS, one for Smart Card Authentication and one for Digital signature is going to be created in the ADCS, we do this together with the customer
  • An SSL certificate with both certificate and key (pfx,p12) for PRIME saved on PRIME server, with Common Name and SAN name like prime.shb.se or similar.
  • An SSL certificate with both certificate and key (pfx,p12) for PRIME ADCS Connector saved on PRIME server, with Common Name and SAN name like primeinternal.shb.se or similar. This is only going to be used internally on PRIME Server.
  • A Certificate with both certificate and key (pfx,p12) for PRIME to use when authenticate from PRIME to the ADCS Connector, the certificate needs to have Client Authentication as Extended Key Usage.
  • RSASSA-PSS must not be used as the signature algorithm. This can be verified in a certificate, by checking the signature algorithm. SHA256 is the preferred signature algorithm, and SHA1 is also supported. 
 Installation requirements on client

The following installation requirements apply to the client in the Smart ID solution: 

  • Java 8 121 32 bit or later installed on Admin Client, Card Production client and end user client.

Workflow options

 Additional workflows

Additional workflows that are included in the price for the Smart ID solution:

  • PACS-adapted workflows, depending on what PACS system is used
  • More workflows for handling photos, for example upload the photo to AD
  • Workflows to manage additional certificates on card for IT administrators
  • Workflows to register and issue local SITHS cards (Swedish: tjänstekort)
  • User Self-Service Portal (USSP) workflows, see separate section above
  • Export card number to AD for using other applications, such as canteen, follow-me print, library
  • Signature pad workflows. The workflows are included in the solution, but the signature pad is an add-on, see Add-ons to the Smart ID solution.

These additional workflows must be specified during the implementation project, and will be implemented by Nexus consultants or partners.

 Options in standard workflows

These choices are available in the standard workflows:

  • PIN letter or email for distributing PIN codes
  • Approval step in card production or not
  • Self-service tasks available for users, if the User Self-Service Portal is used
  • How to connect a personal photo for card production: upload, capture, or import photo from Nexus Service Station (if the Nexus Service Station is used, see Add-ons to the Smart ID solution)
  • Manual or automatic workflow to inactivate or reactivate persons
  • Automatically activate and deactivate cards for activated and inactivated persons
  • Automatically produce cards for new employees
  • Let person sign on a signature pad when picking up a card (if a signature pad is used, see Add-ons to the Smart ID solution)
  • Automatically renew cards for active persons

These options must be specified during the implementation project, and will be implemented by Nexus consultants or partners.

 Nexus Service Station workflows

Optionally, Nexus Service Station can be used to collect employee photos. There are standard workflows for that purpose, that are included in the solution.

The Service Station hardware is an add-on, see Add-ons to the Smart ID solution.