ActivID CMS User Portal Services

This section lists all ActivID CMS User Portal services. Which services you can use depends on the state of the device, on how ActivID CMS is configured, and on whether you access the ActivID CMS User Portal directly via a URL (web address) or have been redirected to it by ActivID ActivClient.

ActivID CMS User Portal for Card Auto-Update

The ActivID CMS User Portal for Card Auto-Update is a subset of the ActivID CMS User Portal functions. This second portal executes pending card update requests that are logged for an inserted card and detected by ActivID ActivClient.

ActivID CMS User Portal for Card Auto-Update supports the same environments as the ActivID CMS User Portal and shares the ActivID CMS User Portal configuration present in ActivID CMS. Users reach this portal only by being redirected there by ActivID ActivClient; they do not access it via a URL, as they would when using the standard ActivID CMS User Portal.

  • When ActivID ActivClient is configured to enable card auto-update, and when a pending card update request is logged for the inserted card, a notification is displayed to the user.

  • When a user clicks Install these updates, the user is redirected to the ActivID CMS User Portal and will be asked to authenticate.

Use the ActivID CMS User Portal for Card Auto-Update to:

  • Self-issue a card (that is, to personalize the smart card with user information and credentials),

  • Get updates for a card, and

  • Unlock a card (when too many consecutive incorrect PINs have been entered).

    Note: These services are only available for credentials supported by both ActivID CMS and ActivID ActivClient.

Standard ActivID CMS User Portal Services

When users have direct access to the ActivID CMS User Portal, they have a few more functions available than when they are redirected to the portal by ActivID ActivClient. When redirected by ActivID ActivClient, they cannot perform the following operations:

  • Device incident notification (report a new one or cancel a previous one),

  • Change of PIN,

  • Change of security question answers,

  • Download escrowed certificates,

  • Reset a forgotten PIN, and

  • Issue credentials (mobile app certificates) for a mobile device.

For all other standard features, the Card Auto-Update portal functionality is identical to that provided by the ActivID CMS User Portal, as listed in the following table. For information on how to configure ActivID ActivClient, refer to the ActivID ActivClient documentation.

ActivID CMS User Portal Services

The following table lists, for each device state and ActivID CMS User Portal configuration (first column), the services provided by the ActivID CMS User Portal (second column). The footnotes (*, **, ***) follow the table.

Device has not been bound and has not been issued

  Device state and configuration: A blank device is inserted (for example, into a card reader or USB port), but device binding has not been authorized for the user.
  Services provided: Not available (an error message appears).

  Device state and configuration: A blank device is inserted (for example, into a card reader or USB port), and device binding has been authorized for the user. The authentication method is the LDAP (Lightweight Directory Access Protocol) password.
  Services provided: The User Portal binds the device to the user and executes a Device Issuance request or a Device Replacement request.

Device is bound, but device has not been issued

  Device state and configuration: A blank device is inserted (for example, into a card reader or USB port). The configurable authentication methods are initial password, LDAP password, and security questions.
  Services provided: The User Portal executes a Device Issuance request or a Device Replacement request.

Device is operational (bound and issued), but device is locked

  Device state and configuration: A locked device is inserted (for example, into a card reader or USB port). An ActivID CMS administrator can configure the ActivID CMS User Portal to allow the unlock process as self-online only, Help-desk-assisted online only, or both. The configurable authentication methods are LDAP password, security questions, and emergency password (Help-desk-assisted online mode only). The emergency password temporarily replaces a one-time password (OTP) when a user has forgotten or lost his or her device.
  Services provided: The User Portal executes a Device Unlock request. When a Device Update request is also pending, the Unlock request is executed first; you do not have to delete the pending Device Update request manually.

Device is operational (bound and issued), and device user wants to reset a forgotten PIN

  Device state and configuration: The device is inserted (for example, into a card reader or USB port). An ActivID CMS administrator can configure the ActivID CMS User Portal to allow the PIN reset as self-online only, Help-desk-assisted online only, or both. The configurable authentication methods are LDAP password, security questions, and emergency password (Help-desk-assisted online mode only).
  Services provided: The User Portal executes a Device Reset PIN request. The user can change the PIN even if the device is not locked.

Device is operational (bound and issued), but no device is inserted (for example, into a card reader or USB port)

  Device state and configuration: The configurable authentication methods are LDAP password and security questions.
  Services provided: The User Portal prompts the user to report a Device Incident (device was lost, stolen, or damaged). When the Device Incident report functionality is not configured, this service is not available.
  Note: Reporting a lost device and/or requesting a replacement device can only be performed on a computer where there are no virtual smart cards.

Device is operational (bound, issued, not in a FORGOTTEN, LOST, STOLEN or DAMAGED state), and FIPS 196-based authentication is available*

  Device state and configuration: The device is inserted (for example, into a card reader or USB port). The authentication method is the device PIN. Applications Update, Device Re-issuance and security answer changes are protected by FIPS 196 (Federal Information Processing Standard 196) authentication.
  Services provided: The User Portal executes any pending Device Update requests and any pending Device Re-issuance requests. Users can also change the PIN code and the answers to their security questions. Users can issue mobile credentials (mobile app certificates) or get updates for an existing mobile device.

Device is operational (bound, issued, not in a FORGOTTEN, LOST, STOLEN or DAMAGED state), and FIPS 196-based authentication is NOT available**

  Device state and configuration: The device is inserted (for example, into a card reader or USB port). The authentication method is the device PIN. Applications Update is protected by a GlobalPlatform Secure Channel.
  Services provided: The User Portal executes any pending Device Update requests. The user can also change the PIN code.

Device is operational (bound and issued), and device user wants to download escrowed certificates***

  Device state and configuration: The device is inserted (for example, into a card reader or USB port). The authentication method is the device PIN.
  Services provided: The user can download escrowed certificates.

* FIPS 196 authentication is available if the device holds at least one active digital certificate, managed by ActivID CMS, whose Public Key Infrastructure (PKI) key pair is protected by the PIN. The certificate's Key Usage extension must have the Digital Signature bit set to true and the Non Repudiation bit set to false.

** When FIPS 196 authentication is not available, the ActivID CMS User Portal does not support the following services: Device Re-issuance requests, changes to security question answers, and issuance and update of mobile app certificates. In these cases, ActivID CMS either disables the corresponding functionality or displays an error message.

*** Only supported for Microsoft CA and OpenTrust PKI certificates.
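The following Go program is an added example and is not part of the ActivID CMS documentation or product code. It shows the two things the first footnote relies on: the certificate eligibility test (active, Key Usage with Digital Signature set and Non Repudiation clear) and a challenge-response exchange in the style of FIPS 196 unilateral entity authentication, in which the portal issues a random challenge, the card signs it with the PIN-protected private key, and the portal verifies the signature against the certificate. The self-signed ECDSA P-256 test certificate, the 32-byte challenge, and the function names (fips196Eligible, makeTestCert, newChallenge, signChallenge, verifyResponse) are assumptions made for this example; the actual FIPS 196 token formats and the ActivID CMS implementation are not reproduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// fips196Eligible applies the footnote's rule: the certificate must be active
// (inside its validity period) and its Key Usage must have digitalSignature
// set and nonRepudiation (KeyUsageContentCommitment in Go's naming) clear.
func fips196Eligible(cert *x509.Certificate, now time.Time) error {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate is not active")
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("key usage does not include digitalSignature")
	}
	if cert.KeyUsage&x509.KeyUsageContentCommitment != 0 {
		return errors.New("key usage includes nonRepudiation")
	}
	return nil
}

// makeTestCert builds a self-signed ECDSA P-256 certificate with the given
// Key Usage and validity: constructed test data, not a CMS-issued credential.
func makeTestCert(usage x509.KeyUsage, notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "test user"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     usage,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newChallenge is the portal side: a fresh random nonce per authentication,
// so a captured response cannot be replayed later.
func newChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signChallenge is the card side. On a real device the signature is computed
// on-card by the PIN-protected private key; here the key is held in memory.
func signChallenge(key *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// verifyResponse is the portal side: confirm the certificate qualifies, then
// check the signature over the challenge with the certificate's public key.
func verifyResponse(cert *x509.Certificate, challenge, sig []byte, now time.Time) error {
	if err := fips196Eligible(cert, now); err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("certificate public key is not ECDSA")
	}
	h := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not verify against the certificate")
	}
	return nil
}

func main() {
	now := time.Now()
	cert, key, err := makeTestCert(x509.KeyUsageDigitalSignature, now.Add(-time.Hour), now.Add(time.Hour))
	if err != nil {
		panic(err)
	}
	challenge, _ := newChallenge()
	sig, _ := signChallenge(key, challenge)
	fmt.Println("eligible:", fips196Eligible(cert, now) == nil)
	fmt.Println("response verifies:", verifyResponse(cert, challenge, sig, now) == nil)
}
```

Run it with go run. The Non Repudiation check is the part worth noticing: a key whose certificate asserts non-repudiation is meant to sign only content the user deliberately commits to, so a portal that made such a key sign arbitrary random challenges would be able to collect user signatures over attacker-chosen data. Excluding those certificates from authentication, as the footnote does, keeps authentication signatures and non-repudiation signatures on separate keys.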