Concepts

A request to provision content into a device. Content includes credentials and any data specified by the device policy. The request is linked to:
- A target Device, onto which the credentials are to be provisioned.
- A Wallet, for which the credentials are to be provisioned.

A generic term for a piece of information, certified by an authority, that is used to authenticate an individual or a machine. Credentials are trusted pieces of data that attest to the identification or authentication of users (or other trusted identities). Credentials are classified according to the mechanisms by which they are consumed, by applications, and by the types of services they enable.
Typical credentials managed by ActivID CMS are cryptographic key pairs and their associated certificates, and OATH (Open Authentication) keys used to generate OTPs.

A hardware or software device capable of serving as a storage and execution platform for embedded applications, credentials, and their services (for example, smart cards, One-Time Password (OTP) tokens, USB keys such as Crescendo Keys, and Trusted Platform Modules (TPMs)).
This is the exact equivalent of the “Security Module” in the CCM (Card and Credential Management) API.

A Device Flow represents the complete personalization process of a device. It may include the content delivery initiated by the creation of a content request, but it also includes steps before and after that content delivery, like the collection of data or the device layout definition and printing.

Device policies enable organizations to enforce uniform applications and device policies on a per-user-group basis. A device policy defines the information used to personalize applications on a device during device issuance or a device update.

A group represents a population of users for whom you want to manage devices. User groups are defined as LDAP queries.

Synchronization is the operation in which a physical device is updated; this is the final step of the device issuance performed by ActivID CMS. The ActivID CMS Client drives the synchronization by opening a secure connection to the ActivID CMS server. A web front-end application can communicate with the ActivID CMS Client through the Chrome extension.
When synchronization is performed, the device is updated according to the actions queued for that device: for instance, a ContentRequest previously submitted to ActivID CMS, or a recycling action (in the case of a Device status update). For example, certificates may be loaded, key pairs may be generated and loaded, or data may be removed.

In ActivID CMS, a User instance represents an actual user of the organization. Each user is identified by a unique identifier. This identifier is an LDAP (Lightweight Directory Access Protocol) attribute which has been defined in ActivID CMS as the unique user identifier attribute (for example, the identifier might be the sAMAccountName or UID).

In ActivID CMS, a Wallet instance is a set of Devices and Credentials assigned to a User.