Customizing HID DigitalPersona Enrollment
Enabling and Disabling the Approval Workflow
The approval workflow for credential enrollment is disabled by default. This means that enrolled DigitalPersona credentials used to authenticate to third-party applications require no specific approval before they can be used for authentication.
Enable the Approval Workflow
- Open the AppSettings.config file located on the WMC Server at C:\Program Files\DigitalPersona\Web Management Components\DP Web Admin\DPAdminUI\
- Set the approvalWorkflow key value to true and save the file.
- Create a new user on the DigitalPersona Server and enroll at least one credential.
- Log on to the Web Administration Console as a Domain Admin user and confirm that the newly created user is listed when filtering for Non-approved users.
Disable the Approval Workflow
- Open the AppSettings.config file located on the WMC Server at C:\Program Files\DigitalPersona\Web Management Components\DP Web Admin\DPAdminUI\
- Set the approvalWorkflow key value to false and save the file.
- Create a new user on the DigitalPersona Server and enroll at least one credential.
- Log on to the Web Administration Console as a Domain Admin user and confirm that the Non-approved users filter is not available from the drop-down menu.
Fingerprint Enrollment Approval Workflow
In addition to the existing approval of a user's enrollment by an approver, administrators may also require the approver to verify the user's enrolled fingerprints in person before the enrollment is finalized.
Once configured, the approval process is as follows:
- The approver launches the DigitalPersona Administration Console.
- The approver logs in (authenticates).
- The approver selects a user and clicks Show details, then clicks the Approve enrollment button.
- A window displays showing a list of the user's enrolled fingerprints. The window has an Approve button, which is initially disabled.
- The user verifies their enrolled fingerprints by scanning them on the fingerprint reader in the presence of the approver.
- As each fingerprint is scanned and successfully matched, a green checkmark appears on the screen over that fingerprint.
- Once the required number of fingerprints have been matched, the Approve button is enabled.
- The approver presses the Approve button and the user is approved. The result of the user approval is the same as in previous versions. The only difference between the previous approach and the new one is that, for fingerprints to be approved, the user needs to scan the required number of fingerprints in front of the approver and have the approver finalize the enrollment.
If the user has fewer enrolled fingerprints than required by the authentication policy in effect, a warning message is shown and approval is not possible.
- Enable the fingerprint enrollment approval feature:
This additional feature is enabled by adding the following value to the DPAdminUI/AppSettings.config file:
<add key="approvalWorkflowFp" value="true" />
Important: Make sure the Fp at the end of the key name is present. This value is separate from the previous key, approvalWorkflow, which is ignored when the new approvalWorkflowFp value is set to true.
If the new key is present but not set to true, the approvalWorkflow key is used.
- Define the number of fingerprints to match:
If the GPO setting MinNumberOfFingerprints is set, then verification and approval of the specified number of fingerprints is required.
However, that setting can be overridden by adding the following key to the DPAdminUI/AppSettings.config file:
<add key="approvalWorkflowNumFp" value="6"/>
The minimum and maximum values for this key are 2 and 10.
- If the value is set to less than 1, then the minimum number (2) is used.
- If the value is set to more than 10, then the maximum number (10) is used.
- If the key is present but no value is set, then the minimum number (2) is used.
Sample configuration file with new keys
<?xml version="1.0"?>
<appSettings>
<add key="userCount" value="50" />
<add key="approvalWorkflow" value="false" />
<add key="approvalWorkflowFp" value="true" />
<add key="approvalWorkflowNumFp" value="3" />
<add key="wsFederationMetadataAddress" value="https://websts.igorm.testdomain.com/dppassivests/wsfed/metadata" />
<add key="wsFederationWtrealm" value="urn:webadmin" />
<add key="dataProtectionCertificateThumbprint" value="38F139B3CC04BBAB823B691F192DE42CA8E2AAAC" />
<add key="wsFederationWreply" value="https://webadmin.igorm.testdomain.com/dpadminui" />
<add key="enrollUrl" value="https://webaccess.igorm.testdomain.com/DPWebEnroll/DPWebEnrollService.svc" />
<add key="authUrl" value="https://webaccess.igorm.testdomain.com/DPWebAUTH/DPWebAuthService.svc" />
<add key="policyUrl" value="https://webaccess.igorm.testdomain.com/DPWebPolicies/DPWebPolicyService.svc" />
<add key="adminUrl" value="https://webaccess.igorm.testdomain.com/DPWebAdmin/DPWebAdminService.svc" />
<add key="webEnrollmentUri" value="https://webenroll.igorm.testdomain.com/dpenrollment" />
<add key="delegatedAdminGroups" value="*" />
<add key="searchBaseDN" value="CN=Users,DC=IgorM,DC=TestDomain,DC=com" />
</appSettings>
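The precedence between approvalWorkflow and approvalWorkflowFp, and the clamping of approvalWorkflowNumFp, are easy to misjudge when auditing a WMC server's configuration. The following Python script is an added example (not part of the DigitalPersona product or of this guide) that reads these keys from an AppSettings.config and reports the effective approval mode and required fingerprint count; it assumes that a value of exactly 1, which the text does not mention, is also raised to the minimum of 2, and it takes the GPO MinNumberOfFingerprints value as a parameter rather than reading it from Group Policy.

```python
import xml.etree.ElementTree as ET

MIN_FP, MAX_FP = 2, 10  # bounds for approvalWorkflowNumFp given in the guide

# Constructed input: only the approval-related keys from the sample file above.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<appSettings>
  <add key="approvalWorkflow" value="false" />
  <add key="approvalWorkflowFp" value="true" />
  <add key="approvalWorkflowNumFp" value="3" />
</appSettings>
"""


def load_app_settings(xml_text):
    """Return {key: value} for every <add>; a missing value attribute maps to None."""
    root = ET.fromstring(xml_text)
    return {e.get("key"): e.get("value") for e in root.iter("add") if e.get("key")}


def _is_true(value):
    return (value or "").strip().lower() == "true"


def approval_mode(settings):
    """approvalWorkflowFp=true wins; otherwise the older approvalWorkflow key decides."""
    if _is_true(settings.get("approvalWorkflowFp")):
        return "fingerprint"   # approver must watch the user match fingerprints
    if _is_true(settings.get("approvalWorkflow")):
        return "standard"      # plain approval of the enrollment, no scans
    return "disabled"          # enrolled credentials need no approval


def required_fingerprints(settings, gpo_min=None):
    """Fingerprints that must match before the Approve button is enabled.

    approvalWorkflowNumFp overrides the GPO MinNumberOfFingerprints value
    (passed in as gpo_min). Values are clamped to [2, 10]; an empty, missing
    or unparseable value falls back to 2. Assumption: 1 is also raised to 2.
    """
    if "approvalWorkflowNumFp" not in settings:
        return gpo_min
    try:
        n = int(settings["approvalWorkflowNumFp"])
    except (TypeError, ValueError):   # key present but value empty or missing
        return MIN_FP
    return max(MIN_FP, min(MAX_FP, n))


def effective_settings(xml_text, gpo_min=None):
    settings = load_app_settings(xml_text)
    return {"mode": approval_mode(settings),
            "required_fp": required_fingerprints(settings, gpo_min)}


if __name__ == "__main__":
    print(effective_settings(SAMPLE_CONFIG))  # {'mode': 'fingerprint', 'required_fp': 3}
```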