Customizing HID DigitalPersona Enrollment

Enabling Self Enrollment

The Windows Authorization Manager is where you set up your AD Users and Non AD Users to enroll and manage their own DigitalPersona credentials.

To enable DigitalPersona users to enroll and manage their own DigitalPersona credentials:

  1. Launch Windows Authorization Manager.

    (If you are not on the LDS Server machine, see instructions for installing and setting up the Windows Authorization Manager.)

  2. Add the Enroll Self task to the predefined DigitalPersona AD Users and Non AD roles or to another separate role that you create.

Note: The term Altus Users has been deprecated and replaced with the term Non AD User, and the term Altus AD Users with AD Users in this documentation, except where the legacy UI specifically still uses the term, as is the case in the Authorization Manager.

Enabling and Disabling the Approval Workflow

The Approval workflow for credential enrollment is disabled by default. This means that enrolled DigitalPersona credentials used to authenticate to third-party applications need no specific approval before they can be used for authentication.

Note: In this version of the product, the User Approval workflow is not available for non AD users.

Enable the Approval Workflow

  1. Open the AppSettings.config file located on the WMC Server at C:\Program Files\DigitalPersona\Web Management Components\DP Web Admin\DPAdminUI\

  2. Set the approvalWorkflow key value to true and save the file.

  3. Create a new AD user on the DigitalPersona Server and enroll at least one credential.

  4. Log on to the Web Administration Console as a Domain Admin user and confirm that the newly created user is listed when filtering for Non-approved users.

Disable the Approval Workflow

  1. Open the AppSettings.config file located on the WMC Server at C:\Program Files\DigitalPersona\Web Management Components\DP Web Admin\DPAdminUI\

  2. Set the approvalWorkflow key value to false and save the file.

  3. Create a new AD user on the DigitalPersona Server and enroll at least one credential.

  4. Log on to the Web Administration Console as a Domain Admin user and confirm that the Non-approved users filter is not available from the drop-down menu.

Fingerprint Enrollment Approval Workflow

In addition to previously implemented user enrollment approval by an approver, administrators may also require an approver to verify a user's enrolled fingerprints in person prior to them actually being enrolled.

Once configured, the approval process is as follows:

  1. The approver launches the DigitalPersona Administration Console.

  2. The approver logs in (authenticates).

  3. The approver selects a user and clicks Show details, then clicks the Approve enrollment button.

  4. A window displays showing a list of the user's enrolled fingerprints. The window has an Approve button which is initially disabled.

  5. The user verifies their enrolled fingerprints by scanning them on the fingerprint reader in the presence of the approver.

  6. As each fingerprint is scanned and successfully matched, a green checkmark appears on the screen, over the fingerprint.

  7. Once the required number of fingerprints have been matched, the Approve button is enabled.

  8. The approver presses the Approve button and the user is approved. The result of the user approval is the same as in previous versions. The only difference between the previous approach and the new one is that for fingerprints to be approved, the user needs to scan the required number of fingerprints in front of the approver and have the approver finalize the enrollment.

If the user has fewer enrolled fingerprints than required by the authentication policy in effect, a warning message is shown and approval is not possible.

Note: The software is unable to display which of the enrolled fingerprints was matched to the fingerprint the user has scanned. Therefore, the administrator must ensure that the user scans different fingers each time.

  • Enable the fingerprint enrollment approval feature:

    This additional feature is enabled by adding the following value to the DPAdminUI/AppSettings.config file:

    <add key="approvalWorkflowFp" value="true" />

    Important: Make sure the Fp at the end of the key name is present.

    This value is separate from the previous key approvalWorkflow, which is ignored if the new approvalWorkflowFp value is set.

    If the new value is present but not set to true, the approvalWorkflow key is used.

  • Define the number of fingerprints to match:

    If the GPO setting MinNumberOfFingerprints is set, then verification and approval of the specified number of fingerprints is required.

    However, that setting can be overridden by adding the following key to the DPAdminUI/AppSettings.config file:

    <add key="approvalWorkflowNumFp" value="6"/>

    The minimum and maximum values for this key are 2 and 10.

    • If the value is set to less than 1, then the minimum number (2) is used.

    • If the value is set to more than 10, then the maximum number (10) is used.

    • If the key is present but no value is set, then the minimum number (2) is used.


Sample configuration file with new keys

<?xml version="1.0"?>
<appSettings>
  <add key="userCount" value="50" />
  <add key="approvalWorkflow" value="false" />
  <add key="approvalWorkflowFp" value="true" />
  <add key="approvalWorkflowNumFp" value="3" />
  <add key="wsFederationMetadataAddress" value="https://websts.igorm.testdomain.com/dppassivests/wsfed/metadata" />
  <add key="wsFederationWtrealm" value="urn:webadmin" />
  <add key="dataProtectionCertificateThumbprint" value="38F139B3CC04BBAB823B691F192DE42CA8E2AAAC" />
  <add key="wsFederationWreply" value="https://webadmin.igorm.testdomain.com/dpadminui" />
  <add key="enrollUrl" value="https://webaccess.igorm.testdomain.com/DPWebEnroll/DPWebEnrollService.svc" />
  <add key="authUrl" value="https://webaccess.igorm.testdomain.com/DPWebAUTH/DPWebAuthService.svc" />
  <add key="policyUrl" value="https://webaccess.igorm.testdomain.com/DPWebPolicies/DPWebPolicyService.svc" />
  <add key="adminUrl" value="https://webaccess.igorm.testdomain.com/DPWebAdmin/DPWebAdminService.svc" />
  <add key="webEnrollmentUri" value="https://webenroll.igorm.testdomain.com/dpenrollment" />
  <add key="delegatedAdminGroups" value="*" />
  <add key="searchBaseDN" value="CN=Users,DC=IgorM,DC=TestDomain,DC=com" />
</appSettings>
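A small audit script, added here as an example (it is not part of the DigitalPersona product or of this documentation), that parses an AppSettings.config and reports which approval mode is in effect and how many fingerprints the approver must see matched, following the precedence and clamping rules described above for the approvalWorkflow, approvalWorkflowFp and approvalWorkflowNumFp keys. It assumes flag values are compared case-insensitively against "true" and treats a non-numeric approvalWorkflowNumFp as a misconfiguration to flag; the embedded sample file is constructed and contains only the keys the check reads.

```python
import xml.etree.ElementTree as ET

MIN_FP, MAX_FP = 2, 10  # documented bounds for approvalWorkflowNumFp

# Constructed sample of the approval-related keys in DPAdminUI/AppSettings.config
# (not the product's shipped file; only the keys this check reads are included).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<appSettings>
  <add key="approvalWorkflow" value="false" />
  <add key="approvalWorkflowFp" value="true" />
  <add key="approvalWorkflowNumFp" value="3" />
</appSettings>"""

def load_app_settings(xml_text):
    """Map every <add key=... value=...> under <appSettings> to {key: value}."""
    root = ET.fromstring(xml_text)
    return {a.get("key"): a.get("value") for a in root.iter("add") if a.get("key")}

def is_true(value):
    # Assumption: the flag is compared case-insensitively against "true".
    return (value or "").strip().lower() == "true"

def approval_mode(settings):
    """'fingerprint' if approvalWorkflowFp is true (approvalWorkflow is then ignored),
    else 'user' if approvalWorkflow is true, else 'disabled' (the product default)."""
    if is_true(settings.get("approvalWorkflowFp")):
        return "fingerprint"
    return "user" if is_true(settings.get("approvalWorkflow")) else "disabled"

def required_fingerprints(settings, gpo_min_fingerprints=None):
    """Fingerprints the approver must watch being matched.
    approvalWorkflowNumFp overrides the MinNumberOfFingerprints GPO when present;
    an empty value or one below 1 yields the minimum (2), one above 10 yields 10."""
    if "approvalWorkflowNumFp" not in settings:
        return gpo_min_fingerprints
    raw = (settings["approvalWorkflowNumFp"] or "").strip()
    if raw == "":
        return MIN_FP
    if not raw.lstrip("-").isdigit():  # non-numeric value: undocumented, so flag it
        raise ValueError("approvalWorkflowNumFp is not numeric: %r" % raw)
    return max(MIN_FP, min(MAX_FP, int(raw)))  # 1 is also lifted to the documented minimum

def audit(xml_text, gpo_min_fingerprints=None):
    """Summarise the effective enrollment-approval configuration of one file."""
    settings = load_app_settings(xml_text)
    mode = approval_mode(settings)
    num_fp = required_fingerprints(settings, gpo_min_fingerprints) if mode == "fingerprint" else None
    return {"mode": mode, "required_fingerprints": num_fp}
```

Running `audit(open(path).read())` against the file on the WMC Server gives the effective mode and count; for the constructed sample it reports fingerprint approval with 3 required matches.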