Version: Axidian CertiFlow 7.1

Automatic operations

The Axidian CertiFlow Client Agent can automatically perform the following operations:

  • Add cards to Axidian CertiFlow and assign them to users
  • Issue empty or assigned cards
  • Resume card issuance or update operations
  • Prompt a user PIN change according to the configured schedule

These operations are executed remotely on user workstations where agents are installed.

To control which operations agents can perform, configure the agent policy settings in Configuration > Agents > Workflow.

Add cards

When an unregistered card connects to a workstation, the agent can automatically add this card to Axidian CertiFlow. The card then binds to the agent installed on the workstation.

To configure the agent to add cards automatically, enable the following options:

  • Add card
  • Add card without administrator PIN if provided PIN is incorrect

During card registration, the agent authenticates to access the card. It automatically applies the administrator PIN defined for the specific card type in policy settings (Agents > Workflow > Administrator PINs).

info

If you have not set a policy for the administrator PIN, the agent uses the default value from the card type settings.

The agent supports two methods for adding a card:

  • Add a card and change the administrator PIN
  • Add a card without the administrator PIN (PIN is left empty)

How to add a card and change the administrator PIN

Correct PIN scenario: If you enter a correct administrator PIN, the agent adds the card and sets a new administrator PIN. The new PIN is either random or matches the value specified in the Set non-random administrator PIN option in Configuration > Card Types.

Incorrect PIN scenario: If you enter an incorrect PIN, the PIN may be blocked. To prevent this, ensure the Add card without administrator PIN if provided PIN is incorrect option is enabled. In this case, the agent adds the card without storing or setting an administrator PIN.

About administrator PIN blocking

Each card has a counter for failed administrator PIN entry attempts. If you add a card that has only one attempt left and you enter an incorrect PIN, the PIN is blocked.

For some cards, a blocked administrator PIN cannot be unblocked. If the administrator PIN is blocked, you can only initialize the card, which erases all data stored on it.

How to add a card without the administrator PIN

Incorrect PIN scenario: If you enter an incorrect administrator PIN, the agent can add the card without an administrator PIN. To use this scenario, make sure the Add card without administrator PIN if provided PIN is incorrect option is enabled.

If the agent added a card without the administrator PIN, you can set the PIN later:

Correct PIN scenario: If you enter a correct administrator PIN, the agent adds the card and sets a new administrator PIN. The PIN is either random or matches the value configured in the Set non-random administrator PIN option in Configuration > Card Types.

Assign cards to users

The agent can automatically assign a card to a user when a card is added to Axidian CertiFlow. The card is assigned to the user logged in to the session.

To configure automatic card assignment, enable the following options:

  • Add card
  • Assign card

To automatically issue assigned cards, enable the Issue assigned card option.

Issue empty cards

The agent can automatically issue cards in Clean status (not assigned to a user). The card issuance settings are determined by the policy that applies to the user logged in to the session.

Use case: You need to issue a large number of new cards that you have distributed to users. The cards are not assigned to users. To prevent users from having to issue the cards manually in the Self-Service, you can configure automatic issuance using agents installed on user workstations.

To configure automatic issuance of empty cards, enable the Issue clean card option.

Once all cards have been issued, disable the Issue clean card option. This prevents a card from being reissued later in its lifecycle, for example after the card has been revoked.

tip

We recommend configuring the agent workflow so that only pre-assigned cards can be issued automatically.
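
The guidance in the Add cards, Assign cards to users and Issue empty cards sections can be turned into a review check over a policy's options. The following is an added example, not Axidian code: only the option names come from this page, while the dictionary layout, the `review_policy` function, the `rollout_finished` flag and the severity labels are assumptions.

```python
# Added example: option names are taken from this page; the dict layout,
# review_policy() and rollout_finished are hypothetical, not a CertiFlow API.
ADD = "Add card"
ADD_NO_PIN = "Add card without administrator PIN if provided PIN is incorrect"
ASSIGN = "Assign card"
ISSUE_CLEAN = "Issue clean card"
ISSUE_ASSIGNED = "Issue assigned card"


def review_policy(policy, rollout_finished=True):
    """Return (severity, option, message) findings for one agent policy."""
    def on(name):
        return bool(policy.get(name, False))

    findings = []
    # An incorrect administrator PIN during automatic registration may block
    # the PIN; on some cards that can only be fixed by initializing the card.
    if on(ADD) and not on(ADD_NO_PIN):
        findings.append(("high", ADD_NO_PIN,
                         "disabled: a wrong administrator PIN may be blocked"))
    # Automatic assignment is configured with Add card and Assign card together.
    if on(ASSIGN) and not on(ADD):
        findings.append(("medium", ASSIGN,
                         "enabled without Add card"))
    # Clean-card issuance is meant for a bulk rollout and should be switched
    # off afterwards so a card is not reissued later, e.g. after revocation.
    if on(ISSUE_CLEAN):
        severity = "high" if rollout_finished else "info"
        findings.append((severity, ISSUE_CLEAN,
                         "enabled: unassigned cards are issued automatically"))
    return findings


# Constructed sample policies (not exported from a real installation).
WEAK_POLICY = {ADD: True, ADD_NO_PIN: False, ASSIGN: False,
               ISSUE_CLEAN: True, ISSUE_ASSIGNED: False}
HARDENED_POLICY = {ADD: True, ADD_NO_PIN: True, ASSIGN: True,
                   ISSUE_CLEAN: False, ISSUE_ASSIGNED: True}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, review_policy(pol) or "no findings")
```
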

Issue assigned cards

The agent can automatically issue cards in Assigned status. The card issuance settings are determined by the policy that applies to the user logged in to the session.

To configure automatic issuance of assigned cards, enable the Issue assigned card option.

When the agent issues an assigned card, it verifies that the user logged in to the session is bound to the card. The agent cannot issue a card assigned to another user.

Resume card issuance or update operations

The agent can automatically resume issuing and updating cards in Pending status. To automatically resume card issue or update operations, enable the following options:

  • Resume card issuing
  • Resume card updating

Card issue or update operations are paused if your company's policy requires document verification for obtaining digital certificates. The agent resumes issuance or updating once you have approved the user's documents.

For more information, see Card issue documents check and Card update documents check.

Change user PIN

You can configure the validity period for a user PIN on a card.

To set the user PIN validity period:

  1. Enable the Request user PIN changing after (days) option.
  2. Specify the number of days a user PIN remains valid.

Once this period expires, the Card Monitor service creates a User PIN change task on the agent. When the user connects the card to the workstation, the agent opens a PIN change window.

Change the user PIN on first login

IDPrime and eToken cards support a hardware requirement to change the user PIN the first time the card is connected to a workstation.

To configure the PIN change requirement for IDPrime and eToken cards:

  1. Open the Configuration section, navigate to the policy settings and go to Issuance.
  2. Enable the User PIN must be changed on first logon option.

tip

You can also configure the PIN change requirement outside Axidian CertiFlow, for example in PKI software.

When the user connects the card to a workstation for the first time, the agent opens a PIN change window.