Smart Identity is a ThinMan feature that enables the use of identification devices (e.g. smart cards, badges) to authenticate users on devices running Windows with Agile installed or ThinOX.
To use this feature, the device must be equipped with a connected smart card reader.
Smart Identity Users Authentication
ThinMan Smart Identity supports user authentication through an LDAP Server.Before enabling the ThinMan Smart Identity feature, it is essential to configure an LDAP Server.
Smart Identity on Agile devices
The Smart Identity functionality is compatible only with the following presentation modes: Desktop, Multi-Apps, SingleApp, QuickApp It is not compatible with the following presentation modes: Windows, Web
¶ How the Smart Identity Login works
¶ Case 1: Smart Identity as an authentication device
The Identification Device (smart card) is used as a complete authentication system. It is not necessary to insert additional information (password/pin).
 |
 |
| Agile Smart Identity Login panel | ThinOX Smart Identity Login panel |
The device is protected by the ThinMan Smart Identity panel. The user has to insert/tap its smart card on a reader connected to the endpoint. If the Identification Device (smart card) is active and is recognized by ThinMan, the user can access the device and its resources (see image below).
 |
 |
| Agile resources panel | ThinOX resources |
When removing/tapping the card on the reader, the user can either logout from the endpoint or lock it. This behavoir is configured on the Device Policy created for enabling the Smart Identity Feature (for more information, read Smart Identity Configuration and Smart Identity Device Policy Configuration).
¶ case 2: Smart Identity as an identification device with a second-factor of authentication (2FA)
In this case, the Identification Device (smart card) is used to identify the user. After inserting/tapping the smart card, it will be asked a second-factor authentication (user's PIN or user's LDAP Domain Password) to complete the authentication.
On the example below, the Smart Identity has been configured to ask the user his LDAP Domain Password as a second-factor authentication (for more information, read Smart Identity Configuration and Smart Identity Device Policy Configuration).
|
|
| Agile Smart Identity Login panel | ThinOX Smart Identity Login panel |
The device is protected by the ThinMan Smart Identity panel. The user has to insert or tap its smart card on a reader connected to the endpoint. If the Identification Device (smart card) is active and is recognized by ThinMan, it will be requested the second-factor authentication - 2FA (PIN or Password).
 |
 |
| Agile Password Request | ThinOX Password Request |
If the Password is validated by ThinMan, the user can access the device and its resources.
|
|
| Agile resources panel | ThinOX resources |
To pass the user credentials to the device/user connections, the credential passthrough option needs to be enabled on the resource.
Credentials Pass-Through
To pass the Smart Identity user credentials to the device/user connections, the credentials pass-through option needs to be enabled on the resource.For more information, read how to enable the credentials pass-through on:
When removing/tapping the card on the reader, the user can either logout from the endpoint or lock it. This behavoir is configured on the Device Policy created for enabling the Smart Identity Feature (for more information, read Smart Identity Configuration and Smart Identity Device Policy Configuration).
¶ Requirements and configuration steps
¶ Requirements
- ThinMan User+ Feature Pack
- ThinOX/ThinOX4PC/Agile/Agile4PC devices with an Identification Device reader attached
- Identification Devices (see Hardware list for Smart Identity)
- Interoperability:
- ThinMan version 7.8.0 or higher
- If used, ThinMan Gateway version 2.0.0 or higher.
- ThinOX/ThinOX4PC version 10.3.0 or higher.
- Agile/Agile4PC version 2.4.0 or higher.
¶ Configuration Steps
- Configure at least one LDAP on ThinMan server.
- Activate and configure the Smart identity functionality.
- Create a Device Policy that enables the Smart Identity on the devices
¶ How to enroll an Identification Device
The enrollment procedure allows to associate a user to a maximum of 5 smart cards (for more information about how to configure the maximum number of tokens per user, read Smart Identity Configuration).
A Device Policy must be created to enable enrollment on the devices where the procedure will take place . For more information, read Smart Identity - Device Policy Configuration).
The enrollment procedure can be performed by either the user or the administrator:
-
The user enrolls his Identification Device (smart card) on any of the devices configured by the administrator to proceed with the enrollment. The user will have to tap/insert his card on the device and write his username to enroll the card. Finally, the user will have to insert his password/pin in order to activate the card.
-
The administrator enrolls the Identification Device (smart card) and then delivers it to the user. The user completes the activation of the Identification Device (smart card) on an endpoint inserting his password/PIN.
¶ How does it happen?
When a device configured for enrollment starts up, the ThinMan Smart Identity window will appear. The administrator or user can then insert or tap the Identification Device (smart card) on a reader connected to the endpoint.
 |
 |
| Agile Enrollment window | ThinOX Enrollment window |
The endpoint asks the username to associate to the Identification Device (smart card). The administrator or the user inserts the username and clicks on Login/Enroll (or press Enter on the keyboard).
In the ThinMan Console, the new entry for the card is created on the Smart Identity tree. On the above image, the "Status" reports "Associated with user" while the "Security Policy" is set to "Smart Card + Password" (the default of the Smart Identity feature configuration).
|
 |
| Agile Activation window | ThinOX Activation window |
Once, the card has been enrolled, the endpoint will ask for a password that activates the Identification Device (smart card). The user will have to insert the password and click on Login/Activate (or press Enter on the keyboard).
Now, the card will appear on the Thinman Console with the status Active.
The operations that the administrator can execute on an Identification Device are explained in the chapter Smart Identity - Operations on Identification Device.