Register Domain

Prerequisites

  1. If you are enabling smart card authentication, you must have a Certificate Authority, either by Creating an EZCA CA or Creating an ADCS CA
  2. If you are enabling either FIDO2 or Phone Authentication, you must Register the EZSmartCard App in the tenant you are registering

Introduction

Once your organization wide settings are set, you can register a new domain or manage your existing domains. In this document we will go over how to register a new domain, set the domain requirements and connect a CA.

Creating a New Domain

  1. Navigate to your EZSmartCard instance and select “Domain Settings”

    You must be an administrator for this option to appear.

    [Image: Domains Menu]
  2. Enter your domain ID (Azure Tenant ID)
  3. Enter domain name.

    The domain name is all the text after the @; for example, for jake@keytos.io the domain name is keytos.io.

  4. Set your clearance requirements for this tenant.

    Clearances are set by you in the HR database; they can range from certain background checks to actual government clearances. Anyone who doesn’t meet the clearance requirements will not be able to see the domain.

  5. The “Allowed Bootstrapping Credentials” section lets you select which credential types are allowed to create a smart card for this domain. Depending on your plan, you will have some of the following options:
    1. Government ID and Face Recognition: The user scans their face and a government ID; EZSmartCard uses AI to validate the ID and to confirm that it matches the user.
    2. Multi-factor Authentication: The user can use their existing domain credentials to create a smart card for this domain. (This option should be enabled for renewals and can also be leveraged by existing domains that are moving to passwordless authentication.)
    3. Other Domain Multi-factor Authentication: If, like Keytos, your organization uses Identity Isolation to protect its environments, you can allow the user’s identity from your other domains to create a smart card for this domain.
    4. IT Desk Smart Card Creation: For highly regulated industries, where physical presence and verification are required to create the smart card, this option enables your IT desk to create the smart card on behalf of the user.

    [Image: Passwordless bootstrap identities]

  6. For multi-tenant organizations, the aliases of a secondary domain might not match the aliases of the main domain; to solve this, EZSmartCard supports user mapping. To enable it, select the “Use custom UPNs for this domain” option.

    [Image: Custom UPN for domain]

  7. Select the cryptographic key type required for this domain.
  8. Select the authentication methods you would like to enable in this tenant. Watch this video to learn about the different authentication methods and to help decide which one is best for you.

    [Image: Enable Azure passwordless authentication]

    1. SmartCard: SmartCard Authentication is the oldest unphishable authentication method. It uses a Certificate Authority to create a smart card certificate that is then used for certificate authentication. In the past, this authentication method was mostly used by governments or organizations with high security requirements. However, now that Azure Certificate-based authentication and EZSmartCard make smart card authentication easier to use, more organizations are moving to FIDO2 + SmartCard Authentication.

      [Image: SmartCard Authentication Before EZSmartCard and Azure CBA]

    2. FIDO2: Since SmartCard Authentication required a lot of infrastructure to set up, the FIDO Alliance created an easier-to-implement cryptographic authentication method: instead of needing such a large infrastructure deployment, organizations can adopt it easily by using a cloud-based identity provider such as Azure.

      We recommend enabling both FIDO2 and SmartCard authentication, giving your users the ability to use the most convenient authentication method with their hardware token; in some cases it might not be possible to use a FIDO2 key or a SmartCard, and this way they always have a hardware-protected credential to use.

    3. Phone Authentication: Due to its convenience, phone authentication has become the most popular passwordless authentication method. While it is not as secure as FIDO2 keys or SmartCards, it offers great security at a lower cost.

Connecting Your CA

If you selected SmartCard as one of the authentication methods, you will have to connect a CA. EZSmartCard supports connecting EZCA (an Azure-based PKI) and Windows ADCS CAs for certificate creation.

Connecting EZCA CA

  1. Enter https://portal.ezca.io as the agent URL.
  2. Open EZCA in another tab.
  3. Navigate to Certificate Authorities
  4. Click “View Requirements” on your SmartCard CA

    [Image: EZCA SmartCard CA]

  5. Copy your CAID

    [Image: EZCA SmartCard CA Details]

  6. Go back to your EZSmartCard tab
  7. Paste the CAID in the CA Details CAID field.

    [Image: EZSmartCard EZCA connection]

  8. Click “Test Connection”
  9. If the connection is successful, add the CA

    [Image: EZSmartCard EZCA add Certificate Authority]

  10. Repeat these steps for all your CAs.
  11. Save the domain by clicking “Register Domain” at the top.

    [Image: EZSmartCard Save new domain]

Connecting ADCS CA

  1. Enter your public-facing agent URL.
  2. Enter the CA name in the format fqdn\CA Name
  3. Enter the template name of the smart card template you created.

    [Image: EZSmartCard ADCS CA connection]

  4. Click “Test Connection”
  5. If the connection is successful, add the CA

    [Image: EZSmartCard EZCA add Certificate Authority]

  6. Repeat these steps for all your CAs.
  7. Save the domain by clicking “Register Domain” at the top.

    [Image: EZSmartCard Save new domain]