A smart credential has two types of digital IDs:
card—Identifies the card.
card holder—Identifies the user who owns the card.
The smart credential definition specifies which digital ID types are required.
When you create a smart credential, its digital ID configuration values come from the smart credential definition. If the definition has defaults for those values, the new smart credential has them set; otherwise they are left unset.
Before you can create the smart credential for a user, the following must be true:
If a digital ID type is marked as required in the smart credential definition, it must be set in the user's smart credential.
Create smart credential definitions
Click > Resources > Smart Credential Definitions. The Smart Credential Definitions page appears.
Click Add. The Add Smart Credential Definition page appears.
Enter a Name for your smart credential definition.
Set Lifetime to the number of months before the smart credential expires. The default value is 60 (five years). The value can range between 1 month and 120 months (ten years).
Select the PIV Applet Config from the drop-down list. This setting specifies how information is encoded into the smart credential. The options include:
PIV with Challenge Response PIN unblock
Yubico YubiKey PIV
PIV with PIN multi use
You can create a smart credential definition without a card holder or card holder digital ID. However, if you want to use a smart credential for Windows SCLO or Identity as a Service smart credential push authentication, your smart credential must have a card holder digital ID.
If you want your smart credential to have a digital ID, do the following.
Select the Default Card Digital ID from the drop-down list. The card digital IDs offered come from the CA you configured on Identity as a Service. If you do not want to create a digital ID, select Not Set.
Select Digital ID is required to require your smart credential definition to have a digital ID. Do not select this option if you do not want to assign a digital ID to a smart credential.
Select Card Digital ID is Required to require that a card digital ID is selected before the smart credential definition can be encoded.
Select the Default Card Holder Digital ID from the drop-down list. This setting determines the CA that contains the PIV content signer.
Select Card Holder Digital ID is Required to require that a card holder digital ID is selected as the Default Card Holder Digital ID before the smart credential definition can be encoded.
Optionally, select an explicit CA that contains the PIV content signer from the drop-down list.
Note: If you create a smart credential without a digital ID you must select the CA that contains the PIV content signer.
Enter the Card PIN settings. These are the PINs for mobile smart credential application user accounts; the settings define what can and cannot be included in a user PIN.
Set Generated Card PIN Length to the number of characters in each system-generated PIN. Users are automatically assigned a system-generated PIN when they are assigned a mobile smart credential.
Set Card PIN Minimum Length to the minimum number of characters required in each PIN. After a user logs in to their mobile smart credential application account for the first time, they can change their PIN.
Set Card PIN Maximum Length to the maximum number of characters in a customized PIN.
In the Digits drop-down list, select whether digits are Allowed, Required, Not Allowed, or Not Set (which applies no limitation to the setting).
In the Uppercase Letters drop-down list, select whether uppercase letters are Allowed, Required, Not Allowed, or Not Set (which applies no limitation to the setting).
In the Lowercase Letters drop-down list, select whether lowercase letters are Allowed, Required, Not Allowed, or Not Set (which applies no limitation to the setting).
In the Special Characters drop-down list, select whether special characters are Allowed, Required, Not Allowed, or Not Set (which applies no limitation to the setting).
Set Maximum Uses After Admin Reset to the number of times a user can log in using a newly encoded PIN, or a PIN provided to unlock their account, before they must change it. The default value is -1, which means the PIN can be used any number of times.
Set Maximum Allowed Attempts to the number of failed login attempts that lock a user out of their mobile Smart Credential authenticator application.
Define the Definition Variables.
Click Add. The Smart Credential Definition Variable dialog box appears.
Select the Type of variable definition from the drop-down list.
Enter a Name for the definition variable. This is the name of the variable that corresponds with the certificate authority. The name is referenced in the Identity as a Service CA digital ID configuration definitions, including in the variables, subject alt names, and CA DN, and the certificate authority references it when completing transactions related to the mobile smart credential for Identity as a Service.
Enter a Prompt value that clearly represents the meaning of the variable. This is the name that represents the variable in the details of the smart credential variable and is listed on the Authenticators page. It must distinguish the variable you create from all others in the smart credential definition.
Note: Depending on the Type of variable you selected, you may not be able to modify the settings that follow.
Enter the Random Value Generation Settings.
Select Generate to generate a random value as the initial value for the variable. You may want to select this field if the variable being created is a universally unique identifier (UUID).
Set Generate Length (Required) to the number of characters in the value that is generated when Generate is selected.
Enter the Character Restrictions. These settings limit what can be entered as the value of the variable.
Set the Restriction Minimum. If the variable type is String, this setting defines the minimum length of the string. If the variable type is Integer, it defines the minimum integer value that can be entered.
Set the Restriction Maximum. If the variable type is String, this setting defines the maximum length of the string. If the variable type is Integer, it defines the maximum integer value that can be entered.
In Restriction Regex, enter an expression that the variable value must match. For example, an email address variable value with the regex restriction .+@.+\\..+ must have one or more characters, followed by @, followed by one or more characters, followed by ., followed by one or more characters.
In the Digits drop-down list, select Allowed, Required, Not Allowed, or Not Set (which applies no limitation to the setting).
In the Uppercase Letters drop-down list, select Allowed, Required, Not Allowed, or Not Set (which applies no limitation to the setting).
In the Lowercase Letters drop-down list, select Allowed, Required, Not Allowed, or Not Set (which applies no limitation to the setting).
In the Special Characters drop-down list, select Allowed, Required, Not Allowed, or Not Set (which applies no limitation to the setting).
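The Card PIN settings above and the definition-variable Character Restrictions use the same Allowed / Required / Not Allowed / Not Set vocabulary. The following Python is an added illustration of how an administrator could check candidate values against such a policy before encoding; it is not product code, the function names are mine, the e-mail regex is the page's example, and the assumption that Restriction Regex must match the whole value is mine.

```python
import re

CLASSES = {  # classes behind the Digits/Uppercase/Lowercase/Special settings
    "digits": str.isdigit,
    "uppercase": str.isupper,
    "lowercase": str.islower,
    "special": lambda c: not c.isalnum(),
}

def class_violations(value, rules):
    """rules maps a class name to "Allowed", "Required", "Not Allowed" or
    "Not Set"; Allowed and Not Set (the default) impose no constraint."""
    found = []
    for name, is_member in CLASSES.items():
        rule = rules.get(name, "Not Set")
        present = any(is_member(c) for c in value)
        if rule == "Required" and not present:
            found.append(f"{name} required")
        elif rule == "Not Allowed" and present:
            found.append(f"{name} not allowed")
    return found

def check_pin(pin, min_len, max_len, rules):
    """Card PIN settings: Card PIN Minimum/Maximum Length plus class rules."""
    found = []
    if not min_len <= len(pin) <= max_len:
        found.append(f"length must be {min_len}-{max_len}")
    return found + class_violations(pin, rules)

def check_variable(value, var_type, minimum=None, maximum=None,
                   regex=None, rules=None):
    """Definition-variable Character Restrictions: Restriction Minimum and
    Maximum bound the length of a String or the value of an Integer;
    Restriction Regex is assumed (here) to have to match the whole value."""
    found = []
    if var_type == "Integer":
        if not re.fullmatch(r"-?\d+", value):
            return ["not an integer"]
        measure, what = int(value), "value"
    else:
        measure, what = len(value), "length"
    if minimum is not None and measure < minimum:
        found.append(f"{what} below {minimum}")
    if maximum is not None and measure > maximum:
        found.append(f"{what} above {maximum}")
    if regex is not None and not re.fullmatch(regex, value):
        found.append("does not match regex")
    return found + class_violations(value, rules or {})
```

An empty list means the value satisfies every configured restriction; anything else names the setting it fails, which is what a help-desk tool would report back to the user.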
Enter values for the Uniqueness settings. The Uniqueness settings define whether other smart credentials can share a value with the variable being created.
Select Global, User or None as the Uniqueness level.
From the Scope drop-down list, select the name of the variable that you want to apply to this uniqueness level.
For example, in the default Identity as a Service smart credential definition, lastname is specified as User unique with the firstname variable as its Scope. This means that two smart credentials for the same user can have the same firstname and lastname. Two smart credentials for two different users can have the same firstname or the same lastname, but cannot have the same firstname and lastname.
Note: A variable can be selected as the uniqueness Scope of a new variable only if it has already been created and saved to the smart credential definition. The first variable created for a new smart credential definition therefore has no Scope choices available, because no other variables exist yet.
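The firstname/lastname example above is easier to reason about as a check over already-issued credentials. The following Python is an added example, not product code; the reading of the Global, User and None levels is inferred from the page's example, and the sample credential is constructed.

```python
def uniqueness_conflict(existing, new_user, new_values, variable,
                        level, scope=None):
    """Return the issued credential (user, values) that would clash with
    a new one, or None if the new credential is acceptable.

    existing : list of (user, values) for already-issued smart credentials
    variable : name of the variable whose Uniqueness settings apply
    level    : the Uniqueness level, "Global", "User" or "None"
    scope    : optional variable chosen as Scope; the pair
               (scope value, variable value) is then what must be unique
    Assumed meaning of the levels (inferred from the page's example):
    Global - the value (pair) may not repeat on any credential at all;
    User   - it may repeat only on credentials of the same user;
    None   - no restriction."""
    if level == "None":
        return None
    key = (new_values.get(scope) if scope else None, new_values[variable])
    for user, values in existing:
        other = (values.get(scope) if scope else None, values.get(variable))
        if other != key:
            continue
        if level == "Global" or user != new_user:
            return (user, values)
    return None

# Constructed sample: one credential already issued to user "alice" from a
# definition where lastname is User-unique with firstname as its Scope.
ISSUED = [("alice", {"firstname": "Jane", "lastname": "Doe"})]

def page_example():
    """Reproduce the three cases the page describes for that definition."""
    same_user = uniqueness_conflict(
        ISSUED, "alice", {"firstname": "Jane", "lastname": "Doe"},
        "lastname", "User", "firstname")
    other_user_both = uniqueness_conflict(
        ISSUED, "bob", {"firstname": "Jane", "lastname": "Doe"},
        "lastname", "User", "firstname")
    other_user_one = uniqueness_conflict(
        ISSUED, "bob", {"firstname": "John", "lastname": "Doe"},
        "lastname", "User", "firstname")
    # same user may repeat the pair; a different user may not;
    # sharing only one of the two values is fine
    return (same_user is None, other_user_both is not None,
            other_user_one is None)
```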
The Definition Variables are used to generate the mobile smart credential. For a smart credential definition to function properly, you must add all of the variables listed in the certificate authority associated with a smart credential definition.
Enter values for the Other settings.
For the Default Value, enter the default value for the variable. This is the name of a user attribute, a constant value, or multiple user attribute names that appear if no other value is entered for the variable. Enter the value enclosed in angle brackets.
Example: Setting Default to <User Principal Name> causes an Identity as a Service user attribute with the name UPN to auto-populate any smart credential created with the UPN value from the profile information of the user being assigned the smart credential. The Default field is not case sensitive.
Select Is Required to require that a value be provided for this variable when a smart credential is configured.
Select Is Displayable to allow the value of this variable to be viewed by others.
Select Is Modifiable to allow the value of this variable to be modified after a value is entered for the variable.
Click Add. The variable appears in the smart credential definition list.
After you have added all of the definition variables, click Save. The definition appears on the Smart Credential Definitions page.
The smart credential definition is ready to be applied to a mobile smart credential. You can assign mobile smart credentials to your users provided that at least one certificate authority is also ready for use. See Manage Certificate Authorities for more information.