Conception and implementation of an overall solution for ID management and user authorization
IDExpert® SmartACT centrally manages all issued ID media at our customer EURONICS
At the end of 2006, the present company ID card was introduced at Euronics in Ditzingen. It contains a contactless LEGIC transponder and also a contact-type JAVA chip. Whereas the LEGIC transponder was used from the beginning for the identification of people (e.g. employees, visitors, consultants, etc.) with the access control and time registration system, the JAVA chip initially remained unused. At the beginning of 2009, it was decided by Euronics to use the JAVA chip in future for the secure authentication of users by means of the Novell Client on the Novell eDirectory and on the Microsoft Active Directory.
From a technical perspective, the challenge consisted of finding a solution architecture that supported both the somewhat older specification of the existing JAVA chip and the use of new devices, such as USB crypto tokens. In addition, it was planned to implement a uniform administration process. Since a simple off-the-shelf solution was not the answer, the specialists of Peak Solution were commissioned with the planning and implementation of a suitable overall solution.
Today, the “IDExpert® SmartACT” smart card management system from vps ID Systems is used as the central solution component for the administration of the ID media used. These are managed transparently throughout their entire life cycles with the help of defined workflows: from the company-specific printing on the ID cards via the initialization, personalization, issue and updating, down to blocking and possibly destroying. During the personalization of the preconfigured RFID cards, the LEGIC ID is read out and automatically assigned to the personnel master records. The issue of temporary company ID cards and replacement media is also part of the workflow.
The digital certificates, which are necessary for the 2-factor authentication of users of the network, are requested via an interface to Microsoft Windows Server 2003 Enterprise CA (Certificate Authority). Appropriate middleware ensures that individual certificates are stored on the JAVA chip in the context of personalization and can be read from there with respect to user authentication.
This is supplemented by a Single-Sign-On mechanism which was integrated into the overall solution on the basis of the Novell SecureLogin product. This offers users additional convenience: After users have logged in to the system, they can quickly and securely – without having to enter passwords again – access a wide range of applications, even if these are not suitable directly for Smart Card authentication.
Currently some 250 employees at Euronics use this option of certificate-based PC authentication with the company ID card.
In addition, a subset of users has the option of encrypting the contents of entire directories, including subdirectories, protecting them from unauthorized access. The actual directory structure is retained when this is done, so that existing backup concepts continue to work. Access rights can be granted either for individual users or for entire groups. In combination with the certificate-based authentication of users, optimal access protection is therefore guaranteed for centrally stored information.
The overall solution concept was designed by the specialists of Peak Solution in close cooperation with the IT department at Euronics and implemented gradually within a period of about six months. The scope of Peak Solution’s services included setting up a 2-layer public key infrastructure (PKI), putting into operation and customizing the solution components used, and migrating legacy data to the new system.
The fact that the existing company ID cards could still be used without problems in the new solution means that the project is a great success for those responsible at Euronics, including from an economic perspective. It almost goes without saying that in future, all new cards will be created and personalized by Euronics entirely on their own, via the central smart card management system.
The integration of further applications into the Single-Sign-On system is already being planned.