Solution Description and Components
This section provides a high-level overview of the SafeNet IDPrime Virtual Server/Client solution.
Virtual Smart Cards emulate the functionality of physical smart cards. The SafeNet IDPrime Virtual (IDPV) solution offers comparable security benefits to physical smart cards by using client/server technology. To improve the solution’s security level, all Virtual Smart Card certificates are stored on a remote server located in a secured location and protected by a Hardware Security Module (HSM).
Today, most applications are cloud-based. With the proliferation of devices, you need a solution that can meet your security requirements and enable all use cases (VDI, BYOD, contractors, backup, and mobility) on the selected devices. The IDPV Smart Card is available on a user's device to be used in any PKI application.
With IDPV, users can carry out PKI-based operations on the selected device, without the need for a physical smart card or USB token. Virtual smart cards enable users to access apps that require PKI-based authentication – even on devices that don’t support PKI smart cards.
As part of the security design of the IDPV solution, logging into a virtual smart card from two different SafeNet Authentication Clients (SAC) causes the first smart card to log out from its SAC. Therefore, if the virtual smart card needs to be updated again from the first client, you must re-insert the virtual smart card on the first client to refresh its state.
The following diagram illustrates the interactive overview of the IDPV components:
SafeNet IDPrime Virtual solution provides the following components:
Server Components
- IDPrime Virtual, Signature Server (Server): The component that manages the smart cards and the keys on the backend.
- SafeNet IDPrime Virtual Server Supported Databases:
  - MariaDB Database
  - MSSQL Database
  - MySQL Database
  - PostgreSQL Database
  - Oracle Database Enterprise and Express Edition
- SafeNet IDPrime Virtual Server Supported HSMs (the HSM protects the SafeNet IDPrime Virtual database):
  - SafeNet Luna 6/7.3/7.7 Support
  - KeySecure
  - DPoD
- SafeNet IDPrime Virtual Server Supported Identity Providers:
  - SafeNet Trusted Access
  - PingFederate
  - Okta
  - Keycloak Agent for SAS PCE
  - Keycloak Server
  - DigiD
Client Components
- SafeNet IDPrime Virtual Client (Smart card): The smart card present on the desktop (Windows and Linux) and mobile applications (Android).
- Middleware and Virtual Reader (SAC or Minidriver): The component that interacts with the smart card.
Optional Components
- SafeNet IDPrime Virtual SDK: For developers who want to build proprietary apps
The following diagram illustrates the detailed interaction of IDPV key components:
The following process flow ensures secure and authenticated interactions between a user, the smart card, and the IDPV key components involved in a Public Key Infrastructure (PKI) operation, such as signing a document or encrypting data.
- Connecting to a token
  - A user connects to the smart card on the system via the IDPV system tray (Systray).
  - The Systray initiates the authentication process using a configured Identity Provider (IdP).
  - Upon successful authentication, the IdP provides a JSON Web Token (JWT) to the Systray.
  - The Systray sends the JWT to the IDPV client service.
  - The service sends a get-token request to the server, fetches the user's tokens, and loads them on the system.
- Performing a PKI operation
  - The user's request is forwarded to SAC. A PIN prompt for smart card logon is displayed.
  - SAC sends an Application Protocol Data Unit (APDU) command to the smart card through the virtual Personal Computer/Smart Card (PCSC) reader.
  - A session is established on the smart card using a challenge-response mechanism with the IDPV server.
  - The IDPV server communicates with its database to retrieve the wrapped keys required for the operation, depending on the tenant configuration.
  - The required data is sent back from the IDPV server to the IDPV client service.
  - The IDPV client service forwards the data to the virtual PCSC reader.
  - The virtual PCSC reader sends the response to SAC.
  - The user selects the appropriate certificate and completes the PKI operation.
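The two flows above, modelled as an added Python example that is not part of this page or of the product's own code: the IdP-to-server JWT handoff with the checks a server should make before honouring a get-token request, and a single-use challenge-response for opening the card session. The key names, JWT claims, HMAC constructions, the card identifier and the database layout are assumptions chosen for illustration only.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed values for this model (hypothetical, not the product's key material).
IDP_KEY = b"idp-signing-key"      # shared by the IdP and the IDPV server to verify JWTs
CARD_KEY = b"card-session-key"    # shared by the virtual card and the IDPV server
DB = {"alice": {"card-0001": "<wrapped-key-blob, protected by the HSM>"}}

def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64u_dec(txt):
    return base64.urlsafe_b64decode(txt + "=" * (-len(txt) % 4))

def idp_issue_jwt(user, ttl=300, now=None):
    """Connecting to a token, steps 2-3: the IdP signs an HS256 JWT for the Systray."""
    now = now or int(time.time())
    head = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64u(json.dumps({"sub": user, "aud": "idpv-server", "exp": now + ttl}).encode())
    sig = hmac.new(IDP_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u(sig)}"

def server_get_tokens(jwt, db=DB, now=None):
    """Step 5: honour the get-token request only if signature, audience and expiry hold;
    only card ids are returned, the wrapped keys stay in the server database."""
    now = now or int(time.time())
    if jwt.count(".") != 2:
        return None
    head, body, sig = jwt.split(".")
    expect = hmac.new(IDP_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expect, b64u_dec(sig)):
        return None                      # tampered or foreign token
    claims = json.loads(b64u_dec(body))
    if claims.get("aud") != "idpv-server" or claims.get("exp", 0) <= now:
        return None                      # wrong audience or expired
    return sorted(db.get(claims.get("sub"), {}))

class SessionServer:
    """PKI operation, step 3: challenge-response session; each challenge is single-use."""
    def __init__(self):
        self.pending = {}
    def challenge(self, card_id):
        self.pending[card_id] = secrets.token_bytes(16)
        return self.pending[card_id]
    def open_session(self, card_id, response):
        nonce = self.pending.pop(card_id, None)   # pop: a replayed response cannot succeed
        if nonce is None:
            return False
        expect = hmac.new(CARD_KEY, card_id.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expect, response)

def card_respond(card_id, nonce):   # the card answers once the SAC PIN prompt has succeeded
    return hmac.new(CARD_KEY, card_id.encode() + nonce, hashlib.sha256).digest()
```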
The SafeNet IDPrime Virtual solution provides the following services: