SafeNet IDPrime Virtual (IDPV) and Components
The SafeNet IDPrime Virtual (IDPV) solution offers virtual smart cards that emulate the functionality of physical cards, enabling users to securely access digital resources and authenticate their identities without the need for physical smart cards. SafeNet IDPV enhances security by using client/server technology, where all virtual smart card certificates are stored on a remote server that is secured by a Hardware Security Module (HSM).
The IDPV solution is cost-effective, flexible, and ideal for organizations requiring strong authentication and compliance with security regulations. With SafeNet IDPrime Virtual, users can access their credentials on Windows and Linux devices and organizations can remotely manage and revoke credentials. It is particularly beneficial for remote workers and cloud-based applications where the usage of traditional physical smart cards may not be practical.
Nowadays, the majority of applications are cloud-based. As the number of devices increases, it is essential to have an IDPV solution that meets your security needs and supports various use cases such as VDI, BYOD, contractors, backup, and mobility on specific devices. The IDPV smart card is available on a user's device for use in any PKI application.
With IDPV, users can perform PKI-based operations on their chosen device without needing a physical smart card or USB token. Virtual smart cards allow users to access applications that require PKI-based authentication, even on devices that don’t natively support PKI smart cards.
SafeNet IDPV Components
The SafeNet IDPV client emulates an IDPrime smart card on the user's machine, whereas the private key operations are performed within the remote HSM managed by the IDPrime Virtual server.
SafeNet IDPV consists of IDPV Client components and IDPV Server components.
Client Components
The IDPV client consists of the following components:
Client Components | Description |
---|---|
SafeNet IDPrime Virtual Client (Smart card) | The virtual smart card is available in desktop (Windows and Linux) and mobile (Android) applications. |
Middleware and Virtual Reader (SAC or Minidriver) | The middleware and virtual reader interact with the smart cards. |
Server Components
IDPV server consists of the following components:
Server Components | Description |
---|---|
IDPrime Virtual, Signature Server (Server) | The server manages the IDPrime Virtual HSM and database. It exposes an API that allows the client to perform private key cryptographic operations within the Hardware Security Modules (HSMs). |
HSMs | The HSM protects the SafeNet IDPrime Virtual database. IDPV Server supports the following HSMs: SafeNet Luna 6/7.3/7.7, DPoD, and KeySecure. Note: Support for KeySecure was discontinued after the IDPV Server 2.4.1 GA release. |
Databases | IDPV Server supports the following databases: MariaDB, MSSQL, PostgreSQL, and Oracle (Enterprise and Express Edition). |
Identity Providers | IDPV Server supports the following identity providers: THALES, Keycloak, Okta, Microsoft, and PingIdentity. |
Note
SafeNet IDPV supports an optional component, the IDPV SDK, which developers can use to build proprietary applications.
SafeNet IDPV Process Flow
The IDPV process flow ensures secure and authenticated interactions between a user, the smart card, and the key IDPV components involved in a Public Key Infrastructure (PKI) operation, such as signing a document or encrypting data.
The IDPV process flow is divided into two parts: connecting to a token and performing a PKI operation.
Connecting to a token
- A user connects to the smart card on the system via the IDPV system tray (Systray).
- The Systray initiates the authentication process using a configured Identity Provider (IdP).
- Upon successful authentication, the IdP provides a JSON Web Token (JWT) to the Systray.
- The Systray sends the JWT to the IDPV client service.
- The client service sends a get-token request to the IDPV server, fetches the user's tokens, and loads them on the system.
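The hand-off in the last three steps (IdP issues a JWT, the client service forwards it, the server checks it before returning the user's tokens) is modelled below as an added illustration; it is not IDPV's own code or API. The HS256 shared secret, issuer and audience values, and the token store are constructed placeholders, and the checks shown (algorithm, signature, issuer, audience, expiry) are the ones a server-side get-token endpoint would need before trusting the JWT.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (assumptions, not IDPV configuration). A real IdP would
# normally sign with an asymmetric key; HS256 keeps the example self-contained.
IDP_SECRET = b"demo-idp-signing-secret"
EXPECTED_ISSUER = "https://idp.example.test"   # placeholder IdP
EXPECTED_AUDIENCE = "idpv-server"              # placeholder audience

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def idp_issue_jwt(subject: str, now: int, ttl: int = 300) -> str:
    """Step 3 of the flow: the IdP issues a JWT to the Systray after authentication."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
              "sub": subject, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(IDP_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def server_get_token(jwt: str, now: int, user_tokens: dict) -> list:
    """Step 5 of the flow: the server validates the forwarded JWT and returns the
    caller's token names. Raises ValueError on any failed check."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, c, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":           # reject 'none' and unexpected algorithms
        raise ValueError("unexpected alg")
    expected = hmac.new(IDP_SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):   # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return user_tokens.get(claims["sub"], [])
```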
Performing a PKI operation
- The user’s request is forwarded to SAC. A PIN prompt for smart card logon is displayed.
- SAC sends an Application Protocol Data Unit (APDU) command to the smart card through the virtual Personal Computer/Smart Card (PCSC) reader.
- A session is established between the smart card and the IDPV server using a challenge-response mechanism.
- Depending on the tenant configuration, the IDPV server retrieves the wrapped keys required for the operation from its database.
- The required data is sent back from the IDPV server to the IDPV client service.
- The IDPV client service forwards the data to the virtual PCSC reader.
- The virtual PCSC reader sends the response to SAC.
- The user selects the appropriate certificate and completes the PKI operation.
The SafeNet IDPrime Virtual solution provides the following services: