Solution Architecture

This section describes architecture of the SafeNet IDPrime Vitual solution for windows.

SafeNet IDPrime Virtual Service

The SafeNet IDPrime Virtual (IDPV) Service runs under the Local System Account.

This service provides the smart card simulation and redirects crypto operations to the IDPV Server in online mode or to the TPM of the PC in offline mode.

SafeNet IDPrime Virtual Application

This application manages the following connections to the Identity Provider (IDP) service and associated JWTs:

• Communicates with the IDPV service via the Pipe.
• Receives the username and the IdP configuration (STA) from the IDPV service.
• Connects to the IdP service to receive a validation ticket (JWT) with a user authorization.

The application provides the following operations for the end-user:

• Connects the service to the server.
• Disconnects the service from the server.
• Connects and disconnects token.
• Receives JWT from the IdP service for connect and refresh JWT operations.
• Provides end-user notifications from the service.
• Supports on behalf provisioning.
• Checks status of connected tokens.

SafeNet IDPrime Virtual Server

The server has the following main components:

• HSM service (used to provide crypto operation and private key hosting)
• IdP server
  • Thales Products (STA, DigID, Keycloak Agent for SAS PCE)
  • Keycloak Server
  • Okta
  • PingFederate
• Database

The IDPV server performs the following functions:

• Manages the IDPV Tokens stored in the database.
• IDPV Token contains the user’s Private Key.
• Server is accessed, used, and managed via Server requests.
• Server requests have the following authorization levels:
  • User Access Control
  • Admin Access Control