Introduction
Organizations increasingly need to manage both PKI certificates and passkey credentials on the same hardware security key. This is often required when, for instance, a certificate is used for on-premises authentication and a separate passkey is needed for cloud services like Microsoft 365 Copilot. This article describes different options within vSEC:CMS on how you can achieve this.
Configure Support
We will demonstrate vSEC:CMS's capability with a straightforward use case: managing a Hybrid Identity user synchronized across Microsoft Entra ID and on-premises Active Directory (AD).
Successful user identification requires a shared, unique attribute value across both directories. In this article we will use a scenario where the user's AD on-premises UPN value is stored in Entra ID.
At minimum, you must already have completed the configuration steps described in the article Setup Evaluation Version of vSEC:CMS. The instructions in this document apply regardless of whether you are running the evaluation version or a production version.
Additionally, you should have configured support for managing passkeys with Microsoft Entra ID as described here.
Create Variable
Log onto the Admin console as an operator who has the permissions to create credential templates and navigate to Options - Variables. Add a new variable similar to the below example.
Configure LDAP Connection
We will use an LDAP query to retrieve the on-premises AD user from the selected Entra ID user at the start of the issuance process. Therefore an LDAP connector must be set up.
1. From Options - Connections click the Configure button and make sure that LDAP Server is in the Selected window.
2. Then from Options - Connections click LDAP Server to add a template.
3. Enter a template name and enter the hostname for the LDAP server along with the port and protocol, and enable SSL/TLS if a secure connection is required. Click the Test Connection button to ensure that the LDAP server is reachable from the system that vSEC:CMS is running on. If simple authentication parameters are required, enable this option and provide the username and password needed to connect to the LDAP server. Click the Save button when complete.
Configure Template
Navigate to Templates - Credential Templates. Click Add. Select Edit beside General.
Enter a template name and click Detect. Make sure that you have the credential attached that you will manage with this template. If you have more than one credential attached select the correct one from the drop-down list. You should see more details presented in the pane below about the credential and select Ok to close.
Enable the Enable FIDO2 and Supports multiple role(s) checkboxes and leave all other settings as is. Click Ok at the bottom of the dialog to save and close.
Click the Edit link for Issue Credential. In this article we will be issuing on-behalf of so select Issue by Operator(s). Enable Assign user ID and select your Entra ID connector already configured.
Click the Manage button. The Entra ID connector should be selected automatically; click Edit. Click Add. Enter a name and a filter. The filter is used when searching for users in your Entra ID when performing operations on credentials. We recommend a filter similar to (displayname=%s*). Click Ok to save and close.
Click the Edit button.
Select the variable created earlier and click the Get button. Select a user from Entra ID and then select the attribute that contains the on-premises UPN of the user. Click Ok to save the selection and then the Ok button to save and close out of this section.
Click Save to save and close out.
Click the Roles button and then the Add button. Enter a template name and select From query (Run LDAP query to retrieve ID) from the drop-down list. From the Query and verify user ID using drop-down list select the LDAP connection created earlier.
Click the Add button. Enter a name for the template and click the Get button. Select the BaseDNs to use and in the Filter enter (userPrincipalName=${EntraID-OnPrem-UPN}), where userPrincipalName is the attribute name in AD and ${EntraID-OnPrem-UPN} is the variable name created earlier in this article. Click Ok to save and close.
Leave all other settings as is and click Save to close and save.
Select the template from Role templates and click Add. Click Ok to close.
In the Enroll Certificate Options section enable the Enroll certificate(s) check box. Click the Add button.
In the User ID drop-down field select the template created earlier. You can enable Fail if role account does not exist, which stops the credential issuance if the user cannot be found in the on-premises AD. Select your CA from the drop-down list and select the certificate template that is to be issued. If the credential type is PIV, select the card key container. Click Ok to save and close.
Enable FIDO2 Enrollment and select your FIDO2 template already configured.
Leave all other settings as is and click the Ok button at the end of the dialog to save and close.
Click the Edit link for Initiate Credential and enable Update Credentials at FIDO2 IdP. This will push the passkey for the user to Entra ID when setting the FIDO2 PIN on the credential.
Click the Edit link for Inactivate Credential and enable Update Credentials at FIDO2 IdP. This will remove the passkey on the IdP. You might do this if a user is on leave and you want to disable their passkey.
You cannot temporarily disable a passkey with the IdP. Therefore, if you disable a credential, you must reissue it entirely, i.e. revoke - retire - unregister and issue again.
Click the Edit link for Revoke Credential and enable Update Credentials at FIDO2 IdP. This will update the IdP when the authenticator is revoked. Additionally, enable Force FIDO2 Authenticator data deletion at IdP which will cancel the credential revocation process if the FIDO2 passkey could not be removed from the IdP.
Click Ok to save and close the configuration for the template.
Issue Credential Centrally
The credential can be issued using either the vSEC:CMS Admin or Agent application. For either of these applications, refer to the articles Install Admin Application and Install Agent Application for instructions on how to set them up.
In this guide we will use the Agent Application.
Navigate to the Life Cycle tab and with a credential attached select the Issued oval along with the template from the available drop-down list and click Execute.
This will trigger the issuance flow. You will be prompted to select a user from your Entra ID directory who the token will be issued to. During the flow the user's on-premises AD UPN will be retrieved from an attribute in Entra ID. Then using this value an LDAP query will be run against the on-premises AD to get the user's DN. The certificate will then be issued to that person with the retrieved DN from the LDAP query.
At the end of the issuance the token will be Issued. You can activate the token by selecting Active and have the end user set a PIN for the certificate credential and then a PIN for the FIDO2 credential.
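The lookup in this flow, as an added illustration (not vSEC:CMS code) on constructed sample data: it reads the on-premises UPN from an Entra ID attribute (the attribute name onPremisesUserPrincipalName is assumed), escapes it per RFC 4515 before substituting it into (userPrincipalName=...), and requires exactly one AD match before returning the DN, mirroring the Fail if role account does not exist option.

```python
# Added illustration, not vSEC:CMS code: models the role lookup described above.
import re

# Constructed sample data (not a real tenant or domain).
ENTRA_USER = {"displayName": "Alice Example",
              "onPremisesUserPrincipalName": "alice@corp.example"}
ONPREM_AD = [
    {"dn": "CN=Alice Example,OU=Users,DC=corp,DC=example",
     "userPrincipalName": "alice@corp.example"},
    {"dn": "CN=Bob Example,OU=Users,DC=corp,DC=example",
     "userPrincipalName": "bob@corp.example"},
]

# RFC 4515 escapes for characters that would otherwise change the filter's structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it is matched literally, never parsed as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def unescape_filter_value(value: str) -> str:
    """Reverse of escape_filter_value; stands in for what the LDAP server does."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_filter(entra_user: dict, attr: str = "onPremisesUserPrincipalName") -> str:
    """Build the (userPrincipalName=...) filter; attr plays the role of ${EntraID-OnPrem-UPN}."""
    upn = entra_user.get(attr)
    if not upn:
        raise ValueError(f"Entra ID user has no value in {attr}")
    return f"(userPrincipalName={escape_filter_value(upn)})"

def ldap_search(directory: list, ldap_filter: str) -> list:
    """Minimal stand-in for an equality search: literal comparison after unescaping."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter")
    attr, wanted = m.group(1), unescape_filter_value(m.group(2))
    return [e["dn"] for e in directory if e.get(attr) == wanted]

def resolve_role_dn(entra_user: dict, directory: list, fail_if_missing: bool = True):
    """Return the on-prem DN the certificate is issued to; exactly one match is required."""
    hits = ldap_search(directory, build_filter(entra_user))
    if len(hits) > 1:   # the shared attribute must be unique across both directories
        raise LookupError("UPN is not unique in AD; refusing to pick one")
    if not hits:
        if fail_if_missing:   # mirrors "Fail if role account does not exist"
            raise LookupError("no on-prem AD account for this Entra ID user")
        return None
    return hits[0]
```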
Issue Credential via Self-Service
The credential described above can also be issued through a user-friendly self-service flow. This is ideal, for example, when remote end users need to perform the issuance themselves. We will build on the central issuance configuration above to show how to configure and use this self-service use case.
Add Self-Service Issuance
You can either clone (from Templates - Credential Templates and select the template and click the Clone button) or extend the existing template we created in the section Configure Template above. Navigate to the General section. Click the Manage button in the Self-service using the following template section.
Select the template created earlier and click Edit. Enable Self-issuance enabled check box and click Save to close and save. Close the dialog and select Cancel at the bottom of the General dialog.
Select Edit in the Issue Credential section.
Enable Automatically initiate credentials after issuance and Issue by User(s). Click the Configure button. In the User ID from drop-down select the Entra ID template where the user will be selected from. In the Authenticate user using drop-down select the Entra ID OAuth template that will be used to authenticate the user during credential issuance. Click Ok to save the changes and close.
Click Ok to save and close.
Click Ok to complete and close the template configuration.
Issue from vSEC:CMS User Application
On a client open the vSEC:CMS User application that is already configured to connect to the backend service. Navigate to the Credential tab and select the correct reader that the credential is connected to and click Issue.
From the Credential template select the template created earlier and click Issue.
Follow the on-screen prompts to authenticate with your OAuth credential and set PINs for both FIDO2 and certificate credentials. Once complete you should be able to perform certificate based authentication and FIDO2 passkey authentication.