Introduction
From version 6.6 it is possible to configure vSEC:CMS to generate and retrieve a Temporary Access Pass (TAP) through an already configured Azure AD connection. A TAP is a time-limited passcode, configurable for single or multiple use, that lets a user bootstrap other authentication methods such as FIDO2 tokens. This article describes how to configure vSEC:CMS to generate a TAP and deliver it to the user when issuing a supported credential in vSEC:CMS.
You must already have a connection to Azure AD set up, and the TAP authentication method must be enabled in your Azure AD tenant. See the article Azure AD Configuration for details on how to set up a connection to Azure AD.
Configure
We will create a basic template where we will issue a credential from Azure AD and export the TAP as part of the issuance flow.
Step 1 - Set up Email Template
An email template is required; it is used to send the TAP when the credential is issued. See the section Email in the article Connection for details on how to set up an SMTP email connector.
Navigate to Options - Connections - Data Export and click Add. Enter a template name and select Email (Export to email) from the Target drop-down list. Enable Send email automatically and click the Configure email button. Configure the email details, using vSEC:CMS variables mapped to attributes to retrieve the data needed when sending the TAP by email. For the TAP, use these two variables: ${AadTapId} (the identifier of the TAP) and ${AadTapCode} (the passcode itself).
Click Ok to save and close the settings.
Select the already configured SMTP connector from the SMTP server drop-down list.
Click Save to save and close out.
Step 2 - Create Credential Template
The next step is to create a basic credential template that will be used to issue the credential and send the TAP by email to the credential holder.
You must already have a connector to Azure AD configured. See the section Configure AAD Connection in the article linked above for details.
Navigate to Templates - Card Templates and click Add.
1. Click the Edit link beside General. Enter a template name, attach the credential that this template is to manage, click the Detect button, wait for vSEC:CMS to detect the credential type and click Ok.
Leave all other settings at their defaults and click Ok to save and close.
2. Click the Edit link beside Issue Card. In the User ID Options section, enable Assign user ID and select the Azure AD connection from the drop-down list.
In the Data Export section, click the Configure button. From the drop-down box select the email data export template created in Step 1 and click Add. Click Ok to save and close.
Leave all other settings as they are and click Ok to save the settings.
3. Click Ok to save and close the template.
Issue Credential
From the Lifecycle page, attach a blank credential to your host.
Click the Issued oval, select the template from the Select card template drop-down list and click Execute.
You will be prompted to enter your Operator passcode before issuance begins. You will then be prompted to select the Azure AD user to whom the credential will be issued. Select the user; at the end of the process a short summary dialog lists the operations that were performed.
An email containing the TAP is sent to the user's email address as set in Azure AD. Because the TAP is itself a credential, keep its lifetime short and prefer single-use TAPs in the Azure AD TAP policy.
Additionally, you can generate a new TAP for an existing user from Actions - Smart Card Unblock: search for the user and click the Request TAP Code button.
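The following PowerShell script is an added example and is not vSEC:CMS code; the article does not describe how vSEC:CMS talks to Azure AD, so the script shows the equivalent operations directly against Microsoft Graph. It covers the prerequisite stated at the top of the article (the TAP method must be enabled in the tenant, including its lifetime limits) and the on-demand generation shown under Request TAP Code: it reads the tenant TAP policy, requests a single-use TAP for one user with the shortest lifetime the policy allows, and returns the values that correspond to what the email template consumes. The user principal name is a placeholder, and the mapping of the Graph response fields to the ${AadTapId} and ${AadTapCode} variables is an assumption. It requires the Microsoft.Graph.Authentication module and an account holding the Authentication Administrator role (Privileged Authentication Administrator if the target user holds an admin role).

```powershell
# Added example (not vSEC:CMS code): inspect the tenant TAP policy and request a
# single-use TAP for one user through Microsoft Graph.
# Requires: Install-Module Microsoft.Graph.Authentication
param(
    # Placeholder UPN; replace with the user you are issuing a credential to.
    [string]$UserPrincipalName = "alice@contoso.example"
)

Connect-MgGraph -Scopes "Policy.Read.All", "UserAuthenticationMethod.ReadWrite.All" -NoWelcome

# 1. Confirm the Temporary Access Pass method is enabled and read its limits.
$policyUri = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/" +
             "authenticationMethodConfigurations/temporaryAccessPass"
$policy = Invoke-MgGraphRequest -Method GET -Uri $policyUri

if ($policy.state -ne "enabled") {
    throw "TAP is not enabled in this tenant. Enable it under Azure AD > Authentication methods before configuring vSEC:CMS."
}
"TAP policy: default {0} min, allowed {1}-{2} min, single-use enforced: {3}" -f `
    $policy.defaultLifetimeInMinutes, $policy.minimumLifetimeInMinutes,
    $policy.maximumLifetimeInMinutes, $policy.isUsableOnce

# 2. Request a TAP with the shortest lifetime the policy permits, single-use.
#    Graph rejects lifetimes outside the policy range and rejects isUsableOnce=false
#    when the policy enforces single use, so derive both from the policy.
$body = @{
    lifetimeInMinutes = $policy.minimumLifetimeInMinutes
    isUsableOnce      = $true
} | ConvertTo-Json

$tapUri = "https://graph.microsoft.com/v1.0/users/$UserPrincipalName/authentication/temporaryAccessPassMethods"
$tap = Invoke-MgGraphRequest -Method POST -Uri $tapUri -Body $body -ContentType "application/json"

# 3. The passcode is returned in this response only; it cannot be read back later.
#    Assumed mapping: 'id' is what the email template gets as ${AadTapId} and
#    'temporaryAccessPass' is what it gets as ${AadTapCode}.
[pscustomobject]@{
    TapId     = $tap.id
    TapCode   = $tap.temporaryAccessPass
    ValidFrom = $tap.startDateTime
    Lifetime  = $tap.lifetimeInMinutes
    SingleUse = $tap.isUsableOnce
}

# If the email never reaches the user, revoke the TAP rather than leaving it live:
# Invoke-MgGraphRequest -Method DELETE -Uri "$tapUri/$($tap.id)"
```

Run the policy check once when validating the Azure AD connection for vSEC:CMS; if it reports the method disabled or the user out of scope of the policy's include targets, the vSEC:CMS issuance flow has nothing to export and the email template variables will be empty.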