An operator can manage enterprise roles from the left menu by navigating to Enterprise > Manage > Roles.


  1. Click "Enterprises" in the left menu; a sub-menu appears in the drop-down. Navigate to "Registered" and click it to move to the next screen. 
  2. Click the button against a specific enterprise and click "Manage" to manage its configurations. Then click "Roles". 


Two roles with the following titles will be added when a new enterprise is registered:


  1. Enterprise Users (Enterprise Registration/Email ID)
  2. Applicant Representative
  3. Default Role (User Registration/Citizen ID)


Create a new role:

  1. The operator can add a role by clicking on the button. 
  2. The operator then needs to enter the name and description, and can also set that role as default by ticking the check box "Default". 




Once an operator adds or edits a role, the module section form appears with all allowed modules. It is at the discretion of the operator to allow the read, add/edit and delete options against the allowed modules. The operator can also set the role as 'Default'. 



An operator can add, update and delete enterprise roles. By default, only one role is created when an enterprise is registered. 




Click and then the Edit button to find the following sections on this screen:


  1. Module 
  2. Certificate Management 
  3. Enrolments 
  4. Certificate Access
  5. Login Authentications 


Following is the description of each section in detail:


  1. Module 


When an operator creates a new role, all options to "Read, Add/Edit and Delete" against the allowed modules are unchecked. The operator can choose from these options to assign them to the role for the allowed modules. Two screenshots are added below to display all the modules (including Windows Enrolment):





  2. Certificate Management 


A user can create specific certificates using different configurations and can manage certificate key generation for the following:


  • Key Stores
    • Server-side keys and certificates 
    • Certificates with CSR






Key Stores

  • Server-side Keys & Certificates: Select this check box to configure profiles for server-side keys and certificates. Then, from the drop-down, select the profiles that you want to allow for a role that belongs to an enterprise.
  • Certificates with CSR: Select this check box to configure profiles with CSR. Then select the profiles that you want to allow for a role that belongs to an enterprise.
  • Virtual ID check box: Select this check box to configure profiles to enable Virtual ID.
  • Profiles to create certificates for Virtual ID (remote authorisation): Select the profiles that you want to use to create Virtual ID certificates.
  • Certificate profile for user registration (Virtual ID): Select a profile to create a default Virtual ID certificate.
  • Enable Virtual ID Auto Registration: Select this check box to allow auto registration of the Virtual ID in ADSS Server during user registration in ADSS Web RA Server.
  • Desktop Signing check box: Select this check box to configure profiles to enable Desktop Signing.
  • Profiles to create certificates for Desktop Signing: Select the profiles that you want to use to create certificates for Desktop Signing.
  • Desktop Signing profile for user registration: Select the profile that you want to use to register the user and create a default certificate for Desktop Signing.
  • Provision certificates in Desktop Signing: Select this check box to allow certificate provisioning for Desktop Signing to users allowed in this role.
  • SigningHub check box: Select this check box to configure profiles to enable SigningHub.
  • Default certificate profile for SigningHub: Select the profile that you want to use to register the user and create a default certificate for SigningHub using Virtual ID.
  • Enable SigningHub Auto Registration: Select this check box to allow auto registration of the user in SigningHub during user registration in ADSS Web RA Server.


  3. Enrolments 


A user can create specific certificates using different configurations and can manage certificate key generation for the following enrolment methods:


  • Device Enrolment
    • SCEP
    • CMP
    • ACME
    • EST
  • Windows Enrolment 
    • Windows User Enrolment 
    • Windows Device Enrolment 



  4. Certificate Access 


This section allows an enterprise owner to manage certificate access and certificate sharing amongst the enterprise users. 



  5. Login Authentications 


An operator can configure primary authentication and secondary authentication for login. 


(If Secondary Authentication is enabled in the service plan, it will also appear in the same section)


Advanced Settings 

  • Primary Authentication Profiles: When primary authentication is configured as the login authentication, it allows an enterprise RAO to log in to the ADSS Web RA User Portal through the authentication type configured in this profile. An operator can select multiple primary authentication profiles here.
  • Enable secondary authentication: Tick this check box to enable secondary authentication.
  • Secondary Authentication Profiles: When secondary authentication is configured as the login authentication, it allows an enterprise RAO to log in to the ADSS Web RA web portal through the authentication type configured in this profile.


The screenshot below displays primary password authentication and OIDC as secondary authentication, as an example:



Certificate Details


An administrator can control SDNs and SAN extensions for certificate requests in the "Role" section from the admin portal. This is based on the mechanism selected from the "Certificate Detail Provider" drop down. 


An operator can choose one of the following three mechanisms from the "Certificate Details" drop down: 


  1. None
  2. Operator
  3. Authentication (OIDC as primary authentication)


Certificate Detail

  • Authentication: If Authentication is selected from the drop-down, the SDN values are filled from the user's login authentication mechanism. ADSS Web RA currently supports the following login mechanisms:
    • User name/Password
    • SAML
    • Active Directory
    • Azure Active Directory
    Note:
    • In authentication, the system will not allow an operator to control SAN values.
    • If any information (Name, Job title, etc.) is not present in the authentication data, the user will be able to add it manually while creating a new certificate request.
  • Operator: An administrator will control the values of the SDNs.
  • None: If None is selected from the drop-down, users can fill in the SDN values manually.


Click "Roles", then click the tab "Login Authentications".


From the "Certificate Details Provider" drop down you can define the SDNs and SANs.


In case of None:


If an operator does not set any value to SDN in the certificate details, the user will set it while creating a certificate request. To enable this, select None. 



Click Save. 


In case of Operator:


If an operator wants to set and select SDNs and SANs, select Operator:



Values of the Subject Distinguished Name (SDN) that are present in the user's authentication profile will be auto-filled from the selected authentication mechanism, if it exists, while creating a certificate request.


Click Save.


In case of Authentication:


If an operator wants to set and select SDNs, select Authentication:



Values of the Subject Distinguished Name (SDN) that are present in the user's authentication profile will be auto-filled from the selected authentication mechanism, if it exists, while creating a certificate request.


When the Primary Authentication profile is OIDC and you select Authentication as the Certificate Detail Provider, the following fields appear:

Certificate Detail

  • Claims: Enter a claim. You can set multiple claims based on different SDNs.
  • Subject Distinguished Name (SDN): Select an SDN from the list and then click the + button to confirm your entry.


Click Save. 


Default Role (User Registration / Citizen ID)


When a user is registered through citizen ID, an operator will perform the following configurations: 


  1. Registration form claim mapping.
  2. Enable auto-registration for Virtual ID and SigningHub. 


Enable auto-registration for Virtual ID and SigningHub


Expand Enterprises > Registered > Enterprise Name > Manage > Roles. 


Then click Edit against the Default Role.



Click the Certificate Management tab.


Select the profiles from the Key Stores. 


Then select the Virtual ID check box.


Virtual ID 

  • Profiles to create certificates for Virtual ID (Remote authorisation): Select a profile from the list to create Virtual ID certificates.
  • Certificate profile for user registration (Virtual ID): Select a profile to create a Virtual ID user and to create a default Virtual ID certificate.




Select the SigningHub check box


SigningHub (NCSC in this example)

  • Default certificate profile for SigningHub: Select None from this drop-down.
  • Enable SigningHub Auto Registration: Select this check box to enable auto registration in SigningHub.



Then click Save. 


Registration form claim mapping


Click Login Authentications.


Select an OIDC profile as the Primary Authentication Profile from the drop-down. 


Certificate Details 

  • Certificate Details Provider: Select Authentication from this drop-down.


Claims

  • Claim: Select a claim against the SDN.
  • Subject Distinguished Name (SDN): Click + and select an SDN from the list. These fields include 


These claims will appear in the Sign up form under the SDN section. 




Claims

  • Claim: Select a claim against the registration fields.
  • Registration Fields: Click + and select an SDN from the list. These fields include Name, Job Title, Virtual ID, Citizen ID, Default Capacity (for signing purposes while provisioning a certificate in SigningHub), CSP User Name, Email Address and Mobile Number. 


These claims will appear in the Sign up form under the user registration section. 



Once you have completed all configurations, click Save.
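As an added example (not ADSS Web RA code), the following Python models the three Certificate Details Provider mechanisms described above (None, Operator, Authentication) together with the OIDC claim-to-SDN mapping configured in the Claims tables: claims present in the token auto-fill the SDN, attributes missing from the token are left for the user to add manually, and under Authentication the operator does not control the SAN. The attribute names, claim names and sample token are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

SDN_ATTRIBUTES = ("CN", "OU", "O", "E")   # assumed attribute set for this example
# Constructed OIDC ID-token claims, as the user portal might receive after login.
SAMPLE_CLAIMS = {"sub": "u-1001", "name": "Alice Example",
                 "email": "alice@example.test", "org": "Example Ltd, Inc."}
# Constructed claim -> SDN mapping, as entered in the role's Claims table ("department" is absent above).
SAMPLE_MAPPING = {"name": "CN", "email": "E", "org": "O", "department": "OU"}

@dataclass
class SdnResult:
    provider: str
    values: dict = field(default_factory=dict)        # resolved SDN attribute values
    manual_fields: list = field(default_factory=list) # attributes the user types in
    operator_controls_san: bool = True                # False under Authentication

def escape_rdn_value(value: str) -> str:
    """Escape an attribute value per RFC 4514 so commas etc. cannot split the DN."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def resolve_sdn(provider, claims=None, mapping=None, operator_values=None, user_values=None):
    """Apply the selected Certificate Details Provider mechanism to one request."""
    claims, mapping = claims or {}, mapping or {}
    operator_values, user_values = operator_values or {}, user_values or {}
    if provider == "None":        # the user fills every SDN value manually
        return SdnResult(provider, dict(user_values), list(SDN_ATTRIBUTES))
    if provider == "Operator":    # the administrator controls the SDN values
        return SdnResult(provider, dict(operator_values))
    if provider != "Authentication":
        raise ValueError(f"unknown provider: {provider}")
    result = SdnResult(provider, operator_controls_san=False)
    for claim, attr in mapping.items():
        if claims.get(claim):     # auto-filled from the login authentication
            result.values[attr] = str(claims[claim])
        else:                     # not in the token: the user adds it manually
            result.manual_fields.append(attr)
            if user_values.get(attr):
                result.values[attr] = user_values[attr]
    return result

def format_dn(values, order=SDN_ATTRIBUTES):
    """Render the resolved attributes as an RFC 4514 string in a fixed order."""
    return ",".join(f"{a}={escape_rdn_value(values[a])}" for a in order if a in values)
```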