Enable Axiad Confirm

To enable Axiad Confirm, you must complete the following steps in Axiad Conductor and the Identity Provider.

Add the properties below in the UCMS config.properties to support the Axiad confirm feature. This will be required when deploying “UCMS 4.26” and “UP 2.21” versions.

Pre-requisites

Required Access

1. Administrative access to UCMS Operator Portal

2. Domain Administrator access to Active Directory (if deploying on premise AD)

3. SSH/root access to UCMS server

4. Jumio tenant credentials (Client ID and Client Secret)

Information to Gather Before Starting

1. UCMS base URL (e.g., https://your-ucms.example.com/ucms/)

2. User Portal URL (e.g., https://your-portal.example.com/user/)

3. AD Domain Controller hostname and IP address

4. Jumio Authentication Token URL

5. Jumio Account URL

6. Jumio Retrieval URL

7. Jumio Client ID and Client Secret

Update Role Management

Update Role Management in UCMS as follows:

1. Grant Read and Modify privileges to screens / functionalities to the operator role

   1. Configuration: Verification Server List

   2. Configuration: Verification Servers - Create/Edit Jumio Verification Server

2. Grant Allow access privileges to REST APIs to the UCMS_API role

   1. POST /api/v2/users/{uid}/verification This allows UP or an external system to initiate the Identity Verification process

   2. GET /api/v2/users/{uid}/verification/status This allows UP or an external system to retrieve the Identity Verification status

   3. GET /api/v3/users/IdVerification/reports This allows UP or an external system to display the transaction consumption

   4. Reset User ID Verification Status: allows to delete a user’s transactions in Jumio

   5. GET /api/v2/users/{uid}/password: allows to reset AD password

Note

These privileges can also be given to a custom API role if you would like to integrate your own tool with Axiad Confirm

Upcoming

API documentation for these APIs will be part of the next Confirm release

3. Grant additional privileges to other actions to the required roles

   1. IdConfirmationStatus This enables the help desk operator to see an additional column in the Unified Portal (UP)with the ID Confirmation status

   2. ConfirmID This enables the help desk operator to initiate an Identity Verification for users, with the “Confirm ID” action in UP

   3. DeleteConfirmId

Integrate Identity Provider

Currently, Axiad Confirm supports only Microsoft Entra ID. Connect Entra ID to Axiad Conductor using the integration guides.

Create / Update SCIM User Source

Axiad Confirm uses a few attributes to send emails to users and to define from which country and state they are for default selection of the government-issued ID. In the next release, the onboard date will allow you to automatically send an email to the user on their first day.

1. Create or edit an existing SCIM User Source

2. Add the following as Custom Attributes:

Update Entra ID Attribute Mapping

1. In the Microsoft Entra admin center, navigate to the Axiad Conductor Enterprise application

2. In the Manage menu, click Provision

3. In the Manage menu, click on Attribute mapping (Preview)

4. Click Provision Azure Active Directory Users

5. Click Show advanced options

6. Click Edit attribute list for <Axiad Conductor Enterprise Application>

7. Add the following attributes at the bottom of the page:

8. Save the settings

9. Click Add New Mapping

Required

Only provisioning the country attribute is mandatory, but Axiad recommends provisioning all attributes if possible

Active Directory Attributes Mapping

Reset the user’s AD password once verification is successful Once verification is successful in Axiad-Confirm, the user's password will be reset in AD.

1. Configure UCMS to Use AD Hostname

In UCMS → AD Configuration, replace the IP address with the AD hostname.

2. Update UCMS Server Hosts File

   a. Get the AD server hostname by running nslookup on the AD server:

bash

Add the following entry:

3. Export and Import AD Certificate

   3. Export the certificate from AD (run on UCMS server or any machine with OpenSSL): bash

openssl s_client -connect SRV01DC.domain.local:636 -showcerts </dev/null | \ sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > dc-cert.cer

2. Verify the certificate was exported: bash

bash

keytool -import -trustcacerts -alias dc-cert \ -file dc-cert.cer \ -keystore /opt/java/jre/lib/security/cacerts

Note: The keystore path may vary depending on your Java installation.

4. Restart UCMS service.

4. Delegate Password Reset Permissions in AD

The User Bind DN account configured in UCMS must have permission to reset user passwords in AD.

On the Domain Controller:

1. Open Active Directory Users and Computers

2. Right-click on the domain → Select Delegate Control

3. Select the User Bind DN account used in UCMS AD configuration

4. Grant the following permission:

   • ✅ Reset user passwords and force password change at next logon

5. Complete the wizard

Create Verification Server

A verification server is required to connect to the identity verification service used by Axiad Confirm. Following the configuration steps in the Create a Verification Server guide.

Create / Update Credential Workflow

1. Create or edit a Credential Workflow

2. In the Configure Workflow Steps section, select Confirm Outcome in the left-side menu

3. Select the Identity Provider from the dropdown

4. Click Done

5. Save the configuration

Optional: Update Notification Template

You can modify the content in the emails sent to users during the Axiad Confirm process.

1. In the Axiad Conductor Operator Portal, navigate to Configuration > Notifications > Notification Templates

2. Locate the Mail to user about Identity Verification template and click the Edit icon

3. Make any preferred changes and Save the template