Placeholder

Disable Net iD SSO for a specific application

The SSO feature in Net iD is highly appreciated. But in some scenarios you want a specific application to always prompt for PIN.

Web

In a web scenario with mutual TLS/SSL in IE you can use the Net iD Plugin to logout from the card before the negotiation starts.

<script type="text/javascript">

function logoutonpageload() {

if((navigator.userAgent.indexOf("MSIE") != -1 ) || (!!document.documentMode == true )) {

iid_Invoke('Logout');

document.execCommand("ClearAuthenticationCache");

window.location = "/netid/demo/ssl";

}

else {

iid_Invoke('Logout');

window.location = "/netid/demo/ssl";

}

}

</script>

Test it here: check_for_smartcard_clearpin.html

Note: Make sure that your Logout-operation does not interfere with other running applications

Traditional clients (exe)

One method is of course to build you own PIN-dialog and enforce that so the user has to enter PIN no matter if the PIN is cached by Net iD SSO.

You could also call the Net iD Plugin (COM-object) to do Logout just like in the web scenario described above.

But maybe the best method is to change the configuration of Net iD to exclude the binary itself from the SSO system

HKEY_LOCAL_MACHINE\SOFTWARE\SecMaker\NetiD\Enterprise\SingleSignOn
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SecMaker\NetiD\Enterprise\SingleSignOn

Disable Net iD SSO for a specific application

*If using GPO to control Net iD configuration, “Policies” key is read first:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SecMaker\NetiD\Enterprise\SingleSignOn

Disable Net iD SSO for a specific application

Example:

Net iD SSO active, no PIN required

Disable Net iD SSO for a specific application

Net iD SSO active, PIN required for wscript.exe even if the PIN is cached

Disable Net iD SSO for a specific application

Dela denna artikel

Relaterat