SmartFace Station

Please see below advanced guides for the SmartFace Station. The guides are split into few categories:

Configuration

These guides are focusing at advanced configuration, actions and settings that are not covered in the SmartFace Station manuals.

Mounting a video as a camera source

In the SmartFace Station you can mount a video file instead of the RTSP stream if needed. To mount a video the video needs to be accessible to the browser accessing both the SmartFace Station and the video.

The easiest way to achieve availability of a video is to upload it into the SmartFace’s S3 bucket in the Min.IO object database.

Uploading a Video into Min.IO

To upload a video into the Min.IO please visit your Min.IO’s on the port 9000, if you are using the same machine as it is installed on the URL would look like: http://localhost:9000. You will be redirected to http://localhost:9001/login. Here you can log in using the default username minioadmin and password minioadmin. It is recommended to change this for security reasons.

Once you are logged in, you can click on the Create Bucket + button to create a new bucket. We will use this bucket to separate our additional videos from the internally managed data from the SmartFace platform.

In the Create Bucket page pick a name. For the example purposes we will use the name videos.

The newly created bucket will be now available in the list of buckets. Click the Browse -> button.

To upload a video, click on the click the Upload button. Uploaded files are visible.

To ensure we can use the videos for our intended purposes we need to adjust the access policy. The Default private policy might be the right one for us. Please click on the Manage button for the bucket. Then click on the Access Policy.

Pick the right policy. In our example we will use public.

Adding a Video as a RTSP camera source

To use the video in a new camera, click on REGISTER CAMERA button. In the camera configuration in the SmartFace Station. As a RTSP / VIDEO SOURCE use the full path to the uploaded video. Unless configured differently, for the URL please use the http://minio:9000/ then the name of the bucket and the name of the file. In such a case the full URL to be used will be http://minio:9000/videos/facetest.mp4.

How to disable video looping on video as a camera source

When you use a video as an input source, per default the video will be repeating on a loop. To avoid infinite looping we can set the video to run only once.

To disable looping, set ProcessVideoOnlyOnce parameter of a camera to true. It can be done via the REST API. This parameter is hidden and it will be not be visible as an option in the swagger. To change specific camera configuration, use PUT command of Camera endpoint.

A sample of an incomplete put command is below:

{
    "spoofDetectorResourceIds": [
      "none"
    ],
    "id": "53519cb1-c75e-4ad2-44cd-08da8fde8bfe",
    "name": "Video Input Camera",
    "source": "http://minio:9000/videos/facetest.mp4",
    "enabled": true,
    "ProcessVideoOnlyOnce": true,
    "faceDetectorConfig": {
      "minFaceSize": 20,
      "maxFaceSize": 300,
      "maxFaces": 20,
      "confidenceThreshold": 600
    },
    "pedestrianDetectorConfig": {
      "minPedestrianSize": 80,
      "maxPedestrianSize": 2000,
      "maxPedestrians": 20,
      "confidenceThreshold": 2500
    },
    "faceDetectorResourceId": "cpu",
    "templateGeneratorResourceId": "cpu",
    "pedestrianDetectorResourceId": "none",
    .
    .
    }
  }

How to use an USB Camera in the SmartFace

You can use USB cameras, such as web cameras with the SmartFace. The configuration does differ between the Windows and the Docker environments.

Windows Environment

In the Windows environment as long as the USB camera is recognized and the drivers are up to date, you can simply use the number of the camera in the Device Manager on Windows. Please note the count starts from 0. When registering a new camera, in our example we will put 0 as an RTSP/VIDEO SOURCE.

Linux Docker Environment

In the Linux Docker environment we are using gstreamer configuration string. If the camera is up and running correctly then we use the device’s mount point from the /dev/ directory. As an example we will use the device video0.

Update the docker-compose.yml

In the Linux Docker environment we need to allow the camera service to access the device. Please add these lines under the camera service:

devices:
      - /dev/video0:/dev/video0

For a sample camera SFCam2, the docker-compose.yml setup would look like this:

sf-cam-2:
    image: ${REGISTRY}sf-cam:${SF_VERSION}
    container_name: SFCam2
    command: --serviceName SFCam2
    ports:
      - 30002:${CameraDefaults__PreviewPort}
    restart: unless-stopped
    devices:
      - /dev/video0:/dev/video0
    environment:
      - RabbitMQ__Hostname
      - RabbitMQ__Username
      - RabbitMQ__Password
      - RabbitMQ__Port
      - RabbitMQ__VirtualHost
      - RabbitMQ__UseSsl
      - ConnectionStrings__CoreDbContext
      - Database__DbEngine
      - AppSettings__Log_RollingFile_Enabled=false
      - AppSettings__USE_JAEGER_APP_SETTINGS
      - JAEGER_AGENT_HOST
      - S3Bucket__Endpoint
      - S3Bucket__BucketName
      - S3Bucket__AccessKey
      - S3Bucket__SecretKey
    volumes:
      - "./iengine.lic:/etc/innovatrics/iengine.lic"

To apply changes use docker-compose up -d command.

Set source using the gstreamer string

Then a sample gstreamer string will be v4l2src device=/dev/video0 ! video/x-raw, format=YUY2, pixel-aspect-ratio=1/1, width=1280, height=720, framerate=10/1 ! videoconvert ! appsink.

Please add this string as an RTSP/VIDEO SOURCE for a camera.

How to enable video uploading for Rapid Video Investigation

The SmartFace Station is managing the interaction between the SmartFace Platform and the user web browser. During the installation the run.sh script sets the paths for the S3/Min.IO endpoint. This is set to your hostname. If the hostnames are not correcly set for the network and the machines on it, it is possible that in some cases the hostname set for the machine where the SmartFace Platform is running is not accesible to the machine running the browser. This means that the user’s browser can not see the Min.IO path correctly. In this case the upload of a video is not possible.

This situation was updated in the SmartFace Platform version 5.4.22. If you are using and older version and this happens to you, or you are using a newer version and this issue occurs to you, please adjust the S3_ENDPOINT to match your ip, that is accessible for both the SmartFace Station container and the user via a web browser.

To fix the issue for your installation please edit .env.sfstation and update the S3_ENDPOINT to match your ip address as below:

# Setup for S3 / MinIO API
S3_ENDPOINT=http://your-ip-address:9000

How to enable Identification tab

To enable the Identification tab, you need to enable it in the docker configuration and you need to have https certificate on your server.

Enablement in the docker configuration

Open the directory where your SmartFace Platform’s docker-compose.yml is located. Edit the file .env.sfstation and locate the lines below:

#Enabled Identification page
IDENTIFICATION_ENABLED=false

Adjust the IDENTIFICATION_ENABLED line to be true:

#Enabled Identification page
IDENTIFICATION_ENABLED=true

Restart the SFStation service. An easiest way to achieve it is to use this command in the same directory:

docker-compose up -d

Enabling of the HTTPS Certification

To enable the HTTP Certification please read the guide in here.

Testing the results of the enablement

Once you access the SF Station on the port 8000 again, then an additional tab is available:

ℹ️ This feature is available since the version SMARTFACE STATION v5_1.16 and SMARTFACE PLATFORM v5_4.19

How to enable local Camera usage

To enable camera usage in the Identification Dashboard and in the Watchlist Management tab, please ensure the secure https connection is enabled or your Chrome web browser considers your SmartFace Station to be trusted.

Then you can proceed with enabling the Camera usage in the .env.sfstation environment variables configuration file for the docker installation. Please find the configuration below and set the DOT_FACE_CAMERA_ENABLED to be true.

# DOT camera parameters (HTTPS is required)
DOT_FACE_CAMERA_ENABLED=true
DOT_FACE_CAMERA_FACE_CENTER_LIMIT=0.2
DOT_FACE_CAMERA_FACE_CONFIDENCE=0.06

Enabling HTTPS (Certification)

You can can enable and configure the HTTPS Certificate in the .env file. If it is enabled, the Smartface Station would run on https://your-domain. Please note that backend services behind the SmartFace Station server can still use http://.

Configuring the .env file

Please adjust (and add if necessary) values listed in the table below

Variable nameDescriptionExample value
HTTPS_ENABLEDDefine if this feature is enabled/disabledfalse
HTTPS_HOST_NAMEyour-server
HTTPS_KEY_FILEPath to private keyserver.key
HTTPS_CERT_FILEPath to public keyserver.cert

Please put your server.key and server.cert files next to .env file or specify a full path.

To apply the changes, please run the command:

docker compose up -d

Generating your own local certificate

Certificate have to be obtained from verified certificate authority or generated on local machine. For local testing and development purposes it is possible to generate your own certificate. If it is generated on local machine it can be considered by Internet browser as untrusted.

Become local certificate authority

To obtain myCA.key (your private key) and myCA.pem (your root certificate) use the terminal commands below.

mkdir ~/certs
cd ~/certs

//generate the private key to become a local CA
openssl genrsa -des3 -out myCA.key 2048

//generate a root certificate
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem -reqexts v3_req -extensions v3_ca
Apply the local certificates

The locally generated certificates can be applied to browsers. The steps differ depending on the device/OS you are using

Mac

Please run the command below using the myCa.pem file generated:

sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" myCA.pem
Windows

Please follow the below steps for adding the Root Certificate to Windows 10:

  1. Open the “Microsoft Management Console” by using the Windows + R keyboard combination, typing mmc and clicking Open
  2. Go to File > Add/Remove Snap-in
  3. Click Certificates and Add
  4. Select Computer Account and click Next
  5. Select Local Computer then click Finish
  6. Click OK to go back to the MMC window
  7. Double-click Certificates (local computer) to expand the view
  8. Select Trusted Root Certification Authorities, right-click on Certificates in the middle column under “Object Type” and select All Tasks then Import
  9. Click Next then Browse. Change the certificate extension dropdown next to the filename field to All Files (.) and locate the myCA.pem file, click Open, then Next
  10. Select Place all certificates in the following store. “Trusted Root Certification Authorities store” is the default. Click Next then click Finish to complete the wizard.
Linux

For Linux you can install certificate to google chrome (setting → security → manage certificates → add certificate authority → select myCA.pem) or you can add the root certificate. This guide is focusing on Ubuntu Linux distribution.

  1. If it isn’t already installed, install the ca-certificates package.
sudo apt-get install -y ca-certificates
  1. Copy the myCA.pem file to the /usr/local/share/ca-certificates directory as a myCA.crt file.
sudo cp ~/certs/myCA.pem /usr/local/share/ca-certificates/myCA.crt
  1. Update the certificate store.
sudo update-ca-certificates
iOS

Adding the Root Certificate to iOS 14 can be done by following these steps:

  1. Email the root certificate to yourself, so you can access it on your iOS device. Make sure to use the default Mail app to access the email.
  2. Tap on the attachment in the email on your iOS device. It will prompt you to review the profile in the Settings app.
  3. Open the Settings app and click Profile Downloaded near the top.
  4. Click Install in the top right, and then Install again on the Warning screen.
  5. Once installed, hit Close and go back to the main Settings page.
  6. Go to General > About.
  7. Scroll to the bottom and click on Certificate Trust Settings.
  8. Enable your root certificate under “ENABLE FULL TRUST FOR ROOT CERTIFICATES”.
Android

On Android devices, if you move the file manually via USB tether, you can go to Lock screen and security > Other security settings > Install from device storage, then navigate to the certificate file to install it. On older Android devices, the path might be Settings > Security & Screen Lock > Install from storage.

Creating CA-Signed Certificates for Smartface

As an alternative to locally generate and supply the certificates on the device/browser level you can also generate your own certificates that will be used directly by the SmartFace Station. To do so, please follow the steps below:

openssl genrsa -out smartface.test.key 2048

//create a CSR
openssl req -new -key smartface.test.key -out smartface.test.csr

Create smartface.test.ext (X509 V3 certificate extension config file, which is used to define the Subject Alternative Name (SAN) for the certificate)

smartface.test.ext should contain

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = your-hostname

Now we run the command to create the certificate: using our CSR, the CA private key, the CA certificate, and the config file:

openssl x509 -req -in smartface.test.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out smartface.test.crt -days 825 -sha256 -extfile smartface.test.ext

We now have two files: smartface.test.key (the private key) and smartface.test.crt (the signed certificate) which we can use in smartface (copy them next to .env and set HTTPS_KEY_FILE=smartface.test.key and HTTPS_CERT_FILE=smartface.test.crt)

Making SmartFace Station trusted for Chrome

For local development and for testing purposes it might be useful to make the SmartFace Station trusted for the Google Chrome web browser. For production environments we recommend to enable secure https connection. This would allow you to use the local computer’s camera functionality, such as the Identification Dashboard or to allow Watchlist member registration in the Watchlist Management Dashboard directly from the web browser using the web camera.

To make the SmartFace Station trusted in Chrome please follow these steps:

  1. Enter the following URL using your Google Chrome: chrome://flags/#unsafely-treat-insecure-origin-as-secure
  2. Find the section Insecure origins treated as secure. Add your URL including the port (default is port 8000). For example: http://smartface-installation:8000 or http://192.168.0.100:8000
  3. Change the dropdown button to Enabled
  4. Click Relaunch to apply changes

  1. You can check if the Camera Preview option is available in the Identification Dashboard. Please ensure the DOT_FACE_CAMERA_ENABLED is true as explained in the How to enable local Camera usage guide.

Logging in SmartFace Station

IYou can configure and enable loging in the .env file . By default Logging is enabled and logging to file is disabled.

Windows The location of the env file is C:\Program Files (x86)\SmartFace Station\.env.

Docker The location of the env file is .env.sfstation.

Variable nameDescriptionExample value
ENABLE_LOGGINGDefine if this feature is enabled/disabledtrue
LOG_TO_FILEDefine if logs are saved to fileyour-server
LOG_FORMAT_JSONLogs in plain text or in JSON formatfalse
LOG_FILE_PATHPath to log file“%PROGRAMDATA%\Innovatrics\SmartFace Station\sfs-station-%DATE%.log”
LOG_FILE_DATE_PATTERNDate format of log file name“YYYY-MM-DD”
LOG_FILE_MAX_SIZEMaximum size of single log file (in MB)“20m”
LOG_FILE_MAX_FILESNumber of day logs files are kept“1d”
LOG_LEVELVerbosity of logs - debug, info, error“info”

Personalization

These guides focus on personalizing the experience with the SmartFace Station and the SmartFace Station’s Feedback Display.

Branding

The SmartFace Station as a web user interface for the user can be branded to match your environment and the user experience you want to provide to users. Branding can be applied by changing configuration files and the media files used within the branding folder.

The branding folder has these files:

naming-product.json
logo-product.svg
logo-product-without-text.svg
logo-company.svg
feedback-display-top-image.svg
feedback-display-error.svg
feedback-display-bottom-image.svg
feedback-display-access-denied-not-identified.svg
feedback-display-access-denied-block-or-spoof.svg
favicon-product.ico
empty-display.gif

Set up branding in Windows

In a Windows installation, there is a branding folder located within the SmartFace Station installation folder. The default path is C:\Program Files (x86)\SmartFace Station\branding.

To apply the changes, restart the SmartFace Station service, within the Windows Services.

Set up branding in Docker

In Docker installation, you need to have branding folder in your file system and bind it in your docker-compose.yml file. The branding folder is not available in the GitHub presets, however it is included in the SFStation docker container. You can get it using the commands below:

Ensure the SFStation docker container is running. While in the directory containing the SmartFace services' docker-compose.yml file, run the commands:

mkdir branding
cd branding
docker cp SFStation:/build/branding/ ./branding/

Adding it within the volumes section of the SFStation, add lines the following lines into your docker-compose.yml file:

    volumes:
      - "./branding:/build/branding"

So the SFStation section of the docker-compose.yml looks like below:

  sf-station:
    image: ${REGISTRY}sf-station:${SFS_VERSION}
    container_name: SFStation
    restart: unless-stopped
    ports:
      - 8000:8000
    volumes:
      - "./branding:/build/branding"
    env_file: .env.sfstation

To apply the changes, restart the SFStation container:

docker restart SFStation

Branding for the SmartFace Station

To apply branding to your SmartFace Station, you can apply changes to these files:

  • naming-product.json
  • logo-product.svg
  • logo-product-without-text.svg
  • logo-company.svg
  • favicon-product.ico

The *.svg and *.ico files are common image files, to update them you need to match the constraints of the image types. We recommend keeping similar sizes to avoid any rendering or network issues, both in the sense of data and space. The naming-product.json has the configuration for the text strings used.

The default content of the naming-product.json:

{
  "windowTitle": "SmartFace Station",
  "configSection": "SmartFace Platform",
  "feedbackDisplayErrorMessage": "Error",
  "feedbackDisplayAccessGrantedWelcomeMessage": "Welcome",
  "feedbackDisplayDeniedNotIdentifiedMessage": "Passage is not allowed",
  "feedbackDisplayDeniedBlockedOrSpoofMessage": "Passage is not allowed",
  "feedbackDisplayPutOnYourMaskMessage": "Put on your mask please"
}

The windowTitle and configSection changes will apply directly to your SmartFace Station.

Branding for the SmartFace Station’s Feedback Display

The Feedback Display can be branded, updating its layout, texts and animations. For more information about the Feedback display read here. Files that can be changed to apply branding:

  • naming-product.json
  • feedback-display-top-image.svg
  • feedback-display-error.svg
  • feedback-display-bottom-image.svg
  • feedback-display-access-denied-not-identified.svg
  • feedback-display-access-denied-block-or-spoof.svg
  • favicon-product.ico
  • empty-display.gif

The *.svg and *.ico files are common image files, to update them you need to match the constraints of the image types. We recommend keeping similar sizes to avoid any rendering or network issues, both in the sense of data and space. The naming-product.json has the configuration for the text strings used. The empty-display.gif is a file that can show an animation during a time when no one is in front of the camera.

The default content of the naming-product.json:

{
  "windowTitle": "SmartFace Station",
  "configSection": "SmartFace Platform",
  "feedbackDisplayErrorMessage": "Error",
  "feedbackDisplayAccessGrantedWelcomeMessage": "Welcome",
  "feedbackDisplayDeniedNotIdentifiedMessage": "Passage is not allowed",
  "feedbackDisplayDeniedBlockedOrSpoofMessage": "Passage is not allowed",
  "feedbackDisplayPutOnYourMaskMessage": "Put on your mask please"
}

The feedbackDisplayErrorMessage, feedbackDisplayAccessGrantedWelcomeMessage, feedbackDisplayDeniedBlockedOrSpoofMessage, feedbackDisplayPutOnYourMaskMessage changes will apply directly into your Feedback display.

How to apply and manage labels

The SmartFace Station allow to enable labels for each watchlist member. It is a set of key/value pairs that can be shown in the SmartFace Station. To present such labels you need to enable them and then you need to add this information to watchlist members.

In an example below you can see “Date of birth”, “Tax number” and “Phone number” labels.

Enabling labels in the SmartFace Station

Please edit .env.sfstation in your installation folder with a text editor.

Uncomment/apply changes to the section below:

# Add optional labels to watclist member (key is used in API requests, label is visual representation of key and used only in station frontend)
WATCHLIST_MEMBER_KEY_0=date
WATCHLIST_MEMBER_LABEL_0=Date of birth
WATCHLIST_MEMBER_KEY_1=tax_number
WATCHLIST_MEMBER_LABEL_1=Tax number
WATCHLIST_MEMBER_KEY_2=phone
WATCHLIST_MEMBER_LABEL_2=Phone number

Apply changes to the SmartFace Station, so the configuration reloads. The easiest way to achieve this is to run the command below:

docker compose up -d

Please observe any match notification in the SmartFace station to ensure the labels are shown for any watchlist member.

Adding label data to watchlist members

You can change the values for each label either directly in the SmartFace Station, or via the RESP API on the port 8098.

To update the values, please run a REST API request, such as below:

{
	"displayName": "Juraj",
	"fullName": null,
	"note": "",
	"labels": [],
	"id": "88866909-54ea-4c09-8673-2a95aa370180",
	"createdAt": "2023-10-25T10:16:56.899082Z",
	"updatedAt": "2023-10-25T10:17:05.337245Z",
	"labels": 
	[
		{
		  "key": "date",
		  "value": "11/01/2023"
		},
		{
		  "key": "tax_number",
		  "value": "123456789"
		},
		{
		  "key": "phone",
		  "value": "004219123456789"
		}
	]
}

Once applied, the values are visible together with the keys in the SmartFace Station.

How to setup SmartFace Station Presets

The SmartFace allows to use several presets meant for different users, who have different roles. The preset’s lock out options and the user is not allowing to do certain actions.

Available SmartFace Station roles

The default role is the admin (administrator) of the whole SmartFace Station - can see/change everything. There are 3 specific roles Access, Investigation and Security with 3 levels each - Operator, Supervisor and Administrator

Access

SmartFace Station Functionality Per Role Level for the Access. The Starting Page is http://localhost:8000/access-control

Access AdminAccess SupervisorAccess Operator
Security Dashboard
Camera Preview Setting
Recent Events Settings
Notification Detail
Investigation Dashboard
History
History - Notification Detail
Access Dashboard
Watchlist
Configuration
SmartFace Station section
SmartFace Camera section
SmartFace Platform section
Investigation

SmartFace Station Functionality Per Role Level for the Investigation. The Starting Page is http://localhost:8000/investigation/

Investigation AdminInvestigation SupervisorInvestigation Operator
Security Dashboard
Camera Preview Setting
Recent Events Settings
Notification Detail
Investigation Dashboard
History
History - Notification Detail
Access Dashboard
Watchlist
Configuration
SmartFace Station section
SmartFace Camera section
SmartFace Platform section

Security SmartFace Station Functionality Per Role Level for the Security. The Starting Page is http://localhost:8000/security

Security AdminSecurity SupervisorSecurity Operator
Security Dashboard
Camera Preview Setting
Recent Events Settings
Notification Detail
Investigation Dashboard
History
History - Notification Detail
Access Dashboard
Watchlist
Configuration
SmartFace Station section
SmartFace Camera section
SmartFace Platform section

How to Setup the Roles

The file .env.sfstation is located in the same folder as the main docker-compose.yml. There is a section in this file that allows you to configure what role is to be used in the SmartFace Station. This allows you to focus on the functionality related to the role and to hide functionality that should not be related to the role of the user.

The section of the file .env.sfstation is listed below:

# Optional roles are used for locking specified part of frontend for given roles
# Claim name is "Group mapper name" specified in Keycloak or "cognito:groups" in Cognito
# ROLES_CLAIM_NAME=sf_roles
# ROLE_KEY_ADMIN=/admin
# ROLE_KEY_SECURITY_SUPERVISOR=/security_supervisor
# ROLE_KEY_SECURITY_OPERATOR=/security_operator
# ROLE_KEY_ACCESS_SUPERVISOR=/access_supervisor
# ROLE_KEY_ACCESS_OPERATOR=/access_operator
# ROLE_KEY_INVESTIGATION_SUPERVISOR=/investigation_supervisor
# ROLE_KEY_INVESTIGATION_OPERATOR=/investigation_operator
# ROLE_KEY_SECURITY_ADMIN=/security_admin
# ROLE_KEY_ACCESS_ADMIN=/access_admin
# ROLE_KEY_INVESTIGATION_ADMIN=/investigation_admin
# FORCED_ROLE_NAME_0=/admin

By adjusting the line # FORCED_ROLE_NAME_0=/admin you can adjust the role to be used. So to change the role to access operator instead of the `admin role, you can set the line as this:

FORCED_ROLE_NAME_0=/access_supervisor

Please do not forget to remove the # symbol as only then is the new configuration applied. Once the role is applied please save the configuration file and restart the SmartFace Station docker container. It easiest way to achieve this is to run the commands below in the same folder as is the docker-compose.yml file.

docker-compose stop;docker-compose down;docker-compose up -d

Please note that the roles can also be applied dynamically to specific users. Together with restricting access to specific ports this can be done via Keycloak setup.

Centralized Edge Camera Management (Station)

Since the SmartFace Platform version 4.25, there is new centralized configuration for Edge cameras (Smart cameras using the SmartFace Embedded Stream Processor plugins). This configuration can be done using the SmartFace Station or via API. This guide focuses on the configuration via the SmartFace Station. To know more about how to configure the Edge cameras centrally using APIs, read here.

More information about installing the SmartFace Embedded Stream Processor can be read here.

Once the plugin is installed and the initial configuration is done, you can add the Edge camera to the SmartFace. Such a cameras is then visible in the SmartFace Station’s list of cameras within the Camera dashboard. You can configure the following on the Edge cameras directly within the SmartFace Station:

Uploading Licenses

Managing and updating licenses for all cameras can be done centrally, eliminating the need to individually access each camera. To obtain a license, please read the Get Started section for more information.

At first, for each cameras there is License not provided warning. It is visible both at the top of the Edge camera’s configuration panel and in the License section of the same panel

In the License section you can drag and drop you license file into the highlighted area, or you can choose file to be uploaded. After uploading a license, please click on the Save button.

After a successful upload, the License will be Valid with a green ribbon. The License not valid notification will be no longer present at the top of the panel.

Setting Face Recognition Parameters

You can set and adjust the face recognition parameters directly in the SmartFace Station. Enabling/disabling the face processing is possible using the toggle button. The parameters below can be adjusted:

  • Order by
    In the case there are several faces detected on an incoming image from the Edge camera, you can order the notifications created. You can order them by Detection Confidence, or by their Face Size.
  • Confidence threshold
    The face detector is looking for faces in the images generated by the Edge camera. Each detected face comes with a confidence, that represents how certain the detector is that something detected as a face is actually a face. By changing the Confidence threshold you filter out results under your preferred threshold. You can choose Include low quality faces (1200), Only good faces (1500), Only perfect faces (3500) and Custom, allowing you to set your own values.
  • Face size
    You can set the minimum and maximum face size in pixels. Detected faces outside of the set range will be ignored.
  • Max faces
    The maximum amount of faces provided by the face detector from one image.
  • Face Save Strategy
    You can choose a strategy to save detected faces: All for saving all images,Balanced for saving the initial match and then saving into tracklet additional images with with higher matching threshold or face detection confidence , and MatchOnly with similar behaviour as the balanced, however only matched enrolled Watchlist Members will have their tracklet saved.
  • Maximum frames lost for tracklet
    You can adjust the detector’s tracking capabilities, where you can set an amount of frames, where the person who’s face is being detected, is not visible for the camera, yet once the person reappears, it will continue within the same tracklet. There is default optimal value of 25, you can set a Custom value.
  • Tracking threshold
    It is the inimal detection confidence threshold for tracked faces. Faces with detection confidence below this threshold are filtered out by tracking and not propagated to landmarks detection and template extraction.
  • Tracking stability
    This is a threshold where the certainty of having the same person’s face within a tracklet is being set. You can set custom values, where lower values increase a change of the tracklet jumping between nearby persons and higher values increase chances of loosing the detected person from a tracket and the risk of creating an additional tracklet for the same person.
  • Template Generator Resource
    You can choose whether the Face Template extraction happens directly on the Edge camera or on the SmartFace Platform server. Within the server you can choose to use the CPU, GPU or Any service.

Synchronizing Watchlists

You can synchronize Watchlists and their Watchlist Members on the Edge camera(s). You can enable matching and synchronizating using the toggle button.

This allows to do the matching directly on the camera. You can choose what Watchlist(s) to use and you can se the Matching threshold. Only matches with higher Biometric score will be considered a match.

Enabling and setting up the Liveness Check

You can enable spoof check / liveness check using the toggle button in the Spoof detection section. Once enabled, there are several parameters to set and adjust:

  • Distant detector Resource
    You can choose what resource to use for the Distant liveness. It can be None to not use the Distant liveness, On edge to run the liveness on the Edge camera directly, CPU External for running it on the SmartFace Platform’s server using CPU, GPU Internal for running it on the SmartFace Platform’s server using GPU, Any External for running it on the SmartFace Platform’s server using any service.

  • Distant Liveness Score Threshold
    You can choose the minimal Liveness Score that we will consider genuine for the Distant Liveness. Lower Score will be considered Spoof.

  • Nearby detector Resource
    You can choose what resource to use for the Distant liveness. It can be None to not use the Nearby liveness, On edge to run the liveness on the Edge camera directly, CPU External for running it on the SmartFace Platform’s server using CPU, GPU Internal for running it on the SmartFace Platform’s server using GPU, Any External for running it on the SmartFace Platform’s server using any service.

  • Nearby Livenss Score Threshold
    You can choose the minimal Liveness Score that we will consider genuine for the Nearby Liveness. Lower Score will be considered Spoof.

  • Spoof execution on edge
    If you use the Spoof check / Liveness check on the edge, you can choose whether to choose it on each extracted or identified face. Extracted faces went throught the face detection and face template extraction process sucessfully. The identified faces went successfully via matching.

Messaging Configuration

You can enable messaging between the Edge Camera and the SmartFace platform using the toggle button in the Messaging section. If the toggle is disabled, no message will be sent to the SmartFace Platform. You can choose messaging stratefy and interval.

Strategy options:

  • On new and interval
    New message to the SmartFace Platform is sent once a new tracklet is created and then each time we keep the same tracket and the interval ticks
  • On new and interval best
    New message to the SmartFace Platform is sent once a new tracklet is created and then each time we keep the same tracket and the interval ticks, but only of new best confidence is achieved within the tracklet

You can choose the interval in miliseconds (ms).

You can also enable and disable the crop images. If this is disabled, the crops of detected faces will not be sent. If enabled you can adjust the image quality (90% or Custom), maximum image size (Optimal (50px) or Custom) and image format (JPEG, RAW, PNG).

You can also enable and disable the crop images. If this is disabled, the crops of detected faces will not be sent. If enabled you can adjust the image quality (90% or Custom), image resolution(Source, High definition (1080p), Resource saving(720p) and Custom) and image format (JPEG, RAW, PNG).

How to setup Authentication

The SmartFace Station supports several methods for authentication, security restrictions and identity providers.

Setting up Keycloak

One of the supported identity providers is the Keycloak. It uses standard protocols and provides Single-Sign On. It is easily configurable and offers many options for advanced users.

In this guide we provide an easy basic installation that allows you to hide the SmartFace Station behind it, exposing only public ports.

Requirements

  • 1 to N SmartFace installations, including the SmartFace Station (can be both Windows and Linux/Docker)
  • Docker-enabled Linux machine/virtual machine
  • Machines are networked and communication between them is allowed

Setting up the SmartFace

In this sample, KeyCloak is deployed on the same machine. In production deployments, KeyCloak is deployed on a standalone machine with extra security.

For our sample installation, we will use the docker-compose.yml preset available on the SmartFace GitHub.

Download the required files using the GIT by running the command below in the desired location:
git clone https://github.com/innovatrics/smartface.git

Navigate to the preset at sf-docker > special > sf-with-keycloak.

Find $YOUR-SERVER-IP$ strings across the realm-export.json in the keycloak-server subfolder and .env.sfstation in the sf-server subfolder.

Replace them with the IP address of the KeyCloak server, that is accessible for both the SmartFace Station and the final user. When deployed publicly on the internet, replace with FQDN (keycloak.mySuperDomain.com)

Files and the line numbers:

keycloak-server/realm-export.json:877 >> "rootUrl": "http://$YOUR-SERVER-IP$:8000/",
keycloak-server/realm-export.json:878 >> "adminUrl": "http://$YOUR-SERVER-IP$:8000/",
keycloak-server/realm-export.json:884 >> "http://$YOUR-SERVER-IP$:8000/*"
sf-server/.env.sfstation:36:          >> KEYCLOAK_DOMAIN=http://$YOUR-SERVER-IP$:8080/auth
sf-server/.env.sfstation:39:          >> KEYCLOAK_JWKS_URI="http://$YOUR-SERVER-IP$:8080/auth/realms/master/protocol/openid-connect/certs"
sf-server/.env.sfstation:40:          >> KEYCLOAK_ADMIN_URL=http://$YOUR-SERVER-IP$:8080/auth/admin

Then you can start the KeyCloak and the SmartFace, including the SmartFace Station using the steps below:

  • Enter keycloak-server and run command docker-compose up -d
  • Enter sf-server and run run.sh

Or you can use the run.sh bash script located in the sf-with-keycloak directory.

User roles and their configuration

The SmartFace Station supports several roles. An authenticated user can have a role.

Roles in the SmartFace Station

For more information about the roles available and how to set them for the SmartFace Station, read about the SmartFace Station Presets.

Such roles are defined for the SmartFace Station in the .env.sfstation environmental variable file, such as below:

ROLES_CLAIM_NAME=sf_roles
ROLE_KEY_ADMIN=/admin
ROLE_KEY_SECURITY_SUPERVISOR=/security_supervisor
ROLE_KEY_SECURITY_OPERATOR=/security_operator
ROLE_KEY_ACCESS_SUPERVISOR=/access_supervisor
ROLE_KEY_ACCESS_OPERATOR=/access_operator
ROLE_KEY_INVESTIGATION_SUPERVISOR=/investigation_supervisor
ROLE_KEY_INVESTIGATION_OPERATOR=/investigation_operator
ROLE_KEY_SECURITY_ADMIN=/security_admin
ROLE_KEY_ACCESS_ADMIN=/access_admin
ROLE_KEY_INVESTIGATION_ADMIN=/investigation_admin
ℹ️ The left side is the role preset in the SmartFace, the right side is the group in Keycloak that will match the preset.

Roles in the Keycloak

  • Visit the Keycloak’s server via URL:

    http://<your-keycloak-ip-or-hostname>:8080/auth/
    
  • Click on Administration Console

  • Use admin/admin credentials in the default setup to login. Do not forget to change it for production!

  • Click in the left menu: Manage>Groups

  • Ensure you have all the groups (mapped to roles in the SmartFace Station) or click New to add new groups if needed.

    /admin
    /security_supervisor
    /security_operator
    /access_supervisor
    /access_operator
    /investigation_supervisor
    /investigation_operator
    /security_admin
    /access_admin
    investigation_admin
    

You can also use premade users or create new users in the Manage>Users section:

If you create a new user or edit an existing user, you can adjust the rules available to the user in the Groups tab within the Manage>Users section:

Securing the communication

After creating a secured channel to communicate with the SmartFace Station to ensure that only the selected ports are used we should disable any ports that are normally used to communicate with the SmartFace Station and the SmartFace Station.

This can be done in the firewall configuration and you should disable the unused ports between the SmartFace installation machines and the outer world, especially the ports 8098 and 8097. Disable unused ports between the SmartFace installation machines and the Keycloak machine.

We also recommend changing the default admin user in the Keycloak.

Using the configured Keycloak

Once the Keycloak is configured and running, trying to visit the SmartFace Station at port 8000 will require you to log in/authenticate.

Once logged in, you can log off using the button at the bottom left.