Create an account

If you have an Account Manager role in a Service Provider account, you can create child accounts. The child accounts can be virtual Service Providers or Subscriber accounts.

You can create accounts on the SAS console through the On-Boarding tab. Create Account functionality enables you to do the following tasks:

Create an account

  1. On the SAS console, select the On-Boarding tab.

  2. Under Shortcuts, select Create Account.

  3. Enter the account details in the given fields:

    • Account: The name of the organization must be unique within your account hierarchy.
    • Billing Address: Account invoices are sent to this physical mailing address.
    • Ship To same as Billing Address: Select this option to send all other shipments, not just account invoices, to the billing address. Otherwise, enter the mailing address to which other shipments for the account must be sent.
    • Custom #1-#3: Add descriptors that distinguish this account from similarly named accounts. You can change the title of these fields with the branding options.
    • Group: Select the account management group, to create an association with related accounts.

  4. Select Save, and then configure the services.

    The account information you added is displayed in the Account Detail module and can be updated later as required using the Edit button.

    You can view the history of changes made to an account by clicking Change Log.

Configure account services

  1. On the On-Boarding tab, expand the Services module.

  2. For Account Status, select the Active check box.

    This enables the service for the Service Start and Service Stop dates defined in the Service Period section. If this option is not selected, the service is disabled regardless of the Service Period.

    Suspending services stops all authentication services for the account’s Virtual Server and prevents any Operators they may have from logging into the console.

    Re-activating services restores the service and Operator rights to the state immediately prior to the suspension.

  3. Select the Account Type:

    • Evaluation: Distinguishes “paying” customers from those “evaluating” the service, in reports. It can also be used to generate an alert, a defined number of days before the service stops, enabling you to manage the account while it is still active.

    • Subscriber: Enables an account to add users to the service: manually, by import, or by synchronization from a single LDAP or Active Directory server. This account type cannot create or manage additional accounts.

    • Virtual Service Provider: For an account to create, manage, and share resources with subordinate accounts, or to support synchronization with multiple LDAP servers, it must be configured as a Virtual Service Provider. Typically, you would use this option when:

      • The account is reselling your service to its customer base and therefore will create and possibly manage its own accounts.
      • The subscribing organization wants to onboard subsidiary companies or segregate management and services between internal groups, or where multiple LDAP servers will be synchronizing users on the service. This account type can also create, manage, and share resources with child accounts.
  4. Set the Service Period (duration). The start and stop dates depend on the Account Status being active.

    • Service Start: The date when the service is enabled.

    • Service Stop: The date when the service is disabled.

    • Billing Frequency: A flag that is reproduced in reports. It enables you to determine the service and billing commitments for an account without referring to contracts.

  5. Enter the Max Auth Nodes that are available to the account.

    Auth Nodes are the RADIUS protocol-based integrations or legacy agents from which Virtual Servers receive and process authentication requests. Use this setting to limit the number of devices or applications that can authenticate against the service for this account. The minimum value is 1. Typically, set this value to reflect the minimum account requirements.

  6. Select the Use Delegate check box to immediately delegate account management to the parent account, and then enter the Primary Contact and Telephone number.

    The delegated account will appear on the parent account's Virtual Servers tab.

  7. Click Save.

Allocate tokens

You can allocate each type of token and capacity to an account in a separate transaction.

To allocate a token type or capacity:

  1. On the On-Boarding tab, expand the Allocation module.

  2. Allocate tokens and capacity and then create an Operator.

Create an Operator

An account can be managed by either an Account Manager or an Operator, or both. By default, a Service Provider can manage the Virtual Server for every child account. If the account needs to manage their own Virtual Server, create an Operator in their Virtual Server. If the account is fully managed by the Service Provider, there is no need to create an Operator.

The process of creating an Operator includes the following steps:

  • Create a user in the account's Virtual Server

  • Assign an authentication method to the user

  • Prepare for enrollment

  • Promote the user to Operator status

  • Prepare the Operator email validation process

If the account is created as a Subscriber account, this process creates an Operator within the account’s Virtual Server. On login, the Operator has the Subscriber view of the SAS console, and has full control of all aspects of their Virtual Server.

If the account is created as a Virtual Service Provider, the user is also promoted to Account Manager at the Service Provider level. On login, the user has the Service Provider view of the SAS console and has full control of all aspects of their Virtual Server, and the ability to create and manage accounts.

In both cases, an email containing enrollment instructions is sent to the user. When enrollment is complete, the user receives a second email with instructions for validating their email address, which requires logging in to the Management Console.

To create an Operator:

  1. On the On-Boarding tab, expand the Create Operator module.

  2. Select Add.

  3. Enter details for the Operator and click Next. Most fields in this wizard are self-explanatory, except:

    • Mobile/SMS: If SMS is enabled for the account’s service, this number is used to send SMS/OTP and other SMS messages to the Operator. This field must contain digits, and the first digits must be the country code, followed by the city code. This field can contain a full country prefix, such as +1 or +49.

      In North America, this results in an entry in the format: +16131112222, where 1 is the country code, 613 is the area code, and the remaining 7 digits are the phone number.

      In the UK, this results in an entry in the format: +448701112222, where 44 is the country code, 870 is the city code, and the remaining digits are the phone number.

    • Container: Corresponds to the containers configured in the account’s Virtual Server.

    • Custom #1, #2, #3: Corresponds to the three custom fields that are allowed for each user account and should not be confused with the similarly labeled fields in the Account Detail module. These custom fields can be used to store information that is relevant to the record and to distinguish similar users.

  4. Select the Authentication Type, select Done, and then configure Auth Nodes.

    The available authentication types reflect the inventory that is allocated to this account and present in its Virtual Server.

    The Available column shows the tokens that are available for the given user, which means that the tokens belong to the same container as the user. The available quantity for an authentication type can be different from the corresponding value in the Available row of the Allocation list. This occurs if tokens in this Virtual Server have been moved to containers other than Default. Only tokens that reside in the Default Container on the account’s Virtual Server are available through this wizard.

    The status of the Operator is set to pending until enrollment and email validation are completed. The enrollment process varies depending on the assigned authentication method.

    After the Operator is enrolled, they receive an Operator email validation message.

    After they complete this step, the Operator is logged in to their Virtual Server.

Configure Auth Node

Configuring authentication (auth) nodes allows VPN and web applications to authenticate against the Virtual Server. An Auth Node is any RADIUS client, agent, or application (for example, VPN and web applications such as Outlook Web Access) that sends authentication requests to the Virtual Server.

In SAS-PCE, if there is a single organization (Virtual Server) and no Auth Nodes are configured, the system allows for authentications to be accepted from any source (all IP addresses are allowed).

Depending upon network conditions, authentication requests from an Auth Node will be accepted for processing by the Virtual Server within approximately 5 minutes of configuration.

To add an Auth Node:

  1. On the On-Boarding tab, expand the Auth Nodes module and select the Auth Nodes task.

    • Add — Add an Auth Node.
    • Change Log — View the last five changes to Auth Nodes.

    The number of Auth Nodes that can be added is limited to the Max. Auth Nodes value that is specified in Services for this account. To increase this value, contact your Service Provider.

  2. Click Add. The Add Auth Node section is displayed.

  3. Enter the Auth Node details in the given fields, following these directions:

    For RADIUS clients, such as SSL VPNs:

      • A descriptive name of the device in the Auth Node Name field
      • The IP address of the RADIUS client
      • The RADIUS Shared secret (this must be identical in both SafeNet Authentication Service and the RADIUS client)

    For SAS Agents, such as Outlook Web Access:

      • A descriptive name of the device in the Name field
      • The IP address of the RADIUS agent

  4. Click Save.
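
The requirement in step 3 that the RADIUS Shared secret be identical on both sides follows from how RADIUS hides the User-Password attribute (RFC 2865, section 5.2): the passcode is XORed with MD5(secret + Request Authenticator), so a server holding a different secret recovers garbage and the authentication fails. The sketch below is an added example, not Thales code; the secret, passcode and authenticator values are constructed.

```python
import hashlib


def _key(secret: bytes, prev: bytes) -> bytes:
    # RFC 2865 5.2: b(i) = MD5(secret + previous ciphertext block or authenticator)
    return hashlib.md5(secret + prev).digest()


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Auth Node (RADIUS client) side: hide the passcode before sending it."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = _key(secret, prev)
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden


def recover_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding with the secret stored for this Auth Node."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a multiple of 16 octets")
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, _key(secret, prev)))
        prev = block
    return plain.rstrip(b"\x00")


# Constructed sample values (not taken from any real deployment).
AUTHENTICATOR = bytes(range(16))
CLIENT_SECRET = b"constructed-shared-secret"
PASSCODE = b"492817"


def server_sees(server_secret: bytes) -> bytes:
    """What the server recovers when its stored secret is server_secret."""
    hidden = hide_user_password(PASSCODE, CLIENT_SECRET, AUTHENTICATOR)
    return recover_user_password(hidden, server_secret, AUTHENTICATOR)


if __name__ == "__main__":
    print("matching secret:   ", server_sees(CLIENT_SECRET))
    print("trailing-space typo:", server_sees(CLIENT_SECRET + b" "))
```

A single stray character in the secret on either side, such as a trailing space pasted into the console, is enough to make every request from that Auth Node fail.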

Configure RADIUS IP addresses and port numbers

This task is available only to Administrators.

  1. Click On-Boarding > Auth Nodes > RADIUS IP/Port #s. The RADIUS IP/Port #s section is displayed.

  2. Select Custom. The RADIUS IP address and port number fields display.

  3. Complete the RADIUS IP/Port #s fields:

    • Primary RADIUS Server: Configure your RADIUS client (for example, VPN gateway) to use this address as the primary RADIUS server.

    • Failover RADIUS Server: Configure your RADIUS client (for example, VPN gateway) to use this address as the failover RADIUS server.

    • Primary Agent DNS: Configure your agent (for example, SafeNet Agent for Windows Logon) to use this address as the primary authentication server.

    • Failover RADIUS Server: Configure your agent (for example, SafeNet Agent for Windows Logon) to use this address as the failover authentication server. Configuring the RADIUS client to use the failover RADIUS server as its primary or failing to configure a failover RADIUS server may result in reduced performance or authentication outage.

  4. Click Apply.

Add contacts

On-Boarding > Contacts enables you to add/edit contact references associated with the account.

  1. On the On-Boarding tab, select Contacts.

  2. Select Add. The Add Contact section is displayed.

  3. Enter the contact details and select Save.

To display contact details:

  1. Click the contact name.
  2. (Optional) To send alerts to the contact, select:

    1. Receives Service Update.
      and/or
    2. Receives System Alerts.