Virtual Servers
The Virtual Servers tab lists the Virtual Servers that are available to the Account Manager.
Accounts with management delegated to the Service Provider display on the Virtual Servers tab but not on the On-Boarding tab. The name of the delegating organization displays in the Management column of delegated accounts.
Click the Virtual Servers tab to access the following shortcuts, functions, and information:
- Create Account (shortcut) — Enables you to add an organization’s title and address to the Virtual Server.
- List Accounts (shortcut) — Displays a list of the accounts that you can access on the Virtual Server.
- Search (section) — Enables you to find a specific account within the Account list.
- Managed Account List (section):
  - Account - Name of the account on the Virtual Server.
  - Custom #1 - The optional description can distinguish between similar accounts.
  - Class - Either Service Provider (Virtual Service Provider) or Account (Subscriber).
  - Activated - Date and time the service was set to Active in the Services module.
  - Expires - Date and time the service will end and the account will not be able to log in.
  - Billing - Billing period that was configured in the Services module.
  - Capacity - Maximum number of users that may authenticate against the Virtual Server, as set in the Allocation module. This value is reduced each time inventory is allocated to an account.
  - Unused - Total unused capacity. Capacity is consumed when an authentication method is assigned to a user in the account’s Virtual Server, or if the account’s Virtual Service Provider (Operator) allocates capacity to an account that it manages.
  - Status - State of the service: Active or Disabled, as set in the Services module. It will be Active unless the current date is greater than the Expires date or the services have been deactivated in the Services module.
For more information on managing Virtual Servers, go to the Account management section.
Snapshot
The following modules are available on the Virtual Servers > Snapshot tab:
- Authentication Activity — Lists up to 100 of the most recent authentications including diagnostic information.
- Authentication Metrics — Displays authentication activity metrics over various periods of time.
- Token States — Displays all tokens registered in the Virtual Server by state.
- SMS Credits — Displays the current SMS credit balance, alert level and SMS sent message count.
- Allocation — A complete listing of Virtual Server capacity and token inventory, including detailed transaction records.
- References — Displays the custom product name and version number, and URLs from which agents, software, documentation and terms of use can be downloaded or viewed.
Authentication Activity
The Authentication Activity module displays a list of the most recent authentications, up to a maximum of 100 records. Opening the module automatically refreshes the list.
Entries in the list can be filtered according to the following Result values:
- All (default) — Displays all authentication activity.
- Failure — Displays only failed authentications. Note that Push notifications that are rejected (the user tapped It wasn’t me!) are listed as a Failure, with a message to indicate that it was due to user rejection.
- Success — Displays only successful authentications. Note that Push notifications that are accepted (the user tapped APPROVED) are listed as a Success.
- Challenge — Displays SMS, Push, GrIDsure, CR token, and ID First authentication events. In the case of a challenge-response configured token, SAS sends the user a request for an OTP (SMS), an OTP (Push), a GrIDsure image, or an 8-digit challenge (CR). Note that for push OTP challenges, additional information such as geolocation and resource name is displayed in the message column.
  Notes about Push Notification results:
  - Push notifications are listed as Challenge.
  - Push notifications that are accepted (“approved”) by the user are listed as Success.
  - Push notifications that are rejected by the user are listed as Failure, with a message to indicate that it was due to user rejection.
  - Push notifications that are ignored by the user do not result in another entry after the Challenge.
  For SAS PCE, the Push OTP feature will only be available if it is enabled for an account.
- Server PIN Provided — Displays authentication events where the server has generated a PIN for the user.
- User PIN Change — Displays authentication events where the user has been prompted to change their PIN.
- Outer Window Authentication — The user provided a correct OTP value, but one that was outside of the inner window. Outer window success indicates that the user provided the next expected OTP.
- Change Static Password — Displays events where the user was required to change their temporary static password.
- Password Change Failed — Displays events where password change failed.
- PIN Change Failed — Displays events where user PIN change failed.
- Skipped — Displays authentications which are not required from the user due to policy settings, such as when the user requests access from a known network and/or device.
Click Refresh to sort the results according to revised criteria, or simply to update the list to include any authentications which occurred since the module was opened.
A count of records shown versus total records found is displayed at the bottom of the list. Click the Customization button on the module bar and enter a new number of rows in the text field to reset the number of records displayed.
The table of Authentication Activity results includes:
- Time Stamp — Displays the time stamp for each authentication event.
- UserID — Displays the userID provided by the user attempting to authenticate.
- Actions — Displays the action performed during the authentication.
- Result — (See the list of possible values at the beginning of this section.)
- Credential Type — Displays the type of credential used to authenticate.
- Serial # — Displays the serial number of the token used to successfully authenticate. If the value is 0 and authentication succeeded, this indicates the use of a static password to authenticate.
- IP — Displays the IP address of the authentication request. Depending upon configuration, this could be the user’s access point (for example, VPN gateway) or agent (for example, OWA) IP address.
- Message — Displays a brief description about the authentication attempt. It also displays the client IP per virtual server (if the Enable Client IP checkbox is selected).
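The following is an added example, not part of the product or its documentation. It shows how the push notification results described above can be reviewed outside the console: each push Challenge is paired with the next Success or Failure for the same user, and a Challenge with no follow-up entry is counted as ignored. The tuple layout, timestamp format, "Push" credential label, rejection wording, two-minute window and function names are all assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample rows: (Time Stamp, UserID, Result, Credential Type, Message).
# Timestamp format, the "Push" label and the rejection wording are assumptions.
ROWS = [
    ("2024-05-01 09:00:05", "alice", "Challenge", "Push", "Push challenge sent"),
    ("2024-05-01 09:00:20", "alice", "Success", "Push", "Push approved"),
    ("2024-05-01 09:10:00", "bob", "Challenge", "Push", "Push challenge sent"),
    ("2024-05-01 09:10:30", "bob", "Failure", "Push", "Rejected by user"),
    ("2024-05-01 09:11:00", "bob", "Challenge", "Push", "Push challenge sent"),
    ("2024-05-01 09:14:00", "bob", "Challenge", "Push", "Push challenge sent"),
    ("2024-05-01 09:14:10", "bob", "Failure", "Push", "Rejected by user"),
    ("2024-05-01 09:20:00", "carol", "Failure", "Token", "Invalid OTP"),
]

def push_outcomes(rows, window=timedelta(minutes=2)):
    """Pair each push Challenge with the next Success/Failure for the same user.

    A Challenge with no follow-up entry inside `window` is counted as ignored,
    because an ignored push produces no entry after the Challenge.
    """
    events = sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, result, msg)
                    for ts, user, result, cred, msg in rows if cred == "Push")
    outcomes = []
    for i, (when, user, result, _) in enumerate(events):
        if result != "Challenge":
            continue
        outcome = "ignored"
        for later, other, res, msg in events[i + 1:]:
            if later - when > window:
                break  # events are sorted, so nothing later can match
            if other != user:
                continue
            if res == "Challenge":
                break  # a newer prompt was sent before this one was answered
            if res in ("Success", "Failure"):
                outcome = ("approved" if res == "Success" else
                           "rejected" if "reject" in msg.lower() else "failed")
                break
        outcomes.append((user, when, outcome))
    return outcomes

def users_to_review(rows, threshold=2):
    """Users with at least `threshold` push prompts that were rejected or ignored."""
    counts = Counter(user for user, _, outcome in push_outcomes(rows)
                     if outcome in ("rejected", "ignored"))
    return {user: n for user, n in counts.items() if n >= threshold}
```

Repeated rejected or ignored prompts for one UserID are worth an operator's attention, since they indicate push requests the user did not initiate or did not recognize.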
Authentication Metrics
By default, Enable Authentication Metrics is not selected and the Authentication Metrics table does not display.
If you select Enable Authentication Metrics, you cannot thereafter disable the feature.
If Enable Authentication Metrics is selected, the Authentication Metrics table displays a list of pass, fail, and total authentications for various periods, as shown below:
The authentication metrics include:
- Today — Values for the current day from 00:00:01, to the time when the module was opened or most recently refreshed.
- Week to — Values from 00:00:01 on Monday of the current week, to the time when the module was opened or most recently refreshed.
- Last Week — Values from 00:00:01 on Monday to 24:00:00 on Sunday of the previous week.
- Month to Date — Values from 00:00:01 on the 1st day of the current month, to the time when the module was opened or most recently refreshed.
- Last Month — Values from 00:00:01 on the 1st day, to 24:00:00 on the last day of the previous month.
- Year to Date — Values from 00:00:01 on January 1 of the current year, to the time when the module was opened or most recently refreshed.
Token States
For information related to this module, refer to the Tokens section.
SMS Credits
For information related to this module, refer to the SMS credits section.
Allocation
For information related to this module, refer to the Token allocations section.
References
The References module lists:
- The Custom Product Name set under Comms > Custom Branding > Custom Product Name.
- The version number, retrieved from the file system, which is not configurable.
- URLs from which agents, software, documentation and terms of use can be downloaded or viewed. The values in this module are configured by the Service Provider. These values are automatically inherited by all on-boarded accounts. All Virtual Service Providers can modify these values for their child accounts.
For information related to this module, refer to the Customize references section.
Assignment
The Virtual Servers > Assignment tab enables you to manage all user authentication methods and metrics, access restrictions, group memberships, and RADIUS attributes.
In addition to the Search User module, the following shortcuts display:
- Create User — Manually add users.
- Import Users — Import users from a .csv or tab delimited flat file.
- Provisioning Tasks — Remove users from tasks or extend tasks “time-to-live”.
Add users
This section describes how to add and manage users. SAS enables you to add users in the following ways:
- Manually, one user at a time, using the Create User shortcut.
- Manually, importing one or more user records from a flat file.
- Automatically by synchronizing with your Active Directory or LDAP server.
- Automatically by integrating with your Active Directory or LDAP server (SAS-PCE Only).
For more details, refer to the Users and groups section.
You can add users to the Virtual Server using both manual and automated methods, provided that UserIDs are unique. This allows you to extend authentication to users that exist in your LDAP directory, such as employees, as well as users that do not, such as contractors or business partners.
Consider using Automated Provisioning if you are using automated user creation in conjunction with an external LDAP/AD user source. Automated Provisioning can save administration time by automatically provisioning users with tokens, revoking tokens when users are deleted, applying authorizations based on LDAP groups, and much more. (Refer to the Time Zone Offset section.)
Create User (shortcut)
For information related to this function, refer to the Manually add one user at a time section.
Import Users (shortcut)
For information related to this function, refer to the Manually import user records section.
Provisioning Tasks
For information related to this function, refer to the Provisioning tasks section.
Search User
For information related to this module, refer to the Search for users section.
User Detail
For information related to this module, refer to the View user details section.
Authentication Methods
For information related to this module, refer to the Manage tokens for a user section.
Authentication Metrics
This module displays authentication metrics for the user reflecting pass, fail and total authentication results for the current day, current week, previous week, month to date, previous month, year to date, and previous year.
Authentication Activity
This module is identical to the Authentication Activity module on the Snapshot tab (refer to Authentication Activity) with the exception that all data is for the selected user.
Access Restrictions
For information related to this module, refer to the Restrict access based on the time, day, or date section.
Group Membership
For information related to this module, refer to the Groups section.
RADIUS Attributes (user)
For information related to this module, refer to the RADIUS attributes for users or groups section.
Tokens
For information related to this module, refer to the Tokens section.
Groups
For information related to this module, refer to the Groups section.
Reports
For information related to this module, refer to the Reports section.
Self-Service
For information related to this module, refer to the Self-service site section.
Operators
For information related to this module, refer to the Operators and roles section.
Policy
The Virtual Servers > Policy tab enables you to configure an account’s security policy to enforce a consistent login experience and protect against denial of service, brute force, and other account credential attacks.
Create Account (Shortcut) | Add an organization’s name and address.
List Accounts (Shortcut) | Display a list of the accounts to which you have access.
Authentication Policies | Configure the authentication behavior. NOTE: This feature may not be available in your service zone.
User Policies | Configure a user’s access to the authentication service.
Token Policies | Configure a token’s interaction with the authentication service.
Role Management | Configure operator roles, alerts, alert thresholds, and the console language.
Automation Policies | Auto-provision users with tokens and configure self-enrollment/service.
For more details related to this module, refer to the Operators and roles section.
Comms
The Virtual Servers > Comms tab contains the following modules:
- Communications — Configure or customize SMS gateways, SMTP email, and content of outbound SMS and Email messages.
- LDAP — Configure LDAP integration.
  LDAP integration is available only on SAS PCE.
- Authentication Processing — Configure Pre-authentication rules, LDAP Synchronization, and Agent key files.
- Auth Nodes — Configure Auth Nodes, Sharing, and Realms.
- Custom Branding — Customize the appearance of the SAS console.
Communications
For more details on functionalities under this tab, refer to:
LDAP
For more details related to this module, refer to the LDAP integration section.
Authentication Processing
For more details related to this module, refer to the LDAP settings section.
Auth Nodes
For more details related to this module, refer to the Authentication Nodes section.
Custom Branding
For more details related to this module, refer to the Branding the appearance section.