Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

SAS PCE documentation
- Explore Thales Docs

SAS PCE
Agents
MobilePASS+
SafeNet Access Exchange
BSIDCA API
- BSIDCA endpoints
- BSIDCA custom attributes
Integrations
Account management
Release Notes

All

All

Self-service site

Configure authorities, OOB enrollment, and policies

Please Note:

SAS PCE
Get started
- System Requirements
- Installation
  - Install SafeNet Authentication Service
  - Prepare database
  - Configure SafeNet Authentication Service
  - Configure SafeNet Authentication Service for High Availability
  - Configure for MobilePASS and MobilePASS+ Enrollment
  - Onboarding for MobilePASS+ enrollment
  - SAS PCE Windows Services Startup Recommendations
  - Security and Compliance
- Upgrade
  - SafeNet Authentication Service pre-upgrade checklist
  - SafeNet Authentication Service upgrade - primary data center
  - SafeNet Authentication Service upgrade - secondary data center
  - SafeNet Authentication Service post-upgrade checklist
  - Additional Considerations
- System setup
  - Setup
  - Communications
  - Logging
Dashboard
- On-Boarding
- Virtual Servers
- Administration
Users and groups
- Configure individual users
- Manage tokens for a user
- Groups
- Containers
- Restrict access based on the time, day, or date
- User Policies
User synchronization
- LDAP sync server settings
- LDAP integration
- LDAP settings
Operators and roles
- Operators
- External Operators
- Provision roles automatically
- Alerts
Tokens
- Token types
  - Hardware tokens
    - OTP hardware token
    - KT-4 tokens
    - RB-1 tokens
  - Software tokens
    - GrIDsure
    - SMS OTP token
  - Third Party tokens
- Token allocations
- Token templates
- Token restrictions
- Temporary Password Policy
- Token Passcode Processing Policy
- Configure server-side PINs
- Token synchronization
- Import SafeNet tokens
- Token inventory
- Deallocate inventory
- MobilePASS target and Push OTP settings
- SMS credits
- SMS/Email/Voice OTP Delivery Methods
- Quicklog authentication
- Initialize hardware tokens
Provisioning tokens to users
- Provision tokens
- Automate token provisioning
- Provisioning tasks
- Assign a hardware token to a user
- Bulk assign third-party tokens
Push OTP
- Requirements and considerations for Push OTP
- Enable Push OTP and MobilePASS+
- Push OTP Rejection Policy
- Customize Push notifications and alerts
- Configure applications for Push OTP
- Token management and enrollment
- Push OTP authentications
RADIUS integration
- RADIUS third-party token support
- RADIUS attributes for users or groups
- Block RADIUS authentication
Server and agent settings
- Authentication Nodes
- Pre-authentication rules
- Restrict IP range
- Email server settings
- SMS settings
- Voice OTP settings
- Configure a voice provider
- FTP/SFTP/SCP settings
- Time zone offset
- Download an encryption key for agents
- Language
- Migrate SafeNet authentication servers
- Display Device Information
- Download an encryption key for remote services
Self-service site
- Site appearance and default language
- Self-Service Modules
- Self-Enrollment pages
- Configure authorities, OOB enrollment, and policies
- Process requests and view reports
Branding the appearance
- Customize email messages
- Customize SMS messages
- Customize voice OTP messages
Reports
- Billing reports
- Compliance reports
- Inventory reports
- Security policy reports
Troubleshooting
- Authentication errors
- Error codes

SAS PCE documentation
SAS PCE
Self-service site
Configure authorities, OOB enrollment, and policies

Configure authorities, OOB enrollment, and policies

Self-Service authorities

Authorities are special privileges assigned to operators for the purpose of managing user requests for tokens received from the Self-Service site. There are four possible authorities:

Approval Level 1—This authority approves or denies user requests for tokens received from the Self-Service site. At least one Operator must have this authority if the Request a Token service is enabled on the Self-Service site.
Approval Level 2—This authority approves or denies user requests for tokens that have been approved by Approval Level 1 authorities. This is an optional authority.
Issuing Authority—Requests for tokens that have received the required approvals are fulfilled by the Issuing Authority. This function is the equivalent of using the Provision functions available on the Assignment tab unless a Shipping Authority has been created. At least one Operator must have this authority if the Request a Token service is enabled on the Self-Service site.
Shipping Authority—The Shipping Authority is a special function that serves two purposes:
- It can be used to coordinate the delivery of enrollment instructions with receipt of the physical token by the user.
- It can be used to increase the security of enrollment by requiring the user to provide an additional code during enrollment that is delivered separately and Out-of-Band (OOB) with respect to all other enrollment instructions.
Shipping authorities are applied by token type. Token requests for affected token types that have been approved by the Issuing Authority must be completed by the Shipping Authority. This is an optional authority.

Configure authorities

From the SAS console, select Self-Service > Configuring Self-Service > Self-Service Authorities. This displays a list of Operators that can be assigned one or more authorities. To enable an authority for an Operator, select the appropriate authority option, and then click the Apply button to commit.

There must be at least one Operator with Approver Level 1 Authority or Issuing Authority to activate Enable "Request a Token". Enable the Request a Token option for it to display on the Self-Service site.

Likewise, if a token is in the Shipping Authority Required list, at least one Operator with Shipping Authority is required.

alt_text

At least one Approval Level 1 and Issuing Authority must be enabled.

Self-Service workflow

alt_text

To add a shipping authority to a token type, first ensure that at least one Operator has been given this authority. Next, select the token type from the Not Required window and, using the arrow, move it to the Shipping Authority Required window. Repeat this step for each token type that will require a shipping authority.

Out-of-Band Enrollment

Out-of-band (OOB) enrollment requires that the user provide an additional factor during enrollment to further validate their identity. This normally is in the form of an activation code. The code can be delivered by email, SMS, or output to a file.

OOB can be used with both hardware and software tokens. To enable OOB, select the tokens to which it will apply and the activation code delivery methods, and then click the Apply button.

alt_text

Request and approval messages

Requests for tokens include workflow that incorporates appropriate messaging and alerts for the users making requests for tokens and for each Authority involved in the approval and fulfillment process. Alerts and messages can be customized and sent by email or SMS. In addition, all requests can be viewed and managed from the Queue Management module.

The Request and Approval Queue Processing module contains a page for each of the messages that is sent to the user and authorities during the approval and provisioning process. Use the messages to inform users of the status of their request and to notify authorities when action is required of them.

Each message has an enable or disable option. If enabled, the message is sent at the appropriate point in the process. If disabled, the message is not sent.

Configure request and approval messages

The following configuration options are available in this service:

Auto-delete unapproved requests after X days—If set to 0, unapproved requests will not be automatically removed from the Approval queue. Any other value will automatically remove an unapproved request the indicated number of days after it was received.
Allow approval by Email/SMS—Check the delivery method(s) the system will use to send status and action alerts to authorities. If none are checked, status and action alerts will not be sent but the request will be listed in the appropriate queue.

This service contains several notifications. Use the menu in the Configure Queue Processing section to select the message. Each message has three sections — two for email (Subject, Body) and one for SMS (SMS Content). Most messages contain variables (for example, <email />) that must not be removed or modified. Otherwise, modify any other element of each notification according to your needs.

There is a 160-character limit (including spaces) in SMS messages. To prevent a multi-part SMS message, avoid exceeding this limit.

Click Apply after each message modification to commit the change.

alt_text

Configure the Self-Enrollment Policy

Use this policy to control self-enrollment thresholds and alerts.

Configure the policy on the SAS console, in Policy > Automation Policies > Self-Enrollment Policy.

alt_text

Self-Enrollment base URL - This is the URL to which the user is directed as a result of a provisioning task and is included in the enrollment email instructions to the user. Do not modify this value unless you have installed a stand-alone enrollment web server.
To enforce self-service over SSL, replace http with https in the Self-Enrollment Base URL field. Do not modify this value unless you have installed a stand-alone enrollment web server and have a valid certificate installed.
Activation Code Format - This option determines the strength of the activation code included in the enrollment message and encoded in the enrollment URL. Options are numeric, alphabetic or alphanumeric formats.
Reservation time to live - This is the maximum number of days the user has to complete enrollment commencing with the start date of the provisioning task. This value is added to the provisioning task start date to generate the provisioning task stop date. If set to 0, a provisioning task will never expire. The default value is 10 days.
Enrollment lockout after - This value determines the number of failed enrollment attempts by a user. When this threshold exceeds, the user is unable to enroll their token.
Days Before Expiry to Warn - This value allows you to send a provisioning reminder via email to the user a specified number of days (0-31) before expiration of their provisioning task. The default setting is 0, which does not send a reminder. You can modify the email message template called Enrollment Expiring to customize the content of the expiry reminder email sent to the user.
Enable Multi-Device Instructions - If checked, the Multi-Device Instructions section in Self-Service > Configure Self-Enrollment Pages is enabled in the self-enrollment policy for MobilePASS tokens. Multi-Device Instructions may be useful to:
- Provide assistance to users when the device where the page is loaded is not a selected allowed target. Allowed Targets Settings are designed to allow the user to choose the instructions that are related to their chosen device type and selected in Policy > Token Policies.
- Provide instructions to users who may be loading the Self-Enrollment page on a device that is not their intended device for enrolling the token (and wish to only review the instructions).
Display QR Code - If checked, the enrollment email sent to the user will include the link to the page on the Self-Service module where the QR code is displayed.
- The QR code will display only if a supported device is selected in the device selection drop down menu of the enrollment email.

On this page

SafeNet Authentication Service Private Cloud Edition

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Customer Release Notes
- Customer Support Portal
Legal

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com