Configure authorities, OOB enrollment, and policies
Self-Service authorities
Authorities are special privileges assigned to operators for the purpose of managing user requests for tokens received from the Self-Service site. There are four possible authorities:
- Approval Level 1—This authority approves or denies user requests for tokens received from the Self-Service site. At least one Operator must have this authority if the Request a Token service is enabled on the Self-Service site.
- Approval Level 2—This authority approves or denies user requests for tokens that have been approved by Approval Level 1 authorities. This is an optional authority.
- Issuing Authority—Requests for tokens that have received the required approvals are fulfilled by the Issuing Authority. This function is the equivalent of using the Provision functions available on the Assignment tab unless a Shipping Authority has been created. At least one Operator must have this authority if the Request a Token service is enabled on the Self-Service site.
- Shipping Authority—The Shipping Authority is a special function that serves two purposes:
  - It can be used to coordinate the delivery of enrollment instructions with receipt of the physical token by the user.
  - It can be used to increase the security of enrollment by requiring the user to provide an additional code during enrollment that is delivered separately and Out-of-Band (OOB) with respect to all other enrollment instructions.

  Shipping authorities are applied by token type. Token requests for affected token types that have been approved by the Issuing Authority must be completed by the Shipping Authority. This is an optional authority.
Configure authorities
From the SAS console, select Self-Service > Configuring Self-Service > Self-Service Authorities. This displays a list of Operators that can be assigned one or more authorities. To enable an authority for an Operator, select the appropriate authority option, and then click the Apply button to commit.
At least one Operator must have Approver Level 1 Authority or Issuing Authority before the Enable "Request a Token" option can be activated. Enable the Request a Token option for it to display on the Self-Service site.
Likewise, if a token is in the Shipping Authority Required list, at least one Operator with Shipping Authority is required.
At least one Approval Level 1 and Issuing Authority must be enabled.
Self-Service workflow
To add a shipping authority to a token type, first ensure that at least one Operator has been given this authority. Next, select the token type from the Not Required window and, using the arrow, move it to the Shipping Authority Required window. Repeat this step for each token type that will require a shipping authority.
Out-of-Band Enrollment
Out-of-band (OOB) enrollment requires that the user provide an additional factor during enrollment to further validate their identity. This normally is in the form of an activation code. The code can be delivered by email, SMS, or output to a file.
OOB can be used with both hardware and software tokens. To enable OOB, select the tokens to which it will apply and the activation code delivery methods, and then click the Apply button.
Request and approval messages
Requests for tokens include workflow that incorporates appropriate messaging and alerts for the users making requests for tokens and for each Authority involved in the approval and fulfillment process. Alerts and messages can be customized and sent by email or SMS. In addition, all requests can be viewed and managed from the Queue Management module.
The Request and Approval Queue Processing module contains a page for each of the messages that is sent to the user and authorities during the approval and provisioning process. Use the messages to inform users of the status of their request and to notify authorities when action is required of them.
Each message has an enable or disable option. If enabled, the message is sent at the appropriate point in the process. If disabled, the message is not sent.
Configure request and approval messages
The following configuration options are available in this service:
- Auto-delete unapproved requests after X days—If set to 0, unapproved requests will not be automatically removed from the Approval queue. Any other value will automatically remove an unapproved request the indicated number of days after it was received.
- Allow approval by Email/SMS—Check the delivery method(s) the system will use to send status and action alerts to authorities. If none are checked, status and action alerts will not be sent but the request will be listed in the appropriate queue.
This service contains several notifications. Use the menu in the Configure Queue Processing section to select the message. Each message has three sections — two for email (Subject, Body) and one for SMS (SMS Content). Most messages contain variables (for example, <email />) that must not be removed or modified. Otherwise, modify any other element of each notification according to your needs.
There is a 160-character limit (including spaces) in SMS messages. To prevent a multi-part SMS message, avoid exceeding this limit.
Click Apply after each message modification to commit the change.
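The following check is an added example, not part of the product or its documentation: it compares a customized message with its default text to confirm that no variable was removed or altered and that the SMS content stays within 160 characters. The dictionary layout, the message texts, and the assumption that every variable follows the `<name />` shape of `<email />` are constructed for illustration.

```python
import re
from collections import Counter

SMS_LIMIT = 160  # characters including spaces, as stated on this page
# Assumption: variables follow the shape of the page's <email /> example.
VARIABLE = re.compile(r"<\s*\w+\s*/\s*>")

def variables(text):
    """Return a multiset of the variable tokens found in one section."""
    return Counter(VARIABLE.findall(text))

def check_message(default, customized):
    """Compare a customized message with its default; return findings."""
    findings = []
    for section in ("subject", "body", "sms"):
        before = variables(default.get(section, ""))
        after = variables(customized.get(section, ""))
        # Tokens present in the default but missing (or respelled) now.
        for token in sorted(before - after):
            findings.append(f"{section}: variable {token} removed or modified")
        # Tokens that were never in the default text.
        for token in sorted(after - before):
            findings.append(f"{section}: unexpected variable {token}")
    sms_len = len(customized.get("sms", ""))
    if sms_len > SMS_LIMIT:
        findings.append(f"sms: {sms_len} characters exceeds {SMS_LIMIT}")
    return findings

# Constructed sample texts (not the product's real default messages).
DEFAULT = {
    "subject": "Token request received",
    "body": "A token request from <email /> is awaiting your approval.",
    "sms": "Token request from <email /> awaiting approval.",
}
CUSTOM = {
    "subject": "Token request received",
    "body": "Request from <mail /> needs your approval.",
    "sms": "Token request from <email /> awaiting approval. "
           + "Please review in the queue. " * 5,
}

if __name__ == "__main__":
    for finding in check_message(DEFAULT, CUSTOM):
        print(finding)
```

The length is measured on the template text as written; if a variable is replaced by a longer value at send time, the delivered SMS will be longer than the figure reported here.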
Configure the Self-Enrollment Policy
Use this policy to control self-enrollment thresholds and alerts.
Configure the policy on the SAS console, in Policy > Automation Policies > Self-Enrollment Policy.
- Self-Enrollment base URL - This is the URL to which the user is directed as a result of a provisioning task and is included in the enrollment email instructions to the user. Do not modify this value unless you have installed a stand-alone enrollment web server.
  - To enforce self-service over SSL, replace http with https in the Self-Enrollment Base URL field. Do not modify this value unless you have installed a stand-alone enrollment web server and have a valid certificate installed.
- Activation Code Format - This option determines the strength of the activation code included in the enrollment message and encoded in the enrollment URL. Options are numeric, alphabetic or alphanumeric formats.
- Reservation time to live - This is the maximum number of days the user has to complete enrollment commencing with the start date of the provisioning task. This value is added to the provisioning task start date to generate the provisioning task stop date. If set to 0, a provisioning task will never expire. The default value is 10 days.
- Enrollment lockout after - This value sets the threshold for failed enrollment attempts by a user. When this threshold is exceeded, the user is unable to enroll their token.
- Days Before Expiry to Warn - This value allows you to send a provisioning reminder via email to the user a specified number of days (0-31) before expiration of their provisioning task. The default setting is 0, which does not send a reminder. You can modify the email message template called Enrollment Expiring to customize the content of the expiry reminder email sent to the user.
- Enable Multi-Device Instructions - If checked, the Multi-Device Instructions section in Self-Service > Configure Self-Enrollment Pages is enabled in the self-enrollment policy for MobilePASS tokens. Multi-Device Instructions may be useful to:
  - Provide assistance to users when the device where the page is loaded is not a selected allowed target. Allowed Targets Settings are designed to allow the user to choose the instructions that are related to their chosen device type and selected in Policy > Token Policies.
  - Provide instructions to users who may be loading the Self-Enrollment page on a device that is not their intended device for enrolling the token (and wish to only review the instructions).
- Display QR Code - If checked, the enrollment email sent to the user will include the link to the page on the Self-Service module where the QR code is displayed.
  - The QR code will display only if a supported device is selected in the device selection drop down menu of the enrollment email.
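To see how these settings interact, the added example below (not product code and not an SAS export format) derives the provisioning task stop date, the reminder date, and the chance that blind guessing hits the activation code before lockout. The dictionary keys, the `code_length` parameter, and the alphabet sizes (single-case letters) are assumptions, since the page does not state the code length or character set.

```python
from datetime import date, timedelta
from urllib.parse import urlsplit

# Assumed alphabet sizes (single-case letters); the page does not state them.
ALPHABET_SIZE = {"numeric": 10, "alphabetic": 26, "alphanumeric": 36}

def review_policy(policy, task_start, code_length):
    """Derive dates and guessing odds from Self-Enrollment Policy values.

    The `policy` keys and `code_length` are hypothetical names used only here.
    """
    findings = []
    if urlsplit(policy["base_url"]).scheme != "https":
        findings.append("base URL is not https: the enrollment URL, with its "
                        "encoded activation code, is requested over plain HTTP")

    ttl = policy["reservation_ttl_days"]
    warn = policy["days_before_expiry_to_warn"]
    stop = reminder = None
    if ttl == 0:
        findings.append("reservation time to live is 0: "
                        "provisioning tasks never expire")
    else:
        stop = task_start + timedelta(days=ttl)  # start date + TTL
    if warn and stop:
        reminder = stop - timedelta(days=warn)
        if reminder <= task_start:
            findings.append("reminder would fall on or before the task start")

    # Chance that blind guessing hits the code within the lockout threshold.
    keyspace = ALPHABET_SIZE[policy["activation_code_format"]] ** code_length
    guess_odds = min(1.0, policy["enrollment_lockout_after"] / keyspace)
    return {"stop": stop, "reminder": reminder,
            "guess_odds": guess_odds, "findings": findings}

# Constructed sample values; the 10-day TTL is the documented default.
SAMPLE = {
    "base_url": "http://enroll.example.com/selfEnrollment",
    "activation_code_format": "numeric",
    "reservation_ttl_days": 10,
    "enrollment_lockout_after": 5,
    "days_before_expiry_to_warn": 3,
}

if __name__ == "__main__":
    print(review_policy(SAMPLE, date(2024, 3, 1), code_length=6))
```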