Self-Service Modules
A service is published to the self-service site if it is enabled. The user options and supported languages for each service are configured independently.
You can configure the self-service options and services that are located on the SAS console, at Self-Service > Configuring Self-Service > Configure Self-Service Modules.
The following figure shows an example of the Request a Token module.
All of the self-service modules include the following options:
-
Enable <Service Name>—To change the publication status of a service, select or clear the Enable option and then click Apply.
-
Require the User to Sign in—For security reasons, some services, such as My Profile or Change PIN, should require the user to authenticate before access is granted. To require authentication, select this option and then click Apply.
-
Page—Most services contain several pages; however depending on your requirements, it may not be necessary to publish all pages. For example, the My Profile service includes pages that display token requests made by the user. As this is an information page only, it is not necessary to publish the page.
-
Show Help—Help is available for most pages; however, it can be removed from the site by clearing this option.
-
Required – (not shown)—Some pages, such as My Profile, allow users to input or update information. The Required option, if enabled, requires the user to enter data into the field. If this option is not selected, the field is not displayed.
Configure a language set for the self-service modules
You can create multiple language sets for each of the self-service modules, and all of the pages, error messages, and help text available with each service.
To view a language set, select it from the language list, and then click View.
To add a language set, type the name for the set in the Language Set field, and then click Add. Next, modify all of the labels, default text, help text, and error messages for each of the pages in the service. For example, to create a French language set:
-
Add Français to the list.
-
Select a service from the Module list.
-
Select a page from the Page list and then modify the text and labels.
-
Click Apply to save the set.
-
Repeat steps 2 and 3 until all pages have been modified.
Default elements
This module has only one page and includes the basic information presented on the Self-Service home page. User access to customized Terms of Use policies and documentation can be provided by placing these on a publicly accessible location and updating the corresponding URLs in this module.
The Language icon can be replaced with text or a custom image.
The Help Desk link in the footer area should contain information that assists the user in contacting your help desk for assistance.
My Profile
This service enables users to modify basic information about their account such as address and telephone number. It also presents basic statics about their authentication activity and enables them to manage challenge-response questions valid (if enabled) for sign on to the Self-Service site. There are five pages in this service. Each service contains a section for error messages or help text.
This service requires sign in to the self-service site.
Select to Proceed
This is the first page displayed when My Profile is selected by the user.
View My Logon Statistics
This displays information about authentication activity by the user including last logon date, number of logons: today, this week this month and this year. This page can be unpublished.
View and Update My Profile
The user can update basic personal information that is stored in the Virtual Server. Note that this service cannot be used to update information obtained by the Virtual Server from an external user source such as LDAP. Only users that have been manually created or imported from a flat file can update their information through this service.
This service lists the fields that will accept user input. Some are mandatory (no options), others can be required (made mandatory). It also contains sections for customizing error messages and adding help text relevant to this page.
Update my security Questions and Answers
Security Questions and Answers can be used as an alternative sign-in method for the self-service site. This service allows the administrator to create a series of questions. The user will be required to create a set of answers to these questions. During sign-in the user will have the option of supplying the previously recorded answers to the questions as an alternative sign-in method if this method is enabled. This page can be unpublished.
Question Management
Use this functionality to create questions from which the user will select as an alternate self-service site sign in method.
Use the Edit button to modify a highlighted question from the defined question list, including the minimum and maximum answer length, case sensitivity and trivial answer control options.
Use the Add button to add a question created in the Question field to the Defined Questions list.
Question Sets
Use this functionality to define the number of question groups that will be displayed to the user. Users must answer one question from the list of questions contained in a Question Set.
Use the arrows to add or remove question sets to or from the Defined Question Sets list. Sets in this list are displayed to the user.
Question Assignment
Use this functionality to group questions created in Question Management into one or more of the sets enabled in Question Sets.
To add one or more questions to a set, select the set from the drop-down list, then using the arrows move the questions to be included in the set to the Questions in Sets list, then click the Update button to commit the change.
-
Minimum answer length
Sets the minimum number of characters allowed as an answer.
-
Maximum answer length
Sets the maximum number of characters allowed as an answer.
-
Answers are case sensitive
If checked, answers are case sensitive.
-
Disallow trivial answers
If checked, answers comprised of triplets (for example, 111, aaa) or 3 character sequential strings (for example, 123, abc) are disallowed.
Use the Add button to add questions to the list. To edit or remove a question, highlight it in the list then click the Edit or Remove button respectively.
My Token Request
This page displays a list of outstanding token requests.
Request a Token
This service provides the ability for a user to request a token. It is also where outbound messages to users and authorities are configured. To make this service available on the Self-Service site, the following must be in place:
-
The Virtual Server must have at least one Operator.
-
Enable Request a Token must be selected here and under the Self-Service Authorities service.
Although both options must be enabled for the Request a Token button to be available on the Self-Service site, enabling the option here (under the Request a Token service) allows you to show or hide the Request a Token button on the home page on the Self-Service site. However, it has no effect on the function itself, which will continue to run while the same option is enabled under Configuring Self-Service > Self-Service Authorities. Hiding the button simply prevents users from requesting new tokens, allowing administrators time to process existing requests that are currently in the token request queue.
There are six (6) pages in this service:
User Type page
This is the first page presented to the user when accessing this service. Users that have an account and an assigned authentication method, such as a token, can sign in to the Self-Service site and request an additional token.
This page also allows users that do not have an account in the virtual server to create an account (pending approval) as part of the token request process.
Create Account page
If enabled, the user will be able to submit a request to create an account in the Virtual Server during the “request a token” process. The request must be approved by Approval Level 1 (and Approval Level 2 if enabled) before the account is created.
The fields First Name, Last Name, User ID, and Email address are mandatory if this page is enabled. Other fields can be displayed by selecting the corresponding Required option.
Token Type page
This page displays a list of token types that may be requested by the user. Each type in the list has a corresponding enrollment class. The class selection determines which notification and enrollment instructions the user will receive for the selected token type.
To publish or unpublish a token type, select or clear the corresponding field option respectively, and then click Apply.
To add a token type:
-
Click the Add Token Type button.
-
Enter a description and select a class from the list.
-
Select the Field option.
-
Click Apply.
Confirmation page
The Confirmation page is used to configure messages that are displayed to the user immediately following token selection.
Only one of the messages will display, corresponding to the type of validation required or available.
Validation page
The Validation page is used to configure messages that will be displayed to the user for token validation. If enabled, the user must confirm their request for a token by replying to a message delivered to them via email or SMS.
User page
This page is displayed when the user selects the I am an Existing User option. It requires the user to provide their user ID when signing in to the Self-Service site.
-
User ID: The label for the User ID input field.
-
Error: The error message displayed if the user ID is not valid.
-
Next: Text for the Next button.
Request a Token Workflow
Reset PIN
This service provides the ability for a user to reset the server-side PIN associated with a token assigned to them. There are five (5) pages in this service. Each page contains a section for error messages or help text.
User page
This is the content of the first page served to the user when accessing the Reset PIN facilities. If the page is set to require the user to sign in, they will be directed to the Sign In page before being presented with the User page.
Select a Token page
If a user has more than one token, this page provides a list from which the user can select the token. PIN reset applies to the selected token.
Create New PIN page
This page is presented when the user has supplied their user ID and the serial number of a token assigned to their account and the PIN associated with the token allows the user to generate a new PIN (for example, server-side, user select). It requires the user to enter and verify a new PIN.
Server-side PIN page
This page is displayed if the token issued to a user requires a server-side PIN that is set by the server (for example, server-side, server select).
Confirmation page
This page is presented when the user has successfully changed their PIN.
Reset PIP
This service provides the ability for a user to reset the PIN associated with their GrID authentication method. There are three pages in this service. Each page contains a section for error messages or help text.
User page
This is the first page displayed to the user when accessing the Reset PIP facilities. If the page is set to require the user to sign in, they are directed to the Sign In page before being presented with the User Page.
If directed to sign in, the user should only provide their user ID. If an OTP field is displayed on the sign in page, it should be left blank. A valid user ID and empty OTP field generate a new page with a GrID and OTP field, allowing the user to authenticate and sign in.
Select Pattern page
This page displays for a valid user ID provided on the User page and requires the user to provide their PIP.
Confirmation page
The confirmation page is presented on successfully resetting a PIP.
Resync Token
This service provides the ability to resync a token with the server and confirm the ability to authenticate with the token. There are six (6) pages in this service. Each page contains a section for error messages or help text.
User page
The user page is served up to the user in two parts—the first requires the user ID, which, if found on the server, generates the second part requesting the token serial number.
Auth Resync page
This page is presented when the selected token supports resynchronization using two consecutive OTPs.
Time-based Resync page
This page is presented when the selected token is time-synchronous and supports resynchronization using two consecutive OTPs.
Challenge/Response page
The challenge/response page is presented when a token fails resynchronization using all other available methods. In this method the user must key the displayed challenge into their token to generate a passcode or “response”, and then enter the response in the indicated field.
Confirmation page
The confirmation page displays the outcome of the synchronization attempt whether successful (Confirmation), failed (Error) or not processed (No Token Error).
Resend SMS
The Resend SMS page enables a user to send a new SMS Token code to their mobile device.
Sign In
This service controls the options for signing into the self-service site. There are five (5) pages in this service. Each page contains a section for error messages or help text. The Sign In button is replaced with a Sign Out button when a user successfully authenticates to the Self-Service site.
Authenticate page
This page presents the allowed methods for authenticating into the Self-Service site. The remaining pages in this service provide the user experience and process necessary for the method selected by the user.
Authenticate to Process page
This page handles authentication using tokens, grids and static passwords. It includes additional prompts to deal with authentication exceptions. In most cases a user authenticating using a token provides their OTP and gains access to the site. However, it is possible that another policy will be triggered altering this workflow.
For example, if there is a server policy that requires the user to change their PIN every 30 days, and this happens to coincide with their authenticating to the self-service site, successful authentication will be followed with a requirement to create a new PIN before access to self-service is permitted. This page provides prompts that deal with such situations.
Send Password by Email page
This selection sends a one-time password, valid only for the Self-Service site to the email address associated with the user ID. It includes error messages to handle cases where email cannot be sent or the user ID cannot be found.
Send Password by SMS page
This selection sends a one-time password, valid only for the self-service site to the SMS number associated with the user ID. It includes error messages to handle cases where SMS cannot be sent or the user ID cannot be found.
Question and Answer page
This option allows a user to sign in using answers to questions provided when configuring their profile.