Create an account
If you have an account manager role in a service provider account, you can create child accounts. The child accounts can be virtual service providers or subscriber accounts.
You create accounts on the STA Token Management console, on the On-Boarding tab. Creating an account includes these tasks:
Create the account and add the name and billing address
- On the STA Token Management console, select the On-Boarding tab.
- Under Shortcuts, select Create Account.
- Enter the account information:
  Account: The name of the organization. It must be unique within your account hierarchy.
  Billing Address: Account invoices are sent to this mailing address, which must be a physical location.
  Ship To same as Billing Address: Select this option to send all other shipments, not just account invoices, to the billing address. Otherwise, enter the mailing address where you want to send other shipments.
  Custom #1-#3: Add descriptors that distinguish this account from similarly named accounts. You can change the titles of these fields with the branding options.
  Group: Select the account management group to create an association with related accounts.
- Select Save, and then configure the services.
The information that you added becomes the Account Detail, which you can edit later as needed.
Configure account services
- On the On-Boarding tab, expand the Services module.
- For Account Status, select the Active check box.
  The service is active for the service period that you define. The service is disabled until you select this check box, regardless of the service period.
  If an account's service is suspended, the account becomes unavailable to all of its operators and users. Re-activating the service restores the service and operator rights to the state immediately prior to suspension.
- Select the Plan. STA is offered with three levels of subscription plans. Higher-level plans include all the features of the lower-level plans.
- Select the Account Type:
  - Evaluation: Enables a potential customer to use the service on a trial basis. Evaluation accounts have full access to STA features.
    Generate an alert before the evaluation service stops, so that you can contact the potential customer while the account is still active. You can also use this option in reports to distinguish paying customers from those who are evaluating the service.
  - Subscriber: Enables an account to add users to the service. This account type cannot create or manage additional accounts.
  - Virtual Service Provider: Enables an account to add users to the service. This account type can also create, manage, and share resources with child accounts.
    For example, virtual service providers might resell your service to their own client base, and therefore create and manage their own accounts. They might also on-board subsidiary companies, segregate management and services between internal groups, or use multiple LDAP servers to synchronize users.
- Set the Service Period (duration). The start and stop dates take effect only while the account status is Active.
  - Service Start: The date when the service is enabled.
  - Service Stop: The date when the service is disabled.
  - Billing Frequency: A flag that is reproduced in reports. It lets you determine the service and billing commitments for an account without referring to contracts.
- Enter the Max Auth Nodes that are available to the account.
  Auth nodes are the RADIUS-based integrations or legacy agents from which virtual servers receive and process authentication requests. Use this setting to limit the number of devices or applications that can authenticate against the service for this account. The minimum value is 1. Typically, set this value to reflect the minimum account requirements.
- To immediately delegate account management to the parent account, select the Use Delegate check box, and then enter the Primary Contact and Telephone number.
  The delegated account appears on the parent account's Virtual Servers tab.
- Click Save.
Allocate tokens
The allocation process moves inventory into an account’s virtual server. You allocate each type of token and capacity to an account in a separate transaction. The steps in the allocation process depend on the type of tokens that you want to allocate.
- On the On-Boarding tab, expand the Allocation module.
  The Allocation module shows the capacity and quantity of all token and authentication types that are allocated to an account’s virtual server. Capacity determines the maximum number of tokens that can be in use (assigned to users).
- Allocate tokens and capacity, and then create an operator.
Create an operator
An account can be managed by an account manager, an operator, or both. By default, a service provider can manage the virtual server for every child account. If the account needs to manage its own virtual server, create an operator in that virtual server. If the account is fully managed by the service provider, there is no need to create an operator.
The process of creating an operator for a child account:
- Creates a user in the account's virtual server
- Assigns an authentication method to the user
- Prepares for enrollment
- Promotes the user to operator status
- Prepares the operator email validation process
If the account is created as a subscriber account, this process creates an operator within the account’s virtual server. On login, the operator has access to the virtual server tabs on the STA Token Management console, and has full control of all aspects of their virtual server.
If the account is created as a virtual service provider, the user is also promoted to account manager at the service provider level. When they log in, the user has access to the account management view of the STA Token Management console and has full control of all aspects of their virtual server, and the ability to create and manage accounts.
In both cases, STA sends the user an email with enrollment instructions. After the user completes the enrollment, they receive a second email with instructions for validating their email address, which requires logging in to STA.
On the On-Boarding tab, the operator is always created as an account manager, if the child virtual server supports it. If only operator rights are required or you need the operator to have a different role, create the operator from within the virtual server instead (add a user on the Assignment tab, and then promote that user to operator status on the Operators tab and select the appropriate role).
- On the On-Boarding tab, expand the Create Operator module.
- Select Add.
- Enter the details for the operator, including the following as necessary:
  - Mobile/SMS: If SMS is enabled for the account’s service, this number is used to send SMS/OTP and other SMS messages to the operator. This field must contain digits, the first of which are the country code, followed by the city code. The field can include a full country prefix, such as +1 or +49.
    In North America, this results in an entry in the format +16131112222, where 1 is the country code, 613 is the area code, and the remaining 7 digits are the phone number.
    In the UK, this results in an entry in the format +448701112222, where 44 is the country code, 870 is the city code, and the remaining digits are the phone number.
  - Container: Corresponds to the containers configured in the account’s virtual server.
  - Custom #1, #2, #3: Correspond to the three custom fields that are allowed for each user account. These are different from the similarly labeled fields in the Account Detail module. Use these fields to store information that is relevant to the record and to distinguish similar users.
- Select Next.
- Select the Authentication Type, select Done, and then configure auth nodes.
  The available authentication types reflect the inventory that is allocated to this account and present in its virtual server.
  The Available column shows the tokens that are available for this user, that is, the tokens that belong to the same container as the user. This can differ from the corresponding value in the Available row of the Allocation list, which shows the whole inventory across all containers.
The status of the operator is set to pending until enrollment and email validation are complete. The enrollment process varies depending on the assigned authentication method.
After the operator is enrolled, they receive an operator email validation message.
After they complete this step, the operator is logged in to their virtual server.
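The Mobile/SMS field described above has a strict format: digits only, with an optional leading "+", the country code first, then the city or area code, then the subscriber number. The following helper is an added example, not code from the STA product or its documentation; it normalizes operator-supplied input (spaces, parentheses, hyphens) into the +16131112222 form the page shows, rejects values that are not digits or that fall outside the E.164 length limit, and splits the number into its parts using a small constructed country-code table. The 15-digit maximum is the ITU E.164 limit; the 8-digit minimum and the country-code table are assumptions made for this example only.

```python
import re

# ITU E.164 limit: a full international number carries at most 15 digits.
E164_MAX_DIGITS = 15
# Constructed sanity floor for this example; not a rule from the STA documentation.
MIN_DIGITS = 8

# Constructed lookup: country code -> (country, city/area-code length).
# Illustrative only; a real deployment would use a proper numbering-plan library.
COUNTRY_CODES = {
    "1": ("North America", 3),    # +1 613 ... : 3-digit area code, as in the page's example
    "44": ("United Kingdom", 3),  # +44 870 ... : 3-digit city code, as in the page's example
    "49": ("Germany", None),      # variable-length city codes; not split further here
}

# After formatting characters are removed, only digits with an optional leading "+" may remain.
_ALLOWED = re.compile(r"^\+?[0-9]+$")


def normalize_mobile(raw: str) -> str:
    """Strip formatting characters and return the number as '+' followed by digits.

    Raises ValueError when the cleaned value is not digits with an optional leading '+',
    or when the digit count falls outside the E.164 bounds.
    """
    cleaned = re.sub(r"[\s().\-]", "", raw.strip())
    if not _ALLOWED.match(cleaned):
        raise ValueError(f"Mobile/SMS must be digits with an optional leading '+': {raw!r}")
    digits = cleaned.lstrip("+")
    if not MIN_DIGITS <= len(digits) <= E164_MAX_DIGITS:
        raise ValueError(f"expected {MIN_DIGITS}-{E164_MAX_DIGITS} digits, got {len(digits)}")
    return "+" + digits


def split_mobile(raw: str) -> dict:
    """Normalize the number and split it into country code, city/area code and subscriber part."""
    normalized = normalize_mobile(raw)
    digits = normalized[1:]
    # Country codes are 1-3 digits; try the longest match first so "44" is not read as "4".
    for width in (3, 2, 1):
        cc = digits[:width]
        if cc in COUNTRY_CODES:
            country, city_len = COUNTRY_CODES[cc]
            rest = digits[width:]
            city = rest[:city_len] if city_len else ""
            subscriber = rest[city_len:] if city_len else rest
            return {
                "normalized": normalized,
                "country_code": cc,
                "country": country,
                "city_code": city,
                "subscriber": subscriber,
            }
    raise ValueError(f"unknown country code in {normalized}")


def is_valid_mobile(raw: str) -> bool:
    """Boolean wrapper suitable for form validation: True when the value normalizes cleanly."""
    try:
        normalize_mobile(raw)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: one North American and one UK number with typical formatting.
    for sample in ("+1 (613) 111-2222", "+44 870 111 2222", "613-CALL-NOW"):
        print(sample, "->", split_mobile(sample) if is_valid_mobile(sample) else "rejected")
```

Normalizing before storing the value matters because the SMS/OTP delivery path reads the stored digits verbatim; a stray space or letter silently breaks one-time-password delivery for that operator, which shows up later as a failed enrollment rather than as a validation error at entry time.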
Configure auth nodes
Configure authentication (auth) nodes to enable VPN and web applications to authenticate against the virtual server. An auth node is any RADIUS client, agent, or application (for example, VPN and web applications such as Outlook Web Access) that sends authentication requests to the virtual server.
Configuring auth nodes here is optional, and can be done later by the operator from the STA Token Management console in the Virtual Servers > Comms > Auth Nodes module.
The number of auth nodes that you can add is limited to the Max. Auth Nodes value that is specified in Services for this account. To increase this value, contact your service provider.
- On the On-Boarding tab, expand the Auth Nodes module and select the Auth Nodes task.
- Click Add.
- Enter the auth node information.
- Click Save.
Configure RADIUS IP addresses and port numbers
Configuring RADIUS IP addresses and port numbers is optional. It is required only if you don't want to use the default cloud RADIUS servers.
- On the STA Token Management console, select On-Boarding > Auth Nodes > RADIUS IP/Port #s.
- Select Custom.
- Complete the RADIUS IP/Port #s fields:
  - Primary RADIUS Server: Configure your RADIUS client (for example, a VPN gateway) to use this address as the primary RADIUS server.
  - Failover RADIUS Server: Configure your RADIUS client (for example, a VPN gateway) to use this address as the failover RADIUS server.
  - Primary Agent DNS: Configure your agent (for example, SafeNet Agent for Windows Logon) to use this address as the primary authentication server.
  - Failover RADIUS Server: Configure your agent (for example, SafeNet Agent for Windows Logon) to use this address as the failover authentication server. Configuring the RADIUS client to use the failover RADIUS server as its primary, or failing to configure a failover RADIUS server at all, may result in reduced performance or an authentication outage.
- Click Apply.
Add contacts
You can add optional contacts who are associated with the account.
- On the On-Boarding tab, select Contacts.
- Select Add.
- Enter the contact details and select Save.