SAS Administration Guide
Version 1.6.1
10/mar/13
Administration Guide SAS
Version 1.6.1
2 of 86
Table of contents
1 References ..... 4
2 Introduction ..... 5
3 SAS overview ..... 6
4 SAS management portal ..... 9
4.1 Access ..... 9
4.2 Account Manager view ..... 10
4.3 Operator view ..... 11
5 Customizing SAS environment ..... 12
5.1 Appearance and branding ..... 12
5.2 Communications ..... 13
5.2.1 SMS settings ..... 13
5.2.2 E-mail settings ..... 14
5.2.3 SMS messages ..... 15
5.2.4 E-mail messages ..... 16
5.3 User policies ..... 17
5.4 Token policies ..... 18
5.5 Automation policies ..... 18
5.5.1 Provisioning rules ..... 18
5.5.2 Self-service policy ..... 19
5.5.3 Self-enrollment policy ..... 19
5.5.4 SAML provisioning rules ..... 19
6 Managing SAS inventory ..... 20
6.1 Inventory status ..... 20
6.2 Allocating ..... 20
6.3 Managing allocated tokens ..... 22
7 Managing SAS end-users ..... 24
7.1 Creating end-users accounts ..... 24
7.1.1 Create User shortcut ..... 24
7.1.2 Import Users shortcut ..... 25
7.1.3 LDAP synchronization ..... 28
7.2 Managing end-users groups ..... 28
7.2.1 “Group Maintenance” module ..... 29
7.2.2 Group Membership module ..... 29
7.2.3 RADIUS Attribute (Group) module ..... 30
7.3 Managing containers ..... 30
7.3.1 Container Maintenance module ..... 31
7.3.2 Container Members module ..... 31
7.4 Authorization and pre-authentication rules ..... 31
8 Managing SAS tokens ..... 33
8.1 Provisioning end-users ..... 33
8.1.1 Bulk provisioning ..... 33
8.1.2 Automated provisioning ..... 34
8.1.3 Manual provisioning ..... 36
8.1.4 Manual assigning ..... 36
8.2 Managing a provisioned/assigned token ..... 39
8.2.1 Suspend ..... 41
8.2.2 Unlock ..... 42
8.2.3 New PIN ..... 42
8.2.4 Resync ..... 43
8.2.5 Revoke ..... 43
9 Managing SAS Auth Nodes ..... 44
10 Managing SAS SAML Services ..... 47
10.1 Adding SAML Service Providers ..... 47
10.2 Provisioning SAML Services ..... 49
10.2.1 Manual provisioning ..... 49
10.2.2 Auto-provisioning rules ..... 50
11 Managing SAS reporting ..... 52
11.1 Accessing the SAS reporting modules ..... 52
11.1.1 Account ..... 52
11.1.2 Virtual Server ..... 53
11.2 “Available Reports” module ..... 54
11.3 “My Report List” module ..... 55
11.4 “My Scheduled Reports” module ..... 56
11.5 “My Report Output” module ..... 56
12 Monitoring your SAS ..... 57
12.1 Snapshot summary information ..... 57
12.2 “User management” page ..... 58
13 Requesting changes ..... 59
14 Requesting support ..... 60
Appendix A: appearance and branding customization ..... 61
A.1 Custom fonts ..... 61
A.2 Custom colours ..... 63
A.3 Custom buttons ..... 65
A.4 Custom logo images ..... 66
A.5 Custom titles ..... 69
A.6 Custom labels ..... 71
Appendix B: communications customization ..... 72
B.1 SMS messages tags ..... 72
B.2 SMS messages list ..... 72
B.3 E-mail messages tags ..... 73
B.4 E-mail messages list ..... 74
Appendix C: SAML default CCS source ..... 84
© copyright, Equant 2009
All rights reserved.
The information contained in this document is the property of Equant and its affiliates and subsidiary companies
forming part of the Equant group of companies (individually or collectively). No part of this document may be
reproduced, stored in a retrieval system, or transmitted in any form or by any means; electronic, mechanical,
photocopying, recording, or otherwise, without the prior written permission of Equant. Legal action will be taken
against any infringement.
Equant is a member of the France Telecom Group and operates its services under the name Orange Business Services.
1 References
Ref 1: SAS welcome guide – <software/hardware> token on <PC/smartphone>
Ref 2: SAS LDAP synchronization agent configuration guide
Ref 3: MSCT user guide
Ref 4: SAML Authentication with SAS Cloud
2 Introduction
As part of the system that enables your company’s employees to make remote connections to your
company network, your company has chosen to use the Secure Authentication Service provided by
Orange Business Services.
The Secure Authentication Service (SAS) is a security system that ensures only authorized people can
access your company’s network.
About this document
This document is intended for SAS customer operators.
Below is an overview of the chapters in this guide and their content:
• Chapter 3: SAS overview – describes some basic principles of SAS.
• Chapters 4 to 12: managing your SAS service – describe how you can use the SAS management portal to manage user accounts, provision tokens, manage groups, authorizations and policies, customize your SAS portals and the SAS message contents, view SAS reports, etc.
• Chapter 13: requesting changes – gives details of how to request changes that cannot be performed using your SAS management portal.
• Chapter 14: requesting support – gives details of how to contact the Orange Business Services support center.
3 SAS overview
The SAS ensures strong authentication of users who access their company resources via a remote connection.
Strong authentication combines "what you know" (user name and PIN code) and "what you have" (token code). This compares to simple authentication, which relies only on "what you know" (user name and password).
The user’s password, called Passcode, is composed of a PIN code (between 4 and 8 numeric characters) immediately followed by the token code (the digits displayed by the token):
Login: UserID
Passcode: PIN code + token code
Each token code is accepted only once, and knowing the codes already displayed does not allow anyone to compute the next one.
The SAS is implemented on the SafeNet Authentication Service Cloud platform. Each customer is provided with Virtual Servers on this platform; a Virtual Server is the (virtual) authentication server dedicated to an individual account.
Orange Business Services offers the following Cryptocard tokens with the SAS:
• Hardware tokens
- metal key fob (KT 4): battery life unlimited (replaceable battery); very frequent usage, ideal in aggressive industrial environments
- plastic key fob (KT 5): battery life 5 to 7 years; frequent usage
- lightweight plastic key fob (crystal): battery life 3 to 5 years; normal usage
• Software tokens
Software token codes are generated by the Cryptocard MP-1 application on the user’s equipment. Cryptocard software tokens run on almost all common devices (Windows PC, iPhone, iPad, Android devices, Blackberry devices, Symbian phones, Java phones):
- MP-1 application for PC
- MP-1 application for smartphone
Cryptocard tokens can be configured for either:
• Token-side PIN: the PIN must be keyed into the token before an OTP is generated.
• Server-side PIN: the PIN is prepended to the OTP and validated by the server.
• Orange Business Services provides Cryptocard tokens configured for server-side PIN by default. In that mode the token displays a valid OTP to whoever holds it, so the PIN, together with the lockout applied after repeated failed attempts, is what stands between a lost or stolen token and a login.
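How the server checks a passcode in server-side PIN mode, why a code cannot be replayed, and what the Resync operation (section 8.2.4) does are easier to see in code. The following is an added example written for this page; it is not SafeNet or Orange Business Services code and does not describe the SAS implementation. It assumes the token code is an RFC 4226 HOTP (HMAC-SHA1, 6 digits), that the server stores the next counter value it will accept and looks ahead a fixed window, and that three failures lock the token. The window sizes, the lockout threshold, the function names and the seed are assumptions for illustration only.

```python
"""Server-side PIN + event-based OTP check (added illustration, not SAS code).

Assumptions, none of which the guide states: the token code is an RFC 4226
HOTP (HMAC-SHA1, 6 digits); the server keeps the next counter value it will
accept and looks ahead WINDOW events; three failures lock the token.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

DIGITS = 6            # assumed length of the token code
WINDOW = 10           # assumed look-ahead at login (token may have been pressed unused)
RESYNC_WINDOW = 1000  # assumed look-ahead for the operator Resync action
MAX_FAILURES = 3      # assumed token-policy lockout threshold


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class TokenRecord:
    secret: bytes          # seed shared with the token at provisioning
    pin: str               # server-side PIN, 4 to 8 digits
    next_counter: int = 0  # lowest counter value the server still accepts
    failures: int = 0
    locked: bool = False   # cleared by the operator Unlock action


def split_passcode(passcode: str, digits: int = DIGITS):
    """Passcode = PIN immediately followed by the token code.
    The code has a fixed length, so cut from the right; what remains is the PIN."""
    if not (passcode.isascii() and passcode.isdigit()):
        return None
    if not (4 + digits <= len(passcode) <= 8 + digits):
        return None
    return passcode[:-digits], passcode[-digits:]


def _find_counter(rec: TokenRecord, otp: str, window: int):
    """Return the first counter in the window whose HOTP equals otp, else None."""
    for c in range(rec.next_counter, rec.next_counter + window):
        if hmac.compare_digest(hotp(rec.secret, c), otp):
            return c
    return None


def _fail(rec: TokenRecord) -> bool:
    rec.failures += 1
    if rec.failures >= MAX_FAILURES:
        rec.locked = True
    return False


def validate_passcode(rec: TokenRecord, passcode: str) -> bool:
    """Check PIN and token code together; the caller only learns pass/fail."""
    if rec.locked:
        return False
    parts = split_passcode(passcode)
    if parts is None:
        return _fail(rec)
    pin, otp = parts
    pin_ok = hmac.compare_digest(pin, rec.pin)
    matched = _find_counter(rec, otp, WINDOW)   # searched even if the PIN is wrong
    if not pin_ok or matched is None:
        return _fail(rec)
    rec.next_counter = matched + 1   # consume the code: the same or an older code is now rejected
    rec.failures = 0
    return True


def resync(rec: TokenRecord, otp1: str, otp2: str) -> bool:
    """Operator Resync: two consecutive codes re-anchor a token that drifted
    past the login window (pressed many times without logging in)."""
    c = _find_counter(rec, otp1, RESYNC_WINDOW)
    if c is None or not hmac.compare_digest(hotp(rec.secret, c + 1), otp2):
        return False
    rec.next_counter = c + 2
    return True
```

Two details are worth noting. The PIN and the OTP are checked together and the failure path is the same for both, so a wrong PIN does not confirm to an attacker that the OTP half was right, and every failure counts towards the lockout. Advancing next_counter past the accepted code is what makes a captured passcode worthless once it has been used; a token that was pressed further ahead than the login window tolerates is exactly the case the Resync action handles.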
SAS management portal and SAS self-service portal
Three useful tools are provided with the SAS:
• The SAS management portal allows you to perform day-to-day management activities, such as creating end-user accounts, provisioning end-users with tokens, suspending tokens and viewing SAS reports. For a detailed description of how to use the SAS management portal, refer to chapter 4.
• The SAS self-service portal allows end-users to perform strong authentication operations such as:
- change their PIN code
- resynchronize their token to verify that it is functioning properly and in sync with the server
- request an SMS OTP: this functionality is not available for the moment.
The SAS self-service portal is available at the URL provided in the end-user self-enrollment e-mail.
• The Managed Service Change Tool allows customer operators to order tokens and to request changes that cannot be performed using the SAS management portal (refer to chapter 13).
4 SAS management portal
4.1 Access
Before connecting to the SAS management portal:
1. Open the SAS “Self-enrollment” e-mail in your mailbox (it may have been redirected to your junk mail folder) and follow its instructions to install the SAS Software Tools and download/activate the MP software token you will use to authenticate to the SAS management portal.
2. Once you have completed the self-enrollment process, you receive a second e-mail titled “E-mail validation”: open it and follow its instructions. Before you can log on to the SAS management portal, you must confirm that you own the e-mail address associated with your SAS userID.
4.2 Account Manager view
When logged on to the SAS management portal, you have access to the Account Manager view.
At the top right of the page, a welcome message displays the name of the Service Provider account created by Orange Business Services (for the SAS administrators of your company) followed by your userID (e-mail). Click the “ON-BOARDING” tab.
Another account is displayed in the Account module: this is a Subscriber account, also created by Orange Business Services, but dedicated to the end-users of your company who will use the SAS. In some cases multiple Subscriber accounts are listed in the Account module, but generally one Service Provider account (called “company” in the examples and screenshots of this document) and one Subscriber account (called “company-sas” in the examples and screenshots of this document) are created for each company. Click the “VIRTUAL SERVERS” tab.
Every account has a Virtual Server, including your Service Provider account.
4.3 Operator view
When you select an account from the Accounts List on the “VIRTUAL SERVERS” tab, a second row of tabs (called sub-tabs in this document) appears, through which you manage the Virtual Server part of the account you just selected (the name of the account being managed is displayed above this row of sub-tabs).
Service Provider account’s Operator view:
Subscriber account’s Operator view:
• Note that the configuration options are more limited for your Service Provider account’s Virtual Server: this Virtual Server is largely managed by Orange Business Services, as it holds the sensitive administrator accounts.
5 Customizing SAS environment
• We highly recommend that you customize the SAS environment before you begin to provision your end-users with tokens.
5.1 Appearance and branding
• By default, the appearance and branding of both Service Provider and Subscriber accounts are inherited from Orange Business Services.
The scope of customization for your Service Provider account is:
• the pages of your SAS management portal (including the logon page)
• the SAS self-service portal dedicated to the SAS administrators of your company
• the enrollment pages sent to the SAS administrators of your company.
The scope of customization for your Subscriber account is:
• the SAS self-service portal dedicated to the SAS end-users of your company
• the enrollment pages sent to the SAS end-users of your company.
• If you want to customize both Service Provider and Subscriber accounts in the same way, you only have to customize the Service Provider account: the appearance and branding of the Subscriber account are inherited from the Service Provider one.
Go to the “Manage” module of the “VIRTUAL SERVERS” tab, click the hyperlink of the account for which you want to customize appearance and branding, and go to the “Custom Branding” module of the “COMMS” sub-tab.
Refer to appendix A, “appearance and branding customization”, page 61.
5.2 Communications
• By default, the communications settings of both Service Provider and Subscriber accounts are inherited from Orange Business Services.
• Only the communications settings of your Subscriber account can be customized (the communications settings of your Service Provider account are managed directly by Orange Business Services).
The scope of customization for your Subscriber account is:
• the SMS settings (SMS plug-in)
• the E-mail settings (SMTP server)
• the SMS messages (text and formatting)
• the E-mail messages (text and formatting).
Go to the “Manage” module of the “VIRTUAL SERVERS” tab, click the hyperlink of your Subscriber account and go to the “Communications” module of the “COMMS” sub-tab.
5.2.1 SMS settings
SMS gateways are used to send SMS OTPs and alerts. There are two options for sending SMS messages:
• Default: SMS messages are sent via the SAS’s own SMS gateway. Note that the current version of SAS does not yet have its own SMS gateway, so the Default option cannot currently deliver SMS; you can configure a custom gateway instead if you meet the criteria below.
• Custom: SMS messages are sent via a gateway service to which your company has subscribed, or via an SMS modem installed at your site.
Click the “SMS Settings” hyperlink to define a custom SMS plug-in for your Subscriber account.
Select the “Custom” option.
Complete the “SMS settings” form.
The configuration options vary with the SMS plug-in you select. Your gateway service provider will supply the necessary configuration information.
Other configuration options that may be available, depending on your network and SMS gateway service provider:
• Use Proxy: if SMS messages will be sent via a proxy server, select the “Yes” option and add the proxy URL, port number, user name and password.
• Use Flash SMS: use this option if the gateway supports Flash SMS and you do not want SMS messages (and the OTPs they carry) stored on the receiving device.
• Use Overwrite SMS: use this option if the gateway supports Overwrite SMS, so that each new message overwrites the previous SMS message stored on the receiving device.
• SMS Mobile Number: you can verify the ability to send SMS messages by entering, in this field, the number of a device capable of receiving SMS. SMS phone numbers must contain only digits and must begin with the country code (no leading “+” or “00”).
Click the “Apply” button to commit any change.
5.2.2 E-mail settings
SMTP servers are used to send enrollment messages and alerts. There are two options for sending
e-mail messages:
• Default: e-mail messages will be sent via the SAS SMTP server. Note that e-mail sent via this server
will not appear to come from your Subscriber account. In addition, any failed deliveries (e.g. invalid
e-mail address) will be sent to the SAS SMTP server.
• Custom: select this option to send e-mail messages via your own SMTP server. E-mail sent via this
server will appear to come from your Subscriber account. Any failed delivery notices will be sent to
your own SMTP server.
Click the “E-mail Settings” hyperlink to define a custom SMTP server for your Subscriber account.
Select the “Custom” option.
Complete the “E-mail settings” form:
• From address: this is the “From” name and valid account on your SMTP server from which e-mail will
be sent. For example: System Administrator ([email protected]).
• SMTP server and port number: this is the SMTP server name or IP address and port number (e.g.
Name: smtp.mycompany.com Port #: 25).
• SMTP user and SMTP password: if the SMTP server requires authentication, enter an account and
password in these fields.
• SSL: select this option if your SMTP server is configured to use SSL.
• Test To Address: you can verify the ability of your Subscriber account’s Virtual Server to send e-mail
messages by entering a valid e-mail address in this field, and then clicking the Test button.
Click the “Apply” button to commit any change.
5.2.3 SMS messages
You can customize the various SMS/OTP messages that are sent by your Subscriber account’s Virtual
Server.
Click the “SMS Messages” hyperlink and select an “SMS Message Type” from the dropdown list (the
message content is displayed in the “Message” window).
Message content can be modified as required, bearing in mind that SMS messages greater than 160
characters in length (including spaces) will be split into 2 or more messages.
Refer to:
• the appendix “SMS messages tags” page 72 for details about tags that are used to insert information from your Subscriber account’s Virtual Server into your SMS message content.
• the appendix “SMS messages list” page 72 for details about the SMS messages list.
5.2.4 E-mail messages
You can customize the various e-mail messages that are sent by your Subscriber account’s Virtual
Server.
Click the “E-mail Messages” hyperlink and select an “E-mail Message Type” from the dropdown list (the
message content is displayed in the “Body” window).
Message content can be modified as required. Select the Text or HTML option to send content as
plain text or HTML respectively.
Refer to:
• the appendix “E-mail messages tags” page 73 for details about tags that are used to insert information from your Subscriber account’s Virtual Server into your e-mail message content.
• the appendix “E-mail messages list” page 74 for details about the e-mail messages list.
5.3 User policies
Note: only the user policies settings of your Subscriber account can be customized (the user policies settings of your
Service Provider account are directly managed by Orange Business Service).
User policies affect your end-users accounts, allowing you to determine how to handle consecutive failed
logon attempts.
Go to the “Manage” module of the “VIRTUAL SERVERS” tab, click the hyperlink of your Subscriber
account and go to the “User Policies” module of the “POLICY” sub-tab.
Click the “Account Lockout/Unlock Policy” hyperlink.
Complete the “Thresholds and Actions” form:
• Account lock threshold: this is the maximum number of consecutive failed logon attempts permitted
for a user. If this value is exceeded, the account will lock. Setting this value to 0 is the equivalent of
disabling this function. Default value: 3
• Alert Operator on account lockout: if checked, an alert regarding the User’s Account being locked will
be sent to an Operator.
• Alert User on account lockout: if checked, an alert regarding the User’s Account being locked will be
sent by e-mail to the User.
• Alert Operator on account unlock: if checked, an alert regarding the User’s Account being unlocked
will be sent to an Operator.
• Alert User on account unlock: if checked, an alert regarding the User’s Account being unlocked will be
sent by e-mail to the User.
• Account lock duration: this is the time in seconds, minutes or hours that must elapse after locking the
account, after which the User’s account will automatically unlock. If set to 0, the account will not
automatically unlock. Default value: 15 minutes.
Click the “Apply” button to commit any change.
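The lockout policy above, worked through as an added simulation (this is not the SAS product’s own code): it applies the lock threshold (0 disables locking), the lock duration (0 means an Operator must unlock) and the four alert switches to a sequence of logon attempts. The class and function names are assumptions; the field names and defaults are those of the form.

```python
"""Added example, not the SAS product's code: the Account Lockout/Unlock Policy
of section 5.3 as a small simulation. The form fields and their default values
come from the guide; the class and function names are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class LockoutPolicy:
    """The 'Thresholds and Actions' form, initialised with the guide's defaults."""
    account_lock_threshold: int = 3                  # 0 disables the lockout function
    alert_operator_on_lockout: bool = True
    alert_user_on_lockout: bool = True
    alert_operator_on_unlock: bool = False
    alert_user_on_unlock: bool = False
    account_lock_duration: timedelta = timedelta(minutes=15)   # 0 = no automatic unlock


@dataclass
class UserAccount:
    user_id: str
    failed_attempts: int = 0                         # consecutive failures only
    locked_at: Optional[datetime] = None
    alerts: List[str] = field(default_factory=list)  # stand-in for Operator/e-mail alerts


def _raise_alerts(account: UserAccount, policy: LockoutPolicy, event: str) -> None:
    """Record the alerts the policy switches would send for 'lockout' or 'unlock'."""
    if getattr(policy, f"alert_operator_on_{event}"):
        account.alerts.append(f"operator:{event}:{account.user_id}")
    if getattr(policy, f"alert_user_on_{event}"):
        account.alerts.append(f"user-email:{event}:{account.user_id}")


def _unlock(account: UserAccount, policy: LockoutPolicy) -> None:
    account.locked_at = None
    account.failed_attempts = 0
    _raise_alerts(account, policy, "unlock")


def logon_attempt(account: UserAccount, policy: LockoutPolicy,
                  otp_valid: bool, now: datetime) -> str:
    """Apply one logon attempt and return 'ok', 'failed' or 'locked'."""
    if account.locked_at is not None:
        duration = policy.account_lock_duration
        if duration <= timedelta(0) or now - account.locked_at < duration:
            return "locked"          # still locked; the counter is not touched
        _unlock(account, policy)     # lock duration elapsed: automatic unlock
    if otp_valid:
        account.failed_attempts = 0  # a success resets the consecutive count
        return "ok"
    account.failed_attempts += 1
    if (policy.account_lock_threshold > 0
            and account.failed_attempts > policy.account_lock_threshold):
        account.locked_at = now      # permitted maximum exceeded: lock the account
        _raise_alerts(account, policy, "lockout")
        return "locked"
    return "failed"


def operator_unlock(account: UserAccount, policy: LockoutPolicy) -> None:
    """Manual unlock by an Operator, the only way out when the duration is 0."""
    if account.locked_at is not None:
        _unlock(account, policy)


if __name__ == "__main__":
    t0 = datetime(2013, 3, 10, 9, 0)   # constructed timestamp
    acct = UserAccount("alice")
    for n in range(1, 5):
        print(n, logon_attempt(acct, LockoutPolicy(), False, t0))
    print(acct.alerts)
```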
5.4 Token policies
Note: only the token policies settings of your Subscriber account can be customized (the token policies settings of
your Service Provider account are directly managed by Orange Business Service).
Note: during SAS creation, your company completed the Orange Business Service SRF2 document from which the token policies settings have been configured by Orange Business Services. However, if you want to update these settings, please use the Orange Business Services MSCT tool (refer to the chapter “Requesting changes” page 59). In that case, the new settings will take effect after a new token enrollment.
You have a read-only access to the token policies: go to the “Manage” module of the “VIRTUAL
SERVERS” tab, click the hyperlink of your Subscriber account and go to the “Token Policies” module of
the “POLICY” sub-tab.
5.5 Automation policies
Note: only the automation policies settings of your Subscriber account can be customized (the automation policies
settings of your Service Provider account are directly managed by Orange Business Service).
Go to the “Manage” module of the “VIRTUAL SERVERS” tab, click the hyperlink of your Subscriber
account and go to the “Automation Policies” module of the “POLICY” sub-tab.
5.5.1 Provisioning rules
Refer to the chapter “Automated provisioning” page 34.
5.5.2 Self-service policy
This policy displays the default and custom URL at which the user can access self service functions such
as PIN management, Resynchronization and SMS OTP resend.
Note: do not modify the Self service URL or the Self service Unique URL value unless you have installed a stand-alone self-service web server.
5.5.3 Self-enrollment policy
This policy controls self-enrollment thresholds and alerts.
Click the “Self-enrollment Policy” hyperlink.
Complete the “Self-enrollment Settings” form:
• Self enrolment base URL: this is the URL to which the user will be directed as a result of a provisioning
task and is included in the enrollment email instructions to the user. Do not modify this value unless
you have installed a stand-alone enrollment web server.
• Self enrolment over SSL: if enabled, enrollment must occur over an SSL connection. Do not modify
this value unless you have installed a stand-alone enrollment web server.
• Activation code format: this option determines the strength of the activation code included in the
enrollment message and encoded in the enrollment URL. Options are numeric, alphabetic or
alphanumeric formats.
• Reservation time to live: this is the maximum number of days the user has to complete enrollment
commencing with the start date of the provisioning task. This value is added to the provisioning task
start date to generate the provisioning task stop date. If set to 0, a provisioning task will never expire.
The default value is 10 days.
• Enrollment lockout after: this value determines the number of failed enrollment attempts by a user.
When this threshold is exceeded, the user will be unable to enroll their token.
Click the “Apply” button to commit any change.
5.5.4 SAML provisioning rules
Refer to the chapter “Auto-provisioning rules” page 50.
6 Managing SAS inventory
6.1 Inventory status
The first thing to do is check the inventory status of your Subscriber account, because you cannot
successfully provision your end-users with tokens and authentication methods if this inventory is
insufficient.
Go to the Account module of the ON-BOARDING tab and click your Subscriber account hyperlink. The
allocation module displays a table showing the capacity (determines the maximum number of tokens that
can be in use/assigned to users) and quantity of all token and authentication types allocated to your
Subscriber account’s Virtual Server where:
• Maximum: this row shows the total by capacity, token and authentication method allocated to your
Subscriber account’s Virtual Server.
• In Use: shows the capacity, tokens and authentication methods consumed by your Subscriber
account’s Virtual Server.
• Available: shows unconsumed capacity, tokens and authentication methods.
• Deallocate: shows the quantity by type that can be deallocated from your Subscriber account’s Virtual
Server and returned to your Service Provider account’s Inventory.
If you think the amount of unconsumed capacity, tokens and authentication methods is sufficient to
complete the provisioning of your end-users, you can go directly to the chapter “Managing SAS end-
users” page 24.
If not, there are two cases:
• Your Service Provider account’s inventory has enough available capacity, tokens and authentication methods. The only thing to do is to allocate them to your Subscriber account’s Virtual Server.
• Your Service Provider account’s inventory does not have enough available capacity, tokens and authentication methods. In that case, you have to order a new pool of tokens from Orange Business
Services using the Orange Business Services MSCT tool (refer to the chapter “Requesting changes”
page 59).
Note that you have the ability to display your Service Provider account’s current inventory by going to the
Inventory module of the DASHBOARD tab. Unfortunately, this inventory contains not only available capacity, tokens and authentication methods but also the MP software tokens and related capacity units already used by the SAS administrators of your company. However, the allocation process described below only deals with capacity, tokens and authentication methods that are really available.
6.2 Allocating
Go to the “Account” module of the “ON-BOARDING” tab, click your Subscriber account hyperlink, go to
the “Allocation” module and click the “Allocate” button.
Select the “Sale” allocation type, use the drop-down list to select the token type you want to allocate (KT,
MP or GrIDsure), check the “Automatically add Capacity with this allocation” box and click the “Next”
button.
Select the “Default” container, enter the token quantity you want to allocate (this value must be equal to
or lower than the “Available” value), click the “Search” button, select all tokens by checking the box of the
first row (grayed cell) and click the “Next” button.
Complete the “Billing References form”, click the “Next” button and click the “Finish” button.
6.3 Managing allocated tokens
Go to the “Manage” module of the “VIRTUAL SERVERS” tab, click your Subscriber account hyperlink, go
to the “Tokens” module of the “TOKENS” sub-tab.
Use the “Search” button to refresh the list of the tokens allocated to your Subscriber account’s Virtual
Server, based on any combination of the following criteria:
• Token type: this search criterion refines the list to a specific type of token. If All is selected, then all
tokens regardless of type are listed.
• State: this criterion refines the list to tokens in a selected state. Options are:
- Inventory: token is available for assignment to users
- Initialize: a hardware token in inventory that must be initialized before it becomes available for
assignment.
- Assigned: the token is no longer in inventory. It has either been manually assigned to a user but
not activated or is part of a bulk provisioning operation and has not yet been enrolled by a user.
- Active: the token is assigned to a user and has been enrolled or used to authenticate.
- Suspended: this indicates that an Operator has placed the token in a suspended state, making it
invalid for authentication but leaving it assigned to a user. This is usually done if there is a security
concern such as a lost or misplaced token. Suspended tokens can be reactivated by an Operator
when the security concern has been resolved.
- Locked: this state occurs when a user exceeds the maximum consecutive failed logon attempts
threshold. A locked token can be reactivated by an Operator. The automatic locking and unlocking
of tokens is controlled by the Account Lockout/Unlock Policy.
- Lost/Failed: is a state applied by an Operator when revoking a token. Revoked tokens are returned
to Inventory in this state where they can be permanently removed or, if the token is subsequently
found or determined to function properly, it can be reinitialized into the Inventory state.
- Expired: the token has expired. This applies only to non-Cryptocard tokens imported into the
server.
• Serial #: search by partial or complete serial number to find a range or specific token.
• Container: lists only those tokens that are held in the selected container.
The result of a search is displayed in the tokens list. From the list you can:
• Move tokens: this option is used to move the selected tokens to a different container.
• Reset PIN: this option is used to apply the current Server-Side PIN policy to the selected range of
tokens. Note that this function is not available for tokens initialized with Token-side PINs. Tokens must
be in the Inventory state.
• Click the serial number hyperlink: this option displays the token operating parameters, in-use statistics
and organizational ownership.
• Click the UserID hyperlink: this option gives access to the user’s record and management functions.
This is the equivalent of selecting the UserID from the Search module of the ASSIGNMENT sub-tab.
The “Change Log” button in the Tokens tab displays up to the last five token management operations.
The log displays a row for each token operation that includes the token serial number, the operation or
action, a date/time stamp of the operation, the name of the Operator that performed the action, the
organization to which the Operator belongs (i.e. your company or Orange Business Services) and any
comment entered by the Operator.
7 Managing SAS end-users
Note: you can manage only users of your Subscriber account’s Virtual Server (end-users). Users of your Service Provider account’s Virtual Server (SAS administrators of your company) are directly managed by Orange Business Service.
7.1 Creating end-users accounts
There are three ways to create end-users accounts:
• Manually, one user at a time using the Create User shortcut.
• Manually, importing one or more user records from a flat file.
• Automatically by synchronizing with your Active Directory / LDAP server.
You can add users using both manual and automated methods, provided that userIDs are unique. This
allows you to extend authenticating to users that exist in your LDAP directory such as employees, as well
as users that do not, such as contractors or business partners.
7.1.1 Create User shortcut
Go to the “Manage” module of the “VIRTUAL SERVERS” tab, click your Subscriber account hyperlink, go
to the “Shortcuts” left pane of the “ASSIGNMENT” sub-tab and click the “Create User” shortcut.
The minimum requirement for adding a user is “First Name”, “Last Name”, “User ID” and “E-mail”
address. The “Add” button is disabled until these fields are populated.
• UserID: must be unique. If an identical UserID already exists, an error message is displayed.
• E-mail: address is required. It is used in provisioning and self-enrollment.
• Mobile/SMS: this is an optional field. Only digits are allowed in this field.
• Phone: this is an optional field which may contain spaces, periods (.), dashes (-) and plus signs (+) in
addition to digits.
• Custom #1, Custom #2 and Custom #3: these are optional fields that can be used to store additional
data related to the user.
• Container: use this option to place the user in a container.
When the four required fields have been completed, clicking the “Add” button creates the record and
opens the “User Management” page.
7.1.2 Import Users shortcut
Bulk import of users is a convenient way to add many users in a single operation. Go to the “Manage”
module of the “VIRTUAL SERVERS” tab, click your Subscriber account hyperlink, go to the “Shortcuts”
left pane of the “ASSIGNMENT” sub-tab and click the “Import Users” shortcut.
Select the import file format, the field qualifiers (if any), and then click the “Next” button.
Browse to and select the user data import file, by using the checkbox, disable the “File has a header row”
option if the import file does not include a header row, and then click the “Next” button.
In the “Confirm Field Mappings and Import” pane, select the appropriate “Database Field” for each
“Import Data” field. There are 4 required “Database fields” in the “Confirm Field Mappings and Import”
pane: “FirstName”, “LastName”, “UserID” and “E-mail”, each marked by an asterisk (*). “UserID” entries
must be unique.
Optionally, use “Add Field” button and select the appropriate unused field name from the dropdown list to
add further rows. Add field can be used to force data not contained in the import file into the database.
Default values can be created for any added fields. Data entered into any of the “Default Value” fields will
be used to populate user records that do not have data in the corresponding import file field.
Click the “Next” button.
Select the container into which users should be imported.
The “Do not import if the UserID exists in the database” option prevents a user record from being
imported if it already exists in the database.
The “Update user record if the UserID exists in the database” option will overwrite fields in the database
with data from corresponding fields in the import file if a matching “UserID” is found in the database. Note
that populated fields in the database will not be overwritten if a corresponding field is not included in the
import file.
Click the “Import” button to complete the process. When import is finished the server will display the
result of the import, showing users that were imported and/or any errors that occurred.
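The import wizard described in this section, modelled offline as an added example (not the SAS product’s own code): it reads a constructed flat file with the chosen qualifier and header-row option, applies the field mappings with the four required Database Fields and “Add Field” defaults, honours the two existing-UserID options, and applies the Mobile/SMS and Phone field rules of 7.1.1. Function names, the database shape and the sample rows are assumptions.

```python
"""Added example, not the SAS product's code: the 'Import Users' wizard of 7.1.2
modelled offline. Function names, the in-memory 'database' and the sample file
are assumptions; the field rules follow 7.1.1 and 7.1.2 of the guide."""
import csv
import io
from typing import Dict, List, Optional

REQUIRED_FIELDS = ("FirstName", "LastName", "UserID", "E-mail")   # the asterisked fields

# Constructed sample import file: header row, comma separated, double-quote qualifier.
# Row 3 has a non-numeric mobile, row 4 repeats a UserID, row 5 lacks a required field.
SAMPLE_FILE = """FirstName,LastName,UserID,E-mail,Mobile
Ada,Lovelace,alovelace,ada@example.com,33612345678
"Alan","Turing","aturing","alan.new@example.com",""
Grace,Hopper,ghopper,grace@example.com,+33 6 12
Ada,Lovelace,alovelace,ada@example.com,
,Hopper,ghopper2,grace2@example.com,33600000000
"""


def parse_import_file(text: str, has_header: bool = True, delimiter: str = ",",
                      qualifier: str = '"') -> List[List[str]]:
    """Steps 1-2 of the wizard: file format, field qualifier and the header-row option."""
    rows = [r for r in csv.reader(io.StringIO(text), delimiter=delimiter, quotechar=qualifier)
            if any(cell.strip() for cell in r)]          # ignore blank lines
    return rows[1:] if has_header else rows


def validate_fields(record: Dict[str, str]) -> Optional[str]:
    """Required fields, plus the 7.1.1 rules: Mobile/SMS digits only; Phone digits . - + space."""
    blank = [f for f in REQUIRED_FIELDS if not record.get(f)]
    if blank:
        return f"missing required field(s) {blank}"
    mobile = record.get("Mobile/SMS", "")
    if mobile and not mobile.isdigit():
        return "Mobile/SMS must contain only digits"
    phone = record.get("Phone", "")
    if phone and not all(c.isdigit() or c in " .-+" for c in phone):
        return "Phone may contain only digits, spaces, periods, dashes and plus signs"
    return None


def import_users(rows: List[List[str]], mapping: Dict[int, str], added_fields: Dict[str, str],
                 database: Dict[str, Dict[str, str]], on_existing: str = "skip") -> Dict[str, list]:
    """Steps 3-4 of the wizard.
    mapping:      import column index -> Database Field it is mapped to.
    added_fields: Database Field -> Default Value ('Add Field' rows).
    on_existing:  'skip'   = "Do not import if the UserID exists in the database"
                  'update' = "Update user record if the UserID exists in the database"."""
    unmapped = [f for f in REQUIRED_FIELDS if f not in mapping.values() and f not in added_fields]
    if unmapped:
        raise ValueError(f"required Database fields not mapped: {unmapped}")
    result: Dict[str, list] = {"imported": [], "updated": [], "skipped": [], "errors": []}
    seen = set()
    for line_no, row in enumerate(rows, start=1):
        file_values = {mapping[c]: row[c].strip() for c in mapping if c < len(row)}
        record = dict(file_values)
        for db_field, default in added_fields.items():
            if not record.get(db_field):               # defaults only fill empty fields
                record[db_field] = default
        problem = validate_fields(record)
        uid = record.get("UserID", "")
        if problem is None and uid in seen:
            problem = f"UserID {uid} appears twice in the import file"
        if problem:
            result["errors"].append((line_no, problem))
            continue
        seen.add(uid)
        if uid not in database:
            database[uid] = record
            result["imported"].append(uid)
        elif on_existing == "skip":
            result["skipped"].append(uid)
        else:
            existing = database[uid]
            # Only fields present in the file are overwritten; fields the file does not
            # carry keep their stored value. Assumption: an empty cell does not clear one.
            existing.update({k: v for k, v in file_values.items() if v})
            for db_field, default in added_fields.items():
                existing.setdefault(db_field, default)  # assumption: defaults never clobber data
            result["updated"].append(uid)
    return result


if __name__ == "__main__":
    db: Dict[str, Dict[str, str]] = {}
    fields = {0: "FirstName", 1: "LastName", 2: "UserID", 3: "E-mail", 4: "Mobile/SMS"}
    print(import_users(parse_import_file(SAMPLE_FILE), fields, {"Container": "Default"}, db))
```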
7.1.3 LDAP synchronization
Users can be automatically added, suspended or removed from your SAS virtual server by utilizing the
SAS LDAP Synchronization Agent, eliminating the need to manually create and manage users. The agent
comes with support for standard Active Directory, eDirectory and SunOne. The agent can be configured
to support non-standard schemas.
This method requires the installation of a Synchronization Agent, normally somewhere in the same
network as the AD/LDAP directory.
The agent is configured to monitor the specified LDAP containers (DNs) and groups for changes such as
adding or removing a user, synchronizing and applying these changes at the SAS virtual server.
Note that the SAS supports manual creation of users concurrent with LDAP synchronization, bearing in mind that manually created users will not be modified in any way by an LDAP synchronization provided there is no overlap in UserID. If an overlap occurs, any tokens assigned to the manually created UserID are revoked and marked as lost with a comment, and the UserID is replaced by the overlapping LDAP UserID.
To configure your system for LDAP synchronization, refer to the LDAP synchronization agent
configuration guide [Ref 2].
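The token states of section 6.3 and the UserID-overlap rule above share one added example (not the SAS product’s or the Synchronization Agent’s code): a small state machine that enforces the transitions the guide describes and keeps a Change Log with the fields listed in 6.3, plus a sync routine that replaces an overlapping manually created user and revokes its tokens with a comment. Action names, the Token and log shapes, and the sample data are assumptions.

```python
"""Added example, not the SAS product's code: the token states of section 6.3 as
a state machine with a Change Log, and the LDAP UserID-overlap rule of 7.1.3.
Action names, data shapes and sample values are assumptions."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

ASSIGNED_STATES = {"Assigned", "Active", "Suspended", "Locked"}

# action -> (states it is allowed from, resulting state; None = permanently removed)
TRANSITIONS = {
    "initialize": ({"Initialize", "Lost/Failed"}, "Inventory"),  # hardware init, or re-init of a found token
    "assign":     ({"Inventory"}, "Assigned"),
    "enroll":     ({"Assigned"}, "Active"),          # enrolled or used to authenticate
    "suspend":    ({"Active"}, "Suspended"),         # Operator action; token stays assigned
    "lock":       ({"Active"}, "Locked"),            # failed-logon threshold exceeded
    "reactivate": ({"Suspended", "Locked"}, "Active"),
    "revoke":     (ASSIGNED_STATES, "Lost/Failed"),  # back to inventory, unassigned
    "remove":     ({"Lost/Failed"}, None),
}


@dataclass
class Token:
    serial: str
    state: str = "Inventory"
    user_id: Optional[str] = None
    container: str = "Default"


@dataclass
class LogEntry:
    """One Change Log row: serial, action, timestamp, Operator, organization, comment."""
    serial: str
    action: str
    timestamp: datetime
    operator: str
    organization: str
    comment: str = ""


def apply_action(token: Token, action: str, operator: str, organization: str,
                 now: datetime, log: List[LogEntry], user_id: Optional[str] = None,
                 comment: str = "") -> Token:
    """Perform one token management operation, enforcing the allowed transitions."""
    allowed_from, new_state = TRANSITIONS[action]
    if token.state not in allowed_from:
        raise ValueError(f"{action} not allowed for {token.serial} in state {token.state}")
    if action == "assign":
        if not user_id:
            raise ValueError("assign needs a user_id")
        token.user_id = user_id
    elif action == "revoke":
        token.user_id = None             # revoked tokens are no longer assigned
    token.state = new_state if new_state else "Removed"
    log.append(LogEntry(token.serial, action, now, operator, organization, comment))
    return token


def change_log(log: List[LogEntry], last: int = 5) -> List[LogEntry]:
    """What the 'Change Log' button shows: the most recent operations only."""
    return log[-last:]


def ldap_sync_user(users: Dict[str, dict], tokens: Dict[str, Token], ldap_user: dict,
                   now: datetime, log: List[LogEntry]) -> List[str]:
    """Apply one synchronized user record. A manually created user with the same
    UserID is replaced and its tokens are revoked, marked lost with a comment.
    Users without an overlap are left untouched. Returns the revoked serials."""
    uid = ldap_user["UserID"]
    revoked: List[str] = []
    current = users.get(uid)
    if current is not None and current.get("source") == "manual":
        for tok in tokens.values():
            if tok.user_id == uid and tok.state in ASSIGNED_STATES:
                apply_action(tok, "revoke", "LDAP Sync Agent", "your company", now, log,
                             comment=f"manual UserID {uid} replaced by synchronized UserID")
                revoked.append(tok.serial)
    users[uid] = {**ldap_user, "source": "ldap"}
    return revoked


if __name__ == "__main__":
    entries: List[LogEntry] = []
    t = datetime(2013, 3, 10, 10, 0)    # constructed timestamp
    kt = Token("KT-0001", state="Initialize")
    for step in ("initialize", "assign", "enroll", "lock", "reactivate"):
        apply_action(kt, step, "op1", "your company", t, entries, user_id="alovelace")
    print(kt, [e.action for e in change_log(entries)])
```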
7.2 Managing end-users groups
Groups are attributes that can be attached to a UserID and used for authorization during the
authentication process. Group attributes provide a way to distinguish between valid users (all users that
can authenticate) and those that should be allowed to authenticate to gain access to a particular
resource.
Go to the “Manage” module of the “VIRTUAL SERVERS” tab, click your Subscriber account hyperlink, go
to the “GROUPS” sub-tab.
This sub-tab provides access to all functions necessary to:
• Create and Manage Groups (“Group Maintenance” module)
• Manage User Group Memberships (“Group Membership” module)
• Apply RADIUS Attributes to Groups (“RADIUS Attribute (Group)” module)
7.2.1 “Group Maintenance” module
This module is used to create, modify or remove user groups.
Depending on the ways you used to create end-users accounts, two types of groups are available:
• Internal (when user accounts have been created manually). To create an internal group, click the
“New” button of the “Group Maintenance” module (after selecting the “Internal” group type), enter a
group name and a brief description of its purpose and click the “Add” button.
• Synchronized (when user accounts have been created automatically). These groups are synchronized
in your Subscriber account’s Virtual Server from your directory server by the SAS LDAP
Synchronization Agent and cannot be created locally from the SAS management portal.
Note: LDAP Synchronization not only synchronizes groups, it also retains each synchronized user’s group membership.
7.2.2 Group Membership module
This module is used to display all members of a group or to modify the memberships of one or more
users.
To view group membership, select the “Search Internal Groups” tab or the “Search Synchronized
Groups” tab of the “Group Membership” module, then use the “Search” function in conjunction with:
• “Is a member of” option: this refines the list to users that are members of any group or a specific
group.
• “Is not a member of” option: this returns a list of users that do not belong to any group, or do not
belong to the specified group.
You can further refine the list by adding the User’s last name or UserID to the search criteria. The
“UserID” hyperlink can be used to display the corresponding “User Detail” form.
• If you’re dealing with an internal group: check box(es) to select one or more users. To add member(s)
click the “New” button, use the dropdown to select the group membership to add to the user(s), and
then click the “Add” button (to delete member(s) click the “Remove” button instead of the “New” one).
• If you’re dealing with a synchronized group: members can be neither added nor removed from
the SAS management portal; they must be added/deleted directly from your directory server.
Changes will be applied to your Subscriber account’s Virtual Server during the next synchronization
cycle.
7.2.3 RADIUS Attribute (Group) module
This module allows RADIUS Attributes to be attached to a group. The attribute will be returned for each
member of the group when they authenticate.
Note that attributes assigned to users have precedence over attributes assigned to a group to which the user belongs.
To set RADIUS attributes, select the appropriate “Internal” or “Synchronized” group within the “RADIUS
Attribute (Group)” module and click the ‘New’ button. The options and input values will vary depending
upon your selection from the various drop-down lists (consult your network equipment vendor’s
documentation for guidance on which attributes to use). Once the attribute is set, click the “Add” button:
this will add the attribute to the Group (repeat as necessary to add more attributes).
To view RADIUS attributes, select the group to view using the “Internal” or “Synchronized” group option
and click the Search button. A list of attributes assigned to the group is displayed. The “Edit” hyperlink for
each attribute can be used to modify the corresponding attribute (likewise, the “Remove” hyperlink is
used to remove the group attribute).
7.3 Managing containers
Containers are used to separate objects (users, tokens or both) for the purposes of management.
• Objects can only reside in one container at a time.
• When a user is moved between containers, all of the user’s assigned tokens are moved at the same time.
Containers define an Operator’s Scope – what it is they can manage. If a container is not in an
Operator’s scope, then all of the objects in the container are also not in scope and consequently cannot
be viewed or managed by the Operator.
7.3.1 Container Maintenance module
This module is used to create, modify or remove a container.
To create a new container, click the “New” button, then enter a unique container name and brief
description of its purpose, and then click the “Add” button. The new container will appear in the
“Containers List”.
Click the “Edit” hyperlink or the “Remove” hyperlink respectively to edit the container information or
remove it. Note that all objects must be removed from a container before it can be removed.
7.3.2 Container Members module
Containers and their members can be viewed and members moved between containers using this
module.
The Containers view includes two tabs: “Users” and “Unassigned tokens”. To view objects by type, select
the appropriate tab. Recall that tokens assigned to users always reside in the container with the user.
To view the members of a container, select the appropriate “Source Container” and click the “Search”
button. This resulting list displays all objects in the container. Clicking the “UserID” or “Serial Number”
hyperlink displays the object’s details.
To move objects to a different container, select the objects in the list using the check box option, then
select the target container from the “Move to Container” dropdown, and then click the “Move” button.
7.4 Authorization and pre-authentication rules
Just because a user is able to provide a valid one-time passcode does not necessarily mean that they
should be granted access to the network. Other conditions such as network access point, group
membership, account status and other attributes might be important in allowing or denying access.
Pre-authentication rules can be used to apply additional conditions that must be met for authentication to
succeed.
The key advantages of pre-authentication rules are
• rules can be applied to LDAP/Active Directory user account attributes.
• rules can be applied to user accounts maintained in the internal SQL user data source.
• rules can be applied based on network access points (source IP, Agent).
• rules can be used to modify the authentication sequence (OTP, LDAP, LDAP + OTP).
• changes to user attributes made in LDAP or the internal user data source are immediately effective on the SAS virtual server.
• rules can have a fixed start and/or stop date; a useful feature for transitioning from static passwords to OTP authentication.
There are few limitations to how pre-authentication rules can be used. Rules can be relatively simple,
checking a single attribute such as time of day restrictions or can be complex, checking multiple
attributes such as group membership, network access point and token state.
The authentication proceeds in the following sequence:
1. userID is validated. If valid:
2. pre-authentication rules are applied. If any rule is satisfied:
3. password is validated. If valid, access is granted.
Pre-authentication rules can be configured by Orange Business Services for you (refer to Requesting
changes on p 59). Note that initially, your SAS virtual server is configured with an “Allow All” rule.
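The three-step sequence above, with rules of the kinds listed (group membership, source IP, Agent, account status, start/stop dates, and a per-rule authentication sequence), can be modelled in a few dozen lines. The following is an added illustration, not SAS code: the User and Rule fields, the rule names and the sample users are constructed assumptions, and `verify()` stands in for the OTP/LDAP credential check that SAS performs in step 3.

```python
"""Pre-authentication rule evaluation in the order given in section 7.4:
(1) validate the userID, (2) apply the pre-authentication rules, (3) only if
a rule is satisfied, validate the credential using the sequence the rule selects.

Added illustration, not SAS code: the User/Rule fields, the attribute names
and the sample data below are constructed assumptions."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass
class User:
    user_id: str
    groups: Set[str]
    status: str                       # constructed: "enabled" or "disabled"


@dataclass
class Rule:
    name: str
    groups: Optional[Set[str]] = None        # user must belong to at least one
    source_nets: Optional[List[str]] = None  # request must come from one of these CIDRs
    agents: Optional[Set[str]] = None        # allowed Auth Node (agent) names
    required_status: Optional[str] = None
    start: Optional[date] = None             # fixed start/stop dates (section 7.4)
    stop: Optional[date] = None
    auth_sequence: str = "OTP"               # "OTP", "LDAP" or "LDAP+OTP"

    def matches(self, user: User, source_ip: str, agent: str, today: date) -> bool:
        """A condition left as None is not checked, so a Rule with no
        conditions at all behaves like the initial 'Allow All' rule."""
        if self.start is not None and today < self.start:
            return False
        if self.stop is not None and today > self.stop:
            return False
        if self.groups is not None and not (user.groups & self.groups):
            return False
        if self.source_nets is not None and not any(
                ip_address(source_ip) in ip_network(net) for net in self.source_nets):
            return False
        if self.agents is not None and agent not in self.agents:
            return False
        if self.required_status is not None and user.status != self.required_status:
            return False
        return True


def authenticate(users, rules, user_id, source_ip, agent, today, verify):
    """verify(user, auth_sequence) -> bool stands in for the OTP/LDAP check.
    Returns (granted, reason, auth_sequence_used)."""
    user = users.get(user_id)
    if user is None:                                          # step 1
        return False, "unknown userID", None
    # step 2: the first satisfied rule decides; no satisfied rule means the
    # password is never even checked
    rule = next((r for r in rules if r.matches(user, source_ip, agent, today)), None)
    if rule is None:
        return False, "no pre-authentication rule satisfied", None
    if not verify(user, rule.auth_sequence):                  # step 3
        return False, "credential rejected", rule.auth_sequence
    return True, "allowed by rule '%s'" % rule.name, rule.auth_sequence


# Constructed sample data.
USERS = {
    "alice": User("alice", {"vpn-users"}, "enabled"),
    "bob": User("bob", {"contractors"}, "enabled"),
}
RULES = [
    Rule("VPN from office", groups={"vpn-users"}, source_nets=["10.0.0.0/8"],
         agents={"vpn-gw"}, required_status="enabled", auth_sequence="LDAP+OTP"),
    # transition rule: contractors may use their LDAP password only until 30 June 2013
    Rule("Contractor migration", groups={"contractors"},
         start=date(2013, 3, 1), stop=date(2013, 6, 30), auth_sequence="LDAP"),
]
DEMO_DAY = date(2013, 3, 10)      # inside the contractor window
AFTER_STOP = date(2013, 7, 1)     # after the contractor window

if __name__ == "__main__":
    print(authenticate(USERS, RULES, "alice", "10.1.2.3", "vpn-gw", DEMO_DAY,
                       lambda u, seq: True))
    print(authenticate(USERS, RULES, "bob", "203.0.113.5", "web", AFTER_STOP,
                       lambda u, seq: True))
```

Note that a user with no satisfied rule is refused before any credential is checked, which is why an "Allow All" rule left in place alongside more specific rules silently defeats them: order the rules so that the restrictive ones are evaluated first, or remove "Allow All" once the specific rules are in place.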
8 Managing SAS tokens
8.1 Provisioning end-users
• You can provision only users of your Subscriber account’s Virtual Server (end-users). Users of your Service Provider account’s Virtual Server (SAS administrators of your company) are directly provisioned by Orange Business Services.
There are several ways to provision users with tokens:
• bulk provisioning: any number of users is provisioned in one simple, time-saving step.
• automated provisioning: rules are used to evaluate when a user should be issued a token and what
type of token. If the rule evaluates true for a user, a token is issued. If false, the token is revoked.
• manual provisioning: used to manually provision users, one user at a time.
• manual assigning: used to manually assign tokens to users, one user at a time. This process can be
used when issuing hardware tokens to users, one user at a time and usually where the token can be
handed to the user. In most cases Provisioning should be used instead of Assigning.
• Note that provisioning represents a major time-saving for SAS administrators and is the recommended method for associating a token with a user.
8.1.1 Bulk provisioning
This process is used to provision each of any number of users with a token in a simple point-and-click
process.
Go to the “Manage” module of the “VIRTUAL SERVERS” tab, click your Subscriber account hyperlink, go
to the “Search User” module of the “ASSIGNMENT” sub-tab and click the “Search” button.
Check box(es) to select one or more users, click the “Provision” button, once you have verified the list of
selected users, click the “Provision” button again, and select the type of token to be issued to each of the
users in the list.
Click the “Provision” button again and click the ”Confirm” button to complete the process and create a
Provisioning task.
Each user in the provisioning task will receive an e-mail with instructions for enrollment. The content of
the e-mail message varies, depending on the token type.
Provisioning tasks can be modified or recalled for all or some users in the task by clicking the
“Provisioning Tasks” hyperlink of the “Shortcuts” left pane.
8.1.2 Automated provisioning
Provisioning rules are one of the most powerful features of the SAS. They determine under what
conditions tokens will be automatically issued and revoked. Rules are triggered when group
memberships and other user attributes change. This means that if a user becomes a member of a group
included in a rule, the user will be provisioned with a token. Conversely, when the user is no longer a
group member, the token will be automatically revoked.
Provisioning rules can be used with internal groups or LDAP synchronized groups. By combining
provisioning rules with LDAP synchronization, the server can automatically issue and revoke tokens
based on changes made in LDAP. In other words an Operator need not log into the SAS management
portal to create users and provision users with tokens as the combination of LDAP synchronization and
provisioning rules can achieve the same result.
Go to the “Manage” module of the “VIRTUAL SERVERS” tab, click your Subscriber account hyperlink, go
to the “Automation Policies” module of the “POLICY” sub-tab.
Click the “Provisioning Rules” hyperlink and click the “New Rule” button.
• “Rule Name”: this is a unique, descriptive name for the rule.
• “Token Type”: this is the type of token to be provisioned when the rule evaluates true.
• “Issue Duplicate Types”: if unchecked a user will not be provisioned with the selected token type if
they already have one of the same type as a result of manually assigning a token or a different rule
evaluating true.
• “Auto Revoke”: if checked, the token issued by this rule will be revoked if the rule evaluates false for
the user, such as when a user has been removed from the monitored group(s).
• “Container”: the user must reside in the selected container for the rule to evaluate true.
• “Require Expiring”: enable this option to replace RSA tokens assigned to users before they expire.
This option checks the expiration date for all RSA tokens assigned to users in the Rule Groups and
auto-provisions a new token X days before expiration.
- “Provisioning X days before expiration”: this value determines the number of days in advance of
expiration to provision with a replacement token.
- “Auto-revoke token being replaced on successful enrollment”: if selected, this option automatically
revokes the expiring token as soon as the user completes enrolment of the replacement token.
• “Groups Filter”: use this option with the “*” wildcard to limit the groups displayed in the Groups list.
• “Groups”: a list of internal and synchronized groups. Server Groups represent groups that are not
used by the rule whereas Rule Groups represent groups to which users must belong for the rule to
evaluate true. Highlight a group and use the appropriate arrow to move it between the group
windows.
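How the options above combine on each evaluation cycle (issue when the rule evaluates true, skip when a token of the same type already exists and “Issue Duplicate Types” is unchecked, revoke rule-issued tokens when the rule evaluates false and “Auto Revoke” is checked, and provision a replacement X days before an expiring token runs out) is shown in the following added example. It is not SAS code: the Token, User and ProvisioningRule fields, the serial-number helper and the sample users are constructed assumptions, and only the X-days-before check of the expiring-token path is taken from the text.

```python
"""Provisioning-rule evaluation as described in section 8.1.2: a rule issues a
token when it evaluates true for a user and (with Auto Revoke) revokes that
token when it later evaluates false. Added example, not SAS code: the Token,
User and ProvisioningRule fields and the sample data are constructed
assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from itertools import count
from typing import List, Optional, Set


@dataclass
class Token:
    serial: str
    token_type: str                       # e.g. "MP", "KT", "RSA"
    issued_by_rule: Optional[str] = None  # None when the token was assigned manually
    expires: Optional[date] = None        # only imported tokens carry an expiry date
    replaced_by: Optional[str] = None     # serial of the replacement, once provisioned


@dataclass
class User:
    user_id: str
    container: str
    groups: Set[str]
    tokens: List[Token] = field(default_factory=list)


@dataclass
class ProvisioningRule:
    name: str
    token_type: str                       # "Token Type"
    rule_groups: Set[str]                 # "Groups" moved into the Rule Groups window
    container: str                        # "Container"
    issue_duplicate_types: bool = False   # "Issue Duplicate Types"
    auto_revoke: bool = True              # "Auto Revoke"
    require_expiring: bool = False        # "Require Expiring"
    days_before_expiration: int = 30      # "Provisioning X days before expiration"

    def evaluates_true(self, user: User) -> bool:
        return user.container == self.container and bool(user.groups & self.rule_groups)


_serials = count(1)


def next_serial() -> str:
    """Constructed stand-in for drawing a token from inventory."""
    return "SN%04d" % next(_serials)


def apply_rule(rule: ProvisioningRule, user: User, today: date):
    """One evaluation cycle of one rule for one user. Returns the list of
    (action, serial) pairs performed and updates user.tokens in place."""
    actions = []
    if rule.evaluates_true(user):
        same_type = [t for t in user.tokens if t.token_type == rule.token_type]
        if rule.issue_duplicate_types or not same_type:
            serial = next_serial()
            user.tokens.append(Token(serial, rule.token_type, issued_by_rule=rule.name))
            actions.append(("issue", serial))
        if rule.require_expiring:
            cutoff = today + timedelta(days=rule.days_before_expiration)
            for old in list(user.tokens):
                if old.expires is not None and old.replaced_by is None and old.expires <= cutoff:
                    serial = next_serial()
                    user.tokens.append(Token(serial, rule.token_type, issued_by_rule=rule.name))
                    old.replaced_by = serial      # the old token is revoked after enrolment
                    actions.append(("replace", serial))
    elif rule.auto_revoke:
        # only tokens this rule issued are revoked; manually assigned ones stay
        for t in list(user.tokens):
            if t.issued_by_rule == rule.name:
                user.tokens.remove(t)             # returned to inventory (section 8.2.5)
                actions.append(("revoke", t.serial))
    return actions


TODAY = date(2013, 3, 10)                  # constructed evaluation date
SAMPLE_EXPIRY = date(2013, 3, 20)          # constructed expiry inside the 30-day window

if __name__ == "__main__":
    alice = User("alice", "Default", {"vpn-users"})
    vpn_rule = ProvisioningRule("VPN MP", "MP", {"vpn-users"}, "Default")
    print(apply_rule(vpn_rule, alice, TODAY))   # issue
    print(apply_rule(vpn_rule, alice, TODAY))   # nothing: duplicate type not allowed
    alice.groups.clear()
    print(apply_rule(vpn_rule, alice, TODAY))   # revoke
```

The `issued_by_rule` tag is what keeps Auto Revoke from touching a token that an Operator assigned by hand or that another rule issued; the `replaced_by` mark prevents a second replacement being provisioned on every subsequent cycle while the old token is still within the X-day window.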
8.1.3 Manual provisioning
• Note that the manual provisioning process is the same as the bulk provisioning one, except that it regards only one user.
Go to the “Manage” module of the “VIRTUAL SERVERS” tab, click your Subscriber account hyperlink, go
to the “Search User” module of the “ASSIGNMENT” sub-tab and click the “Search” button.
To manually provision a token to a user, click its “UserID” hyperlink, click the “Provision” button in the
“Tokens” module, select the type of token to be issued to the user and click the “Provision” button again
to complete the process and create a Provisioning task. The user in the provisioning task will receive an
e-mail with instructions for enrollment. The content of the e-mail message varies, depending on the token
type.
Provisioning tasks can be modified or recalled for all or some users in the task by clicking the
“Provisioning Tasks” hyperlink of the “Shortcuts” left pane.
8.1.4 Manual assigning
• Use the manual assignment process only for hardware tokens or if the user already has the SAS Software Tool application installed (for software tokens).
Go to the “Manage” module of the “VIRTUAL SERVERS” tab, click your Subscriber account hyperlink, go
to the “Search User” module of the “ASSIGNMENT” sub-tab and click the “Search” button.
To manually assign a token to a user, click its “User ID”, click the “Assign” button in the “Tokens” module,
refine the inventory list of tokens available for assignment by selecting from the “Token Type” drop-down
list or entering a partial serial number in the “Serial #” field before clicking the “Search” button.
Click the “Select” hyperlink corresponding to the token to be assigned, click the “Assign” button to
commit.
The token is now assigned to the user.
In the case of a hardware token, you should give this to the user now along with the initial PIN shown in
the last column of the list. The default policy requires the user to change this PIN on first use of the token
to a value known only to them. The value in the “Initial PIN” field is cleared when the user completes their
PIN change.
In the case of a software token, you must ensure that the SAS Software Tool application is installed on
the user’s device (PC, BlackBerry™, iPhone etc) before proceeding, then:
• Click the “Manage” hyperlink and click the “Issue” button.
Choose the delivery method for the token profile, before clicking the “Issue” button to commit.
• BlackBerry: selecting this option causes the server to send two e-mails to the user, one of which
contains the initial PIN, the other containing the token profile. This method is ideal when using a BES
server to install the SAS Software Tool application on the user’s device in advance of assignment.
• Save the token file: this saves the token profile to a location you specify. The file must be transferred
to the user’s device.
• E-mail the token and PIN to the user: choose this option to e-mail the token and initial PIN to the user.
Typically this method is used for installation of the MP software token on a laptop.
8.2 Managing a provisioned/assigned token
• You can manage provisioned/assigned tokens of both Service Provider and Subscriber accounts’ Virtual
Servers, except for the revocation option of your Service Provider account, which is managed by Orange Business Services.
Go to the “Manage” module of the “VIRTUAL SERVERS” tab, click the hyperlink of the account for which
you want to manage a specific token, go to the “Search User” module of the “ASSIGNMENT” sub-tab,
click the “Search” button.
Click the “User ID” hyperlink corresponding to the user to which the token has been
provisioned/assigned.
The “Tokens” module displays all authentication methods available to the user, usually one or more
tokens. Each entry provides the following information:
• “Type”: displays the type of the token (“MP”, “KT” etc).
• “Serial #”: token serial number hyperlink that displays the corresponding operational parameters and
usage statistics when clicked.
• “State”: state of the token/authentication method where:
- Active: the corresponding authentication method can be used to authenticate
- Suspended: the authentication method is associated with the user but has been suspended by an
Operator, preventing it from being used to authenticate until the method is reactivated by an
Operator.
- Locked: indicates that the user has exceeded the maximum number of consecutive failed logon
attempts. The token will remain locked until the unlock policy is triggered or an Operator
reactivates the token.
- Assigned: indicates that the token has been assigned to the user but has not yet been used to
authenticate.
- Suspended: this indicates that an Operator has placed the token in a suspended state, making it
invalid for authentication but leaving it assigned to a user. This is usually done if there is a security
concern such as a lost or misplaced token. Suspended tokens can be reactivated by an Operator
when the security concern has been resolved.
- Locked: this state occurs when a user exceeds the maximum consecutive failed logon attempts
threshold. A locked token can be reactivated by an Operator. The automatic locking and unlocking
of tokens is controlled by the Account Lockout/Unlock Policy.
- Lost/Failed: a state applied by an Operator when revoking a token. Revoked tokens are returned
to Inventory in this state, where they can be permanently removed or, if the token is subsequently
found or determined to function properly, reinitialized into the Inventory state.
- Expired: the token has expired. This regards only non-CRYPTOCard tokens imported into the
server.
• “Initial PIN”: initial PIN value to be given to the user when using “Assign” to issue a token. By default
the initial PIN value must be changed by the user during their first authentication.
Click the “Manage” hyperlink corresponding to the token to be managed.
A row of buttons shows the token management options: a highlighted button indicates an option that is
available (otherwise, the button is grayed out).
Token management options include:
• Suspend: use this option to suspend the token, making it invalid for authentication but leaving it
assigned to the user. Suspending a token is useful for situations where the user has forgotten or
misplaced their token as it prevents it from being used until the Operator re-activates the token.
• Note that the “Suspend” button is disabled if the token is not in the “Active” state.
• Unlock: use this option to reactivate a token that is in the locked state, making it valid for
authentication.
• New PIN: use this option to set a new PIN value for a token according to the configured PIN policy.
• Resync: use this option to resync a token or test the token if there are repeated failed authentication
attempts with this token.
• Issue: use this button to create an MP software token profile (token seed and operating parameters) in
conjunction with the “Assign” function.
• Revoke: revoke is used to sever the relationship between the user and token.
8.2.1 Suspend
The suspend process may allow a temporary password to be assigned and used as a valid credential
until the token is re-activated:
• “No Static Password”: the user’s token will be suspended and the user will not be given a temporary
static password.
• “Accept LDAP Password”: the user’s token will be suspended and the user will be allowed to use their
LDAP password to authenticate. Note that this option requires LDAP integration.
• “Set Temporary Static Password”: the user’s token will be suspended and the user will be given a
temporary static password which can be used to authenticate:
- “Generate”: generates a static password that complies with the established policy
- “Change static password on first use”: if checked, the user must change the provided static
password to a new value known only to them and which complies with the established policy.
- “No Static Password after”: use this option to limit the life of the temporary password.
- “Comment”: use this area to enter a brief explanation for suspending the token. This forms part of
the permanent token record and can be viewed by other Operators managing this user’s account.
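The token states of section 8.2 and the Suspend options of section 8.2.1 together form a small state machine: only an Active or Assigned token accepts an OTP, too many consecutive failures move it to Locked, Suspend takes it out of service while optionally leaving a time-limited static password in its place, and Unlock or reactivation returns it to Active. The following added example models those transitions; it is not SAS code, and the lockout threshold, the TokenRecord fields, the temporary-password generator and the transition checks are constructed assumptions (the “Accept LDAP Password” option, which needs an LDAP directory, is not modelled).

```python
"""Token state handling as described in sections 8.2 and 8.2.1: lockout after
a threshold of consecutive failed attempts, Suspend with an optional temporary
static password that expires, Unlock, reactivation and Revoke. Added example,
not SAS code; threshold, fields and checks are constructed assumptions."""
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

LOCKOUT_THRESHOLD = 3   # constructed; in SAS this comes from the Account Lockout/Unlock Policy


@dataclass
class TokenRecord:
    serial: str
    state: str = "Assigned"        # Assigned, Active, Suspended, Locked, Lost/Failed, Inventory
    failed_attempts: int = 0
    temp_password: Optional[str] = None
    temp_password_expires: Optional[datetime] = None
    change_on_first_use: bool = False
    comments: List[Tuple[datetime, str]] = field(default_factory=list)


def authenticate(tok: TokenRecord, otp_ok: bool, now: datetime,
                 static_password: Optional[str] = None) -> bool:
    """otp_ok stands in for OTP verification. A static password is honoured
    only while the token is suspended with a temporary password."""
    if tok.state == "Suspended":
        if tok.temp_password is None or static_password is None:
            return False
        if tok.temp_password_expires is not None and now > tok.temp_password_expires:
            return False                                  # "No Static Password after"
        return hmac.compare_digest(tok.temp_password, static_password)
    if tok.state not in ("Active", "Assigned"):
        return False                                      # Locked, revoked: refused outright
    if otp_ok:
        tok.failed_attempts = 0
        tok.state = "Active"                              # first successful use: Assigned -> Active
        return True
    tok.failed_attempts += 1
    if tok.failed_attempts >= LOCKOUT_THRESHOLD:
        tok.state = "Locked"
    return False


def suspend(tok: TokenRecord, mode: str, now: datetime, valid_for: Optional[timedelta] = None,
            change_on_first_use: bool = True, comment: str = "") -> Optional[str]:
    """mode is "No Static Password" or "Set Temporary Static Password".
    Returns the generated temporary password, if any."""
    if tok.state != "Active":
        raise ValueError("Suspend is only available for a token in the Active state")
    if mode not in ("No Static Password", "Set Temporary Static Password"):
        raise ValueError("unsupported suspend mode: %s" % mode)
    tok.state = "Suspended"
    tok.comments.append((now, comment))                   # part of the permanent token record
    if mode == "Set Temporary Static Password":
        tok.temp_password = secrets.token_urlsafe(9)      # constructed; real policy may differ
        tok.temp_password_expires = now + valid_for if valid_for else None
        tok.change_on_first_use = change_on_first_use
        return tok.temp_password
    tok.temp_password = None
    return None


def unlock(tok: TokenRecord) -> None:
    if tok.state != "Locked":
        raise ValueError("Unlock applies only to a Locked token")
    tok.failed_attempts = 0
    tok.state = "Active"


def reactivate(tok: TokenRecord) -> None:
    if tok.state != "Suspended":
        raise ValueError("only a Suspended token can be reactivated")
    tok.temp_password = None
    tok.temp_password_expires = None
    tok.state = "Active"


def revoke(tok: TokenRecord, disposition: str) -> None:
    """Severs the user/token relationship using one of the section 8.2.5 choices."""
    if disposition in ("Lost", "Faulty"):
        tok.state = "Lost/Failed"
    elif disposition in ("Return to Inventory", "Return to Inventory, Initialization required"):
        tok.state = "Inventory"
    else:
        raise ValueError("unknown revoke disposition: %s" % disposition)
    tok.temp_password = None


T0 = datetime(2013, 3, 10, 9, 0)          # constructed reference time
ONE_DAY = timedelta(days=1)
```

Two details worth carrying into any real implementation: the temporary password is compared with `hmac.compare_digest` rather than `==`, and a Locked token refuses even a correct OTP, so an attacker who has guessed their way to the lockout threshold cannot finish by supplying the right value later.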
8.2.2 Unlock
Its use varies depending on the PIN mode:
• Server-side PIN: if the token is locked due to excessive consecutive failed authentication attempts,
clicking the “Unlock” button will reactivate the token.
Check the “Set a New PIN” option to create a new PIN for the user for this token or use the “Random”
button to generate a PIN that complies with the policy.
• Token-side PIN: a token initialized with a token-side PIN which has been locked by the user by
exceeding the maximum allowed PIN attempts may be unlocked using this function, provided the
token was initialized with the unlock token option enabled. This function should only be used if you are
certain that the person in possession of the token is the rightful owner.
• To use this function the user must generate an unlock challenge. The method for doing this varies with token type. Enter this value into the “Challenge displayed on token” field, click the “Unlock” button to
display an unlock code, give this to the user to enter into their token. If correctly entered, the user will
be required to generate a new PIN, after which the token can be used to authenticate.
8.2.3 New PIN
• Note that this option is available where the PIN is evaluated by the Server (Server-side PIN).
Use the “Generate” button to automatically create a new PIN that meets the minimum policy
requirements. Note that the default policy requires the user to change this PIN on first use.
8.2.4 Resync
Use this option to resync a token or test the token if there are repeated failed authentication attempts
with this token. Generally resync is not required. Resync does not require the user or Operator to reveal
the PIN associated with a token. Have the user key the Challenge into their token after enabling resync to
generate a Response.
Enter the resulting response into the “Response” field, and then click the “Resync” button. The response
provided by the user's token for the displayed challenge should result in a successful test. If so, the token
is working properly and in sync with the server.
8.2.5 Revoke
When MP software tokens are revoked they are automatically returned to inventory from which they can
be re-provisioned to other users. Note that each time an MP software token is provisioned, the current
MP template and PIN policy is applied and new encryption keys are generated. This means that there is
no need to recover anything from the original token user and any software still in their possession is no
longer valid for authentication. This also means that MP software tokens (as well as hardware tokens) can
be issued and revoked as often as desired. During revocation, depending on the token type, you are
presented with options to:
• Return to Inventory, Initialization required: use this if revoking a hardware token configured for token-
side PIN. In most cases this will apply only to RB-1 tokens.
• Return to Inventory: use this option if revoking tokens with Server-side or no-PIN configuration. This
assumes that hardware tokens have been returned and can be reused.
• Lost: this option should only be used with hardware tokens and only if they will not be recovered. Lost
tokens will still appear in the token inventory list but with the “Lost” status.
• Faulty: this option is used to indicate that a token has failed. This choice is useful for warranty claims.
A comment such as the reason for revoking the token can be added to a Suspend transaction.
Comments form part of the token permanent history and are also displayed in the token detail.
9 Managing SAS Auth Nodes
An Auth Node is any RADIUS client that will send authentication requests to the SAS.
• You can manage SAS Auth Nodes of both Service Provider and Subscriber accounts’ Virtual Servers; however, Auth Nodes must be created at the Service Provider account’s Virtual Server level and then shared with the Subscriber account’s Virtual Server.
Go to the “Manage” module of the “VIRTUAL SERVERS” tab, click your Service Provider account
hyperlink and go to the “Auth Node” module of the “COMMS” sub-tab.
Click the “Auth Nodes” hyperlink.
Already configured Auth Nodes are listed and you have the ability to edit or remove them by clicking the
related hyperlinks.
An entry in the Auth Nodes table must be created for every Auth Node. The number of Auth Nodes
cannot exceed the allowed number set (100). Virtual Server will not process authentication requests
received from devices that are not in the list.
To add an Auth Node, click the “Add” button.
Fill-in at least the following fields:
• “Agent Description”: descriptive name of the RADIUS client.
• “Host Name”: hostname of the RADIUS client.
• “Low IP Address In Range”: IP address of the RADIUS client.
• “Shared Secret/Confirm Shared Secret”: RADIUS shared secret (this must be identical in both SAS
and the RADIUS client).
Some RADIUS Clients are not fully RADIUS compliant and do not support “Challenge-Response” which is
a requirement for server-side PIN changes. If your RADIUS client does not support Challenge-Response
and your SAS account is configured with server-side PIN policy, check the “Exclude from PIN change
requests” to prevent a forced PIN change with the non-compliant RADIUS client.
Auth Nodes become active within minutes of configuration.
Because the Auth Node has to be shared with the Subscriber account, click the “Sharing and Realms
tab”.
Configure as necessary before clicking the “Save” button to commit the configuration.
• “Allow account lookup based on user name”: the submitted userID will be used to authenticate the
user. The Virtual Server will search the “Shared Auth Node” list in descending order. The first matching
userID will be used to authenticate the user. Use the up/down arrows to move a selected realm up or
down in the priority list. Effectively this means that all userIDs must be unique across all Realms.
• “Enable realms”: use this option where userIDs may not be unique across all realms. If enabled,
additional userID information will be used to determine to which realm the user belongs. Typically the
userID will be an email address. Use this feature in conjunction with the Selected Account and Realm
Identifier options.
• “Strip realm from userID”: strips all data starting with the delimiter character from the userID. This
allows a submitted userID such as an email address ([email protected]) to be authenticated as
userID.
• “Delimiter instance”: uses the first instance of the delimiter (left to right) or last instance of the delimiter
(right to left).
For example, consider two users with the identical userID of BSmith, one belonging to ACME
(acme.com), the other belonging to International Light (IL.com). Configured as follows:
- realms enabled
- strip realm from userID
- delimiter character is “@”
- selected realm=International Light, realm identifier=IL.COM
- the userID of [email protected] would authenticate against the Acme Virtual Server with an
effective userID of BSmith while [email protected] would authenticate against the International Light
Virtual Server with an effective userID of BSmith.
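The two lookup modes above (first-match search of the Shared Auth Node list when realms are disabled; realm identifier derived from the userID, at the first or last delimiter, when realms are enabled) are worked through in the following added example. It is not SAS code: the function names, the account records and the two constructed `BSmith` userIDs are assumptions, and realm identifiers are compared case-insensitively, which matches the example's mix of “IL.com” and “IL.COM” but is an assumption about SAS.

```python
"""Realm handling for a shared Auth Node as described in section 9: with
realms disabled the userID is looked up in the Shared Auth Node list in
priority order; with realms enabled the realm is taken from the userID at the
first or last delimiter and (optionally) stripped. Added example, not SAS code;
function names, account records and sample userIDs are constructed."""
from typing import List, Optional, Tuple


def split_realm(user_id: str, delimiter: str, instance: str) -> Tuple[str, Optional[str]]:
    """"Delimiter instance": "first" splits at the first delimiter (left to
    right), "last" at the last one (right to left). Returns (name, realm)."""
    if delimiter not in user_id:
        return user_id, None
    if instance == "first":
        name, _, realm = user_id.partition(delimiter)
    elif instance == "last":
        name, _, realm = user_id.rpartition(delimiter)
    else:
        raise ValueError("instance must be 'first' or 'last'")
    return name, realm


def resolve(user_id: str, accounts: List[dict], realms_enabled: bool,
            strip_realm: bool = True, delimiter: str = "@", instance: str = "first"):
    """accounts is the Shared Auth Node list in priority order; each entry is
    {"name": ..., "realm_identifier": ..., "users": {...}}.
    Returns (account name, effective userID), or None when nothing matches."""
    if not realms_enabled:
        # "Allow account lookup based on user name": first account knowing the userID wins,
        # which is why userIDs must then be unique across all realms
        for acct in accounts:
            if user_id in acct["users"]:
                return acct["name"], user_id
        return None
    name, realm = split_realm(user_id, delimiter, instance)
    if realm is None:
        return None                                   # no realm information in the userID
    for acct in accounts:
        if acct["realm_identifier"].lower() == realm.lower():   # assumption: case-insensitive
            effective = name if strip_realm else user_id
            return acct["name"], effective
    return None


# Constructed sample: the two BSmith users of the section 9 example.
ACCOUNTS = [
    {"name": "Acme", "realm_identifier": "acme.com", "users": {"BSmith", "JDoe"}},
    {"name": "International Light", "realm_identifier": "IL.COM", "users": {"BSmith"}},
]

if __name__ == "__main__":
    print(resolve("BSmith@acme.com", ACCOUNTS, realms_enabled=True))
    print(resolve("BSmith@IL.com", ACCOUNTS, realms_enabled=True))
    print(resolve("BSmith", ACCOUNTS, realms_enabled=False))   # ambiguous: first account wins
```

The third call shows the hazard the text warns about: with realms disabled, the International Light BSmith is silently authenticated against the Acme account because Acme is higher in the list. Enabling realms removes that ambiguity, and the `instance` setting matters as soon as a userID can contain the delimiter more than once.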
10 Managing SAS SAML Services
• You can manage only SAS SAML Services of your Subscriber account’s Virtual Server. SAS SAML Services of your Service Provider account’s Virtual Server are directly provisioned by Orange Business Services.
10.1 Adding SAML Service Providers
SAML Service Providers (e.g. Google Apps, Salesforce, Box.net…) can rely on the SAS for
authentication.
Go to the “Manage” module of the “VIRTUAL SERVERS” tab, click your Subscriber account hyperlink and
go to the “SAML Service Providers” module of the “COMMS” sub-tab.
The information displayed below the Add button will be required by your Service Provider.
Click the “Add” button to insert a new provider into the list where:
• “Friendly Name”: this is a name you assign to the Relying Party for easy identification. This name will
appear in SAML Services lists on the “SAML Services” module of the “ASSIGNMENT” sub-tab and in
the “SAML Provisioning Rules” of the “Automation Policies” module of the “POLICY” sub-tab.
• SAML 2.0 Metadata:
- “Upload existing Metadata file”: this is an XML file that is generated by your SAML Service
Provider.
- “Create new Metadata file”: some SAML Service Providers do not provide a metadata file but
instead provide only their Entity ID and Location (essentially the resource being accessed). Use this
option to have the virtual server create and add a metadata file based on this information.
• “Entity ID”: this is the “Entity ID” of the SAML Service Provider, typically (but not always) in the form of
a URL. This value will be provided by the SAML Service Provider or can be extracted from the
metadata (XML file) provided by the SAML Service Provider.
For example (the entityID attribute is the value to copy; the rest of the descriptor is omitted here):
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://mycompany.salesforce.com">
    <!-- SPSSODescriptor and the remaining elements of the SP metadata follow here -->
</md:EntityDescriptor>
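The two metadata options above (upload an existing file, or have the server create one from an Entity ID and a Location) can be checked with a few lines of Python. The following is an added example, not part of the guide or of the SAS product: it extracts the entityID and the AssertionConsumerService Location from SP metadata, and builds a minimal metadata document from those two values. The sample metadata, the ACS URL and the HTTP-POST binding are constructed assumptions; the refusal of a non-HTTPS Location is an added check, since the assertion carrying the user’s identity is posted to that URL.

```python
"""Added example (not from the SAS guide): read the Entity ID and the
AssertionConsumerService Location out of SAML 2.0 Service Provider metadata,
or build minimal metadata from those two values."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample, modelled on the fragment shown in the guide; the
# AssertionConsumerService URL is a made-up value.
SAMPLE_SP_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://mycompany.salesforce.com">
  <md:SPSSODescriptor protocolSupportEnumeration="{SAML_PROTOCOL}">
    <md:AssertionConsumerService Binding="{HTTP_POST}" index="0"
        Location="https://mycompany.salesforce.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _q(local: str) -> str:
    """Clark-notation name for an element in the SAML metadata namespace."""
    return f"{{{MD_NS}}}{local}"


def extract_sp_details(metadata_xml: str) -> dict:
    """Return the entityID and the ACS Locations declared in SP metadata.

    Raises ValueError for documents that are not SP metadata or that would
    make the identity provider post assertions to a non-HTTPS endpoint."""
    root = ET.fromstring(metadata_xml)
    if root.tag != _q("EntityDescriptor"):
        raise ValueError(f"not SAML metadata: root element is {root.tag}")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID attribute")
    acs_path = f"{_q('SPSSODescriptor')}/{_q('AssertionConsumerService')}"
    acs_elements = root.findall(acs_path)
    if not acs_elements:
        raise ValueError("metadata declares no SP AssertionConsumerService")
    locations = []
    for acs in acs_elements:
        location = acs.get("Location", "")
        if urlparse(location).scheme != "https":
            # Added check: the assertion identifying the user is sent here.
            raise ValueError(f"AssertionConsumerService Location is not https: {location!r}")
        locations.append(location)
    return {"entity_id": entity_id, "acs_locations": locations}


def build_sp_metadata(entity_id: str, location: str) -> str:
    """Build minimal SP metadata from an Entity ID and an ACS Location.

    The HTTP-POST binding is assumed, as is a single consumer service."""
    ET.register_namespace("md", MD_NS)
    root = ET.Element(_q("EntityDescriptor"), {"entityID": entity_id})
    sso = ET.SubElement(root, _q("SPSSODescriptor"),
                        {"protocolSupportEnumeration": SAML_PROTOCOL})
    ET.SubElement(sso, _q("AssertionConsumerService"),
                  {"Binding": HTTP_POST, "Location": location, "index": "0"})
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(extract_sp_details(SAMPLE_SP_METADATA))
    print(build_sp_metadata("https://sp.example.test", "https://sp.example.test/saml/acs"))
```

Running the script prints the Entity ID and ACS Location found in the sample, then a metadata document built from two made-up values; feeding that document back into extract_sp_details returns the same two values, which is the round trip the “Create new Metadata file” option relies on.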
The remaining options are used to customize the appearance of the logon page presented to the user:
• “Custom Logo”: this is the logo you want to appear on the logon form presented to your users during
authentication.
• “Custom CSS”: modify the default CSS, then upload it to modify the appearance of the page (refer to the
appendix “SAML default CSS source” page 84).
• “Custom Button Image”: this is the image used for the logon button.
• “Custom Page Title”: this is the page title displayed on the browser tab.
• “Custom Icon”: this is the icon displayed on the browser tab.
• “Custom Login Header Text”: this is the text displayed in the header of the logon form.
• “Custom Login Button Text”: this is the text displayed on the logon button.
• “Login message”: this is the text, usually containing instructions, displayed between the Logon Header
Text and the Username field.
• “Custom Username Text”: this is the label for the user name field.
• “Custom Password Text”: this is the label for the password field.
Click the “Apply” button to commit your changes.
10.2 Provisioning SAML Services
10.2.1 Manual provisioning
Go to the “Manage” module of the “VIRTUAL SERVERS” tab, click your Subscriber account hyperlink, go
to the “Search User” module of the “ASSIGNMENT” sub-tab and click the “Search” button.
Click the “User ID” hyperlink corresponding to the user to which the SAML service has to be provisioned.
The “SAML Services” module lists already provisioned SAML Services and you have the ability to edit or
remove them by clicking the related hyperlinks. Click the “Add” button.
Complete the “Add SAML Service” form before clicking the “Add” button:
• “Service”: lists all of the configured SAML Service Providers.
• “SAML Login ID”: this is the UserID that will be returned to the Service Provider in the SAML assertion
on successful authentication. For example, if your service provider (e.g. Salesforce) requires a userID
of [email protected] and this is identical to the user’s email address, choose the E-mail option.
Doing so allows the user to consistently use their UserID to authenticate regardless of the Service
Provider’s requirements. In most cases a Service Provider will require either the UserID or E-mail. For
all other cases choose the Custom option and enter the required userID to be returned.
10.2.2 Auto-provisioning rules
SAML provisioning rules automate adding or removing the right for users to authenticate to configured
SAML Service Providers.
Go to the “Manage” module of the “VIRTUAL SERVERS” tab, click your Subscriber account hyperlink, go
to the “Automation Policy” module of the “POLICY” sub-tab.
Click the “SAML Provisioning Rules” hyperlink and click the “New Rule” button.
Complete the “Add SAML Auto-create Role” form before clicking the “Add” button:
• “Rule Name”: this is a name that describes the rule.
• “User is in container”: users affected by this rule must be in the selected container.
• “Groups Filter”: use this option with the “*” wildcard to limit the groups displayed in the “Groups” list.
• “Server Groups”: users in these groups are not affected by this rule.
• “Rule Groups”: users must be in one or more of these groups to be affected by this rule.
• “Relying Parties”: Service Providers in this section are not affected by this rule.
• “Rule Parties”: users that belong to one or more of the “Rule Groups” will be able to authenticate
against Service Providers in this section.
• “SAML Login ID”: this is the UserID that will be returned to the Service Provider in the SAML assertion.
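The manual provisioning form in 10.2.1 and the auto-provisioning rule in 10.2.2 both come down to two decisions per user: which Service Providers the user may authenticate to, and which SAML Login ID (UserID, E-mail or Custom) is returned in the assertion. The following is an added example, not part of the guide or of the SAS product, that models those two decisions and then works out which SAML Services would have to be added or removed for a user to match the rules. The User and ProvisioningRule classes, the rule and user data, and the E-mail/UserID/Custom option names as string values are assumptions based on the form fields described above.

```python
"""Added example (not from the SAS guide): evaluate SAML auto-provisioning
rules and the SAML Login ID mapping for a user, then reconcile the result
against the SAML Services the user currently has."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str
    email: str
    container: str
    groups: frozenset
    custom_login_id: str = ""   # used only with the Custom option


@dataclass(frozen=True)
class ProvisioningRule:
    name: str
    container: str           # "User is in container"
    rule_groups: frozenset   # "Rule Groups": user must be in at least one
    rule_parties: frozenset  # "Rule Parties": Service Providers granted
    login_id: str            # "SAML Login ID": "UserID", "E-mail" or "Custom"


def saml_login_id(user: User, option: str) -> str:
    """Value returned to the Service Provider as the subject of the assertion."""
    if option == "UserID":
        return user.user_id
    if option == "E-mail":
        return user.email
    if option == "Custom":
        if not user.custom_login_id:
            raise ValueError(f"user {user.user_id} has no custom login ID")
        return user.custom_login_id
    raise ValueError(f"unknown SAML Login ID option: {option!r}")


def rule_applies(rule: ProvisioningRule, user: User) -> bool:
    """A rule applies when the user is in its container and in one of its Rule Groups."""
    return user.container == rule.container and bool(user.groups & rule.rule_groups)


def desired_services(rules, user: User) -> dict:
    """Map each Service Provider the user should reach to the login ID to return.

    The first rule (in list order) that grants a Service Provider decides the
    login ID for it; that tie-break is an assumption of this example."""
    grants = {}
    for rule in rules:
        if not rule_applies(rule, user):
            continue
        for party in sorted(rule.rule_parties):
            grants.setdefault(party, saml_login_id(user, rule.login_id))
    return grants


def reconcile(current: dict, desired: dict):
    """Return (to_add, to_remove) so that the user's SAML Services match the rules.

    A service whose login ID differs from the desired one is listed in to_add
    so it gets re-provisioned with the right value."""
    to_add = {sp: lid for sp, lid in desired.items() if current.get(sp) != lid}
    to_remove = sorted(sp for sp in current if sp not in desired)
    return to_add, to_remove


# Constructed sample data (names, groups and addresses are made up).
RULES = [
    ProvisioningRule("Sales to Salesforce", "Users", frozenset({"Sales"}),
                     frozenset({"Salesforce"}), "E-mail"),
    ProvisioningRule("Staff to Google Apps", "Users", frozenset({"Sales", "Engineering"}),
                     frozenset({"Google Apps"}), "UserID"),
]
ALICE = User("alice", "alice@mycompany.example", "Users", frozenset({"Sales"}))
BOB = User("bob", "bob@mycompany.example", "Contractors", frozenset({"Sales"}))


if __name__ == "__main__":
    wanted = desired_services(RULES, ALICE)
    print(wanted)
    print(reconcile({"Box.net": "alice", "Salesforce": "alice"}, wanted))
```

For ALICE both rules apply, so she is provisioned for Salesforce with her e-mail address and for Google Apps with her UserID; BOB is in the wrong container, so no rule applies to him and any SAML Service he still holds would be listed for removal.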
11 Managing SAS reporting
SAS reporting is available at account and account’s Virtual Server level.
• You can manage SAS reporting of both Service Provider and Subscriber accounts and corresponding Virtual Servers.
SAS account reporting modules and SAS account’s Virtual Server modules are in different locations, and available reports are different too.
However, reporting management modules are the same for both:
• “Available Reports”: this module lists all of the standard reports available. Reports from this list can be
customized and copied to the “My Reports List” module.
• “My Report List”: this module lists all reports that can be run. Reports in this module can be
scheduled to run once or periodically at regular, predefined intervals. Delivery options and recipients
are defined in this module.
• “My Schedule Reports”: all scheduled reports appear in the “My Scheduled Reports” list. Schedules
can be modified and reports can be run “Now” without modifying the normal schedule.
• “My Report Output”: this module lists all reports that are currently in the run state or have completed.
From this list Operators can view or download reports in a variety of formats.
11.1 Accessing the SAS reporting modules
11.1.1 Account
Go to the “Administration” module of the “ADMINISTRATION” tab.
Click the “Report and Billing Management” hyperlink.
11.1.2 Virtual Server
Go to the “Manage” module of the “VIRTUAL SERVERS” tab, click the hyperlink of the account for which
you want to manage reporting of the corresponding Virtual Server and go to the “REPORTS” sub-tab.
11.2 “Available Reports” module
All reports that are available are listed in this module. To view the entire list of available reports, use the
navigation controls below the list or expand the number of rows displayed using the customization icon in
the module bar. The report class dropdown selects reports corresponding to:
• “Security Policy”: this group of reports deals with alert history, container management, Operator Roles
and Scope, Auth Nodes and RADIUS attributes.
• “Compliance”: this group of reports covers user authentication activity, Operator activity and other
factors important to internal and external security auditors.
• “Billing”: this group of reports provides details of all transactions including capacity, tokens, SMS
credits and their related billing terms.
• “Inventory”: this group of reports provides detailed information on tokens, token ownership, states and
other general inventory information.
To add a report to the “My Report List” module, select a report from the “Available Reports” list, then
click the “Add” button.
Then customize the report. The options for customization vary depending on the type of report selected.
In general:
• “Report section”: customize the name of the report and its description. These changes will appear in
the My Reports List module. Note that report names must be unique.
• “Filter”: if available, filters provide a way to limit the scope of a report.
• “Report Columns”: this shows default fields included in the report. To include/exclude fields,
select/deselect fields using the corresponding check boxes.
• “Authorization”: the “Access to Report not Enabled” field lists all Operators that are potential report
recipients. The “Access to Reports Enabled” field lists all Operators that will receive the reports. To
add or remove from the recipient list, highlight the Operators (CTRL Click to select multiple Operators),
and then click the appropriate arrow to move.
• “External Authorization”: the “Access to Report not Enabled” field contains your Service Provider that
is a potential report recipient. The “Access to Reports Enabled” field lists Service Providers that will
receive the reports. To add or remove from the recipient list, highlight the Service Providers (CTRL
Click to select multiple Service Providers), and then click the appropriate arrow to move.
• “E-mail recipients”: the server can send the report by e-mail to addresses in the recipients list. To add
recipients, enter their e-mail address then click the Add button. To remove recipients, highlight their
e-mail address then click the Remove button.
Click the “Finish” button to commit the customizations and add the report to the “My Report List”
module.
11.3 “My Report List” module
This module lists all customized reports. It is from this list that you schedule reports to run. To schedule a
report, select the report then click the “Schedule” button. The schedule report options are:
• “Run Now”: the run now option adds the report to the report processing queue. Reports in the queue
are run in chronological order.
• “Schedule Begins”: the report will not run prior to this date.
• “Frequency”: reports can be scheduled to run on specific days of the week by selecting the
Days/Week option, then selecting the specific days. Alternatively, the report can be scheduled to run
on a monthly basis by selecting the Months/Year option, then selecting the specific months. If
Months/Year is selected, the On day option is enabled. Use this option to specify a day in each month
that the report should run. Reports will not run after the date specified in Expiration Date. By default
report schedules do not expire.
• “Run Time”: the time at which the report should begin executing.
• “Expiration”: the date after which the report will be removed from the “My Scheduled Reports” list.
To commit the report schedule, click the “Finish” button. This adds the report to the “My Scheduled
Reports” module. The report can be modified or removed using the corresponding “Edit” or “Remove”
hyperlink.
11.4 “My Scheduled Reports” module
Scheduled reports to which the Operator is entitled appear in the “My Scheduled Reports” List. The list
shows the report name, run frequency, run time and expiration date.
Click the “Report Name” hyperlink to display or modify the report criteria.
Click “Edit” to update the scheduling of the report.
Select a scheduled report and click the “Run” button to add the report to the report processing queue.
Reports in the queue are run in chronological order. The reporting service checks the queue every 5
minutes and after each report is generated. This means that all reports will be processed in order.
However if no reports are detected, up to 5 minutes may elapse before the service will check the queue
for new report additions.
Clicking the “Run” button does not alter the report’s regular schedule.
11.5 “My Report Output” module
All reports that are running or have completed to which the Operator is entitled are listed in the “Report
Output” table.
Reports can be viewed in the browser by clicking the report name hyperlink. Alternatively they may be
downloaded for local processing by clicking any of the CSV, Tab or HTML hyperlinks. Reports that are no
longer required can be deleted from the list by clicking the remove hyperlink.
12 Monitoring your SAS
12.1 Snapshot summary information
The Snapshot tab provides you with summary information about your SAS virtual server (your service
provider or your subscriber account, depending on the virtual server you are on), including authentication
history, metrics and inventory.
• Authentication Activity module: lists up to 100 of the most recent authentications including diagnostic
information.
• Authentication Metrics module: displays authentication activity metrics over various periods of time.
• Token States module: displays all tokens registered in the Virtual Server by state.
• Allocation module: a complete listing of Virtual Server capacity and token inventory, including detailed
transaction records.
• References module: displays links to SAS documentation and agents that you may need.
12.2 “User management” page
• User Detail module: this module displays basic user information. User detail can be modified for all
users that were manually created or imported. User accounts created by LDAP integration /
synchronization must be modified in the LDAP directory.
• Tokens module: use this module to assign, provision and manage all tokens associated with an
individual user.
• Authentication Metrics module: displays the individual user’s authentication metrics over various
periods of time.
• Authentication Activity module: displays authentication history for up to 100 of the user’s most recent
authentications.
• Access Restrictions module: use this to set specific times/days and periods during which the user is
allowed to authenticate or conversely prevent a user from being authenticated.
• Group Membership module: use this module to add or remove group memberships for the selected
user. Groups can be used to automate provisioning and/or determine if the user is allowed to
authenticate and/or be granted access to specific resources. Note that to modify the memberships of
many users at a time, use the Group Membership module on the Groups tab instead.
• Radius Attributes module: use this module to apply RADIUS attributes to the selected user. Note that
user attributes take precedence over attributes applied to groups to which the user belongs.
13 Requesting changes
Any changes that cannot be performed using your SAS management portal must be requested via the
Managed Services Change Tool (MSCT).
These changes include initial token ordering and pre-authentication rule creation request.
MSCT is available at the URL below, using HTTPS, so all transactions are encrypted:
https://equantcc.mhs-pf.com.
Orange Business Services will provide you with your MSCT login and password to log in.
Please refer to MSCT user guide [Ref 3] for details.
14 Requesting support
For any problems, please call the Orange Business Services Help Desk at your usual phone number, who
will open a trouble ticket (also called a case).
To open a case, you have to provide the Help Desk with at least the following information, which you
received when ordering the SAS:
• company name
• customer code
• search key 1
appendix A: appearance and branding customization
To customize, begin by clicking the Set Customization Inherit hyperlink, clear the Use Customizations
Inherit option, and then click Apply. The module will now display options for customizing Fonts, Colours,
Buttons and Logos. Conversely, to discard customizations, check the set customization inherit option.
• If Use Customizations Inherit is re-enabled, the SAS Virtual Server inherits Orange Business Services defaults.
A.1 Custom fonts
Click the Custom Fonts hyperlink and select the font-family from the dropdown list.
• Custom fonts - SAS management portal logon page
• Custom fonts - SAS self-service portal
• Custom fonts - SAS self-enrollment pages
A.2 Custom colours
Click the Custom Colours hyperlink, select the font-family from the dropdown list, then enter colours using
standard names (red, green, blue etc.) or hex values (#F80000, #CC6600 etc.).
• Custom colours - SAS management portal logon page
• Custom colours - SAS management portal pages
• Custom colours - SAS self-service portal
• Custom colours - SAS self-enrollment pages
A.3 Custom buttons
Click the Custom Buttons hyperlink. To select a preset graphic button, click the corresponding radio
button and click Apply. To use an HTML button, enter a colour value (red, green…) or a colour HEX value
(#F80000, #00C800…).
Normal and hover button text size, colour and weight can be customized by configuring the Button
Text and Button Hover Text options. As above, use standard colour names or enter a HEX value for the font
colour.
Custom graphic buttons can also be used. Buttons must be 120 x 28px in png, jpg or gif format. First
upload the button in the Custom Logo Images module, then return to this page and select the button,
text, hover etc.
Click Apply to commit the changes.
A.4 Custom logo images
Click the Custom Logo Images hyperlink. Select the images then click the Upload button. Images can be
replaced with the defaults by clicking the “X” to the right of any custom image or replaced by simply
uploading a new image.
• Custom Console Logo must be no larger than 400 x 100 px in png, jpg or gif format.
• Self-Service Logo must be no larger than 162 x 70 px in png, jpg or gif format.
• Self-Service Banner must be 688 x 70 px in png, jpg or gif format.
• Alert Icon must be 30 x 30 px in png, jpg or gif format.
The recommended background size is 1800 x 1100 px in png, jpg or gif format. To maintain page loading
speed, the image size should be less than 50kB.
• Custom logo images - SAS management portal logon page
• Custom logo images - SAS management portal pages
• Custom logo images - SAS self-service portal
• Custom logo images - SAS self-enrollment pages
A.5 Custom titles
Modify the text in the corresponding fields to replace the titles on the console management logon, self-
enrollment and self-service pages.
• Custom titles - SAS management portal logon page
• Custom titles - SAS self-service portal
• Custom titles - SAS self-enrollment pages
A.6 Custom labels
Use this module to change the Custom # labels displayed in the SAS management portal where:
• User custom
Refers to Custom #1, Custom #2 and Custom #3 field labels displayed in User Detail (Virtual Server)
and in user related reports and tables. An example use would be to change Custom #1 to an
employee number or other identifier that could be used to link reports and user information in SAS to
the external system.
• Account custom
Refers to Custom #1, Custom #2 and Custom #3 field labels displayed in account related reports and
tables. An example use would be to change Custom #1 to an account number or other identifier that
could be used to link reports and customer information in SAS to the external system.
appendix B: communications customization
B.1 SMS messages tags
Tag | Use
<BR> | Text following this tag is on a new line.
<NEW_PIN> | New PIN value set by Operator or via Self-Service
<NEXT_OTP> | OTP
<USER_ID> | User ID
<PIN> | PIN
<TEMP_PIN> | Temporary Password (Token suspended by Operator)
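The SMS message texts in the next section are templates built from the tags above. The following is an added example, not part of the guide or of the SAS product, of the substitution those tags imply: it turns <BR> into a line break, fills in the other tags from a value map, and refuses to produce a message that still contains a tag it has no value for or a tag that is not in the list (so a misspelt tag cannot go out to a user as literal text). The template wording is constructed; the real message texts are set in the portal.

```python
"""Added example (not from the SAS guide): render an SMS message template
that uses the tags listed in appendix B.1."""
import re

# Matches a tag such as <NEW_PIN>; the tag names come from the table above.
SMS_TAG = re.compile(r"<([A-Z_]+)>")
KNOWN_TAGS = {"BR", "NEW_PIN", "NEXT_OTP", "USER_ID", "PIN", "TEMP_PIN"}


def render_sms(template: str, values: dict) -> str:
    """Substitute the SMS tags in template with the supplied values.

    Raises ValueError if the template uses a tag that is not an SMS tag or
    for which no value was supplied, so nothing half-rendered is sent."""
    def replace(match: re.Match) -> str:
        tag = match.group(1)
        if tag == "BR":
            return "\n"
        if tag not in KNOWN_TAGS:
            raise ValueError(f"<{tag}> is not an SMS tag")
        if tag not in values:
            raise ValueError(f"no value supplied for <{tag}>")
        return str(values[tag])
    return SMS_TAG.sub(replace, template)


# Constructed template text; the values below are made-up sample data.
NEW_PIN_TEMPLATE = "New PIN for <USER_ID>: <NEW_PIN><BR>Use it at your next logon."

if __name__ == "__main__":
    print(render_sms(NEW_PIN_TEMPLATE, {"USER_ID": "alice", "NEW_PIN": "4821"}))
```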
B.2 SMS messages list
Message | Event
Activated | Sent when suspended token is Unlocked by Operator
Activated New PIN | Sent when suspended token is Unlocked by Operator and a New PIN is set.
New Challenge/Response | Sent when SMS token in challenge/response mode is provisioned.
New PIN | Sent when a new PIN is set by an Operator.
New PIN Change Next | Sent when a new PIN is set by an Operator and PIN change on first use is required.
New QUICKLog | Sent when SMS token in QUICKLog mode is provisioned.
New QUICKLog with no PIN | Sent when SMS token in QUICKLog mode is provisioned and a PIN is not required to use the token.
Next OTP | Sent after successful SMS/OTP authentication for tokens in QUICKLog mode.
Next OTP with no PIN | Sent after successful SMS/OTP authentication for tokens in QUICKLog mode and a PIN is not required to use the token.
Suspended | Sent when the SMS/OTP token is Suspended.
Suspended Temp Password | Sent when the SMS/OTP token is Suspended and a temporary password is set for the user.
Test Successful | Sent when testing SMS Settings.
B.3 E-mail messages tags
Tag | Use
<BR> | Text following this tag is on a new line.
<accountName /> | Company name associated with Virtual Server
<remaining /> | The remaining (unused) capacity in the Virtual Server.
<total /> | The total capacity allocated to the Virtual Server
<active /> | Virtual Server service as set by Service Provider (enabled / disabled)
<type /> | Virtual Server service type (account, Virtual Service Provider, Evaluation)
<daysLeft /> | Days before Service stop date.
<stepDate /> | Service stop date as set by Service Provider
<dateTime /> | Timestamp of an event
<firstName> | First name of a User
<lastName> | Last name of a User
<blackberryURL /> | Unique URL for self-enrollment of MP-1 token on BlackBerry generated by Virtual Server.
<reportName /> | Name of a report
<name /> | User ID
<taskeID /> | Provisioning task number generated by Virtual Server.
<count /> | Number of users that did not complete self-enrollment before the Provisioning Task expiration.
<username /> | A User’s UserID (User Detail)
<Uaddress /> | Address (User Detail)
<Ucity /> | City (User Detail)
<Uprovince /> | State/Province (User Detail)
<Upostal /> | Postal/Zip (User Detail)
<Ucountry /> | Country (User Detail)
<orgName /> | Account Name (Virtual Server)
<Oaddress /> | Account address (Virtual Server)
<Oprovince /> | Account State/Province (Virtual Server)
<Opostal /> | Account Postal/Zip (Virtual Server)
<Ocountry /> | Account country (Virtual Server)
<otaURL /> | Unique URL for self-enrollment to install MP-1 generated by Virtual Server.
<tokenPIN /> | PIN for MP-1 token enrollment on Java phone.
<capLeft /> | Remaining Virtual Server license capacity.
<capTotal /> | Total Virtual Server license capacity.
<expiryDate /> | Server license expiration date
<expiryTime /> | Days remaining before license expires.
<capLeft /> | Service capacity remaining.
<capTotal /> | Service capacity total.
<tokenList /> | Serial numbers of tokens no longer associated with users.
<freeSpace /> | Disk space remaining.
<diskSize/> | Total disk space.
<percentageFree /> | Percentage of available space versus total disk size.
<consoleLink /> | Unique URL for Operator Validation and logon to management UI.
<username /> | Unique UserID used by Operator to logon to management UI.
<unlockTime/> | Time a user account will automatically unlock.
<organization /> | Account to which a user belongs.
<state /> | Operator account status (active, pending, suspended).
<remaining /> | Quantity of SMS Credits in Virtual Server inventory.
<selfEnrollURL /> | Unique URL sent to user for self-enrollment.
<addList /> | List of users added by synchronization with an external user data source.
<ignoreList /> | Total number of users not updated during synchronization as users already exist in the Virtual Server.
<updateList /> | Total number of users removed by synchronization as users no longer exist in the external data source.
<removeList /> | List of users removed by synchronization as users no longer exist in the external data source.
<totalMarkforRemoval /> | Total number of users not found in external data source during synchronization. These users will be removed from the Virtual Server after 24 hours have elapsed.
<markedList /> | List of users not found in external data source during synchronization. These users will be removed from the Virtual Server after 24 hours have elapsed.
<tokenType /> | Type of token (KT, MP…).
<time /> | Date/Time of request by user to be issued a token.
<oldState /> | State of token (assigned, active…) when token was assigned to user.
<newState /> | The State a token is moved to by the Virtual Server when the user to which it was assigned can no longer be found.
<serial /> | Serial number of a token.
<remaining /> | Quantity of a type of token remaining in inventory.
<total /> | Total quantity of tokens registered in the Virtual Server.
<failAttempts /> | Quantity of consecutive failed logon attempts.
B.4 E-mail messages list
The following is a list of e-mail messages and corresponding events that cause the messages to be sent
where:
• SP Alert: these alerts are only available to accounts where the Service Type is Virtual Service Provider.
• Alert: these alerts are available in all account Service Types.
• Halerts: these are system alerts and are valid only for the hosting service.
• Enrollment: these messages are sent as part of a Provisioning and/or Self-enrollment process.
Account Capacity
Type
SP Alert
Event
Sent when Virtual Server capacity falls below configured event threshold.
Subject
SAS Account Capacity
Body
The account <accountName /> is approaching their capacity with <remaining /> remaining of <total /> allocated to them.
SMS Content
Account <accountName /> approaching capacity. <remaining />/<total /> left.
Account Removed
Type
SP Alert
Event
Sent when an Account (Virtual Server) is removed.
Subject
SAS Account Removed
Body
The account <accountName /> has been removed by <operator />.
SMS Content
Account <accountName /> removed by <operator />.
Account Status Change
Type
SP Alert
Event
Sent when a Virtual Server account is enabled or disabled.
Subject
SAS Account Status Change
Body
The account <accountName /> has changed to an <active /> <type />
SMS Content
Account <accountName /> changed to an <active /> <type />.
Account Stop Date
Type
SP Alert
Event
Sent X days in advance of Service stop date.
Subject
SAS Account Stop Date
Body
The account <accountName /> is approaching their stop date. There are <daysLeft /> day(s) till the stop date on <stopDate />.
SMS Content
<daysLeft /> day(s) till stop on <stopDate /> for account <accountName />.
Active Evaluation Stop Date
Type
SP Alert
Event
Sent X days in advance of Service stop date for evaluation accounts.
Subject
SAS Evaluation Stop Date
Body
The account <accountName /> is approaching their evaluation stop date. There are <daysLeft /> day(s) till the stop date on <stopDate />.
SMS Content
<daysLeft /> day(s) till stop on <stopDate /> for eval account <accountName />.
Android Token
Type
Enrollment
Event
Sent to User enrolling MP-1 on an Android device.
Subject
Over-The-Air (OTA) Installation for Android Device
Body
<firstName /> <lastName />:
<p>Follow these 2 easy steps to install the MP-1 token on your Android device:</p>
<p>Step 1: Tap the icon below to download the MP-1 from Android Market.</p>
<p><a href="https://market.android.com/details?id=com.m2m" target="_blank"><img src="https://ssl.gstatic.com/android/market/com.m2m/hi-256-0-fa57afae26ab4810eb581ed44fd0d90c6c763d09" width="75" alt="MP-1 token for Android" height="75" /></a></p>
<p>Step 2: Now that the MP-1 is installed, you can click the URL below to install the MP-1 token profile.</p>
<otaURL />
SMS Content
The MP-1 token Download URL: <otaURL />
Auth Service Down
Type
SP Alert
Event
Sent if an element of the service is downgraded or unavailable.
Subject
SAS Authentication Service Error
Body
This message is to report that the SAS authentication service was found to be unresponsive at <dateTime />, during a scheduled check of the service.
SMS Content
BlackShield authentication service down at <dateTime />
AuthNode Changes
Type
SP Alert
Event
Sent when an Auth Node in a Virtual Server account is added, changed or removed by an operator (the <action /> placeholder carries the change).
Subject
SAS Auth Node Changes
Body
The Auth Node <nodeName /> in account <accountName /> was <action /> by <changedBy />.
SMS Content
Auth Node <nodeName /> in <accountName /> <action /> by <changedBy />.
Blackberry PIN
Type
Enrollment
Event
Sent to Users receiving BlackBerry token by e-mail. First of two messages.
Subject
SAS Auth Node Changes
Body
<firstName /> <lastName />:
This e-mail will assist you in the installation and activation of your new CRYPTOCard token on your BlackBerry. Step one is to install the Token Authenticator and Token Attachment handler application on your BlackBerry. Step two is the installation and activation of the actual token. Please make note of the PIN below, as it is required to activate your token.
To install the Token Authenticator "Over-the-Air", browse to the URL below with your BlackBerry. If the application is installed via Desktop Manager (USB) or BlackBerry Enterprise Server, this step is not necessary. Again, please make note of your token activation PIN. Your token will be issued to you shortly.
<blackberryURL />
Your token activation PIN is: <tokenPIN />
SMS Content
Blackberry Token
Type
Enrollment
Event
Sent to Users receiving BlackBerry token by e-mail. Second of two messages.
Subject
SAS Blackberry Token
Body
<firstName /> <lastName />:
Your new CRYPTOCard BlackBerry token is attached.
To install the token, move the cursor to the attached file at the bottom of this message. Click the trackwheel or trackball and then select the Load Token option on the menu. It will pop up the CRYPTOCard BlackBerry token installation wizard and prompt for the user name and activation PIN. Use the activation PIN received in the previous e-mail. If you have not received an activation PIN, contact your Help Desk.
SMS Content
SAS MP Token
Type
Enrollment
Event
Sent to Users receiving MP-1 token by e-mail.
Subject
SAS MP Token
Body
<firstName /> <lastName />:
Your new SAS MP token is attached.
To install, double click on the attached token. This will launch the SAS Software Tools installation wizard and prompt you for the activation PIN. Use the activation PIN received in the previous e-mail.
If you have not received an activation PIN, or you do not have the SAS Software Tools installed, please contact your Help Desk or Administrator.
SMS Content
Completed Report
Type
Alert
Event
Sent to recipients receiving reports by e-mail.
Subject
SAS Report Results
Body
<accountName />
Results of the report <reportName /> are attached.
SMS Content
Enrollment Lockout
Type
Alert
Event
Sent when a User exceeds the maximum number of attempts to self-enrol.
Subject
Enrollment Lockout
Body
<accountName />,
The user <name /> has been locked out of self enrollment at <dateTime />
because there have been too many failed attempts to enroll.
SMS Content
User <name /> has been locked out of self enrollment
Expired Reservation
Type
Alert
Event
Sent when a Provisioning Task expires before all Users in the task have completed self-enrollment.
Subject
SAS Reservation is Expired
Body
Provisioning task <taskID /> has expired in account <accountName /> with <count /> users still pending enrollment.
They will no longer be able to complete enrollment.
SMS Content
Reservation expired for user <userName />
Hardware Assignment Notification
Type
Alert
Event
Sent when manually assigning a hardware token.
Subject
SAS Token Assignment Notification
Body
A hardware token has been assigned
<firstName /> <lastName />: <userName />
At:
<Uaddress />
<Ucity />
<Uprovince />
<Upostal />
<Ucountry />
In company:
<orgName />
At:
<Oaddress />
<Ocity />
<Oprovince />
<Opostal />
<Ocountry />
SMS Content
Hardware Provisioning Notification
Type
Alert
Event
Sent when auto-provisioning a hardware token.
Subject
SAS Token Provisioning Notification
Body
A hardware token has been provisioned
<firstName /> <lastName />: <userName />
At:
<Uaddress />
<Ucity />
<Uprovince />
<Upostal />
<Ucountry />
In company:
<orgName />
At:
<Oaddress />
<Ocity />
<Oprovince />
<Opostal />
<Ocountry />
SMS Content
iPhone Token
Type
Enrollment
Event
Sent to User enrolling MP-1 on iPhone or iPad.
Subject
Over-The-Air (OTA) Installation for iPhone Device
Body
<firstName /> <lastName />:
<p>Follow these 2 easy steps to install the MP-1 token on your iPhone, iPod, iTouch or iPad:</p>
<p>Step 1: Tap the icon below to download the MP-1 from App Store.</p>
<p><a href="http://itunes.apple.com/us/app/cryptocard-mp-1-authentication/id421105724" target="_blank"><img src="http://a2.phobos.apple.com/us/r1000/034/Purple/2b/37/84/mzl.zzidcgff.175x175-75.jpg" width="75" alt="MP-1 token for iPhone and iPad" height="75" /></a></p>
<p>Step 2: Now that the MP-1 is installed, you can click the URL below to install the MP-1 token profile.</p>
<otaURL />
SMS Content
The MP-1 token Download URL: <otaURL />
Java ME OTE
Type
Enrollment
Event
Sent to User enrolling MP-1 on Java phone.
Subject
SAS MP Token for Java-enabled Mobile Device
Body
<firstName /> <lastName />:
This e-mail will assist you in the Over-the-Air (OTA) installation and activation of your new SAS Multi-Platform (MP) token on your Java-enabled Mobile Device.
Initial PIN: <tokenPIN />
Download URL: <otaURL />
SMS Content
New BlackShield MP token: PIN:<tokenPIN /> Download URL: <otaURL />
Java ME USB
Type
Enrollment
Event
Sent to User enrolling MP-1 on Java phone via USB desktop connection.
Subject
SAS MP Token for Java-enabled Mobile Device
Body
<firstName /> <lastName />:
This e-mail will assist you in the desktop suite (USB) installation and activation of your new SAS Multi-Platform (MP) token on your Java-enabled Mobile Device.
Initial PIN: <tokenPIN />
========================================================================
Download Nokia PC Suite:
http://www.nokia.ca/get-support-and-software/software/pc_suite/download
MP token installation on Nokia Phone:
<nokiaHelpURL />
========================================================================
SMS Content
License Capacity
Type
HAlert
Event
Sent when Service capacity falls below minimum threshold.
Subject
SAS License Capacity Warning
Body
This message is a warning that your SAS system is nearing its maximum license capacity.
Remaining Active Token Capacity: <capLeft /> / <capTotal />
If you require more capacity, contact CRYPTOCard to expand your license.
SMS Content
System Capacity warning: <capLeft /> / <capTotal />
License Expiry
Type
HAlert
Event
Sent X days before license expires.
Subject
SAS License Expiry Warning
Body
This message is a warning that your SAS system is nearing its license expiry.
Your license expires on <expiryDate />.
You have <expiryTime /> day(s) left before SAS shuts down.
Contact CRYPTOCard to get your license extended.
SMS Content
License expiry warning: Your license expires on <expiryDate />
License Accounts
Type
Alert
Event
Sent when remaining account capacity falls below minimum threshold.
Subject
SAS License Capacity Warning
Body
This message is a warning that your SAS system is nearing its maximum account capacity.
Remaining account capacity: <capLeft /> / <capTotal />
If you require more accounts, contact CRYPTOCard to expand your license.
SMS Content
System Account Limit warning: <capLeft /> / <capTotal />
List of Token Users Not Found
Type
Alert
Event
Lists token(s) that are no longer associated with a user. This happens when users are removed from the external user source before their tokens are revoked.
Subject
List of SAS Token Users Not Found
Body
The following list contains tokens that have had their state set to <newState /> because the users they were assigned to can no longer be found by BlackShield.
<tokenList />
SMS Content
Tokens have been orphaned in BlackShield. Log in to see the details.
Low Disk Space
Type
HAlert
Event
Sent when disk space falls below minimum threshold.
Subject
SAS Low Disk Space Warning
Body
This message is to report that the free disk space on system drive <driveLetter /> is low.
Details:
Time of Report: <dateTime />
Free Space: <freeSpace /> bytes.
Disk Size: <diskSize /> bytes.
Percentage Free: <percentageFree />
SMS Content
Low disk space warning. <percentageFree />% free on <driveLetter />
Mail Test
Type
Alert
Event
Sent when testing email/smtp settings.
Subject
SAS E-mail Configuration Test
Body
E-mail configuration is correct if you have received this message.
SMS Content
SMS configuration is correct if you have received this message.
MP PIN
Type
Enrollment
Event
Sent to users receiving MP-1 token by email. First of two messages.
Subject
SAS MP Token PIN
Body
<firstName /> <lastName />:
This e-mail will assist you in the installation of your new SAS MP token. Please make note of the PIN below, as it is required to activate
your token, which will be issued to you shortly.
Your token activation PIN is: <tokenPIN />
SMS Content
Operator E-mail Validation
Type
Enrollment
Event
Sent to user when promoted to Virtual Server Operator.
Subject
SAS E-mail Validation
Body
To activate your Operator account in the SAS Authentication Manager you must logon by following the link and using the e-mail address
indicated below:
Logon link: <consoleLink />
E-mail: <userName />
SMS Content
Welcome to SAS. Logon at <consoleLink />
Operator Lockout Alert
Type
Alert
Event
Sent to Operator when a user account becomes locked. (Account Lockout/Unlock Policy)
Subject
SAS User Lockout Alert
Body
Attention:
The following user has been locked out of authentication access until <unlockTime />, following <failedAttempts /> consecutive failed logon attempts:
Name: <firstName /> <lastName />
Username: <userName />
Account: <organization />
SMS Content
Account <userName /> in organization <organization /> has been locked.
Operator Unlock Alert
Type
Alert
Event
Sent to Operator when a user account becomes unlocked. (Account Lockout/Unlock Policy)
Subject
SAS User Unlock Alert
Body
Attention:
The following user's authentication access has been unlocked:
Name: <firstName /> <lastName />
Username: <userName />
Account: <organization />
SMS Content
Account Unlock Alert: User: <userName /> Organization <organization />
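The Operator Lockout Alert and Operator Unlock Alert above are the only record an operator's mailbox gets of the Account Lockout/Unlock Policy firing, so they are worth feeding into whatever the SOC uses for detection. The following is an added example, not code from the SAS product or this guide: it parses the two e-mail bodies into structured events and flags a user who keeps getting re-locked after each automatic unlock, which usually means a sustained guessing attack or a misconfigured client. The rendering of <unlockTime /> is not stated on the page; the "YYYY-MM-DD HH:MM:SS" format, the sample user, account and times are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Regexes follow the "Operator Lockout Alert" and "Operator Unlock Alert" templates
# in Appendix B.4. The page does not say how <unlockTime /> is rendered;
# "YYYY-MM-DD HH:MM:SS" is an assumption made for this example.
UNLOCK_TIME_FMT = "%Y-%m-%d %H:%M:%S"
LOCKOUT_RE = re.compile(
    r"locked out of authentication access until (?P<until>[^,]+), following "
    r"(?P<attempts>\d+) consecutive failed\s+logon attempts"
)
FIELD_RE = re.compile(r"^(Name|Username|Account):\s*(.*?)\s*$", re.M)


@dataclass
class SasAlert:
    kind: str                          # "lockout" or "unlock"
    received: datetime                 # the mail's Date header, supplied by the caller
    name: str
    username: str
    account: str
    unlock_time: Optional[datetime] = None
    failed_attempts: Optional[int] = None


def parse_alert(subject: str, body: str, received: datetime) -> SasAlert:
    """Turn one operator lockout/unlock e-mail into a structured event."""
    subject = subject.strip()
    if subject == "SAS User Lockout Alert":
        kind = "lockout"
    elif subject == "SAS User Unlock Alert":
        kind = "unlock"
    else:
        raise ValueError(f"not a SAS lockout/unlock alert: {subject!r}")

    fields = dict(FIELD_RE.findall(body))
    missing = {"Name", "Username", "Account"} - set(fields)
    if missing:
        raise ValueError(f"alert body is missing fields: {sorted(missing)}")

    alert = SasAlert(kind, received, fields["Name"], fields["Username"], fields["Account"])
    if kind == "lockout":
        m = LOCKOUT_RE.search(body)
        if m is None:
            raise ValueError("lockout alert body does not match the template")
        alert.unlock_time = datetime.strptime(m["until"].strip(), UNLOCK_TIME_FMT)
        alert.failed_attempts = int(m["attempts"])
    return alert


def repeated_lockouts(alerts: List[SasAlert], threshold: int,
                      window_minutes: int) -> Dict[Tuple[str, str], int]:
    """Return {(account, username): count} for users locked out at least
    `threshold` times inside any sliding window of `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    by_user: Dict[Tuple[str, str], List[datetime]] = {}
    for a in alerts:
        if a.kind == "lockout":
            by_user.setdefault((a.account, a.username), []).append(a.received)
    flagged: Dict[Tuple[str, str], int] = {}
    for key, times in by_user.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged


def sample_alerts() -> List[SasAlert]:
    """Constructed sample e-mails filled in from the two templates; the user,
    account and times are invented for this example."""
    lock_body = (
        "Attention:\n"
        "The following user has been locked out of authentication access until {until}, "
        "following 5 consecutive failed\nlogon attempts:\n"
        "Name: Jane Doe\nUsername: jdoe\nAccount: Example Corp\n"
    )
    unlock_body = (
        "Attention:\n"
        "The following user's authentication access has been unlocked:\n"
        "Name: Jane Doe\nUsername: jdoe\nAccount: Example Corp\n"
    )
    t0 = datetime(2013, 3, 10, 9, 0, 0)
    alerts: List[SasAlert] = []
    for i in range(3):  # locked, auto-unlocked 15 minutes later, locked again
        received = t0 + timedelta(minutes=20 * i)
        until = (received + timedelta(minutes=15)).strftime(UNLOCK_TIME_FMT)
        alerts.append(parse_alert("SAS User Lockout Alert", lock_body.format(until=until), received))
        alerts.append(parse_alert("SAS User Unlock Alert", unlock_body,
                                  received + timedelta(minutes=15)))
    return alerts


if __name__ == "__main__":
    for (account, user), n in repeated_lockouts(sample_alerts(), 3, 60).items():
        print(f"{user} in {account}: {n} lockouts within one hour")
```

The receipt time comes from the mail headers rather than from the body because the lockout body only carries the unlock time; the threshold and window are the knobs to tune against the lockout policy's own attempt count and unlock delay.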
Operator Status Change
Type
Alert
Event
Sent when an Operator’s status changes. (active, pending, suspended)
Subject
Operator Status Change
Body
Attention:
The following operator's state has been changed to <state />
User Account: <userName />
Account: <accountName />
SMS Content
<organization />: <userName />'s operator status changed to <state />
Organization Capacity
Type
Alert
Event
Sent when Virtual Server capacity falls below threshold.
Subject
SAS Capacity
Body
<accountName />
You are approaching your maximum capacity. <remaining /> left out of <total />
SMS Content
Approaching capacity: <remaining /> left of <total />
Organization SMS Credits
Type
Alert
Event
Sent when Virtual Server SMS Credits falls below threshold.
Subject
SAS SMS Credits
Body
<accountName />,
Your available SMS credits are getting low. You have <remaining /> left.
SMS Content
SMS Credits low. <remaining /> left
Provisioning Cancelled
Type
Alert
Event
Sent to users that have not completed self-enrollment when the corresponding provisioning task is cancelled.
Subject
SAS Provisioning Cancelled
Body
<First /> <Last />, your pending token provisioning has been cancelled. The enrollment link you received in a previous E-mail is no longer active.
SMS Content
Your token provisioning has been cancelled.
Self Enrollment
Type
Enrollment
Event
Self-enrollment instructions sent to users as part of a provisioning task.
Subject
SAS Self-enrollment
Body
<firstName /> <lastName />:
Your self-enrollment account has been created.
If you are enrolling a hardware token, and do not have your token yet, please contact your system administrator.
Please, go to the following URL to enroll with SAS:
<selfEnrollURL />
If the above link does not work, please copy and paste this url to your web browser.
SMS Content
SAS Self Enrollment: Enroll at <selfEnrollURL />
Software Token Self Enrollment
Type
Enrollment
Event
Self-enrollment instructions containing URL.
Subject
SAS Self-enrollment
Body
<firstName /> <lastName />:
Your self-enrollment account has been created.
Please, go to the following URL to activate your token:
<selfEnrollURL />
If the above link does not work, please copy and paste this url to your web browser.
SMS Content
SAS Self Enrollment: Activate your token at <selfEnrollURL />
Sync Notification
Type
Alert
Event
Sent each time the Virtual Server is synchronized via the LDAP Sync Agent.
Subject
LDAP Sync notification
Body
The following actions have been processed for <orgName />:
The following <totalAdded /> new users have been added:
<addList />
The following <totalIgnored /> new user messages were ignored as the users already exist.
<ignoreList />
The following <totalUpdated /> existing users have been updated:
<updateList />
The following <totalRemoved /> users have been removed:
<removeList />
The following <totalMarkForRemoval /> users have been marked for deletion:
<markedList />
They will continue to exist for 24 hours, during which period they have been marked as disabled.
If this was a result of a misconfiguration, fixing the configuration will re-enable the users.
Note: If you have deleted a user in LDAP, re-creating a new user with the same user name will NOT restore the existing user.
SMS Content
Token Request Ack
Type
Enrollment
Event
Sent to user to acknowledge request to be issued a token.
Subject
SAS Token Request Acknowledged
Body
This message is to confirm that your request for a <tokenType /> token has been received as of <time />.
SMS Content
Your request for a BlackShield token has been received.
Token Request Deny
Type
Enrollment
Event
Sent to user when request to be issued a token is denied.
Subject
SAS Token Request Denied
Body
This message is to inform you that your request for a <tokenType /> token has been denied.
SMS Content
Your request for a BlackShield token has been denied.
Token User Not Found
Type
Alert
Event
Sent when a token's state is changed because the user to which it was assigned can no longer be found.
Subject
SAS Token User Not Found
Body
The token <serial /> which was assigned to user <userName /> has been changed from state <oldState /> to <newState />.
This has occurred because the user <userName /> can no longer be found by BlackShield.
SMS Content
Token <serial /> has been orphaned as user <userName /> can not be found.
Token User Replaced
Type
Alert
Event
Sent when a User (UserID) with an assigned token is overwritten by a user from a different user source with an identical UserID. For example, a manually created UserID is overwritten during an LDAP synchronization that includes an identical UserID.
Subject
SAS Token User Replaced
Body
The token <serial /> which was assigned to user <userName /> has been changed from state <oldState /> to <newState />.
This has occurred because the user <userName /> has been overwritten by a new user <userName />.
SMS Content
Token <serial /> orphaned because user <userName /> was overwritten.
Token Sub Capacity
Type
Alert
Event
Sent when remaining quantity of tokens in inventory falls below the minimum threshold.
Subject
SAS Token Capacity
Body
<accountName />,
You are approaching the remaining capacity available to you. <remaining /> left out of <total />
SMS Content
Approaching capacity: <remaining /> left of <total />
User Lockout Alert
Type
Alert
Event
Sent to a user when their account becomes locked due to excessive consecutive failed logon attempts.
Subject
SAS User Lockout Alert
Body
<firstName /> <lastName />, you have been locked out of authentication access until <unlockTime />, following <failedAttempts /> consecutive failed logon attempts.
SMS Content
Your BlackShield account has been locked until <unlockTime />
User Unlockout Alert
Type
Alert
Event
Sent to user when their account becomes unlocked.
Subject
SAS User Unlock Alert
Body
<firstName /> <lastName />, you can again attempt to logon to the authentication service.
SMS Content
Your BlackShield account has been unlocked.
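Two things stand out when reading the templates above as an operator who customizes them. First, a placeholder is only substituted when it is exactly `<name />`; the list itself shows the two slips that silently leak a literal tag into an outgoing message (`<<firstName />` in the SAS MP Token body and a `<total /` missing its `>` in Token Sub Capacity). Second, the Android Token and iPhone Token bodies are HTML, and `<firstName />`, `<lastName />` and `<otaURL />` are dropped into that HTML, so a display name coming from the LDAP user source must be escaped or it becomes markup in the recipient's mail client. The following is an added example and not the product's own renderer (the page does not describe how SAS performs substitution): a linter for customized templates plus a renderer that escapes values in HTML bodies and leaves SMS and plain-text bodies untouched. The per-template placeholder sets and the sample values are taken from or constructed for the templates above.

```python
import html
import re
from typing import Dict, List, Set

# A well-formed SAS placeholder: an identifier immediately closed with "/>".
PLACEHOLDER_RE = re.compile(r"<(?P<name>[A-Za-z][A-Za-z0-9]*)\s*/>")
# Slips seen in the list above: a doubled "<", or a "/" that is not followed by ">".
# HTML tags with attributes (<a href=...>, <img src=... />) match neither pattern.
MALFORMED_RE = re.compile(r"<<[A-Za-z]|<[A-Za-z][A-Za-z0-9]*\s*/(?=\s|$)")

# Placeholders each template may use, copied from Appendix B.4 for the templates
# exercised below; a real check would carry an entry for every template.
TEMPLATE_PLACEHOLDERS: Dict[str, Set[str]] = {
    "Android Token": {"firstName", "lastName", "otaURL"},
    "Token Sub Capacity": {"accountName", "remaining", "total"},
    "Account Capacity (SMS)": {"accountName", "remaining", "total"},
}


def lint_template(template: str, allowed: Set[str]) -> List[str]:
    """Report malformed placeholders and placeholders the template may not use."""
    problems: List[str] = []
    for m in MALFORMED_RE.finditer(template):
        problems.append(f"malformed placeholder at {m.group(0)!r}")
    for m in PLACEHOLDER_RE.finditer(template):
        if m["name"] not in allowed:
            problems.append(f"unknown placeholder <{m['name']} />")
    return problems


def render(template: str, values: Dict[str, str], html_body: bool) -> str:
    """Substitute placeholders. In an HTML body every value is escaped so that a
    display name or URL taken from the user source cannot inject markup; in
    plain-text and SMS bodies the value is inserted as-is. A placeholder with
    no value is an error rather than being left in the outgoing message."""
    def substitute(m: "re.Match[str]") -> str:
        name = m["name"]
        if name not in values:
            raise KeyError(f"no value for placeholder <{name} />")
        return html.escape(values[name], quote=True) if html_body else values[name]
    return PLACEHOLDER_RE.sub(substitute, template)


if __name__ == "__main__":
    # Constructed sample: the Token Sub Capacity body with the "<total /" slip.
    bad = "<accountName />,\nYou are approaching the remaining capacity. <remaining /> left out of <total /\n"
    print(lint_template(bad, TEMPLATE_PLACEHOLDERS["Token Sub Capacity"]))
    # Constructed sample: a hostile display name dropped into the HTML Android body.
    android = "<firstName /> <lastName />:\n<p>Step 2: click the URL below.</p>\n<otaURL />"
    print(render(android, {"firstName": "<script>alert(1)</script>", "lastName": "Doe",
                           "otaURL": "https://example.invalid/ota?id=1&k=2"}, html_body=True))
```

Run the linter over every customized body and SMS text before saving it, and keep HTML escaping on for the Android and iPhone bodies only; escaping an SMS or plain-text body would turn an `&` in an account name into `&amp;` for the recipient.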
Appendix C: SAML default CSS source
.tableBanner
{
width: 600px;
border-width: 0px;
border-spacing: 0px;
background-color: white;
}
.tableMain
{
width: 600px;
border-width: 1px;
border-spacing: 0px;
border-style: solid;
border-color: #4682B4;
border-collapse: separate;
background-color: white;
padding: 0px;
}
.tdTopSpaceAboveBanner
{
height: 50px; text-align: center;
}
.tdBanner
{
height: 100px; text-align: center;
}
.tdSpaceBelowBanner
{
height: 50px; text-align: center;
}
.tdLoginHeader
{
height: 50px; text-align: center; font-size: 28px; color: white; background-color: #4682B4; padding-left: 0px; padding-right: 0px;
}
.tdLoginMessage
{
height: 50px; text-align: center; font-size:20px; color: #4682B4;
}
.tdUserNameLabel
{
text-align: right;
font-size: 15px;
color: #4682B4;
padding-left: 70px;
}
.textUserName
{
width: 225px; height: 20px; text-align: left; border-color: #4682B4; border-width: 1px;
}
.tdPasswordLabel
{
text-align: right;
font-size: 15px;
color: #4682B4;
padding-left: 70px;
}
.textPassword
{
width: 225px; height: 20px; text-align: left; border-color: #4682B4; border-width: 1px;
}
.tdUserName
{
padding-left: 60px;
}
.tdPassword
{
padding-left: 60px;
}
.td20PxSpace
{
height: 20px;
}
.td40PxSpace
{
height: 40px;
}
.tdUserErrorMessage
{
height: 40px; color: red; text-align: center; font-size: 14px;
}
.tdSubmit
{
text-align: center; height: 30px;
}
.buttonSubmit
{
background-color: white; background-repeat: no-repeat; border-width: 0px; width: 120px; height: 28px; text-align: center; font-size: 14px; color: white;
}
.tdSpaceBelowLoginWindow
{
height: 80px;
}
.relayingParty
{
text-align: center; font-size: 10px; color:darkblue; height: 20px;
}
.sessionTimeout
{
text-align: center; font-size: 12px; color:blue;
}
.sessionWarning
{
text-align: center; font-size: 14px; color:crimson;
}
.copyRight
{
text-align: center; font-size: 8px; color: darkblue; height: 20px;
}
.td404Error
{
height: 40px; color: red; text-align: left; font-size: 28px;
}
.tdError
{
height: 40px; color: red; text-align: left; font-size: 28px;
}
.tdWarning
{
height: 40px; color: brown; text-align: left; font-size: 28px;
}
.tdInformation
{
height: 40px; color: darkblue; text-align: left; font-size: 28px;
}
.tdSignoutMessage
{
height: 40px; color: red; text-align: left; font-size: 18px;
}
.tdErrorMessage
{
height: 40px; color: red; text-align: left; font-size: 14px;
}