Configure the ActivID Self-Service Portal Features

Verify the Self-Service Portal Direct User Permissions

Prerequisites: You must have the Search Users permission.

The ActivID Self-Service Portal Direct User is configured by default with the required permissions to interface with ActivID AS.

To make sure the direct user has the required permissions:

  1. Log on to the ActivID Management Console as an ActivID Administrator and with the required permissions for the domain.
  2. Search for the user sys*.
  3. In the user details page, select the Permissions Inherited from Admin Group and User Role tab.
  4. Verify that the group is assigned the SSP System Administration Functions and SSP System Asset Management Functions permissions sets.
  5. Both sets should also be assigned to the Self-Service Portal Direct channel.

Important: Do NOT edit the SSP System Administration Functions permission set as these permissions are required for Direct User operations in the ActivID Self-Service Portal.

Define the Available Portal Features

You can define the features available per security domain or group by configuring the Self Service Portal Access Permissions set.

This permission set is assigned to all end user groups in a security domain.

The available permissions are:

  • Change Soft Pin using the SSP
  • Discard User Device using the SSP
  • Hardware Token Activation through SSP
  • Problem Solving using the SSP
  • Rename User Device using the SSP
  • Renew User Device using the SSP
  • Test User Devices through SSP
  • User Personal Information displayed in SSP
  • View User Device List in SSP
  • Web Token Activation through SSP
Note: If you are blacklisting a Soft Token Platform at activation, you must disable the corresponding permission (for example, disable the PC Token Activation through SSP permission) as well as configure the black list settings.
Prerequisites: You must have the following permissions:
  • Update predefined permission set
  • Update external permission set

Define the Features Per Domain

To define the features available to all domain users, enable or disable the permissions in the Self Service Portal Access Permissions permission set.

  1. Log on to the ActivID Management Console as an ActivID Administrator and with the required permissions for the domain.
  2. In the Access Administration tab, under Access Control, select Permission Sets.
  3. To edit the portal permission set, click Self Service Portal Access Permissions.
  4. From the drop-down list, select Enabled and then select or clear the individual permissions as required.
  5. Click Save to apply the changes.

The modified permission set will apply to all groups in the domain, which are currently assigned the permission set.

When the users log on to the portal, only the features defined in the permission set will be available.

Define the Features Per Group

To define the features available per user group, make a copy of the Self Service Portal Access Permissions set and edit the copied set as required (enable or disable the permissions). Finally, assign the new permission set to the relevant group.

  1. Log on to the ActivID Management Console as an ActivID Administrator and with the required permissions for the domain.
  2. In the Access Administration tab, under Access Control, select Permission Sets.
  3. Select the check box for Self Service Portal Access Permissions and click Copy.
  4. To edit the new permission set, click Copy of Self Service Portal Access Permissions.
  5. Rename the permission set to make it easier to identify (for example, if the permission set will be assigned to contractors, you could rename it to Contractors – SSP Access Permissions).
  6. In the Enabled column, select or clear the individual permissions as required.
  7. Click Save to apply the changes.
  8. Return to the Access Administration tab and, under User Organization, select Administration Groups.
  9. Select the group to which you want to assign the new permission set.
  10. Select the Permissions tab.
  11. In the Available list of permission sets that can be assigned, scroll down to the list of External permission sets.
  12. Click Assign for the new permission set (in this example, Contractors – SSP Access Permissions).
  13. Complete the assignment wizard by selecting the required Authentication Policies and Channels.
  14. If necessary, click Unassign to remove the original Self Service Portal Access Permissions permission set.
  15. Click Save.

Configure the Portal Settings

To customize the portal's settings:

  1. Generate a Customization package.
  2. Open the ssp.properties file in the SelfServicePortal/config directory of the package.
  1. Configure the portal settings as required:
  2. When complete, save the file in the common folder (to apply the settings to all domains) or the domain-specific folder of the package.
  3. Then apply the customization package.

Configure the Token Activation Settings per Domain or All Domains

The Token Activation settings are defined per default for all domains. They can be customized for all domains or per domain.

Alternatively, the Token Activation settings can also be customized per administration group.

By default, the activation settings are:

  • Device type:
    • The PC, and Mobile tokens will be activated using the PC Soft Token OATH Event (DT_STP_OE) and Mobile Smart Phone Soft Token OATH Event device types (DT_STM_OE) respectively.
    • The HID Approve app will be activated using the Mobile push based Validation device type (DT_TDSV4).
    • The FIDO passkeys will be activated using the FIDO device device type (DT_FIDO).
  • Authentication policies:

    The default policies varies according to the User’s Administration Group (that is, Employee One-Time Password authentication policy will be used to create the authenticator when the device is activated for users in the Full Time Employees Admin Group).

Important:  
  • You must only modify the configuration files if you are sure of the changes to be made. It is recommended to contact HID Global Technical Support before modifying these files.
  • To configure the device types and authentication policy applied at activation, go to the Token Activation section and edit the following settings:
    • token.activation.pc.devicetype=DT_STP_OE
    • token.activation.mobile.devicetype=DT_STM_OE
    • token.activation.mobile.hid.devicetype=DT_TDSV4
    • token.activation.mobile.hid.authenticationpolicy=AT_SMK
    • token.activation.fido.devicetype=DT_FIDO
  • For Mobile Soft Token activation on mobile devices and PC Soft Token activation on PCs, you can also define the list of available applications (for example, to prevent the activation of one specific application):
    • For Mobile Soft Tokens, edit the application.config.mobile.activation.availableapps setting.
    • For PC Soft Tokens, edit the application.config.pc.activation.availableapps setting.

    For both settings, the possible values are ACTIVID_TOKEN and/or HID_APPROVE

    For example, application.config.pc.activation.availableapps=ACTIVID_TOKEN,HID_APPROVE

    Note: If you define only one type of application, the ActivID Self-Service Portal will directly display the activation workflow for that application and the user will not be prompted to select either ActivID Token or HID Approve.
  • For HID Approve activation, you can define a customized provisioning URL by editing the application.config.mobile.activation.provisioningurl setting.

    By default, the setting is empty and the value is computed with local information (server name and port in the HTTP request).

    The required format is <server_name>:<server_port>

    • If a proxy is configured in front of ActivID AS, enter the proxy server URL
    • If the portal is installed on an ActivID AS front-end, enter the back-end URL

Configure the Token Activation Settings per Admin Group

You can define the device type and authentication policy used to create the authentication record during activation for each group.

Important:
Prerequisites: You must have the Asset Type Administration functions permission set.
  1. Log on to the ActivID Management Console as an ActivID Administrator.
  2. In the Access Administration tab, under User Organization, select Administration Groups.
  3. Select the group for which you want to define activation settings.
  4. In the group's Details page, select the Authentication Policies tab.
  5. Go to the Self-Service Tokens Activation Configuration section.
  6. For each activation option, select the:
    • Device type for each type of token
    • Authentication policy from the list of polices compatible with the device type selected for the type of device

    To disable an activation option for the group, leave the settings empty or clear the selected configuration.

  7. Note:
    • If One-Time Password authentication policies are not available for your User Type, the lists will remain empty. You must define such a policy to be able to activate the tokens.
  8. Click Save.
Note: These settings are retained in the form of "Assets" that belong to the GroupConfig asset type:

  • These assets must not be deleted after they are created (as it will delete the settings)
  • Such assets will not be created if the settings are left to default values (meaning no specific device type is selected for the Admin Group)

Define the HTTP Session Timeout

You can define the HTTP session timeout is seconds (by default, this is 300 seconds).

application.session.timeout.seconds=300

Define the Direct and Indirect Channels for the ActivID Self-Service Portal

You can define the direct and indirect channels for the ActivID Self-Service Portal (by default, these are SSP_DIRECT and CH_SSP respectively).

DirectChannelCode=SSP_DIRECT

IndirectChannelCode=CH_SSP

Define the Device Incident Status

You can define the status that should be set for the device when the user reports a device incident (by default, this is SUSPENDED).

When a user reports a device as lost using the ActivID Self-Service Portal, the device is set to an inactive state. This means that, if the device is recovered, it can be used for authentication again after the Help Desk has reactivated it.

ai.ssp.deviceincident.status=SUSPENDED

If you want to change the default state, it is recommended that you change the value to select a state that:

  • Is inactive
  • Can be transited from any of the other states
  • Exists for all device types

Define the Authentication Policy for Test Push Authentication

You can define the authentication policy used to test the push notifications (by default, the policy is AT_PASA).

token.push.verify.authpolicy=AT_PASA