Configure the ActivID Self-Service Portal Access

Users can access the ActivID Self-Service Portal using the portal’s designated URL in your web browser.

https://<hostname>:<port>/ssp

Note: The default user, spl-contractor, can be used to view the ActivID Self-Service Portal features (by setting a static password for this user).
Prerequisites: You must have a valid authenticator already assigned to you.

Users are prompted to log on with an existing authentication method:

Static password (network credentials)

LDAP username and password

One-Time Password (OTP) generated by an authentication device

PKI certificate on a smart card

Security Questions and Answers

A password delivered via email or SMS

Push Authentication using HID Approve to validate the logon

FIDO Challenge/Response U2F Authentication using two-step authentication (for example, username/password and OTP) with a tiered authentication policy. To enable this method, see Configure Support for FIDO U2F Authentication.

Note: You can set the available authentication methods by editing the ActivID Self-Service Portal’s channel authentication policies in ActivID Management Console, and defining the associated logon templates.

Access with a PKI Certificate

Prerequisites: For PKI logon:
  • The user’s CA Certificate must be imported into the server truststore to enable an SSL connection.
  • The user must have been assigned a certificate (private key) which can be installed in the browser certificate store – or stored on a smart card. The user’s certificate must be imported into ActivID AS during the registration of their portal PKI Login.
  • The application server has a connector configured for TLS 1.1/TLS 1.2 with client authentication.
  • If a smart card-based certificate is used, then a middleware – such as ActivID ActivClient® – must be installed locally on the client machine. If the certificate is password-protected, then the user will be prompted to enter the password.
  • The server certificate must be installed in the browser's truststore.
  • If your deployment uses TLS mutual authentication, the user will be redirected to port 8443. Make sure your reverse proxy is configured correctly.

To log on to the ActivID Self-Service Portal with PKI credentials, import the following certificates:

  • Certificate Authority certificate of the CA you will use to issue the certificate for the user.
  • A user certificate bundle including its intermediate CA certificates (.cer, .crt, .pem, .p7b) for the user.
  • Important: The first certificate in the chain must be the end user certificate.
  • A certificate with the corresponding private key (p12 or .pfx) for the user.

Certificate Validation and Revocation Check

Users’ certificates are validated when importing the certificate and users log on.

Online Certificate Status Protocol (OCSP) and full Certificate Revocation List (CRL) can both be used to check the revocation status of a certificate. Delta and redirect CRLs are not supported.

ActivID AS supports CRL Distribution Points (CDP) specified in certificates or locally configured CDPs.

By default, OCSP is the preferred method for checking revocation status. When using CRL, the CDP URL selection rules are:

  • If manually configured, CDPs specified in certificates are ignored.
  • HTTP/FTP CDPs are preferred to LDAP CDPs.
  • LDAP URLs without hostname are simply ignored.

The behavior of the certificate validation is configurable.

Set the ActivID Self-Service Portal Logon Methods

The ActivID Authentication Portal allows users to access the Self-Service Portal features once they have successfully authenticated.

Prerequisites:  
  • The ActivID Self-Service Portal channel must have a set of Allowed Authentication policies.
  • Authentication policy mappings must exist to display the associated logon GUI templates.

The authentication policies that are assigned to the ActivID Self-Service Portal channel are listed in the Allowed Authentication Policies tab of the channel (in the ActivID Management Console).

To modify the available logon methods:

  1. Log on to the ActivID Management Console as an ActivID Administrator (as you need the Update authentication policy permission).
  2. In the Configuration tab, under Polices, select Authentication and click Authentication Policies.
  3. Click the Code of the authentication policy you want to use.
  4. Select the Assignments tab.
  5. Assign the Authentication Policy to the ActivID Self-Service Portal by moving it from the Available Channels list to the Selected Channels list.
  6. In this example, the authentication policy is already assigned to the ActivID Self-Service Portal.

  7. Click Save.
  8. Under Policies, select Identity Providers and then ActivID Identity Provider to check that an Authentication Policies Mapping exists for the authentication policy, in the Authentication Policies mapping list:
  9. If not, you must add a new authentication policies mapping.

    You can also add support for FIDO passkeys as a second factor authentication.

Important: Users will not be able to log on to the portal using LDAP pass-through if the Change password at next logon option is set for the user’s account in the corporate directory.

Make sure that this option is not selected for users that will log on using LDAP pass-through.

Direct Access to ActivID Self-Service Portal Features

Each of the ActivID Self-Service Portal features can be accessed directly using specific links. You can integrate these links into your own applications or use them to control how end users access and use the portal.

For example, to direct end users directly to the enrollment feature via a notification email, you can provide a direct URL to that feature of the ActivID Self-Service Portal.

Important: The end user will have to authenticate before accessing the feature directly.
Prerequisites: For users to be able to use the direct link feature, they must have the required permissions.

ActivID Self-Service Portal Direct Access Links

Feature Direct URL
Self-Service Portal home https://<hostname>:<port>/ssp/home.xhtml
Activate my device https://<hostname>:<port>/ssp/tab/activate-token/activateTokenHome.xhtml
Activate Hardware Token https://<hostname>:<port>/ssp/tab/activate-token/activateHardwareToken.xhtml
Activate HID Approve mobile app https://<hostname>:<port>/ssp/tab/activate-token/activateMobile.xhtml
View my devices https://<hostname>:<port>/ssp/tab/my-devices/list/deviceList.xhtml
Test my device https://<hostname>:<port>/ssp/tab/my-devices/test/testDeviceSelect.xhtml
Rename my device https://<hostname>:<port>/ssp/tab/my-devices/list/renameDeviceSelect.xhtml
I have a problem https://<hostname>:<port>/ssp/tab/my-problem/myProblemHome.xhtml
Report a device as lost, stolen or damaged https://<hostname>:<port>/ssp/tab/my-problem/lost/deviceLost.xhtml
I cannot log in https://<hostname>:<port>/ssp/tab/my-problem/cannot-login/cannotLogin.xhtml

Domain-Specific Direct Access to ActivID Self-Service Portal Features

The direct access configuration can also be applied per domain so that a direct URL directs the end user to the chosen feature in the chosen domain.

When users log on to the ActivID Self-Service Portal using the direct link, they do not need to select their domain (the option is not available) and they are re-directed to the feature.

Important: The ActivID Authentication Portal property, DomainRequired, must be set to true.

You can be define this property in the <ACTIVID_HOME>/ActivID_AS/applications/resources/ap/samlidp.properties file.

To define the domain direct access links, add the domain name to the feature URL.

For example, the Activate HID Approve mobile app link can be configured as
https://<hostname>:<port>/ssp/tab/activate-token/activateMobile.xhtml?domain=BANKING

The following table lists the activation options as examples.

ActivID Self-Service Portal Domain-Specific Direct Access Links

Feature Domain-Specific Direct URL
Activate Hardware Token https://<hostname>:<port>/ssp/tab/activate-token/activateHardwareToken.xhtml?domain=<domainname>
Activate HID Approve mobile app https://<hostname>:<port>/ssp/tab/activate-token/activateMobile.xhtml?domain=<domainname>

ActivID AS supports the addition of the domain name in the following formats:

  • Clear value of the domain name
  • sha256 value of the domain name

In the examples above, domain=<domainname> can be replaced by the sha256 value of the domain name if required.

For example, the Activate HID Approve mobile app link can be configured as
https://<hostname>:<port>/ssp/tab/activate-token/activateMobile.xhtml?domain=daa1a83ff66299a0a7c4f3797cc225b7a70552b70743dbf2b4980fbd0af08d05

For further information about defining the direct access links, see Hide the List of Domains.