Manage Session Transfer Codes

The period for which a user is authenticated to ActivID AS is called a session. An indirect user’s session can be transferred between direct users. This enables direct users (operators) to perform different transactions on the indirect user’s behalf, in response to that user’s request(s).

Indirect users are end users, such as an organization's customers. Indirect users do not make direct use of ActivID AS services. They are authenticated to or managed by applications which themselves authenticate as direct users in order to obtain certain permissions. For example, a call center agent (direct user) can verify a customer’s identity (authenticate) via the ActivID Management Console.

Direct users are people or entities that connect directly to ActivID AS through APIs or through the ActivID Management Console. For example, operators and administrators who log on to the ActivID Management Console are direct users. Also, an internet banking server is a direct user when it uses an ActivID AS authentication service exposed through the public API to authenticate a customer.

Prerequisites: You must have the following permissions to be able to transfer an indirect user session:
  • Search users

  • Read user details

  • Read reference data

The following table describes the required permissions to perform specific operations for a user, with or without a session transfer code.

| Operator Privilege Required: Indirect User Present (using session transfer code) | Operator Privilege Required: Indirect User Not Present | Action (Button/Link) |
| --- | --- | --- |
| Administer devices user present | Administer all devices | Change soft PIN; Synchronize; Unlock |
| Change indirect SQ responses user present | Change SQ responses user not present | Edit and save an existing security question response; Add and save a new security question response |
| Change indirect password user present | Change password user not present | Change Password |
| Reset indirect password user present | Reset password user not present | Flag for password generation (Note: This option is not available in this version.) |

For illustration purposes, two operators (Op01 and Op02) are used as sample operators.

Generate and Transfer an Indirect User Session

  1. (As Op01) In the user’s Identity tab, click Generate a Session Transfer Code.

  2. Select an Authentication Policy from the drop-down list.

  3. Important: If you want to generate a session transfer code using OOB, then you must configure the OOB mail delivery gateway, and add the gateway in the Authentication Policy of Customer OOB authentication (see Configure OOB Delivery Gateways).

    If the user tries to generate a session transfer code from an activation code instead of the OTP, then the following error message appears.

  4. Select a Session Transfer Policy from the drop-down list.

    The default session transfer policies are:

    Policy name Format Expiry period Length
    NUM001 Numeric 10 minutes 8 digits
    NUM002 Numeric 3 minutes 20 digits
    ALP001 Alphabetic 10 minutes 8 digits
    ALP002 Alphabetic 3 minutes 20 digits
    ANU001 Alphanumeric 10 minutes 8 digits
    ANU002 Alphanumeric 3 minutes 20 digits
  5. Click Next.

  6. Select the Channel on which the user’s identity is being verified.

  7. Depending on the authentication policy, provide answers to the Security Questions if the authentication policy is a Q&A authentication policy, or provide a password if it is a static password authentication policy. 

  8. Click Generate.

  9. If authentication is successful, a generated Session Transfer Code is displayed.

  10. Make a note of the code and click Close.

  11. If the authentication fails, then an error message appears.

  12. Forward the call to Op02, and provide the generated session transfer code.

Retrieve the Indirect User Session using the Code

Note: In the following procedure, Op02 has the user present permissions.
  1. As Op02, go to the Advanced User Search page.

  2. Enter the Session Transfer Code provided by Op01, and then click Transfer.

The User Details page appears. As Op02, you can now perform requests for the indirect user such as changing the user password, or editing the user’s security questions and responses.
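
The default session transfer policies in the table above differ widely in guessing resistance. The following added example (not ActivID AS code) models issuing and redeeming a code under those policies and computes the entropy of each one. The uppercase-only alphabets, single-use redemption, and the `TransferCodeStore` and `entropy_bits` names are assumptions made for illustration.

```python
import hmac
import math
import secrets
import string
import time

# Default policies from the table above: name -> (alphabet, length, lifetime in seconds).
# Assumption: the exact character sets are not documented on this page; A-Z is used.
POLICIES = {
    "NUM001": (string.digits, 8, 600),
    "NUM002": (string.digits, 20, 180),
    "ALP001": (string.ascii_uppercase, 8, 600),
    "ALP002": (string.ascii_uppercase, 20, 180),
    "ANU001": (string.ascii_uppercase + string.digits, 8, 600),
    "ANU002": (string.ascii_uppercase + string.digits, 20, 180),
}

def entropy_bits(policy):
    """Bits of entropy of a uniformly random code under the policy."""
    alphabet, length, _ = POLICIES[policy]
    return length * math.log2(len(alphabet))

class TransferCodeStore:
    """Hypothetical model: issue a code for a user, redeem it once before expiry."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # code -> (user_id, expiry time)

    def issue(self, user_id, policy):
        alphabet, length, ttl = POLICIES[policy]
        code = "".join(secrets.choice(alphabet) for _ in range(length))  # CSPRNG
        self._pending[code] = (user_id, self._clock() + ttl)
        return code

    def redeem(self, presented):
        now = self._clock()
        match = None
        for code, (user_id, expires) in list(self._pending.items()):
            if expires <= now:
                del self._pending[code]  # purge expired codes
            elif hmac.compare_digest(code.encode(), presented.encode()):
                match = (code, user_id)
        if match is None:
            return None
        del self._pending[match[0]]  # assumption: a code is valid for one transfer
        return match[1]
```

Under these assumptions an 8-digit numeric code carries about 26.6 bits and lives for 10 minutes, so limiting failed transfer attempts per operator matters far more for NUM001 than for the 20-character policies.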