About the ActivID Management Console

The ActivID Management Console is the central portal for day-to-day operations, configuration and administration of the system. It is an intuitive, web-based interface designed with wizard-like processes to facilitate operations.

The ActivID Management Console functions are organized into tabs (pages) according to operational focus:

Configuration Tab

Administration Tab

Reporting Tab

Operators with appropriate permissions can search for audit reports.

The tab opens to the search page where you can define the parameters of the report that you want to generate.

Help Desk Tab

Log On to the ActivID Management Console

The default authentication methods for the ActivID Management Console are:

  • User Name/Password
  • LDAP User Name/Password
  • One-Time Password (OTP)
  • Public Key Infrastructure (PKI)
  • Security Questions & Answers
  • Push Authentication

The supported authentication policies are associated with GUI templates. You can customize the User Authentication Process to configure the available authentication methods.

You can also configure the ActivID AS Properties to customize the properties (such as the user and device search limits and case-sensitivity) of the ActivID Management Console.

Log On with a Password

Important: If you are logging on as the ftadmin administrator for the first time, you are required to change the default password (password01).

  1. To launch the ActivID Management Console, open your web browser and go to the following secure URL:

    2. https://<AS-hostname>:8445/aiconsole

    • The default authentication method is the Username/Password (based on the Management Console Static Login authentication policy).

      • You can change the default authentication policy by editing the ActivID Management Console channel settings.

    • If you want to use another authentication method, then you can select the relevant icon at the bottom of the login page.
    • As a prerequisite, you must be registered for either Questions & Answers, PKI, One-Time-Password or Push.

  2. Select the Domain from the drop-down list.

  3. Enter your User name.

  4. Enter your Password.

  5. Click Login.

    6. If this is the first time you are accessing the ActivID Management Console as the ftadmin administrator, you are prompted to change the default password (password01).

  6. Enter the current Password.

  7. Enter and confirm a New Password.

    8. It must meet the conditions of the displayed Password Policy.

  8. Click Login.

Log On with a PKI Certificate

Prerequisites:
  • To log on to the ActivID Management Console with PKI credentials, you must import the following certificates in to the browser's truststore:

    • The application server certificate

    • The certificate of the Certificate Authority used to issue the certificate for the operator

    • A user certificate bundle including its intermediate CA certificates (.cer, .crt, .pem, .p7b) for the operator

      • Important: The first certificate in the chain must be the end user certificate.

    • A certificate with its private key (p12 or pfx) for the operator

      Alternatively, this certificate can be stored on a smart card or device supporting PKI.

  • The certificate of the Certificate Authority is imported into the application server's truststore, see Manage the Certificates

  • You are registered for Management Console PKI Login during which your certificate (.cer) was imported into ActivID AS or ActivID AS is configured for PKI certificate matching so your certificate is checked at authentication

Additional requirements:

  • The application server has a connector configured for TLS 1.2 (minimum) with client authentication

  • If a smart card-based certificate is used, then a middleware – such as ActivID ActivClient® – must be installed locally on the client machine. If the certificate is password-protected, then the operator will be prompted to enter the password

  • If your deployment uses TLS mutual authentication, the user will be redirected to port 8443. Therefore, make sure the:

    • Reverse proxy forwards the <public hostname:8443> requests to <AS-hostname:8443>
    • Reverse proxy 8443 port is configured for mutual authentications (request a certificate, trust the client certificates)
    • End-user certificate is propagated to the ActivID IdP via a configurable HTTP header

Users’ certificates are validated at certificate import and logon.

Online Certificate Status Protocol (OCSP) and full Certificate Revocation List (CRL) can both be used to check the revocation status of a certificate. Delta and redirect CRLs are not supported.

ActivID AS supports CRL Distribution Points (CDP) specified in certificates or locally configured CDPs.

By default, OCSP is the preferred method for checking revocation status. When using CRL, the CDP URL selection rules are:

  • If manually configured, CDPs specified in certificates are ignored

  • HTTP/FTP CDPs are preferred to LDAP CDPs

  • LDAP URLs without hostname are simply ignored

The behavior of the certificate validation is configurable. The behavior of the certificate validation is configurable. See Configure the Certificate Validation Settings for further information.

 

  1. To launch the ActivID Management Console, open your web browser and go to the following secure URL:

    2. https://<AS-hostname>:8445/aiconsole

    Note: If your deployment uses TLS mutual authentication, the user will be redirected to port 8443.

  2. Select the PKI icon (a smart card ) to log on with the PKI certificate instead of password.

  3. When prompted, enter the User name, and then click Login.

    4. Note: The first time you attempt to log on with a certificate, you are prompted to select your authentication certificate, as normally required for any SSL authentication. For subsequent logons, the Login page is displayed directly.

  1. Select the appropriate certificate, and then click OK.

    2. Note: If the certificate is password-protected, then you are also prompted to enter the password.

    pkilogin5

  2. Select the Grant permission option to use the key, and then click OK.

    3. Note: If you are using a smart card-based certificate that is PIN-protected, you are prompted to enter your PIN.

Logging on successfully authenticates you, and the ActivID Management Console Home page is displayed.

Use the Home page to search for users and devices, change your profile, and access the ActivID Management Console functions.

Log On with Auto PKI

You can also use the Auto Public Key Infrastructure method to log on.

Auto Public Key Infrastructure only requires that you select your certificate. Then, the user name is automatically populated as defined in the certificate subject name.

Prerequisites: To use this method, you must configure the ActivID Identity Provider, and add a supplementary Authentication Policies template for the Authentication Portal.

The following illustration is an example of authentication policy template mapping for the Auto Public Key Infrastructure Login:

  1. To launch the ActivID Management Console, open your web browser and go to the following secure URL:

    2. https://<AS-hostname>:8445/aiconsole

    Note: If your deployment uses TLS mutual authentication, the user will be redirected to port 8443.

  2. Select the PKI icon (the smart card).

  1. Select the certificate, and then click OK.

  2. Once you have selected your certificate, click Login.

    3. The user name is populated.

Log On with an Expired Password

If your password has expired, when you try to log on to the ActivID Management Console, you are prompted to change the password.

  1. Enter the old Password.

  1. Enter and confirm a New Password.

  2. Click Login.

    3. It must meet the conditions of the displayed Password Policy.

    You can configure expired password management per authentication policy using two parameters:

    • Change password on expiry – the number of times the user can enter the existing expired password in an attempt to change it before being denied further access.
    • Valid days on update – the expiry date is extended for X number of days when the user updates his password.

Logging Off

Logging off from the ActivID Management Console closes your session.

Click Log Off at the top right of any page.

When prompted, click Yes to log off.

Session Time Out

A session is the period for which you are authenticated to ActivID AS. Your session is protected by two timeout periods:

  • The session-inactivity timeout period means that if you are logged on and do not use any ActivID Management Console functionality for the period of the timeout, when you next try to use the application, the Operator Login page is automatically displayed for you to re-authenticate to the ActivID Management Console by logging on again.

  • The session valid duration timeout period is the maximum amount of time you can remain logged on (the maximum amount of time for which your session is valid). If you exceed this timeout period, then ActivID Management Console automatically displays the Operator Login page for you to re-authenticate to log on again.

For each of the authentication policies, these periods can be configured.

Important: The session-inactivity timeout period should be shorter than the ActivID Management Console session duration.

View the Your User Profile

You can view your user profile (the user currently logged on) by selecting Profile.

From the user Profile page, and with the appropriate permissions, you can manage the User Details: