Can a user download a soft token from the Self Service Console without access to emails? After assigning a soft token to the user from the Security Console, we want the user to import or download the token from the Self Service Console without accessing emails.
If users are coming from the Internet and not from your internal network you would need an AM Web Tier deployed in your DMZ to provide kind of a reverse proxy between the Internet and your Self Service console.
If users can log on to your Corporate LAN, even through a VPN (either without a token or with an existing token), then they could log on directly to your Self Service Console (SSC) against TCP port 7004 (take your Primary Security Console URL and change :7004/console-ims to :7004/console-selfservice, or change /sc to /ssc).
You'd probably configure CTKip encrypted delivery of the token (QR code is just a variation on this; the QR code points to a CTKip URL) as the more secure way to deliver the token, which is a URL link with an activation code and not an email.
Basically without a Web Tier, a CTKIP URL shows the internal port 7004. This is configured in your Software Token Profile. Some devices, like a Windows PC, are not capable of converting this URL to a QR Code, so that option is not in the Software Token Profile.
When you distribute a soft Token as Dynamic Seed Provisioned (CT-KIP) you get a URL like the one above, plus an activation code, which you can email and/or phone call to the customer (email the URL and have them call for the code is probably safest). If you email both the code and the URL, someone could intercept it, but it can only be used once, so that is safety through fail-safe: if it does not import into the intended User’s device, you get them a new one, which invalidates the first one.
QR Codes are a subset of CTKIP which only works on specific smart phones. The difference is that the user must log on to the Self Service Console to get their QR Code. When you distribute a soft token with QR Code, it looks like this.
You do not see a QR code or CTKIP URL until the user logs into the Self Service Console, typically with a Password, and clicks the activate link.
Or maybe have a look at this: Provisioning RSA Software Tokens via QR Code
After adding software profiles using device type as Desktop PC 4.x and assigning a token to the user from the Security Console, do you have an article or steps on how the user activates or downloads the software token on a Windows desktop using the Self Service Console?
The RSA software token for Windows application has an 'import from web' option where you paste in the URL and activation code and it will inject the ctkip token.
If the User PC is on your Corporate network directly or through VPN, the users can access your Self Service Console similarly to how you access the Security console. If your Security Console is https://rsa01.shaga.com:7004/console-ims then your Self Service Console would be https://rsa01.shaga.com:7004/console-selfservice
And you could configure their access in Security Console - Setup - Self Service, to allow for either LDAP Password if they are from an external Identity Source or RSA Password if they are from the internal AM database.