Hi everyone.
Can you help me clarify this?
I have always used hardware tokens with AM 8.4.
Now we have moved to software tokens, SID 820 (still with AM).
What are the methods of distributing the software token to the users?
The most practical thing would be to have it managed by individual users independently, perhaps with a QR code, as they are working from home.
Also, I've heard of AMIS: does this improve the use case of user enrollment? In which way?
Thanks so much,
Shanelle
AM Prime is a robust tool, but it is not part of the AM server, so if your goal is to let users self-manage their software tokens without customization, you could consider using the built-in Self Service Console (SSC) instead of the Self Service Portal (SSP) from AMIS AM Prime. SSC does not have nearly the features of SSP, but you can allow users to authenticate with their LDAP password, request a software token and then import it into their device (smartphone or PC), and get on with their work.
The big considerations are:
1. Secure delivery of the software token is best achieved with CT-KIP encryption, basically a one-time-use URL that a user either clicks, or that can be converted into a QR code so that a phone can scan the URL (a PC-based software token application cannot scan a QR code; it can only click or copy and paste the URL).
a. Importing a software token .sdtid file, even a password-protected one, is not as secure as a CT-KIP-delivered software token.
b. Device ID binding can add a layer of security, but it requires Admin intervention; it can't really be done with Self Service.
c. If you use CT-KIP, it is arguable that you do not need device binding, but if you are using .sdtid files, it is arguable that for some level of security you should include device binding or have strict limits on how and where the file can be imported. It is not considered a secure practice to email these .sdtid files all over the place; they can be copied. You'd want some kind of control, such as email encryption, or maybe distribution only within your corporate LAN, or something like that.
2. If you want your users to access this Self Service Console from the Internet, as opposed to coming into the office or through a VPN, you will need a Web Tier, which is kind of a reverse proxy app that runs on either your Windows or RHEL server and sits in your DMZ. Smartphones may not typically authenticate to a VPN; more likely they would access your corporate wireless. So your PC-based software token app could work without a Web Tier if that PC VPNs into your corporate LAN; you do not need a Web Tier because the PC is virtually on your internal network. But if your PC VPNs in, logs onto the SSC and requests a soft token for a phone, even if the QR code displays on the SSC, the CT-KIP URL will not work on the smartphone without a Web Tier, because only the PC is on the VPN; the smartphone is not.
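To make the "one-time-use URL" property from point 1 concrete, here is an added example (my own Python, not RSA's code and not the CT-KIP protocol itself, which additionally runs a key-agreement exchange per RFC 4758 so the token seed never travels in the link). It assumes a hypothetical Web Tier endpoint `https://webtier.example.test/ctkip` and a 10-minute lifetime. The point it shows is that once a link has been redeemed, or its window has passed, the same URL is useless; that is exactly the property an emailed .sdtid file does not have, since the file can be copied and imported again later.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlparse

# Placeholder endpoint for this constructed example; in a real deployment it
# would be the Web Tier hostname that users can reach from the Internet.
BASE_URL = "https://webtier.example.test/ctkip"


@dataclass
class PendingActivation:
    user: str
    expires_at: float


@dataclass
class ActivationLinkIssuer:
    """Issues activation URLs that are valid once and only for `ttl_seconds`.

    Models the two delivery properties the answer relies on: single use and a
    short validity window. It does not model CT-KIP's key agreement.
    """
    ttl_seconds: int = 600                          # assumed 10-minute window
    now: Callable[[], float] = time.time            # injectable clock for tests
    _pending: Dict[str, PendingActivation] = field(default_factory=dict)

    def issue(self, user: str) -> str:
        # 256 bits of randomness: the code cannot be guessed or enumerated.
        code = secrets.token_urlsafe(32)
        # Store only a digest, so a leaked pending table yields no usable links.
        self._pending[_digest(code)] = PendingActivation(
            user=user, expires_at=self.now() + self.ttl_seconds)
        return f"{BASE_URL}?code={code}"

    def redeem(self, url: str) -> Optional[str]:
        """Return the user a link was issued to, or None if the link is
        unknown, expired, or already used.

        The entry is removed on first contact, so presenting the same URL a
        second time fails even if the first attempt was rejected as expired.
        """
        code = extract_code(url)
        if code is None:
            return None
        entry = self._pending.pop(_digest(code), None)
        if entry is None or self.now() > entry.expires_at:
            return None
        return entry.user


def _digest(code: str) -> str:
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


def extract_code(url: str) -> Optional[str]:
    """Pull the single `code` query parameter out of an activation URL."""
    values = parse_qs(urlparse(url).query).get("code", [])
    return values[0] if len(values) == 1 else None


if __name__ == "__main__":
    clock = [1_000.0]
    issuer = ActivationLinkIssuer(ttl_seconds=600, now=lambda: clock[0])
    url = issuer.issue("alice")
    print("first use :", issuer.redeem(url))    # alice
    print("second use:", issuer.redeem(url))    # None: already consumed
    late = issuer.issue("bob")
    clock[0] += 601
    print("expired   :", issuer.redeem(late))   # None: window passed
```

The clock is injected so the expiry path can be exercised without waiting; in production the default `time.time` is used. Rendering the returned URL as a QR code for a phone, or showing it for copy-and-paste on a PC, is a separate presentation step and does not change these checks.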