Enrollment configuration
Available actions:
- Profiles used in the Enrollment application for user self-enrollment.
- Profiles used in the Operational console by operators to enroll users "on behalf". A profile can also be configured to enroll new users into different tenants.
- Bind a group to the profile so that the relevant profile is selected for specific users.
- Set permissions on the profile for operators from the home tenant and/or operators from other tenants, for on-behalf enrollment.
Create enrollment profile for Enrollment application - SELF enrollment
Admin Console / Tenant configuration / Enrollment configuration / new enrollment profile - SELF
| parameter | description | value |
|---|---|---|
| Name | | standard |
| Description | | Normal self enrollment (minimum 1 info + 1 token) |
| Type | SELF for self enrollment; OPERATOR for enrollment on behalf | SELF |
| Priority | If the user is assigned to several groups, and there may be a separate enrollment profile for each group, the profile with the lowest priority number is selected (1>30) | 0 |
| Default | Default profile for every type of enrollment (self / operator) | checked |
| Enforced | unused attribute | unchecked |
| Minimum required tokens | | 1 |
| Step #1 | | |
| Step / Description | | Please provide contact information |
| Step / Type | USERFIELD - one field on the step; MULTI_USERFIELD - more fields on the step; TOKEN - specific token enrollment on the step; MAGIC_QUESTIONS - verification questions creation on the step | MULTI_USERFIELD |
| Step / User field | | Professional mobil phone; Private mobil phone; Professional email address; Private email address |
| Step #2 | | |
| Step / Description | | ANT ID - OTP token |
| Step / Type | | TOKEN |
| Step / User token template id | | ANT ID - OTP Token- FAST_AUTH |
| Step / Required | skippable or not | FALSE |
| Step #3 | | |
| Step / Description | | MS Authenticator or Google token |
| Step / Type | | TOKEN |
| Step / User token template id | | Google TOTP token- TOTP |
| Step / Required | | FALSE |
| Step #4 | | |
| Step / Description | | SMS token |
| Step / Type | | TOKEN |
| Step / User token template id | | SMS token- SMS |
| Step / Required | | FALSE |
| Step #5 | | |
| Step / Description | | Verification questions |
| Step / Type | | MAGIC_QUESTIONS |
| Step / magic questions configuration | | standard |
| Step / Required | | TRUE |
Create enrollment profile for Operational console - ON BEHALF enrollment
Admin Console / Tenant configuration / Enrollment configuration / new enrollment profile - OPERATOR
| parameter | description | value |
|---|---|---|
| Enrollment Name | | On behalf enrollment |
| Description | | Normal self enrollment (minimum 1 info + 1 token) |
| Priority | If the user is assigned to several groups, and there may be a separate enrollment profile for each group, the profile with the lowest priority number is selected (1>30) | 0 |
| Minimum required tokens | | 1 |
| Default profile | checkbox | False |
| User fields section | List of user fields - checked user fields will be available on the on behalf enrollment form. | |
| Tokens section | List of available token types - only Virtual/SMS/Email or HW tokens can be enrolled on behalf - checked tokens will be available on the on behalf enrollment form. | |
Profile group binding
Admin Console / Tenant configuration / Enrollment configuration / {specific profile} / groups binding
Bind the profile to the group so that the correct profile is selected in the Enrollment application.
Profile selection works as follows:
- after user login, the user's groups are evaluated (Prime membership in ANT ID Group, or ANT ID Groups found based on LDAP groups mapping).
- the application sorts the enrollment profiles by priority and searches for the first matching one (the user is a member of a group defined on the profile, or it is a profile without a defined group).
- alternatively, the default profile is taken if none matches.
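The selection order described above, modelled in Python as an added example (not ANT ID code). The `Profile` fields, the sample profiles and the rule that the default profile is held back as the fallback are assumptions; the second function is an audit check showing that a profile without a defined group hides every profile ordered after it.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Profile:  # hypothetical model, field names are not the product's schema
    name: str
    priority: int                    # lowest number is tried first
    groups: frozenset = frozenset()  # empty set = profile without a defined group
    default: bool = False
    min_tokens: int = 1

def _ordered(profiles):
    # Assumption: the default profile is held back as the fallback only.
    # sorted() is stable, so equal priorities keep their listed order.
    return sorted((p for p in profiles if not p.default), key=lambda p: p.priority)

def select_profile(profiles, user_groups):
    """First profile, by priority, bound to one of the user's groups or to no group."""
    groups = frozenset(user_groups)
    for p in _ordered(profiles):
        if not p.groups or p.groups & groups:
            return p
    return next((p for p in profiles if p.default), None)

def unreachable_profiles(profiles):
    """Profiles ordered after a group-less one: selection never reaches them."""
    catch_all, findings = None, []
    for p in _ordered(profiles):
        if catch_all is not None:
            findings.append((p.name, catch_all.name))
        elif not p.groups:
            catch_all = p
    return findings

# Constructed sample: "contractors" was left without a group binding.
PROFILES = [
    Profile("standard", 0, default=True),
    Profile("contractors", 5),
    Profile("admins", 10, frozenset({"ADMINS"}), min_tokens=2),
]
# Same profiles with the binding added.
FIXED = [PROFILES[0], replace(PROFILES[1], groups=frozenset({"CONTRACTORS"})), PROFILES[2]]

if __name__ == "__main__":
    print(select_profile(PROFILES, {"ADMINS"}).name, unreachable_profiles(PROFILES))
    print(select_profile(FIXED, {"ADMINS"}).name, unreachable_profiles(FIXED))
```

In the first list a member of ADMINS is enrolled under "contractors" with a minimum of one token instead of two, which is why a group binding on every non-default profile is worth checking.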
Set permissions
Admin Console / Tenant configuration / Enrollment configuration / {specific profile} / Permissions
Select the tenant and the group.
Users from the selected tenant and group will be able to use this particular profile to enroll new users into the tenant. This can be used for operators from the same tenant to enroll users on behalf, or for operators from another tenant to enroll users on behalf.
For example:
- tenant A is the main tenant and tenant B is a service tenant for tenant A that sometimes substitutes for the operators from tenant A
- create an enrollment profile in tenant A and grant permissions to operators from tenant A so they can use this profile to enroll new users on behalf into tenant A
- also grant permissions to operators from tenant B so they can also enroll new users into tenant A
Now operators from both tenants (A+B) can use this profile to enroll new users on behalf into tenant A.