Enrollment on behalf can be done in the operators' home tenant or in a "foreign" tenant (from the operator's point of view). Configure it this way: create the configuration in AC (privileges, profiles) and in IGA (invitation templates) in the tenant where on-behalf enrollment should work. Then grant permission to the operators, from whatever tenants, who will work with these invitation templates and enroll users on behalf into that tenant.


The configuration includes steps in both the Admin console and the IGA - Governance console:

Start in the Admin console:

  1. assign the privilege [ANT ID OPERATIONAL CONSOLE] user enroll (to enroll users for a target tenant in the Admin console) to the operator's role in the home tenant and/or in the target tenants
  2. create an operator enrollment profile in the home or target tenant in AC - switch to the target tenant and create the enrollment profile
  3. grant permission to users from the executing tenant in AC - open the Permissions feature in the new operator enrollment profile and grant permissions to the group of operators

Then continue in the IGA - Governance console:

  1. create an EXT invitation - create a new EXT invitation template and set the enrollment type to ON_BEHALF
  2. grant permission on the invitation template to operators from the home and/or foreign tenant - on the new template go to the OPERATOR PERMISSIONS tab and grant permission to home operators and/or foreign operators so they can enroll users into this tenant with the new template



1. How to grant privilege for the ON BEHALF enrollment

Admin Console / Tenant configuration / Roles / edit privileges

Assign the privilege [ANT ID OPERATIONAL CONSOLE] user enroll (to enroll users for a target tenant in the Admin console) to the operator's role in the home tenant and/or in the target tenants.


2. How to create a new enrollment profile for ON BEHALF enrollment

Admin Console / Tenant configuration / Enrollment configuration / new enrollment profile - OPERATOR

Parameter | Description | Value
Enrollment Name | | On behalf enrollment
Description | | Normal self enrollment (minimum 1 info + 1 token)
Priority | If the user is assigned to more groups, and there may be an enrollment profile for each group, the profile with the lowest priority number is selected (1 > 30) | 0
Minimum required tokens | | 1
Default profile | checkbox | False
User fields section | List of user fields - checked user fields will be available on the on-behalf enrollment form. |
Tokens section | List of available token types - only Virtual/SMS/Email or HW tokens can be enrolled on behalf - checked tokens will be available on the on-behalf enrollment form. |



3. How to set permissions for the new enrollment on behalf profile

Admin Console / Tenant configuration / Enrollment configuration / {specific profile} / Permissions

Select the tenant and the group.

Users from the selected tenant and group will be able to use this particular profile to enroll new users into the tenant. This can be used for operators from the same tenant to enroll users on behalf, or for operators from another tenant to enroll users on behalf.

For example:

  1. tenant A is the main tenant and tenant B is a service tenant for tenant A that sometimes substitutes for the activity of operators from tenant A
  2. create an enrollment profile in tenant A and grant permissions to operators from tenant A so they can use this profile to enroll new users on behalf into tenant A
  3. also grant permissions to operators from tenant B so they can also enroll new users into tenant A

Now operators from both tenants (A + B) can use this profile to enroll new users on behalf into tenant A.


4. How to create an invitation template for the new enrollment on behalf profile

  1. Open the IGA - Governance section and go to the Invitation configuration.
  2. The list of invitation templates is displayed.
  3. Press the ADD TEMPLATE button and fill in the template with the following parameters.

Parameter: Template name
Description: input box
Example value: template name

Parameter: Description
Description: input box
Example value: description for easier recognition of the template in the onboarding process

Parameter: Onboard type
Description: options:
  • EXT for sponsored onboarding
  • LDAP for onboarding of users already created in LDAP
Example value: LDAP

Parameter: Enrollment type
Description: options:
  • SELF - template is used for importing a user from LDAP to ANT ID - see Operational console / Users / Add new user feature
  • ON_BEHALF - template is used for enrollment on behalf - a specific use case where a new user is created by operators from another tenant
  • BOTH - template can be used for sponsored onboarding and for enrollment on behalf
Example value: ON_BEHALF

Parameter: Require email address within onboarding
Description: checkbox controlling the collection of contact details necessary for a successful invitation. The behaviour is partially driven by the enrollment type (see above):
  1. if enrollment type = SELF, then Require email address within onboarding = true and the checkbox is inactive
  2. if enrollment type = ON_BEHALF, then Require email address within onboarding = true and active, and Authentication type + OTP address type are hidden
  3. if enrollment type = BOTH, then Require email address within onboarding = true and the checkbox is active
Example value: (none)

Parameter: Require phone number within onboarding
Description: checkbox controlling the collection of contact details necessary for a successful invitation. The behaviour is partially driven by the enrollment type (see above):
  1. if enrollment type = SELF, then Require phone number within onboarding = false and the checkbox is active
  2. if enrollment type = ON_BEHALF, then Require phone number within onboarding = false and active, and Authentication type + OTP address type are hidden
  3. if enrollment type = BOTH, then Require phone number within onboarding = false and the checkbox is active
Example value: (none)

Parameter: Authentication type
Description: options:
  • OTP - verification is done by OTP (the user can use any of the enrolled tokens)
  • CODE - verification is done using the code sent during onboarding
  • LDAP - password - option only for the LDAP type of onboarding
Example value: OTP

Parameter: OTP Address type
Description: options for receiving the OTP code within the onboarding process
  • SMS
  • EMAIL
Example value: SMS

Parameter: External resource
Description: LDAP resource where the users are created (to obtain the stored information necessary for the onboarding process)
Example value: defined resource


5. How to add operator permission to use the template - part of the enrollment on behalf feature

  1. Go to the OPERATOR PERMISSIONS tab on the relevant template.
     • Note: the tab is visible only on a saved template
  2. The list of users or groups with permission to use this template is displayed.
  3. Press the ADD PERMISSION button.
  4. Select which tenant this template is for - i.e. which operators or group of operators can use this template to enroll users on behalf - and select the user or group of users that should obtain the permission.
  5. Press the CONFIRM button to save the permission.
  6. The newly granted permission is displayed in the list of permissions.
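The five steps above form one authorization chain: the role privilege, the OPERATOR enrollment profile in the target tenant, the profile's (tenant, group) permission with priority-based selection, and the invitation template's operator permission. The following Python model is an added illustration of how those pieces combine for the tenant A / tenant B scenario from section 3; it is not ANT ID product code, and the class names, function names and sample operators are constructed assumptions.

```python
"""Model of the on-behalf enrollment authorization chain (added illustration, not ANT ID code).

An operator may enroll a user on behalf into a target tenant only when
  1. the operator's role carries the user-enroll privilege,
  2. an OPERATOR enrollment profile in the target tenant grants the operator's (tenant, group),
  3. the invitation template in the target tenant allows on-behalf enrollment and grants the operator.
Names, classes and sample tenants are assumptions; the product's internal structures may differ.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple

# Privilege name as written on this page (assumed to be the exact string the product uses).
PRIVILEGE = "[ANT ID OPERATIONAL CONSOLE] user enroll"

Grant = Tuple[str, str]  # (tenant, group) pair, as selected in the Permissions feature


@dataclass(frozen=True)
class Operator:
    name: str
    tenant: str                  # home tenant of the operator
    group: str
    privileges: FrozenSet[str]   # privileges carried by the operator's role


@dataclass(frozen=True)
class EnrollmentProfile:
    name: str
    tenant: str                  # tenant in which the profile was created (the target tenant)
    priority: int                # lowest number wins when several profiles apply
    permissions: FrozenSet[Grant]


@dataclass(frozen=True)
class InvitationTemplate:
    name: str
    tenant: str
    enrollment_type: str         # SELF, ON_BEHALF or BOTH
    operator_permissions: FrozenSet[Grant]


def select_profile(profiles: Sequence[EnrollmentProfile], op: Operator,
                   target_tenant: str) -> Optional[EnrollmentProfile]:
    """Pick the permitted profile in the target tenant with the lowest priority number."""
    candidates = [p for p in profiles
                  if p.tenant == target_tenant and (op.tenant, op.group) in p.permissions]
    return min(candidates, key=lambda p: p.priority) if candidates else None


def template_permits(template: InvitationTemplate, op: Operator) -> bool:
    """Template must be usable for on-behalf enrollment and grant this operator's tenant/group."""
    return (template.enrollment_type in ("ON_BEHALF", "BOTH")
            and (op.tenant, op.group) in template.operator_permissions)


def can_enroll_on_behalf(op: Operator, target_tenant: str,
                         profiles: Sequence[EnrollmentProfile],
                         template: InvitationTemplate) -> Tuple[bool, str]:
    """Evaluate the whole chain; returns (allowed, reason) so a denial is explainable."""
    if PRIVILEGE not in op.privileges:
        return False, "role lacks the user-enroll privilege"
    profile = select_profile(profiles, op, target_tenant)
    if profile is None:
        return False, "no enrollment profile in the target tenant permits this operator"
    if template.tenant != target_tenant:
        return False, "invitation template belongs to a different tenant"
    if not template_permits(template, op):
        return False, "invitation template does not permit this operator"
    return True, f"allowed via profile '{profile.name}'"


# Constructed sample data mirroring section 3: tenant A is the main tenant,
# tenant B is a service tenant whose operators may substitute for A's operators.
PROFILES = (
    EnrollmentProfile("On behalf enrollment", "A", 0,
                      frozenset({("A", "operators"), ("B", "operators")})),
    EnrollmentProfile("Fallback profile", "A", 30, frozenset({("A", "operators")})),
)
TEMPLATE = InvitationTemplate("On behalf template", "A", "ON_BEHALF",
                              frozenset({("A", "operators"), ("B", "operators")}))
OP_A = Operator("alice", "A", "operators", frozenset({PRIVILEGE}))
OP_B = Operator("bob", "B", "operators", frozenset({PRIVILEGE}))
OP_B_NO_PRIV = Operator("bill", "B", "operators", frozenset())   # privilege never assigned
OP_C = Operator("carol", "C", "operators", frozenset({PRIVILEGE}))  # tenant C was never granted

if __name__ == "__main__":
    for op in (OP_A, OP_B, OP_B_NO_PRIV, OP_C):
        print(op.name, "->", can_enroll_on_behalf(op, "A", PROFILES, TEMPLATE))
```

Running the block shows alice (tenant A) and bob (tenant B) allowed through the priority-0 profile, bill denied because the privilege step was skipped, and carol denied because tenant C appears in neither the profile nor the template permissions; each denial names the missing step, which is the check to walk through when an operator reports that on-behalf enrollment is unavailable.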

