How to set up the service

Setting up the Signify service is a quick and straightforward process. Summarised below are the stages involved in getting our service up and running. This process is applicable to the following Signify authentication technologies:

  • RSA SecurID from Signify
  • Passcode OnDemand to mobile phones (by SMS)
  • Passcode OnDemand to mobile devices (by e-mail), e.g. BlackBerry devices

The full Administrator Guide deals with the process in detail. It also acts as a reference on how to perform various tasks and helps ensure that all the options are configured correctly before roll-out to users.

Getting started

Once an organisation is created on the Identity Management Centre (IMC), a single person from that organisation is appointed the initial administrator. During the initial set-up or pilot of a system, a single person often needs to be able to configure the system, get it to a working point, and then deploy it with different ‘real’ administrators. These appointed administrators have full administrative privileges for their organisation on the IMC, though once the service is deployed they can remove some or all of their roles.

Before the administrator can start, they must first register themselves on the IMC.  They do this simply by following the instructions they will have received in their Welcome email. Once registered they will arrive at the IMC ‘My Signify’ page, see below:

My Signify page

Understand the IMC Interface

From this page the administrator can get the service up and running. The Administration menus down the left-hand side are dynamically driven by the admin access rights of the user. The initial administrator has full admin rights and starts with all the options. The display and content of each section on this screen is based upon the user's admin rights and scope.

The ‘My Signify’ options at the top of the left-hand menu are available to all users, while the second section, ‘Administration’, contains the common tasks that are only available to administrators.

The rest of the screen provides the information about the status of the organisation’s system – number of users, admin roles, authentication nodes that you can log in to, and the status of relevant servers.

An advanced administration area provides more detailed access to certain items and access to usage logs.

Review the security policy

The next stage of the process is to review the organisation’s security policy (only a security officer can do this). The administrator reviews the policy by finding their organisation via the advanced administration area in the IMC. When the organisation’s security policy is displayed, all settings are preset to ‘medium’ by default.

Setting your security policy

The administrator reviews the settings and amends them as necessary. Most settings are self-explanatory, but the administrator should leave any they are unsure of at the default – these can be fine-tuned once everything is up and running.

Register the first authentication node

Now that the administrator has registered their Signify identity (be it a SecurID token, SMS Passcode or a password), they want to use their ID to access something useful!

The ‘something’ they want to access is referred to in the Signify architecture as an ‘Authentication Node’ – the place where they want their users to authenticate before performing something useful. This could be a firewall or VPN device that they must authenticate at before getting access to the network. It could be a web server providing web-based access to their Exchange or Notes e-mail, or to their own internal web-based applications.

To be configured as an authentication node, the device or software must fit into one of the following categories:

  • Have an RSA ACE/Agent embedded (such as Check Point Firewall-1)
  • Have an RSA ACE/Agent software agent available (such as Windows 2003/2000 IIS, Citrix)
  • Be able to use the RADIUS protocol to perform authentication against an external RADIUS server (such as Cisco, Watchguard or SonicWall)
  • Support 802.1X authentication (such as Wireless Access Points that support 802.1X, also referred to as WPA-Enterprise, and some wired Ethernet switches)

Registering authentication node

Test the authentication node

Once the authentication node is configured, it needs to be tested.  To do this the administrator must first activate themselves.  Using the IMC, the administrator ensures that the authentication node they have just set up is selected in their Signify identity and then creates a username for themselves.

They are now activated and can test the authentication node by attempting to log in using the appropriate method:

  • When prompted for a username, they enter the username they created for this authentication node.
  • When prompted for a password or passcode, they enter the appropriate code:
    • If they are a SecurID user – their PIN followed by the code on their token
    • If they are a Passcode OnDemand user – they visit www.signify.net to request a passcode to be sent to them

They should now be logged in.
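For an authentication node that uses the RADIUS protocol, a test login like the one above is sent on to the RADIUS server as an Access-Request. The following is an added example, not Signify's code: it builds that request per RFC 2865, assuming the node sends the passcode (PIN followed by token code) in the User-Password attribute; the username, PIN, token code and shared secret are constructed sample values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD = 1, 1, 2  # RFC 2865 code and attribute types


def keystream_xor(data, secret, authenticator, chain_on_output):
    """XOR 16-byte blocks with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block_in = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        block_out = bytes(a ^ b for a, b in zip(block_in, key))
        out += block_out
        # The chain always runs over ciphertext: output when hiding, input when unhiding.
        prev = block_out if chain_on_output else block_in
    return out


def hide_password(passcode, secret, authenticator):
    """RFC 2865 section 5.2 User-Password hiding (null-padded to 16-byte blocks)."""
    if not 1 <= len(passcode) <= 128:
        raise ValueError("User-Password must be 1 to 128 bytes")
    padded = passcode + b"\x00" * (-len(passcode) % 16)
    return keystream_xor(padded, secret, authenticator, True)


def unhide_password(hidden, secret, authenticator):
    """What the RADIUS server does with the shared secret to recover the passcode."""
    return keystream_xor(hidden, secret, authenticator, False).rstrip(b"\x00")


def build_access_request(username, pin, tokencode, secret, authenticator=None, identifier=1):
    if authenticator is None:
        authenticator = os.urandom(16)  # Request Authenticator: fresh per request
    passcode = (pin + tokencode).encode()  # SecurID passcode = PIN followed by token code
    attrs = b""
    for attr_type, value in ((USER_NAME, username.encode()),
                             (USER_PASSWORD, hide_password(passcode, secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet):
    """Return {attribute type: value} from the bytes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs
```

The hiding is only an MD5 keystream keyed by the shared secret, so anyone holding that secret and a captured request can recover the passcode; give each authentication node its own long, random secret.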

All working

The authentication node should now be working. Once able to authenticate at the authentication node, the administrator is ready to proceed with a further roll-out for a trial or for full usage.

To add additional users, the administrator simply goes to ‘My Signify’ and chooses ‘Request New User’ – they are then stepped through the process.

Requesting a new user

Using SecurID tokens for authentication:

  • If a batch of tokens is sent for ‘local fulfilment’, the administrator should request the new users from the appropriate local pool (this will have been set as a default).
  • If Signify are performing the token fulfilment, the administrator needs to ensure that they request the tokens for Signify fulfilment; so long as they are within their pre-paid limit, the tokens are then sent out automatically.

Using Passcode OnDemand for authentication:

  • When requesting the new user, enter the details exactly as for a SecurID user, but in the Authentication Device Information section, ensure the Authentication device is set to ‘Passcode OnDemand’ and select the appropriate options.

Other common tasks

While the service is up and running, there are some common tasks which may also need completing.  These include:

  • Revoking users
  • Appointing Administrators
  • Grouping policies and users
  • End-user helpdesk services
  • Security policy for helpdesk processes

Checklist to complete before ‘Going Live’:

Once the system is up and running, and is ready to deploy to users, there are a number of things that may still need reviewing.  Below is a suggested checklist:

  • Who within the organisation will be administrators – request these users, and assign them the appropriate administrative rights.  Make sure you have at least 2 Security Officers.
  • Make sure the service you are delivering to your users is ready for live deployment – whether it is web-access to e-mail, Citrix, a VPN, wireless or RAS dial-in. Make sure any documentation that needs to be given to users is complete.
  • Review the Security Policy on the IMC to ensure you are happy with its configuration.
  • Identify who within the organisation will be set up as users, and request those users (or delegate to an HR Admin to request those users).