Managed Access Gateway. Request Management Guide (For Administrators)

Managed Access Gateway Request Management Guide (For Administrators) Version 2.0 Exostar, LLC October 14, 2013

Table of Contents Purpose...1 Overview...2 Organization Administrator Tasks...3 Verify User's Registration Request...3 Verify User s OTP Hardware Token Activation Request...5 Subscribe to Application...7 Application Administrator Tasks...16 Search for a User...16 Request Application Subscription for a user...17 Add/Update Sponsor Code...17 Authorize User's Access to an Application (SCP, ForumPass and other Invitation-only applications)...18 Activate User's Access to an Application (For SCP)...19 Suspend a user s access to the application...21 Activate a user s suspended access to the application...21 FIS Administrator Tasks...22 Basic vs. Medium Level of Assurance...24 What to do when the user is renewing certificates?...25 What to do when the user is sponsored?...25 Authorize a User's Access to FIS (new certificate request)...25 Approving/Denying Multiple Requests...27 Authorize User's Access to FIS (Renewal request)...28 Revoke User's Certificates...29 ii

Purpose MAG Request Management Guide This guide has been created for Organization and Application Administrators. This guide will provide you information on the administrative tasks that you need to perform complete subscription requests for users within your organization. You can access MAG by logging on to: https://portal.exostar.com. NOTE: This guide does not include information on managing users. Please refer to the User Management Guide for information related to processing all user management requests. This guide will provide you information on all the tasks under the Registration Requests tab that are performed by the Organization and Application administrators. Important URLs: MAG information: http://myexostar.com/myexostarall.aspx?id=550 o User Guides: http://myexostar.com/myexostarall.aspx?id=1026 o Administration Guides: http://myexostar.com/myexostarall.aspx?id=1024 FIS Information: http://myexostar.com/myexostarall.aspx?id=534 o FIS Administration Guide: http://myexostar.com/workarea/showcontent.aspx?id=900 Copyright 2009 Exostar LLC. All rights reserved Page 1 of 31

Overview An organization account for Exostar MAG requires that two types of administrators are created: 1. Organization Administrators; and 2. Application Administrators MAG Request Management Guide Organization Administrators are individuals who are designated to perform administrative activities on behalf of their organization (in addition to administering their own accounts as regular users). Upon successful login, the Exostar MAG will automatically recognize your designation as an Organization Administrator, and your view of the dashboard will include the 'Administration' tab and 'Registration Requests' tab in addition to the general 'Applications' and 'My Account' tabs. Application Administrators are individuals of an organization who are designated within Exostar MAG to perform administrative activities for an application. An Application Administrator has the ability to perform the following functions: Authorize a user's request to access an application or application group Activate a user's access to SCP application. (This feature is available for SCP Application Administrators only) Authorize user for FIS Revoke User s Digital Certificates (FIS only) Upon successful login, the system will automatically recognize your designation as an Application Administrator, and your view of the dashboard will include the Administration tab and the 'Registration Requests' tab in addition to the general 'Applications' and 'My Account' tabs. NOTE: Based on your designation within MAG, the individual tabs will display only those sub-tabs that are applicable to your profile. This guide is divided into three chapters as follows: Organization Administrator tasks; Application Administrator tasks; and FIS administrator tasks 1 1 FIS Administrators are application administrators who perform specific tasks to authorize users to receive digital certificates. Copyright 2009 Exostar LLC. All rights reserved Page 2 of 31

Organization Administrator Tasks Verify User's MAG Registration Request An Organization Administrator is responsible for certifying a user's affiliation with the organization and verifying the user's self-registration request. 1. On the 'Registration Requests' tab, under the Verify page, you will see the list of requests awaiting your verification/approval. This is your 'Requests Inbox'. You will be able to filter the requests by the status of 'New' and 'Pending'. You will be able sort the table by clicking on the column headers. 2. Select a request and click on the Request_ID (as highlighted below). NOTE: If the user was created by an Organization Administrator, this step will not be required. 1. You will be presented with the User Registration Request page. You will have the option to change the user's personal information, if necessary. NOTE: The Select User option will generate results only if you are subscribed to Lockheed Martin s P2P Application. Copyright 2009 Exostar LLC. All rights reserved Page 3 of 31

2. Sponsor Code: This is an optional attribute for requesting access to an application. If it is not already filled-in by the user, a sponsor code should be filled-in, if the user has been sponsored. If you do not have the information, contact the sponsoring organization or Exostar for information to input in the Sponsor Code field. 3. Click on 'Next' button to go to the next page. 4. If you want to approve this request, you must answer 'Yes' to both questions on this. 5. If you opt to deny this request, you will be prompted to enter a denial reason. Select the appropriate option. 6. After you select to approve or deny a request, you will be presented with a confirmation message. 7. If the request was approved, the system will send out the welcome emails to the user with the UserID and password and will start the application access approval workflow based on the application(s) selected. 8. If the request was denied, the system will send out an email to the user that the registration request was denied. 9. After a request is approved or denied, the request will be removed from your 'Requests Inbox' and you will receive an email notification. NOTE: Once you have started to process the user s authorization request, ensure that you either complete the process or click Cancel to ensure that the request is available to other organization administrators for further action. Copyright 2009 Exostar LLC. All rights reserved Page 4 of 31

Verify User s OTP Hardware Token Activation Request MAG Request Management Guide As an organization administrator you are required to approve activation requests from existing users in your organization who need to activate OTP Hardware Tokens on their MAG accounts. To approve an OTP Hardware Token activation request from a user in your organization, you must log into MAG with one of the following credentials: An active OTP Hardware Token FIS Medium Level of Assurance Hardware Certificates, or a comparable digital certificate If you do not have either of the above credentials on your account, you will need to associate one of the credentials to your MAG account before you can approve any OTP Hardware Token activation requests from users in your organization. For more information on purchasing and activating an OTP Hardware Token on your account, view the OTP Hardware Token User Guide. For more information on how to get an FIS Medium Level of Assurance Hardware Certificate, view the Federated Identity Service (FIS) User Guide. To approve an OTP Hardware Token Request from a user in your organization, click on the Verify OTP tab in Registration Requests. If you did not authenticate to MAG with the correct credentials, you will see an error: If you did authenticate to MAG with the correct credentials, click on the Request ID to open the OTP Activation Request. Copyright 2009 Exostar LLC. All rights reserved Page 5 of 31

To approve the request, select Approve in the dropdown This user is authorized to be provisioned an OTP Hardware Token. If you approve the request, this will activate the OTP Hardware Token on the user s account, and the user will be able to use that token to log in to MAG. The user will receive an email when you approve the request. To deny the request, select Deny in the dropdown This user is authorized to be provisioned an OTP Hardware Token. You will be required to enter a reason for denying the request in the Deny Comments field. The user will receive an email when you deny the request. If you believe that the user s OTP Hardware Token Activation request was fraudulent, you should suspend that user MAG account immediately. Denying the request will also reset the token so that it can be activated on another user s account. Once you have approved or denied an OTP Hardware Token Activate request, it will be removed from the Verify OTP queue. Copyright 2009 Exostar LLC. All rights reserved Page 6 of 31

Subscribe to Application MAG Request Management Guide As an Organization Administrator, you will be able to perform the following tasks: Subscribe your organization to Federated Identity Service (FIS), if not already subscribed; or Upgrade your organization s Level of Assurance to Medium Level of assurance (Software) for Federated Identity Service (FIS) for an existing subscription. Subscribe to other applications. Subscribe to FIS: Follow the steps below to complete these tasks: Step 1: Subscribe 1. To subscribe to FIS go to Administration tab and click on 'Subscribe to Application link. 2. The Subscribe to Application' page will be presented as below: 3. Click on Subscribe to Application next to the application name. 4. The following screen will be presented. a. Number of Certificates You do not need to provide information in this field. This is not a required field. b. Provide the FIS Administrator information. You may enter new information by selecting Other or select from the drop-down list of users within the organization to designate the FIS Administrator role. Copyright 2009 Exostar LLC. All rights reserved Page 7 of 31

If entering a new user s information, make sure you enter all the required fields and click on Next >> button to complete the subscription process. If an existing user is selected, the following screen is presented. Click Next>>. Copyright 2009 Exostar LLC. All rights reserved Page 8 of 31

5. Enter the Authorized Officer information. You may select the FIS Administrator, an existing user, or Other. Click Next >>. 6. The Submission Confirmation screen will be presented. Copyright 2009 Exostar LLC. All rights reserved Page 9 of 31

Step 2: Exostar approval MAG Request Management Guide You will be presented with a confirmation page. The following activities will take place once the subscription request has been submitted: 1. Payments: Exostar Membership Services will provide the instructions for payment prior to approval of your registration request. 2. Once all payment requirements have been completed, Exostar will complete the approval process. On successful approval, automated notifications will be sent out with information on next steps. 3. Organization Administrator will receive an approval notification; and 4. Designated FIS Administrator will receive notification of FIS Subscription. Step 3: Accept Terms and Conditions Once the Organization Administrator receives the approval notification from Exostar, they will need to accept the Terms & Conditions online. If the organization has multiple Organization Administrators, these Terms & Conditions may be accepted by any ONE Organization Administrator. To sign-off on Terms & Conditions: 1. Login to your MAG account by accessing the following URL: https://portal.exostar.com. 2. On the Applications tab, the status for FIS Application will be shown as Pending Acceptance of Terms & Conditions 3. Click on View Service Agreement next to FIS Application name. 4. You will be displayed the Terms & Conditions for FIS based on whether your organization was approved for FIS Basic or FIS Medium Level of Assurance. 5. Click on Accept to complete the sign-off. Once the Organization Administrator accepts the Terms & Conditions, the FIS application status changes to Active and the FIS Administrator is now able to approve user FIS Subscription requests. The Organization Administrator(s) will receive an Adobe PDF version of the agreement via email on completion of the acceptance. After your organization is subscribed to an application, users within your Organization can request access to FIS application. Upgrade to Medium Software: It doesn t appear so, but want to confirm Step 1: Subscribe 1. To upgrade your organization s subscription to Medium Software, login to your Exostar MAG account. 2. Go to Administration tab and click on 'Subscribe to Application link (highlighted below). 3. The Subscribe to Application' page will be presented as below: 4. Click on Upgrade Organization to Medium Level Assurance next to the application name. Copyright 2009 Exostar LLC. All rights reserved Page 10 of 31

5. Enter the number of certificates required and click Next>>. 6. A confirmation page is displayed. Step 2: Exostar approval You will be presented with a confirmation page. The following activities will take place once the subscription request has been submitted: 1. Payments: Exostar Membership Services will provide the instructions for payment prior to approval of your registration request. 2. Once all payment requirements have been completed, Exostar will complete the approval process. On successful approval, automated notifications will be sent out with information on next steps. 3. Organization Administrator will receive an approval notification; and 4. Designated FIS Administrator will receive notification of FIS Subscription. Step 3: Accept Terms and Conditions Once the Organization Administrator receives the approval notification from Exostar, they will need to accept the Terms & Conditions online. If the organization has multiple Organization Administrators, these Terms & Conditions may be accepted by any ONE Organization Administrator. To sign-off on Terms & Conditions: 1. Login to your MAG account by accessing the following URL: https://portal.exostar.com. 2. On the Applications tab, the status for FIS Application will be shown as Pending Acceptance of Terms & Conditions 3. Click on View Service Agreement next to FIS Application name. Copyright 2009 Exostar LLC. All rights reserved Page 11 of 31

4. You will be displayed the Terms & Conditions for FIS based on whether your organization was approved for FIS Basic or FIS Medium Level of Assurance. 5. Click on I Agree to complete the sign-off. A message will be displayed to confirm the acceptance of service agreement. After your organization is subscribed to an application, users within your Organization can request access to FIS application. What if the Organization Administrator declines the Terms & Conditions? 1. If an Organization administrator declines the Terms & Conditions, the status of FIS Application on the Applications tab will continue to display as Pending Acceptance. 2. The Organization Administrator can click on View Service Agreement next to FIS Application name and complete acceptance at any other time. Subscribe to other Exostar applications: Follow the steps below to complete these tasks: Copyright 2009 Exostar LLC. All rights reserved Page 12 of 31

Step 1: Subscribe MAG Request Management Guide 1. To subscribe to Exostar s other applications go to Administration tab and click on 'Subscribe to Application link (highlighted below). 2. The Subscribe to Application' page will be presented as below: 3. Click on Subscribe to Application next to the application name. 4. The following screen will be presented. Provide the Application Administrator information. You may enter new information by selecting Other or select from the drop-down list of users within the organization to designate the FIS administrator role. Copyright 2009 Exostar LLC. All rights reserved Page 13 of 31

5. If entering a new user s information, make sure you enter all the required fields and click on Next >> button to complete the subscription process. If an existing user is selected, the following screen is presented. Click Next>>. Copyright 2009 Exostar LLC. All rights reserved Page 14 of 31

6. Click Next>>. The Submission Confirmation screen will be presented. Step 2: Exostar approval You will be presented with a confirmation page. The following activities will take place once the subscription request has been submitted: 1. Payments: Exostar Membership Services will provide the instructions for payment prior to approval of your registration request. 2. Once all payment requirements have been completed, Exostar will complete the approval process. On successful approval, automated notifications will be sent out with information on next steps. 3. Organization Administrator will receive an approval notification; and 4. Designated application administrator will receive notification of account upgrade to the role. Step 3: Accept Terms and Conditions Once the Organization Administrator receives the approval notification from Exostar, they will need to accept the Terms & Conditions online. If the organization has multiple Organization Administrators, these terms & conditions may be accepted by any ONE Organization Administrator. To sign-off on Terms & Conditions: 1. Login to your MAG account by accessing the following URL: https://portal.exostar.com. 2. On the Applications tab, the status for application will be shown as Pending Acceptance of Terms & Conditions. 3. Click on View Service Agreement next to application name. 4. The Service Agreement will be displayed for your review. 5. Click on Accept to complete the sign-off. For detailed information on the application status, refer to section User Application Subscription Status Information. Once the Organization Administrator accepts the Terms & Conditions, the application status changes to Active and the application administrator is now able to approve user subscription requests. The Organization Administrator(s) will receive an Adobe PDF version of the agreement via email on completion of the acceptance. After your organization is subscribed to an application, users within your Organization can request access to the application. NOTE: For the following tasks, you will need to contact Exostar Customer support by completing the online form at: http://www.myexostar.com/contactsupport.aspx: Invitation-only applications; OR Upgrade your Organization s FIS subscription to Medium Level of Assurance (Hardware). Copyright 2009 Exostar LLC. All rights reserved Page 15 of 31

Application Administrator Tasks IMPORTANT: If the Application Administrator is also the Organization Administrator, the Organization Administrator privileges will supersede the Application Administrator privileges. Search for a User Access the Administration tab and you will be presented with the View User sub-tab. If you did not have an Organization Administrator role, earlier this is a new tab that will appear on your profile. (See the highlighted tab below.) 1. Enter your keyword in the 'Search For: text box. 2. Select search filter criterion from the drop-down list. You have the option to search by: Last Name First Name User ID E-mail Org ID Organization Name R-IDP User ID If your organization is subscribed to Enterprise Access Gateway (EAG), you can search for the user by your native authentication UserID for the user. External User ID This is currently being used primarily for Boeing Supplier Portal. So if you want to search for the user by their BEMSID, use this search criteria. External Organization ID The External Organization ID is the same for all users for an application. This will be the ESD number if your organization account is subscribed to a Raytheon application or the BEST Code if your organization is subscribed to the Boeing Supplier Portal application. 3. Click on the Search button and the results will display below the search area. 4. Click on the Results Per Page drop-down and select an option. The default value is 25, but you can select from 10, 25, 50 or 100 results per page. Note: The number of users returned is subject to the system limit. The search filter is NOT case sensitive and excludes leading and trailing spaces. Wild card (*) searching is inherent to the search filter. You need not enter a "*" character as it is already implied. You can select the number of results that you want on a page up to a 100 records. The search will present a maximum of 500 results for any given search criteria. Use the Export Search Results button to generate a.csv file of your search results. Note that you will be able to export only 500 search results. Copyright 2009 Exostar LLC. All rights reserved Page 16 of 31

Request Application Subscription for a user MAG Request Management Guide To subscribe a user to your application: 1. Search for a user from the Administration tab 2. Click on the User ID to open the user profile 3. Only the application(s), or application group, that the admin has the application administrator role for is available to subscribe see the request access button below: NOTE: As an Application Administrator, you can add a Sponsor Code for the user while subscribing the user to the application. You may also add the sponsor code after the user has been approved for subscription. Refer to section Add/Update Sponsor Code for additional information. What happens next: If application, or application group, does not include FIS, SCP or LMP2P: MAG will check if SP Admin approval is required. If the application requires an SP Admin approval (for Example Rolls- Royce Global Supplier Portal), then the request will be routed to the SP Admin. If no SP Admin approval is required, then the user is provisioned to the application and is sent an email notifying that their subscription has been granted. If application is FIS: User s request will be routed to the FISA s authorize queue for approval. The FISA will receive an email to approve the user s request. The FISA will be required to complete the authorization for the certificates to enable the user to receive the certificates. If the application group is a bundle which includes FIS: The Admin will be required to complete the authorization for the certificates to enable the user to receive the certificates. If application is LMP2P or an SCP instance: The application is routed to the App Admin s Authorize queue and the app admin gets an email to approve the user. NOTE: For SCP, if the SCP App admin is also an Org Admin, the process remains the same and the admin will be prompted for Activate now/later option. Add/Update Sponsor Code 1. Search for a user from the administration tab 2. Click on the User ID to open the user profile 3. Only the application(s) that the admin has the app admin role for is/are available to updating the Sponsor code. Copyright 2009 Exostar LLC. All rights reserved Page 17 of 31

4. Enter the Sponsor Code for the application and click on Submit. Authorize User's Access to an Application (SCP, ForumPass and other Invitation-only applications) An Application Administrator role within an Organization is responsible for authorizing a user's access to Exostar-enabled applications or application bundles. On the 'Registration Requests' tab, you will see the 'Requests Inbox' with the list of requests awaiting your authorization. These are the user requests that have been verified by the Organization Administrator and are awaiting access to a specific application(s). The 'Action' column lists all the requests that need your authorization or activation. You will be able to filter the requests by the status of 'New' and 'Pending'. You will be able sort the table by clicking on the column headers. In this step, you will see the user's Organization information and personal information in read-only mode. 1. Locate a request that needs authorization and click on the Request ID as highlighted below. Copyright 2009 Exostar LLC. All rights reserved Page 18 of 31

2. The User Application Subscription Request page will be presented. MAG Request Management Guide Application name 3. Click on 'Next' button to go to the next step. 4. If you opt to deny this request, you will be prompted to enter comments/reason for denial. Click Next. 5. After you approve or deny a request, you will be presented with a confirmation message. SCP Requests If you approved the request for access to SCP application, you will be taken to the 'Activate User' step. ForumPass Requests and other Invitation-only applications If you approved the request for access to the ForumPass application, the request will be routed to an Exostar Administrator for approval. If you denied the request, the system will send out an email to the user that the registration request was denied. Application Group Requests Application Groups typically incorporate access to multiple applications including requests to FIS. If you approved the request for access to an Application Group, you will need to review and complete the FIS approval as well. See steps for Application Groups approvals below. Approvals for Application Groups include access to multiple applications; therefore the request may appear as pending after approval while access to all of the applications are processed. Activate User's Access to an Application (For SCP) If you are an application administrator for SCP, after the verification step, you will have the option to activate a user's account immediately or delay the activation until a user can be setup within the SCP application. Copyright 2009 Exostar LLC. All rights reserved Page 19 of 31

If you select 'Activate User in SCP Now' option: o The user will be automatically provisioned in SCP and the access to the application will be activated in the Portal. o An email is sent to the user notifying him/her that access to SCP has been granted. The user will be able to login and access the application from the Portal. If you select 'Activate User in SCP Later' option: o The user will be automatically provisioned in SCP and the request will be routed to the 'Activate' sub-tab in your 'Registration Requests' tab. o The user will not be able to access the application until you complete the activate step. The User will see the application status as 'Pending' on the Application Dashboard. 1. On the 'Registration Requests' tab, click on the 'Authorize' link and you will see the list of requests awaiting your authorization/activation. You will be able sort the table by clicking on the column headers. 2. Select a request that needs activation and click on the Request ID to start the activation workflow. 3. You will see a the User information in a read-only mode as shown below: 4. Click on 'Next' button to activate the user and you will be presented with a confirmation. Copyright 2009 Exostar LLC. All rights reserved Page 20 of 31

The request will be removed from your 'Requests Inbox' and an email is sent to the user notifying him/her that access to SCP has been granted. The user will be able to login and access the application from the Exostar MAG. NOTE: Once you have started to process the user s authorization request, ensure that you either complete the process or click Cancel to ensure that the request is available to other application administrators for further action. Suspend a user s access to the application To suspend user s application access: 1. Search for a user from the Administration tab. 2. Click on the User ID to open the user profile. 3. Only the application(s) that the admin has the app admin role for is/are available to suspend see the Suspend button below 4. Click on Suspend and the system will prompt you to confirm your action. 5. Click OK or Cancel to continue. 6. The system sends the user a suspension notification if the application administrator confirms the suspension. Activate a user s suspended access to the application To re-activate a user s application access: 1. Search for a user from the Administration tab. 2. Click on the User ID to open the user profile. NOTE: If the Application Administrator suspends the user s access to the application, the following administrators will be able to re-activate the user s access to the application: Application Administrator for the application Organization Administrator Exostar Portal Administrator Copyright 2009 Exostar LLC. All rights reserved Page 21 of 31

3. Click on Activate and the system will prompt you to confirm your action. 4. Click OK or Cancel to continue. 5. The system sends the user an activation notification if the application administrator confirms the activation. Application Groups - Administrator Tasks Some Application Administrators within an organization may be designated within Exostar MAG to perform administrator activities for an Application Group. These administrators may request access to application groups on behalf of users, and may suspend and activate application access as described above. Authorize User Access to an Application Group: Application Groups typically incorporate access requests to FIS as well as other applications. To process a request for access to an application group: 1. Locate a request that needs authorization and click on the Request ID as highlighted below. 2. The User Application Subscription Request page will be presented. Review the User information. Copyright 2009 Exostar LLC. All rights reserved Page 22 of 31

3. Review the FIS Certificate Information. Note: If attributes of the FIS Certificate have been locked, the Administrator may not modify them. These attributes may include: the level of assurance, certificate type, validity period, partner/application, and request reason 4. Make a selection for the Is this user authorized option. Click Next. If you opt to deny this request, you will be prompted to enter comments/reason for denial. Click Next. 5. After you approve or deny a request, you will be presented with a confirmation message. Note: Approvals for Application Groups include access to multiple applications; therefore the request may appear as pending after approval while access to all of the applications are processed. Copyright 2009 Exostar LLC. All rights reserved Page 23 of 31

FIS Administrator Tasks MAG Request Management Guide FIS Administrators are individuals of an organization who are designated within Exostar MAG to perform administrative activities for an application. A FISA performs the following functions: Approves all user requests for access to FIS Revokes user s Digital Certificates Prepares employment authorization letters for users Note that the FISA is not required to have digital certificates to perform all the roles above. Upon successful login, the system will automatically recognize your designation as an Application Administrator, and your view of the dashboard will also include the 'Registration Requests' tab as highlighted below. Here is a review of the components available on this screen: NOTE: For some organizations, an organization administrator may also perform FIS Administrator functions. These administrators will see all the tabs and sub-tabs that are individually available to the organization and application administrators. Administration tab: You can search for users with FIS certificates via this tab. This tab also allows you to view their certificate information and if require, revoke their certificates. Authorize sub-tab: No information available under this tab if you do not have application administrator rights for an application other than FIS. Authorize FIS: All FIS requests are available under this tab. Filter Requests: This filter allows you to filter out the requests in the queue based on the new or pending requests. Note that if you have any requests Pending in your queue, another FIS Administrator will not be able to access those requests. If you will not be taking action on a Pending request in your queue, open the request and release it for another FIS Administrator (if available) to take appropriate action. Search: You have the option to search for a specific user s request by First Name, Last Name, UserID or the Requested Level of assurance. Action: You are able to approve/deny up to 30 requests at the same time. More information is provided under section Approving/Denying Multiple Requests. Basic vs. Medium Level of Assurance Users within your organization may require either Basic or Medium Level of Assurance certificates. This may be dictated by a number of factors. Note that the Medium Level of Assurance Certificate requires that the user goes through in-person proofing activity. Make sure that you follow step 5 under Authorize User s Access to FIS to approve the user s request appropriately. If you are not sure whether the user requires Basic or Medium Level of Assurance Certificate, review the information provided via the approval screen to make an appropriate decision. If you still have questions, you may contact the sponsoring organization for additional information or Exostar Customer Support. Copyright 2009 Exostar LLC. All rights reserved Page 24 of 31

What to do when the user is renewing certificates? MAG Request Management Guide When the user submits a certificate renewal request, the FIS Administrator is unable to change the type of certificate. All certificate information is pre-populated based on the certificate the user has requested for renewal. These fields are also not editable. If you do not think that the user continues to need digital certificates, you can deny the renewal request. Note that the user will be able to submit additional renewal requests for the same certificate until the certificate expires. What to do when the user is sponsored? Make sure that you select the appropriate level of assurance for the user as required by the sponsoring organization. If the user requires Medium Level of Assurance certificates and your organization is approved only for Basic, contact your Organization Administrator and follow the steps provided under section Upgrade to Medium Software to upgrade your organization s account. Authorize a User's Access to FIS (new certificate request) If you are the designated administrator for Federated Identity Solution (FIS), you will see the 'Authorize FIS' sub-tab under 'Registration Requests'. Here, you will see the list of requests awaiting your authorization for FIS. These are the user requests that have been verified by the Organization Administrator. You will be able to filter the requests by the status of 'New' and 'Pending'. You will be able sort the table by clicking on the column headers. You will be able to search for a user based on the available search criteria. You will be able to approve/deny multiple requests. Refer to the Approving/Denying Multiple Requests section for details. Note: There is no differentiation between a renewal request and a new certificate request on the Authorize FIS tab. The difference in the requests can be viewed only after selecting the request. You will be able to view information on whether the user has an existing certificate to enable you to review the user s existing certificate prior to approving a new request. It is important to note that your company may be invoiced for any additional certificates for the user. For a renewal request, you will not be able to select the certificate attributes. All the fields will be non-editable. Refer to the Renewal request section of this guide for more information. 1. Select a request that needs authorization by clicking on the Request Id as highlighted above. 2. You will be presented with the user's approval request screen. The approval screen is divided into 5 sections: a. User Information b. Products & Services c. Organization Information d. Org Administrator Comment e. FIS Administrator Action Copyright 2009 Exostar LLC. All rights reserved Page 25 of 31

3. Review User Information: In this section, all information is in read-only mode. If any information is incorrect, you can deny the user s request with comments for the user to update the information appropriately and resubmit the request. 4. Review Products & Services section: In this section, you will be presented with the information that the user selected at the time of requesting access to FIS certificates. IMPORTANT: Make sure you review and if required update the selected options. If you need additional information on what options to select, access the support link as highlighted on screenshot below for information. Sponsor Code: This is an optional field and if the user has not input any information and you have not received any information from a partner organization or Exostar, you can leave this field blank. Partner/Application: Review the information provided by the user and update as needed by selecting from the drop-down list. Assurance Level: The Medium option will be available only if your Organization is subscribed for MLOA (Software) or MLOA (Hardware). If the user needs an MLOA certificate and the Medium option is not available, deny the user s request and contact the Organization Administrator to complete the Upgrade to MLOA request. Refer to the Upgrade to Medium Software section for details on upgrading your organization s subscription. If your organization account needs to be upgraded to MLOA (Hardware), contact Exostar Customer Support. If the user has selected UNKNOWN as the option, you are required to select the assurance level other than UNKNOWN to approve the user s request. Certificate Usage: This option appears only when you select the Basic for the user s certificates. You have the option of selecting Identity or SecureEmail. For users that need access to ForumPass applications only, it is recommended that you select Identity. If the user has selected UNKNOWN as the option, you are required to select the certificate usage other than UNKNOWN to approve the user s request. Certificate Type: The Hardware option will be available only if your organization is approved for MLOA Hardware certificates. Contact Exostar Customer Support if you need to upgrade your organization for MLOA Hardware. If the user has selected UNKNOWN as the option, you are required to select the certificate type other than UNKNOWN to approve the user s request. Certificate Validity Period: If the user selected Medium option for the assurance level, the user will have the option of selecting between 1 year and 3 years. Please note that for Medium certificates, the user has to go through inperson proofing irrespective of the validity period. In addition, a 3 years certificate is available at a discounted price. (For price details, contact Exostar Customer Support). If the user has selected UNKNOWN as the option, you are required to select the certificate validity period other than UNKNOWN to approve the user s request. Request Reason: The Unknown option is a valid option for this field. Copyright 2009 Exostar LLC. All rights reserved Page 26 of 31

Click on View More Information link for detailed instructions on selecting the appropriate certificate and other options. 5. Organization Information section: In this section, you can view your organization s information in read-only mode. 6. Org Administrator Comment: If the organization administrator entered any comments during user approval process, these will be reflected in read-only mode here. 7. FIS Administrator Action section: a. Administrator Comment: If you need to enter any comments, you may enter them here. These comments will be available to Exostar for any additional actions as required for MLOA certificates. b. Is this user authorized : If you select Deny option, you will be presented with a Deny Comments box to input your denial reason. This information will be sent to the user. Select Approve to approve the user s request. 8. Click Next> > complete the approval. You will receive a confirmation screen (see below). Approving/Denying Multiple Requests You can select up to 30 FIS requests to either approve or deny at a time. To be able to approve or deny, the user needs to have provided information other than UNKNOWN for the following fields: Assurance Level Certificate Usage (for Basic only) Certificate Type Copyright 2009 Exostar LLC. All rights reserved Page 27 of 31

Certificate Validity period If any of these fields has Unknown as the response, you will be required to access the request individually to approve. For approval: Once you have selected the requests for approval, select the Approve action from the Action drop-down as highlighted below. Click Apply. All requests will be approved in a single attempt. For denying requests: Once you have selected the requests for denial, select the Deny action from the Action drop-down as highlighted above. Click Apply. You will be prompted to provide the denial reason. All FIS requests will receive the same denial comments as provided in the Denial comments box. Authorize User's Access to FIS (Renewal request) Note: There is no differentiation between a renewal request and a new certificate request on the Authorize FIS tab. The difference in the requests can be viewed only after selecting the request. For a new request, as a FISA, you are able to select all the certificate attributes. Refer to the new request approval section of this guide for more information. 1. Select a request to approve. Copyright 2009 Exostar LLC. All rights reserved Page 28 of 31

You cannot edit this information Select the Approve option if the user continues to need the certificates. If you select Deny, you will be required to provide the denial comments. These are then sent to the user. 2. You will be able to approve or deny the user's access to FIS and enter comments. 3. If you opt to deny this request, you will be prompted to enter comments/reason for the denial. 4. After you approve or deny a request, you will be presented with a confirmation message. 5. If you approved the request for access to FIS, the user will receive a notification that the access has been approved for this application. The user will also receive their certificate download passcode in the email. 6. If you denied the request, the system will send out an email to the user that the registration request was denied. IMPORTANT: If the user s MLOA certificate renewal request is approved, the user will not be required to go through face-toface proofing activitiy with an Exostar Trusted Agent. Revoke User's Certificates If you are the designated administrator for Federated Identity Solution (FIS), you will be able to revoke the certificates of users within your organization from the user s profile page. NOTE: If you started a revocation process and didn't complete it, the requests will be available in the 'Registration Requests' tab. 1. Select the 'Administration' tab and then select the option 'View Users'. You can search for the user that you want to revoke the certificates for by using a search option from the available drop-down. 2. Once you have found the user, click on the Details button next to the user details. 3. The user s profile will be presented. Scroll to the bottom of the profile screen: Copyright 2009 Exostar LLC. All rights reserved Page 29 of 31

4. Click on the Revoke button as highlighted above. IMPORTANT: This action will revoke all certificates for the user. 5. Select a request that needs revocation and click on 'Process Request' to view details and revoke the request. New screen shot 6. Select the certificates by clicking on the check box against each certificate. 7. From the drop-down list of Reason for Revocation (as highlighted above), select an appropriate reason for revoking all the certificates. 8. Click on Submit. You will be presented with the confirmation screen. Copyright 2009 Exostar LLC. All rights reserved Page 30 of 31

9. Click on 'Sign' to complete the revocation process. Once a user's certificates are revoked, the user will not be able to use those certificates to login and will need new certificates Copyright 2009 Exostar LLC. All rights reserved Page 31 of 31