Enterprise Access Gateway Management for Exostar's IAM Platform
June 2018
Copyright 2018 Exostar LLC All rights reserved.

Version: Enterprise Access Gateway (EAG) Guide
Impacts: Revised
Date: June 2018
Owner: S. Puthanveetil

Contents

Enterprise Access Gateway (EAG) Overview
Modify Trusted Sites in Internet Explorer
Self-Link an Exostar IAM Platform Account to EAG
Link an Exostar IAM Platform Account to EAG with Just-in-Time (JIT) Provisioning
Bulk Load EAG Subscriptions
Login
Login if Persistent Cookie was Removed
Delink or Relink Account
FAQs
  What are Corporate Credentials?
  Can an individual purchase EAG?
  How much is EAG?
  How do I reset my Exostar's IAM Platform (MAG) Password or change my Security Questions if I am using EAG Account Linking?
  How does a user have their corporate password reset?
  I am unable to log into Exostar's IAM Platform (MAG) using my shortcut or browser favorites. What should I do?
  Why am I getting a Page Cannot be Displayed Message when trying to Log into Exostar's IAM Platform (MAG)?
  What do I do if I selected the wrong Identity Provider when trying to log into Exostar's IAM Platform (MAG) under the Advanced Log in Options and can't select the correct provider?
  How do I correct the system error that I am receiving after I select the Sign On (EAG, under Advanced Login Options) on the Exostar's IAM Platform (MAG) Login Page?
  I am getting the following error, Error 5103: R-IDP user not yet linked when trying to log into Exostar's IAM Platform (MAG). What do I need to do to resolve this?
  I am getting the following error, Error 5105: R-IDP user is not allowed to login with local credential. What do I need to do to resolve this?
  I am being prompted for my corporate token Username and Password after selecting my identity provider when trying to log into Exostar's IAM Platform (MAG). What do I need to do?
  I am able to successfully log into Exostar's IAM Platform (MAG) via EAG but I receive an error when trying to access my application within the Exostar's IAM Platform (MAG).
  Why am I getting the error Higher Level of Credential Required when accessing an application?

Enterprise Access Gateway (EAG) Overview

Exostar's Enterprise Access Gateway (EAG) is an authentication portal that allows users to use their native (corporate) credentials to access the Exostar IAM Platform (formerly known as MAG) service and the applications that federate with the service. EAG acts as an Identity Federation component that functions as a forward trust proxy between Service Providers and Identity Providers, supporting standards-based single sign-on and user account provisioning while remaining completely invisible to end users. EAG allows Identity Providers to gain access to multiple participating Service Providers at Exostar.

EAG allows users to use their corporate network login credentials to access Exostar IAM Platform (MAG) applications. An organization must be subscribed to EAG before a user can link their account.

Modify Trusted Sites in Internet Explorer

Exostar.com must be designated a trusted site in Internet Explorer before corporate login credentials can be used for EAG.

To modify trusted sites in Internet Explorer:

1. From Internet Explorer, select Tools or the Gear icon in the top right corner of the browser. Then, select Internet Options.
2. The Internet Options window displays. Select the Security tab, then click Sites.
3. Insert *.exostar.com into the text field and click Add.

Note: If the Require Server Verification (https:) for all sites in this zone is selected, please remove the checkmark from the box and click Add. If you are unable to add Exostar as a trusted site or if you are unable to remove the checkmark, contact your IT Department or Help Desk.

Self-Link an Exostar IAM Platform Account to EAG

After designating Exostar as a trusted site, your MAG account can be linked to EAG. Follow the steps to complete linking.

1. Log into your Exostar IAM Platform (MAG) account by going to https://portal.exostar.com. Log in with your username and password or a FIS Digital Certificate(s).
2. Go to the My Account tab and click the Edit Profile sub-tab.
3. If your organization is subscribed to the EAG service, you will see the Enterprise Access Gateway (EAG) Account Settings section which allows you to link your account. Click Link Accounts.
4. A notification displays. To save profile changes, click OK. Click OK to start the account linking process.
5. Click Connect to Identity Provider.
6. If you have logged into your corporate network, click Link Accounts. If you have not, you are prompted to provide your network credentials. The displayed page is specific to your company. After entering your corporate credentials, the Account Linking page displays. Click Link Accounts.
7. After clicking Link Account, your corporate network ID appears.
8. Click Logout and Close Browser to complete the account linking process. When you click Logout and Close Browser, you are logged out of your current Exostar IAM Platform (MAG) session.
9. The logout screen displays. Close the browser.
10. A persistent cookie is saved on your computer to identify your Corporate Identity Provider (also known as your Enterprise IDP) to ensure that you are not required to select your Enterprise IDP again for the Exostar IAM Platform (MAG). If you clear the browser history or use a different browser, you need to select the Enterprise IDP for the Exostar IAM Platform (MAG).

Link an Exostar IAM Platform Account to EAG with Just-in-Time (JIT) Provisioning

Just-in-Time provisioning allows users to be provisioned in the Exostar IAM Platform (MAG) automatically. Users go through a one-time registration process and are required to subscribe to an application. When account attributes change in the Enterprise, JIT-based assertion allows user attributes to be updated in the Exostar IAM Platform (MAG) when users federate to Exostar IAM Platform (MAG) services.

Enterprises that have configured and subscribed to EAG (Remote Identity Provider service connection) in Exostar's IAM Platform (MAG) can place a URL on their internal website. Employees can self-register for Exostar IAM connected application services.

Follow the steps below to use JIT provisioning.

1. Go to https://portal.exostar.com.
2. Select Single Sign On (EAG) under Advanced Login Options.
3. Select your Remote Identity Provider (R-IDP) service connection.
4. Use your native (corporate) credentials to complete login.
5. The JIT User Registration page displays. Click Next.
6. Personal information displays.
   Note: Most fields are not editable. The information displaying in these fields is provided from your corporate identity provider and not Exostar. Click Next.
7. Select applications you need to access. Click Next to complete. Application access requires approval by an Application Administrator. If an application requires additional approval, the request routes to the next participant in the approval workflow.
8. A persistent cookie is saved on your computer to identify your Corporate Identity Provider (also known as your Enterprise IDP) to ensure that you are not required to select your Enterprise IDP again for the Exostar IAM Platform (MAG). If you clear the browser history or use a different browser, you need to select the Enterprise IDP for the Exostar IAM Platform (MAG).

Bulk Load EAG Subscriptions

Organization Administrators who want to complete a multiple-user upload or complete actions for multiple users can subscribe users to the EAG service by entering the Remote Identity Provider (R-IDP) for the user in the ridpuserid field of the .csv file. Once the upload completes, users receive an email with instructions on how to access Exostar's IAM Platform (MAG).

1. Log into your Exostar IAM Platform (MAG) account by going to https://portal.exostar.com. Log in with your username and password or a FIS Digital Certificate(s).
2. Go to the Administration tab and click the appropriate sub-tab (User Upload or Bulk Actions).
3. Complete the .csv template and ensure that you complete the ridpuserid field. Do not enter information in the password field; doing so causes an error when uploading the file. Save the completed template as .csv. For instructions on how to use User Upload or Bulk Actions and to obtain the .csv file, use Online Help.
   Note: Application access requires approval by an Application Administrator. If an application requires additional approval, the request routes to the next participant in the approval workflow.
4. Once the upload completes, users receive an email with instructions about accessing the Exostar IAM Platform (MAG).
5. After going to https://portal.exostar.com and clicking Enterprise Single Sign On (EAG), select your corporate Identity Provider from the drop-down menu. Click Login.
6. Depending on the Identity Provider you selected, you are directed to a login page where you are required to enter your corporate credentials.
   Note: Your login page may look different than the illustration. If you are unable to log in and need your corporate password reset, contact your IT department or Internal Helpdesk.
7. A persistent cookie is saved on your computer to identify the Enterprise IDP so that you are not required to select the Enterprise Identity Provider again in Exostar's IAM Platform (MAG). The next time you access your account using EAG, you are directed to enter your corporate credentials, which will log you directly into your account. You can save the Exostar IAM Platform (MAG) URL as a favorite in your browser or as an icon on your desktop.

Login

Open a new browser or use an existing Favorites link. You are taken directly to the Exostar IAM Platform (MAG) applications page or the application you access.

Note: The applications you see listed may be different than the illustration above.

If you are NOT logged in to your corporate network, you may be prompted to log in.

Note: The credential strength of an application in Exostar's IAM Platform is determined by the application owner. If you receive the Login Requirements Not Met message when accessing an application or have additional questions, please contact Exostar Customer Support.

Login if Persistent Cookie was Removed

If you clear your browser cookies and cache, the persistent cookie is removed and you are not taken directly to your corporate login page when accessing Exostar's IAM Platform (MAG). Follow the steps below.

1. The Exostar IAM Platform (MAG) login page displays. Select Single Sign On (EAG) under Advanced Login Options.
2. Select your corporate Identity Provider from the drop-down menu. Click Login.
3. Depending on the Identity Provider you selected, you are directed to a login page where you are required to enter your corporate credentials.
   Note: Your login page may look different than the illustration. If you are unable to log in and need your corporate password reset, contact your IT department or Internal Helpdesk.
4. A persistent cookie is saved on your computer to identify the Enterprise IDP so that you are not required to select the Enterprise Identity Provider again in Exostar's IAM Platform (MAG). The next time you access your account using EAG, you are directed to enter your corporate credentials, which will log you directly into your account. You can save the Exostar IAM Platform (MAG) URL as a favorite in your browser or as an icon on your desktop.

Delink or Relink Account

If you are not logged into your corporate network, you are unable to log in using EAG. For example, if you are working remotely and cannot use your Corporate VPN to log in, you are unable to use EAG.

To have your account delinked, contact your Exostar IAM Platform (MAG) Organization Administrator. They can delink your account. Once the account has been delinked, you receive an email confirmation with login instructions.

To relink your account, follow the instructions in the How to Link Your Account section of this document. If you linked your account using JIT provisioning, you are required to register again.

FAQs

What are Corporate Credentials?
Corporate credentials are credentials provided to a user by their own organization. Users are issued login credentials by their company (e.g. Exostar issues internal users with a LAN User ID and Password to access their computers daily). Corporate credentials are not provided by Exostar.

Can an individual purchase EAG?
No, EAG is issued at the corporate level.

How much is EAG?
Callers inquiring about setting their organization up for EAG should be directed to Exostar Sales.

How do I reset my Exostar's IAM Platform (MAG) Password or change my Security Questions if I am using EAG Account Linking?
If your account is linked with a corporate account, you do not need to change the password or set up security questions in Exostar's Managed Access Gateway (Exostar's Identity and Access Management Platform (MAG)). Your password life cycle is managed by your corporate enterprise. If you want to reset your Exostar's IAM Platform (MAG) password or change your security questions, you will need to have EAG de-linked from your Exostar's IAM Platform (MAG) account. You will need to contact Exostar Customer Support.

How does a user have their corporate password reset?
If you do not know your corporate credentials (your corporate user ID and/or password), you will need to work with your Corporate Help Desk.

I am unable to log into Exostar's IAM Platform (MAG) using my shortcut or browser favorites. What should I do?
1. Once you have successfully authenticated to Exostar's IAM Platform (MAG) with EAG, you will need to create new favorites/shortcuts or update your existing favorites/shortcuts. Your old links will not work. To update your existing links, in an Internet Explorer browser window, click on the Star (upper right-hand corner).
2. Find the favorite (e.g. Exostar's IAM Platform (MAG) Dashboard) that you want to update and right click on it.
3. Select Properties and update the URL. Click Apply and OK.

Why am I getting a Page Cannot be Displayed Message when trying to Log into Exostar's IAM Platform (MAG)?
Close all browsers and attempt to log in again. You can complete this by going to Single Sign On (EAG) under the Advanced Log in Options on the Exostar's IAM Platform (MAG) login page. Select your correct Remote Identity Provider and enter your corporate credentials. If the problem continues, please contact your local IT help desk to ensure there are no issues with your local account.

What do I do if I selected the wrong Identity Provider when trying to log into Exostar's IAM Platform (MAG) under the Advanced Log in Options and can't select the correct provider?
Close all browsers and try to log in again. You can complete this by going to Single Sign On (EAG) under the Advanced Log in Options on the Exostar's IAM Platform (MAG) login page. Select the proper Remote Identity Provider and enter your corporate credentials. If the problem continues, please contact your local IT help desk to ensure there are no issues with your local account.

How do I correct the system error that I am receiving after I select the Sign On (EAG, under Advanced Login Options) on the Exostar's IAM Platform (MAG) Login Page?
Clear your cookies, browser history and close the browser. Open a new browser and go to the Exostar's IAM Platform (MAG) log in page again (https://portal.exostar.com). Select your correct Remote Identity Provider.

I am getting the following error, Error 5103: R-IDP user not yet linked when trying to log into Exostar's IAM Platform (MAG). What do I need to do to resolve this?
You need to ensure that you have linked your Exostar's IAM Platform (MAG) account to the correct corporate credentials.

I am getting the following error, Error 5105: R-IDP user is not allowed to login with local credential. What do I need to do to resolve this?
If you have already linked your Exostar's Identity and Access Management Platform (MAG) account via EAG, you will not be required to enter your Exostar's IAM Platform (MAG) login credentials to access Exostar's IAM Platform (MAG) and applications. If you attempt to access your account using Exostar's IAM Platform (MAG) credentials, you will receive the error message. To resolve:
1. Go to https://portal.exostar.com.
2. Click Single Sign On (EAG).
3. Select Corporate Identity Provider from the drop-down menu.
4. Click Login. You are directed to a login page where you need to enter your corporate credentials.

I am being prompted for my corporate token Username and Password after selecting my identity provider when trying to log into Exostar's IAM Platform (MAG). What do I need to do?
Please ensure that you are logging in with your corporate credentials (e.g. username/password, token password, smart card, etc.).

I am able to successfully log into Exostar's IAM Platform (MAG) via EAG but I receive an error when trying to access my application within the Exostar's IAM Platform (MAG).
If the status of the application you are trying to access says Open Application and you receive an error, you will need to contact Exostar Customer Support. Please see what action to take if the status of the application says:

Pending Application Administrator Approval - You will need to contact the Exostar's IAM Platform (MAG) Application Administrator who has the ability to approve or deny access to the application.
Inactive - You will need to request access to the application. Once you request access, your Application Administrator will need to approve the request.
Organization application suspended - The application has been suspended by Exostar. You will need to have your Organization Administrator contact Exostar Customer Support.
Suspended - The application access has been suspended by your Application Administrator or by Exostar. You will need to contact the Application Administrator to have the application unsuspended.
Pending Acceptance of Terms and Conditions - Your Exostar's IAM Platform (MAG) Organization Administrator or the Application Administrator for that application will need to accept the Terms and Conditions before you can request access to it.
Pending Application Owner - The application owner (the owner of an application) needs to approve the access. You can determine which company is the owner of the application by checking the company name in the upper left-hand corner of the applications section from the Home dashboard view of your Exostar's IAM Platform (MAG) account. In the example below, Exostar LLC is the application owner of the listed applications. You will need to work with the Application Owner. If the application is managed by Exostar, please contact Exostar Customer Support.

Why am I getting the error Higher Level of Credential Required when accessing an application?
Your authentication details from your Remote Identity Provider (your corporate provider) may not have been passed to the application owner or the application might not accept your credential strength. Close all browsers and attempt to log in again under the Single Sign On (EAG) under the Advanced Log in Options on the Exostar's IAM Platform (MAG) login page. If the problem continues, please contact Exostar Customer Support to verify if your authentication level is supported on the application(s) you are trying to access.