Information + Technology Services

eToken Management Overview

The eToken management system is designed to give departments and divisions increased control and visibility. This document provides an overview of what that entails from a department’s point of view through the use of examples.

Example Departmental Workflow for Managing eTokens

Department A has five administrative staff. Two people require access to AMS SAP, two people require access to ROSI via Host Explorer and ROSI Express, and one person requires DB2 access via Rocketshuttle. All the staff currently possess SecurID cards for this purpose.

Department A’s business manager will receive notice that the five staff have SecurID cards that will expire and that they must be replaced by eTokens. The business manager needs to select one or two staff people to be eToken Department Admins (DA) to assign and un-assign eTokens for their staff. The DAs will receive eTokens with specific access rights to assign tokens for other people. Department IT staff will begin to install the necessary client software and Information Security staff (ISEA) will arrange for the issuance of the eToken Departmental Admin (DA) eToken and for some on-site training.

On completion, the DA will be able to issue tokens for their 5 staff using the SAM web application.

If a new staff member joins the department, the DA would use a blank eToken from their on-hand supply and issue it using the SAM web application.

If a staff member leaves the employ of the University, the DA would retrieve the eToken and un-assign it using SAM.

If a staff member changes positions within the University, they can carry their eToken to their new position.

Note that the process for applying for access to AMS or ROSI applications for staff does not change.

Departmental IT Staff Role

IT staff can assist with the installation and configuration of the client software required for the eToken. This includes:

  • SafeNet Authentication Client (SAC) required for all users of eToken (Windows, MacOSX, Linux). This client is required to integrate the eToken with the desktop computer.
  • SafeNet Authentication Manager client (SAM) for all Windows users of eToken. This client is required for self-service renewal of digital certificates on the eToken. Certificates have a lifetime of around 2-3 years. When they are due to expire, the user will be notified by a popup and will be directed to a website to renew the certificate.
  • Registry configuration to support the expired certificate notification.
  • Cisco AnyConnect VPN. This is used for two purposes. Firstly, the VPN supports the eToken for authentication. Clients that do not support the eToken can chain with the VPN authentication to provide the required strength. Secondly, the VPN implements a coarse authorization capability that allows users to be grouped for specific access to resources.

Example Department User Experience

A staff person who needs access to AMS SAP from Department A has received their new eToken from their DA. They have changed the password on the eToken at the time it was given to them by the DA. They connect the eToken to their desktop, start the Cisco tunnel, type in their eToken password when prompted, then start up the SAP program. If they need to run ROSI by Host Explorer at the same time, they can do so.

If the staff member works from home and forgets to bring the eToken to work, they must go to the DA, who will issue a new eToken and un-assign the old one. The staff person should give the un-assigned eToken to the DA for re-use.

If the staff member sees a popup ‘Certificate due to expire’, then they can click to renew the certificate if they are using a correctly configured Windows desktop. If they are using a MacOSX or Linux desktop, they will be notified via email of impending certificate expiry. They will need to use a Windows desktop or go to their DA for assistance on certificate renewal.