The needs covered:
- Issue card - Need for administration of multiple systems to issue credentials
- Add credentials or application to card - Possibly manual process; may require card presence
- Reset PIN - May be out of synch; or time-intensive (and expensive) help desk call
- Replace card - Manually suspend/revoke credentials and recover keys
- De-provisioning and revocation - Administration of multiple systems to revoke credentials
Designed to meet the present and future needs of organizations: For example, if a secure remote or web access solution is required today, in the future the organization can expand its range of security enablers to include certificate‐based authentication and advanced applications such as digital signing and disk encryption.

Secure access from any available computer: Organizations can give authorized customers, partners, and employees access to web‐based applications, corporate networks, online services and business portals. SAM supports secure access from any available computer, including self‐enrollment and remote token management.
Full life‐cycle management of all SafeNet authenticators in a single system
- Notification facility ‐ Built‐in or completely programmable/scriptable mechanism for notification of token lifecycle events.
- Open user store architecture ‐ SAM utilizes the existing organizational environment to manage tokens so the system is smoothly assimilated into the organization’s existing IT infrastructure. Administrators can perform token management functions in a manner similar to the management of group policies, ensuring a short learning curve.
- Synchronization‐free integration ‐ By using a SAM user store that is separate from the system’s token database, SAM supports a synchronization‐free integration with Active Directory, Microsoft SQL, OpenLDAP, and Novell eDirectory user stores. In addition, SAM supports using ADAM as an integrated user store and token database.
- Open, extensible architecture ‐ SAM is designed for extensibility using the SAM SDK, web services API, the SAM OTP SDK and the SAM Connectors SDK. By using SAM connectors (server‐based, configurable plug‐ins) SAM can be extended to manage tokens with third‐party security applications. The SAM Connector SDK is available to security solution providers, enabling them to create their own SAM connectors.
- Authentication to Cloud-based applications: seamless strong authentication for enterprise users who want to access SaaS applications such as Google Apps and Salesforce.com.
- Integration with SafeNet HSMs for secure key storage: SafeNet Authentication Manager security keys are stored in the HSM. Encryption and decryption of SAM data is executed on the HSM. (Supported HSM models: Luna SA 4.4 and PCI 7000)
- Windows Server 2003 SP2 (32-bit, 64-bit)
- Windows Server 2003 R2 (32-bit and 64-bit)
- Windows XP SP3 (32-bit, 64-bit)
- Windows Vista SP2 (32-bit, 64-bit)
- SafeNet eToken Virtual family (SafeNet eToken Virtual, SafeNet eToken Rescue, and SafeNet eToken Virtual Temp) - A software‐based, two‐factor authentication security solution which provides full public key cryptographic token functionality such as secure remote access, network access, encryption, and digital signing, completely in software. SafeNet eToken Virtual delivers the strength of certificate‐based authentication for PCs and portable drives without a smartcard or hardware token. As the keys and certificates are securely created and stored in SafeNet eToken Virtual, only public contents are openly available, and the private data is encrypted.
- eToken MobilePASS tokens - Combines the security of two‐factor strong authentication with the convenience of one‐time passwords generated on personal mobile devices or PCs. MobilePASS supports BlackBerry, Windows Mobile, Java ME‐enabled devices, and Symbian, for OTP generation.
- eToken PRO Anywhere authenticators - A certificate‐based strong authentication solution that combines the security of certificate‐based authentication with the simplicity and convenience of traditional OTP products. A true “plug and play” solution, eToken PRO Anywhere eliminates the need for installation of desktop client software, enabling online service providers and organizations to offer customers, partners, and employees secure remote access to online services and business portals with the added benefit of digital signing capabilities.

Migration of SafeWord Authenticators is supported only from ESP to ADAM (stand alone store).
SafeNet eToken Virtual Note: The user must authenticate using the external storage device on which the SafeNet eToken Virtual was enrolled. A SafeNet eToken Virtual cannot be used to authenticate if it is copied to a computer or to a different device.

SafeNet eToken Virtual Temp Notes:
- For each enrolled physical token, one SafeNet eToken Virtual Temp can be enrolled.
- A SafeNet eToken Virtual Temp is enrolled the same way as a SafeNet eToken Virtual.

SafeNet eToken Rescue Use Case
The following describes how a SafeNet eToken Rescue is used:
a. Sarah, a user, downloads a SafeNet eToken Rescue before she leaves on a trip, so that the up‐to‐date content on her token is backed up.
b. Sarah discovers that her token is lost, but she is away from the office, and cannot replace it with a new physical token.
c. She reports the token as lost through the SAM Rescue Service Center or directly to the system administrator, and requests access to the downloaded SafeNet eToken Rescue.
d. A SafeNet eToken Rescue password is disclosed to Sarah by the SAM Rescue Service Center or by the system administrator.
e. Sarah authenticates to her applications using the token content saved on the SafeNet eToken Rescue, accessed by SafeNet eToken Rescue password.
- Express OTP installation and configuration (OTP) ‐ A dedicated installation option allows you to install SAM, and pre‐configure it for OTP usage
- Automatic OTP synchronization ‐ SAM keeps your OTP seed in sync with the server, resetting it automatically whenever necessary
- Easy integration ‐ Enhanced OTP deployment, with applications such as Citrix, OWA, and IAS, including an OTP plug‐in for Outlook Web Access (OWA) 2007
- SAM OTP SDK ‐ A set of APIs and Web Services allow an external agent/application to perform OTP authentication.
- Extended OTP token support ‐ PIN protected, Challenge‐Response, and time‐based authentication
- Full compatibility with the SafeWord solution ‐ The set of OTP plug‐ins supported by SAM has been extended to include OWA 2007
Portals installation includes Remote portals sources

SafeNet Authentication Manager is supplied with external portals, which are installed and configured separately from the main SafeNet Authentication Manager installation and configuration.
Note: SafeNet Authentication Manager 8.0 supports the use of ADAM as a combined “Standalone” directory containing both the configuration store and the user store.
When you open the SafeNet Authentication Manager’s Self Service Center window, a list of your enrolled tokens is displayed in the left panel, and a list of options is displayed in the right panel.

Note: The SafeNet Authentication Manager configuration determines which options are displayed in the right panel of the Welcome to the Self Service Center window.

- Enrolling a New Smartcard or USB Token - Token enrollment adds your smartcard or USB token to the SafeNet Authentication Manager inventory if it is not already there, associates the token with your username, and loads its content with the data you need.
- Enrolling a New OTP Token - OTP (One‐Time Password) token enrollment associates your physical OTP token, which is not a smartcard or a USB token, with your username in the SafeNet Authentication Manager inventory.
- Enrolling a New MobilePASS Token - MobilePASS token enrollment installs a MobilePASS application on your mobile device, enabling you to generate an OTP on the device.
- Enabling a New MobilePASS Messaging Token - MobilePASS Messaging token enrollment enables you to receive a generated OTP as an email message, or as an SMS (Short Message Service) message on your mobile device.
- Enrolling a New SafeNet eToken Virtual - SafeNet eToken Virtual enrollment enrolls a software token. Depending on your SafeNet Authentication Manager configuration, a SafeNet eToken Virtual is stored as a file on your computer, or on a portable drive.
- Completing Your Authentication Questionnaire - Before you can authenticate yourself to the Rescue Service Center, you must complete an authentication questionnaire in the Self Service Center. This provides a backup method of identifying yourself in case you lose your token or forget its password when you are out of the office.
- Changing Your SafeNet Authentication Manager User Password - Users in some SafeNet Authentication Manager environments authenticate to SafeNet Authentication Manager using a user password. Change your user password if you think someone else has seen it.

After enrollment, a list of the names of your enrolled tokens is displayed in the left panel of the Self Service Center window.
The Selected Token options displayed in the right panel may include:
- Updating Your Token Content - If you accidentally deleted content from your token, or if a warning message is displayed that your token content must be updated, use this option to update it.
- Changing and Resetting Your Token Password - Change your password if it is about to expire, or if you think someone else has seen it. Depending on your SafeNet Authentication Manager configuration, you may be able to reset your password should you forget it.
- Enabling and Temporarily Disabling Your Token - Temporarily disable your token if it is misplaced, or if it is not needed for an extended period. If your token is disabled, you must enable it before you can use it again.
- Revoking Your Lost or Damaged Token - Revoke a lost or damaged token immediately to prevent anyone else from using its content.
- Replacing or Upgrading Your Token - Revoke your token, and load a new one with the same content.
- Downloading a SafeNet eToken Rescue - Prepare a backup of your token content in case you lose your token when you are away from your office and cannot replace it with a new one.
- Changing and Resetting Your OTP PIN - Change your OTP PIN if you think someone else has seen it. Depending on your SafeNet Authentication Manager configuration, you may be able to reset your OTP PIN should you forget it.
- Validating Your OTP Token - If you repeatedly generate an OTP without submitting one for authentication, or if the time function of your OTP token has deviated, your OTP token loses its synchronization with the system. You must validate your OTP token so that SafeNet Authentication Manager can authenticate OTPs that are subsequently generated.
- Enrolling a New SafeNet eToken Virtual Temp - SafeNet eToken Virtual Temp enrollment creates a software token on your computer that can be used for a limited period of time in place of a token that has been enrolled. The SafeNet eToken Virtual Temp is loaded with token content similar to the content loaded on your enrolled physical token.
- Retrieving a Response Code to Unlock Your Token - Complete the process of unlocking a token whose Token Password has been forgotten.
- Managing Your Lost or Damaged Token - Report a lost or damaged token so that it cannot be used by anyone else, and optionally arrange for a temporary replacement.
- Enabling and Temporarily Disabling Your Token - Temporarily disable your token if it is misplaced, or if it is not needed for an extended period. If your token is disabled, you must enable it before you can use it again.
- Resetting Your OTP PIN - Reset your OTP PIN should you forget it.
- Validating Your OTP Token - If you repeatedly generate an OTP without submitting one for authentication, or if the time function of your OTP token has deviated, your OTP token loses its synchronization with the system. You must validate your OTP token so that SafeNet Authentication Manager can authenticate OTPs that are generated.

Your SafeNet Authentication Manager configuration determines which options are displayed in the right panel.
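The loss of synchronization described under Validating Your OTP Token, shown as an added example that is not SafeNet code. It assumes an event-based token following RFC 4226 (HOTP), which this page does not specify for SAM; the class, method names and window sizes are illustrative.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class OtpServer:
    """Server-side record for one event-based token (hypothetical, not SAM's)."""
    def __init__(self, secret, look_ahead=3, resync_window=50):
        self.secret = secret
        self.counter = 0                 # next counter value the server expects
        self.look_ahead = look_ahead     # assumed size of the normal window
        self.resync_window = resync_window

    def authenticate(self, otp: str) -> bool:
        # Normal login: accept only OTPs inside the small look-ahead window.
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1     # used and skipped values cannot be replayed
                return True
        return False

    def validate(self, otp1: str, otp2: str) -> bool:
        # Validation: two consecutive OTPs must match inside a wider window,
        # so a single guessed value cannot move the server counter.
        for c in range(self.counter, self.counter + self.resync_window):
            if (hmac.compare_digest(hotp(self.secret, c), otp1)
                    and hmac.compare_digest(hotp(self.secret, c + 1), otp2)):
                self.counter = c + 2
                return True
        return False

def demo():
    # Constructed sample data: the RFC 4226 test seed, not a real token seed.
    secret = b"12345678901234567890"
    server = OtpServer(secret)
    token_counter = 8                    # OTPs generated 8 times without submitting
    rejected = server.authenticate(hotp(secret, token_counter))
    resynced = server.validate(hotp(secret, token_counter),
                               hotp(secret, token_counter + 1))
    accepted = server.authenticate(hotp(secret, token_counter + 2))
    return rejected, resynced, accepted
```
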
The following information is displayed:
- SAM Server
  - Shows if the SAM Agent is connected to the SAM Server
  - Displays the SAM Agent version number
- Token Content Verification
  - Shows if the token content verification feature is enabled
  - Displays the date that the SAM Agent last checked if the token content needed updating
  - Displays the date of the next scheduled token content check
- SafeNet eToken Rescue
  - Shows if the SafeNet eToken Rescue verification feature is enabled
  - Displays the date that the SAM Agent last checked if the SafeNet eToken Rescue needed updating
  - Displays the date of the next scheduled SafeNet eToken Rescue check
A SafeNet eToken Rescue is a SafeNet eToken Virtual product that can be activated for use as a temporary token replacement if your token is lost or damaged.
In addition, the portal source code is available, to enable customization of the portals.

Separate SAM External Portals installation files are provided:
- SAMPORTALS‐x32‐8.0.msi (32‐bit)
- SAMPORTALS‐x64‐8.0.msi (64‐bit)

Prerequisites:
- IIS
- ASP.NET
To perform activities requiring access to a connected token, the following client applications must be installed on the SAM Management Center computer:
- SafeNet Authentication Client
- SAM Client

If the client applications are not installed, only activities relating to the SAM inventory can be controlled.
The SAM Management Center cannot be used to manage SafeNet eToken Virtual products locked to a computer.

The left panel contains the following:
- Tabs for selecting the different SAM Management Center pages
- Search parameters: The administrator selects the domain, the token filter, and up to two different search criteria to be combined in a single search
- Relevant SAM system notifications

Search results are displayed in the right panel.
- At the top right of the panel: The number of records matching the search criteria, and paging operations
- In the middle section: Details of each token matching the search criteria
- Below the displayed tokens: Applications enrolled on the selected token, if present

At the bottom of the right panel, the administrator selects an option.
- Below the Application box, if OTP configured: OTP options
- Along the bottom of the panel: Token‐related options.

Appropriate options are enabled for each selected token. Place the cursor on an enabled option to view its tooltip.

Helpdesk operations can be:
- Unlock user
- Enable temp logon
- Activate eToken Rescue
- Unlock a token
- Reset the token user password (using the token Admin password set during initialization)
- Revoke
- Enable
- Replace an enrolled token
Users can save their token content to a SafeNet eToken Rescue, a secure backup file on their computer or external storage device. A SafeNet eToken Rescue is not accessible to the user until it is activated.

If a user’s enrolled token is lost or damaged, access to the SafeNet eToken Rescue is enabled by one of the following methods:
- Using the SAM Management Center, the administrator enables user access.
- Using the SAM Rescue Service Center, the user requests access.

Search for the token for which a SafeNet eToken Rescue has been downloaded.
The Authentication Questions window opens.

A SafeNet eToken Rescue is used as a temporary token replacement. It is accessible for a limited time only, and only through a password that is disclosed when the token is reported as lost or damaged.
- A Token Inventory Report lists details of tokens that are included in the SAM inventory.
- If the History Tokens feature is enabled in your TPO, the Token History Report lists the historical data of tokens that have been unassigned or removed.
- A Token Expiration Report lists tokens having an expiration date.
- A Token Audit Report lists details of each SAM operation.
- An OTP Usage Report lists each audited OTP operation in which a token is used.
- A Token Connections Report lists the information for each physical token connected at the time of the last refresh.
- An Hourly Distribution chart lists the average number of physical tokens connected per hour.

The Hourly Distribution chart feature requires the following:
- A connection to Microsoft SQL Server or Microsoft SQL Express
- The SAM Desktop Agent must be installed on every client computer
- The SAM Desktop Agent Enable token auditing setting must be enabled.
MobilePASS tokens generate OTPs on mobile devices without the need for physical tokens. MobilePASS tokens work independently of mobile network connectivity.

Download MobilePASS applications to enroll MobilePASS tokens.
- From a browser on your mobile device, open the link on the Downloads page
- The SafeNet website opens to the MobilePASS Authenticators Download Page.
- The appropriate application is downloaded

After the MobilePASS application is downloaded to a mobile device, a MobilePASS token can be enrolled on it.