

Provision Users

This section describes how to use the connector to provision accounts on the endpoint.

Provision a User with an Arcot Account

You can use CA Identity Manager to provision a user with an Arcot account on a specified Arcot endpoint. To provision a user with an Arcot account, the user must be an existing CA Identity Manager user.

Follow these steps:

  1. In CA Identity Manager, click Users, Manage Users, Modify User's Endpoint Accounts.
  2. Search for the user that you want to provision with an Arcot account.
  3. Click Create Account.
  4. In the Search for an endpoint of Endpoint Type list, select Arcot, then click Search.
  5. Select the Arcot endpoint you want to provision the user to.
  6. Search for the container that represents the Arcot Organization you want to provision the user to, then click Select.

    The Create Arcot User page appears.

  7. Click the User tab.
  8. Complete the fields on the User and User Details tabs.
  9. Click the OTP tab, then complete the Default OTP Profile Name field.
    Default OTP Profile Name

    (Optional) Specifies the name of the default OTP Issuance profile used to create the OTP of the user.

    If you do not specify a value, the user is assigned the default OTP profile.

  10. Click the ArcotID tab, then, if necessary, complete the ArcotId Profile Name field.
    Default ArcotId Profile Name

    (Optional) Specifies the name of the default ArcotID Issuance profile used to create the ArcotID of the user.

    If you do not specify a value, the user is assigned the default ArcotID profile.

  11. Click the QnA tab, then complete the Default QnA Profile Name field.
    Default QnA Profile Name

    (Optional) Specifies the name of the default QnA Issuance profile used to create the user's QnA.

    If you do not specify a value, the user is assigned the default QnA profile.

    Important! Verify that the default OTP, ArcotID, and QnA profile names are correct. The profile must be configured at the Arcot organization of the user. CA Identity Manager does not validate the default OTP, ArcotID, or ArcotOTP profile name when you try to acquire the endpoint.

    Note: To see the objects and attributes that CA Identity Manager supports, download the attribute list from the Download page for Endpoint Guides for CA Identity Manager.

  12. Click Submit.

CA Identity Manager provisions the user with an Arcot account on the Arcot endpoint you specified.

Provision a User with an OTP

You can use CA Identity Manager to provision an OTP to a customer where organizations require the use of a one-time password.

Follow these steps:

  1. In CA Identity Manager, click Manage Users, Modify User's Endpoint Accounts.
  2. Search for the user that you want to provision with an OTP.
  3. Search for the Arcot endpoint account of the user, then select the account.
  4. Click the Actions button, then click Generate Arcot User OTP.

    The Generate Arcot User OTP page appears.

  5. In the Generate OTP Action field, select Create.
  6. Complete the fields on the Generate Arcot User OTP page.

    Note: To see the objects and attributes that CA Identity Manager supports, download the attribute list from the Download page for Endpoint Guides for CA Identity Manager.

  7. Click Submit.

CA Identity Manager sends an email to the customer with the OTP password.

Note: For information about setting up an email notification in CA Identity Manager, see the chapter "Email Notifications" in the CA Identity Manager Administration Guide.

Provision a User with an ArcotID

You can use CA Identity Manager to provision an ArcotID to a customer where organizations require two-factor authentication.

Follow these steps:

  1. In CA Identity Manager, click Manage Users, Modify User's Endpoint Accounts.
  2. Search for the user that you want to provision with an ArcotID.
  3. Search for the Arcot endpoint account of the user, then select the account.
  4. Click the Actions button, then click Generate Arcot User ArcotID.

    The Generate ArcotID page appears.

  5. In the Generate ArcotID Action field, select Create.
  6. Complete the fields on the Generate ArcotID page.

    Note: To see the objects and attributes that CA Identity Manager supports, download the attribute list from the Download page for Endpoint Guides for CA Identity Manager.

  7. Click Submit.

CA Identity Manager sends an email to the customer with the ArcotID details.

Note: For information about setting up an email notification in CA Identity Manager, see the chapter "Email Notifications" in the CA Identity Manager Administration Guide.

Self-Service for Arcot Users

You can set up the following self-service tasks for Arcot:

For information about setting up self-service, search for "self service" in the bookshelf.

Configure the URL for the Return Link

Self-service tasks are usually triggered by a client application.

For example, an online banking phone app sends the user to a web page that lets the user download an ArcotID. After the task is complete the user clicks on a link to return to the banking app.

To enable this redirection, include the redirection URL at the end of the self-service task URL, in the following format:

&task.RedirectURL=url

Example: Redirect to the DemoBank site

In this example, Bob logs in to the DemoBank website to access his banking details. The DemoBank site shows Bob a link that lets him create and download an ArcotID:

http://servername:8080/iam/im/env/ui7/index.jsp?task.tag=DownloadMyArcotID&task.RedirectURL=http://demobank.com/money

The link starts with the following URL, which is enough to open the correct page:

http://servername:8080/iam/im/env/ui7/index.jsp?task.tag=DownloadMyArcotID

The link also includes the following information, which will send Bob back to his DemoBank page:

demobank.com/money
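
The check below is an added example, not part of the CA documentation or product code. It parses a self-service link in the format shown above and reports whether the task.RedirectURL target is an approved return host. The allowlist APPROVED_RETURN_HOSTS, the function audit_task_link, and the example.net links are assumptions constructed for the illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: the hosts this deployment has approved as return targets.
APPROVED_RETURN_HOSTS = {"demobank.com"}


def audit_task_link(link, approved=APPROVED_RETURN_HOSTS):
    """Return (task_tag, redirect_url, problems) for one self-service link."""
    params = parse_qs(urlsplit(link).query, keep_blank_values=True)
    problems = []

    tags = params.get("task.tag", [])
    if len(tags) != 1:
        problems.append("expected exactly one task.tag")
    tag = tags[0] if tags else None

    redirects = params.get("task.RedirectURL", [])
    if not redirects:
        # No return link requested: nothing further to check.
        return (tag, None, problems)
    if len(redirects) > 1:
        problems.append("task.RedirectURL appears more than once")

    target = urlsplit(redirects[0])
    if target.scheme not in ("http", "https"):
        problems.append("return URL scheme is not http or https")
    if target.username is not None or target.password is not None:
        # Text before '@' is userinfo, not the host the browser will visit.
        problems.append("return URL carries userinfo before the host")
    host = (target.hostname or "").lower()
    if host not in approved:
        # Exact match only: a suffix or substring match would accept lookalikes.
        problems.append(f"return host {host!r} is not approved")
    return (tag, redirects[0], problems)


# The link from the page, plus two constructed links that must be rejected.
BASE = "http://servername:8080/iam/im/env/ui7/index.jsp?task.tag=DownloadMyArcotID"
PAGE_LINK = BASE + "&task.RedirectURL=http://demobank.com/money"
LOOKALIKE_LINK = BASE + "&task.RedirectURL=http://demobank.com.example.net/money"
USERINFO_LINK = BASE + "&task.RedirectURL=http://demobank.com@example.net/money"

if __name__ == "__main__":
    for link in (PAGE_LINK, LOOKALIKE_LINK, USERINFO_LINK, BASE):
        print(audit_task_link(link))
```

A return URL that itself contains & or # must be percent-encoded before it is appended, otherwise the query-string parser cuts it short.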

Set the Client Used for Downloading the ArcotID

When you configure a self-service task, you can specify the type of client that will download the ArcotID. The connector currently supports the following clients:

If you use a Flash client, ensure that you configure the same client to be used for both downloading and authenticating ArcotID credentials. By default, the ArcotID is downloaded using the Flash client that was installed with CA Identity Manager.

Follow these steps:

  1. Configure one of the following self-service tasks:
  2. Choose the client type from the ArcotID Client Type list.
  3. If you selected Applet, do not enter a URL.

    If you selected Flash, the URL for the default Flash client is automatically entered in the ArcotID Flash Client Base URL field. This URL points to the Flash client that is installed with CA Identity Manager.

  4. Ensure that this URL matches the URL used by the application that authenticates the ArcotID, in one of these ways:

Provision ArcotID Credentials Using an Account Template

You can associate ArcotID credentials with an account template. When you create a new account from a template that includes ArcotID, CA Identity Manager creates the account and sets up the credentials with default values.

Follow these steps:

  1. In CA Identity Manager, select the Endpoint tab, then select Create Account Template or Modify Account Template.
  2. Set up the account template as usual, then select the ArcotID tab.
  3. Select the Create ArcotID check box.

    The fields for setting up the ArcotID appear.

  4. In the ArcotID password field, enter a rule for the password. For example, %AC%123.

    Note: You cannot use %P% for the ArcotID password rule.

  5. Verify that the rule will create a password that meets the password requirements of WebFort.
  6. Complete the account template, then click Submit.

When a provisioning role with this template is granted to a global user, CA Identity Manager creates the Arcot endpoint account and the ArcotID.

Note: The user does not receive an automatic email when an ArcotID is created using an account template.

Provision QnA Credentials Using an Account Template

You can associate QnA credentials with an account template. When you create a new account from a template that includes QnA, CA Identity Manager creates the account and sets up the credentials with default values.

The user must change the questions and answers, because any defaults that the account receives from its account template are not secure. The answers should be known by the user only.

Follow these steps:

  1. In CA Identity Manager, select the Endpoint tab, then select Create Account Template or Modify Account Template.
  2. Set up the account template as usual, then select the QnA tab.
  3. Select the Create QnA check box.

    The fields for setting up the questions and answers appear.

  4. In the QnA section, click Add, then type a question and answer in the fields.
  5. Repeat Step 3 for each new pair of question and answer.

    The following table shows some example questions and answers:

    Question                           Answer
    What is your favorite color?       Enter your color
    What was your first pet's name?    Enter the name

  6. Verify that the questions and answers meet the requirements of the WebFort QnA profile.
  7. Complete the account template, then click Submit.

When a provisioning role with this template is granted to a global user, CA Identity Manager creates the Arcot endpoint account and the QnA.

Note: The user does not receive an automatic email when QnA is configured using an account template.