End-user

Specops Secure Service Desk end-users have to be pre-enrolled with the identity services required for identification. In most cases this means that certain attributes in Active Directory need to have been defined before a user can identify with the identity service in question. Please refer to the Pre-enrollment section below to see what the pre-enrollment requirements are for the most common identity services.

Note that customers using Specops uReset can use existing multi-factor authentication enrollments defined in their uReset policies. These can include identity services other than the ones listed below.

Pre-enrollment


The list below includes the most common identity services used with Specops Secure Service Desk and their pre-enrollment criteria. More information on identity services can be found in the Reference Material section.

  • Email
    Pre-enrollment requirements: the user’s email address must be defined in the email attribute in Active Directory, or in another attribute if that attribute has been defined in the settings for Email in Secure Service Desk. For more information, see here (Identity Services section).
  • Mobile Code (SMS)
    Pre-enrollment requirements: the user’s mobile phone number must be defined in the mobile attribute in Active Directory, or in another attribute if that attribute has been defined in the settings for Mobile Code (SMS) in Secure Service Desk. For more information, see here.
  • Manager Identification
    Pre-enrollment requirements: the user account must have a manager assigned in Active Directory, and that manager must have an email address/mobile phone number associated with their account in Active Directory so that they can receive authentication requests from users. For more information, see here.
  • Okta
    Pre-enrollment requirements: the user’s UPN must be mapped to the Okta user profile attributes. For a full description of how to do that, see here.
  • Duo Security
    Pre-enrollment requirements: the user must be enrolled with Duo Security, and Duo Security must be linked to Specops Authentication. For more information, see here.
  • Symantec VIP
    Pre-enrollment requirements: Symantec VIP must be linked to Specops Authentication. For information on how to do that, see here.
  • Mobile Bank ID
    Pre-enrollment requirements: the user’s social security number must be defined in Active Directory.
  • SITHS eID
    Pre-enrollment requirements: the user’s HSA ID has to be defined in Active Directory, and in the settings for SITHS eID, the name of the attribute in Active Directory where that ID is stored has to be defined. For more information, see here.
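
The Active Directory requirements for Email, Mobile Code (SMS) and Manager Identification can be checked before rollout. The script below is an added example, not part of the Specops documentation or product. It assumes the ActiveDirectory PowerShell module is installed, that the email address is stored in the standard mail attribute and the mobile number in mobile, and that a manager with either an email address or a mobile number satisfies the Manager Identification requirement.

```powershell
# Added example: audit pre-enrollment readiness for Email, Mobile Code (SMS)
# and Manager Identification. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumption: default attributes. Change these if other attributes were
# configured in the Secure Service Desk settings for Email or Mobile Code (SMS).
$EmailAttribute  = 'mail'
$MobileAttribute = 'mobile'

# Cache manager lookups so each manager is read from AD only once.
$managerCache = @{}
function Get-ManagerContact {
    param([string]$ManagerDn)
    if (-not $managerCache.ContainsKey($ManagerDn)) {
        # Get-ADObject is used so that a manager of any object class resolves.
        $managerCache[$ManagerDn] = Get-ADObject -Identity $ManagerDn `
            -Properties $EmailAttribute, $MobileAttribute
    }
    $managerCache[$ManagerDn]
}

$report = Get-ADUser -Filter 'Enabled -eq $true' `
        -Properties $EmailAttribute, $MobileAttribute, 'manager' |
    ForEach-Object {
        $managerReady = $false
        if ($_.manager) {
            $m = Get-ManagerContact -ManagerDn $_.manager
            # Assumption: either contact method on the manager is sufficient.
            $managerReady = [bool]($m.$EmailAttribute -or $m.$MobileAttribute)
        }
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            EmailReady     = -not [string]::IsNullOrWhiteSpace($_.$EmailAttribute)
            MobileReady    = -not [string]::IsNullOrWhiteSpace($_.$MobileAttribute)
            ManagerReady   = $managerReady
        }
    }

# Users who cannot be identified with any of the three services.
$report |
    Where-Object { -not ($_.EmailReady -or $_.MobileReady -or $_.ManagerReady) } |
    Sort-Object SamAccountName |
    Format-Table -AutoSize
```

Users in the final table have none of the three identity services available and cannot be verified by the service desk until the missing attributes are populated.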

Enrolling with Passkeys


The Passkeys identity service allows users to authenticate with Specops Authentication using the passkeys they have already set up on their device. Some examples of passkeys are Windows Hello, YubiKey, Bitwarden and any authentication app such as Google Authenticator.

Users have to enroll with each passkey separately.

  1. Go to the login page and click Enroll.
  2. Authenticate to enter the enrollment page.
  3. Select Passkeys.
  4. Give the passkey you want to enroll a friendly name so that you can easily recognize it.
  5. Click Add.
  6. A list with all available passkeys will be shown in a pop-up. Click on the passkey you want to add.
    NOTE
    Which passkeys will be shown depends partly on the platform you are currently on. Platform-specific passkeys (such as Windows Hello on your computer) will only be shown if you log in from that platform. Cross-platform passkeys will always be shown.
  7. Authenticate with the passkey.
NOTE
You can enroll a maximum of five passkeys.
NOTE
When authenticating with Passkeys, the list of passkeys will show all available passkeys for the platform you are on (both enrolled and not enrolled). Note that you can only use enrolled passkeys to authenticate with Specops Authentication.
NOTE
When authenticating with Passkeys, the authentication session will time out after 60 seconds.