Manager Identification
When a user authenticates with Manager Identification, an authentication request is sent to their manager in the form of a text message or email. Their manager must then confirm the user’s identity by approving the request.
Note: To make use of Manager Identification:
- Each user account must have a manager assigned to them in Active Directory.
- Each manager account must have an email address/mobile phone number associated with their account in Active Directory, to be able to receive authentication requests from users.
If you choose to send notifications in the form of a text message, you can add customized text, URLs, and placeholders to the text message body.
If you choose to send notifications in the form of an email, you can add: customized text, URLs, media (images and videos), tables, and placeholders to the email body.
You can select a placeholder from the menu and insert it into the text of an email or text message notification. Placeholders represent pieces of information related to the user sending the request and the manager receiving it, such as: manager or user account names, email addresses, and phone numbers. When the request notification is sent out, placeholders in the body are automatically replaced with information specific to the manager and user involved.
Note: Information such as phone numbers, email addresses, and user/manager display names are taken directly from Active Directory.
Examples:
- %ManagerDisplayName% might be replaced with Mark Smith.
- %UserEmail% might be replaced with sjones@myorganization.com.
- %UserMobile% might be replaced with 071234567.
Configuring an email request notification
- In Specops Authentication Web , click Identity Services.
- From the Identity Services list, select Manager Identification.
- Click the Notifications tab.
- Click New.
- From the Event drop down, select User received Manager Identification request.
- From the Action drop down, select Email.
- Click Next.
- In the From field, enter the email address of a user that exists in your organization’s domain.
- In the To field, enter the email address of a manager that exists in your organization’s domain. The user you have selected in the From field, must report directly to this manager in Active Directory. The domain of all email addresses must match the domain that is registered with your organization. Email addresses that do not match your organization’s domain, cannot be used.
- In the Subject field, enter a subject for the request notification. You can insert placeholders into this field if required. This can be useful in providing the manager with more context. %ManagerSignInTarget% sign in request from %UserAccountName%”. The %ManagerSignInTarget% is the resource that the user is trying to gain access to, such as Specops uReset 8 or other Specops products.
-
In the Body field, you can either use the default template
provided, or add your own content to the body of the email. The body of
the email is a combination of text and placeholders. On the right-hand
side, you can select and insert specific placeholders into the body,
such as the user/manager email address, user/manager mobile number,
user/manager display name, and manager verification URL. When the
request is sent to a manager, these placeholders are automatically
populated with the relevant user/manager information.
When using the Insert link button in the ribbon and putting the URL placeholder in the To what URL should this link go? field, make sure to uncheck the Use default protocol checkbox. If this is not unchecked, the resulting link will not work because of a repeated "http://" inserted before the link.
- When you have finished configuring the notification request, click Save.
Configure a text message request notification
- Click the Notifications tab.
- Click New.
- From the Event drop down, select User received Manager Identificationrequest.
- From the Action drop down, select Text message.
- Click Next.
- In the Number field, enter the mobile phone number of the manager receiving the request notification.
- In the Message field, you can add your own content to the body of the message. The message body is a combination of text and placeholders. On the right-hand side, you can select and insert specific placeholders into the body, such as the user/manager email address, user/manager mobile number, user/manager display name, and manager verification URL. When the request is sent to the manager, these placeholders are automatically populated with relevant user/ manager information. The %ManagerVerificationUrl% placeholder must be included in the body of text message, so that the manager can verify the request.
- Select the Enabled checkbox, to enable the message template.
- When you have finished configuring the notification request, click Save.
Configure the Manager Identification authentication policy
Under the Policies tab, you can create a dynamic multi-factor authentication policy with which managers can authenticate before they can verify a request notification. You can decide which identity services a manager can use to in order to authenticate, as well as how secure each one is.
- Go to Identity services in the left navigation.
- Click on Manager Identification
- Click on the Policies tab.
- Configure your policy. For more information on how to configure a dynamic multi-factor authentication policy, see here.
- Click Save.