User Management
Create New User
To create a new user, follow these steps:
- Log in to your AdminX panel and navigate to the Users page.
- Select the appropriate user directory into which the new user should be created.
- Click Create New User.
- Enter the following User's Account Information:
- Username: Enter a username to associate with the account
- Role: The role determines permissions and authority associated with the account. Please see User Roles below for more detailed information.
- Status: Select between Active or Disabled. Disabled accounts cannot log in or access any account information.
- Under User Information, provide the following details:
- Firstname: User's first name
- Middlename: Optionally enter a middle name or initial
- Lastname: User's last name
- Enter the user's Contact Information:
- Primary Email Address: Primary email associated with the account
- Secondary Email Address: Optional fallback email to use in the event the primary email cannot be accessed
- Phone Number: Phone number associated with the account, used to deliver One-Time Passcodes (OTP)
- Send User Invitation Email to: Where the user invitation should be sent
- After entering all the user information, click Create to finish the new account creation.
If you want to send an email invite, you must select the appropriate email template to be used for delivering the invitation. You can also edit the template using the built-in rich text editor by clicking Edit Template.
Click Send Invite to deliver the invitation to the user's email or phone number as selected.
Edit Existing User
To view or edit the settings of an existing user, log in to your AdminX panel as a community administrator and navigate to the Users page.
Scroll down to the user you wish to edit and click the three-dot (ellipsis) icon to open the Actions menu. Select Edit Profile to view and edit the user's Account Information.
Edit any settings as desired, and click Save.
User Roles
There are three primary roles that can be used for user accounts in AdminX: Basic User, Community Administrator, and Helpdesk Administrator.
Basic User
This is the basic user profile that your customers and basic users will use.
The Basic User role allows users to view their own profile information, see which devices are associated with their accounts, and see their past account invites. All administrative options are removed.
Community Administrator
The Community Administrator role contains the highest privileges and the ability to configure Identity Provider (IdP) options and manage settings for the AdminX portal itself.
The Community Administrator role has the power to set BlockID session attributes, edit authentication options, add, edit, or remove user directories, add SAML and OIDC applications for SSO, view and download reports, and set and change all other configuration settings within AdminX.
Community Administrators can edit profile information for all accounts, remove devices that are associated with the accounts, and send new invites for all accounts.
With the introduction of the aliases feature, the community administrator can use the Manage Username Aliases button on the Profile Information page to associate a maximum of eight alias names with the user. These aliases are displayed as attributes, and the administrator can use them when mapping to SAML claims. The user can then use an alias name to log in to the following applications:
- AdminX
- Linux Credential Provider
- Mac Credential Provider
- Windows Credential Provider
- Radius Applications
- Step-up OIDC
To associate an alias name with a user, follow these steps:
- After navigating to the Profile Information page of a user, click Manage Username Aliases. The Manage Username Aliases window is displayed.
- In the Username Aliases field, specify one or more alias names and click Save. The user can then use the alias names to log in.
Note:
- Aliases must be unique. They are only supported on the login page, specifically in the username tab.
- Aliases are NOT supported in:
- QR code
- Reset Password, Forgot Password, or any other flows
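The alias rules above (at most eight per user, globally unique, honoured only in the username tab of the login page and ignored by QR code and reset flows) modelled as a small directory, as an added example that is not 1Kosmos or AdminX code. The flow names, the User/AliasDirectory types, and the rule that an alias may not collide with an existing username are assumptions for illustration.

```python
# Added example (not 1Kosmos/AdminX code): a model of the documented alias rules.
from dataclasses import dataclass, field

MAX_ALIASES = 8
# Flows in which an alias is accepted as the identifier (assumption: only the
# username tab of the login page, as the note above states).
ALIAS_FLOWS = {"login_username_tab"}


@dataclass
class User:
    username: str
    aliases: list = field(default_factory=list)


class AliasDirectory:
    def __init__(self):
        self.users = {}        # username -> User
        self.alias_owner = {}  # alias -> username; enforces global uniqueness

    def add_user(self, username):
        if username in self.users or username in self.alias_owner:
            raise ValueError(f"identifier already in use: {username}")
        self.users[username] = User(username)

    def set_aliases(self, username, aliases):
        """Replace a user's aliases, enforcing the count and uniqueness rules."""
        user = self.users[username]
        new = list(dict.fromkeys(aliases))            # drop duplicates in the input
        if len(new) > MAX_ALIASES:
            raise ValueError(f"at most {MAX_ALIASES} aliases allowed, got {len(new)}")
        for alias in new:
            owner = self.alias_owner.get(alias)
            # Assumption: an alias must not equal any username either.
            if alias in self.users or (owner is not None and owner != username):
                raise ValueError(f"alias not unique: {alias}")
        for old in user.aliases:                      # release aliases being removed
            self.alias_owner.pop(old, None)
        user.aliases = new
        for alias in new:
            self.alias_owner[alias] = username

    def resolve(self, identifier, flow):
        """Map a typed identifier to a username, or None if not accepted in this flow."""
        if identifier in self.users:
            return identifier
        if flow in ALIAS_FLOWS:
            return self.alias_owner.get(identifier)
        return None  # QR code, Reset/Forgot Password and other flows ignore aliases
```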
Applications Utilizing Aliases for Authentication
This section provides information on using Aliases in various applications:
- Accessing Radius Applications
- Using Aliases in Credential Provider
- Performing SAML/OIDC authentication using Aliases
Accessing Radius Applications
When using a Radius application, you can enter an alias name of a user instead of the username while authenticating with a password, Interactive Voice Response (IVR), push notification, or OTP.
After authenticating to the Radius application using an alias name, the Event Logs page shows the alias name that was used. The following screenshot illustrates an example of push authentication in Radius.
Using Aliases in Credential Provider
The V2 credential provider (CP) module uses the adaptive authentication journey mechanism to tailor authentication configurations for users based on business needs. When using a credential provider to log in, you can enter an alias name of a user instead of the username while authenticating with a password, push notification, OTP, or FIDO.
Note:
- The adaptive authentication journey for CP can only be configured through the database, not through the AdminX interface. It is recommended not to configure the adaptive auth journey in the AdminX interface, because it will override the existing DB settings.
- If no adaptive auth journeys are configured for CP, then the CP uses the following default journeys:
- Password
- OTP
- FIDO
- Password + OTP
- Password + FIDO
- OTP + FIDO
If you have configured Windows CP with the OTP option, you must also enter your password to log in.
The following example illustrates a scenario using the Windows V2 CP:
Connecting to Virtual Machines Through RDP Using Aliases
To connect to virtual machines using Aliases, follow these steps:
Prerequisites:
- Make sure that you have configured an alias name for the user.
- You must have installed the CP on the host or home machine from which you are connecting to the remote system.
- Log in to a Remote Desktop Connection.
- Log in with BlockID.
- In the Enter your username field, specify your alias name.
- Select the appropriate authentication method. The following screenshot shows an example of selecting OTP.
Note: While configuring the adaptive authentication journey, if only one authentication method has been configured, the user is prompted directly for that method.
- After selecting the OTP option, enter the verification code and then type the password.
You will then be logged in to the remote system.
Note:
- In the case of the Windows credential provider, it is mandatory to use the password when you use an alias to log in to the server.
- In the case of Linux SSH login with an alias, password authentication does not work, because the password cannot be validated through 1Kosmos when the directory is not linked. If multiple authentication methods are configured in the adaptive auth journeys and password is one of them, the Linux SSH PAM module does not display the password option in the menu. However, if the administrator has configured only the password option for the user, the Linux SSH PAM module denies access to the user.
Performing SAML/OIDC authentication using Aliases
During SAML assertion or OIDC setup, you can set the NameID attribute to alias1, alias2, and so on. When an alias name is used for SAML authentication, the id_token parameter carries the alias name that was used. If no alias name is associated with the user, the id_token carries the default value configured in the claims, where the claims are the user attributes transferred during the SAML assertion. If neither an alias name is added to the user nor a default value is configured in the claims, the authentication fails and displays the reason for the failure.
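The NameID fallback order described above (alias at the configured slot, else the claim default, else a failure with a reason) as an added example that is not 1Kosmos code. The claim configuration shape (a "name_id" source such as "alias2" plus an optional "default") and the AuthenticationError type are assumptions for illustration.

```python
# Added example (not 1Kosmos code): resolve the SAML NameID / OIDC subject
# value for a user from the alias mapping documented above.
import re


class AuthenticationError(Exception):
    """Raised when no NameID value can be produced; the message gives the reason."""


def resolve_name_id(user, claim_config):
    """Return the NameID value for `user` according to `claim_config`.

    user: dict with "username" and an ordered "aliases" list (alias1 first).
    claim_config: {"name_id": "alias1" | "alias2" | ... | "username",
                   "default": optional fallback value}   # assumed shape
    """
    source = claim_config["name_id"]
    if source == "username":
        return user["username"]
    m = re.fullmatch(r"alias(\d+)", source)
    if not m:
        raise ValueError(f"unsupported NameID source: {source}")
    index = int(m.group(1)) - 1  # alias1 is the first configured alias
    aliases = user.get("aliases", [])
    if 0 <= index < len(aliases):
        return aliases[index]  # id_token carries the alias that was used
    default = claim_config.get("default")
    if default:
        return default  # no alias in that slot: fall back to the claim default
    raise AuthenticationError(
        f"user {user['username']!r} has no {source} and no default is configured")


def build_subject_claims(user, claim_config):
    """Assemble the subject-related claims (assumed layout) for the assertion/id_token."""
    return {"sub": resolve_name_id(user, claim_config),
            "preferred_username": user["username"],
            "aliases": list(user.get("aliases", []))}
```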
Helpdesk Administrator
The Helpdesk Administrator role has the privileges necessary to troubleshoot any problems that users might encounter with the tenant. Helpdesk Administrators can see and download reports and logs, and view SAML and OIDC application information.
In order to assist with user troubleshooting, Helpdesk Administrators can view profile information for all user accounts, see which devices are associated with the accounts, and view invites for all user accounts.