Frequently Asked Questions

Service Identities are intended to be used for shared access to some centrally provided services including:

• Some desktop access such as general student computing labs
• Shared desktop access
• Shared email access where mailing list and email features don't suffice e.g. position related, dean of a faculty, photocopy feature scan to email Service accounts (e.g. embedded in server configuration or programming codes, voicemail for a telephone in a lab); or

A service identity may be appropriate to provide strictly internet access to a visiting individual who is at Western briefly and does not fit the Associated Person criteria noted below.

A primary account for an individual who has a relationship with Western that should be managed as an *Associated Person. An Associated Person is an individual who has a recognized and approved affiliation with Western University, but who is not an employee of Western e.g. visiting scholar, visiting researcher, volunteer, etc. This includes individuals who require access to any of the following services:

• OWL (e.g. safety training)
• Western wireless
• Zoom
• PeopleSoft applications (e.g. Human Resources, Financial Services)
• Library services
• Western One Card

A secondary account for an individual who has been assigned or will be assigned a personal Western identity.

* For more information on the Associated Person process, contact the Administrative Officer designated in your department/unit who is responsible for the management/approval of these registrations.

Any valid Western Faculty and Staff member with approval from his/her Dean or Budget head.

Responsibility for unit Service Identities is shared between a minimum of (2) contacts, the unit approver and requester. Both are responsible for the day-to-day management of the account which includes but is not limited to:

• Activating new accounts
• Renewing accounts due to expire
• Managing and securing the password for accounts
• Providing additional information on usage of the account in event of a security investigation

The management of Service Identities is primarily done within Western Identity Manager. See below for the list of common account management tasks.

• Request a new Service Identity
• Activate a Service Identity
• Renew a Service Identity
• Manage a Service Identity password
• Manage SI MFA Device and DUO Profile
• Edit a Service Identity's attributes
• Find my Service Identity
• Disable a Service Identity
• Changing Contact Information on a Service Identity

Stage 1- Account is requested. Western Identity Manager form is properly filled out and an email is automatically sent to the WTS Computer Accounts Office to begin the approval process. More info on requesting an account.

Stage 2- Approval process. The WTS Computer Office will validate the request for such things as; is the requestor allowed to own a Service Identity, or are there alternative solutions that would better serve the request? (mailing lists, etc.)

Stage 3- Creation of account. If approval process is successful, WTS Computer Accounts Office will create the account and notify both the requester as well as the business unit approver when the new account has been created.

Stage 4- Not activated status. The account is not currently useful, waiting to be activated. All services are disabled.

Stage 5- Activation of the account. Activation is completed using Western Identity Manager. More info on activating an account.

Step 6- Active status. The account is in a useful state. The account will remain this way until the end of day on the expiry date. The account may be renewed at any time during active or expired status. More info on renewing an account.

Stage 7- First Notice of expiry. An initial warning of an upcoming expiry is sent to all service identity contacts. The account may be renewed any time during active or expired status. More info on renewing an account.

Stage 8- Second notice of expiry. A secondary warning of an upcoming expiry is sent to all service identity contacts. The account may be renewed any time during active or expired status. More info on renewing an account.

Stage 9- Expiration. The account is expired automatically at the end of day on the expiration date. The password on the account is changed preventing access to all services associated wit the account.

Stage 10- Expired Status. If you missed the renewal of your Service Identity the access can still be re-instated from this expired date. Please note in addition to renewing the access, you will also need to change/reset the password.

Stage 11- No longer accessible. The account has been slated for clean up from Identity Manager and is no longer acessible to the Service Identity contacts.

It is recommended that you use the web mail interface to access your SI mailbox.  If you are using this interface to check your own personal email then you are best to use different browsers for each account to avoid browser caching issues e.g. use Edge for your personal account and Chrome for your service identity account.

Make sure you selected your mobile device from the drop down menu.  If you don't see your device in the drop down menu follow up with the SI Contact to make sure 

1. You device has been added to the DUO/MFA SI profile
2. They have selected Ask me to choose an authentication method when setting up the device.

Please note that setting up the duo/mfa profile for a Service Identity is done in MyMFA (mfa.uwo.ca) and must be done by an SI Contact.  If you are not a Contact for the Service Identity, you will not have access to set up the duo/mfa profile for it.

If setting up the DUO/MFA profile for an SI – Service Identity you will be prompted to sign in twice.

First login with SI credentials and you will receive a notification that "You have logged in with a service identity account.  Please re-authenticate with your Western Identity so that we can verify you are the account owner.

Login with your normal Western Identity credentials.  

Make note of the DUO account you are setting up, managing

Versus

The remaining setup for MFA is similar to what you went through for setting up your personal DUO profile with one small exception.  To extend the Service Identity concept of multiple persons having access to a single mailbox you will need to add additional devices.  Refer to sub Heading, Managing my MFA devices > add additional devices on MFA FAQ page.  For each person accessing the SI you will need to

1. SI Contact arrange time with the users of the SI to set up their authentication device with them.
2. In MyMFA, the SI Contact adds the device phone number that the user provides
3. If required, the user of the SI will need to validate the contact adding their device by providing the contact with the 6 digit code they get via SMS or phone call.
4. The SI Contact enters the 6 digit code to complete the set up

Please Note:
WTS recommends selecting Ask me to choose an authentication method when setting up MFA on an SI.  This will allow those using the SI to select their device at the MFA prompt and verify using their own device. 

If you do not add multiple devices for the SI then the users cannot select their own device to respond to the prompt.  Instead the prompt will go to yourself as the sole contact device listed for the SI.   This would require:

• The user of the SI waiting for you to validate the MFA prompt.  In addition to possible timesouts if you don't validate the prompt in time. 
• You as the SI Contact to verify who among your team submitted the MFA request to ensure it is valid.

• MFA will need to be set up just one time for the Service Identity and can be used for any service that the SI is used for that will require MFA in the future.

• Using MFA with the SI to access Office 365 will be the same experience as using it with your personal account – you will need to accept the MFA prompt when it is presented

• When prompted for MFA, you will need to select your device from the list of devices that may be available so that you can respond to the prompt with your own device

• The device used for your personal account can also be used for the Service Identity

• There will be no impact to other services this SI might be used for. If/when those other services require use of MFA, you will be notified.