Frequently Asked Questions
General
What is a Service Identity?
What can a Service Identity be used for?
- Some desktop access such as general student computing labs
- Shared desktop access
- Shared email access where mailing list and email features don't suffice, e.g. position related, dean of a faculty, photocopy feature scan to email
- Service accounts (e.g. embedded in server configuration or programming code, voicemail for a telephone in a lab)
A service identity may be appropriate to provide strictly internet access to a visiting individual who is at Western briefly and does not fit the Associated Person criteria noted below.
What can a Service Identity NOT be used for?
A service identity cannot be used as a primary account for an individual who has a relationship with Western that should be managed as an *Associated Person. An Associated Person is an individual who has a recognized and approved affiliation with Western University, but who is not an employee of Western, e.g. visiting scholar, visiting researcher, volunteer, etc.
A service identity cannot be used to access individually licensed applications or services such as:
- OWL (e.g. safety training)
- Western wireless
- Zoom
- PeopleSoft applications (e.g. Human Resources, Financial Services)
- Library services
- Western One Card
* For more information on the Associated Person process, contact the Administrative Officer designated in your department/unit who is responsible for the management/approval of these registrations.
Who can request a Service Identity?
Any valid Western Faculty and Staff member with approval from his/her Dean or Budget head.
What are the unit responsibilities with regards to a Service Identity?
Responsibility for unit Service Identities is shared between a minimum of (2) contacts, the unit approver and requester. Both are responsible for the day-to-day management of the account which includes but is not limited to:
- Activating new accounts
- Renewing accounts due to expire
- Managing and securing the password for accounts
- Providing additional information on usage of the account in event of a security investigation
How do I manage my Service Identity?
The management of Service Identities is primarily done within Western Identity Manager. See below for the list of common account management tasks.
- Request a new Service Identity
- Activate a Service Identity
- Renew a Service Identity
- Manage a Service Identity password
- Manage SI MFA Device and DUO Profile
- Edit a Service Identity's attributes
- Find my Service Identity
- Disable a Service Identity
- Changing Contact Information on a Service Identity
What is the life-cycle of a Service Identity?
Stage 1- Account is requested. Western Identity Manager form is properly filled out and an email is automatically sent to the WTS Computer Accounts Office to begin the approval process. More info on requesting an account.
Stage 2- Approval process. The WTS Computer Office will validate the request, for example: is the requester allowed to own a Service Identity, or are there alternative solutions that would better serve the request (mailing lists, etc.)?
Stage 3- Creation of account. If approval process is successful, WTS Computer Accounts Office will create the account and notify both the requester as well as the business unit approver when the new account has been created.
Stage 4- Not activated status. The account is not currently useful, waiting to be activated. All services are disabled.
Stage 5- Activation of the account. Activation is completed using Western Identity Manager. More info on activating an account.
Stage 6- Active status. The account is in a useful state. The account will remain this way until the end of day on the expiry date. The account may be renewed at any time during active or expired status. More info on renewing an account.
Stage 7- First Notice of expiry. An initial warning of an upcoming expiry is sent to all service identity contacts. The account may be renewed any time during active or expired status. More info on renewing an account.
Stage 8- Second notice of expiry. A secondary warning of an upcoming expiry is sent to all service identity contacts. The account may be renewed any time during active or expired status. More info on renewing an account.
Stage 9- Expiration. The account is expired automatically at the end of day on the expiration date. The password on the account is changed, preventing access to all services associated with the account.
Stage 10- Expired Status. If you missed the expiration notice of your Service Identity, the access can still be renewed 30 days after expiration. Please note that, in addition to renewing an expired SI, you will also need to change/reset the password.
Stage 11- No longer accessible. The service identity and all its content are deleted and removed from Identity Manager and are no longer accessible to the Service Identity contacts.
How do I access Email for an SI?
It is recommended that you use the web mail interface to access your SI mailbox. If you are using this interface to check your own personal email then you are best to use different browsers for each account to avoid browser caching issues e.g. use Edge for your personal account and Chrome for your service identity account.
I didn't receive an MFA prompt for my SI Email, what should I do?
Make sure you selected your mobile device from the drop down menu. If you don't see your device in the drop down menu, follow up with the SI Contact to make sure:
- Your device has been added to the DUO/MFA SI profile
- They have selected Ask me to choose an authentication method when setting up the device.
DUO/MFA
How do I set up DUO for an SI – Service Identity?
Note that it must be done by an SI Contact. If you are not a Contact for the Service Identity, you will not have the ability to manage the DUO/MFA profile for it.
- Browse to Western Identity Manager.
- Enter your Western User ID and Password.
- Click Login.
- Select Service Identities
- Search for the SI whose MFA you are updating
- Place a checkmark on the SI and select Manage MFA
- Select Launch DUO Manager
The remaining setup for MFA is similar to what you went through for setting up your personal DUO profile, with one small exception. Refer to Managing your MFA Devices.
To extend the Service Identity concept of multiple persons having access to a single mailbox, you will need to add additional devices. Refer to Managing your MFA Devices > add additional devices on the MFA FAQ page. For each person accessing the SI:
- The SI Contact arranges a time with the users of the SI to set up their authentication device with them.
- In the Duo device management portal (DDMP), the SI Contact adds the device phone number that the user provides.
- If required, the user of the SI will need to validate the contact adding their device by providing the contact with the 6 digit code they get via SMS or phone call.
- The SI Contact enters the 6 digit code to complete the setup.
Individuals will need to use the Other Options when using the SI in order to select the appropriate device relationship. If you do not add multiple devices for the SI then the users cannot select their own device to respond to the prompt. Instead the prompt will go to yourself as the sole contact device listed for the SI. This would require:
- The user of the SI waiting for you to validate the MFA prompt, with possible timeouts if you don't validate the prompt in time.
- You as the SI Contact to verify who among your team submitted the MFA request to ensure it is valid.
What can I expect when MFA is enforced on my SI for Office 365/Email?
- MFA will need to be set up just one time for the Service Identity and can be used for any service that the SI is used for that will require MFA in the future.
- Using MFA with the SI to access Office 365 will be the same experience as using it with your personal account – you will need to accept the MFA prompt when it is presented.
- When prompted for MFA, you will need to select your device from the list of devices that may be available so that you can respond to the prompt with your own device.
- The device used for your personal account can also be used for the Service Identity.
- There will be no impact to other services this SI might be used for. If/when those other services require use of MFA, you will be notified.