Frequently Asked Questions

General

What is a Service Identity?

Service Identities are what would formerly be known as non-person accounts (NPA), generic accounts, and/or department accounts. On occasion, WTS creates electronic identities for access to central services where use of an individual’s personal identity is not appropriate. Because any identity that allows access to data and systems represents a potential risk to Western, it is necessary to ensure that all identity information is properly protected and managed.

What can a Service Identity be used for?

Service Identities are intended to be used for shared access to some centrally provided services including:

  • Some desktop access such as general student computing labs
  • Shared desktop access
  • Shared email access where mailing list and email features don't suffice, e.g. position related, dean of a faculty, photocopy feature scan to email
  • Service accounts (e.g. embedded in server configuration or programming codes, voicemail for a telephone in a lab)

A service identity may be appropriate to provide strictly internet access to a visiting individual who is at Western briefly and does not fit the Associated Person criteria noted below.

What can a Service Identity NOT be used for?

A primary account for an individual who has a relationship with Western that should be managed as an *Associated Person. An Associated Person is an individual who has a recognized and approved affiliation with Western University, but who is not an employee of Western e.g. visiting scholar, visiting researcher, volunteer, etc. This includes individuals who require access to any of the following services:

  • OWL (e.g. safety training)
  • Western wireless
  • Zoom
  • PeopleSoft applications (e.g. Human Resources, Financial Services)
  • Library services
  • Western One Card

A secondary account for an individual who has been assigned or will be assigned a personal Western identity.

* For more information on the Associated Person process, contact the Administrative Officer designated in your department/unit who is responsible for the management/approval of these registrations.

Who can request a Service Identity?

Any valid Western Faculty or Staff member with approval from his/her Dean or Budget head.

What are the unit responsibilities with regard to a Service Identity?

Responsibility for unit Service Identities is shared between a minimum of (2) contacts, the unit approver and requester. Both are responsible for the day-to-day management of the account which includes but is not limited to:

  • Activating new accounts
  • Renewing accounts due to expire
  • Managing and securing the password for accounts
  • Providing additional information on usage of the account in event of a security investigation

How do I manage my Service Identity?

The management of Service Identities is primarily done within Western Identity Manager. See below for the list of common account management tasks.

We recommend that the password be changed annually as part of renewal, or whenever someone who had access to the SI credentials leaves the team, department or university. Don't forget to remove their device from the MFA prompt too.

What is the life-cycle of a Service Identity?

Stage 1- Account is requested. The Western Identity Manager form is properly filled out and an email is automatically sent to the WTS Computer Accounts Office to begin the approval process. More info on requesting an account.

Stage 2- Approval process. The WTS Computer Office will validate the request for such things as: is the requester allowed to own a Service Identity, or are there alternative solutions that would better serve the request (mailing lists, etc.)?

Stage 3- Creation of account. If the approval process is successful, the WTS Computer Accounts Office will create the account and notify both the requester and the business unit approver when the new account has been created.

Stage 4- Not activated status. The account is not currently useful, waiting to be activated. All services are disabled.

Stage 5- Activation of the account. Activation is completed using Western Identity Manager. More info on activating an account.

Stage 6- Active status. The account is in a useful state. The account will remain this way until the end of day on the expiry date. The account may be renewed at any time during active or expired status. More info on renewing an account.

Stage 7- First Notice of expiry. An initial warning of an upcoming expiry is sent to all service identity contacts. The account may be renewed any time during active or expired status. More info on renewing an account.

Stage 8- Second notice of expiry. A secondary warning of an upcoming expiry is sent to all service identity contacts. The account may be renewed any time during active or expired status. More info on renewing an account.

Stage 9- Expiration. The account is expired automatically at the end of day on the expiration date. The password on the account is changed, preventing access to all services associated with the account.

Stage 10- Expired status. If you missed the renewal of your Service Identity, access can still be reinstated while the account is in expired status. Please note that in addition to renewing the access, you will also need to change/reset the password.

Stage 11- No longer accessible. The account has been slated for clean up from Identity Manager and is no longer accessible to the Service Identity contacts.

 

Email

How do I access Email for an SI?

The setup is the same as for a personal account; refer to the applicable setup guides and MYMFA Setup documentation. There might be a couple of wrinkles based on personal preference:

1) Create another account within the same Outlook profile.

2) Create a separate Outlook profile.

If you prefer to check your email online, it is best to use a different browser for each account to avoid browser caching issues, e.g. use Edge for your personal account and Chrome for your service identity account.

I didn't receive an MFA prompt for my SI Email, what should I do?

Make sure you selected your mobile device from the drop-down menu. If you don't see your device in the drop-down menu, follow up with the SI Contact to make sure:

  1. Your device has been added to the DUO/MFA SI profile
  2. They have selected Ask me to choose an authentication method when setting up the device.

DUO/MFA

How do I set up DUO for an SI – Service Identity?

Please note that setting up the duo/mfa profile for a Service Identity is done in MyMFA (mfa.uwo.ca) and must be done by an SI Contact.  If you are not a Contact for the Service Identity, you will not have access to set up the duo/mfa profile for it.

If setting up the DUO/MFA profile for an SI – Service Identity you will be prompted to sign in twice.

First log in with the SI credentials and you will receive a notification that "You have logged in with a service identity account.  Please re-authenticate with your Western Identity so that we can verify you are the account owner."

Log in with your normal Western Identity credentials.

Make note of the DUO account you are setting up or managing.

The remaining setup for MFA is similar to what you went through for setting up your personal DUO profile, with one small exception. To extend the Service Identity concept of multiple persons having access to a single mailbox, you will need to add additional devices. Refer to the subheading "Managing my MFA devices > add additional devices" on the MFA FAQ page. For each person accessing the SI, the following steps are needed:

  1. The SI Contact arranges a time with the users of the SI to set up their authentication device with them.
  2. In MyMFA, the SI Contact adds the device phone number that the user provides
  3. If required, the user of the SI will need to validate the contact adding their device by providing the contact with the 6 digit code they get via SMS or phone call.
  4. The SI Contact enters the 6 digit code to complete the set up

Please Note:
WTS recommends selecting Ask me to choose an authentication method when setting up MFA on an SI.  This will allow those using the SI to select their device at the MFA prompt and verify using their own device. 

If you do not add multiple devices for the SI, then the users cannot select their own device to respond to the prompt. Instead, the prompt will go to you as the sole contact device listed for the SI. This would require:

  • The user of the SI to wait for you to validate the MFA prompt, with possible timeouts if you don't validate the prompt in time.
  • You as the SI Contact to verify who among your team submitted the MFA request to ensure it is valid.

What can I expect when MFA is enforced on my SI for Office 365/Email?

  • MFA will need to be set up just one time for the Service Identity and can be used for any service that the SI is used for that will require MFA in the future.

  • Using MFA with the SI to access Office 365 will be the same experience as using it with your personal account – you will need to accept the MFA prompt when it is presented.

  • When prompted for MFA, you will need to select your device from the list of devices that may be available so that you can respond to the prompt with your own device.

  • The device used for your personal account can also be used for the Service Identity.

  • There will be no impact to other services this SI might be used for. If/when those other services require use of MFA, you will be notified. 

