pulibrary / pul-it-handbook

Princeton Univ. Library Apps best practices and recommendations
BSD 3-Clause "New" or "Revised" License

Improve the documentation for retrieving an RSA soft token for DSpace server authentication #59

Open jrgriffiniii opened 4 years ago

jrgriffiniii commented 4 years ago

Users are required to download https://apps.apple.com/us/app/rsa-securid-software-token/id318038618 to their iPhone, and to properly configure this for single sign-on.

jrgriffiniii commented 4 years ago

Users also need to authenticate over the bastion host using the following command:

ssh -J libvijrg@epoxy.princeton.edu libvijrg@dataspace.princeton.edu

Where libvijrg is the NetID of the service account with elevated access for the servers.

jrgriffiniii commented 4 years ago

Document the process of setting the RSA PIN from the online dashboard for RSA token management. This is currently found on https://sdprsa200l.princeton.edu:7004/console-selfservice/SelfService.do.

jrgriffiniii commented 4 years ago

https://princeton.service-now.com/service?id=sc_cat_item&sys_id=a8f092884f569e00f56c0ad14210c791 is the form needed to request a soft token.

jrgriffiniii commented 4 years ago

Dept. ID should be LIB - Information Technology (41006). The fund should consistently be A0000.

The following fields may be left blank:

The associated server hostname should only be dataspace.princeton.edu. Please provide your service account NetID in the field Associated Elevated Service Account netID.

Manager Authorized to Approve this request should be Stephanie Ayers. New Token or Replacement should be New. Software or Hardware Token should be Software. Is this a temporary Token? should be No.

Please also provide the Make, Model and Mobile Operating System for the smartphone which you will be using with the RSA SecurID app:

Make: Samsung
Model: Galaxy S8 (Android 7)
Mobile Operating System: Android

No other fields are required.

jrgriffiniii commented 4 years ago

Users should receive a secure message (via e-mail) containing a confirmation that the request has been fulfilled.

jrgriffiniii commented 4 years ago

Users need to install GlobalProtect for their smartphones, and then first access the link provided for them by OIT in order to import a soft token into the RSA SecurID smartphone app. Once this has been provided, the user should attempt to authenticate to epoxy.princeton.edu.

jrgriffiniii commented 4 years ago

Please also link to https://princeton.service-now.com/service?id=csm_sc_cat_item&sys_id=588cfb664fcd124022a859dd0210c7ca in the documentation for requesting support from OIT.

jrgriffiniii commented 4 years ago

For each new user on the VMs, we will need to create OIT support requests in order to grant access for the new service account to escalate their own privileges to root, and to be able to authenticate through the bastion host.