Update the IdP URL for mobile tokens
This migration procedure is required only if your organization uses mobile soft tokens with push authentication capabilities.
This procedure describes how to update the identity provider URL in mobile soft tokens. The identity provider URL is used for push authentication (a form of transaction verification), transaction verification, and updates to soft token customization.
Complete this procedure after the export and migration procedures described earlier in this document.
The procedure consists of two main tasks:
- Updating the identity provider URL in the transaction component's `web.xml` file.
- Deploying a new JAR file.

Be sure you've updated to the most recent patch of your Entrust Identity Enterprise Self-Service installation (with installation 12.0, Patch 450438 or newer; with installation 13.0, Patch 452874 or newer).
To configure the Transaction component to re-register soft token identities with Entrust Identity as a Service
1. Go to the directory `$IGSELFSERVICE_HOME/webapps/server/igst/WEB-INF` and create a backup copy of the `web.xml` file (for example, `web.xml.bak`). Make sure the `web.xml` file is writable; if it is not, make it so.

2. Shut down the Entrust Identity Enterprise Self-Service Module service.

   On Windows:
   a. Open the Services Panel.
   b. Select Entrust Identity Enterprise Self-Service Module.
   c. Select Stop the service.

   On Linux:
   a. Navigate to the `bin` directory of the installation.
   b. Issue the following command:

   ```
   ./igselfservice.sh stop
   ```

3. Open the `web.xml` file in an editor.

   - If you are running Entrust Identity Enterprise Self-Service Module 13.0, update to the newest Patch (452874 or newer) and skip to Step 6.

   OR

   - If you are running Entrust IdentityGuard Self-Service Module Release 12.0, update to the newest Patch (450438 or newer) and skip to Step 5.

   OR

   - If you are running a release between Self-Service Module 10.2.x and 11.0, continue to Step 4.

4. If your Self-Service Module installation is at 11.0 or earlier, you must add a new section to the `web.xml` file to provide a filter definition and its associated mapping. To do so, complete the following steps.

   a. Copy the following XML block from this document and paste it into `web.xml` before the first `<servlet>` definition:

   ```xml
   <!-- Servlet Filter for adding a X-New-Identity-Provider HTTP header if required -->
   <filter>
     <filter-name>New Identity Provider Filter</filter-name>
     <filter-class>com.entrust.identityGuard.selfService.transaction.NewIdentityProviderFilter</filter-class>
     <!-- Uncomment the <init-param> element and change the <param-value> as appropriate. -->
     <!--
     <init-param>
       <param-name>newIdentityProvider</param-name>
       <param-value>https://<example>.us.trustedauth.com/api/mobile</param-value>
     </init-param>
     -->
     <!-- If you want to progressively migrate users based on alias prefix,
          change the <param-value> settings below so they represent the alias
          prefix associated with users who have been imported into Identity as
          a Service and what that alias prefix should be changed to once the
          new Identity Provider Address has been set and the user is fully
          migrated. For the softTokenMigratedComment initialization parameter,
          change the provided value if you want a different comment to be added
          for those soft tokens that have been migrated. If you don't want any
          comment added, provide an empty <param-value/> element. Then,
          uncomment all three <init-param> elements below. -->
     <!--
     <init-param>
       <param-name>aliasPrefixImported</param-name>
       <param-value>IMPORTED_</param-value>
     </init-param>
     <init-param>
       <param-name>aliasPrefixMigrated</param-name>
       <param-value>MIGRATED_</param-value>
     </init-param>
     <init-param>
       <param-name>softTokenMigratedComment</param-name>
       <param-value>Soft token has been migrated to Entrust Identity as a Service.</param-value>
     </init-param>
     -->
   </filter>
   <!-- Apply the new identity provider filter to the /txnpoll request -->
   <filter-mapping>
     <filter-name>New Identity Provider Filter</filter-name>
     <url-pattern>/txnpoll</url-pattern>
     <dispatcher>REQUEST</dispatcher>
   </filter-mapping>
   ```

5. If you are running Self-Service Module Release 12.0 Patch 450438 or newer, you already have the `<filter>` and `<filter-mapping>` elements discussed in Step 4. This step describes how to add the new progressive migration initialization parameters. Before the terminating `</filter>` tag of the New Identity Provider Filter, insert the following:

   ```xml
   <!-- If you want to progressively migrate users based on alias prefix,
        change the <param-value> settings below so they represent the alias
        prefix associated with users who have been imported into Identity as
        a Service and what that alias prefix should be changed to once the
        new Identity Provider Address has been set and the user is fully
        migrated. For the softTokenMigratedComment initialization parameter,
        change the provided value if you want a different comment to be added
        for those soft tokens that have been migrated. If you don't want any
        comment added, provide an empty <param-value/> element. Then,
        uncomment all three <init-param> elements below. -->
   <!--
   <init-param>
     <param-name>aliasPrefixImported</param-name>
     <param-value>IMPORTED_</param-value>
   </init-param>
   <init-param>
     <param-name>aliasPrefixMigrated</param-name>
     <param-value>MIGRATED_</param-value>
   </init-param>
   <init-param>
     <param-name>softTokenMigratedComment</param-name>
     <param-value>Soft token has been migrated to Entrust Identity as a Service.</param-value>
   </init-param>
   -->
   ```

6. Edit the value of the `newIdentityProvider` parameter associated with the New Identity Provider filter. The portion of interest is as below:

   ```xml
   <!--
   <init-param>
     <param-name>newIdentityProvider</param-name>
     <param-value>https://<example>.us.trustedauth.com/api/mobile</param-value>
   </init-param>
   -->
   ```

   This value depends on your specific Entrust Identity as a Service instance. Replace the placeholder `<example>` with your Entrust Identity as a Service account URL prefix, for example, `MyCorp`. After you provide the correct value, uncomment the `<init-param>` element by removing the leading `<!--` and trailing `-->`.

7. If you wish to migrate your users and their associated soft tokens progressively, rather than all at once, uncomment the three `<init-param>` elements and set values for `aliasPrefixImported`, `aliasPrefixMigrated`, and `softTokenMigratedComment`.

   Note: User aliases (the sum of the alias prefix and the username) must not exceed 255 characters in length.

8. Save the changes to `web.xml`.

9. If you are running SSM release 13.0, ensure you have updated to the latest patch. You can then skip to Step 10.

   If you are using SSM release 12.0 or earlier, you must deploy a new JAR file. The JAR file is contained in a ZIP file that you can download from Entrust Trusted Care: https://trustedcare.entrust.com/.

   Complete the following steps to deploy the JAR file:

   If you are using SSM release 12.0:
   a. Ensure you have updated to SSM Release 12.0 Patch 450438 or newer.
   b. Save a copy of the current JAR file `IdentityGuardSelfServiceNewIdentityProviderFilter.jar` in `$IGSELFSERVICE_HOME/webapps/server/igst/WEB-INF/lib` and give it the name `IdentityGuardSelfServiceNewIdentityProviderFilter.jar.bak`.

   From the ZIP file `IGSSM_MobileSoftTokenMigrationFilter_20.zip`, copy the new version of the file `IdentityGuardSelfServiceNewIdentityProviderFilter.jar` into the directory `$IGSELFSERVICE_HOME/webapps/server/igst/WEB-INF/lib`.

   If you are using an SSM release 11.0 or earlier:
   a. From the ZIP file `IGSSM_MobileSoftTokenMigrationFilter_20.zip`, copy the file `IdentityGuardSelfServiceNewIdentityProviderFilter.jar` into the directory `$IGSELFSERVICE_HOME/webapps/server/igst/WEB-INF/lib`.

10. Restart the Entrust Identity Enterprise Self-Service Module service.

    On Windows:
    a. Open the Services Panel.
    b. Select Entrust Identity Enterprise Self-Service Module.
    c. Select Start the service.

    On Linux:
    a. Navigate to the `bin` directory of the installation.
    b. Issue the following command:

    ```
    ./igselfservice.sh start
    ```

11. Your user community must update their Entrust Identity mobile application to version 22.6.1 or newer. Users do not need to perform any configuration steps to update the identity provider URL. The app updates the URL on the first invocation after successful completion of this procedure.
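The following Python check is an added example, not part of the Entrust documentation or tooling. It validates the edited `web.xml` before the service is restarted in Step 10: the file still parses, the filter is mapped to `/txnpoll`, `newIdentityProvider` is uncommented and uses `https`, and the progressive-migration parameters are set together and respect the 255-character alias limit. The names `check_web_xml` and `longest_username` and the `mycorp` sample are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

FILTER_NAME = "New Identity Provider Filter"
PROGRESSIVE = ("aliasPrefixImported", "aliasPrefixMigrated", "softTokenMigratedComment")
# Constructed sample: a minimal web.xml after Steps 4 and 6, tenant prefix "mycorp".
SAMPLE = """<web-app>
  <filter>
    <filter-name>New Identity Provider Filter</filter-name>
    <filter-class>com.entrust.identityGuard.selfService.transaction.NewIdentityProviderFilter</filter-class>
    <init-param><param-name>newIdentityProvider</param-name>
      <param-value>https://mycorp.us.trustedauth.com/api/mobile</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>New Identity Provider Filter</filter-name>
    <url-pattern>/txnpoll</url-pattern><dispatcher>REQUEST</dispatcher></filter-mapping>
</web-app>"""

def _text(elem, name):
    """Text of the first child called `name`, ignoring any XML namespace; None if absent."""
    for child in elem:
        if child.tag.rsplit("}", 1)[-1] == name:
            return (child.text or "").strip()
    return None

def check_web_xml(xml_text, longest_username=0):
    """Return a list of problems in the edited web.xml; an empty list means it passed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Uncommenting without replacing the <example> placeholder ends up here.
        return [f"not well-formed XML: {exc}"]
    named = [e for e in root if _text(e, "filter-name") == FILTER_NAME]
    filt = next((e for e in named if e.tag.endswith("filter")), None)
    if filt is None:
        return ["New Identity Provider Filter definition is missing"]
    problems = []
    if not any(e.tag.endswith("filter-mapping") and _text(e, "url-pattern") == "/txnpoll" for e in named):
        problems.append("filter is not mapped to /txnpoll")
    # The parser drops comments, so only uncommented init-params appear here.
    params = {_text(p, "param-name"): _text(p, "param-value") or "" for p in filt if p.tag.endswith("init-param")}
    url = urlparse(params.get("newIdentityProvider", ""))
    if url.scheme != "https" or not url.hostname:
        problems.append("newIdentityProvider is commented out or not an https URL")
    if 0 < sum(n in params for n in PROGRESSIVE) < len(PROGRESSIVE):
        problems.append("progressive migration needs all three init-params")
    for n in PROGRESSIVE[:2]:
        if n in params and len(params[n]) + longest_username > 255:
            problems.append(f"{n} plus longest username exceeds 255 characters")
    return problems
```

Pass the contents of the saved `web.xml` and the length of the longest username in your directory; an empty list means the checks passed.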