Service Provider
Entrust Identity as a Service (IDaaS) has a multi-tier account structure. The Service Provider portal lets partners and resellers manage the tenant accounts they own, including high-level tasks such as unlocking accounts or reviewing account metrics for billing.
To access the Service Provider portal, your IDaaS account must be upgraded to a Service Provider account. Users must be assigned a Service Provider role. A Super Account Manager can assign Service Provider roles to users. See Managing Service Provider roles for more information.
When a new tenant account is created, the first administrator to sign in must review and accept the legal terms and conditions immediately after signing in.
Changes made to IDaaS accounts from the Service Provider portal are permanent. Plan each change and confirm that you are authorized to make it before you act on another organization's account.
Language support
Service Provider is supported in English only.
Service Provider account hierarchy
Service Provider accounts are organized into three levels.
Entrust
Entrust is the top-level Service Provider. The Entrust Service Provider can perform high-level operations on any direct child account. Entrust manages top-level Service Provider accounts.
Standard tenant accounts
Standard tenant accounts can be created from the Entrust top-level account. One user of a standard tenant account is assigned the Super Administrator role. The Super Administrator of a standard tenant account can contact Entrust and request to have their account promoted to a Service Provider account.
Service Provider accounts
A standard tenant account Super Administrator whose account is promoted to a Service Provider account keeps the administrator role originally assigned. On promotion, the administrator is also assigned a Service Provider role, and the promoted tenant is sometimes called a Managed Service Provider (MSP).
A newly promoted Service Provider tenant account includes a Service Provider section that is unique to the account. After being promoted, the Service Provider can:
- Create standard tenant accounts.
- Manage tenant accounts.
- Promote standard tenant accounts to Service Provider accounts.
The Tenants page on a Service Provider tenant account shows a list of all child accounts.
Account entitlements
Entitlements determine the number of users or credentials for your account. The number of entitlements available depends on whether your account is a Trial account or a Production account.
Accounts created before Entrust Identity as a Service release 5.8 are classified as Unknown accounts and are treated as Production accounts. Entrust recommends that you review your accounts and convert them to either Trial or Production accounts, as required. See Upgrade trial accounts.
Authentication account entitlements set limits for an IDaaS authentication account, including the number of users and OTP/voice credits. IDaaS enforces entitlements whenever you attempt to add a user by comparing the current number of users to the maximum allowed in the entitlement. If the maximum number of user entitlements is reached, the attempt to add a user is denied.
Trial account entitlements
Trial accounts have the following restrictions:
- Trial accounts are available for 60 days with a maximum of 30 users.
- Trial accounts must be converted to Production accounts before the trial period expires.
- When a trial account expires, the account is automatically locked and you cannot access it.
- Trial accounts receive email warnings about account expiry 7 days, 3 days, and 1 day before the end of the trial period. When a trial account is created, the system enables email notifications to the first administrator's email address (see Settings > Notifications in the Administrator Portal, and Manage entitlement usage and expiration notifications).
Production account entitlements
Production accounts follow these rules:
- The entitlements given to a new tenant account cannot exceed those of the Service Provider account that created the tenant account.
- Entitlements given to a tenant account are subtracted from the Service Provider's total number of available entitlements.
- When a tenant account is promoted to a Service Provider account, the tenant's existing entitlements can be sub-allocated to its tenants. For example, a regular tenant has 1000 user entitlements and has 10 users. The tenant is promoted to a Service Provider. The newly promoted tenant can allocate up to 990 entitlements to its tenant accounts.
- If an attempt is made to exceed the maximum entitlements:
  - If you manually add users in excess of the allotted entitlements, a message appears indicating that no more users can be added to the account.
  - If users are created through a bulk import, the bulk import operation succeeds but a row failure is reported for each user in excess of the account entitlements.
  - If a directory synchronization attempts to add more users, the users beyond the entitlement are not added, even if the synchronization retries.
SMS and Voice account entitlements
This entitlement grants tenants the ability to receive OTPs through SMS or voice. Each SMS or voice OTP delivered consumes a number of credits based on the country associated with the mobile or voice number defined in the user account. When a tenant runs out of credits, SMS and voice OTP is not available.
The entitlement defines:
- Quantity - A numeric value that represents the number of SMS/voice credits available. As OTPs are delivered, the credits consumed are subtracted from this amount.
- Entitlement period - This is fixed to one year. Once the end date is reached, any credits not used are lost.
- Renewal quantity - A numeric value that represents SMS/voice credits for the next period. When the entitlement period reaches its end date, the entitlement is automatically extended for another year, the quantity is set to the renewal quantity value, and the renewal quantity is then reset to zero. A renewal quantity of zero at the end date therefore leaves the account with no SMS/voice credits for the new period.
Email OTP is always available in the following situations if the account user has a valid email address:
- Accounts without SMS and voice credits.
- Accounts with expired SMS and voice credits.
- Accounts with no credits remaining for SMS/voice OTP delivery.
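To make the credit rules above concrete, the following is an added example (not Entrust code) that models the SMS/voice entitlement: a per-country credit cost per OTP, the one-year period that discards unused credits at its end date and replaces the quantity with the renewal quantity (which then resets to zero), and the fall-back to email OTP whenever credits are absent, expired or exhausted. The tariff table, the user records and the timeline are constructed for illustration; the page does not give the real per-country costs.

```python
"""Model of the SMS/voice credit entitlement and the email OTP fallback.

Added example, not Entrust code. Class, field and function names are
assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed tariff: credits consumed per OTP, keyed by the country of the
# mobile or voice number on the user account. Real values are not on the page.
CREDITS_PER_OTP = {"US": 1, "GB": 1, "IN": 2}


class OtpDeliveryError(Exception):
    """No delivery channel is available for this user."""


def plus_one_year(d: date) -> date:
    try:
        return d.replace(year=d.year + 1)
    except ValueError:                  # 29 February has no counterpart next year
        return d.replace(year=d.year + 1, day=28)


@dataclass
class SmsVoiceEntitlement:
    quantity: int            # credits left in the current period
    renewal_quantity: int    # credits for the next period, or 0
    end_date: date           # the period is fixed at one year

    def roll_over_if_due(self, today: date) -> None:
        """At the end date unused credits are lost, the renewal quantity becomes
        the new quantity, and the renewal quantity resets to zero."""
        while today >= self.end_date:
            self.quantity = self.renewal_quantity
            self.renewal_quantity = 0
            self.end_date = plus_one_year(self.end_date)


@dataclass
class User:
    name: str
    country: str
    otp_channel: str               # "sms" or "voice", as configured on the account
    email: Optional[str] = None


def deliver_otp(ent: SmsVoiceEntitlement, user: User, today: date) -> str:
    """Choose the channel for one OTP and charge the entitlement.
    Returns the channel used: "sms", "voice" or "email"."""
    ent.roll_over_if_due(today)
    cost = CREDITS_PER_OTP[user.country]
    if ent.quantity >= cost:
        ent.quantity -= cost
        return user.otp_channel
    # No credits (none granted, period rolled over to zero, or exhausted):
    # email OTP is always available when the account has a valid email address.
    if user.email:
        return "email"
    raise OtpDeliveryError(f"{user.name}: no SMS/voice credits and no email address")


def worked_example() -> List[str]:
    """Constructed timeline: 5 credits, renewal quantity 3, period ending 2025-01-01."""
    ent = SmsVoiceEntitlement(quantity=5, renewal_quantity=3, end_date=date(2025, 1, 1))
    alice = User("alice", "US", "sms", "alice@example.com")
    raj = User("raj", "IN", "voice", "raj@example.com")
    log = []
    log.append(deliver_otp(ent, alice, date(2024, 6, 1)))   # sms, 4 credits left
    log.append(deliver_otp(ent, raj, date(2024, 6, 2)))     # voice, 2 left (IN costs 2)
    log.append(deliver_otp(ent, raj, date(2024, 6, 3)))     # voice, 0 left
    log.append(deliver_otp(ent, alice, date(2024, 6, 4)))   # email: credits exhausted
    log.append(deliver_otp(ent, alice, date(2025, 1, 1)))   # sms: rolled over to 3, now 2
    log.append(deliver_otp(ent, alice, date(2026, 1, 1)))   # email: renewal was 0
    return log


if __name__ == "__main__":
    print(worked_example())
```

The last two steps of the timeline are the ones worth checking in a real tenant: on the first end date the unused credits are discarded and the renewal quantity becomes the new balance, and on the following end date, with the renewal quantity already reset to zero, every user silently drops to email OTP.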
Entitlement summary
To view a summary of account entitlements, do the following:
- Sign in to your IDaaS tenant account. The Dashboard page appears and shows information about your Service Provider account. For example:
  - The Users button shows the number of users, including both Active and Inactive users. When you select Users, the Users list appears. Inactive users remain in the list but do not count toward entitlement usage.
  - The Entitlements button shows the number of entitlements available. When you select Entitlements, the Contract Details dialog box appears. It shows the total number of entitlements, the number used, and the number remaining. Inactive users do not count toward the number used, so they do not reduce the number remaining.
:::info Example
The Users button shows that you have two users. When you review the Users list you see that one user is active and the other is inactive. When you open Entitlements, the Contract Details dialog box shows one consumed user entitlement and 29 remaining user entitlements. The inactive user does not count toward your entitlement usage.
:::
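The following is an added example (not Entrust code) that models the user-entitlement accounting described under Production account entitlements and in the Entitlement summary above: a tenant's allocation is bounded by what the Service Provider still has available, allocations are subtracted from the parent, only active users consume entitlements, and the manual, bulk-import and directory-sync paths fail in three different ways. It reproduces the two figures quoted on the page (990 allocatable after promotion; 1 consumed and 29 remaining on a trial account with one inactive user). Class and method names, and the assumption that entitlements sub-allocated to tenants are no longer available to the parent's own users, are illustrative choices and not part of the page.

```python
"""Model of the user-entitlement rules on this page.

Added example, not Entrust code. Names are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple


class EntitlementError(Exception):
    """Raised when an operation would exceed the available entitlements."""


@dataclass
class Account:
    name: str
    user_entitlements: int                               # total granted to this account
    service_provider: bool = False
    users: Dict[str, bool] = field(default_factory=dict)  # username -> active flag
    tenants: List["Account"] = field(default_factory=list)

    def consumed(self) -> int:
        """Only active users count; inactive users stay listed but are free."""
        return sum(1 for active in self.users.values() if active)

    def allocated(self) -> int:
        """Entitlements already handed down to child tenant accounts."""
        return sum(t.user_entitlements for t in self.tenants)

    def remaining(self) -> int:
        # Assumption: sub-allocated entitlements are not available to this
        # account's own users either, so both terms are subtracted.
        return self.user_entitlements - self.consumed() - self.allocated()

    def add_user(self, username: str) -> None:
        """Manual add: refused outright once the maximum is reached."""
        if self.remaining() <= 0:
            raise EntitlementError(f"{self.name}: no more users can be added")
        self.users[username] = True

    def deactivate(self, username: str) -> None:
        self.users[username] = False

    def bulk_import(self, usernames: Iterable[str]) -> List[Tuple[str, str]]:
        """Bulk import: the operation succeeds; each excess user is a row failure."""
        failures = []
        for username in usernames:
            try:
                self.add_user(username)
            except EntitlementError as exc:
                failures.append((username, str(exc)))
        return failures

    def directory_sync(self, usernames: Iterable[str]) -> int:
        """Directory sync: users beyond the entitlement are silently not added."""
        added = 0
        for username in usernames:
            if username in self.users:
                continue              # already present; nothing to do
            if self.remaining() <= 0:
                break                 # limit reached; the rest are skipped
            self.users[username] = True
            added += 1
        return added

    def promote(self) -> None:
        """Promotion keeps existing users and entitlements; it adds the tenant pool."""
        self.service_provider = True

    def create_tenant(self, name: str, user_entitlements: int) -> "Account":
        """Create a child tenant, bounded by this account's remaining pool."""
        if not self.service_provider:
            raise EntitlementError(f"{self.name} is not a Service Provider account")
        if user_entitlements > self.remaining():
            raise EntitlementError(
                f"{self.name}: requested {user_entitlements}, only {self.remaining()} available")
        tenant = Account(name, user_entitlements)
        self.tenants.append(tenant)
        return tenant


def worked_example() -> dict:
    """The two scenarios quoted on the page, with constructed account names."""
    msp = Account("msp", 1000)
    for i in range(10):
        msp.add_user(f"user{i}")
    msp.promote()
    available_after_promotion = msp.remaining()      # 990
    msp.create_tenant("tenant-a", 990)
    try:
        msp.create_tenant("tenant-b", 1)             # pool is exhausted
        over_allocation_refused = False
    except EntitlementError:
        over_allocation_refused = True

    trial = Account("trial", 30)
    trial.add_user("alice")
    trial.add_user("bob")
    trial.deactivate("bob")
    return {
        "available_after_promotion": available_after_promotion,
        "over_allocation_refused": over_allocation_refused,
        "trial_listed": len(trial.users),             # 2
        "trial_consumed": trial.consumed(),           # 1
        "trial_remaining": trial.remaining(),         # 29
    }


if __name__ == "__main__":
    print(worked_example())
```

The bulk-import and directory-sync paths deserve attention operationally: a bulk import that reports "success" can still have left users out (check the row failures), and a directory sync that keeps running against an exhausted entitlement adds nobody and raises no error of its own.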
Service Provider bundles
When you add tenants to your Service Provider account, you select a bundle for the account. The bundle defines the set of features that users and administrators can access in IDaaS. Trial accounts are automatically assigned the Plus bundle type. Production accounts can be assigned the Plus, Premium, or Consumer bundle. The following table describes the features available with each bundle.
| Feature available in IDaaS | Plus | Premium | Consumer |
|---|---|---|---|
| User self-service (authenticator) | Yes | Yes | Yes |
| User self-service password reset | Yes | Yes | Yes |
| VPN remote access | Yes | Yes | No |
| Single sign-on portal | Yes | Yes | No |
| AD sync | Yes | Yes | No |
| Office 365 SAML integration | Yes | Yes | No |
| Additional SAML integrations | Yes | Yes | Yes (generic SAML integration only) |
| Mobile soft token and push notifications | Yes | Yes | Yes |
| SMS/Email OTP, KBA, Google Authenticator, FIDO, grid authentication | Yes | Yes | Yes |
| Native device biometrics | Yes | Yes | Yes |
| Email, web, and telephone support: Mon-Fri, 8 a.m.-8 p.m. EST | Yes | Yes | Yes |
| Adaptive/risk-based policy engine | Yes | Yes | Yes |
| Desktop login (using the Desktop Agent) | Yes | Yes | No |
| On-premises applications - On-premises application integrations | Yes | Yes | No |
| On-premises applications - ISAPI and Apache integrations | Yes | Yes | Yes |
| Microsoft Entra ID sync | Yes | Yes | No |
| OpenID Connect and OAuth application integration | Yes | Yes | Yes (generic OIDC and OAuth integrations only) |
| Microsoft Entra ID (formerly Azure AD) | Yes | Yes | No |
| SIEM integration (Splunk) | Yes | Yes | Yes |
| Authentication API (for example, custom web/mobile applications) | Yes | Yes | Yes |
| Administration API (users/groups/policies) | Yes | Yes | Yes |
| Cross-platform facial biometrics | No | Yes | No |
| LDAP database sync | No | Yes | Yes |
| OAuth 2.0 URL/API protection | No | Yes | Yes |
| Mobile smart credential/Bluetooth login | No | Yes | No |
| AD Connector | Yes | Yes | No |
| Identity Providers | No | Yes | Yes |
| User verification | No | Yes | Yes |
| External risk engine | No | Yes | Yes |
| User provisioning (inbound and outbound) | Yes | Yes | Yes |
| User certificate authentication | No | Yes | No |
Logging out
You are signed out of IDaaS when your session lifetime expires, you explicitly sign out, or your browser session ends (typically when you close the browser).
On macOS, you must Quit the browser in order for the session to be terminated.
Service Provider online help
The Service Provider online help outlines how to use the Entrust Identity as a Service features available to Service Provider administrators. For other administrative tasks, see the Entrust Identity as a Service Administrator Help.