A Service Plan is a collection of allowed services and certificate types that are assigned to an Enterprise. A service plan may specify but not limited to the following:


  • To control the issuance of server-side keys
    • Simple
    • Remote Authorisation


  • To control the issuance of client-side key
    • Certifying a CSR
    • Generating a key pair on client side (e.g. in a PKCS#11 device) using ADSS Go>Sign Desktop


  • Multi-factor authentication (optional)
    • At the time of system login
    • At the time of sending certificate revocation request
    • At the time of sending certificate renewing request


How it Works?


  1. The Service Plans can be assigned to the Enterprises only. You cannot assign the Service Plan to the users.
  2. Based on your business requirements you can create multiple Service Plans to offer different set of certification services to the different enterprises.
  3. You can configure one service plan in multiple enterprises but it is good practice to create separate Service Plan for each Enterprise if you are the service provider and you got many enterprises registered in the ADSS Web RA.


Basic Information

Field

Description

Name

Specify a unique name for this service plan, i.e. My Service Plan. The service plans are used in the configuration of Enterprise Accounts. 

Description

Specify any description related to this service plan for your record.

Active

Tick this check box to make this service plan active. Inactive service plans cannot be configured in the Enterprise Accounts.



Profiles Settings

Field

Description

Key Stores > Profiles for requesting certificates with CSR

This field will list all the active ADSS Certification Service Profiles that have been created to issue certificates by submitting users' CSRs. Specify the ones to be used by ADSS Web RA to process such certificate requests.

If the check box Enable client keys is checked in the profile then the profile will be shown in Profile for requesting certificate with CSR dropdown where operator can configured it in service plan.


In case of specifying multiple profiles here, the ADSS Web RA end user will have the option to choose the one before sending a CSR based certificate request.

If no profile is specified, the Enterprises registered with this service plan will not be able to request CSR based certificates.

Key Stores > Profiles for creating keys on smartcards/tokens

This field will list all those active ADSS Certification Service Profiles that have been created to issue signing keys and certificates on smart cards and tokens, i.e. the profiles in which the "Smartcard/Token Profile" field is enabled. Specify the one to be used by ADSS Web RA to process such certificate requests.

In case of specifying multiple profiles here, the ADSS Web RA operator will have the option to choose the one before sending a local certificate request to Admin RA.

If no profile is specified, the Enterprises registered with this service plan will not be able to request the local signing keys and certificates.

Key Stores > Profiles for server-side keys & certificates 

This field will list all those active ADSS Certification Service Profiles that have been created to issue remote/ server-side signing keys and certificates. The remote keys will be generated and held in the ADSS Server. Specify the ones to be used by ADSS Web RA to process such certificate requests.

If the check box Enable client keys is unchecked in the profile then the profile will be shown in Profile for server-side keys & certificates drop down where operator can configured it in service plan.

In case of specifying multiple profiles here, the ADSS Web RA operator will have the option to choose the one before sending a server-side certificate request.

If no profile is specified, the Enterprises registered with this service plan will not be able to request the remote/ server-side signing keys and certificates.

Services > CSP Profile

This field will list all those active ADSS CSP Service Profiles that have been created to issue Remote Authorised Signing (RAS) certificates. Specify the one to be used by ADSS Web RA to process such certificate requests.

In case of specifying multiple profiles here, the ADSS Web RA operator will have the option to choose the one before sending a RAS certificate request.

If no profile is specified, the Enterprises registered with this service plan will not be able to request the RAS certificates.

Services > Device Enrolment Profile 

This section lists down all configured profiles to create certificates for SCEP (Simple Certificate Enrolment Protocol) and Certificate Management Protocol (CMP). On selection of SCEP or CMP profile in a service plan, the device enrolment option appears on ADSS Web RA user's portal.

Services > SigningHub Connector

This shows the list of all configured SigningHub connectors that can be used for ADSS Web RA integration.

Services > Default certificate profile for SigningHub

This shows the list of all configured certification profiles which can be used for default certificate generation for Remote Authorisation Signing under integrated app.

If None is selected then no default certificate will be generated  under integrated app for enterprise account at registration time.



Advanced Settings

Field

Description

Login Authentications > Primary Authentication Profile

Primary authentication configured as login authentication which lets an enterprise RAO to login on ADSS Web RA User's portal and by default one of the available Primary Authentication profiles must be selected.

Enterprise Registration > Enable vetting to approve enterprise registration

This enables the vetting on new enterprise account registrations, if enabled then the list of vetting forms appears to select a vetting form that has to be shown while registering an enterprise either through ADSS Web RA Admin or ADSS Web RA Web.

When None is selected under Vetting Form list, then no vetting form appears to be filled and only the new enterprise registration has to be approved by Admin RAO.


Notifications

Field

Description

SMS Gateway

This shows all the configured SMS gateway connectors that can be selected to receive OTP via SMS. Additionally, OTP length and retry interval can also be set.

Email Gateway

This shows the list of configured SMTP connectors that can be selected to receive email notifications.

The selected email gateway will be used from Service Plan for email communication. However, if there is no email gateway configured under service plan then the one which is configured under Configurations > Default Settings will be used to send all email notifications.



Create a Service Plan


  1. Click Service Plans from the left menu.
  2. Click  from the grid header. 
  3. A dialog wizard will appear to configure the service plan details. The wizard consists of 4 sequential screens, i.e.:
    1. Basic Information
    2. Profile Settings
    3. Authentications
    4. Notifications
  4. Specify the details of each screen accordingly and click Next to proceed further. Click Finish. A new service plan will be saved and displayed in the list. You may also edit and delete this service plan as required, see details. See the below table for fields description.
  5. Click Publish Changes from the top right corner, to make these configurations effective. 


SAML Authentication


When creating a service plan for SAML authentication, a user will b required to fill some basic information, profile settings, notification and advanced settings. The Advanced Settings screen will display a drop down named as 'Login Authentications', which will require all the primary authentications that are to be configured in the system. Once the user completes the configuration, the primary settings will include Email/Password authentication and SAML authentication. Here, user can select the SAML authentication profile configured previously with name as SAML Authentication using Azure. 

Note: It is the responsibility of an administrator to ensure that SAML is not configured as both primary and secondary authentication simultaneously while logging in. ADSS Web RA does not have any automated check to prevent an administrator from doing so.  



Configure Service Plan in Enterprise


  1. Click Enterprises from the left menu.
  2. Search the Enterprise whose service plan is required to change and click  adjacent to it.
  3. Select Edit.
  4. A dialog wizard will appear to configure the service plan details. The wizard consists of 3 sequential screens (Profile Settings, Notification and Advance Settings).
  5. Navigate to the Advanced Settings tab.
  6. Select the new Service Plan from the drop down.
  7. Click Finish to save the configurations.
  8. Click Publish Changes from the top right corner, to make these configurations effective.


An operator can configure multiple authentication profiles in a service plan for primary and secondary authentication. One of them will be selected by default, as shown below: