SSFF1200 - Maintain Self Serve Facility Configuration

Purpose

To enable configuration of the Callista Connect (Self Serve) functionality at institution level

SubSystem

Callista Connect

Normally Run By: Connect Administrator Specialist
Anticipated Frequency: As required
Structure:

  • Block: System Self Serve Facility Configuration (two sub blocks)
  • Buttons: Override (SSFF1201)
  • Buttons: Default Self Serve User Password Rule (RULF2000)
  • Buttons: Self Serve User Eligibility Rule (RULF2000)

 

This form is used to establish an institution level configuration for all Callista Connect (self serve) user applications and web pages. Configuration details set in this form have system-wide effect, unless overridden at a lower level.

Transaction Management

These three check boxes are the Transaction Management configuration items that apply at a system-wide level. The Administrator uses them to indicate whether user details will be logged. User details are:

  • The user's browser details
  • The IP address of the application user, and
  • The user's operating system.

The administrator could, for example, use Log Browser Details to determine which browser (e.g. IE or Firefox) is used the most; Log IP Address to see whether traffic originates within or outside the institution; and Log Operating System to determine whether requests come from a Mac or a PC and which OS version is in use. This information could be used for statistical analysis.

 

System Self Serve Facility Configuration block

  • Web Style Code
  • Default Web Page Code
  • Login Web Page Code
  • Pre-Page Declaration

Authentication Details sub block

  • Idle TimeOut
  • Age TimeOut
  • SSO Protected check box
  • Encryption Key Age Timeout
  • Use Default Password to Authenticate check box

Cookie Details sub block

  • Domain
  • Path

Transaction Management

  • Log Browser Details
  • Log IP Address
  • Log Operating System

Buttons

Rules/Notes:

The Pre-Page Declaration is used to store anything which should appear at the beginning of a PAGE web_element, that is, at the beginning of an HTML page generated by Connect. In future, this field will contain the DOCTYPE which Connect is certified against. The data in this field will be delivered as mandatory system data and should not be modified by institutions. Modifying this data may cause parts of Connect to stop functioning.

Timeout values must be entered in the format H24:MI:SS

Authentication Details - Age Timeout must be greater than or equal to Authentication Details - Idle Timeout

Authentication Details - Encryption Key Age Timeout must be greater than Authentication Details - Age Timeout

SSO Protected checkbox - This checkbox indicates if the Connect URL is protected by Single Sign On. See warning below.

If Authentication Details - Encryption Key Age Timeout is recorded, then Authentication Details - Age Timeout must also be recorded

Authentication Details - Encryption Key Age Timeout must be greater than all Authentication Details - Age Timeout values recorded for individual applications. That is, no Self Serve Application can have an Authentication Details - Age Timeout that is greater than the Self Serve Configuration Encryption Key Age Timeout.
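The timeout rules above can be checked before values are entered in the form. The following is an added example, not Callista code: the function names, the application names and the sample values are hypothetical, and it assumes H24 means a two-digit hour from 00 to 23.

```python
import re

_HMS = re.compile(r"(\d{2}):([0-5]\d):([0-5]\d)")
FIELDS = ("Idle Timeout", "Age Timeout", "Encryption Key Age Timeout")

def to_seconds(value):
    """Parse an H24:MI:SS string to seconds; None means 'not recorded'."""
    if value is None:
        return None
    m = _HMS.fullmatch(value)
    # Assumption: H24 is a two-digit hour in the range 00-23.
    if not m or int(m.group(1)) > 23:
        raise ValueError(f"{value!r} is not in H24:MI:SS format")
    h, mi, s = (int(g) for g in m.groups())
    return h * 3600 + mi * 60 + s

def validate(idle=None, age=None, key_age=None, app_ages=None):
    """Return rule violations for one institution-level configuration.

    app_ages maps a hypothetical application name to its own Age Timeout.
    """
    errors, secs = [], {}
    for name, raw in zip(FIELDS, (idle, age, key_age)):
        try:
            secs[name] = to_seconds(raw)
        except ValueError as exc:
            errors.append(f"{name}: {exc}")
            secs[name] = None
    i, a, k = (secs[n] for n in FIELDS)
    if i is not None and a is not None and a < i:
        errors.append("Age Timeout must be >= Idle Timeout")
    if key_age is not None and age is None:
        errors.append("Age Timeout must be recorded with Encryption Key Age Timeout")
    if k is not None and a is not None and k <= a:
        errors.append("Encryption Key Age Timeout must be > Age Timeout")
    for app, raw in (app_ages or {}).items():
        try:
            app_age = to_seconds(raw)
        except ValueError as exc:
            errors.append(f"{app}: {exc}")
            continue
        # The key must outlive every per-application Age Timeout.
        if k is not None and app_age is not None and app_age >= k:
            errors.append(f"{app}: Age Timeout must be < Encryption Key Age Timeout")
    return errors

if __name__ == "__main__":
    # Constructed sample values, not taken from a real installation.
    print(validate("00:15:00", "08:00:00", "12:00:00", {"APP_A": "02:00:00"}))
    print(validate("00:30:00", "00:15:00", "00:10:00", {"APP_B": "13:00:00"}))
```

An empty list means the combination satisfies every rule listed above; each string in a non-empty list names the rule that was broken.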

Transaction Management

The Log Browser Details, Log IP Address and Log Operating System check boxes have their information displayed in Summary Person Transaction Inquiry (SSFF4200).

 

1. Select a Web Style Code from the LOV.

i. Styles, which are created in Web Administrator, define the font, table and page body attributes of web pages. This is the style that is applied to all Callista Connect web pages, unless an override style is specified for individual pages or page elements in Web Administrator Page Builder, or an override self serve configuration as specified in SSFF1201.

2. Select a Default Web Page Code from the LOV. The Default Web Page appears when Connect starts up. For example, a welcome page.

3. If required, select a Default Web Page Code from the LOV.

i. Normally, the login process only protects the Self Serve Application linked to a web page, not the entire page. That is, prior to authentication, the user can see the content of the target web page with the exception of the Self Serve Application. In order to protect the entire page (i.e. the application and all other page elements such as text blocks and links), an application with System Self Serve Application USERDEF can be created and mapped to the target web page/s in SSFF1110. Consequently, when logging in, the user sees only the login page until authenticated as a valid user. A login page can be mapped to the target web page. If one is not specified the login page in this form is used. Note: any login pages must first be created in the Web Administrator.

4. Note: As stated in the previous section, DO NOT modify data in the Pre-Page Declaration field

5. Optionally record:

i. Idle TimeOut.
When using secured applications, users are required to re-authenticate if their session has been inactive for the amount of time specified as idle timeout.

ii. Age Timeout.
Regardless of how many secured applications the user has accessed, if they are still using an application at the end of this timeout, they are required to re-authenticate.

iii. Encryption Key Age Timeout.
All user identifier/password combinations are held in a cache while the user is accessing secure applications. To provide further security over the user identifier/password information, and to prevent another person from viewing these combinations in the cache, it is encrypted with a key. In order to view the information in the cache, a user would need to decrypt the key. By setting an Encryption Key Age Timeout, the encryption key is changed after the timeout period thereby making it more difficult for a person to decrypt the key. The key is produced by the system and does not need to be set by a user.

6. Select the SSO Protected checkbox - only after configuring an SSO Server to protect the URL. See SSO details in Rules/Notes.

7. The Use Default Password to Authenticate check box (when selected) means that users authenticated via the CALLISTA ID authentication method can use their default password (see below) to gain authentication. If the check box is not selected, the first time a user accesses a secure application, they are required to change their password before proceeding.

8. The Cookie Details - Domain field is where the host name of the server appears. Valid values are: Host Name, NULL or <default>. For example, if a URL was http://mars.it:8840/connect/webconnect, then the Domain window could be specified as 'server.domain', and the path could be specified as 'connect'. Alternatively, the domain could have <default>.

Note: Wildcard. The '%' can also be used. For example, '% server %'.

9. The Cookie Details - Path field is where the path of the server appears. Valid values are server path, NULL or <default>.

10. The Override (+) button, at the bottom of the block, navigates to the Maintain Self Serve Configuration Override form (SSFF1201) where the specific details of each configuration override for different profiles can be entered. See SSFF1201 for more information.

11. The Default Self Serve User Password Rule button, at the bottom of the block, navigates to the Maintain Rule form (RULF2000), where the rule for deriving default passwords is specified.

i. The rule syntax enables the default password to be derived from elements of the user's Date Of Birth, their Person ID or a string. Combinations of these options may also be used.

12. The Self Serve User Eligibility Rule button, at the bottom of the block, also navigates to the Maintain Rule form (RULF2000), where the rule for defining eligibility of users to access secure Callista Connect applications is specified.

i. This rule is used by the system when the Authentication Method CALLISTA ID is used and the user does not have a Self Serve User Record. If the user does not satisfy the rule check they are prevented from accessing secure applications.

ii. The System also automatically deletes a person's Self Serve User Record when they no longer satisfy the requirements of the eligibility rule, thus denying them access to secure applications. For example, if the rule specifies that Callista Connect users must have a course attempt with a status of ENROLLED, INACTIVE or INTERMIT, the System will delete a person's Self Serve User Record if the course attempt changes status to COMPLETED, LAPSED, DISCONTIN or UNCONFIRM.

iii. The rule syntax enables user eligibility to be defined in terms of:

  • At least one course attempt of <defined statuses>, or
  • At least one admission course application of <defined outcomes statuses> and offer response of <defined statuses>; or
  • Surname matches a specified value

Rules/Notes:

If a default password rule is not defined, the System cannot determine default passwords. Users without a Self Serve User Record will therefore be denied access.

If the default password rule includes Date Of Birth elements, the System will not be able to determine default passwords for users without a recorded date of birth. Such users will therefore be denied access.

The Self Serve User Eligibility Rule may be defined as 'True'. This means that all users will be allowed access to secure applications if their user ID and password are validated.

Warning: The consequences of not defining a Self Serve User Eligibility Rule are:

  • All users without an existing Self Serve User Record will be denied access to secure applications
  • All users whose Course Attempt Status, Admission Course Application Status or Offer Response Status changes will have their Self Serve User Record deleted by the System, thus denying them access to secure applications.

SSO Protected checkbox - This checkbox indicates if the Connect URL is protected by Single Sign On. It is important that this check box is only selected after configuring an SSO Server to protect the URL. If this checkbox is selected without the Connect URL being protected by an SSO Server, the application may be exposed.
See Callista Technical Documentation for further details.
When this check box is selected a warning is displayed - 'Warning: For this change to take effect, a Single Sign On Server must be configured'.

 

Last Modified on 23 January, 2008 11:46 AM

History Information

Release Information | Project | Changes to Document
10.1.0.0.0.0 | 1337 - PML Software Design and Programming | Added details re the Pre-Page Declaration field
10.1.0.0.0.0 | 1439 - SSO - Student and Applicant Portal | Added Single Sign On (SSO) details
10.0.0.0.0.0 | 1225 - Connect Transaction Management | Added 'Transaction Management' Section and description