Creating Sender Account
Tuesday, August 2, 2022 at 12:08am
Hello Duo,
Our requirements:
We will have multiple subscribers using our service. Currently, we have one single account under OneSpan for the integration of OneSpan into our system. We are using the saved layout for applying the fields in the document. Since we will have different subscribers, if we save a layout for each of them, the layouts can be accessed by all the clients, which we don't want. So, we have decided to separate the account for each of them via sender account.
Looking into the sender account, I found that, yes, we can have a sender API key and use that for creating a transaction at the subscriber level. The problem with this approach is that subscribers can access the account and can use the OneSpan feature via sandbox.esignlive.com. We do not want our subscribers to access the OneSpan account and use the transaction feature via OneSpan. The other solution I thought of would be to create a new role with limited permission, but in this approach, to create a transaction via our iframe, the user should still be provided with the permission of creating a transaction; in doing so, they can again access the OneSpan login via the user credentials.
The last option I had was creating a subaccount. Currently, the subaccount feature is not available in our account. Please suggest the best possible solution or workaround so that the different accounts can be distributed to the clients and still stop them from accessing the transaction. If creating a subaccount would fix the problem, I will request the same from OneSpan.
Please let me know.
Reply to: Creating Sender Account
Tuesday, August 2, 2022 at 07:00am
Hi Bikram,
Thanks for your post! A few thoughts and options according to your description:
(1) If you don't want your sender accounts to directly log onto their OSS portal, you can contact the support team ([email protected]) and turn on the feature "SSO Login" (you don't have to really configure the SAML). This will disable the login capability (for all senders, including your admin user), but the following remain: #1 the API Key/Token access; #2 if you retrieve a session token with
POST /api/authenticationTokens/user
and build a link similar to the one below, you can still access the UI pages (including the transaction edit page and designer page):
https://sandbox.esignlive.com/auth?authenticationToken={userToken}&target=https://sandbox.esignlive.com/a/dashboard
(2) If you don't have to register your sender account with the same email they used in your system, you can register them with a dummy username under your domain, in which case they won't be able to reset the password. By doing so, I imagine the main side effect is that your users will not be able to receive the completion email from their actual email.
Duo
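The token-and-link flow from option (1), as an added example that is not part of the original reply or OneSpan's own code: the token is requested server-side and the link target is restricted to the OneSpan host before it is handed to the iframe. The function names, the `Basic` authorization header form and the `value` response field are assumptions not stated in the post.

```python
import json
import urllib.request
from urllib.parse import urlencode, urlsplit

BASE = "https://sandbox.esignlive.com"  # host taken from the link in the post


def token_request(api_key: str) -> urllib.request.Request:
    """Build POST /api/authenticationTokens/user (nothing is sent here)."""
    return urllib.request.Request(
        BASE + "/api/authenticationTokens/user",
        data=b"",
        method="POST",
        headers={
            # Assumption: API key sent as "Basic <key>"; not stated in the post.
            "Authorization": "Basic " + api_key,
            "Accept": "application/json",
        },
    )


def fetch_user_token(api_key: str) -> str:
    """Send the request server-side; the API key never reaches the browser."""
    with urllib.request.urlopen(token_request(api_key), timeout=10) as resp:
        # Assumption: the token is returned in a JSON field named "value".
        return json.load(resp)["value"]


def session_link(user_token: str, target: str = BASE + "/a/dashboard") -> str:
    """Build the /auth link, refusing targets outside the OneSpan host."""
    want, got = urlsplit(BASE), urlsplit(target)
    if (got.scheme, got.netloc) != (want.scheme, want.netloc):
        raise ValueError("target must stay on " + BASE)
    # urlencode escapes the token and the nested target URL for the query.
    query = urlencode({"authenticationToken": user_token, "target": target})
    return BASE + "/auth?" + query


if __name__ == "__main__":
    # Constructed token value, for illustration only.
    print(session_link("constructed-token-123"))
```

The resulting link carries the session token in its query string, so it should be generated per page load and kept out of application logs.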
Reply to: Creating Sender Account
Tuesday, August 2, 2022 at 11:48pm
Thank you Duo,
Creating a sender account with a dummy username under our domain looks like it will work for us. Meanwhile, I was looking at the subaccount feature, thinking it is somewhat similar to a sender account, and have also created three subaccounts under our master account. I have got the API keys of these 3 subaccounts as well but couldn't figure out how to implement this subaccount thing with the use of their API key. I have tried to look at the resources in OneSpan but couldn't find anything substantial.
Can you please help me on this one? Using subaccount as an iframe.
Reply to: Creating Sender Account
Wednesday, August 3, 2022 at 07:21am
Hi Bikram,
The Subaccount feature could be a little bit tricky in this case.
Generally speaking, the main reasons why a user wants to use the subaccount feature could be: #1 They already have multiple accounts and they want to put them under one main account for better account management. #2 You can have different brandings and account level settings for each subaccount.
The suggested practice to leverage the subaccount feature is to
#1 add all senders under the main account level
#2 assign an OOTB or customized Account Role to each sender under the respective subaccount level. For example, sender1 can only create a transaction under subaccount1 when you have assigned the SENDER role (or a role with "Transaction" permission) to him/her at subaccount1.
PS: With the Roles & Permissions feature enabled, we typically suggest to create, query and manage transactions only via the (sub)account admin's API Key, instead of each sender's API Key. (This is because there's a permission called "API Access" and regular senders won't have this access.)
#3 For example, your main account admin is also the admin of the 3 subaccounts. The main account admin will have 3 different API Keys under the 3 subaccounts, which can be retrieved by this API:
GET /api/account/subaccountApiKeys
PS: Your admin account needs to have at least the "User Management", "Sub Account Management" and "Api Access" permissions in the different subaccounts in order to get the API Key.
#4 With the admin's API Key, you can create on behalf of a sender, query and manage the sender's transactions. For more details, please refer to my blog series:
https://www.onespan.com/blog/onespan-sign-developers-manage-senders-transactions-part-1
https://www.onespan.com/blog/onespan-sign-developers-manage-senders-transactions-part-2
Duo