
ISE 2.2: Single-Click-Sponsor-Approval with email alias

Martin H.
Cisco Employee

Hi Experts,

I have the following request and I'm not sure if it works.

Single-Click-Sponsor-Approval:

  • There will be max. 4 persons who will be the sponsors
  • There will be one email alias which incl. the email addresses of the above-mentioned sponsors
  • There will be one sponsor account on ISE (assigned to the sponsor group) with the alias as email address
  • SINGLE-CLICK-APPROVAL is required w/o typing the credentials for the sponsor portal. The solution should be as easy as possible.
    • SPONSOR will receive an email (email alias) with time based token which includes links to APPROVE or DENY option.
    • SPONSOR can approve with single click and does not need to login to sponsor portal
    • If token is timed out then login to sponsor portal is required

So in this scenario all sponsors would receive an email and one of the sponsors needs to take ownership and approve.

My concern is whether this works and the sponsors don't need to type credentials again.

If I select “person being visited”, I can select or de-select “Require sponsor to provide credentials…” and the approval process is simplified.


BUT when I select “Email approval request to: sponsor email”, then the checkbox is no longer there. Does this mean if I select this process the sponsor needs to enter credentials… yes or no?



Accepted Solutions

Jason Kunst
Cisco Employee

There is a solution that's mentioned under the sponsor approval FAQ. Did you see that?

Http://cs.co/ise-Community

Guest web auth page

If it's still not what you need and you can't live without it, then please reach out through the sales channel with a feature request to our PM, Ameet Kulkarni (amekulka).

Hi Jason,

I guess you mean this:

How can I send the single click (with token credentials) to a group of sponsors so anyone receiving doesn’t have to enter their credentials?

Since the person being visited option is required to create a single click tokenized URL, the Sponsor email address listed below option won't work. Here is an idea on how this would work:

Create a generic sponsor account in AD with an email address like sponsors@mycompany.com; this would be entered by the guest on the self-reg page.



Yes, you're correct, they will have to enter credentials, otherwise we won't know who it belongs to, since there is no generic sponsor that can be assigned to the guest; we need to assign a specific sponsor.

The behavior may be different than noted.

Please try it out and let us know so I can update the FAQ.

Unfortunately, right now I can’t validate this.

I will let you know, but the workaround is also an option.

Yes, please let me know if what's stated is inaccurate or can be better listed.

Do you have any clarification updated we can work on?

Hi Jason,

I understand that the sponsor must belong to an AD group if we want to use single-click-approval.

Can you please explain why we need an AD for this? Can we also use an internal group?

It's a small guest environment with one sponsor group. There is no AD in this setup. We have to install an AD just to realise this feature. Is there any other option maybe?

Thanks in advance,

Cengiz

Because that’s the way it was designed.

Please reach out via sales and ask the PM to add the local database.