User Tools

Site Tools


start

Entitlement User Guide for Access from the Internet

Authentication methods

The available authentication methods for internet users are:

  1. Entitlement E-Mail Login
  2. Soft PKI Login
  3. OTP (One-time Password) Login *

* Is a 2nd factor authentication method that is needed for additional stronger authentication

For Siemens Employees and Known Business Partners (KBP) there can be two additional methods:

  1. PKI Smartcard Login
  2. Entrust IdentityGuard App

1. Entitlement E-Mail Login

Authentication with E-Mail address and password is available for all entitlement users and is mainly used from the internet. Due to the low authentication strength of this method, this authentication method is only recommended as an alternative to any of the other stronger authentication methods such as PKI. For most applications, a stronger authentication method is required. In that case, the user will be prompted for a second-step authentication (e.g. one-time password per SMS). But for now, we'll only focus on the e-mail authentication.

  • In the login box “E-Mail Login” enter your e-mail address in the field “My e-mail address”.

Activate “Remember my e-mail address” to remember your e-mail address for future logins.

  • Enter your Entitlement password.
  • Click “login” in the login box “E-Mail Login” on the login page.
  • After successful authentication you will be automatically forwarded to the application

[ Back to top ]


2. Soft PKI Login

In case you own a digital certificate from the Siemens PKI (Public Key Infrastructure) as a file, you can use this authentication method, to access several applications. Multi-purpose business partner certificates as they're called are commonly provided to general business partners (XGID users) per download. A link is sent to the general business partner per e-mail as soon as the order process by the Siemens contact was completed. This link directs the business partner to the PKI download server.

  • Follow the link to the PKI Download Server: https://pkidownload.siemens.com
  • Click the “Proceed with Entitlement Login” button
  • Login using the Entitlement e-mail login
  • Accept the privacy and PKI rules
  • Download the certificate file (.p12 / .pfx)
  • Install the certificate on your operating system using the TransportPIN that was sent to you per e-mail when downloading the certificate.

For Soft PKI authentication to the application of choice:

  • Click “login” in the login box “Soft PKI Login” on the login page.

  • In the next dialog, please select the correct certificate (installed on your system) and enter your personal PIN / password

soft_pse_selection.jpg
soft_pse_authentication.jpg

[ Back to top ]


3. OTP (One-time Password) Login

One-time Password (OTP) via SMS is a 2nd step to the overall authentication procedure. The 1st step of the authentication is mostly E-mail Login. However, for some applications a second authentication step is needed to guarentee for a stronger user authentication.

  • Login using the Entitlement e-mail login
  • Depending on whether the requested web application requires a second level of authentication, you will be redirected automatically to a second page.
  • Enter the received one-time password (SMS/ginlo or Threema) in the following page to finish the login process.

  • After successful authentication you will be automatically forwarded to the application

4. ginlo

ginlo is free to download from the app store and free to use (nothing will be charged).

The ginlo app is available for use with the corporate entitlement service. ginlo is a freely available app for IOS and Android. More information on ginlo can be found

[ Back to top ]


5. Threema

Since SMS is not the most reliable of technologies, the external message provider of the Entitlement Service offers an additional possibility to use Threema instead. Threema is a messaging app, comparable to Whatsapp, and can be used in the Siemens corporate environment. As soon as you have the Threema app installed and configured, all SMS messages will be sent to Threema and SMS will become the fallback option.

To correctly configure Threema, please use the following QR Code:
support_otpsms_threema_qr-code_siemens.jpg

Especially in regions that are oftentimes affected by SMS outages (e.g. India, Venezuela, New Zealand), we strongly recommend using the Threema app instead of the older, more unstable SMS technology.

Note: Since the SMS service is provided by an external message provider, Siemens Entitlement holds no accountability for the end-to-end delivery of SMS messages. In any case you do have issues with the SMS delivery, our support is willing to take your ticket and to address the issue with the external message provider. Please contact your Siemens contact person for more information.

[ Back to top ]


Additional Authentication methods for Siemens Employees and Known Businnes Partner (KBP)

1. PKI Smartcard Login

The most secure authentication method is the Siemens PKI ( or public key infrastructure). Should you have your own personalized PKI card, you will be able to authenticate directly to most Siemens entitlement protected applications.

Before you start: Please make sure, that your smart card is working and inserted sucessfully in your smart card reader.

Right-click the cardOS 
api symbol on the right
bottom of your screen

Should you not have the cardOS api installed on your PC, please install it from the UCMS basket on your desktop.
Should you wish to use the cardOS api on a non-Siemens PC, please request the CardOS api here: https://intranet.for.siemens.com/wll/0015/en/isec/sol/pki/Pages/card_os_api.aspx

For Entitlement PKI authentication:

  • 1) Click “login” in the login box “Smart Card PKI Login” on the login page.
  • 2) In the next dialog please enter your personal smart card PIN and click OK.
  • 3) After successful authentication you will be automatically forwarded to the application, that was originally called.

[ Back to top ]


2. Entrust IdentityGuard App

The Entrust app authentication is only a 2nd step of the authentication. The 1st step of the authentication is a “weak” authentication method such as Windows or E-Mail login. When the Entrust app login step (2nd authentication) is successfully completed, the authentication level is at it's highest. As an exception, there are some applications that only allow PKI as the strongest authentication method.

  • 2) Select the “Mobile app” login method
  • 3) Start the Entrust IdentityGuard app on your mobile device
  • 4) Enter the code from the Entrust app into the correct input field on the Entitlement webpage
  • 5) After successful authentication you will be automatically forwarded to the application, that was originally called.

[ Back to top ]


User Self Service Portal

Entitlement Account Data

Your Entitlement account data used by the Corporate Entitlement Service can be viewed in the Entitlement User Self Service.

The top section displays general account data The bottom section displays authentication data




Another important feature of the Self-Service Portal is the activation of the mobile number for the 2 factor authentication.

Data Ownership and Modification

All general business partner (XGID) data is provided to the Siemens Entitlement Service by a business application (e.g. SharePoint, GAMA, Identity and Access Management (IAM)). This means, that the ownership of the data is NOT with the Entitlement service, but rather with the business application that manages and delivers the identity data.

Therefore, making changes to identity data, such as the mobile phone number, e-mail address or last name, are not allowed for the Entitlement service to do. Instead, the general business partner must contact their Siemens contact person (or sponsor) in order to clarify which application (or adminstrative body) is responsible for editing the general identity data.

[ Back to top ]


(Re)Set the Entitlement Password

In order to set your password, you must click on the link provided in the welcome mail that was sent to you when your account was created. Performing a password reset when your account is inactive, or hasn't been activated yet, will result in an error message.

Note: We additionally advise to perform the password reset on a PC instead of a mobile environment.

To reset your password

  • The e-mail with a password link will be sent to the mailbox. Please read the password e-mail carefully and click on the password link.
  • The link will direct you to the Password Management Page.

  • Please set a new password by entering your desired password twice.
  • Confirm the password change by clicking “Save new password”.

When choosing a password, the validation rules set by Siemens ISEC must be complied to.

Entitlement Password Rules

Rule Value Description
PASSWORD_ATTEMPTS_BEFORE_LOCK 3 Attempts wrong password before account is locked
PASSWORD_LOCK_TIME 10 Time in Minutes the account is locked after entering the wrong password
Password_Expiry_Time 180 days Password Expiry Time enforced by the system. User is asked to change password at login, if expiry time is reached.
PASSWORD_MINIMUM_LENGTH 8 Minimum password length
REQUIRE_LOWER_CASE_CHARACTER YES If enabled, the password must contain lower cases
REQUIRE_UPPER_CASE_CHARACTER YES If enabled, the password must contain upper cases
REQUIRE_NUMERIC_CHARACTERS YES If enabled, the password must contain numeric characters
REQUIRE_NON_ALPHANUMERIC_CHARACTERS YES If enabled, the password must contain special characters *1)
NO_USR_LOGIN_PASSWORD_LENGTH YES If enabled, the password must not contain parts of the login name
NO_CHARACTER_PASSWORD_LENGTH YES If enabled, the password must not contain recuring characters (like xxxxXXXX)
NO_USER_FIRST_NAME YES If enabled, the password may not contain the users' first name
NO_USER_LAST_NAME YES If enabled, the password may not contain the users' last name
CHECK_AGAINST_PASSWORD_HISTORY 8 Number of history passwords, which must not be reused

Allowed special characters in password management and for registration of general business partners (XGIDs):

. : ; , - _ / \ ( ) < > @ * # $ % ^ & + = ! ? ' "

Additionally, a password blacklist was implemented to prevent choosing potentially weak passwords.

  • Alphabetical (a-z, A-Z, wrap = true)
  • Numerical (0-9, wrap = true)
  • Qwerty, ignore case (English keyboard layout, wrap = true, like qwertyuiop[]\)
  • Qwertz (German keyboard layout, wrap = true)
  • Repeated character, ignore case (like 11111, aAaAa or BBBBB)
  • and dictionary rules, including popular but trivial passwords like company names, politiotions, artists, and several other words

Should you have trouble setting the password of your choice, please try another password instead using the above rules and regulations to avoid any violations.

[ Back to top ]


Mobile Number Activation

The mobile number delivered by the business application, can be activated in the Entitlement User Self Service.
otppwmanagement.jpg

OTP Delivery Number

In case the 2-factor authentication is already enabled for your account, the middle column should display the correct mobile number and the outer right column should say: *active*

Available mobile numbers for OTP delivery

In case no mobile number exists for your account or the number is incorrect, please contact the responsible business application (e.g. GAMA, IAM, SharePoint) at Siemens to update the XGID record data.

To enable One-time Password via SMS for your account use the activate button below the mobile number(s) available for your account.
otppwmanagement.jpg
These are the mobile numbers available to use with 2-factor authentication.

This will open a screen guiding you through the following steps of activation. In case more than one mobile number is available for your account, please select the correct number. Only one mobile number can be used as one-time password delivery number at a time.


optactivationfield.jpg

To verify authenticity and correctness of this mobile device, a 4-digit code is sent to the selected number.


checkmobile.jpg

optactivationnr.jpg

optactivationconfirmed.jpg

The activation is completed. You can now use the OTP (One-Time-Password) Login.

[ Back to top ]


General

Decentral Adminstration

General Business Partners receive XGIDs. Normally, both Siemens Employees and Known Business Partners receive ZGIDs in the SCD, since these GIDs start with a Z (e.g. Z001ABCD). However, XGIDs are GIDs starting with X, hence XGID (e.g. XP00ABCD or XA00ABCD).

There is a slight technical distinction between XGIDs starting with “XP” or starting with “XA”. XP-GIDs only live in the productive system. XA-GIDs also live on our reference system. Should this information be too technical, then it will probably not apply to your situation.

The XGID System

All general business partners (or XGID records) live in a database collaboratively managed by the Siemens Corporate Entitlement Service (CES) and the Siemens Corporate Directory (SCD). There are three basic components to this system:

  1. An Interface accepting data from outside business applications (functional accounts) and people
  2. A Database that stores the data records (e.g. name, e-mail address)
  3. An Application that stores user account specific data to later perform the user authentication (Entitlement Account)

XGID records are stored by the SCD team in such a way, that the XGID records are not visible through the “normal” SCD front-end. XGID data can only be viewed by the business application owners and by Entitlement Support / IT Service Desk (MyIT).

Data Ownership

All XGID data is delivered FROM the business TO Entitlement. No matter if the record is newly created or modified, all data related matters are owned and managed by the affected business unit. The Siemens Corporate Entitlement Service merely provides the framework for business (applications) to align and connect their identities to the Entitlement Authentication system.

Origins

Business (applications) and people managing XGIDs in a certain part of the organization are granted access to a so-called “origin”. An origin is basically a pre-defined space in the database where only an authorized set of people and business (applications) are allowed to manage data. The origins are (12/2018):

Business Application Origin
CC Brandville cc
CF-PORTAL cfportal
CT Wiki ct
Identity and Access Management (IAM) energy
File Sharing Service fileshareservice
HEALTHENEERS healthcare
ONELMS onelms
Supply Chain Financing scf
SCMStar / Vendor Master Data Management (SCM) scmstar
SFS Siesmart and SFS COFEA Front-End sfs
SPE Ebis Portal spe
BT Service Platform (BT) swamp
FIONA swamp
Partner Workspace Service (Sharepoint) swamp
Servicenow swamp
SiemensVendorPortal swamp

The origin that stands out is the SWAMP origin. This cross-origin is managed by multiple business applications simultaniously. This means that for example:

ServiceNow can edit user data that was delivered from the BT Service Platform initially.

Please contact your Siemens Business Associate (e.g. sponsor) to discuss the proceedings in case of incidents or specific questions.

[ Back to top ]


Welcome Process

The most prominent and visible process is the welcome process. The XGID record will be created, an Entitlement account will be created and the general business partner will receive a welcome e-mail. This welcome e-mail contains information regarding the welcome process and a link that will allow the general business partner to set his/her Entitlement password and therewith activate the Entitlement account.


xgid_create_activation.jpg

Note: This diagram must be read from top to bottom.

Description in more Detail

  1. An XGID administrator in the business unit creates a new user record in the business application (e.g. GAMA)
  2. This data (e-mail address, name etc) is verified for any current duplicates in the system
  3. If the verification returns success, an XGID is generated and an (inactive) Entitlement account is created for the user. The actual GID is returned to the business application when successful.
  4. Some provisioning (SharePoint Access, ServiceNow Groups) might be needed for the user. After this is completed, the business application requests the Entitlement service to send the welcome e-mail to the new user
  5. The welcome e-mail with the activation URL is sent to the user by the Entitlement service
  6. The new general business partner (XGID user) is now able to set his password, activating the Entitlement account for first use

When all steps completed successfully, the user should be able to authenticate using the Entitlement e-mail login method. The OTP login method will need additional activation of the mobile number.

[ Back to top ]


FAQ Section

I did not receive the welcome e-mail

In case you did not receive a welcome e-mail could be one of following reasons:

  • You have not gone through the welcome process, since you have already been at Siemens before
  • The e-mail was caught by the SPAM filter
  • Your Entitlement account is inactive and must be activated using the welcome process first
  • Your Entitlement account is inactive due to an expired LeaveDate. This must be corrected by the Business Application

In any case, please contact your Sponsor or Siemens Business Associate to discuss further actions. Your business application administrator is able to resend the welcome e-mail in case the need exists.

[ Top of FAQ ]

I receive an Error Message when using the OTP SMS functionality

This error probably indicates that you haven't yet activated your mobile number for this functionality. Should you receive an error when activating your mobile number or not receive any message needed for activation, please consult your Siemens Sponsor.

[ Top of FAQ ]


[ Back to top ]

start.txt · Last modified: 2019/06/26 08:37 by z003ff2f