The eToken is the University's multi-factor authentication (MFA) product, and is used to connect to high-value applications like AMS, ARBOR, and ROSI. eTokens allow a method of authentication that provides high assurance of identity, as multi-factor authentication is often defined as a combination of something you have (the eToken) with something you know (your UTORid and password). This method of authentication provides higher assurance of identity compared to using a UTORid and password alone. The eToken service is provided by SafeNet.
For the majority of end users, an eToken is a small USB device that is plugged into your computer or laptop when you require access to highly sensitive applications that the University utilizes.
Who needs an eToken?
The services and applications that make use of eTokens at the University are ever expanding, and ultimately, it is up to the individual's assigned department to determine if an individual needs an eToken, depending on which applications that individual are designated to use.
The most common applications in the University that use an eToken are listed below. Note that this list is a non-exhaustive list.
- ROSI
- AMS
- ARBOR
- StarRez
- UtorAUTH
How are eTokens distributed?
Information Security and Enterprise Architecture supplies the hardware to departments. From there, the department, specifically the department administrators, distributes and manages eToken usages at a departmental level.
Is there any software I need to install to use my eToken?
In order to use the eToken service, you need the SafeNet Authentication Client installed onto your desktop or laptop. Below are the instructions for your specific operating system (MAY CHANGE LINKS FOR ESC):
Solving common eToken problems
Your Departmental eToken Administrator (UTORid and password required), can assist with the most common problems that you may run into. If your Departmental Administrator is not able to help with your problem, please contact us with the following information (MAY CHANGE TO ESC TICKETING INSTRUCTIONS):
- Name
- UTORid
- Department/Division (Faculty)
- System you are trying to connect to
- Description of the problem, including any steps taken so far to fix the problem
In addition, there are several common issues listed below, and what appropriate action to take.
| Issue: | Action: |
| Request an eToken | Contact Departmental Administrator |
| Forgotten Password/Locked eToken | Contact Departmental Administrator |
| Lost or Forgotten eToken | Contact Departmental Administrator |
| Cannot connect to Cisco Anyconnect | Contact eToken service desk : auth.admin@utoronto.ca |
| Can connect to Cisco Anyconnect but cannot connect to AMS (FIS, HRIS, etc) | Contact AMS help: access.easi@utoronto.ca |
| Can connect to Cisco Anyconnect but cannot connect to ROSI | Contact ROSI help: rosi.help@utoronto.ca |
| Transferring to a different U of T Department | Keep your eToken |
| Leaving the University | Return eToken to Departmental Administrator |
In addition, you can visit the FAQ tab for additional help.
Staff and faculty are eligible for this service. Students may be granted a special exception upon request of departmental representative.
eTokens are University assets that are managed at a departmental level. There is at least one eToken administrator assigned to each department with larger departments having a team of administrators.
If you are a New Employee at the University …
- Contact your department’s eToken administrator
- To Access a list of current token admins. Please visit our eToken Admin List. You can Log-in to the view the list by providing your UTORid and UTORid password
- If your department administrator is not listed or if you seek additional assistance please contact your business officer
If you are an existing staff member transferring to a new department…
- Giving the new funding model, there is no reason for a department to take back the eToken of a person who is changing positions.
If You are leaving employment at the University …
- eTokens must be returned prior to termination of employment or contract
General
Connection and Access Issues
ROSI
AMS
For Departmental Administrators
eToken Self Service
January 22 2019 : SAM Management Server Migration
October 01 2018 : Safenet Authentication Client(SAC) Compatibility
September 27 2018 : New auditing and notification procedures for eToken Administrators
May 08 2018 : Incorrect version of Safenet Authentication Client posted for download
April 20 2018 : eToken Certificate Expiry and Renewal
- Request eToken Inventory
- eToken User Reports for Departmental Administrators
- Departmental eToken Administrators
Note: SAM management site is only accessible from a U of T IP address. If you work from home, make sure you connect to UTORvpn before you go to the website.
- Connect your admin token to your computer
- Access SAM by inserting your eToken, open Internet Explorer, and access the URL https://ekey.utoronto.ca/sammanage
- Select ‘Deployment’
- Search for ‘USER BY USERNAME’
- Enter the UTORid of the enrollee under Search criteria
- Select ‘GO’
- Check the box beside the correct UTORid and select ‘ENROLL’
- Select ‘RUN’
- Select ‘DONE’ after processing has finished and provide the token to user
- Take possession of the user’s token
- Connect your admin token to your computer
- Access SAM by inserting your eToken, open Internet Explorer, and access the URL https://ekey.utoronto.ca/sammanage
- Search for 'USER BY USERNAME'
- Enter the UTORid of the user to be assigned under Search criteria
- Check the box beside the correct UTORid and select 'UNASSIGN'
- Select 'RUN'
- Select 'DONE' after processing has finished and retain the spare token for future enrollment
- Connect your admin token to your computer
- Access SAM by accessing URL: https://ekey.utoronto.ca/sammanage
- Search for "Tokens by users"
- Enter the locked user's UTORid
- Select the eToken to be unlocked and select "Unlock". The eToken admin will wait for the user to complete the next step.
- Have the user immediately connect to eToken on local system and open the SAC client
- On user's SAC client, select "Unlock eToken"
- In the pop-up window, user records the challenge code and sends it to the eToken admin. Please note that the user shall not close the SAC window until a response code is received and entered. The challenge code will change every time when the SAC window is reopened.
- When receiving a challenge code, the eToken admin will enter it in the unlock window in the sammanage.
- eToken admin selects "Run", then a response code will be displayed and the eToken admin will send this back to the user.
- User will enter the response code in the SAC window, and new password, and selects "OK".
- Take possession of the user's token and connect it to your computer.
- Connect your admin token to your computer
- Access SAM by inserting your eToken, open Internet Explorer, and access the URL https://ekey.utoronto.ca/sammanage
- Search for 'CONNECTED TOKENS'
- Highlight the account name of the user requesting a password reset. Select 'RESET PWD'.
- Select 'RUN'.
- Select 'DONE' afer processing has finished. The token is now unlocked and the password has been set back to default.
- Have the user immediately select a new password consisting of at least 6 characters and must contain at least 3 of the following (a number, an uppercase, a lowercase, and/or symbol).
Temporarily misplaced or forgotten eTokens are to be returned to the DA as soon as the token is locaed, so that it may be initialized and re-assigned at a later date.
- Take possession of the user's token and connect it to your computer
- Connect your admin token to your computer
- Access SAM by inserting your eToken, open Internet Explorer and access the URL https://ekey.utoronto.ca/sammanage
- Connect a new unassigned/blank eToken
- 'Search for': Tokens by user. Enter UTORid of User and select 'GO'
- Highlight the account name of the user with the lost/forgotten eToken. Select the 'replace' option from the drop down menu.
- Select 'LOST' from drop down menu citing reason for replacement (please note: all lost and/or forgotten are to be labelled lost until returned)
- Select the 'RUN' button
- Select 'DONE' after processing has finished. The eToken is now ready for the user.
The DA is to complete a two-step process: first, unassigning the eToken from the previous User and second, initializing it in order to remove the restrictions automatically placed on 'lost' tokens within the system
Step One: Unassigning the lost eToken
- Take possession of the user's token and connect it to your computer
- Conenct your admin token to your computer
- Access SAM by inserting your eToken, open Internet Explorer, and access the URL https://ekey.utoronto.ca/sammanage
- Search for 'CONNECTED TOKENS'
- Highlight token with status reading 'REVOKED, LOST'. Select the 'Unassign' button. Select 'Run'.
- Select 'DONE' after processing has finished. Do not remove the obsolete token and move forward with Step 2: initializaiton
Step 2: initialization
- Select 'INVENTORY'
- Search for 'CONNECTED TOKENS'
- Select the 'NOT ASSIGNED' token and initialize
- Select 'RUN' button
- Select 'DONE' after processing has finished
- The eToken is now active again, all restrictions have been removed. Retain the spare token for future enrolment.
- Take possession of the user's token and connect it to your computer
- Connect your admin token to your computer
- Access SAM by inserting your eToken, open Internet Explorer, and access the URL https://ekey.utoronto.ca/sammanage
- Connect a new unassigned/blank eToken
- Search for 'CONNECTED TOKENS'
- Highlight the account name of the user with damaged eToken. Select the 'replace' option from the drop down menu
- Select "damaged" from drop down ,menu citing reason for replacement
- Select the 'Run' button
- Select the 'Done' button. The old token is now 'damaged' and new enrolled eToken is ready for the user.