User-Based Licensing
User-based licensing is available with Sentinel LDK CL.
For Sentinel LDK CL you can consume cloud licenses hosted by Thales in the following ways:
>With user-based licensing, described on this page, the user is authorized instead of the device. Users can log on to the vendor's protected application (or service) on any device using their user credentials, such as a user name and password.
>With device-based licensing (formerly identity string-based licensing or identity-based licensing), the device is authorized instead of the user. When you set up machine accounts, users install identity strings on their devices. Any user that has access to those devices can access the vendor's protected application (or service). For details, see Machine Accounts.
What Is User-Based Licensing?
User-based licensing assigns licenses to specific users rather than to devices. Access to products is granted based on user identity, and license usage is tracked per user. This enables you to manage the entitlements with greater control and visibility. Users can access the application from anywhere, on any device. Additionally, you can enforce limits on the number of devices per user based on your selected enforcement policy to prevent password sharing and reduce license misuse.
User-based licensing can be configured to use OAuth, allowing end users to access the vendor’s application or service using their login credentials—for example, a user name or email address and a password. In user-based licensing, the user is authorized instead of the device.
Compare with device-based licensing
To implement user-based licensing, you must associate your users with an identity provider (IdP) that authenticates their identity when they access your application or service. Thales provides Sentinel IDP as an out-of-the-box identity provider, but you can integrate your own identity provider instead.
After you activate an entitlement
You can also use named users to control and limit the number of users that can access the application. You apply the named user limit directly to products. To create entitlements with products that have the named user limit enabled, see Named Entitlements for User-Based Licensing.
User-based licensing uses OAuth to verify and authorize each user, so you need to set up the OAuth client in Sentinel EMS for your application. To complete the process, use Sentinel LDK to integrate these OAuth client details with your application. You perform this step outside of Sentinel EMS to ensure the application knows how to authorize users.
You configure user-based licensing using various entities in Sentinel EMS. This topic guides you through the process. After the setup is complete, your end users can sign in to your application using their credentials.
For setup details, see Cloud Licensing Flow for User-Based Licensing.
Prerequisites for User-Based Licensing
Each step in the user-based licensing process requires different roles in Sentinel EMS. You can find more information on each of the pages linked in the section below.
Before you begin, ensure that your environment meets the following requirements:
•User-based licensing requires a Sentinel LDK CL subscription.
•On-premises applications require the hasp library to be installed together with your application. To avoid compromising application security, do not use Sentinel Licensing REST APIs. If your application cannot include the hasp library, contact Thales Customer Support for assistance.
•SaaS applications require the use of OAuth with Sentinel REST APIs. For details, see Sentinel EMS Workflow with OAuth Clients.
Cloud Licensing Flow for User-Based Licensing
The following diagram illustrates the unique steps that comprise the cloud licensing flow for user-based licensing. This diagram assumes that you have already set up your catalog with products and features for your protected applications. You can perform the OAuth client-related tasks at any time, as they are not dependent on other steps in Sentinel EMS.
1: Vendor: Sentinel EMS Vendor Portal
Create customers. Then create administrator users for those customers.
User-based licensing relies on user association to enable end users to access licenses. To achieve this, every entitlement must be associated with a customer, and, usually, a customer administrator user. A customer's administrator user manages entities on behalf of the customer using the Sentinel EMS customer portal. If you plan to delegate user association management to customers via the Sentinel EMS customer portal, you must associate an administrator user with the customer. You can create and associate customer administrator users either before or after you create entitlements. If you need to associate a customer’s administrator user with an entitlement, you must do so before you activate the entitlement. For details, see Users.
When you create an entitlement, do the following:
>Assign a customer. For details, see Customers.
>Associate a customer administrator user if needed, to enable the customer administrator to receive email notifications. For details, see Users.
>Select a product whose features include the same enforcement type.
>Select products that include:
•One of the SL-AdminMode locking types. For details, see Locking Type.
•Features whose license model supports concurrency on a network and specifies the maximum number of concurrent instances. For details, see Configure License Model and Sentinel LDK Enforcement - License Models.
>(Optional) You can enable a user limit for products if you want to limit the number of users. When creating a product, set Enable Named Users to Yes, set the concurrent instances to Unlimited and enable Network. For details, see Named Entitlements for User-Based Licensing.
>Depending on your configuration, you may also need to set some attributes in the Additional Attributes section of the Define Entitlement Attributes pane. For details, see Entitlements for Sentinel LDK CL (Produce and Push).
Activate the entitlement
Activate the entitlement using Produce and Push to generate a CL (cloud licensing) key for the relevant products. When you use Produce and Push for the first time, a new Service-Hosted Cloud Licensing Permissions tab is added to the customer details on the Customers page. By default, the customer inherits these permissions from the global Cloud Licensing Permissions. You can change the cloud licensing permissions for a customer, if needed. Your changes affect only those users that are associated with a product after these changes are applied. Any users that were already associated with a product retain the previous cloud licensing permissions.
2: Vendor or Customer's Administrator User: Sentinel EMS Vendor Portal or Customer Portal
Create users
You or the customer's administrator user can create users for customers with activated entitlements. To enable user-based licensing, the users must be associated with the customer. You create users from the Users page, which is available on both the Sentinel EMS vendor portal and customer portal.
For vendors: When you create a user, you set the identity provider, which is responsible for authenticating and verifying the identity of users. When users log in to the vendor's application with their credentials, the identity provider verifies their identity, granting them access. The identity provider acts as a trusted service that manages the identification and authentication process for users. You can set:
>Sentinel IDP. By default, all users are automatically associated with Sentinel IDP unless you select another identity provider.
>Your own identity provider. If you have your own identity provider that you want to associate with your customers, you can connect with Thales Professional Services to integrate it. Then, when you create users, you can select your identity provider instead of Sentinel IDP.
If you use your own identity provider and not Sentinel IDP, you must configure User Attribute for Identity Federation. This federated identity approach simplifies the user login experience while still maintaining control and security.
For details, see Users or the Guide to the Sentinel EMS Customer Portal.
Associate users with products or Sentinel keys
You or the customer's administrator can associate users with various entities—products, or Sentinel keys. This process is possible only with activated line items (products) that are part of a customer's entitlements. To associate users directly with products, you must also set the Enable User-Product Association attribute in the Administration Console to Yes and ensure that the named user limit attributes are not enabled for that specific product.
You associate users from the User Association page, which is available on both the Sentinel EMS vendor portal and customer portal. The first step is to select the customer. This loads all of the activated products for that customer. Next, you scroll to the product that you want to associate with users and, in the Actions column, you select Manage User Association. This opens a page where you can select the users to associate with the relevant entity—product, or Sentinel key.
Using the User Association page or the Sentinel EMS REST API, you can select a customer and associate the customer's users with a relevant entity to upgrade, downgrade, cross-sell, and so on, without creating a new entitlement. Cloud Licensing Permissions at the Customer Level are applied to the customer's users.
Maintain the registered machines
Either you or the customer's administrator user can manage the registered machines for users as needed. For example, the customer's administrator user may need to enable or disable a registered machine. This prevents password sharing and license misuse. The customer's administrator user manages registered machines in the Sentinel EMS customer portal.
1: Vendor: Sentinel EMS Vendor Portal /
NOTE The following steps are not dependent on other steps performed in Sentinel EMS and can be done at any time.
Set the OAuth client in Sentinel EMS
User-based licensing leverages OAuth authentication to enable users to access a vendor's application. When you create an OAuth client, the attribute values that you set depend on the type of application, either public application or SaaS application.
For example, if you are setting the OAuth client for a public application, which is suitable for an on-premises or desktop application, you would:
>Select the Public client type.
>Set the Redirect URI to
>Set the PKCE Code Challenge Method to Plain.
Similarly, if you are setting the OAuth client for a confidential application, which is suitable for SaaS applications, you would set the confidential client credentials. For details, see OAuth Clients.
Add the OAuth client details to your protected application
If you are accessing Sentinel REST APIs from your application, use the standard OAuth workflow to authenticate users and get the OAuth Tokens. For details, see Sentinel EMS Workflow with OAuth Clients.
This step is not part of the Sentinel EMS flow, but you need to perform this step to support user-based licensing for vendor applications that are protected and/or licensed using Sentinel LDK. If you are using the hasp library, see Sentinel LDK Software Protection and Licensing Guide for details.
Integrate Licensing APIs into your licensed application
To integrate Licensing APIs into your licensed application:
•For on-premises applications, use the hasp library.
•For SaaS applications, use Sentinel REST APIs.
For details, see Sentinel LDK API References section in Sentinel LDK guides.
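The public-client OAuth step above sets a PKCE Code Challenge Method. The following added example (not Thales or Sentinel code) walks through the RFC 7636 mechanics behind that setting and compares what the plain and S256 methods bind the authorization code to. The function names are hypothetical, and the example assumes an authorization server that follows RFC 7636.

```python
import base64
import hashlib
import hmac
import secrets


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(n_bytes: int = 32) -> str:
    """Client side: random verifier, 43 characters for 32 bytes (section 4.1)."""
    return _b64url(secrets.token_bytes(n_bytes))


def code_challenge(verifier: str, method: str) -> str:
    """Client side: value sent with the authorization request (section 4.2)."""
    if method == "plain":
        return verifier  # the challenge is the verifier itself
    if method == "S256":
        return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    raise ValueError(f"unsupported code_challenge_method: {method}")


def server_accepts(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Server side: token-endpoint check of the verifier (section 4.6)."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    try:
        expected = code_challenge(presented_verifier, method)
    except ValueError:
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected, stored_challenge)


def observer_can_redeem(method: str) -> bool:
    """Model a party that saw only the authorization request (the challenge).

    Returns True if presenting that observed value satisfies the server check.
    """
    verifier = new_code_verifier()          # constructed sample value
    challenge = code_challenge(verifier, method)
    return server_accepts(challenge, method, challenge)


if __name__ == "__main__":
    for m in ("plain", "S256"):
        print(m, "challenge alone passes verification:", observer_can_redeem(m))
```

RFC 7636 permits plain only for clients that cannot compute SHA-256; a client that can use S256 is required by the RFC to do so.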
Registered Machines
When end users access licenses using user-based licensing, their devices may be registered automatically when they open a protected application. Automatic registration occurs only if a specific number is defined for the Maximum Number of Registered Machines setting in the Service-Hosted Cloud Licensing Permissions. (If this value is set to Unlimited, then devices are not registered.) You and the customers' administrator users can view the list of registered machines for each of that customer's end users through the Registered Machines tab on the Users page.