User-Based Licensing
User-based licensing is available with Sentinel LDK Cloud Licensing (CL).
Sentinel LDK Cloud Licensing (CL) provides various ways to consume cloud licenses that are hosted by Thales.
>With user-based licensing, described on this page, the user is authorized instead of the device. Users can log on to the vendor's protected application (or service) on any device using their user credentials, such as a user name and password.
>With identity string-based licensing, the device is authorized instead of the user. When you set up machine accounts, users install identity strings on their devices. Any user that has access to those devices can access the vendor's protected application (or service). For details, see Machine Accounts.
|
>What Is User-Based Licensing? |
New to Sentinel EMS?
|
What Is User-Based Licensing?
User-based licensing uses OAuth to enable end users to access the vendor's application or service using login credentials—for example, their user name or email address and their password. End users can log in to the application from any supported device without the need to activate a license or install anything special on the device. With user-based licensing, the user is authorized instead of the device.
Compare with identity string-based licensing
To implement user-based licensing, a customer's users must be associated with an identity provider that authenticates their identity when accessing the vendor's application. Thales provides an out-of-the-box identity provider that you can use—Sentinel IDP. As an alternative to Sentinel IDP, you can integrate your own identity provider instead.
After an entitlement is marked as complete or is activated using Produce and Push, you or your customer's administrator user need to associate products with users as described in Product-to-User Association. This step makes the products available to the specified users. If you later need to modify the list of available products for specific users without changing the license details, you can simply update the product-to-user association without the need for creating new entitlements. For example, suppose you offer training for your products, and the trainees change every few weeks. Instead of creating new entitlements every training cycle, you can simply switch the users that are associated with the relevant products.
The user-based licensing process uses OAuth to authorize users, so you need to set up the OAuth client in Sentinel EMS for the vendor's application. To complete the process, you use Sentinel LDK to integrate these OAuth client details with the vendor's application. Although this last step is not part of Sentinel EMS, the step is described here because the integration is required to enable the vendor's application to "know" how to authorize users.
For details on how to set up user-based licensing, see Cloud Licensing Flow for User-Based Licensing.
You set up user-based licensing using different areas in Sentinel EMS. This topic is intended to guide you through the process. When the process is complete, end users can log on to the vendor's application using their credentials.
Prerequisites for User-Based Licensing
Each step in the user-based licensing process requires different roles in Sentinel EMS. You can find more information on each of the pages linked in the section below.
Cloud Licensing Flow for User-Based Licensing
The following diagram illustrates the unique steps that comprise the cloud licensing flow for user-based licensing. This diagram assumes that you already set up your catalog with products and features for your protected applications. The tasks related to the OAuth client are not dependent on other steps performed in Sentinel EMS and can done at any time.
1: Vendor: Sentinel EMS Vendor Portal |
|
|---|---|
|
|
Create customers. Then create administrator users for those customers. User-based licensing relies on product-to-user association to enable end users to access licenses. To achieve this, every entitlement must be associated with a customer, and, usually, a customer administrator user. A customer's administrator user manages entities on behalf of the customer using the Sentinel EMS customer portal. If you plan to delegate product-to-user association management to customers via the Sentinel EMS customer portal, an administrator user must be associated with the customer. Add a customer administrator user if one does not exist and associate that user with the customer. Although you can create and associate customer administrator users before or after you create entitlements, you must associate a customer's administrator user with an entitlement before you activate the entitlement. If you already have the relevant details, you can create administrator users for one or more customers in advance. For details, see Users. |
|
|
When you create an entitlement, you must: >Assign a customer. For details, see Customers. >Associate a customer administrator user if needed. For details, see Users. >Select products that include: •One of the SL-AdminMode locking types. For details, see Locking Type. •Features whose license model supports concurrency on a network and specifies the maximum number of concurrent instances. For details, see Configure License Model and Sentinel LDK Enforcement - License Models. Depending on your configuration, you may also need to set some attributes in the Additional Attributes section of the Define Entitlement Attributes pane. For details, see Entitlements for Sentinel LDK Cloud Licensing (CL) (Produce and Push). |
|
|
Activate the entitlement using Produce and Push To enable user-based licensing, you must use Produce and Push to activate the entitlement. Activating an entitlement generates a CL (cloud licensing) key for the relevant products. In addition, when you use Produce and Push for the first time, a new Service-Hosted Cloud Licensing Permissions tab is added to the customer details on the Customers page as described in Create an entitlement. This is relevant only for machine accounts and can safely be ignored for user-based licensing. Do not change the cloud licensing permission settings. |
2: Vendor or Customer's Administrator User: Sentinel EMS Vendor Portal or Customer Portal |
|
|
|
Create users You or the customer's administrator user can create users for the entitlement that you activated earlier. The users must be associated with the customer to enable user-based licensing. You create users from the Users page, which is available on both the Sentinel EMS vendor portal and customer portal. When you create a user, you set the identity provider, which is responsible for authenticating and verifying the identity of users. When users log in to the vendor's application with their credentials, the identity provider verifies their identity, granting them access. The identity provider acts as a trusted service that manages the identification and authentication process for users. You can set: >Sentinel IDP. By default, all users are automatically associated with Sentinel IDP unless you select another identity provider. >Your own identity provider. If you have your own identity provider that you want to associate with your customers, you can connect with Thales Professional Services to integrate it. Then, when you create users, you can select your identity provider instead of Sentinel IDP. If you use your own identity provider and not Sentinel IDP, you must also set the External ID value for each user. This federated identity approach simplifies the user login experience while still maintaining control and security. For details, see Users. |
|
|
Associate products with the users You or the customer's administrator user can now associate products with the customers' users. All of the products included in all of the entitlements associated with that customer are available for user association. You associate products with users from the Product-to-User Association page, which is available on both the Sentinel EMS vendor portal and customer portal. The first step is to select the customer. This loads all of the products and users associated with that customer. Next, you scroll to the product that you want to associate with users and, in the Actions column, you select Manage User Association. This opens a page where you can select the users that you want to associate with the product. There is no limit to the number of users that you can associate. Using the Product-to-User Association page or the Sentinel EMS REST API, you can upgrade, downgrade, cross-sell, and so on, by selecting the relevant customer and product, and associating that product with the relevant users. There is no need to create a new entitlement. For details, see Product-to-User Association. |
3: Vendor: Sentinel EMS Vendor Portal and Sentinel LDK |
|
|
NOTE The following steps are not dependent on other steps performed in Sentinel EMS and can be done at any time. |
|
|
|
Set the OAuth client User-based licensing leverages OAuth authentication to enable users to access a vendor's application. When you create an OAuth client, the attribute values that you set depend on the type of application. For example, if you are setting the OAuth client for a public application, which is suitable for an on-premises or desktop application, you would: > Select the Public client type. >Set the Redirect URI to >Set the PKCE Code Challenge Method to Plain. Similarly, if you are setting the OAuth client for a confidential application, which is suitable for SaaS applications, you would set the confidential client credentials. For details, see OAuth Clients. |
|
|
Add the OAuth client details to your protected application This step is not part of the Sentinel EMS flow, but you need to perform this step to support user-based licensing for vendor applications that are protected and/or licensed using Sentinel LDK. For details, see Sentinel LDK Software Protection and Licensing Guide. |
