About Registration Tokens

A registration token is used to generate auth tokens. Individual auth tokens are required by users/devices to run the licensed application in the Connected (Cloud LM) deployment mode. When REST APIs are directly integrated into the application, each instance of a licensed application, even on the same device, requires a registration token so that it can get individual auth tokens. The step of creating auth tokens must be performed only once; afterwards, the access token/refresh token cycle should be performed.

During the registration token generation, a count value must be specified to control the number of auth tokens that can be generated. A registration token cannot be used to generate additional auth tokens if all the counts are consumed. Each registration token also has an expiration date beyond which the token cannot be used.

NOTE   The limits and values specified when creating registration tokens are not related to licensing and entitlement, or to values specified there such as entitlement quantity and hard limit. Registration tokens are only used to generate auth tokens.

The table that follows lists additional scenarios related to registration tokens:

Scenario Recommendation
How to generate a registration token?

The Contact Administrator can create a registration token using the:

>Sentinel EMS Customer Portal. Refer to the Sentinel EMS Customer Portal Guide.

>Token Management Service REST APIs:

/token/api/v5/idpConfigurations: Provides the token endpoint and realm used in the next API.

{{tokenEndpoint}}realms/{{realm}}/protocol/openid-connect/token: Provides the bearer token used in the next API. However, this API is not included in the API Reference Guide.

/token/api/v5/registrationTokens: Provides the registration token.

The expiration date in the registration token was reached, but not all of the possible auth tokens have been generated.

The registration token cannot be used beyond the expiration date even if one or more counts remain in the token.
Can a single registration token be used to generate all the auth tokens required?

Yes. In an enterprise, a single registration token provides a hassle-free way to enable all users/devices to obtain their individual access tokens, without requiring a mechanism such as saving a username/password on a machine. The administrator also has the option of deleting the auth tokens to prevent further use of any generated auth token.
Should the administrator allow use of the same registration token to generate auth tokens for multiple users?

The administrator can create multiple registration tokens. Use of the same registration token by all the users depends on the enterprise policy. The administrator needs to weigh the security aspects of sharing the same registration token versus the convenience of quicker user onboarding by using the same registration token.

>If the administrator wants ease of use, one registration token can be shared among all users/devices in an enterprise with the count value set accordingly. For example, if there are 100 users/devices in an enterprise seeking licenses, the administrator can create a registration token with a count of 100 so that each user/device receives its unique auth token (this assumes that one instance of the licensed application is run by each user/device). However, if each user/device plans to run multiple application instances, then the count needs to be set accordingly. For example, if 2 instances are to be run by each user/device, then a count value of 200 needs to be set.

>If the administrator wants to ensure greater security, then different registration tokens should be provided to each recipient.

The users failed to use the registration token initially and are now receiving a message about registration token expiration.

If the licensed application is not used even once before the registration token expiration, then the administrator needs to provide a new registration token to generate a new auth token.
An error about token count consumption is appearing.

This can happen when:

>The count value specified is less than the actual number of users/devices using the registration token.

>Possibly, unexpected users have depleted the count.

To investigate this, the administrator may need to track the auth token users.
Refer to Authorization (Auth) Tokens for details.
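
One way an administrator could approach the count-depletion investigation described above, as an added example that is not part of the Sentinel documentation: it checks a list of auth token issuance records against the planned devices and instances. The record fields (`device`, `issued_at`), the roster, the device names and the function name are assumptions made for illustration, not a Sentinel EMS export format.

```python
from collections import Counter
from datetime import datetime, timezone

def audit_registration_token(count, expires_at, roster, issuances, now):
    """Explain where a registration token's count went.

    roster:    {device: instances the administrator planned for} (assumed input)
    issuances: [{"device": str, "issued_at": datetime}], one per auth token
    """
    used = Counter(rec["device"] for rec in issuances)
    first_seen = {}
    for rec in sorted(issuances, key=lambda r: r["issued_at"]):
        first_seen.setdefault(rec["device"], rec["issued_at"])
    remaining = max(count - len(issuances), 0)
    # Auth tokens that planned devices still need but have not generated yet.
    pending = sum(max(n - used[d], 0) for d, n in roster.items())
    return {
        "remaining": remaining,
        "expired": now > expires_at,  # unusable past expiry even with counts left
        "unexpected": {d: first_seen[d] for d in sorted(used) if d not in roster},
        "over_plan": {d: used[d] - roster[d] for d in sorted(used)
                      if d in roster and used[d] > roster[d]},
        "pending": pending,
        "shortfall": max(pending - remaining, 0),
    }

def _ts(day, hour):
    return datetime(2024, 5, day, hour, tzinfo=timezone.utc)

# Constructed sample: 3 devices x 2 instances, so the token was created with count 6.
ROSTER = {"laptop-01": 2, "laptop-02": 2, "laptop-03": 2}
ISSUANCES = [
    {"device": "laptop-01", "issued_at": _ts(2, 9)},
    {"device": "laptop-01", "issued_at": _ts(2, 10)},
    {"device": "laptop-01", "issued_at": _ts(3, 14)},   # third instance, not planned
    {"device": "laptop-02", "issued_at": _ts(3, 8)},
    {"device": "kiosk-77", "issued_at": _ts(4, 23)},    # not on the roster
    {"device": "kiosk-77", "issued_at": _ts(4, 22)},
]

if __name__ == "__main__":
    report = audit_registration_token(6, _ts(31, 0), ROSTER, ISSUANCES, _ts(6, 12))
    for key, value in report.items():
        print(f"{key}: {value}")
```

A non-zero `shortfall` means planned users/devices will meet the count consumption error with this registration token, and `unexpected` shows which consumers to look at first.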