
Developer FAQs


What is a sandbox? Why should I use one?
A sandbox is an authorization framework provided by Cipher. Using this framework, you can control who can access the resources in your application. To learn more about sandboxes, please refer to this article.
Can I create custom roles as an admin?
No. As an admin, you can't create roles using Authentication Center as of today. However, if you need this, please reach out to the developer team, as they can create the roles using Cipher APIs (link).
When should I consider using an existing sandbox vs creating a new one?
Based on the resource that you want to expose to your employees, you can decide whether to use an existing sandbox or create a new one. To learn more about sandboxes, please refer to this article.
When should I consider using an existing domain vs creating a new one?
If your business use case requires a separate environment for storing employee details and challenging employees differently during login, then you can create a new domain. Otherwise, you can continue using the existing domain.
What is a client? Why do I need to create one?
A client is a registered website or mobile application that employees use to sign in. We offer two types of clients as of today: one for the OIDC protocol and another for the SAML protocol. To learn more about client creation, please refer to this article.
Where to find logs for different environments/zones?
You can find the logs using Kibana. Please find the URLs below:
| Environment/Zone | URL |
| --- | --- |
| Stage | https://kibana.internal.mum1-pp.zetaapps.in/app/kibana#/discover |
| Preprod | https://kibana.internal.mum1-pp.zetaapps.in/app/kibana#/discover |
| Prod | https://kibana.internal.mum1.zetaapps.in/app/kibana#/discover |
| Axon Stage | https://kibana.internal.ohio1-axonstage.zetaapps.in/app/kibana#/discover |
| Sodexo UK | https://kibana.internal.lon1.zetaapps.in/app/kibana#/discover |
What are Proteus Base URLs?
Proteus is a gateway used to send requests to an OMS (Olympus Messaging Service) application from a Spring Boot application. OMS is an internal framework of Directi, similar to the Spring Boot framework.

If you want to make API calls over a public network, please use the below set of URLs:
| Environment/Zone | URL |
| --- | --- |
| Stage | https://sb1-god-cipher.mum1-stage.zetaapps.in/proteus |
| Preprod | https://sb1-god-cipher.mum1-pp.zetaapps.in/proteus |
| Prod | https://sb1-god-cipher.mum1.zetaapps.in/proteus |
| Axon Stage | https://sb1-god-cipher.ohio1-axonstage.zetaapps.in/proteus |
| Axon Stage | https://api.ohio1-axonstage.zetaapps.in/ |
| Sodexo UK | https://api.lon1.zetaapps.in |
| Sodexo UK | https://sb1-god-cipher.lon1.zetaapps.in/proteus |
In case you want to make API calls over a private network, please use the below set of URLs:
| Environment/Zone | URL |
| --- | --- |
| Production | https://cipher.internal.mum1.zetaapps.in/proteus/ |
| Preprod | https://cipher.internal.mum1-pp.zetaapps.in/proteus/ |
| Stage | https://cipher.internal.mum1-stage.zetaapps.in/proteus/ |
What are SSO Base URLs?
Please find the URLs below:
| Environment/Zone | URL |
| --- | --- |
| Stage | https://sso-stage.zetaapps.in/ |
| Preprod | https://sso-pp.zetaapps.in/ |
| Prod | https://sso.zetaapps.in/ |
| Axon Stage | https://sso.ohio1-axonstage.zetaapps.in/ |
| Sodexo UK | https://sso.lon1.zetaapps.in/ |
What are Cerberus OAuth Base URLs?
Please find the URLs below:
| Environment/Zone | URL |
| --- | --- |
| Stage | https://oauth-stage.zetaapps.in/ |
| Preprod | https://oauth-pp.zetaapps.in/ |
| Prod | https://oauth.zetaapps.in/ |
| Axon Stage | https://oauth.ohio1-axonstage.zetaapps.in/ |
| Sodexo UK | https://oauth.lon1.zetaapps.in/ |
Where can I find the Auth Center base URL for a particular tenant?
Please check out this link to find the Auth Center base URL for a particular tenant.
How to get access to DB where session related data is stored?
Sessions database access is not given to developers as it contains sensitive information.

In case you need it for a specific purpose, please raise a ticket with the DevOps team to get the relevant information, with proper approval from your manager. Refer to this link for a sample ticket.
Can a zetauser token be created for a system user?
No, you cannot create a zetauser token for a system user, because a zetauser token is like a super token that has the privilege to perform any action on any resource across any given tenant. Therefore, it is advised not to use zetauser tokens for system users.
How to enable authentication center for a domain and sandbox?
There are 2 ways to enable auth center for a domain and sandbox as mentioned below:

1. You can either use the Hercules platform. Please check out this link for more details.

OR

2. You can reach out to the Cipher PSE team.
How to configure CIAM roles in a sandbox without elenchos?
If you onboard your tenant using elenchos, then CIAM default roles (link) should be automatically configured for the root sandbox of your tenant.

In case you want to configure custom roles for your sandbox, you can use the sandbox-setup script (link).
How to update the IDP Id of the identityConfig?
The IDP Id of the identityConfig can be updated using the update identityConfig API, as shown below:
curl --location --request PATCH '<baseUrl>/cerberus2/domains/<domainId>/config/identities/<identityConfigId>' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <token>' \
--data-raw '{
"idpId": <idpId>,
"idpDomainId": <idpDomainId>
}'
How to find URLs of Cipher applications in new zones?
There are 2 ways as mentioned below:

1. You can either use Cipher Index Pages to search for the application URL. Please refer to this link for more details.

OR

2. You can check the SSOT document that has been created by the DevOps team for your zone. If you can’t find it there, please raise it with the Plutus DevOps team and ask them to add it.
Can we use the zone config token for accessing any API?
a. No, you cannot use the zone config token. Ideally, you should create a bot, generate an LLT for it, and grant it the privileges you want to use (link).
b. Alternatively, you can integrate CRUX to generate the bot token.
How is blocking an auth profile different from disabling it?
Once an auth profile is blocked, the admin will not be able to re-enable it. All the data of the auth profile will be persisted by Cipher until the admin chooses to delete it. Please refer to this link for more details.

If an auth profile is disabled, however, the admin can re-enable it in the future based on the business requirement. Please refer to this link for more details.
Which Cipher oncall should I reach out to in case of any query?
a. Issues related to SEV 4 incidents and below - Cipher PSE
b. If the issues are not resolved with these FAQs:
    i. Issues related to authentication/authorization - Cipher IAM
    ii. Issues related to payment - Cipher 3DS
    iii. Issues related to front end services - Cipher FE
How to check Cipher CIAM event topics?
Cipher helps you track 2 types of events, as follows:

If you want to know which roles were assigned to or revoked from an employee by the administrator, follow the steps below:

1. Sign in to the Olympus portal (link) and select the respective zone from the top right corner.

2. On the right-hand side, navigate to the Logs section and select Kafka.

3. Search for the topic "_system_0_privilege" if you want to look at the data for all tenants.

4. Search for the topic "_tenant_(tenantId)_privilege" if you want to look at the data for a specific tenant.

If you want to know which actions were performed on an employee profile by the administrator, follow the steps below:

1. Sign in to the Olympus portal (link) and select the respective zone from the top right corner.

2. On the right-hand side, navigate to the Logs section and select Kafka.

3. Search for the topic "_system_0_authProfile" if you want to look at the data for all tenants.

4. Search for the topic "_tenant_(tenantId)_authProfile" if you want to look at the data for a specific tenant.

What limits are present on auth token, refresh token and http session generated using Cipher?
Details of the auth token are as follows:

1. Upper limit beyond which validity can’t be configured: 120 minutes

2. Lower limit below which validity can’t be configured: 30 minutes

3. Default value: 30 minutes

Details of the refresh token are as follows:

1. Upper limit beyond which validity can’t be configured: 1 year

2. Lower limit below which validity can’t be configured: 60 minutes

3. Default value: 1 year

Details of the HTTP session are as follows:

1. Upper limit beyond which validity can’t be configured: 2 days

2. Lower limit below which validity can’t be configured: 5 minutes

3. Default value: 2 days

How do I get the resource and secret as mentioned in https://bitbucket.org/zetaengg/cipher-jars/src/master/?
1. To get the secKey and nonce_value, query the sessions DB.
2. Resource will be 1 the first time; otherwise it will be nonce_value + 1.
3. Query: select secret_key, nonce_value from sessions.public.resource_data where user_id = '<user_id>';