Version       Summary
8/10/22       Updated process and link to new AWS VPN instructions
02/22/2022    Updated EC2 instance and VPN instructions
12/28/2021    Updated format to align with policy version tables
12/15/2021    Added version tracking table.
07/08/2021    Updated

...


Overview

One of the configuration options when setting up an Access Requirement (AR) is user type. Both click-wraps and ACT-managed ARs can be configured so that users must be validated in order to be granted data access. Users who are not validated will not be able to click the “Agree” button on a click-wrap and will not be able to submit a data access application for an ACT-managed AR.

Profile validation is a process by which users have their identity verified by ACT. Users submit an ORCID profile, a signed Synapse Pledge, and a signed identity attestation document to ACT, and then ACT must review the documentation to ensure the documents are acceptable and match the user’s Synapse profile information. For privacy and security reasons, ACT must utilize a remote desktop to review profile validation requests so that submitted documents are not downloaded onto any personal devices.

Configuring the Profile Validation Request Environment

Before validating Synapse profiles, ACT must set up VPN access and a Windows instance using Amazon Web Services (AWS). This allows ACT to validate profiles without downloading users’ personal information onto an ACT member’s laptop. You must always utilize a remote desktop to review profile validation requests.


1. Establish VPN Access 

Instructions for establishing an AWS VPN client can be found at /wiki/spaces/IT/pages/7222394951705246745. Please reach out to the Sage IT Team if you have any questions.

Once you have downloaded the VPN, message #sageit on Slack and request that you be added to the Sage VPN group.

2. Download a remote desktop application

First, make sure you have created a JumpCloud account. Most new employees at Sage create a JumpCloud account during their first week at Sage. You will use your JumpCloud account credentials when setting up your remote desktop.

For Macs: Once you connect to your VPN, you will need to download a remote desktop application. The most secure way to do this is to go through the Mac App Store and download a remote desktop app. “Microsoft Remote Desktop” is a good option. Use your sagebase.org email to create your Apple ID. As you proceed through the steps of creating your account, choose “none” under payment methods to avoid applying a credit card to the account.

Note that you may get an error stating that you do not have any Microsoft devices connected to your application. Once you establish your EC2 Windows Instance following the steps in the next section, your remote desktop will be established for the profile validation.

For PCs: For remote desktop applications, please see instructions below.

3. Establish your EC2 Windows Instance using the Service Catalogue

The instructions below will allow you to configure your remote desktop environment:

  1. Start your AWS VPN client with JumpCloud integration.

  2. To create your virtual Windows machine (or ‘instance’), please follow the steps listed for your device here: Service Catalog Provisioning. You will be creating an EC2 Windows Instance with JumpCloud Integration.

  3. Once your instance has been created in the Service Catalogue, scroll down to AWS events. From there, click on Output Value and then the Outputs Tab. You should see the following information:

...

  4. You will need the “WindowsInstancePrivateIpAddress” value for your remote desktop. To install Microsoft Remote Desktop Client, refer to these instructions (https://sagebionetworks.jira.com/wiki/spaces/SC/pages/938836322/Service+Catalog+Provisioning#Connect-to-Windows-desktop). Next, in your Windows search bar, type “Remote Desktop Connection” and open the app. Type in the IP address and your JumpCloud user name. Click connect.

  5. If you are using Microsoft Remote Desktop client, the PC tab will look like this:

...

  6. Test that you can access your remote desktop by following the steps listed under “Validating Profiles” below (you can skip steps 9-15 unless you have profiles to validate). To launch the remote desktop, double click on the PC instance that you established in the remote desktop app.


Reviewing Profile Validation Requests

Once a user submits a profile validation request, an email will be triggered to ACT@sagebionetworks.org. Therefore, ACT does not need to check the Profile Validation Dashboard daily for new requests, and instead can just review the dashboard when an email is received.

How to Navigate to the Profile Validation Dashboard in your Remote Desktop

  1. Start your AWS VPN client.

  2. Go to https://sc.sageit.org and log in.

  3. Go to your “Provisioned products list” and select the Windows EC2 instance you have established for validating profiles.

  4. Click the “Actions” button and select “Start” and then “Perform Action” when prompted.

  5. On the top right of the “Provisioned product details”, click the refresh button next to the Actions button. The status will change to “Under Change”. Periodically click the refresh button until the status changes to “Available”. Now your instance is available for use.

  6. Open your remote desktop app (likely “Microsoft Remote Desktop”) and select your instance.

  7. Click “Connect” when prompted and this should launch your instance (it will look like a Windows Desktop). Open an Internet browser to access the Profile Validation page.

  8. Note, the first time you access the Internet within your Windows instance you’ll need to log into Synapse with your credentials (your VPN browser will not know your login or password the first time). It is a good idea to bookmark the Synapse site on your VPN browser for future access and have Google remember your password. Once logged into Synapse, all of your starred pages will be available and accessible like usual. If you haven’t already, it can be useful to star the ACT Zone page for quick access.

  9. From the main ACT Zone page, go to ‘Profile Validation Dashboard’, which can be found in the left-hand side menu towards the bottom.

  10. Click the “Profile Validation Dashboard” link in the Wiki to review requests. 

How to Review Requests

  1. For the profile validation request to be approved:

    1. Check the requestor’s Synapse profile to verify the user is Certified.

    2. Ensure the user’s ORCID profile is public and contains at least one piece of information (e.g., education, employment, etc.).

    3. Ensure the user has completely filled out the Synapse Pledge by typing their name, checking the bubbles, and signing their name at the bottom. Typed signatures are not acceptable, but electronic signatures are acceptable.

    4. Ensure the user attached an identity attestation document in English. Document options include:

      1. Letter from a signing official (not themselves) on official letterhead attesting to their identity

      2. Notarized letter attesting to their identity

      3. A copy of a professional license (e.g., medical license, etc.)

  2. If all of the above criteria are met, you can approve the user by clicking the ‘Approve’ button. The user will automatically receive a confirmation email that their profile validation is approved.

  3. If the user does not meet all of the above criteria, you will click the ‘Reject’ box, which will generate text for a rejection email:

    1. Click the checkbox(es) for the appropriate rejection reasons - be sure to select all that apply

    2. Click “Generate Response”

    3. Review email message and make any necessary changes or additions

    4. Scroll down and click “Send”

  4. After approving or rejecting the request, you will see a comments box. 

    1. If they were approved, leave the box blank.

    2. If they were rejected, write a brief explanation for the rejection (e.g., Pledge not signed, ORCID profile not public, Missing identity document).

How to Close Out of your Environment

  1. Once you have reviewed all pending requests, exit out of the browser and close your remote desktop window.

  2. Go to your “Provisioned product details” and select the Windows instance you have established for validating profiles.

  3. Click the “Actions” button and select “Stop”.

  4. Click “Perform Action”.

  5. Disconnect your VPN connection.

Common User Errors

  1. ORCID profile:

    1. Not public: “No Public Info Available”

    2. Does not have one piece of information (e.g., education, employment, etc.)

  2. The Synapse Pledge:

    1. Has a typed signature instead of a signed one

  3. Identity Attestation Document:

    1. Not on letterhead

    2. Not in English

    3. Student or Work Identification Badge

...

Resources

Certification Quiz

ORCID Profile settings

...