How to calculate the number of ESSO User licenses used? How does the controller check how many user licenses are being used?
ESSO calculates the number of licenses used by enumerating the number of users having an enatelSSOStorageV3 or enatelSSOStorageV2 container. All containers are taken into account even empty ones (an empty container corresponds to a user who has not collected any SSO account or a deactivated user). The controller uses the LDAP search (objectClass=enatelSSOStorage) to detect the licensed users.
From 8.0.3 SP3 the Help | "About" menu of the Enterprise SSO console shows the number of purchased licenses and used licenses. The query calculating this number is launched by the ESSO Controller every 24 hours. (This timer cannot be modified and is reset at each controller restart.) Consequently, the number of used licenses can be slightly differ from the number of enatelSSOStorage objects. (This query is not executed at ESSO Controller start for performance reasons.)
To recover licenses used by users who do not use ESSO anymore, delete their enatelSSOStorageV2 or enatelSSOStorageV3 containers. These containers can be seen in "Active Directory Users & Computers" by enabling the View | "User, Contacts, Groups, and Computers as containers" option.
Performing an LDAP search for (objectClass=enatelSSOStorage) will show which users are currently using a license. Alternately, use LDIFDE to return results with a specific attribute such as DN:
ldifde -d "DC=yourdomain,DC=com" -f c:\output.txt -l "distinguishedname" -r "(objectClass=enatelSSOStorage)
This will provide a text output of the results, e.g.:
From 8.0.5 SP5 when using AD or AD+AD/LDS (AD+ADAM) architecture, you can use the SSO & Active Directory deactivated accounts tool under the File menu (at the left-top of the Console) to search and selectively delete enatelSSOStorage objects belonging to deactivated users in Active Directory to recover their used license. Note, this will destroy the SSO data collected by these users.
If you have exceeded the amount of licenses, when opening the console you will receive the below message, and in some versions a delay of 60 seconds.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center