Configuring a front-end authentication method
Microsoft® Active Directory® authentication
Configuring smart card authentication
LDAP authentication
Microsoft® Active Directory® LDS
389 Directory Service
Novell® eDirectory™
Windows Azure™ Active Directory® authentication
SAML federated
WS-Federated
Social authenticators
Integration with password management applications
Primary credentials
Configuring user front-end authentication method selection
Adding a web application
Integrated Windows Authentication
Form fill authentication
Proxy-less form fill authentication
SAML federation
Configuring advanced SAML token settings
Configuring advanced WS-Federation token settings
OpenID Connect/OAuth 2.0
Manual user provisioning
HTTP basic authentication
HTTP header value
No back-end SSO
Exporting an application configuration template
Forwarding claims to federated applications
Adding HTTP headers to proxy applications
Configuring step-up authentication
Configuring front-end authenticators
Configuring each application
Configuring for external users
Configuring Defender as a Service with Cloud Access Manager
Using Dell's Security Analytics Engine
Enabling Dell's Security Analytics Engine
Configuring Cloud Access Manager to use Dell's Security Analytics Engine for access control
Managing your SSL certificate
Obtaining a signed certificate
Replacing an expiring certificate
Installing a fully signed certificate from a certificate archive file
Installing a certificate authority certificate
Changing the Cloud Access Manager service account password
Cloud Access Manager IIS Application Pool
Dell Redistributable Secure Token Server
Front-end authenticators
Reporting
Customizing Dell™ One Identity Cloud Access Manager
Further considerations
When you have added an application to Dell™ One Identity Cloud Access Manager, you may want to ensure users only access the application using Cloud Access Manager. This may be required if you use Cloud Access Manager to enforce strong authentication for the application, or want to use Cloud Access Manager’s auditing features to monitor application usage. For further information on how to ensure that users access the application using Cloud Access Manager, please refer to Preventing direct access to applications protected by Cloud Access Manager in the Dell™ One Identity Cloud Access Manager Security and Best Practice Guide.
Form fill authentication
This example will guide you through the steps required to configure single sign-on for Microsoft® Outlook® Web App using the form fill authentication method.
Log in to the Administration Console using the desktop shortcut Cloud Access Manager Application Portal and select Add New from the Applications section on the home page.
|
1 |
Click Configure Manually. |
|
2 |
|
3 |
If you have not already done so while adding a previous Form Fill application, save the Inspect Login Form bookmarklet to your browser's favorites. To do this, right-click the Inspect Login Form link, then click Add to favorites. |
|
4 |
Enter the URL of the application into the box provided and click Go. For example, for Microsoft® Outlook® Web App (OWA) enter https://webmail.prod.local/owa, where webmail.prod.local is the hostname of the host running OWA. This will take you to the application's login page. If you are taken directly to the application, check that you are not already signed in and if necessary, sign out. |
|
5 |
With the application’s login page displayed, click the browser's Favorites icon and click Inspect Login Form. The Cloud Access Manager Login Form Inspection Tool will now appear in the bottom-right corner of the browser window. |
|
NOTE: If you are using the Cloud Access Manager Login Form Inspection Tool in Internet Explorer, your Cloud Access Manager website will need to be in the Local intranet zone. This can be selected by going to the Internet Options | Security tab in Internet Explorer while viewing your site. If Local Intranet is not highlighted as shown, click Local intranet |Sites | Advanced then add your Cloud Access Manager site.  |
|
6 |
Use the tool to obtain the field IDs for the login form. For example, click in the Username field, then click in the Password field, then finally click the Submit button.  |
|
7 |
Click Save to save the form IDs and return to the Cloud Access Manager configuration wizard. |
|
8 |
After using the Login Form Inspection Tool to identify the username and password fields and action URL, you are presented with the Form Fill Method page. This is where you choose whether or not to proxy the application with Cloud Access Manager, if you choose not to proxy the application Step 11 and Step 12 will not apply. Click Next. |
|
9 |
Review the detected Form Fill Details. |
|
NOTE: If the application displays the password field on a separate page to the username field, check the box titled The password field is located on a separate page. You will then be able to manually enter the field identifiers for the password field and submit button. |
|
10 |
|
NOTE: Some applications use URLs where only the query string portion of the URL changes when navigating between pages. For example, pages in an Oracle application may only differ by a function id in the query string. The home page might have the ID of 150, for example https://server/OA_HTML/RF.jsp?functionId=150 and the login page an ID of 200, for example https://server/OA_HTML/RF.jsp?functionId=200. To configure this type of application you need to select the box labelled Information in the query string is required to identify the login page of the application. Cloud Access Manager will then allow you to select the query string parameter that identifies the login page, for example the functionId=200 parameter used in the previous Oracle example. If an application uses multiple query string parameters, only check the parameters that identify the login page. For example, some applications use additional parameters to store information unique to a particular user or access attempt. These parameters should not be selected as they would prevent the login page being detected for all users/requests. |
|
13 |
You will now see the Permissions page, which enables you to control which users can access the application. By default, all Cloud Access Manager users have access to the application. You can restrict access to the application to users who belong to a specific role, but for this example simply click Next to allow all users to access the application. |
|
15 |
Select Use primary credentials to log into this application. This will ensure that OWA uses the user's Active Directory domain credentials rather than a different username or password unique to the application, for example the same credentials that the user used to authenticate to Cloud Access Manager. For applications that require different credentials make sure this option is left clear. Click Next. |
|
16 |
You can now configure how the application is displayed on the Cloud Access Manager Portal. Enter the Title and Description you want to display on the Cloud Access Manager Portal. Many applications will require you to configure a particular entry point, for example with Microsoft Outlook Web App you may need to append the URL with OWA if Outlook is not configured to automatically redirect to /OWA when no path is specified in the URL. |
|
NOTE: Take care to ensure that the URL entered is unaltered, even down to subtle changes such as character case. In the example Microsoft Outlook Web App, the URL must be appended with OWA. The Add application to application portal home and Allow user to remove application from application portal home options allow you to specify whether the application should appear automatically on each user’s portal page, and how the user can manage the application from the application portal. The options are shown in Table 2. |
 |
 |
|
|
|
|
|
|
|
|
To access the application catalog from the application portal, the user simply needs to click their username, then select Application Catalog. Depending on the settings in the Add application to application portal home and Allow user to remove application from application portal options, the user can add or remove applications to/from the application portal.
|
1 |
Close Internet Explorer® to end your Cloud Access Manager session. |
|
2 |
Open the Cloud Access Manager Portal by using the desktop shortcut Cloud Access Manager Application Portal. |
|
3 |
Log in to the Cloud Access Manager Portal and click the OWA application. |
|
5 |
From OWA, click Sign Out and close Internet Explorer. |
|
7 |
Click the OWA application and you are signed in automatically. |
If a web application supports change password or expired password pages, you can configure Cloud Access Manager to fill and capture these pages.
|
1 |
Log in to the Cloud Access Manager administrator console using the desktop shortcut Cloud Access Manager Application Portal. |
|
4 |
With the application’s change password page displayed, click the browser's favorites icon and click Inspect Login Form. The Cloud Access Manager Login Form Inspection Tool is now displayed in the bottom-right corner of the browser window. The tool will detect that the application is already known to Cloud Access Manager and display a Change Password Form/Expired Password Form list. Select the type of form you want to configure. |
|
5 |
Use the tool to obtain the field IDs for the login form. For example, if required click in the Username field for the field where a username needs to be entered, then if required click in the Old password field for where to enter the old password, and finally click in the New password field for where to capture the new password from.  |
|
6 |
Click Save to return to the Cloud Access Manager configuration wizard with your additional configuration. |
Further considerations
When you have added an application to Dell™ One Identity Cloud Access Manager, you may want to ensure users only access the application using Cloud Access Manager. This may be required if you use Cloud Access Manager to enforce strong authentication for the application, or want to use Cloud Access Manager’s auditing features to monitor application usage. For further information on how to ensure that users access the application using Cloud Access Manager, please refer to Preventing direct access to applications protected by Cloud Access Manager in the Dell™ One Identity Cloud Access Manager Security and Best Practice Guide.
Proxy-less form fill authentication
In proxy-less form fill, Dell™ One Identity Cloud Access Manager attempts to emulate the application's login form with an unsolicited post to the action URL within the login form. Configuring an application in this way involves fewer steps than the form fill authentication method described in Form fill authentication. This example guides you through the steps required to configure single sign-on to an application using the proxy-less form fill authentication method.
Log in to the Administration Console using the desktop shortcut Cloud Access Manager Application Portal, and select Add New from the Applications section on the home page. Cloud Access Manager provides a set of application templates to automatically configure common applications. This example describes how to configure an application manually, rather than using a template.
|
1 |
Click Configure Manually. |
|
2 |
|
3 |
If you have not already done so while adding a previous form fill application, save the Inspect Login Form bookmarklet to your browser's favorites. To do this, right-click the Inspect Login Form link. Click Add to favorites. |
|
4 |
Enter the URL of the application into the box provided and click Go, this will take you to the application's login page. If you are taken directly to the application, check that you are not already signed in and if necessary, sign out. |
|
5 |
With the application's login page displayed, click the browser's Favorites icon and click Inspect Login Form. The Cloud Access Manager Login Form Inspection Tool is now displayed in the bottom-right corner of the browser window. |
|
6 |
Use the tool to obtain the field IDs for the login form. For example, click in the Username field, for example, Domain\user name, then click in the Password field, then finally, click the Submit button, for example, Sign in.  |
|
7 |
Review the detected form IDs and click Save to save the form IDs and return to the Cloud Access Manager Configuration wizard. |
|
8 |
After using the Login Form Inspection Tool to identify the username and password fields, proxy-less form fill does not use the submit button, and action URL, you are presented with the Form Fill Method configuration page, which is where you choose whether or not to proxy the application with Cloud Access Manager. |
|
9 |
The next page contains the form fill details (the Username Field ID/Name and Password Field ID/Name) and the Login Form Action URL (the login form’s action URL) configuration detected by the Login Form Inspection Tool. |
|
12 |
Choose whether or not to Use primary credentials to log into this application. If selected, this feature will use Active Directory domain credentials rather than a different username or password unique to the application. For example, the same credentials that the user used to authenticate to Cloud Access Manager. For applications that require different credentials make sure this option is left clear. |
|
NOTE: The Add application to application portal home and Allow user to remove application from application portal home options allow you to specify whether the application should appear automatically on each user's portal page, and how the user can manage the application from the application portal. The options are shown in Table 3. |
Table 3. Application portal options
|
|
|
|
|
|
|
|
|
|
|
To access the application catalog from the application portal, the user simply clicks their username, then selects Application Catalog. Depending on the settings in the Add application to application portal home and Allow user to remove application from application portal home options, the user can add or remove applications to/from the application portal.
|
2 |
Open the Cloud Access Manager Portal using the desktop shortcut Cloud Access Manager Application Portal. |
|
3 |
Log in to the Cloud Access Manager Portal and click the application. When a user first accesses an application configured for proxy-less form fill they are presented with a pop-up to enter their login credentials. Cloud Access Manager will then pass the credentials to the application's target URL and store them in the user's Password Wallet for future access. |
|
5 |
From the application, click Sign Out and close Internet Explorer. |
|
7 |
Click the application and you are signed in automatically. |