
Enterprise Single Sign-On 8.0.6 - Quest ESSO Console Administrator Guide


5.3.2.1 Authentication Tab

The Session authentication method works only with Active Directory.
For smart card authentication methods (for example Cryptoflex smart card, CyberFlex PKCS#11 or Rainbow iKey3000), you can assign a specific configuration using the Select Configuration button. These configurations are defined in the Smart Card panel. For more details, see Section 8.11, "Managing Smart Card Configuration Profiles".
The Biometrics Store-On-Server and Biometrics Store-On-PC methods cannot be used simultaneously: select only one of them. For more information on available biometric methods, see Section 11, "Managing Biometric Enrolment".
The RFID authentication method is configured in the RFID panel: see Section 10, "Managing RFID Tokens" for more details.
The OTP authentication method:
The default Timeslice is selected by default. Click the  button to select another existing Timeslice.
Click the  button to display and, if necessary, modify the selected time slice, as described in 5.1.1 Creating/Modifying Time Slices.
When the cache data validity has expired, the user must be in connected mode to open his/her Windows session. The cache data validity is then reset to zero.
In "no-access-point-management" mode, a user can open a Quest ESSO session on an access point of his/her domain only if the Allow on all access points field is selected.
To interconnect Quest ESSO with Web Access Manager (WAM).
If this option is selected, Quest ESSO stores the user primary password as an SSO account.
Then, SSOWatch module of Quest ESSO uses this SSO account for each application configured to use primary accounts.
In Smart Card Logon mode, if the Windows password is not yet stored as an SSO account, or if a bad password is detected by the SSOWatch module of Quest ESSO during the SSO process, the SSOWatch module of Quest ESSO requests the user to re-authenticate with his/her smart card and asks for his/her primary password.
User, administrators and external key: allows an external application to decipher the user's SSO primary account using a public key. For example, you must select this entry if you want to use Quest ESSO with WAM. By selecting this entry, you allow WAM to decipher the Quest ESSO SSO primary account of the user so that it can perform SSO with this account.
Quest ESSO must be configured in "manage-access-point" mode.
A Quest ESSO Controller must be available.
As Double-Login Prevention information is stored in the directory, the directory architecture and replication time (in case several servers are replicated) must be taken into account. The Double-Login Prevention feature can only work if the time it takes for the user to change computer is longer than the time it takes to replicate data between all directory servers.
If replication time is too long, you can configure Quest ESSO Controllers to make them use a list of directory servers according to their availability.
For more details, see Session Management Administrator Guide.

5.3.2.2 Security Tab

Note: If you also select the Change password on token every <n> days check box, the present option is disabled for users whose authentication method does not require the user to provide the primary password (smart cards, biometrics).
Note: Click the  button to display and, if necessary, modify the selected PFCP, as described in 5.2.1 Creating/Modifying Password Format Control Policies.
Change password on token every <n> days and on collect or expiration
Select this check box to enable the automatic change of the smart card or USB token password every <n> days. This operation has no effect on the user's authentication tasks (the user still uses his/her PIN to authenticate).
If the automatic password change policy detects that the password has expired while the user authenticates offline, the automatic password change is not performed; it is performed upon the user's next authentication in connected mode.
You can force the user to re-authenticate within the open session when the directory becomes available again, so that the directory password can be changed automatically. To do so, set the following registry value to 1:
"AutoPwdChangeMandatory" (DWORD), which is located in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Enatel\WiseGuard\Framework\Authentication.
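The following PowerShell is an added example, not part of the Quest ESSO guide: it creates the policy key if it is missing, writes AutoPwdChangeMandatory as a DWORD and reads it back to confirm the setting took effect. It assumes an elevated session on the workstation and the key path exactly as given above; because the key sits under HKLM\SOFTWARE\Policies, a Group Policy that manages the same path may overwrite a manual change.

```powershell
# Added example (not from the Quest ESSO guide). Assumes an elevated session.
$KeyPath   = 'HKLM:\SOFTWARE\Policies\Enatel\WiseGuard\Framework\Authentication'
$ValueName = 'AutoPwdChangeMandatory'

function Set-AutoPwdChangeMandatory {
    param([ValidateSet(0, 1)][int]$Enabled = 1)

    # Create the whole key path if any part of it is missing (-Force creates parents).
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # The guide requires a DWORD value; -Type DWord enforces that.
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Enabled -Type DWord
}

function Get-AutoPwdChangeMandatory {
    # Returns $null when the key or value does not exist (re-authentication not forced).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

Set-AutoPwdChangeMandatory -Enabled 1

# Verify: the value must read back as 1 on every workstation where the policy applies.
$current = Get-AutoPwdChangeMandatory
if ($current -ne 1) {
    throw "Expected $ValueName = 1 under $KeyPath, found '$current'"
}
Write-Output "$ValueName = $current: re-authentication is forced when the directory is reachable again"
```

The setting is per machine, so it must be deployed to every workstation concerned, typically through the same mechanism that distributes the other Quest ESSO policy values.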
on collect, that is when the password is collected upon the first use of the token.
or on expiration of the password in the directory.
Note: This option is unavailable if the Change password on token every <n> days check box is cleared.
Note: Click the  button to display and, if necessary, modify the selected PFCP, as described in 5.2.1 Creating/Modifying Password Format Control Policies.
Select this check box to allow users to ask for their password to be sent by email through the Self Service Admin Portal. The list of passwords sent to the user is controlled by the option set on the application. For more information, see Section 6.1.3.2, "Defining Account Properties".
x hours: type the duration of the roaming session. The roaming session is created as soon as the user authenticates on an authorized access point, and the session duration starts from that moment. At the end of the duration, the user will have to type a secret.
No duration limit: if you select this check box, the roaming session is created as soon as the user authenticates on an authorized access point, with no duration limit. The user will never have to type a secret again.
Defines the period of inactivity of the SSOWatch module of Quest ESSO after which its state switches to locked.
Note: The "0" value means infinite time: the SSOWatch module of Quest ESSO never locks.
Allow SSOWatch refresh
Allow SSOWatch stop
Show SSOWatch launcher in foreground
When the SSOWatch module of Quest ESSO is started, this check box defines whether the SSOWatch desktop can be opened on the application launcher.

5.3.2.3 Unlocking Tab (Fast User Switching Feature)

The Unlocking tab allows you to activate and use the Fast User Switching (FUS) feature.
For more information on the FUS feature, see Session Management Administrator Guide.
Enter a user hierarchy level (0 is the lowest level, and 50000 is the highest).
Consider the following situation: you want User 1, who is associated with User Security Profile 1, to be able to unlock or close sessions of other users associated with User Security Profile 1. To do so, you must configure the Unlocking tab as follows:
1. Use Advanced Login to log on as User 1.
3. Unlock the session with another user associated with User Security Profile 1 (User 2 for example).
The SSOWatch module of Quest ESSO is restarted with the SSO data of User 2, and the Session Information window of Advanced Login displays the following:
Quest ESSO user: User 2.

5.3.2.4 Self Service Password Request Tab

The Self Service Password Request tab allows you to activate and configure the Self Service Password Reset feature (SSPR), which allows a user who has lost his/her smart card or forgotten his/her password (or PIN code) to get new credentials on his/her own (with or without the intervention of the helpdesk), in order to authenticate on his/her workstation quickly.
For a complete description of the SSPR feature (installation, administration...), see Advanced Login Self Service Password Request Administrator Guide.
In this mode, the user cannot reset his/her PIN code.
You must set the list of the SSPR servers to be used, as detailed in 5.4.2.6 Self Service Password Request Tab.
If the user runs the SSPR feature while his/her account is locked, the account is automatically unlocked by the SSPR server upon the password reset.
Always available: the user is always able to run the SSPR feature, even if the workstation is not connected to the network or if the SSPR server is not available. You can configure this mode so that the SSPR server is used if it is available, by selecting item 10 in the SSPR Policy window (see the description of the Security Services Tab below).
If Advanced Login is installed, you are advised to use this mode. You must activate the cache. For details, see Section 5.4.2.1, "Security Services Tab".
If the directory is not available when the user resets his/her password, you can configure the use of a temporary new password, by selecting item 11 in the SSPR Policy window (see the description of the Security Services tab below). In this case, when the workstation switches to connected mode (directory available again), the user is prompted to re-authenticate and to change his/her password (which is then updated in the directory).
If the directory is available (connected mode), the password is immediately updated in the directory.
The PIN code is updated in the smart card.
Not available: the SSPR feature is disabled.
This option is only available if the Always available mode is selected.
It allows you to force the user to call the help desk to reset his/her password.
For PIN reset, the check box is ignored because the help desk call is mandatory.
Check box cleared: the user answers the Self Service Password Request (SSPR) questions (set with Advanced Login or the web portal); he/she is then automatically prompted to reset his/her password on his/her own (correct answers to the questions are sufficient to decrypt the password stored in the cache).
Check box selected: the user answers the Self Service Password Request (SSPR) questions (set with Advanced Login or the web portal), which allows him/her to obtain a challenge (unlock code). He/she is then prompted to give this challenge to the Help Desk, which will have to give him/her a challenge in exchange (see Section 6.2.2.4, "Managing User SSPR") that allows him/her to reset his/her password or PIN.
This option is only available if the Always available mode is selected.
It allows you to set the Self Service Password Request (SSPR) feature as an authentication method:
Check box selected: the SOS button (Windows XP) or the Forgotten password tile (Windows 7) located in the Advanced Login authentication window allows users to open their session without resetting their password: if they correctly answer their Self Service Password Request (SSPR) questions, the session opens.
Check box cleared: the SOS button (Windows XP) or the Forgotten password tile (Windows 7) located in the Advanced Login authentication window allows users to reset their password/PIN: if they correctly answer their Self Service Password Request (SSPR) questions, they are allowed to reset their password or PIN code.
For details, see "Question List Management Procedures", below.
The Advanced button allows you to define other security parameters, as explained in the following table:
To force the user to populate his/her questions and answers before he/she can use the SSOWatch module of Quest ESSO on his/her workstation.
This option is only available if you have selected the Always available mode.
Select this check box to set a waiting period before allowing the user to attempt to answer questions again on his/her workstation.
This option is only available if you have selected the Always available mode.
To try using the Self Service Password Request (SSPR) server before falling back to disconnected mode.
1. In the Questions area, click the Select button, and in the displayed window, click Manage questions.
a) Click the New button.
The Question Properties area is activated.
d) Set the Question text.
Click Translations.
Click Add.
f) Set the Answer constraints:
Fill in Must match regular expression to set restrictions on the string corresponding to the answer entered by the end user. For details on the syntax of regular expressions, see Appendix A, "Regular Expressions - Basic Syntax".
g) Click Apply.
The question appears in the Existing Questions area.
3. Repeat Step 2 as many times as necessary and click Close to finish.
4. Set a question number for an available question to define the list of available questions for each Question field of the Self Service Password Request wizard (available through Advanced Login):
b) Select a question in the Select a Question window and click OK.
c)
To import a set of questions, a .csv file containing the questions must first have been generated with the Export button.
If the .csv file contains more questions than the Existing Questions, the additional questions are added to the Existing Questions.
If both the .csv file and the Existing Questions contain the same questions with a few discrepancies, the Existing Questions are replaced by the questions of the .csv file.
1. In the Questions area, click the Select button, and in the displayed window, click Manage questions.
2. Click the Import button.
4. Click Open.
5. Click Close to finish.
a) In the list of questions drop-down list, select the Question number, then click the Add button.
b) Select a question in the Select a Question window and click OK.
c)