
Enterprise Single Sign-On 8.0.6 - Quest ESSO Console Administrator Guide


5.3.2.5 Biometrics Tab

Approval not required: enrolment of the user's biometric data does not require anybody's authentication.
A Quest ESSO administrator: enrolment of the user's biometric data requires the authentication of an administrator who has at least the following administration right: "Bio: Is enable to allow biometrics pattern enrolment" (advanced administration mode only).
Another Quest ESSO user: enrolment of the user's biometric data requires the authentication of another user of the directory.
Policy area
User must enrol between x and x finger(s): the number of fingers you want the user to enrol.
Allow user to abort the enrolment process: when this check box is selected, the user is allowed to cancel the enrolment process by closing the enrolment window.
Remember Passwords: when this check box is:

5.3.2.6 Session Delegation Tab

The Session delegation tab is dedicated to users in or outside a cluster (for more details on clusters, see Section 6.5, "Managing Clusters of Access Points"): if for any reason a user has to leave his/her cluster, you can authorize him/her to delegate his/her Windows session to one or more delegate(s) to monitor or intervene in any of his/her ongoing operations.
For more details on the conditions under which a user can delegate a session, see Administrator Guide for Cluster Mode of Advanced Login.
Temporary: when a user delegates his/her session, the session is delegated until he/she re-authenticates.
Permanent: when a user delegates his/her session, the session is delegated until he/she ends the delegation authorization through the Manage Session Delegation menu in Advanced Login.
This check-box allows you to define whether users must re-authenticate when they want to access the Cluster wizard (from which they can delegate their session) or the Set temporary session delegation shortcut command. See Administrator Guide for Cluster Mode of Advanced Login for more details on how users can access these tools. For Session delegation outside a cluster, this check box must be selected.
Check box selected: when the user launches one of the delegation tools, an authentication window appears on his/her workstation.
Check box cleared: the user does not need to authenticate again on his/her workstation when he/she launches one of the delegation tools.
This check box is only available if the Temporary session delegation type is selected.
Check box selected: a user who wants to delegate his/her session needs the approval of the delegate.
Check box cleared: a user can delegate his/her session to another user without collecting his/her approval. An information window appears on the delegate’s workstation to inform him/her that a delegation has been set.
Authorize delegation to all users check box
For Session delegation outside a cluster, this check box must be selected.
Check box selected: users are authorized to delegate their Windows session to all users of the directory.
Check box cleared: users are not authorized to delegate their Windows session to all users of the directory.
Check box selected: users are only authorized to delegate their Windows session to members of the same group of users.
Check box cleared: users are not authorized to delegate their Windows session to members of the same group of users.
Check box selected: users are only authorized to delegate their Windows session to members of the same organizational unit.
Check box cleared: users are not authorized to delegate their Windows session to members of the same organizational unit.
Check box selected: users are only authorized to delegate their Windows session to the users listed in the "Advanced Mode area" (see below).
Add button: opens the user selection window, which allows you to add users to the list. Use the Browse tab to browse the directory tree structure, or use the Search tab to find the user by typing his/her name.
Remove button: removes the selected user/group/organizational unit from the list.
Check box cleared: no specific list of authorized users is defined.
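As an added illustration (not the product's own code), the following Python models the delegation rules this tab describes: the mutually exclusive scope check boxes, the two settings that must be selected for delegation outside a cluster, and the delegate-approval check box that only applies to the Temporary type. All class and field names, and the matching of group and OU entries of the Advanced Mode list by membership, are assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class Scope(Enum):
    ALL_USERS = "all users"
    SAME_GROUP = "same group"
    SAME_OU = "same organizational unit"
    LISTED = "listed users"
    NONE = "none"

@dataclass
class DelegationProfile:
    delegation_type: str             # "temporary" or "permanent"
    reauth_required: bool            # re-authenticate before using the delegation tools
    delegate_approval: bool          # delegate must approve (temporary type only)
    scope: Scope
    authorized: frozenset = frozenset()  # DNs of users/groups/OUs in the Advanced Mode list

@dataclass
class User:
    dn: str
    groups: frozenset
    ou: str
    in_cluster: bool = True

def delegation_allowed(profile, delegator, delegate):
    """Return (allowed, reason) for delegator handing his/her Windows session to delegate."""
    if delegator.dn == delegate.dn:
        return False, "a user cannot delegate a session to himself/herself"
    # Outside a cluster the guide requires both re-authentication and the 'all users' scope.
    if not delegator.in_cluster and not (profile.reauth_required and profile.scope is Scope.ALL_USERS):
        return False, "outside a cluster: re-authentication and 'all users' scope must be selected"
    if profile.scope is Scope.ALL_USERS:
        ok = True
    elif profile.scope is Scope.SAME_GROUP:
        ok = bool(delegator.groups & delegate.groups)
    elif profile.scope is Scope.SAME_OU:
        ok = delegator.ou == delegate.ou
    elif profile.scope is Scope.LISTED:
        # Assumption: group and OU entries in the list are matched by membership.
        ok = (delegate.dn in profile.authorized or delegate.ou in profile.authorized
              or bool(delegate.groups & profile.authorized))
    else:
        ok = False
    return ok, f"scope '{profile.scope.value}': {'allowed' if ok else 'refused'}"

def delegate_approval_needed(profile):
    """The delegate-approval check box only applies to the Temporary delegation type."""
    return profile.delegation_type == "temporary" and profile.delegate_approval
```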

5.3.2.7 Audit Tab

The Audit tab allows you to assign an audit filter to a user security profile.

5.3.2.8 OTP Tab

The OTP tab allows you to configure the OTP authentication method. This authentication method is only available with RSA: make sure the RSA authentication server is installed and that the RSA Authentication agent is installed on each access point on which you want to use OTP in offline mode (see Quest ESSO Installation Guide for more details).
Online mode: a Quest ESSO Controller must be available when the user authenticates by OTP on his/her workstation. The Quest ESSO Controller verifies the OTP and returns the user's password to the workstation so that the session can open. The user's primary password is stored in the directory.
Offline mode: if the workstation can connect to the Quest ESSO Controller, the controller verifies the OTP as in online mode and the user's password stored in the directory is used to open the session. If the workstation cannot connect to the Quest ESSO Controller, the OTP is verified locally and the user's password stored in the cache is used to open the session.