1. Overview
1.1 Quest ESSO Concepts
1.2 Quest ESSO Controllers
1.3 A Multi-Domain Architecture
1.4 General Ergonomic Design
2 Authenticating to Quest ESSO Console and Managing Protection Modes
2.1 Starting/Stopping Quest ESSO Console
3 Searching the Directory Tree
4 Managing Administrators
2.1.1 Starting Quest ESSO Console
2.2 Managing Protection Modes
2.1.1.1 Starting Quest ESSO Console in Hardware Protection Mode
2.1.1.2 Starting Quest ESSO Console in Software Protection Mode
2.1.2 Stopping Quest ESSO Console
4.1 Administration Modes - Presentation
5 Managing Security Profiles
4.1.1 The Classic Administration Mode
4.1.2 The Advanced Administration Mode
4.1.3 Administration Role Inheritance
4.2 Delegating Administration Roles
4.3 Managing Administration Profiles
4.4 Transferring an Administration Role
4.5 Deleting an Administration Role
4.6 Displaying your Administration Role
4.7 Modifying the Parent Administrator
4.8 Adding/Removing Primary Administrators
5.1 Managing Time Slices
6 Managing Directory Objects
5.1.1 Creating/Modifying Time Slices
5.1.2 Configuring Time Slices
5.1.3 Displaying Timeslice Object Event Logs
5.1.4 Renaming Timeslice Objects
5.1.5 Deleting Timeslice Objects
5.2 Managing Password Format Control Policies
5.2.1 Creating/Modifying Password Format Control Policies
5.2.2 Configuring Password Format Control Policy
5.2.3 Displaying Password Format Control Policy Event Logs
5.2.4 Renaming Password Format Control Policies
5.2.5 Deleting Password Format Control Policies
5.3 Managing User Security Profiles
5.3.1 Creating/Modifying User Security Profiles
5.3.2 Configuring User Security Profiles
5.4 Managing Access Point Security Profiles
5.3.2.1 Authentication Tab
5.3.2.2 Security Tab
5.3.2.3 Unlocking Tab (Fast User Switching Feature)
5.3.2.4 Self Service Password Request Tab
5.3.2.5 Biometrics Tab
5.3.2.6 Session Delegation Tab
5.3.2.7 Audit Tab
5.3.2.8 OTP Tab
5.3.3 Displaying User Security Profile Event Logs
5.3.4 Renaming User Security Profiles
5.3.5 Deleting User Security Profiles
5.4.1 Creating/Modifying Access Point Security Profiles
5.4.2 Configuring Access Point Security Profiles
5.5 Managing Application Security Profiles
5.4.2.1 Security Services Tab
5.4.2.2 Advanced Login Tab
5.4.2.3 QESSO SSOWatch Tab
5.4.2.4 Multi-User Desktop Tab
5.4.2.5 Biometrics Tab
5.4.2.6 Self Service Password Request Tab
5.4.2.7 Active RFID Tab
5.4.2.8 Audit Tab
5.4.3 Displaying Access Point Security Profile Event Logs
5.4.4 Renaming Access Point Security Profiles
5.4.5 Deleting Access Point Security Profiles
5.5.1 Managing Password Generation Policies
5.6 Defining Security Profiles Default Values
5.7 Managing User and Access Point Security Profiles Priorities
5.5.1.1 Creating/Modifying Password Generation Policies
5.5.1.2 Configuring the Password Generation Policy
5.5.1.3 Displaying Password Generation Policy Event Logs
5.5.1.4 Renaming Password Generation Policies
5.5.1.5 Deleting Password Generation Policies
5.5.2 Creating/Modifying Application Security Profiles
5.5.3 Configuring Application Security Profiles
5.5.3.1 General Tab
5.5.3.2 Account Tab
5.5.3.3 Authentication Method Tab
5.5.3.4 Delegation Tab
5.5.3.5 IP Address Constraints Tab
5.5.4 Displaying Application Security Profile Event Logs
5.5.5 Renaming Application Security Profiles
5.5.6 Deleting Application Security Profiles
6.1 Managing Applications
7 Importing/Exporting Security Profiles and Directory Objects
8 Managing Smart Cards
6.1.1 Creating an Application
6.2 Managing Users
6.1.1.1 Creating an Application without Using a Template
6.1.1.2 Creating an Application Using Templates
6.1.2 Defining the General Properties of an Application
6.1.3 Creating the Account Properties of an Application
6.1.4 Defining the Single Sign-On Properties of an Application
6.1.5 Defining External Names
6.1.6 Assigning Users to an Application
6.1.7 Sharing the Administration of an Application
6.1.8 Generating/Importing Accounts for an Application
6.1.9 Assigning Access Points to an Application
6.1.10 Displaying Accounts Associated with the Application
6.1.11 Displaying Application Event Logs
6.1.12 Displaying/Modifying Application Information
6.1.13 Renaming Applications
6.1.14 Deleting Applications
6.2.1 Displaying User General Information
6.2.2 Defining User Connection Parameters
6.3 Managing Access Points
6.2.2.1 Suspending or Limiting Temporarily a User Access
6.2.2.2 Displaying User Authentication Information and Administering Roaming Sessions
6.2.2.3 Predefine a New User's Primary Password
6.2.2.4 Managing User SSPR
6.2.2.5 Defining an Audit Identifier
6.2.2.6 Creating a Welcome Message
6.2.3 Assigning a User Security Profile to a User
6.2.4 Declaring a User as an Administrator
6.2.5 Assigning/Forbidding Access Points to a User
6.2.6 Managing User Accounts
6.2.7 Sending SSO Account Passwords to Users
6.2.8 Defining Additional Security Policy Parameters for Groups of Users
6.2.9 Managing User Smart Cards
6.2.11 Displaying and Deleting User Biometric Data
6.2.12 Assigning Applications to a User
6.2.13 Displaying Delegated Sessions
6.2.14 Managing User RFID Tokens
6.2.15 Displaying User Event Logs
6.2.16 Deleting SSO Data of Disabled User Accounts
6.2.17 Adding or Removing a User from a Group
6.3.1 Displaying Access Point General Information
6.3.2 Defining Access Point Configuration Parameters
6.4 Managing Representative Objects
6.3.2.1 Assigning an Access Point Security Profile to an Access Point
6.3.2.2 Managing the Quest ESSO Controller Services
6.3.3 Assigning/Forbidding Users to Access Points
6.3.4 Assigning/Forbidding Applications to Access Points
6.3.5 Adding or Removing an Access Point from a Group
6.3.6 Displaying Access Point Event Logs
6.4.1 Managing Inbound Representative Objects
6.5 Managing Clusters of Access Points
6.4.1.1 Creating/Modifying an Inbound Representative Object
6.4.1.2 Defining the Set of Users to Represent
6.4.1.3 Assigning a User Security Profile to the Inbound Representative Object
6.4.1.4 Selecting the Access Points Available to the Representative
6.4.2 Managing Outbound Representative Objects
6.4.2.1 Creating/Modifying an Outbound Object
6.4.2.2 Defining the Set of Access Points to Represent
6.4.2.3 Selecting the Applications Available to the Representative
6.4.3 Displaying Representative Event Logs
6.4.4 Renaming Representative Objects
6.4.5 Deleting Representative Objects
6.5.1 Creating and Configuring a Cluster of Access Points
6.5.2 Managing Users' Permissions on a Cluster
6.6 Selecting a Domain Controller
6.5.2.1 Authorizing Users to Access Workstations of the Cluster
6.5.2.2 Displaying the Cluster Composition Made by Authorized Users
6.5.3 Displaying Cluster Event Logs
6.5.4 Renaming Clusters
6.5.5 Deleting Clusters
8.1 Assigning Smart Cards to Users
9 Managing SA Server Devices
10 Managing RFID Tokens
8.1.1 Assigning Smart Cards to Many Users
8.1.2 Assigning a Smart Card to a User
8.1.3 Assigning a new Smart Card Allowing a User to Log on a Workstation which is Disconnected from the Directory
8.2 Formatting Smart Cards
8.3 Forcing a new PIN
8.4 Disabling Temporarily Smart Cards
8.4.1 Disabling Temporarily Smart Cards from the Smart Card Panel
8.4.2 Disabling Smart Cards of a User from the Directory Panel
8.5 Unlocking Smart Cards
8.5.1 Unlocking Smart Cards from the Smart Card Panel
8.5.2 Unlocking Smart Cards from the Directory Panel
8.5.3 Defining Contact Information
8.6 Sending Smart Cards to a Blacklist
8.6.1 Sending Smart Cards to a Blacklist from the Smart Card Panel
8.6.2 Sending Smart Cards to a Blacklist from the Directory Panel
8.7 Extending the Validity of a Smart Card
8.8 Allowing Users to Renew their Smart Card Certificates
8.9 Displaying Smart Card Properties
8.10 Displaying the List of Supported Smart Cards
8.11 Managing Smart Card Configuration Profiles
8.11.1 Creating / Modifying Configuration Profiles
8.11.2 Renaming Configuration Profiles
8.11.3 Deleting Configuration Profiles
8.12 Managing Loan Cards
8.13 Managing Smart Cards' Authentication Parameters
8.14 Managing Batches of Smart Cards
10.1 Assigning an RFID Token
10.2 Locking and Unlocking an RFID Token
11 Managing Biometric Enrolment
10.2.1 Locking and Unlocking an RFID Token from the Directory Panel
10.2.2 Locking and Unlocking an RFID Token from the RFID Panel
10.3 Blacklisting and Deleting an RFID Token
10.3.1 Blacklisting and Deleting an RFID Token From the Directory Panel
10.3.2 Blacklisting and Deleting an RFID Token From the RFID Panel
10.4 Modifying the Detection Areas and the Grace Period
10.5 Exporting a List of RFID Tokens
11.1 Defining the Biometric Enrolment Policy
11.2 Defining the Biometric Workstation Parameters
11.3 Managing the User Enrolment
11.4 Displaying and Exporting the Biometric Enrolment Report
13 Enabling the Public Key Authentication Method
13.1 Configuring User and Access Point Security Profiles to Support the PKA Authentication Method
13.2 Activating the PKA Authentication Method and Defining the Set of Authorized Certification Authorities
14 Managing the Emergency Plan
15 Managing Audit Events
13.2.1 Activating the PKA Authentication Method
13.2.2 Configuring the Set of Authorized Certification Authorities
13.3 Configuring the Automatic Update of the Revocation Information
15.1 Displaying Audit Events
15.2 Defining an Audit Population
15.3 Managing and Applying Audit Filters
16 Managing Reports
15.3.1 Creating an Audit Filter
15.3.2 Saving an Audit Filter
15.3.3 Loading an Audit Filter
15.3.4 Applying an Audit Filter
15.4 Interpreting Audit Events
15.4.1 The Audit Main Window
15.4.2 The "Event Details" Window
15.4.3 Detailed Information on Administration Audit Events
15.5 Exporting Audit Events
15.6 Archiving Audit Records
15.7 Retrieving User ID from Audit ID
15.8 Retrieving Event Codes
16.1 Generating Reports
17 Customizing Configuration Files
18 Creating Scripts
Appendix A: Regular Expressions - Basic Syntax
Appendix B: Listing Audit Events and Error Codes
Appendix C: Correspondence Between Profile and Administration Rights
16.1.1 Generating Application Account Reports
16.1.2 Generating User Account Reports
16.1.3 Generating Administrators Report
16.1.4 Generating Analysis and Statistics Reports
16.2 Exporting the Generated Report
5.3.2.5 Biometrics Tab
The Biometrics tab allows you to define the biometric enrolment policy for users. Users can enroll their biometrics data from Advanced Login.
 |
|
• |
Enrolment procedure area |
|
• |
Approval not required: the user biometric data enrolment does not need anybody’s authentication. |
|
• |
A Quest ESSO administrator: the user biometric data enrolment requires the authentication of an administrator who has at least the following administration right: "Bio: Is enable to allow biometrics pattern enrolment" (advanced administration mode only). |
|
• |
Another Quest ESSO user: the user biometric data enrolment requires the authentication of another user of the directory. |
|
• |
Policy area |
|
a) |
User must enrol between x and x finger(s): number of fingers you want the user to enrol. |
|
b) |
Allow user to abort the enrolment process: when this check box is selected, the user is allowed to cancel the enrolment process by closing the enrolment window. |
|
c) |
Remember Passwords: when this check box is: |
|
|
5.3.2.6 Session Delegation Tab
The Session delegation tab is dedicated to users in or outside a cluster (for more details on clusters, see Section 6.5, "Managing Clusters of Access Points"): if for any reason a user has to leave his/her cluster, you can authorize him/her to delegate his/her Windows session to one or more delegate(s) to monitor or intervene in any of his/her ongoing operations.
|
|
You can also set delegation permissions to members of the same group of users: see Section 6.2.8, "Defining Additional Security Policy Parameters for Groups of Users".
For more details on the conditions under which a user can delegate a session, see Administrator Guide for Cluster Mode of Advanced Login.
|
• |
Temporary: when a user delegates his/her session, the session is delegated until he/she re-authenticates. |
|
• |
Permanent: when a user delegates his/her session, the session is delegated until he/she ends the delegation authorization through the Manage Session Delegation menu in Advanced Login. |
|
• |
Re-authentication is needed check box |
This check-box allows you to define whether users must re-authenticate when they want to access the Cluster wizard (from which they can delegate their session) or the Set temporary session delegation shortcut command. See Administrator Guide for Cluster Mode of Advanced Login for more details on how users can access these tools. For Session delegation outside a cluster, this check box must be selected.
|
• |
Check box selected: when the user launches one of the delegation tool, an authentication window appears on his/her workstation. |
|
• |
Check box cleared: the user does not need to authenticate again on his/her workstation when he/she launches one of the delegation tool. |
|
• |
Temporary delegation needs an approval check box |
|
• |
Check box selected: a user who wants to delegate his/her session needs the approval of the delegate. |
|
• |
Check box cleared: a user can delegate his/her session to another user without collecting his/her approval. An information window appears on the delegate’s workstation to inform him/her that a delegation has been set. |
|
• |
Authorize delegation to all users check box For Session delegation outside a cluster, this check box must be selected. |
|
• |
Check box selected: users are authorized to delegate their Windows session to all users of the directory. |
|
• |
Check box cleared: users are not authorized to delegate their Windows session to all users of the directory. |
|
• |
Check box selected: users are only authorized to delegate their Windows session to members of the same group of users. |
|
• |
Check box cleared: users are not authorized to delegate their Windows session to members of the same group of users. |
|
• |
Check box selected: users are only authorized to delegate their Windows session to members of the same organizational unit. |
|
• |
Check box cleared: users are not authorized to delegate their Windows session to members of the same organizational unit. |
Check box selected: users are only authorized to delegate their Windows session to the users listed in the "Advanced Mode area" (see below).
Advanced Mode area
|
• |
Add button: opens the user selection window, which allows you to add users to the list. Use the Browse tab to browse the directory tree structure or use the Search tab to find the user by typing its name. |
|
• |
Remove button: removes the selected user/group/organizational unit from the list. |
|
d) |
Check box cleared: no specific of authorized users is defined. |
5.3.2.7 Audit Tab
5.3.2.8 OTP Tab
The OTP tab allows you to configure the OTP authentication method. This authentication method is only available with RSA: make sure the RSA authentication server is installed and that the RSA Authentication agent is installed on each access point on which you want to use OTP in offline mode (see Quest ESSO Installation Guide for more details).
This authentication method must be activated for users in the Authentication tab (see 5.3.2.1 Authentication Tab), and for access points (see 5.4.2.1 Security Services Tab).
|
a) |
In this mode, a Quest ESSO Controller must be available when the user authenticates by OTP on his/her workstation. The Quest ESSO Controller verifies the OTP and gives back the user password to the workstation, so that the session can open.
The user’s primary password is stored in the directory.
The user’s primary password is stored in the directory.
|
• |
If the workstation can connect to the Quest ESSO Controller, the controller verifies the OTP as in the online mode and the user’s password stored in the directory is used to open the session. |
|
• |
If the workstation cannot connect to the Quest ESSO Controller, the OTP is verified locally and the user’s password stored in the cache is used to open the session. |