
Enterprise Single Sign-On 8.0.6 - Quest ESSO Console Administrator Guide

1 Overview
2 Authenticating to Quest ESSO Console and Managing Protection Modes
3 Searching the Directory Tree
4 Managing Administrators
5 Managing Security Profiles
5.1 Managing Time Slices
5.2 Managing Password Format Control Policies
5.3 Managing User Security Profiles
5.4 Managing Access Point Security Profiles
5.5 Managing Application Security Profiles
5.6 Defining Security Profiles Default Values
5.7 Managing User and Access Point Security Profiles Priorities
6 Managing Directory Objects
6.1 Managing Applications
6.2 Managing Users
6.3 Managing Access Points
6.4 Managing Representative Objects
6.5 Managing Clusters of Access Points
6.6 Selecting a Domain Controller
7 Importing/Exporting Security Profiles and Directory Objects
8 Managing Smart Cards
8.1 Assigning Smart Cards to Users
8.2 Formatting Smart Cards
8.3 Forcing a new PIN
8.4 Disabling Temporarily Smart Cards
8.5 Unlocking Smart Cards
8.6 Sending Smart Cards to a Blacklist
8.7 Extending the Validity of a Smart Card
8.8 Allowing Users to Renew their Smart Card Certificates
8.9 Displaying Smart Card Properties
8.10 Displaying the List of Supported Smart Cards
8.11 Managing Smart Card Configuration Profiles
8.12 Managing Loan Cards
8.13 Managing Smart Cards' Authentication Parameters
8.14 Managing Batches of Smart Cards
9 Managing SA Server Devices
10 Managing RFID Tokens
11 Managing Biometric Enrolment
13 Enabling the Public Key Authentication Method
14 Managing the Emergency Plan
15 Managing Audit Events
16 Managing Reports
17 Customizing Configuration Files
18 Creating Scripts
Appendix A: Regular Expressions - Basic Syntax
Appendix B: Listing Audit Events and Error Codes
Appendix C: Correspondence Between Profile and Administration Rights

5.4.1 Creating/Modifying Access Point Security Profiles

To create an access point security profile:
1. In the tree structure of the Directory panel, right-click the Organizational Unit that must contain your access point security profile and select New\Access Point Security Profile.

To modify an access point security profile:
1. In the tree structure of the Directory panel, select the access point security profile to modify.

5.4.2 Configuring Access Point Security Profiles

a) Click the button to display and, if necessary, modify the selected Time Slice configuration, as described in 5.1.1 Creating/Modifying Time Slices.
b) To configure Advanced Login parameters, see 5.4.2.2 Advanced Login Tab.
c) To configure the SSOWatch module of Quest ESSO, Enterprise SSO Studio and Quest ESSO Console parameters, see 5.4.2.3 QESSO SSOWatch Tab.
d) To configure Multi-User Desktop parameters, see 5.4.2.4 Multi-User Desktop Tab.
e) To configure Biometrics parameters, see 5.4.2.5 Biometrics Tab.
f) To configure Self Service Password Request parameters, see 5.4.2.6 Self Service Password Request Tab.
g) To configure Active RFID parameters, see 5.4.2.7 Active RFID Tab.
h) To configure Audit parameters, see 5.4.2.8 Audit Tab.

5.4.2.1 Security Services Tab

Activate cache and Cache properties button
IMPORTANT: In this mode, outdated cache data is synchronized after the user has authenticated (asynchronously). The updated cache data is used at the user's next authentication.
Frequency at which the Quest ESSO Controller checks that the connection to the LDAP directory works.
1. Select the Use Cache option available in the User security profile and set the cache data validity (see 5.3.2.1 Authentication Tab).
The Cache properties window lets you configure the synchronization parameters of the user data (User data area), for example the user's secondary accounts, and of the data related to the applications associated with the access point (Application data (primary domain) and Application data (External domain) areas), for example the technical references, application profiles and PFCPs.
The Application data (External domains) area is functional only with Active Directory, because it applies only to inter-domain and multi-domain infrastructures.
The Synchronize data every <xdays> between <hour1> and <hour2> option sets the update frequency of the cache data in days, within a specified time slot. The data synchronization is started at a random time within that slot. This avoids a systematic data synchronization every time the user authenticates in connected mode on his/her workstation: the network and the directory are not overloaded during the critical hours (9 a.m., for example), and the authentication takes less time.
You can set only the day value and enter null (zero) values for hour1 and hour2. In this case, the data synchronization is started at a random time within the day.
Automatic refresh on expiration: select Performance cache validity period <hour> and select the Refresh automatically on expiration check box. In this mode, when the validity period has expired, the application data is automatically synchronized with the directory and the validity period is reset.
Refresh at the next connected-mode authentication: select Performance cache validity period <hour> and clear the Refresh automatically on expiration check box. In this mode, when the validity period has expired, the user must authenticate in connected mode on his/her workstation to synchronize the application data and reset the validity period.
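The following PowerShell model is an added illustration, not code from Quest ESSO or this guide. It shows how the Synchronize data every <xdays> between <hour1> and <hour2> option spreads synchronizations over the slot (and over the whole day when hour1 and hour2 are null), and how the two Performance cache validity period modes above decide what happens when the validity period has expired. The function names, the Jitter parameter, the treatment of a slot that crosses midnight, and the sample dates are assumptions made for the example.

```powershell
# Added illustration, not Quest ESSO code: a model of the
# "Synchronize data every <xdays> between <hour1> and <hour2>" setting.
# The next synchronization is placed at a random point inside the slot, so a
# fleet of workstations does not hit the directory at the same moment.
function Get-NextCacheSyncTime {
    param(
        [Parameter(Mandatory)][datetime]$LastSync,  # last successful synchronization
        [Parameter(Mandatory)][int]$EveryDays,      # <xdays>
        [int]$Hour1 = 0,                            # <hour1>, 0-23; 0/0 means "any time of day"
        [int]$Hour2 = 0,                            # <hour2>, 0-24
        # Random position inside the slot, 0 <= Jitter < 1. Injectable so a result is reproducible.
        [double]$Jitter = (Get-Random -Minimum 0.0 -Maximum 1.0)
    )
    if ($EveryDays -lt 1) { throw 'EveryDays must be at least 1' }
    if ($Hour1 -lt 0 -or $Hour1 -gt 23 -or $Hour2 -lt 0 -or $Hour2 -gt 24) {
        throw 'Hour1 must be 0-23 and Hour2 0-24'
    }

    $day = $LastSync.Date.AddDays($EveryDays)
    if ($Hour1 -eq 0 -and $Hour2 -eq 0) {
        # Null hours: the guide says the synchronization starts at a random time within the day.
        $slotStart  = $day
        $slotLength = [timespan]::FromHours(24)
    }
    elseif ($Hour2 -gt $Hour1) {
        $slotStart  = $day.AddHours($Hour1)
        $slotLength = [timespan]::FromHours($Hour2 - $Hour1)
    }
    else {
        # Assumption (the guide does not say): a slot such as 22-2 wraps past midnight,
        # and an empty slot such as 10-10 is treated as a full day starting at Hour1.
        $slotStart  = $day.AddHours($Hour1)
        $slotLength = [timespan]::FromHours(24 - $Hour1 + $Hour2)
    }
    return $slotStart.AddTicks([long]($slotLength.Ticks * $Jitter))
}

# Model of "Performance cache validity period <hour>" with and without the
# "Refresh automatically on expiration" check box (the two modes described above).
function Get-ApplicationCacheAction {
    param(
        [Parameter(Mandatory)][datetime]$LastRefresh,
        [Parameter(Mandatory)][datetime]$Now,
        [Parameter(Mandatory)][int]$ValidityHours,
        [switch]$RefreshAutomatically,   # the check box is selected
        [switch]$ConnectedMode           # the user is authenticating with the directory reachable
    )
    if ($Now -lt $LastRefresh.AddHours($ValidityHours)) { return 'UseCache' }
    if ($RefreshAutomatically) { return 'RefreshAutomaticallyAndResetValidity' }
    if ($ConnectedMode)        { return 'RefreshAtThisConnectedAuthentication' }
    return 'KeepStaleCacheUntilConnectedAuthentication'
}

# Constructed demo: five workstations that synchronized at the same time, configured
# to resynchronize every 7 days between 11:00 and 15:00. Their next synchronization
# times differ, so they do not all query the directory at once.
$last = [datetime]'2024-03-04T09:00:00'
1..5 | ForEach-Object {
    '{0}: {1:yyyy-MM-dd HH:mm}' -f "ws$_", (Get-NextCacheSyncTime -LastSync $last -EveryDays 7 -Hour1 11 -Hour2 15)
}
# The same workstation, validity of 8 hours expired, check box cleared, user offline:
Get-ApplicationCacheAction -LastRefresh $last -Now $last.AddHours(9) -ValidityHours 8
```

Passing a fixed Jitter (for example -Jitter 0.5) makes Get-NextCacheSyncTime deterministic, which is useful when checking what a given slot configuration produces before rolling it out to a profile.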

5.4.2.2 Advanced Login Tab

For more details about the Advanced Login application, see Advanced Login for Windows User Guide.
To modify the logo displayed on screen, save a WGLock.bmp file corresponding to the wanted logo in the Quest ESSO Client installation folder (the default folder is Programs\Quest Software\Enterprise SSO).
Time elapsed before Advanced Login applies the action defined in the Default action when token removed drop-down list.
Select this check box to allow the SSOWatch module of Quest ESSO to reuse the last selected Role when the workstations associated with this security profile restart.
When the architecture is not based on an Active Directory environment, Advanced Login allows authentication against the security directory and, if permitted, locally.
When a user authorized to access roaming sessions (see 5.3.2.2 Security Tab) authenticates on the computer, a roaming session is automatically created for the user.
For more information on FUS, see Session Management Administrator Guide.
For details, see Manage Accounts Window, below.
By default, the Manage Accounts window is empty. This means that Advanced Login is always used to open Windows sessions.
1. Click Add to select a Group containing user accounts to include in or exclude from the Access Points associated with this Profile.
2. Click Change meaning to set the Group state (included or excluded).
3. Click Change scope to set specific Access Points (and not all the Access Points associated with this Profile), according to their operating system type. The scope of the included/excluded accounts can be:
All the Access Points.
4. To exclude local administrators, select Perform operating system authentication for local administrators.
5. To exclude accounts that are not able to perform a Quest ESSO authentication, select Perform operating system authentication when QESSO authentication fails.
You can complete the list of groups set in the Manage Accounts window by creating the following registry value: IncludedGroupList (String). This value defines the groups of users allowed to open their Windows session using Advanced Login:
When the security services start, if the IncludedGroupList registry value is set, the group names are resolved to SIDs and GUIDs and the result is stored under the IncludedGroupSIDList and IncludedGroupGUIDList registry values. These registry values are a cache; the cache is refreshed if:
Quest ESSO must be configured for Active Directory.
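As an added check, not part of Quest ESSO or this guide, the PowerShell function below reads IncludedGroupList together with the cached IncludedGroupSIDList and IncludedGroupGUIDList values and re-resolves each group name to its current SID and objectGUID, so you can see whether the cache still matches the directory (for example after a group has been renamed or re-created, which changes its SID and GUID while the name stays the same). The registry key path, the separator between list entries, and the use of the ActiveDirectory module (Get-ADGroup) for the GUID lookup are assumptions; the guide does not state them on this page.

```powershell
# Added check, not Quest ESSO code: compare the group names in IncludedGroupList
# with the SIDs/GUIDs cached in IncludedGroupSIDList and IncludedGroupGUIDList.
# Assumptions: the key path is passed in (the guide does not show it here) and
# list entries are separated by ';'. Run on a domain-joined host with the
# ActiveDirectory module available for the GUID lookup.
function Test-IncludedGroupCache {
    param(
        [Parameter(Mandatory)][string]$KeyPath,   # registry key holding the three values (assumed)
        [string]$Separator = ';'                  # assumed list separator
    )
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction Stop

    # Split a String (or multi-string) value into trimmed, non-empty entries.
    function Split-List([object]$Value) {
        @($Value) | ForEach-Object { "$_" -split [regex]::Escape($Separator) } |
            ForEach-Object { $_.Trim() } | Where-Object { $_ }
    }
    $names       = @(Split-List $props.IncludedGroupList)
    $cachedSids  = @(Split-List $props.IncludedGroupSIDList)
    $cachedGuids = @(Split-List $props.IncludedGroupGUIDList)

    foreach ($name in $names) {
        # Current SID, resolved the way Windows resolves a "DOMAIN\Group" name.
        $sid = $null
        try {
            $sid = ([System.Security.Principal.NTAccount]$name).Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value
        } catch { }

        # Current objectGUID, looked up by SID so a renamed group is still found.
        $guid = $null
        if ($sid) {
            try { $guid = (Get-ADGroup -Identity $sid -ErrorAction Stop).ObjectGUID.ToString() } catch { }
        }

        [pscustomobject]@{
            Group       = $name
            Resolved    = [bool]$sid
            CurrentSid  = $sid
            SidCached   = [bool]($sid  -and ($cachedSids  -contains $sid))
            CurrentGuid = $guid
            GuidCached  = [bool]($guid -and ($cachedGuids -contains $guid))
        }
    }
}

# Usage (key path is site-specific):
# Test-IncludedGroupCache -KeyPath 'HKLM:\SOFTWARE\...' | Format-Table -AutoSize
```

A row with Resolved set to False means the name in IncludedGroupList no longer resolves from this host; a row with SidCached or GuidCached set to False means the cached identifiers are stale and Advanced Login will keep honouring the old SID/GUID until the security services refresh the cache.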