Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Enterprise Single Sign-On 8.0.6 - Quest ESSO Console Administrator Guide

Table of Contents

1.1 Quest ESSO Concepts 1.2 Quest ESSO Controllers

1.2.1 Quest ESSO Services 1.2.2 Domain Controller Selection

1.3 A Multi-Domain Architecture 1.4 General Ergonomic Design

1.4.1 Home Window 1.4.2 Directory Panel Overview

2 Authenticating to Quest ESSO Console and Managing Protection Modes

2.1 Starting/Stopping Quest ESSO Console

2.1.1 Starting Quest ESSO Console

2.1.1.1 Starting Quest ESSO Console in Hardware Protection Mode 2.1.1.2 Starting Quest ESSO Console in Software Protection Mode

2.1.2 Stopping Quest ESSO Console

2.2 Managing Protection Modes

2.2.1 Displaying the Current Protection Mode 2.2.2 Migrating from Software Mode to Hardware Mode 2.2.3 Managing Administrators whose Administration Keys are Protected by Software Encryption

3 Searching the Directory Tree

3.1 Searching for Directory Objects 3.2 Deleting Search Requests

4 Managing Administrators

4.1 Administration Modes - Presentation

4.1.1 The Classic Administration Mode 4.1.2 The Advanced Administration Mode 4.1.3 Administration Role Inheritance

4.2 Delegating Administration Roles 4.3 Managing Administration Profiles

4.3.1 Creating/Editing an Administration Profile 4.3.2 Deleting an Administration Profile

4.4 Transferring an Administration Role 4.5 Deleting an Administration Role 4.6 Displaying your Administration Role 4.7 Modifying the Parent Administrator 4.8 Adding/Removing Primary Administrators

5 Managing Security Profiles

5.1 Managing Time Slices

5.1.1 Creating/Modifying Time Slices 5.1.2 Configuring Time Slices 5.1.3 Displaying Timeslice Object Event Logs 5.1.4 Renaming Timeslice Objects 5.1.5 Deleting Timeslice Objects

5.2 Managing Password Format Control Policies

5.2.1 Creating/Modifying Password Format Control Policies 5.2.2 Configuring Password Format Control Policy 5.2.3 Displaying Password Format Control Policy Event Logs 5.2.4 Renaming Password Format Control Policies 5.2.5 Deleting Password Format Control Policies

5.3 Managing User Security Profiles

5.3.1 Creating/Modifying User Security Profiles 5.3.2 Configuring User Security Profiles

5.3.2.1 Authentication Tab 5.3.2.2 Security Tab 5.3.2.3 Unlocking Tab (Fast User Switching Feature) 5.3.2.4 Self Service Password Request Tab 5.3.2.5 Biometrics Tab 5.3.2.6 Session Delegation Tab 5.3.2.7 Audit Tab 5.3.2.8 OTP Tab

5.3.3 Displaying User Security Profile Event Logs 5.3.4 Renaming User Security Profiles 5.3.5 Deleting User Security Profiles

5.4 Managing Access Point Security Profiles

5.4.1 Creating/Modifying Access Point Security Profiles 5.4.2 Configuring Access Point Security Profiles

5.4.2.1 Security Services Tab 5.4.2.2 Advanced Login Tab 5.4.2.3 QESSO SSOWatch Tab 5.4.2.4 Multi-User Desktop Tab 5.4.2.5 Biometrics Tab 5.4.2.6 Self Service Password Request Tab 5.4.2.7 Active RFID Tab 5.4.2.8 Audit Tab

5.4.3 Displaying Access Point Security Profile Event Logs 5.4.4 Renaming Access Point Security Profiles 5.4.5 Deleting Access Point Security Profiles

5.5 Managing Application Security Profiles

5.5.1 Managing Password Generation Policies

5.5.1.1 Creating/Modifying Password Generation Policies 5.5.1.2 Configuring the Password Generation Policy 5.5.1.3 Displaying Password Generation Policy Event Logs 5.5.1.4 Renaming Password Generation Policies 5.5.1.5 Deleting Password Generation Policies

5.5.2 Creating/Modifying Application Security Profiles 5.5.3 Configuring Application Security Profiles

5.5.3.1 General Tab 5.5.3.2 Account Tab 5.5.3.3 Authentication Method Tab 5.5.3.4 Delegation Tab 5.5.3.5 IP Address Constraints Tab

5.5.4 Displaying Application Security Profile Event Logs 5.5.5 Renaming Application Security Profiles 5.5.6 Deleting Application Security Profiles

5.6 Defining Security Profiles Default Values 5.7 Managing User and Access Point Security Profiles Priorities

6 Managing Directory Objects

6.1 Managing Applications

6.1.1 Creating an Application

6.1.1.1 Creating an Application without Using a Template 6.1.1.2 Creating an Application Using Templates

6.1.2 Defining the General Properties of an Application 6.1.3 Creating the Account Properties of an Application

6.1.3.1 Defining Account Base Parameters 6.1.3.2 Defining Account Properties

6.1.4 Defining the Single Sign-On Properties of an Application 6.1.5 Defining External Names 6.1.6 Assigning Users to an Application 6.1.7 Sharing the Administration of an Application 6.1.8 Generating/Importing Accounts for an Application 6.1.9 Assigning Access Points to an Application 6.1.10 Displaying Accounts Associated with the Application 6.1.11 Displaying Application Event Logs 6.1.12 Displaying/Modifying Application Information 6.1.13 Renaming Applications 6.1.14 Deleting Applications

6.2 Managing Users

6.2.1 Displaying User General Information 6.2.2 Defining User Connection Parameters

6.2.2.1 Suspending or Limiting Temporarily a User Access 6.2.2.2 Displaying User Authentication Information and Administering Roaming Sessions 6.2.2.3 Predefine a New User's Primary Password 6.2.2.4 Managing User SSPR 6.2.2.5 Defining an Audit Identifier 6.2.2.6 Creating a Welcome Message

6.2.3 Assigning a User Security Profile to a User 6.2.4 Declaring a User as an Administrator 6.2.5 Assigning/Forbidding Access Points to a User 6.2.6 Managing User Accounts 6.2.7 Sending SSO Account Passwords to Users 6.2.8 Defining Additional Security Policy Parameters for Groups of Users 6.2.9 Managing User Smart Cards 6.2.11 Displaying and Deleting User Biometric Data 6.2.12 Assigning Applications to a User 6.2.13 Displaying Delegated Sessions 6.2.14 Managing User RFID Tokens 6.2.15 Displaying User Event Logs 6.2.16 Deleting SSO Data of Disabled User Accounts 6.2.17 Adding or Removing a User from a Group

6.3 Managing Access Points

6.3.1 Displaying Access Point General Information 6.3.2 Defining Access Point Configuration Parameters

6.3.2.1 Assigning an Access Point Security Profile to an Access Point 6.3.2.2 Managing the Quest ESSO Controller Services

6.3.3 Assigning/Forbidding Users to Access Points 6.3.4 Assigning/Forbidding Applications to Access Points 6.3.5 Adding or Removing an Access Point from a Group 6.3.6 Displaying Access Point Event Logs

6.4 Managing Representative Objects

6.4.1 Managing Inbound Representative Objects

6.4.1.1 Creating/Modifying an Inbound Representative Object 6.4.1.2 Defining the Set of Users to Represent 6.4.1.3 Assigning a User Security Profile to the Inbound Representative Object 6.4.1.4 Selecting the Access Points Available to the Representative

6.4.2 Managing Outbound Representative Objects

6.4.2.1 Creating/Modifying an Outbound Object 6.4.2.2 Defining the Set of Access Points to Represent 6.4.2.3 Selecting the Applications Available to the Representative

6.4.3 Displaying Representative Event Logs 6.4.4 Renaming Representative Objects 6.4.5 Deleting Representative Objects

6.5 Managing Clusters of Access Points

6.5.1 Creating and Configuring a Cluster of Access Points 6.5.2 Managing Users' Permissions on a Cluster

6.5.2.1 Authorizing Users to Access Workstations of the Cluster 6.5.2.2 Displaying the Cluster Composition Made by Authorized Users

6.5.3 Displaying Cluster Event Logs 6.5.4 Renaming Clusters 6.5.5 Deleting Clusters

6.6 Selecting a Domain Controller

7 Importing/Exporting Security Profiles and Directory Objects

7.1 Exporting Objects From Quest ESSO Console 7.2 Importing Objects in Quest ESSO Console

8 Managing Smart Cards

8.1 Assigning Smart Cards to Users

8.1.1 Assigning Smart Cards to Many Users 8.1.2 Assigning a Smart Card to a User 8.1.3 Assigning a new Smart Card Allowing a User to Log on a Workstation which is Disconnected from the Directory

8.2 Formatting Smart Cards 8.3 Forcing a new PIN 8.4 Disabling Temporarily Smart Cards

8.4.1 Disabling Temporarily Smart Cards from the Smart Card Panel 8.4.2 Disabling Smart Cards of a User from the Directory Panel

8.5 Unlocking Smart Cards

8.5.1 Unlocking Smart Cards from the Smart Card Panel 8.5.2 Unlocking Smart Cards from the Directory Panel 8.5.3 Defining Contact Information

8.6 Sending Smart Cards to a Blacklist

8.6.1 Sending Smart Cards to a Blacklist from the Smart Card Panel 8.6.2 Sending Smart Cards to a Blacklist from the Directory Panel

8.7 Extending the Validity of a Smart Card 8.8 Allowing Users to Renew their Smart Card Certificates 8.9 Displaying Smart Card Properties 8.10 Displaying the List of Supported Smart Cards 8.11 Managing Smart Card Configuration Profiles

8.11.1 Creating / Modifying Configuration Profiles 8.11.2 Renaming Configuration Profiles 8.11.3 Deleting Configuration Profiles

8.12 Managing Loan Cards

8.12.1 Assigning a Loan Card to a User 8.12.2 Returning a Loan Card

8.12.2.1 Returning a Loan Card from the Directory Panel 8.12.2.2 Returning a Loan Card from the Smart Card Panel

8.13 Managing Smart Cards' Authentication Parameters 8.14 Managing Batches of Smart Cards

8.14.1 Defining a Stock of Tokens 8.14.2 Displaying Information on a Stock 8.14.3 Forcing the Use of Smart Cards Defined in the Batch

9 Managing SA Server Devices

9.1 Configuring Quest ESSO for SA Server Management

9.1.1 Configuring SA Server Connection 9.1.2 Configuring the SA Server Device Management

9.2 Managing SA Server Devices

9.2.1 Assigning an SA Server Device to a User 9.2.2 Formatting an SA Server Device 9.2.3 Blacklisting an SA Server Device 9.2.4 Managing the Link Between User and SA Server Device

10 Managing RFID Tokens

10.1 Assigning an RFID Token 10.2 Locking and Unlocking an RFID Token

10.2.1 Locking and Unlocking an RFID Token from the Directory Panel 10.2.2 Locking and Unlocking an RFID Token from the RFID Panel

10.3 Blacklisting and Deleting an RFID Token

10.3.1 Blacklisting and Deleting an RFID Token From the Directory Panel 10.3.2 Blacklisting and Deleting an RFID Token From the RFID Panel

10.4 Modifying the Detection Areas and the Grace Period 10.5 Exporting a List of RFID Tokens

11 Managing Biometric Enrolment

11.1 Defining the Biometric Enrolment Policy

11.1.1 Defining the User Biometric Profile 11.1.2 Adjusting the Biometrics Enrolment Tool Behavior

11.2 Defining the Biometric Workstation Parameters 11.3 Managing the User Enrolment 11.4 Displaying and Exporting the Biometric Enrolment Report

13 Enabling the Public Key Authentication Method

13.1 Configuring User and Access Point Security Profiles to Support the PKA Authentication Method 13.2 Activating the PKA Authentication Method and Defining the Set of Authorized Certification Authorities

13.2.1 Activating the PKA Authentication Method 13.2.2 Configuring the Set of Authorized Certification Authorities

13.2.2.1 Importing Certification Authorities from PEM or DER Encoded Files 13.2.2.2 Importing Certification Authorities from Windows System Storage 13.2.2.3 Deleting a Certification Authority

13.3 Configuring the Automatic Update of the Revocation Information

13.3.1 Importing a CRL Point of Distribution 13.3.2 Importing an OCSP Responder 13.3.3 Deleting a CRL Point of Distribution or an OCSP Responder

14 Managing the Emergency Plan 15 Managing Audit Events

15.1 Displaying Audit Events 15.2 Defining an Audit Population 15.3 Managing and Applying Audit Filters

15.3.1 Creating an Audit Filter 15.3.2 Saving an Audit Filter 15.3.3 Loading an Audit Filter 15.3.4 Applying an Audit Filter

15.3.4.1 Applying an Audit Filter to Audit Records 15.3.4.2 Assigning an Audit Filter to Specific Objects

15.4 Interpreting Audit Events

15.4.1 The Audit Main Window 15.4.2 The "Event Details" Window 15.4.3 Detailed Information on Administration Audit Events

15.5 Exporting Audit Events 15.6 Archiving Audit Records 15.7 Retrieving User ID from Audit ID 15.8 Retrieving Event Codes

16 Managing Reports

16.1 Generating Reports

16.1.1 Generating Application Account Reports 16.1.2 Generating User Account Reports 16.1.3 Generating Administrators Report 16.1.4 Generating Analysis and Statistics Reports

16.2 Exporting the Generated Report

17 Customizing Configuration Files

17.1 Importing a List of Supported Authentication Tokens 17.2 Adding User Attribute Information

18 Creating Scripts

18.1 Using the Script Editor 18.2 Script Commands

18.2.1 CREATE_ROLE 18.2.2 CREATE_ACCESS 18.2.3 CREATE_ACCOUNT

18.3 Importing Script Files

Appendix A: Regular Expressions - Basic Syntax Appendix B: Listing Audit Events and Error Codes

B.1 Listing Audit Events B.2 Listing Error Codes

Appendix C: Correspondence Between Profile and Administration Rights

5.4.5 Deleting Access Point Security Profiles

If you delete an access point security profile used by access points, these access points will use the default access point security profile.

Before Starting

To perform the task described in this section, you must have at least the following administration role:

•	In classic administration mode: "Security object administrator".

•	In advanced administration mode, your role must contain the following right: "Access point security profile: Deletion".

•	In the Directory panel, right-click the access point security profile to delete and select Delete.

The access point security profile is deleted from the directory tree structure.

5.5 Managing Application Security Profiles

Managing application security profiles consists in creating, modifying and deleting application security profiles.

As Password Generation Policies (PGP) are only used to define application security profiles, they are also described in this section.

Object Definition

Application security profiles are security objects that define a set of rights and properties that are applied generically for one or more applications.

Application security profiles apply to applications.

5.5.1 Managing Password Generation Policies

This section describes how to create, modify and delete Password Generation Policies (PGP).

Object Definition

The Password Generation Policies define the way an application must generate for a password.

PGP are required to define application security profiles.

5.5.1.1 Creating/Modifying Password Generation Policies

Before Starting

To perform the task described in this section, you must have at least the following administration role:

•	In classic administration mode: "Security object administrator".

•	In advanced administration mode, your role must contain the following right: "Password generation policy: Creation/Modification".

Creating Password Generation Policies

1.	In the tree structure of the Directory panel, right-click the Organizational Unit that must contain your PGP and select New\Password Generation Policy.

The PGP configuration tab appears.

2.	Fill in this window as described in 5.5.1.2 Configuring the Password Generation Policy and click Apply.

The PGP appears in the directory tree structure.

Modifying Password Generation Policies

If you modify a PGP already used by target objects, your modifications apply on all the target objects associated with this security object.

1.	In the tree structure of the Directory panel, select the PGP to modify.

The PGP configuration tab appears.

2.	Fill in this window as described in 5.5.1.2 Configuring the Password Generation Policy and click Apply.

The PGP is modified.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2021 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy