Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Enterprise Single Sign-On 8.0.6 - Quest ESSO Console Administrator Guide

Table of Contents

1.1 Quest ESSO Concepts 1.2 Quest ESSO Controllers

1.2.1 Quest ESSO Services 1.2.2 Domain Controller Selection

1.3 A Multi-Domain Architecture 1.4 General Ergonomic Design

1.4.1 Home Window 1.4.2 Directory Panel Overview

2 Authenticating to Quest ESSO Console and Managing Protection Modes

2.1 Starting/Stopping Quest ESSO Console

2.1.1 Starting Quest ESSO Console

2.1.1.1 Starting Quest ESSO Console in Hardware Protection Mode 2.1.1.2 Starting Quest ESSO Console in Software Protection Mode

2.1.2 Stopping Quest ESSO Console

2.2 Managing Protection Modes

2.2.1 Displaying the Current Protection Mode 2.2.2 Migrating from Software Mode to Hardware Mode 2.2.3 Managing Administrators whose Administration Keys are Protected by Software Encryption

3 Searching the Directory Tree

3.1 Searching for Directory Objects 3.2 Deleting Search Requests

4 Managing Administrators

4.1 Administration Modes - Presentation

4.1.1 The Classic Administration Mode 4.1.2 The Advanced Administration Mode 4.1.3 Administration Role Inheritance

4.2 Delegating Administration Roles 4.3 Managing Administration Profiles

4.3.1 Creating/Editing an Administration Profile 4.3.2 Deleting an Administration Profile

4.4 Transferring an Administration Role 4.5 Deleting an Administration Role 4.6 Displaying your Administration Role 4.7 Modifying the Parent Administrator 4.8 Adding/Removing Primary Administrators

5 Managing Security Profiles

5.1 Managing Time Slices

5.1.1 Creating/Modifying Time Slices 5.1.2 Configuring Time Slices 5.1.3 Displaying Timeslice Object Event Logs 5.1.4 Renaming Timeslice Objects 5.1.5 Deleting Timeslice Objects

5.2 Managing Password Format Control Policies

5.2.1 Creating/Modifying Password Format Control Policies 5.2.2 Configuring Password Format Control Policy 5.2.3 Displaying Password Format Control Policy Event Logs 5.2.4 Renaming Password Format Control Policies 5.2.5 Deleting Password Format Control Policies

5.3 Managing User Security Profiles

5.3.1 Creating/Modifying User Security Profiles 5.3.2 Configuring User Security Profiles

5.3.2.1 Authentication Tab 5.3.2.2 Security Tab 5.3.2.3 Unlocking Tab (Fast User Switching Feature) 5.3.2.4 Self Service Password Request Tab 5.3.2.5 Biometrics Tab 5.3.2.6 Session Delegation Tab 5.3.2.7 Audit Tab 5.3.2.8 OTP Tab

5.3.3 Displaying User Security Profile Event Logs 5.3.4 Renaming User Security Profiles 5.3.5 Deleting User Security Profiles

5.4 Managing Access Point Security Profiles

5.4.1 Creating/Modifying Access Point Security Profiles 5.4.2 Configuring Access Point Security Profiles

5.4.2.1 Security Services Tab 5.4.2.2 Advanced Login Tab 5.4.2.3 QESSO SSOWatch Tab 5.4.2.4 Multi-User Desktop Tab 5.4.2.5 Biometrics Tab 5.4.2.6 Self Service Password Request Tab 5.4.2.7 Active RFID Tab 5.4.2.8 Audit Tab

5.4.3 Displaying Access Point Security Profile Event Logs 5.4.4 Renaming Access Point Security Profiles 5.4.5 Deleting Access Point Security Profiles

5.5 Managing Application Security Profiles

5.5.1 Managing Password Generation Policies

5.5.1.1 Creating/Modifying Password Generation Policies 5.5.1.2 Configuring the Password Generation Policy 5.5.1.3 Displaying Password Generation Policy Event Logs 5.5.1.4 Renaming Password Generation Policies 5.5.1.5 Deleting Password Generation Policies

5.5.2 Creating/Modifying Application Security Profiles 5.5.3 Configuring Application Security Profiles

5.5.3.1 General Tab 5.5.3.2 Account Tab 5.5.3.3 Authentication Method Tab 5.5.3.4 Delegation Tab 5.5.3.5 IP Address Constraints Tab

5.5.4 Displaying Application Security Profile Event Logs 5.5.5 Renaming Application Security Profiles 5.5.6 Deleting Application Security Profiles

5.6 Defining Security Profiles Default Values 5.7 Managing User and Access Point Security Profiles Priorities

6 Managing Directory Objects

6.1 Managing Applications

6.1.1 Creating an Application

6.1.1.1 Creating an Application without Using a Template 6.1.1.2 Creating an Application Using Templates

6.1.2 Defining the General Properties of an Application 6.1.3 Creating the Account Properties of an Application

6.1.3.1 Defining Account Base Parameters 6.1.3.2 Defining Account Properties

6.1.4 Defining the Single Sign-On Properties of an Application 6.1.5 Defining External Names 6.1.6 Assigning Users to an Application 6.1.7 Sharing the Administration of an Application 6.1.8 Generating/Importing Accounts for an Application 6.1.9 Assigning Access Points to an Application 6.1.10 Displaying Accounts Associated with the Application 6.1.11 Displaying Application Event Logs 6.1.12 Displaying/Modifying Application Information 6.1.13 Renaming Applications 6.1.14 Deleting Applications

6.2 Managing Users

6.2.1 Displaying User General Information 6.2.2 Defining User Connection Parameters

6.2.2.1 Suspending or Limiting Temporarily a User Access 6.2.2.2 Displaying User Authentication Information and Administering Roaming Sessions 6.2.2.3 Predefine a New User's Primary Password 6.2.2.4 Managing User SSPR 6.2.2.5 Defining an Audit Identifier 6.2.2.6 Creating a Welcome Message

6.2.3 Assigning a User Security Profile to a User 6.2.4 Declaring a User as an Administrator 6.2.5 Assigning/Forbidding Access Points to a User 6.2.6 Managing User Accounts 6.2.7 Sending SSO Account Passwords to Users 6.2.8 Defining Additional Security Policy Parameters for Groups of Users 6.2.9 Managing User Smart Cards 6.2.11 Displaying and Deleting User Biometric Data 6.2.12 Assigning Applications to a User 6.2.13 Displaying Delegated Sessions 6.2.14 Managing User RFID Tokens 6.2.15 Displaying User Event Logs 6.2.16 Deleting SSO Data of Disabled User Accounts 6.2.17 Adding or Removing a User from a Group

6.3 Managing Access Points

6.3.1 Displaying Access Point General Information 6.3.2 Defining Access Point Configuration Parameters

6.3.2.1 Assigning an Access Point Security Profile to an Access Point 6.3.2.2 Managing the Quest ESSO Controller Services

6.3.3 Assigning/Forbidding Users to Access Points 6.3.4 Assigning/Forbidding Applications to Access Points 6.3.5 Adding or Removing an Access Point from a Group 6.3.6 Displaying Access Point Event Logs

6.4 Managing Representative Objects

6.4.1 Managing Inbound Representative Objects

6.4.1.1 Creating/Modifying an Inbound Representative Object 6.4.1.2 Defining the Set of Users to Represent 6.4.1.3 Assigning a User Security Profile to the Inbound Representative Object 6.4.1.4 Selecting the Access Points Available to the Representative

6.4.2 Managing Outbound Representative Objects

6.4.2.1 Creating/Modifying an Outbound Object 6.4.2.2 Defining the Set of Access Points to Represent 6.4.2.3 Selecting the Applications Available to the Representative

6.4.3 Displaying Representative Event Logs 6.4.4 Renaming Representative Objects 6.4.5 Deleting Representative Objects

6.5 Managing Clusters of Access Points

6.5.1 Creating and Configuring a Cluster of Access Points 6.5.2 Managing Users' Permissions on a Cluster

6.5.2.1 Authorizing Users to Access Workstations of the Cluster 6.5.2.2 Displaying the Cluster Composition Made by Authorized Users

6.5.3 Displaying Cluster Event Logs 6.5.4 Renaming Clusters 6.5.5 Deleting Clusters

6.6 Selecting a Domain Controller

7 Importing/Exporting Security Profiles and Directory Objects

7.1 Exporting Objects From Quest ESSO Console 7.2 Importing Objects in Quest ESSO Console

8 Managing Smart Cards

8.1 Assigning Smart Cards to Users

8.1.1 Assigning Smart Cards to Many Users 8.1.2 Assigning a Smart Card to a User 8.1.3 Assigning a new Smart Card Allowing a User to Log on a Workstation which is Disconnected from the Directory

8.2 Formatting Smart Cards 8.3 Forcing a new PIN 8.4 Disabling Temporarily Smart Cards

8.4.1 Disabling Temporarily Smart Cards from the Smart Card Panel 8.4.2 Disabling Smart Cards of a User from the Directory Panel

8.5 Unlocking Smart Cards

8.5.1 Unlocking Smart Cards from the Smart Card Panel 8.5.2 Unlocking Smart Cards from the Directory Panel 8.5.3 Defining Contact Information

8.6 Sending Smart Cards to a Blacklist

8.6.1 Sending Smart Cards to a Blacklist from the Smart Card Panel 8.6.2 Sending Smart Cards to a Blacklist from the Directory Panel

8.7 Extending the Validity of a Smart Card 8.8 Allowing Users to Renew their Smart Card Certificates 8.9 Displaying Smart Card Properties 8.10 Displaying the List of Supported Smart Cards 8.11 Managing Smart Card Configuration Profiles

8.11.1 Creating / Modifying Configuration Profiles 8.11.2 Renaming Configuration Profiles 8.11.3 Deleting Configuration Profiles

8.12 Managing Loan Cards

8.12.1 Assigning a Loan Card to a User 8.12.2 Returning a Loan Card

8.12.2.1 Returning a Loan Card from the Directory Panel 8.12.2.2 Returning a Loan Card from the Smart Card Panel

8.13 Managing Smart Cards' Authentication Parameters 8.14 Managing Batches of Smart Cards

8.14.1 Defining a Stock of Tokens 8.14.2 Displaying Information on a Stock 8.14.3 Forcing the Use of Smart Cards Defined in the Batch

9 Managing SA Server Devices

9.1 Configuring Quest ESSO for SA Server Management

9.1.1 Configuring SA Server Connection 9.1.2 Configuring the SA Server Device Management

9.2 Managing SA Server Devices

9.2.1 Assigning an SA Server Device to a User 9.2.2 Formatting an SA Server Device 9.2.3 Blacklisting an SA Server Device 9.2.4 Managing the Link Between User and SA Server Device

10 Managing RFID Tokens

10.1 Assigning an RFID Token 10.2 Locking and Unlocking an RFID Token

10.2.1 Locking and Unlocking an RFID Token from the Directory Panel 10.2.2 Locking and Unlocking an RFID Token from the RFID Panel

10.3 Blacklisting and Deleting an RFID Token

10.3.1 Blacklisting and Deleting an RFID Token From the Directory Panel 10.3.2 Blacklisting and Deleting an RFID Token From the RFID Panel

10.4 Modifying the Detection Areas and the Grace Period 10.5 Exporting a List of RFID Tokens

11 Managing Biometric Enrolment

11.1 Defining the Biometric Enrolment Policy

11.1.1 Defining the User Biometric Profile 11.1.2 Adjusting the Biometrics Enrolment Tool Behavior

11.2 Defining the Biometric Workstation Parameters 11.3 Managing the User Enrolment 11.4 Displaying and Exporting the Biometric Enrolment Report

13 Enabling the Public Key Authentication Method

13.1 Configuring User and Access Point Security Profiles to Support the PKA Authentication Method 13.2 Activating the PKA Authentication Method and Defining the Set of Authorized Certification Authorities

13.2.1 Activating the PKA Authentication Method 13.2.2 Configuring the Set of Authorized Certification Authorities

13.2.2.1 Importing Certification Authorities from PEM or DER Encoded Files 13.2.2.2 Importing Certification Authorities from Windows System Storage 13.2.2.3 Deleting a Certification Authority

13.3 Configuring the Automatic Update of the Revocation Information

13.3.1 Importing a CRL Point of Distribution 13.3.2 Importing an OCSP Responder 13.3.3 Deleting a CRL Point of Distribution or an OCSP Responder

14 Managing the Emergency Plan 15 Managing Audit Events

15.1 Displaying Audit Events 15.2 Defining an Audit Population 15.3 Managing and Applying Audit Filters

15.3.1 Creating an Audit Filter 15.3.2 Saving an Audit Filter 15.3.3 Loading an Audit Filter 15.3.4 Applying an Audit Filter

15.3.4.1 Applying an Audit Filter to Audit Records 15.3.4.2 Assigning an Audit Filter to Specific Objects

15.4 Interpreting Audit Events

15.4.1 The Audit Main Window 15.4.2 The "Event Details" Window 15.4.3 Detailed Information on Administration Audit Events

15.5 Exporting Audit Events 15.6 Archiving Audit Records 15.7 Retrieving User ID from Audit ID 15.8 Retrieving Event Codes

16 Managing Reports

16.1 Generating Reports

16.1.1 Generating Application Account Reports 16.1.2 Generating User Account Reports 16.1.3 Generating Administrators Report 16.1.4 Generating Analysis and Statistics Reports

16.2 Exporting the Generated Report

17 Customizing Configuration Files

17.1 Importing a List of Supported Authentication Tokens 17.2 Adding User Attribute Information

18 Creating Scripts

18.1 Using the Script Editor 18.2 Script Commands

18.2.1 CREATE_ROLE 18.2.2 CREATE_ACCESS 18.2.3 CREATE_ACCOUNT

18.3 Importing Script Files

Appendix A: Regular Expressions - Basic Syntax Appendix B: Listing Audit Events and Error Codes

B.1 Listing Audit Events B.2 Listing Error Codes

Appendix C: Correspondence Between Profile and Administration Rights

6.2 Managing Users

This section describes the operations specific to user management. They are specific to the user object and related to his/her primary authentication.

If your directory infrastructure is composed of several LDAP domains, the operations related to users are saved only in the domain where they are done.

Before Starting

Before reading the following sub-sections, check that the following steps are carried out:

1.	Your LDAP directory perimeter contains all the users that you will manage using Quest ESSO Console.

2.	Organizational Units, groups and users are sorted according to the organizations in which they are to be placed.

All these tasks must be carried out with the appropriate LDAP tools, as for example Microsoft Users and Computers for Active Directory.

6.2.1 Displaying User General Information

You can display user general information. This data is retrieved from the LDAP directory.

1.	In the tree structure of the Directory panel, select the wanted user.

2.	Click the Information tab.

The tab appears.

•	User area: if you have defined specific data to add in this tab, you can click the Other button to display it. For more details, see Section 17.2, "Adding User Attribute Information".

•	Member of area: for details on how to add or remove the user from a group, see 6.2.17 Adding or Removing a User from a Group.

6.2.2 Defining User Connection Parameters

This section describes how to set the user's authentication parameters to your created applications.

Before Starting

To perform the tasks described in this section, you must have the following administration role:

•	In classic administration mode: "Security object administrator".

•	In advanced administration mode, your role must contain the following right: "User: Modification".

For more details on administration roles, see Section 4., "Managing Administrators").

6.2.2.1 Suspending or Limiting Temporarily a User Access

You can suspend a user access. When the user is suspended, he/she is informed of this during the authentication phase.

1.	In the tree structure of the Directory panel, select the wanted user.

2.	In the Connection tab, click the General tab:

3.	From this panel, you can lock/unlock the user and set an Acceptance date and an Expiry date to limit temporarily the user access.

4.	Click Apply to validate your modifications.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2021 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy