
Enterprise Single Sign-On 8.0.6 - Quest ESSO Console Administrator Guide


6.3.3 Assigning/Forbidding Users to Access Points

This section describes how to authorize a user to log on to an access point, from the access point object. This access is checked by Advanced Login or by the GINA of the workstation client. A user who is not authorized and who attempts to log on to a workstation receives the following message: "You are not authorized to log in on this access point".
If you are working in "no-access-point-management" mode, it is not possible to configure user access to individual access points or to objects representing sets of access points (groups, organizations and so on). The User Access tab is not displayed.
A user is authorized to connect to an access point of his/her domain only if his/her user security profile indicates Allow on all Access Points (see Section 5.3.2.1, "Authentication Tab").
1. In the tree structure of the Directory panel, select the wanted access point.
2. Click the Authorized Users tab. The Authorized Users tab appears.
3. If the Allow on all Access Points parameter of the user security profile associated with this user is selected (for details see Section 5.3.2.1, "Authentication Tab"), you can leave this tab blank to authorize all the access points of the directory domain for the selected users. If you want to define authorized/forbidden users, do the following:
Allow/Forbid: if you have added a group of users and you want to forbid one or more users of this group, use the Allow and Forbid buttons.
Modules: to prevent users from accessing some of the software modules installed on the access point (Advanced Login, Quest ESSO Console, the SSOWatch module of Quest ESSO or Enterprise SSO Studio), use the Modules button.
The Quest ESSO Controller uses the following algorithm to assign or forbid access points to users:
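The algorithm itself is not given on this page. As an added illustration, not Quest's code, the following Python model applies the rules this section describes (a blank Authorized Users tab combined with Allow on all Access Points, a group Allow with an individual Forbid, and a per-module restriction) to a constructed directory. The precedence of Forbid over Allow and the shape of the module check are assumptions, not documented controller behaviour.

```python
from dataclasses import dataclass, field

DENIED = "You are not authorized to log in on this access point"

@dataclass
class User:
    name: str
    groups: frozenset = frozenset()
    allow_on_all_access_points: bool = False   # flag from the user security profile

@dataclass
class AccessPoint:
    name: str
    allowed: set = field(default_factory=set)          # principals added on the Authorized Users tab
    forbidden: set = field(default_factory=set)        # principals marked with the Forbid button
    module_blocks: dict = field(default_factory=dict)  # principal -> modules denied via Modules button

def check_access(user, ap, module="Advanced Login"):
    """Return (authorized, message). Assumed precedence, not stated by the guide: an explicit
    Forbid on the user or on any of the user's groups beats any Allow; otherwise the user needs
    a direct or group Allow, or a blank tab plus Allow on all Access Points in the profile."""
    principals = {user.name} | set(user.groups)
    if principals & ap.forbidden:
        return False, DENIED
    if not ap.allowed and not ap.forbidden:  # Authorized Users tab left blank
        authorized = user.allow_on_all_access_points
    else:
        authorized = bool(principals & ap.allowed)
    if not authorized:
        return False, DENIED
    # A module blocked for the user or for any of the user's groups is unavailable.
    blocked = set().union(*(ap.module_blocks.get(p, set()) for p in principals))
    if module in blocked:
        return False, f"{module} is not available to {user.name} on {ap.name}"
    return True, "OK"

def demo():
    """Constructed sample: HelpDesk is allowed on WS1, member bob is forbidden, the group
    is blocked from the console module, and WS2 has a blank Authorized Users tab."""
    alice = User("alice", frozenset({"HelpDesk"}))
    bob = User("bob", frozenset({"HelpDesk"}))
    carol = User("carol", allow_on_all_access_points=True)
    ws1 = AccessPoint("WS1", allowed={"HelpDesk"}, forbidden={"bob"},
                      module_blocks={"HelpDesk": {"Quest ESSO Console"}})
    ws2 = AccessPoint("WS2")
    return {"alice@WS1": check_access(alice, ws1),
            "alice@WS1/console": check_access(alice, ws1, "Quest ESSO Console"),
            "bob@WS1": check_access(bob, ws1),
            "carol@WS2": check_access(carol, ws2),
            "alice@WS2": check_access(alice, ws2)}
```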

6.3.4 Assigning/Forbidding Applications to Access Points

The Quest ESSO Controller uses the following algorithm to assign or forbid applications to access points:
1. In the tree structure of the Directory panel, select the wanted access point.
2. Click the Available Applications tab.
3. Use the Add and Remove buttons to select the applications that you want to be accessible from the selected access point.
Allow/Forbid: if you have added a group of applications and you want to forbid one or more applications of this group, use the Allow and Forbid buttons.
Propagation method: if you want to configure a particular application, and if that application uses the SSO propagation method, you must indicate a technical reference. By default, the technical reference specified on the application is used, as described in Section 6.1.4, "Defining the Single Sign-On Properties of an Application".

6.3.5 Adding or Removing an Access Point from a Group

Quest ESSO Console allows you to add or remove users and Access Points from groups directly through the GUI, without using a third-party group management console.
From the Access Point object:
1. In the tree structure of the Directory panel, select the wanted Access Point. The Information tab appears.
2. Use the Add and Remove buttons to add or remove the Access Point to/from groups.
From the group object:
1. In the tree structure of the Directory panel, select the wanted group. The Information tab appears.
2. Use the Add computer and Remove buttons to add or remove Access Points to/from the selected group.

6.3.6 Displaying Access Point Event Logs

The Events tab allows you to display all the events that are directly or indirectly linked to the selected object, for a defined period (the last two days by default). This report contains both user action and administration log entries. If the selected object is a group of access points, an organization or a directory, the default events displayed are only related to the group, organization or directory, and the events related to its members are not available.
The Audit population area of the Events tab allows you to explicitly mark the group, organization or directory for audit, so that audit events on objects that are members of the group, directory or organization can be displayed.
The Events tab appears only if you have at least the following administration role:
1. In the tree structure of the Directory panel, select the wanted access point.
2. Click the Events tab. The Events tab appears.
3. If you have selected a group of access points, an organization or a directory, you can set it as an audit population in the Audit Population area, as explained in Section 15.2, "Defining an Audit Population".
4. In the Filter area, define a period of time to filter the log entries and click Apply (for more information on event logs, see Section 15, "Managing Audit Events").