
Enterprise Single Sign-On 8.0.6 - Quest ESSO Console Administrator Guide


11.3 Managing the User Enrolment

11.4 Displaying and Exporting the Biometric Enrolment Report

The Biometrics panel allows you to display and export the list of users who have enrolled biometric patterns, as explained in the following procedure.
In the Biometrics panel, click the View button.
To export the list to a .csv file, click the Export button and fill in the Save As window.

13 Enabling the Public Key Authentication Method

Quest ESSO provides smart card authentication. This authentication method is used to store the user’s directory credentials necessary to access the user’s SSO data. In addition, Quest ESSO supports Microsoft smart card logon authentication, but that authentication method is limited to Microsoft-compliant Public Key Infrastructures.
Public Key Authentication (PKA) is another authentication method supported by Quest ESSO that can be used to grant SSO to users. The goal of Quest ESSO PKA is to provide user authentication and SSO based on X.509 certificates: authentication and access to SSO are granted only if the user’s certificate is valid and if the user can prove ownership of that certificate. Quest ESSO PKA supports certificates held on smart cards, the most widespread way of deploying certificates.
Once the PKA authentication method is enabled, the Quest ESSO PKA authentication process is as follows:
If the smart card is PKA compliant, the Quest ESSO client reads the certificate and retrieves the user’s name using the attribute mapping rules (which relate the contents of the certificate on one side to the user’s attributes in the LDAP directory on the other).
Once the user has been identified, the Quest ESSO client prompts the user for his/her smart card PIN.
Certificate enrollment: if this is the first time the user logs on to his/her workstation using the PKA authentication method, the Quest ESSO Controller automatically creates in the Quest ESSO directory an object that contains the user’s LDAP credentials (login name and password). To create this LDAP object, the Quest ESSO Controller does the following:
If the certificate is valid, Quest ESSO prompts the user for his/her LDAP credentials (login name and password).
If these credentials grant access to the LDAP directory, Quest ESSO encrypts them using the public key from the user’s certificate.
Quest ESSO then creates an LDAP object in which the user’s encrypted LDAP credentials are stored. Access to this LDAP object is restricted to that user; moreover, the user must authenticate using that certificate to gain access to his/her LDAP credentials.
The decrypted LDAP credentials are then used to retrieve the user’s Quest ESSO data from the LDAP directory.
The Quest ESSO PKA authentication process relies on a public key certificate to identify the incoming user. It is therefore necessary to ensure that any public key certificate used to authenticate a user is valid and properly trusted. This requires external PKI material: the public key certificate of each Certification Authority, and access either to an Online Certificate Status Protocol (OCSP) responder or to a set of Certificate Revocation Lists (CRLs). During certificate enrollment, the user’s public key certificate is validated as follows:
The revocation engine is included in the Quest ESSO Controller. Its job is to keep the revocation status of every public key certificate used for Quest ESSO PKA accurate. For each CRL distribution point or OCSP responder defined, the revocation engine:
Whenever a user’s public key certificate is revoked, its status is updated in the Quest ESSO directory and the user’s smart card is automatically blacklisted.
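The two checks the enrollment and revocation passages describe, written as an added example with Go's standard library; it is not Quest ESSO code, and makeCert, IssueCRL, Validate and the in-memory CA it builds are all assumptions standing in for the enterprise PKI. The user certificate must chain to the trusted CA, and the CRL consulted must itself carry that CA's signature before a serial number found in it is treated as revoked (the condition under which the text says the card is blacklisted).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// makeCert is a constructed PKI stand-in: a self-signed CA when parent is nil, else a user cert signed by parent.
func makeCert(cn string, serial int64, parent *x509.Certificate, pkey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // the CA signs both certificates and CRLs
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// IssueCRL signs a CRL with the CA key; revoked lists the withdrawn certificates (constructed data).
func IssueCRL(ca *x509.Certificate, caKey *rsa.PrivateKey, revoked []pkix.RevokedCertificate) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour), RevokedCertificates: revoked}
	der, _ := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	crl, _ := x509.ParseRevocationList(der)
	return crl
}

// Validate runs the enrollment checks: chain to the trusted CA, CRL signed by that CA, serial not revoked.
func Validate(user, ca *x509.Certificate, crl *x509.RevocationList) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := user.Verify(x509.VerifyOptions{Roots: roots})
	if err == nil { // never act on a CRL whose signature the trusted CA did not produce
		err = crl.CheckSignatureFrom(ca)
	}
	for _, r := range crl.RevokedCertificates {
		if err == nil && r.SerialNumber.Cmp(user.SerialNumber) == 0 {
			err = errors.New("certificate revoked: the smart card must be blacklisted")
		}
	}
	return err
}
```

The PIN prompt, the attribute mapping and the LDAP object holding the encrypted credentials are outside this block; only the certificate validation and revocation decision is shown.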

13.1 Configuring User and Access Point Security Profiles to Support the PKA Authentication Method

The Password authentication method must also be selected.