Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Enterprise Single Sign-On 8.0.6 - Quest ESSO Console Administrator Guide

Table of Contents

1.1 Quest ESSO Concepts 1.2 Quest ESSO Controllers

1.2.1 Quest ESSO Services 1.2.2 Domain Controller Selection

1.3 A Multi-Domain Architecture 1.4 General Ergonomic Design

1.4.1 Home Window 1.4.2 Directory Panel Overview

2 Authenticating to Quest ESSO Console and Managing Protection Modes

2.1 Starting/Stopping Quest ESSO Console

2.1.1 Starting Quest ESSO Console

2.1.1.1 Starting Quest ESSO Console in Hardware Protection Mode 2.1.1.2 Starting Quest ESSO Console in Software Protection Mode

2.1.2 Stopping Quest ESSO Console

2.2 Managing Protection Modes

2.2.1 Displaying the Current Protection Mode 2.2.2 Migrating from Software Mode to Hardware Mode 2.2.3 Managing Administrators whose Administration Keys are Protected by Software Encryption

3 Searching the Directory Tree

3.1 Searching for Directory Objects 3.2 Deleting Search Requests

4 Managing Administrators

4.1 Administration Modes - Presentation

4.1.1 The Classic Administration Mode 4.1.2 The Advanced Administration Mode 4.1.3 Administration Role Inheritance

4.2 Delegating Administration Roles 4.3 Managing Administration Profiles

4.3.1 Creating/Editing an Administration Profile 4.3.2 Deleting an Administration Profile

4.4 Transferring an Administration Role 4.5 Deleting an Administration Role 4.6 Displaying your Administration Role 4.7 Modifying the Parent Administrator 4.8 Adding/Removing Primary Administrators

5 Managing Security Profiles

5.1 Managing Time Slices

5.1.1 Creating/Modifying Time Slices 5.1.2 Configuring Time Slices 5.1.3 Displaying Timeslice Object Event Logs 5.1.4 Renaming Timeslice Objects 5.1.5 Deleting Timeslice Objects

5.2 Managing Password Format Control Policies

5.2.1 Creating/Modifying Password Format Control Policies 5.2.2 Configuring Password Format Control Policy 5.2.3 Displaying Password Format Control Policy Event Logs 5.2.4 Renaming Password Format Control Policies 5.2.5 Deleting Password Format Control Policies

5.3 Managing User Security Profiles

5.3.1 Creating/Modifying User Security Profiles 5.3.2 Configuring User Security Profiles

5.3.2.1 Authentication Tab 5.3.2.2 Security Tab 5.3.2.3 Unlocking Tab (Fast User Switching Feature) 5.3.2.4 Self Service Password Request Tab 5.3.2.5 Biometrics Tab 5.3.2.6 Session Delegation Tab 5.3.2.7 Audit Tab 5.3.2.8 OTP Tab

5.3.3 Displaying User Security Profile Event Logs 5.3.4 Renaming User Security Profiles 5.3.5 Deleting User Security Profiles

5.4 Managing Access Point Security Profiles

5.4.1 Creating/Modifying Access Point Security Profiles 5.4.2 Configuring Access Point Security Profiles

5.4.2.1 Security Services Tab 5.4.2.2 Advanced Login Tab 5.4.2.3 QESSO SSOWatch Tab 5.4.2.4 Multi-User Desktop Tab 5.4.2.5 Biometrics Tab 5.4.2.6 Self Service Password Request Tab 5.4.2.7 Active RFID Tab 5.4.2.8 Audit Tab

5.4.3 Displaying Access Point Security Profile Event Logs 5.4.4 Renaming Access Point Security Profiles 5.4.5 Deleting Access Point Security Profiles

5.5 Managing Application Security Profiles

5.5.1 Managing Password Generation Policies

5.5.1.1 Creating/Modifying Password Generation Policies 5.5.1.2 Configuring the Password Generation Policy 5.5.1.3 Displaying Password Generation Policy Event Logs 5.5.1.4 Renaming Password Generation Policies 5.5.1.5 Deleting Password Generation Policies

5.5.2 Creating/Modifying Application Security Profiles 5.5.3 Configuring Application Security Profiles

5.5.3.1 General Tab 5.5.3.2 Account Tab 5.5.3.3 Authentication Method Tab 5.5.3.4 Delegation Tab 5.5.3.5 IP Address Constraints Tab

5.5.4 Displaying Application Security Profile Event Logs 5.5.5 Renaming Application Security Profiles 5.5.6 Deleting Application Security Profiles

5.6 Defining Security Profiles Default Values 5.7 Managing User and Access Point Security Profiles Priorities

6 Managing Directory Objects

6.1 Managing Applications

6.1.1 Creating an Application

6.1.1.1 Creating an Application without Using a Template 6.1.1.2 Creating an Application Using Templates

6.1.2 Defining the General Properties of an Application 6.1.3 Creating the Account Properties of an Application

6.1.3.1 Defining Account Base Parameters 6.1.3.2 Defining Account Properties

6.1.4 Defining the Single Sign-On Properties of an Application 6.1.5 Defining External Names 6.1.6 Assigning Users to an Application 6.1.7 Sharing the Administration of an Application 6.1.8 Generating/Importing Accounts for an Application 6.1.9 Assigning Access Points to an Application 6.1.10 Displaying Accounts Associated with the Application 6.1.11 Displaying Application Event Logs 6.1.12 Displaying/Modifying Application Information 6.1.13 Renaming Applications 6.1.14 Deleting Applications

6.2 Managing Users

6.2.1 Displaying User General Information 6.2.2 Defining User Connection Parameters

6.2.2.1 Suspending or Limiting Temporarily a User Access 6.2.2.2 Displaying User Authentication Information and Administering Roaming Sessions 6.2.2.3 Predefine a New User's Primary Password 6.2.2.4 Managing User SSPR 6.2.2.5 Defining an Audit Identifier 6.2.2.6 Creating a Welcome Message

6.2.3 Assigning a User Security Profile to a User 6.2.4 Declaring a User as an Administrator 6.2.5 Assigning/Forbidding Access Points to a User 6.2.6 Managing User Accounts 6.2.7 Sending SSO Account Passwords to Users 6.2.8 Defining Additional Security Policy Parameters for Groups of Users 6.2.9 Managing User Smart Cards 6.2.11 Displaying and Deleting User Biometric Data 6.2.12 Assigning Applications to a User 6.2.13 Displaying Delegated Sessions 6.2.14 Managing User RFID Tokens 6.2.15 Displaying User Event Logs 6.2.16 Deleting SSO Data of Disabled User Accounts 6.2.17 Adding or Removing a User from a Group

6.3 Managing Access Points

6.3.1 Displaying Access Point General Information 6.3.2 Defining Access Point Configuration Parameters

6.3.2.1 Assigning an Access Point Security Profile to an Access Point 6.3.2.2 Managing the Quest ESSO Controller Services

6.3.3 Assigning/Forbidding Users to Access Points 6.3.4 Assigning/Forbidding Applications to Access Points 6.3.5 Adding or Removing an Access Point from a Group 6.3.6 Displaying Access Point Event Logs

6.4 Managing Representative Objects

6.4.1 Managing Inbound Representative Objects

6.4.1.1 Creating/Modifying an Inbound Representative Object 6.4.1.2 Defining the Set of Users to Represent 6.4.1.3 Assigning a User Security Profile to the Inbound Representative Object 6.4.1.4 Selecting the Access Points Available to the Representative

6.4.2 Managing Outbound Representative Objects

6.4.2.1 Creating/Modifying an Outbound Object 6.4.2.2 Defining the Set of Access Points to Represent 6.4.2.3 Selecting the Applications Available to the Representative

6.4.3 Displaying Representative Event Logs 6.4.4 Renaming Representative Objects 6.4.5 Deleting Representative Objects

6.5 Managing Clusters of Access Points

6.5.1 Creating and Configuring a Cluster of Access Points 6.5.2 Managing Users' Permissions on a Cluster

6.5.2.1 Authorizing Users to Access Workstations of the Cluster 6.5.2.2 Displaying the Cluster Composition Made by Authorized Users

6.5.3 Displaying Cluster Event Logs 6.5.4 Renaming Clusters 6.5.5 Deleting Clusters

6.6 Selecting a Domain Controller

7 Importing/Exporting Security Profiles and Directory Objects

7.1 Exporting Objects From Quest ESSO Console 7.2 Importing Objects in Quest ESSO Console

8 Managing Smart Cards

8.1 Assigning Smart Cards to Users

8.1.1 Assigning Smart Cards to Many Users 8.1.2 Assigning a Smart Card to a User 8.1.3 Assigning a new Smart Card Allowing a User to Log on a Workstation which is Disconnected from the Directory

8.2 Formatting Smart Cards 8.3 Forcing a new PIN 8.4 Disabling Temporarily Smart Cards

8.4.1 Disabling Temporarily Smart Cards from the Smart Card Panel 8.4.2 Disabling Smart Cards of a User from the Directory Panel

8.5 Unlocking Smart Cards

8.5.1 Unlocking Smart Cards from the Smart Card Panel 8.5.2 Unlocking Smart Cards from the Directory Panel 8.5.3 Defining Contact Information

8.6 Sending Smart Cards to a Blacklist

8.6.1 Sending Smart Cards to a Blacklist from the Smart Card Panel 8.6.2 Sending Smart Cards to a Blacklist from the Directory Panel

8.7 Extending the Validity of a Smart Card 8.8 Allowing Users to Renew their Smart Card Certificates 8.9 Displaying Smart Card Properties 8.10 Displaying the List of Supported Smart Cards 8.11 Managing Smart Card Configuration Profiles

8.11.1 Creating / Modifying Configuration Profiles 8.11.2 Renaming Configuration Profiles 8.11.3 Deleting Configuration Profiles

8.12 Managing Loan Cards

8.12.1 Assigning a Loan Card to a User 8.12.2 Returning a Loan Card

8.12.2.1 Returning a Loan Card from the Directory Panel 8.12.2.2 Returning a Loan Card from the Smart Card Panel

8.13 Managing Smart Cards' Authentication Parameters 8.14 Managing Batches of Smart Cards

8.14.1 Defining a Stock of Tokens 8.14.2 Displaying Information on a Stock 8.14.3 Forcing the Use of Smart Cards Defined in the Batch

9 Managing SA Server Devices

9.1 Configuring Quest ESSO for SA Server Management

9.1.1 Configuring SA Server Connection 9.1.2 Configuring the SA Server Device Management

9.2 Managing SA Server Devices

9.2.1 Assigning an SA Server Device to a User 9.2.2 Formatting an SA Server Device 9.2.3 Blacklisting an SA Server Device 9.2.4 Managing the Link Between User and SA Server Device

10 Managing RFID Tokens

10.1 Assigning an RFID Token 10.2 Locking and Unlocking an RFID Token

10.2.1 Locking and Unlocking an RFID Token from the Directory Panel 10.2.2 Locking and Unlocking an RFID Token from the RFID Panel

10.3 Blacklisting and Deleting an RFID Token

10.3.1 Blacklisting and Deleting an RFID Token From the Directory Panel 10.3.2 Blacklisting and Deleting an RFID Token From the RFID Panel

10.4 Modifying the Detection Areas and the Grace Period 10.5 Exporting a List of RFID Tokens

11 Managing Biometric Enrolment

11.1 Defining the Biometric Enrolment Policy

11.1.1 Defining the User Biometric Profile 11.1.2 Adjusting the Biometrics Enrolment Tool Behavior

11.2 Defining the Biometric Workstation Parameters 11.3 Managing the User Enrolment 11.4 Displaying and Exporting the Biometric Enrolment Report

13 Enabling the Public Key Authentication Method

13.1 Configuring User and Access Point Security Profiles to Support the PKA Authentication Method 13.2 Activating the PKA Authentication Method and Defining the Set of Authorized Certification Authorities

13.2.1 Activating the PKA Authentication Method 13.2.2 Configuring the Set of Authorized Certification Authorities

13.2.2.1 Importing Certification Authorities from PEM or DER Encoded Files 13.2.2.2 Importing Certification Authorities from Windows System Storage 13.2.2.3 Deleting a Certification Authority

13.3 Configuring the Automatic Update of the Revocation Information

13.3.1 Importing a CRL Point of Distribution 13.3.2 Importing an OCSP Responder 13.3.3 Deleting a CRL Point of Distribution or an OCSP Responder

14 Managing the Emergency Plan 15 Managing Audit Events

15.1 Displaying Audit Events 15.2 Defining an Audit Population 15.3 Managing and Applying Audit Filters

15.3.1 Creating an Audit Filter 15.3.2 Saving an Audit Filter 15.3.3 Loading an Audit Filter 15.3.4 Applying an Audit Filter

15.3.4.1 Applying an Audit Filter to Audit Records 15.3.4.2 Assigning an Audit Filter to Specific Objects

15.4 Interpreting Audit Events

15.4.1 The Audit Main Window 15.4.2 The "Event Details" Window 15.4.3 Detailed Information on Administration Audit Events

15.5 Exporting Audit Events 15.6 Archiving Audit Records 15.7 Retrieving User ID from Audit ID 15.8 Retrieving Event Codes

16 Managing Reports

16.1 Generating Reports

16.1.1 Generating Application Account Reports 16.1.2 Generating User Account Reports 16.1.3 Generating Administrators Report 16.1.4 Generating Analysis and Statistics Reports

16.2 Exporting the Generated Report

17 Customizing Configuration Files

17.1 Importing a List of Supported Authentication Tokens 17.2 Adding User Attribute Information

18 Creating Scripts

18.1 Using the Script Editor 18.2 Script Commands

18.2.1 CREATE_ROLE 18.2.2 CREATE_ACCESS 18.2.3 CREATE_ACCOUNT

18.3 Importing Script Files

Appendix A: Regular Expressions - Basic Syntax Appendix B: Listing Audit Events and Error Codes

B.1 Listing Audit Events B.2 Listing Error Codes

Appendix C: Correspondence Between Profile and Administration Rights

13.2 Activating the PKA Authentication Method and Defining the Set of Authorized Certification Authorities

To perform the task described in this section, you must have at least the following administration role:

In classic administration mode: "Security object administrator"

•	In advanced administration mode, your role must contain the following right: "PKA authority: Creation/Modification", "PKA authority: Deletion".

13.2.1 Activating the PKA Authentication Method

1.	In Quest ESSO Console File menu, click Configuration, and in the displayed window select the Public Key Authentication tab.

The Public Key Authentication tab only appears upon a successful extension of the Quest ESSO directory and a successful creation of the default objects. For more information, see Quest ESSO Installation Guide.

2.	Select the first check box: Users can authenticate using a public key Certificate. Any valid certificate (…) to authenticate users.

This check box enables all the other options of the tab.

3.	Select the second check box: Users can enroll their public key Certificate. Any valid certificate (…) may be enrolled.

It is mandatory to select this check box with this version of Quest ESSO.

4.	If you do not want that users provide their password at enrollment if the certificate is valid, select the Upon enrolment of a new certificate, reinitialize the user's password if the current password cannot be recovered.

With this option, if the user password is wrong or not known at PKA authentication:

•	If the Primary password is stored as an SSO account, encrypt by option is set in the user security profile, the option is used: see Section 5.3.2.1, "Authentication Tab" for details.

•	If the password is not recovered or incorrect, a PKA signed request is sent to the controller to reset the password in the directory. The password matches the user profile automatic PFCP.

5.	You must then configure the set of authorized certification authorities by filling in the Certification Authorities area, as described below.

13.2.2 Configuring the Set of Authorized Certification Authorities

Only public key certificates issued by explicitly identified certification authorities can be used for Quest ESSO PKA. It is therefore necessary to configure the set of authorized certification authorities.

You can import Certification Authorities using different methods, as described in the following sub-sections. You can combine these methods.

13.2.2.1 Importing Certification Authorities from PEM or DER Encoded Files

1.	In the Certification Authorities area, click the Import button, and use the displayed window to select a CA certificate from a DER-encoded (.cer or .crt) or a PEM encoded (*.pem) file.

A summary window appears.

2.	To view the detailed contents of the certificate, click Details.

3.	To confirm the activation of the Certification Authority as a permitted emitter of users’ public key certificate for Quest ESSO PKA, click the Import button

The imported Certification Authority appears.

If the imported CA certificate contains the URL of a point of distribution of certification revocation information (available in the form of a CRL or an OCSP responder), the creation of the Certification Authority in the Quest ESSO directory also creates an object corresponding to each point of distribution (this is the case in our example).

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2021 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy