Enterprise Single Sign-On 8.0.6 - Quest ESSO Console Administrator Guide

Chat now with support

2.2.1 Displaying the Current Protection Mode 2.2.2 Migrating from Software Mode to Hardware Mode 2.2.3 Managing Administrators whose Administration Keys are Protected by Software Encryption

3 Searching the Directory Tree

3.1 Searching for Directory Objects 3.2 Deleting Search Requests

4 Managing Administrators

4.1 Administration Modes - Presentation

4.1.1 The Classic Administration Mode 4.1.2 The Advanced Administration Mode 4.1.3 Administration Role Inheritance

4.2 Delegating Administration Roles 4.3 Managing Administration Profiles

4.3.1 Creating/Editing an Administration Profile 4.3.2 Deleting an Administration Profile

4.4 Transferring an Administration Role 4.5 Deleting an Administration Role 4.6 Displaying your Administration Role 4.7 Modifying the Parent Administrator 4.8 Adding/Removing Primary Administrators

5 Managing Security Profiles

5.1 Managing Time Slices

5.1.1 Creating/Modifying Time Slices 5.1.2 Configuring Time Slices 5.1.3 Displaying Timeslice Object Event Logs 5.1.4 Renaming Timeslice Objects 5.1.5 Deleting Timeslice Objects

5.2 Managing Password Format Control Policies

5.2.1 Creating/Modifying Password Format Control Policies 5.2.2 Configuring Password Format Control Policy 5.2.3 Displaying Password Format Control Policy Event Logs 5.2.4 Renaming Password Format Control Policies 5.2.5 Deleting Password Format Control Policies

5.3 Managing User Security Profiles

5.3.1 Creating/Modifying User Security Profiles 5.3.2 Configuring User Security Profiles

5.3.2.1 Authentication Tab 5.3.2.2 Security Tab 5.3.2.3 Unlocking Tab (Fast User Switching Feature) 5.3.2.4 Self Service Password Request Tab 5.3.2.5 Biometrics Tab 5.3.2.6 Session Delegation Tab 5.3.2.7 Audit Tab 5.3.2.8 OTP Tab

5.3.3 Displaying User Security Profile Event Logs 5.3.4 Renaming User Security Profiles 5.3.5 Deleting User Security Profiles

5.4 Managing Access Point Security Profiles

5.4.1 Creating/Modifying Access Point Security Profiles 5.4.2 Configuring Access Point Security Profiles

5.4.2.1 Security Services Tab 5.4.2.2 Advanced Login Tab 5.4.2.3 QESSO SSOWatch Tab 5.4.2.4 Multi-User Desktop Tab 5.4.2.5 Biometrics Tab 5.4.2.6 Self Service Password Request Tab 5.4.2.7 Active RFID Tab 5.4.2.8 Audit Tab

5.4.3 Displaying Access Point Security Profile Event Logs 5.4.4 Renaming Access Point Security Profiles 5.4.5 Deleting Access Point Security Profiles

5.5 Managing Application Security Profiles

5.5.1 Managing Password Generation Policies

5.5.1.1 Creating/Modifying Password Generation Policies 5.5.1.2 Configuring the Password Generation Policy 5.5.1.3 Displaying Password Generation Policy Event Logs 5.5.1.4 Renaming Password Generation Policies 5.5.1.5 Deleting Password Generation Policies

5.5.2 Creating/Modifying Application Security Profiles 5.5.3 Configuring Application Security Profiles

5.5.3.1 General Tab 5.5.3.2 Account Tab 5.5.3.3 Authentication Method Tab 5.5.3.4 Delegation Tab 5.5.3.5 IP Address Constraints Tab

5.5.4 Displaying Application Security Profile Event Logs 5.5.5 Renaming Application Security Profiles 5.5.6 Deleting Application Security Profiles

5.6 Defining Security Profiles Default Values 5.7 Managing User and Access Point Security Profiles Priorities

6 Managing Directory Objects

6.1 Managing Applications

6.1.1 Creating an Application

6.1.1.1 Creating an Application without Using a Template 6.1.1.2 Creating an Application Using Templates

6.1.2 Defining the General Properties of an Application 6.1.3 Creating the Account Properties of an Application

6.1.3.1 Defining Account Base Parameters 6.1.3.2 Defining Account Properties

6.1.4 Defining the Single Sign-On Properties of an Application 6.1.5 Defining External Names 6.1.6 Assigning Users to an Application 6.1.7 Sharing the Administration of an Application 6.1.8 Generating/Importing Accounts for an Application 6.1.9 Assigning Access Points to an Application 6.1.10 Displaying Accounts Associated with the Application 6.1.11 Displaying Application Event Logs 6.1.12 Displaying/Modifying Application Information 6.1.13 Renaming Applications 6.1.14 Deleting Applications

6.2 Managing Users

6.2.1 Displaying User General Information 6.2.2 Defining User Connection Parameters

6.2.2.1 Suspending or Limiting Temporarily a User Access 6.2.2.2 Displaying User Authentication Information and Administering Roaming Sessions 6.2.2.3 Predefine a New User's Primary Password 6.2.2.4 Managing User SSPR 6.2.2.5 Defining an Audit Identifier 6.2.2.6 Creating a Welcome Message

6.2.3 Assigning a User Security Profile to a User 6.2.4 Declaring a User as an Administrator 6.2.5 Assigning/Forbidding Access Points to a User 6.2.6 Managing User Accounts 6.2.7 Sending SSO Account Passwords to Users 6.2.8 Defining Additional Security Policy Parameters for Groups of Users 6.2.9 Managing User Smart Cards 6.2.11 Displaying and Deleting User Biometric Data 6.2.12 Assigning Applications to a User 6.2.13 Displaying Delegated Sessions 6.2.14 Managing User RFID Tokens 6.2.15 Displaying User Event Logs 6.2.16 Deleting SSO Data of Disabled User Accounts 6.2.17 Adding or Removing a User from a Group

6.3 Managing Access Points

6.3.1 Displaying Access Point General Information 6.3.2 Defining Access Point Configuration Parameters

6.3.2.1 Assigning an Access Point Security Profile to an Access Point 6.3.2.2 Managing the Quest ESSO Controller Services

6.3.3 Assigning/Forbidding Users to Access Points 6.3.4 Assigning/Forbidding Applications to Access Points 6.3.5 Adding or Removing an Access Point from a Group 6.3.6 Displaying Access Point Event Logs

6.4 Managing Representative Objects

6.4.1 Managing Inbound Representative Objects

6.4.1.1 Creating/Modifying an Inbound Representative Object 6.4.1.2 Defining the Set of Users to Represent 6.4.1.3 Assigning a User Security Profile to the Inbound Representative Object 6.4.1.4 Selecting the Access Points Available to the Representative

6.4.2 Managing Outbound Representative Objects

6.4.2.1 Creating/Modifying an Outbound Object 6.4.2.2 Defining the Set of Access Points to Represent 6.4.2.3 Selecting the Applications Available to the Representative

6.4.3 Displaying Representative Event Logs 6.4.4 Renaming Representative Objects 6.4.5 Deleting Representative Objects

6.5 Managing Clusters of Access Points

6.5.1 Creating and Configuring a Cluster of Access Points 6.5.2 Managing Users' Permissions on a Cluster

6.5.2.1 Authorizing Users to Access Workstations of the Cluster 6.5.2.2 Displaying the Cluster Composition Made by Authorized Users

6.5.3 Displaying Cluster Event Logs 6.5.4 Renaming Clusters 6.5.5 Deleting Clusters

6.6 Selecting a Domain Controller

7 Importing/Exporting Security Profiles and Directory Objects

7.1 Exporting Objects From Quest ESSO Console 7.2 Importing Objects in Quest ESSO Console

8 Managing Smart Cards

8.1 Assigning Smart Cards to Users

8.1.1 Assigning Smart Cards to Many Users 8.1.2 Assigning a Smart Card to a User 8.1.3 Assigning a new Smart Card Allowing a User to Log on a Workstation which is Disconnected from the Directory

8.2 Formatting Smart Cards 8.3 Forcing a new PIN 8.4 Disabling Temporarily Smart Cards

8.4.1 Disabling Temporarily Smart Cards from the Smart Card Panel 8.4.2 Disabling Smart Cards of a User from the Directory Panel

8.5 Unlocking Smart Cards

8.5.1 Unlocking Smart Cards from the Smart Card Panel 8.5.2 Unlocking Smart Cards from the Directory Panel 8.5.3 Defining Contact Information

8.6 Sending Smart Cards to a Blacklist

8.6.1 Sending Smart Cards to a Blacklist from the Smart Card Panel 8.6.2 Sending Smart Cards to a Blacklist from the Directory Panel

8.7 Extending the Validity of a Smart Card 8.8 Allowing Users to Renew their Smart Card Certificates 8.9 Displaying Smart Card Properties 8.10 Displaying the List of Supported Smart Cards 8.11 Managing Smart Card Configuration Profiles

8.11.1 Creating / Modifying Configuration Profiles 8.11.2 Renaming Configuration Profiles 8.11.3 Deleting Configuration Profiles

8.12 Managing Loan Cards

8.12.1 Assigning a Loan Card to a User 8.12.2 Returning a Loan Card

8.12.2.1 Returning a Loan Card from the Directory Panel 8.12.2.2 Returning a Loan Card from the Smart Card Panel

8.13 Managing Smart Cards' Authentication Parameters 8.14 Managing Batches of Smart Cards

8.14.1 Defining a Stock of Tokens 8.14.2 Displaying Information on a Stock 8.14.3 Forcing the Use of Smart Cards Defined in the Batch

9 Managing SA Server Devices

9.1 Configuring Quest ESSO for SA Server Management

9.1.1 Configuring SA Server Connection 9.1.2 Configuring the SA Server Device Management

9.2 Managing SA Server Devices

9.2.1 Assigning an SA Server Device to a User 9.2.2 Formatting an SA Server Device 9.2.3 Blacklisting an SA Server Device 9.2.4 Managing the Link Between User and SA Server Device

10 Managing RFID Tokens

10.1 Assigning an RFID Token 10.2 Locking and Unlocking an RFID Token

10.2.1 Locking and Unlocking an RFID Token from the Directory Panel 10.2.2 Locking and Unlocking an RFID Token from the RFID Panel

10.3 Blacklisting and Deleting an RFID Token

10.3.1 Blacklisting and Deleting an RFID Token From the Directory Panel 10.3.2 Blacklisting and Deleting an RFID Token From the RFID Panel

10.4 Modifying the Detection Areas and the Grace Period 10.5 Exporting a List of RFID Tokens

11 Managing Biometric Enrolment

11.1 Defining the Biometric Enrolment Policy

11.1.1 Defining the User Biometric Profile 11.1.2 Adjusting the Biometrics Enrolment Tool Behavior

11.2 Defining the Biometric Workstation Parameters 11.3 Managing the User Enrolment 11.4 Displaying and Exporting the Biometric Enrolment Report

13 Enabling the Public Key Authentication Method

13.1 Configuring User and Access Point Security Profiles to Support the PKA Authentication Method 13.2 Activating the PKA Authentication Method and Defining the Set of Authorized Certification Authorities

13.2.1 Activating the PKA Authentication Method 13.2.2 Configuring the Set of Authorized Certification Authorities

13.2.2.1 Importing Certification Authorities from PEM or DER Encoded Files 13.2.2.2 Importing Certification Authorities from Windows System Storage 13.2.2.3 Deleting a Certification Authority

13.3 Configuring the Automatic Update of the Revocation Information

13.3.1 Importing a CRL Point of Distribution 13.3.2 Importing an OCSP Responder 13.3.3 Deleting a CRL Point of Distribution or an OCSP Responder

14 Managing the Emergency Plan 15 Managing Audit Events

15.1 Displaying Audit Events 15.2 Defining an Audit Population 15.3 Managing and Applying Audit Filters

15.3.1 Creating an Audit Filter 15.3.2 Saving an Audit Filter 15.3.3 Loading an Audit Filter 15.3.4 Applying an Audit Filter

15.3.4.1 Applying an Audit Filter to Audit Records 15.3.4.2 Assigning an Audit Filter to Specific Objects

15.4 Interpreting Audit Events

15.4.1 The Audit Main Window 15.4.2 The "Event Details" Window 15.4.3 Detailed Information on Administration Audit Events

15.5 Exporting Audit Events 15.6 Archiving Audit Records 15.7 Retrieving User ID from Audit ID 15.8 Retrieving Event Codes

16 Managing Reports

16.1 Generating Reports

16.1.1 Generating Application Account Reports 16.1.2 Generating User Account Reports 16.1.3 Generating Administrators Report 16.1.4 Generating Analysis and Statistics Reports

16.2 Exporting the Generated Report

17 Customizing Configuration Files

17.1 Importing a List of Supported Authentication Tokens 17.2 Adding User Attribute Information

18 Creating Scripts

18.1 Using the Script Editor 18.2 Script Commands

18.2.1 CREATE_ROLE 18.2.2 CREATE_ACCESS 18.2.3 CREATE_ACCOUNT

18.3 Importing Script Files

Appendix A: Regular Expressions - Basic Syntax Appendix B: Listing Audit Events and Error Codes

B.1 Listing Audit Events B.2 Listing Error Codes

Appendix C: Correspondence Between Profile and Administration Rights

15.3.2 Saving an Audit Filter

Subject

To be able to reuse the audit filter you have built, you can save it locally on your system as a .afd file. This way, you can load it whenever needed.

Procedure

1.	In the Audit panel, click Advanced Filter.

The audit database search filter window appears.

2.	Build an audit filter as explained 15.3.1 Creating an Audit Filter.

3.	In the Audit Database Search Filter window, click the Save button.

The Windows Explorer window appears.

4.	Select the location you want to save the filter, name it and click Save.

The filter is saved as an .afd file and can then be reused.

15.3.3 Loading an Audit Filter

Subject

The following procedure explains how to reuse an audit filter you have previously created and saved (as a .afd file).

Procedure

1.	In the Audit panel, click Advanced Filter.

The audit database search filter window appears.

2.	Click the Load button.

The Windows Explorer window appears.

3.	Select the .afd file corresponding to the filter you want to load and click Open.

The filter is loaded in the Audit Database Search Filter window and is ready to be applied (see 15.3.4 Applying an Audit Filter).

15.3.4 Applying an Audit Filter

The audit filters allow you to filter the events:

At the time of their visualization: see 15.3.4.1 Applying an Audit Filter to Audit Records.

•

At the time of the event creation for specific objects (administration role, user security profile, access point security profile, application): 15.3.4.2 Assigning an Audit Filter to Specific Objects. All defined audit filters will be applied before the Quest ESSO Security Services decide whether this operation should be audited. If at least one filter indicates that the operation should be audited, then the associated audit event is created.

15.3.4.1 Applying an Audit Filter to Audit Records

Subject

To adapt to your needs the list of audit events displayed in the report, you can apply an audit filter.

Before Starting

To perform the task described in this section, you must have at least the following administration role:

•	In classic administration mode: "Security Object administrator".

•	In advanced administration mode, your role must contain the following rights: "Audit filter: Creation/Modification" and "Audit filter: Deletion".

For more information on administration role, see Section 4., "Managing Administrators".

Procedure

1.	In the Audit panel, click Advanced Filter.

The audit database search filter window appears.

2.	Do one of the following:

•	Create a new audit filter as explained in 15.3.1 Creating an Audit Filter.

•	Load an existing audit filter as explained in 15.3.3 Loading an Audit Filter.

3.	In the Audit Database Search Filter window, click Apply.

The filter is instantly taken into account.

4.	Click Close to display in the Audit panel the event records corresponding to the selected filter.

To interpret audit events, see 15.4 Interpreting Audit Events.

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

Enterprise Single Sign-On 8.0.6 - Quest ESSO Console Administrator Guide

15.3.2 Saving an Audit Filter

15.3.3 Loading an Audit Filter

15.3.4 Applying an Audit Filter

15.3.4.1 Applying an Audit Filter to Audit Records