
Enterprise Single Sign-On 9.0.2 - Authentication Manager Cluster Administration Guide


Configuring and Administering Session Delegation

For a general overview of the session delegation mechanism, see Session Delegation - Mechanism.

For more details on the conditions under which a user can delegate a session, see Managing Session Delegation.

Authorizing Users to Delegate Their Windows Session

To authorize users to delegate their Windows session, use one of the following procedures:

Authorizing Users to Delegate Their Session to other Users

Subject

The Session delegation tab of a user security profile allows you to authorize users to delegate their Windows session to another user.

Procedure

 

  1. In the tree structure of the Directory panel, click the user security profile that applies to users for which you want to authorize session delegation.
  2. Click the Session Delegation tab.

    The tab appears.

  3. In the Session delegation type field, select Temporary and define the delegation parameters for temporary delegation as described in the "Session delegation" Tab Description below.
  4. In the Session delegation type field, select Permanent and define the delegation parameters for permanent delegation as described in the "Session delegation" Tab Description below.
  5. Click Apply.

 

"Session delegation" Tab Description

Figure 6: Session Delegation tab

  • Session delegation type

    The user can decide to delegate his/her session temporarily or permanently. Both options are available to the user, so you must configure each of them.

    • Temporary: when a user delegates his/her session, the session is delegated until he/she re-authenticates.
    • Permanent: when a user delegates his/her session, the session is delegated until he/she ends the delegation authorization through the Manage Session Delegation menu in Authentication Manager.

  • Re-authentication is needed check box

    This check box allows you to define whether users must re-authenticate when they want to access the Cluster wizard (from which they can delegate their session) or the Set temporary session delegation shortcut command. See Managing a Cluster from your Workstation for more details on how users can access these tools. For session delegation outside a cluster, this check box must be selected.

    • Check box selected: when the user launches one of the delegation tools, an authentication window appears on his/her workstation.
    • Check box cleared: the user does not need to authenticate again on his/her workstation when he/she launches one of the delegation tools.

  • Temporary delegation needs an approval check box

    This check box is only available if the Temporary session delegation type is selected.

    • Check box selected: a user who wants to delegate his/her session needs the approval of the delegate.

      In this case, when a user selects a user to whom he/she wants to delegate his/her session, a delegation proposal window appears on the delegate’s workstation. The delegate can accept or reject the proposal. The asking user window is frozen until all selected users have given an answer.

      Delegate has x seconds to accept/decline the delegation demand

      Period of time during which the delegation proposal window appears on the delegate’s workstation. If no answer is given during this period of time, the delegation demand is either sent to the Backup delegate (if any), or declined.

    • Check box cleared: a user can delegate his/her session to another user without collecting his/her approval. An information window appears on the delegate’s workstation to inform him/her that a delegation has been set.

For Session delegation, one of the following check boxes must be selected:

  • Authorize delegation to all users check box
    • Check box selected: users are authorized to delegate their Windows session to all users of the directory.
    • Check box cleared: users are not authorized to delegate their Windows session to all users of the directory.
  • Authorize delegation to members of the same group check box
    • Check box selected: users are only authorized to delegate their Windows session to members of the same group of users.
    • Check box cleared: users are not authorized to delegate their Windows session to members of the same group of users.
  • Authorize delegation to members of the same organizational entity check box
    • Check box selected: users are only authorized to delegate their Windows session to members of the same organizational unit.
    • Check box cleared: users are not authorized to delegate their Windows session to members of the same organizational unit.
  • Advanced mode (build the list of authorized users/groups/organizational entities) check box
    • Check box selected: users are only authorized to delegate their Windows session to the users listed in the Advanced Mode area (see below).

    Advanced Mode area

    Displays the list of users to whom users of the profile are authorized to delegate their session.

    • Add button: opens the user selection window, which allows you to add users to the list.
      Use the Browse tab to browse the directory tree structure or use the Search tab to find the user by typing its name.
    • Remove button: removes the selected user/group/organizational unit from the list.

    • Check box cleared: no specific list of authorized users is defined.
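The four "Authorize delegation" check boxes, together with the approval timeout described under "Temporary delegation needs an approval", can be read as a small policy. The Python below is an illustrative model added to this page; it is not One Identity's code, and the product's internal evaluation logic is not documented here. It assumes that when several check boxes are selected a delegation is allowed if any one of them permits it, that the Advanced Mode list is matched on the delegate's DN, group or organizational unit, and that a session cannot be delegated to its own owner; the directory users, the profile values and the `used_outside_cluster` flag are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectoryUser:
    """Constructed stand-in for a directory entry (one group per user keeps the model small)."""
    dn: str
    group: str
    org_unit: str


@dataclass(frozen=True)
class DelegationProfile:
    """The check boxes of the 'Session delegation' tab that decide who may receive a session."""
    all_users: bool = False          # Authorize delegation to all users
    same_group: bool = False         # Authorize delegation to members of the same group
    same_org_unit: bool = False      # Authorize delegation to members of the same organizational entity
    advanced_mode: bool = False      # Advanced mode (build the list of authorized users/groups/OUs)
    advanced_list: frozenset = frozenset()  # Advanced Mode area: DNs of users, groups or OUs
    reauth_required: bool = True     # Re-authentication is needed
    used_outside_cluster: bool = False  # constructed flag: profile also applies to users outside a cluster


def validate_profile(p: DelegationProfile) -> list:
    """Return the misconfigurations the tab description warns about (empty list = consistent)."""
    problems = []
    if not (p.all_users or p.same_group or p.same_org_unit or p.advanced_mode):
        problems.append("no 'Authorize delegation ...' check box selected")
    if p.advanced_mode and not p.advanced_list:
        problems.append("Advanced mode selected but the authorized list is empty")
    if p.used_outside_cluster and not p.reauth_required:
        problems.append("'Re-authentication is needed' must be selected for delegation outside a cluster")
    return problems


def may_delegate(p: DelegationProfile, owner: DirectoryUser, delegate: DirectoryUser) -> bool:
    """Is 'owner' authorized to delegate a Windows session to 'delegate' under profile p?
    Assumption (the page does not say): several selected check boxes combine as OR."""
    if owner.dn == delegate.dn:
        return False  # assumption: a session is never delegated to its own owner
    if p.all_users:
        return True
    if p.same_group and owner.group == delegate.group:
        return True
    if p.same_org_unit and owner.org_unit == delegate.org_unit:
        return True
    if p.advanced_mode and {delegate.dn, delegate.group, delegate.org_unit} & p.advanced_list:
        return True
    return False


def proposal_outcome(replies: list, timeout_s: int) -> tuple:
    """Model of the approval window for temporary delegation.

    replies: ordered [(delegate_dn, reply, seconds_until_reply)], the chosen
    delegate first and the Backup delegate (if any) after it; reply is
    'accept', 'decline' or None (window closed without an answer).
    As the tab description states, no answer within the timeout passes the
    demand to the Backup delegate; with no backup left, the demand is declined.
    Returns (dn_of_who_answered_or_None, accepted)."""
    for dn, reply, elapsed in replies:
        if reply is None or elapsed > timeout_s:
            continue  # no answer in time: fall through to the backup delegate
        return dn, reply == "accept"
    return None, False


def demo() -> dict:
    """Constructed directory: two nurses on the same ward, one doctor elsewhere."""
    alice = DirectoryUser("cn=alice,ou=ward-a,dc=example,dc=test", "nurses", "ward-a")
    bob = DirectoryUser("cn=bob,ou=ward-a,dc=example,dc=test", "nurses", "ward-a")
    carol = DirectoryUser("cn=carol,ou=ward-b,dc=example,dc=test", "doctors", "ward-b")
    group_only = DelegationProfile(same_group=True)
    listed = DelegationProfile(advanced_mode=True, advanced_list=frozenset({"doctors"}))
    return {
        "nurse_to_nurse": may_delegate(group_only, alice, bob),      # True
        "nurse_to_doctor": may_delegate(group_only, alice, carol),   # False
        "listed_group": may_delegate(listed, alice, carol),          # True
        "empty_profile": validate_profile(DelegationProfile()),
        "backup_accepts": proposal_outcome([(bob.dn, None, 45), (carol.dn, "accept", 12)], 30),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

`validate_profile` is the check worth running before Apply: a profile with none of the four check boxes selected lets nobody receive a session, and a profile used outside a cluster with "Re-authentication is needed" cleared contradicts the requirement stated above.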

Authorizing Users of the same Group to Delegate Their Session to Members of their Group

Subject

You can define additional security policy parameters on groups of users. These parameters are added to the user security profiles applied to the members of the group.

The Policies tab (only available from a group object) is dedicated to Cluster users and allows you to authorize members of the group to delegate their Windows session to another member of the group.

Before Starting
  • This section only applies to groups of users who use clusters of access points.
  • To perform the task described in this section, you must have at least the following administration role:
    • In classic administration mode: "Security object administrator".
    • In advanced administration mode: your role must contain the following right: "Group policy: Modification".

    NOTE: For more information on administration roles, see One Identity EAM Console Administrator's Guide.

 

Procedure

 

  1. In the tree structure of the Directory panel, select the group of users you want.
  2. Click the Policies tab:

    Figure 7: Policies tab

  3. Select the Define additional Security Policies for members of this group check box.
  4. In the Windows Session Delegation Policy area, select the check box corresponding to the type of delegation you want to authorize to members of the group:
    • Allow permanent delegation: when a user delegates his/her session, the session is delegated until he/she ends the delegation authorization through the Cluster wizard.
    • Allow temporary delegation: when a user delegates his/her session, the session is delegated until he/she re-authenticates.
  5. Click Apply.

 
