
Enterprise Single Sign-On 9.0.2 - Authentication Manager for Linux Thin Clients Installation Configuration Guide

Preface


Subject: This guide explains how to install, configure and use rsUserAuth (Authentication Manager roaming session) on Linux systems (32-bit, 64-bit and ARM).
Audience: This guide is intended for system integrators.
Required Software: EAM 9.0 evolution 2 and later versions. For more information about the versions of the required operating systems and software solutions quoted in this guide, please refer to One Identity EAM Release Notes.
Typographical Conventions

Bold - Indicates:

  • Interface objects, such as menu names, buttons, icons and labels.
  • File, folder and path names.
  • Keywords to which particular attention must be paid.

Italics - Indicates references to other guides.
Code - Indicates portions of program codes, command lines or messages displayed in command windows.
CAPITALIZATION - Indicates specific objects within the application (in addition to standard capitalization rules).
< > - Identifies parameters to be supplied by the user.
 

Legend

Warning: A WARNING icon indicates a potential for property damage, personal injury, or death.

Caution: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.
   
Documentation support: The information contained in this document is subject to change without notice. As our products are continuously enhanced, certain pieces of information in this guide can be incorrect. Send us your comments or suggestions regarding the documentation on the One Identity support website.

Overview


rsUserAuth Usage

rsUserAuth is the authentication module of the EAM (Enterprise Access Management) suite on Linux thin clients. It enables rapid implementation of connection procedures using authentication mechanisms with physical tokens (smart cards and RFID badges), in addition to the standard authentication method of login/password.

rsUserAuth is used to implement strong authentication in the following scenarios of use:

  • Authentication with smart cards.
  • Authentication with RFID badges.

NOTE:

  • For RFID badges, only PCSC type badges are supported.
  • The list of other supported authentication devices and software versions is provided in One Identity EAM Release Notes.

rsUserAuth requires EAM Web Services to retrieve the RFID badge or smart card owner credentials. These credentials are used by a specified start script, which, for example, allows access to a Windows session through a Citrix client. A specified end script is then called at the end of the process.

Architecture


rsUserAuth can only be installed in Active Directory mode or in Active Directory/AD LDS mode.

NOTE:

  • Credentials are checked on the controller each time a roaming session is started and retrieved.
  • For users who are not allowed to use a roaming session, the Windows credentials are required. The validity of the credentials is then checked.

RFID Badge Integration


Depending on your EAM configuration, you may be using RFID badges with PIN. If that is the case, a PIN replacing the primary directory password is associated with each RFID badge.

  1. The RFID badge serial number is read on the thin client by the rsUserAuth authentication module.
  2. rsUserAuth sends a request to the EAM Web Services to retrieve the owner’s name and credentials.
  3. The EAM Security Service sends an LDAP request to the directory to retrieve the information.
  4. The result is returned to rsUserAuth.
  5. rsUserAuth processes the result as follows. If:
    • The badge is associated with a user and a roaming session is active, the user credentials are returned to a specified script (start script) that can be executed. Example: a Citrix session is opened.
    • The badge is associated with a user but there is no active roaming session, either the user’s Windows password or PIN is requested to start a roaming session. The user credentials are then returned to a specified script that can be executed.
    • The badge is not associated with a user, a self-enrollment procedure is proposed. In that case, the user credentials are required. A roaming session is then started and the specified script is executed.
      In an RFID+ PIN configuration, in addition to the user credentials, a PIN must be chosen. This PIN must respect the PIN policy defined in EAM.
    • The user password needs to be changed, the current and the new password are required. A roaming session is then started and the specified script is executed.
    • The PIN must be changed (when the RFID+ PIN authentication method is used), the current PIN is required and a new PIN must be chosen.
    • The badge is blacklisted or locked, an error message is returned.
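
The branches of step 5 can be modelled as a single decision function. The sketch below is an added example, not rsUserAuth code: the record fields, outcome names, sample badge serials and the order in which the conditions are tested are all assumptions, since the guide does not state a precedence.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class BadgeRecord:
    # Constructed stand-in for the result returned in step 4; field names are assumptions.
    owner: Optional[str] = None       # None: badge not associated with a user
    roaming_active: bool = False
    blocked: bool = False             # badge blacklisted or locked
    password_change_due: bool = False
    pin_change_due: bool = False

# Constructed sample data standing in for the Web Services lookup (steps 2 to 4).
DIRECTORY = {
    "04A1": BadgeRecord(owner="alice", roaming_active=True),
    "04B2": BadgeRecord(owner="bob"),
    "04C3": BadgeRecord(),
    "04D4": BadgeRecord(owner="dana", blocked=True),
    "04E5": BadgeRecord(owner="erin", password_change_due=True),
    "04F6": BadgeRecord(owner="frank", pin_change_due=True),
}

def handle_badge(serial: str, rfid_pin_mode: bool = False):
    """Return (outcome, prompts) for one badge read, following step 5."""
    rec = DIRECTORY.get(serial)
    if rec is None:
        # Assumption: a lookup that returns nothing is an error, not an unassigned badge.
        return ("error", [])
    if rec.blocked:
        # Assumption: the blacklisted/locked check comes before every other branch.
        return ("error", [])
    if rec.owner is None:
        # Self-enrollment: credentials, plus a new PIN in an RFID+PIN configuration.
        prompts = ["user_credentials"] + (["choose_pin"] if rfid_pin_mode else [])
        return ("self_enroll", prompts)
    if rec.password_change_due:
        return ("change_password", ["current_password", "new_password"])
    if rfid_pin_mode and rec.pin_change_due:
        return ("change_pin", ["current_pin", "choose_pin"])
    if rec.roaming_active:
        # Active roaming session: credentials go to the start script without a prompt.
        return ("resume_session", [])
    # No active roaming session: the PIN or the Windows password is requested.
    return ("start_session", ["pin" if rfid_pin_mode else "windows_password"])
```
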