
Enterprise Single Sign-On 9.0.2 - Authentication Manager for Linux Thin Clients Installation Configuration Guide

Smart Card Integration

  1. The smart card serial number and owner are read on the thin client by the rsUserAuth authentication module.
  2. rsUserAuth sends a request to the EAM Web Services to check the owner and retrieve his credentials.
  3. The EAM Security Service sends an LDAP request to the directory to retrieve the information.
  4. The result is returned to rsUserAuth.
  5. rsUserAuth processes the result as follows:
    • If the card is associated with the card user and a roaming session is active, the user credentials are returned to a specified script that can be executed. Example: a Citrix session is opened.
    • If the card is not associated with the right user, an error is returned.
    • If the card is associated with a user but there is no active roaming session, the card PIN is requested to retrieve the user credentials stored on the card and start a roaming session. The credentials are then returned to the specified script, which is executed (for example, opening a Citrix session). If this fails, the user’s Windows password is requested to start a roaming session; the specified script is then started and the credentials on the card are updated.
    • If the user password needs to be changed, the PIN and the new password are required (the current password is read from the token if available, otherwise it is requested). A roaming session is then started, the specified script is executed and the credentials on the card are updated.
    • If the card is blacklisted or locked, an error message is returned.

NOTE: PIN management is not supported: modifying and unblocking PINs must be done through the CardOS API tool.

Installing rsUserAuth

Depending on your thin client system type, you must copy the corresponding rsUserAuth binary to the thin client with the execute permission set.

Then, you must copy the message catalog file rsUserAuth.cat either into the same directory as the rsUserAuth binary, or into the directory specified by the message catalog parameter (in that case, the catalog file may be given a different name).

NOTE: You can customize these messages. For more information, see Customizing Messages.
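The two installation steps above, written as a POSIX shell script. This is an added example, not a script shipped with Enterprise Single Sign-On: the file names rsUserAuth and rsUserAuth.cat come from the guide, while the destination directory, the optional separate catalog directory and the use of install(1) to set the permissions are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the One Identity documentation): copies the
# rsUserAuth binary with the execute permission set and places the message
# catalog where the binary will look for it. Destination paths are assumed.
set -eu

# install_rsuserauth SRC_BINARY SRC_CATALOG DEST_DIR [CATALOG_DIR]
#   SRC_BINARY  - the rsUserAuth binary matching the thin client system type
#   SRC_CATALOG - the rsUserAuth.cat message catalog
#   DEST_DIR    - directory that receives the binary
#   CATALOG_DIR - optional; defaults to DEST_DIR (catalog next to the binary).
#                 Use it when the message catalog parameter points elsewhere.
install_rsuserauth() {
    src_bin="$1"; src_cat="$2"; dest_dir="$3"; cat_dir="${4:-$3}"
    [ -f "$src_bin" ] || { echo "binary not found: $src_bin" >&2; return 1; }
    [ -f "$src_cat" ] || { echo "catalog not found: $src_cat" >&2; return 1; }
    mkdir -p "$dest_dir" "$cat_dir"
    # 0755: executable by everyone, writable only by the owner, so a regular
    # user on the thin client cannot tamper with the authentication module.
    install -m 0755 "$src_bin" "$dest_dir/rsUserAuth"
    # The catalog only needs to be readable; keep it non-executable.
    install -m 0644 "$src_cat" "$cat_dir/rsUserAuth.cat"
}

# verify_rsuserauth DEST_DIR [CATALOG_DIR]
# Returns 0 when the binary is executable and the catalog is readable in the
# directory the binary expects (DEST_DIR, or CATALOG_DIR if given); 1 otherwise.
verify_rsuserauth() {
    dest_dir="$1"; cat_dir="${2:-$1}"
    [ -x "$dest_dir/rsUserAuth" ] && [ -r "$cat_dir/rsUserAuth.cat" ]
}

# Typical call on the thin client (paths are illustrative):
#   install_rsuserauth ./rsUserAuth ./rsUserAuth.cat /opt/rsUserAuth
#   verify_rsuserauth /opt/rsUserAuth
```

Run verify_rsuserauth after installation with the same directory you pass to the message catalog parameter; a missing or unreadable catalog is the usual reason the module starts but shows no messages.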

Configuring EAM

Configuring the EAM console

rsUserAuth supports the RFID badge self-enrollment feature and allows the user to change their password when required.

To enable these features, you must provide the authorizations to the following modules in the EAM console:

  • Password authentication method and Roaming session for users, in the User Security Profile.
  • Enterprise SSO for the Web Service workstation, in the Access Point Profile.

You must also initialize and assign smart cards to users.

For more information, see One Identity EAM Console - Administrator's Guide.

Configuring the EAM controller

Roaming Secret

IMPORTANT: Security requirement: the data exchanged between the EAM Web Service and rsUserAuth is encrypted. Therefore, a shared secret is mandatory.

The shared secret is stored in the Windows registry string value ExternalRoamingSessionSecret.

This value is set under the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\WiseGuard\Framework\Authentication
