
Enterprise Single Sign-On 9.0.2 - Enterprise Access Management Session Management Guide

Preface

Subject: This guide describes how to use the Primary account, Access to applications and Self Enrollment menus of the Enterprise Access Management (EAM) portal.
Audience: This guide is intended for end-users.
Required Software: EAM 9.0 evolution 2 and later versions. For more information about the versions of the required operating systems and software solutions quoted in this guide, please refer to One Identity EAM Release Notes.
Typographical Conventions

  • Bold - Indicates:
    • Interface objects, such as menu names, buttons, icons and labels.
    • File, folder and path names.
    • Keywords to which particular attention must be paid.
  • Italics - Indicates references to other guides.
  • Code - Indicates portions of program code, command lines or messages displayed in command windows.
  • CAPITALIZATION - Indicates specific objects within the application (in addition to standard capitalization rules).
  • < > - Identifies parameters to be supplied by the user.
 

Legend

Warning: A WARNING icon indicates a potential for property damage, personal injury, or death.

Caution: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.
   
Documentation support: The information contained in this document is subject to change without notice. As our products are continuously enhanced, certain pieces of information in this guide can be incorrect. Send us your comments or suggestions regarding the documentation on the One Identity support website.

Overview

Session Management Functions

This section gives an overview of the features offered by the Session Management option.

Fast User Switching (FUS)

Fast User Switching (FUS) simplifies the access to computers used by several employees.

FUS modifies the Microsoft session unlocking method by allowing users to unlock or close another user's session, using one of the following methods:

  • Hierarchized access FUS: users are only authorized to unlock or close the sessions of other users whose level is below or equal to their own level.
  • Shared access FUS: several users have in their Windows account list the account that opened the session, so they can unlock or close the sessions of all other users who share that account.
  • Public access FUS: the workstation session remains open and is the same for all users, but the SSO context and application opening/closing are handled individually for each user.

This function is particularly used in retail store workstations where salespersons want to check stocks or register orders before their customers change their minds.

Fast User Switching can work with Roaming Session Mode or with Cluster Mode.

To know how to configure and use the Fast User Switching, see The Fast User Switching (FUS) Feature.

Multi-User Desktop

Description

The Multi-User Desktop feature provides advanced Fast User Switching features for workstations used simultaneously by a large number of users, such as kiosk computers or computers used by medical staff in hospitals.

To provide Fast User Switching and save computer resources, the Multi-User Desktop uses a single Windows Desktop to display all the user applications and launches a single instance of the Enterprise SSO engine.

Requirements
  • To be compatible with Multi-User Desktop, applications must support several instances running simultaneously.
  • Specific configuration is needed with Internet Explorer: for more information, please contact the Expertise Evidian Center.
  • The Multi-User Desktop is designed for computers where the Windows session is always and automatically opened and never locked. Do not enable the screensaver.

Session Management

Session authentication/disconnection

Upon a successful authentication, the Enterprise SSO engine loads the user's set of accounts. It can then automatically start the user's applications and perform the SSO.

Upon disconnection, Enterprise SSO closes the user's set of accounts and some of his applications if necessary. Multi-User Desktop then hides the applications started by the user.

If no user authenticates, the welcome dialog box appears. If another user authenticates, his own session is created or re-connected.

Session termination

Upon termination of a session, Enterprise SSO closes the user's set of accounts and his applications. Multi-User Desktop then terminates all applications started by the user before displaying the welcome dialog box.

NOTE: Multi-User Desktop can automatically disconnect an active session and terminate a disconnected session.
 

When a new user session must be created, Multi-User Desktop can automatically terminate the oldest disconnected session if a maximum number of concurrent sessions has been set in Enterprise SSO Console.

To know how to configure and use the Multi-User Desktop feature, see The Multi-User Desktop Feature.

Roaming Session

The Roaming Session mode simplifies the successive authentication to several computers.

When a user needs to access several computers during the day, he/she only has to authenticate once on the first computer; then he/she only needs his/her device to open the other computers' sessions.

This function is particularly used in hospital emergency desks, where nurses and doctors need immediate access to information.
It can be combined with Fast User Switching, and can be used on clusters of computers.

To know how to configure and use the Roaming Session mode, see The Roaming Session Mode.

Double-Login Prevention

By default, when a user authenticates on a computer, the computer session on which he/she was previously connected (by password, passive RFID or biometrics) remains open.

The Double-Login Prevention function ensures that, when a user is authenticating on a computer, the session opened on the previously used computer is locked.

To know how to configure and use the Double-Login Prevention feature, see The Double-Login Prevention Feature.

Session Management Authentication Methods

The following table lists the authentication methods that can be used for each of the Session Management functions.

Table 1: Session Management Authentication Methods

| Function                | Password     | Smart Card   | Active RFID  | Passive RFID | Biometrics   | Mobile device |
|-------------------------|--------------|--------------|--------------|--------------|--------------|---------------|
| Hierarchized Access FUS | Yes          | Yes          | Yes          | Yes          | Yes          | -             |
| Shared Access FUS       | Yes          | Yes          | Yes          | Yes          | Yes          | -             |
| Public Access FUS       | -            | Yes          | Yes          | -            | -            | -             |
| Multi-User Desktop      | Yes          | Yes          | Yes          | Yes          | Yes          | Yes           |
| Roaming Session Mode    | Not relevant | Yes          | Yes          | Yes          | Not relevant | -             |
| Double-Login Prevention | Yes          | Not relevant | Not relevant | Yes          | Yes          | -             |

Required EAM Modules

The following table lists the EAM (Enterprise Access Management) modules that you must install to use each of the Session Management functions. The EAM Client module comprises Enterprise SSO and Authentication Manager.

Table 2: EAM Modules

| Function                | EAM Console | EAM Client: Enterprise SSO | EAM Client: Authentication Manager |
|-------------------------|-------------|----------------------------|------------------------------------|
| Hierarchized Access FUS | Optional    | Yes                        | Yes                                |
| Shared Access FUS       | Optional    | Yes                        | Yes                                |
| Public Access FUS       | Yes         | Yes                        |                                    |
| Multi-User Desktop      | Yes         | Yes                        | Not compatible                     |
| Roaming Session Mode    | Optional    | Yes                        | Yes                                |
| Double-Login Prevention | Optional    | Yes                        | Yes                                |

 

The Fast User Switching (FUS) Feature

Fast User Switching - Overview and Use

Definition

EAM Fast User Switching (FUS) is a functionality that allows multiple users to easily share the same workstation, by allowing them to change the SSO context quickly, without closing the Windows session.

Fast User Switching Modes

The Fast User Switching function works in three modes so that it can perfectly fit your needs. These modes are detailed in the following sub-sections.

In Hierarchized Access FUS and Shared Access FUS, the access to the Windows session is protected: the Windows session locking and unlocking is managed by Authentication Manager. All authentication methods can be used, but if an authentication device is used, it ensures that when a user removes his/her device, the session is automatically locked. If the same user comes back to the same workstation, he/she will find his/her applications still open.

In Public Access FUS, the access to the Windows session is not protected: the session is the same for all users, but each user can access his/her own applications.

You can also use FUS with AutoLogon. You can configure Windows to automate the logon process by storing authentication data in the registry database. This feature allows any user to start a workstation in public access and use the account configured for automatic logon.

This enables a user to gain time when:

  • Opening a Windows session for the first time.
  • The network is not available for your first authentication.

Turn on automatic logon:

Hierarchized Access FUS

In Hierarchized Access FUS, users are associated with an "unlocking level" and a "closing level". They are only authorized to unlock or close the session of other users whose level is below or equal to their own level.

Figure 1: Hierarchized Access FUS

In the above illustration, the Windows user is still User A, and the Enterprise SSO user is User B.

To configure this FUS mode, see Configuring Hierarchized Access FUS.

Shared Access FUS

In Shared Access FUS, all users who need to authenticate to the same workstation have the same Windows account. All these users have in their account list the account that opened the session. This way, they can unlock a session opened by another user of the same group.

Figure 2: Shared Access FUS

To configure this FUS mode, see Configuring Shared Access FUS.

Public Access FUS

The Public Access FUS is adapted to computers used in public access.
In this mode, the access to the Windows session is not protected: the workstation session remains open, but the SSO context and application opening/closing are handled individually for each user, as illustrated in the following figure:

Figure 3: Public Access FUS

Upon detection of a smart card or an active RFID device, Enterprise SSO starts and prompts the user for his/her PIN (smart card) or password (RFID). Once the user is authenticated, he/she can access his/her own applications. When the device is removed, Enterprise SSO is closed. The Windows session can use a generic account that has no particular right of its own.

NOTE: If the roaming session is allowed on the access point (see The Multi-User Desktop Feature), each time an RFID device is presented or a smart card is inserted, Public Access FUS checks whether a roaming session can be used before prompting the user for the password or the PIN.

 

To install and configure this FUS mode, see Installing and Configuring Public Access FUS.

Configuring Hierarchized Access FUS

Evidian provides hierarchized access Fast User Switching with Authentication Manager. The functionality is managed from EAM Console.

Authorizing FUS on Workstations

Subject

You must authorize the use of FUS on all computers on which you plan to set up hierarchized access FUS, as explained in the following procedure.

Procedure

 

  1. In EAM Console, from the Directory panel, click the access point security profile that applies to computers that will be used for hierarchized Fast User Switching.
  2. In the Authentication Manager tab, select Allow unlock if allowed by user security profile:

    Figure 4: Authentication Manager tab

  3. Click Apply.

 

Activating Hierarchized Access FUS

Subject

You activate hierarchized access FUS from the user security profile, as explained in the following procedure.

Before Starting
  • Make sure Authentication Manager is installed on the workstation you want to be used for Fast User Switching.
  • Make sure you have the following administration role:
    • In classic administration mode: "Security object administrator".
    • In advanced administration mode, your role must contain the following rights: "User security profile: Creation/Modification", "Application profile: Creation/Modification" and "Access point security profile: Creation/Modification".

    NOTE: For more details on administration roles, see Evidian EAM Console - Guide de l'administrateur.
Procedure
  1. In EAM Console, from the Directory panel, click the user security profile that applies to users that will use the hierarchized Fast User Switching.
  2. Click the Unlocking tab.

    The Unlocking tab appears.

  3. Fill in the tab as explained in the following Unlocking Tab Description section.

 

Unlocking Tab Description

Figure 5: Unlocking Tab

 

 

Table 3: Unlocking tab

  • User level: Enter a user hierarchy level (0 is the lowest level, and 50000 is the highest). We recommend setting a large interval between levels (for example 10, 20, 30 and so on), so that you can add sub-levels in between if needed.
  • User can unlock sessions of users below level: Select this check box to allow a user to unlock a session locked by another user whose level is below the specified level.
  • User can close sessions of users below level: Select this check box to allow a user to close a session opened by another user whose level is below the specified level.

NOTE: When a user tries to perform a FUS on a workstation, EAM refers to the unlocking level before the closing level.

Overriding the User "Unlocking Level" (Optional)

Subject

In the application security profile, you can define a different user level than the one specified in the user security profile.
In this case, when a user launches an application that is associated with this application security profile, the user "unlocking level" is overridden with the level set in the application security profile (usually set to a higher level).

Procedure
  1. In EAM Console, from the Directory panel, click the application security profile that applies to applications for which you want to override the user unlocking level.
  2. Click the Configuration/General tab.

    The General tab appears.

    Figure 6: Configuration/General tab

  3. Select the When application is used, set user's "unlocking level" to check box and set the level number.
  4. Click Apply.

 

Configuring Shared Access FUS

The shared access FUS is used when no hierarchy can be set between employees that need to access a workstation.

Authorizing FUS on Workstations

You must authorize the use of FUS on all computers on which you plan to set up shared access FUS, as explained in Authorizing FUS on Workstations.

Associating Users with a Shared Windows Account

Subject

In shared access FUS, all users who need to access the same workstation have in their account list the account that opened the session. The easiest way to configure this is to gather these users in a group of users. The following procedure explains how to associate a group of users with a shared Windows account.

Before Starting

To perform the task described in this section, you must have at least the following administration role:

  • In classic administration mode: "Security object administrator"
  • In advanced administration mode, your role must contain the following right: "Application: Creation/Modification".
Procedure
 
  1. In EAM Console, from the Directory panel, right-click the Organizational Unit that must contain your Application and select New/Template-based Application/Windows.

    The Windows Application window appears.

    Figure 7: Windows Application

  2. Fill in the window by typing the application name and Windows domain.
  3. For the group of users that you want to share the same Windows account, add the application and define it as shared, as follows:
    1. Click the group of users and select the Application Access tab.

      The Application Access tab appears.

    2. In the Application Access tab, add the application you have just created, and set the Account type to Shared.

      Figure 8: Application Access tab

  4. In the group of users, assign an owner for the application, as follows:
    1. Click the group of users and select the Accounts tab.

      The Accounts tab appears.

      Figure 9: Accounts tab

    2. Click the application and click the Properties button.

      The Account Properties window appears.

    3. In the SSO Data tab, create credentials for the account.

      Figure 10: Account Properties

    4. In the Ownership tab, you can assign an owner for the account. In this case, this owner becomes the only user authorized to modify the account password.

    NOTE: EAM allows you to manage password modification of a shared application account: if you do not set ownership, all users who are part of the group of users sharing the same application account are authorized to modify the shared account password. The other users automatically retrieve the new password.

 

Activating Shared Access FUS on Dedicated Access Points (Optional)

Subject

By default, FUS is authorized on all access points, without need of any configuration. This section explains how to reserve some workstations only for shared access FUS users. The configured workstations will only be accessible to shared access FUS users.

Procedure
  1. In EAM Console, from the Directory panel, click the access point security profile that applies to computers reserved for shared access FUS users.
  2. In the Authentication Manager tab, select Allow unlock if the same Windows credential is used:

    Figure 11: Authentication Manager

    IMPORTANT: If you select both the Allow unlock if allowed by user security profile and Allow unlock if the same Windows credential is used check boxes, take into account that FUS will be applied to users of the same Windows account, at the same hierarchy level.

  3. Click Apply.

 

Installing and Configuring Public Access FUS

Subject

Evidian provides Fast User Switching at the session level with Enterprise SSO, with the "Session Management" extra license.

The process listens for incoming events from activated authentication devices. These devices are:

  • Smart cards managed from Evidian.
  • Smart cards managed externally for which the PKA authentication is activated in Evidian.
  • Active RFID devices.

In Public Access FUS, the Windows session is the same for all users. The Windows session used is the one of the first user who opened a Windows session on the workstation. Users then use their authentication device to access their own SSO context and applications.

NOTE: You can set a generic Windows account that has no particular right on its own, to keep the Windows session open for all users.

Procedure
  1. Log on as system administrator.
  2. Run the EAM installation wizard and follow the displayed instructions with the following guidelines:
    • If you use the EAM Quick installation, select the Public access authentication mode in the EAM Client modules selection window:

      Figure 12: Enterprise Access Management Wizard

      NOTE: For more details on EAM quick installation, see Evidian EAM Quick Installation Guide.

    • If you use the EAM advanced installation, select Public Access FUS in the features selection window:

      Figure 13: Public Access FUS

IMPORTANT:

  • Make sure the Authentication Manager and Integration with Windows features are not selected for installation.
  • For more details on EAM advanced installation, see Evidian EAM Installation Guide.
 

Configuring Keyboard and Mouse Locking

IMPORTANT:

  • The following configuration settings are unique to Public Access FUS for smart cards or RFID devices.

  • For compatibility reasons with Windows Vista/2008 and later versions, do one of the following:

    • Add the string value (REG_SZ type) named C:\%EAM installation folder%\SSOFus.exe with the VISTARTM value.
      The registry key is located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers.

    • Deactivate the User Account Control after having set the following keys.

Locking Keyboard and Mouse if Enterprise SSO is Stopped

Subject

This section explains how to lock the keyboard and mouse when Enterprise SSO is stopped and no Authentication Manager authentication is requested.

Procedure
  • Set the FUSBlockInput registry key (DWORD) to 1.
    (default value: 0).

    This registry key is located in HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\SSOWatch\CommonConfig

 

Locking Keyboard and Mouse at Startup

Subject

By default, at startup keyboard and mouse are not locked. If you want to lock keyboard and mouse at startup (because you are using the automatic logon in Windows for example) then you have to set the following registry key.

Procedure
  • Set the FUSBlockInputAtStartup registry key (DWORD) to 1.
    (default value: 0).

    This registry key is located in HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\SSOWatch\CommonConfig

 

Configuring the Keyboard and Mouse Locking Timer

Subject

When a badge or a smart card is detected, keyboard and mouse are released to allow the user to type his secret. If no secret is entered after 300 seconds, then the authentication window is automatically closed and keyboard and mouse are locked.
You can configure this timer as follows.

Procedure
  • Set the FUSAuthenticationDelay registry key (DWORD) to the number of seconds you want before the authentication window closes.
    Default value is 300. 0 means deactivated.

    This registry key is located in HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\SSOWatch\CommonConfig

 

Configuring the Inactivity Timer

Subject

By default, if no user activity is detected for a while, Enterprise SSO goes into secure mode; a new authentication is then needed to perform SSO.

If you want to lock the keyboard and mouse when the inactivity timer elapses, the following registry key must be used.
When this option is activated, Enterprise SSO is closed when the inactivity timer elapses. Public Access FUS then automatically locks the keyboard and mouse, since Enterprise SSO is no longer running.

Procedure
  • Set the StopSSOEngineOnSecurityEvent registry key (DWORD) to 1.
    (default value: 0).

    This registry key is located in HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\SSOWatch\CommonConfig

 

Configuring Application Closing

When a user locks a session (for Hierarchized and Shared Access FUS) or withdraws his/her device (for Public Access FUS), Enterprise SSO is closed but the user's running applications remain open. To force Enterprise SSO to automatically close the user's applications before switching context, an extension DLL must be written.

Tips for Writing and Using an Extension DLL

Description

The extension DLL exports the following functions:

Table 4: Tips for Writing and Using an Extension DLL

  • OnSessionLocked, OnSessionUnLocked: Enterprise SSO calls these functions when it switches to the lock state (upon a smart card removal or an elapsed inactivity timeout).
  • EngineStarted, EngineStartedV2, EngineStopped, EngineRestarted: Enterprise SSO calls these functions when it is started, stopped or when its configuration is reset. For more information, see Special Case 1 below; for more information on the EngineStartedV2 function, see Special Case 2.
  • OnWindowsSessionLocked, OnWindowsSessionUnlocked: Enterprise SSO calls these functions when the Windows session is locked or unlocked.
  • OnWindowsSessionReconnected, OnWindowsSessionDisconnected: Enterprise SSO calls these functions when the user logs on to or logs off from a workstation (locally or remotely).

Special Case 1

When a user unlocks his/her workstation using an authentication device which is not the same as the device used to log on to the workstation (for example, John Smith logs on to the workstation at 8.00am using his smart card, then unlocks it using his RFID card at 02.00pm), Authentication Manager proceeds as follows:

  1. It sets the HKCU\SOFTWARE\Enatel\SSOWatch\WillRestartForUPN registry value to the Windows user name.
  2. It stops Enterprise SSO.

     NOTE: During shutdown, Enterprise SSO calls the EngineStopped function only if the WillRestartForUPN registry value is not set.

  3. It starts Enterprise SSO.

     NOTE: During startup, Enterprise SSO calls the EngineRestarted function only if WillRestartForUPN is set to the Windows user name. Otherwise, Enterprise SSO calls the EngineStarted function and the registry value is deleted.

Format

The functions must be written according to the following format (each export receives the parent window handle and the Windows user name of the current SSO context, and returns TRUE on success):

#include <windows.h>   /* HWND, BOOL, LPCSTR and APIENTRY */

typedef struct _CUSTOMPARAMETERS
{
      LPCSTR szUser;   /* Windows user name of the current SSO context */
} CUSTOMPARAMETERS, *PCUSTOMPARAMETERS;

BOOL APIENTRY OnSessionLocked(HWND hParent, const PCUSTOMPARAMETERS pcapParameters)
{
      return TRUE;
}

BOOL APIENTRY OnSessionUnLocked(HWND hParent, const PCUSTOMPARAMETERS pcapParameters)
{
      return TRUE;
}

BOOL APIENTRY EngineStarted(HWND hParent, const PCUSTOMPARAMETERS pcapParameters)
{
      return TRUE;
}

BOOL APIENTRY EngineStopped(HWND hParent, const PCUSTOMPARAMETERS pcapParameters)
{
      return TRUE;
}

BOOL APIENTRY EngineRestarted(HWND hParent, const PCUSTOMPARAMETERS pcapParameters)
{
      return TRUE;
}

BOOL APIENTRY OnWindowsSessionLocked(HWND hParent, const PCUSTOMPARAMETERS pcapParameters)
{
      return TRUE;
}

BOOL APIENTRY OnWindowsSessionUnLocked(HWND hParent, const PCUSTOMPARAMETERS pcapParameters)
{
      return TRUE;
}

BOOL APIENTRY OnWindowsSessionReconnected(HWND hParent, const PCUSTOMPARAMETERS pcapParameters)
{
      return TRUE;
}

BOOL APIENTRY OnWindowsSessionDisconnected(HWND hParent, const PCUSTOMPARAMETERS pcapParameters)
{
      return TRUE;
}

DLL location

Enterprise SSO calls the extension DLL using the path set in the HKLM\Software\Enatel\SSOWatch\ExternalCall\CustomDLLName registry value.

Example: CustomDLLName = C:\SSO\MyDll.dll

Special Case 2

The EngineStartedV2 function provides the authentication method used, as follows:

Table 5: Authentication Method

| Method             | Returned Information |
|--------------------|----------------------|
| Password           | PWD                  |
| Non-EAM card       | EXTCARD              |
| Biometrics         | BIO                  |
| Temporary password | TPA                  |
| EAM card           | CARD                 |
| Badge              | RFID                 |
| Session mode       | SESSION              |
| OTP                | OTP                  |

This function must be written according to the CUSTOMV2 definition as follows:

typedef struct _CUSTOMPARAMETERSV2
{
      LPCSTR szUser;         /* Windows user name of the current SSO context */
      LPCSTR szAuthMethod;   /* one of the values listed in Table 5 */
} CUSTOMPARAMETERSV2, *PCUSTOMPARAMETERSV2;

typedef BOOL (APIENTRY *CUSTOMV2)(HWND hParent, const PCUSTOMPARAMETERSV2 pcapParameters);
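The following is an added example, not Evidian's code or the skeleton above: it fills in the Format section and the EngineStartedV2 variant from Special Case 2 with an extension DLL that records the user and authentication method, terminates a constructed list of applications on OnSessionLocked and EngineStopped, and deliberately leaves them running on EngineRestarted (Special Case 1, the same user re-authenticating with another device). The close-on-switch list, the fus_* helper names and the non-Windows shim are assumptions made for this example.

```c
/* Added example, not Evidian's code: a FUS extension DLL that terminates a
 * constructed list of user applications when Enterprise SSO switches to the
 * lock state or stops, so the next user cannot see the previous user's data.
 * EngineRestarted (Special Case 1: same user, new device) keeps them open.
 * Off Windows the exports build against a small shim so the policy logic
 * can be unit-tested; process termination itself only runs on Windows. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#ifdef _WIN32
#undef UNICODE               /* use the ANSI Toolhelp structures below */
#include <windows.h>
#include <tlhelp32.h>
#else
typedef int BOOL;
typedef void *HWND;
typedef const char *LPCSTR;
#define APIENTRY
#define TRUE 1
#define FALSE 0
#endif

typedef struct _CUSTOMPARAMETERS { LPCSTR szUser; } CUSTOMPARAMETERS, *PCUSTOMPARAMETERS;
typedef struct _CUSTOMPARAMETERSV2 {
    LPCSTR szUser;
    LPCSTR szAuthMethod;     /* PWD, CARD, RFID, ... as listed in Table 5 */
} CUSTOMPARAMETERSV2, *PCUSTOMPARAMETERSV2;

/* Constructed list (assumption): executables that must not survive a user switch. */
static const char *const kCloseOnSwitch[] = { "notepad.exe", "mspaint.exe", "winword.exe" };

static char g_user[256];         /* user of the current SSO context */
static char g_auth_method[32];   /* method reported by EngineStartedV2 */

static int eq_nocase(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Policy: is this executable on the close-on-switch list? */
BOOL fus_should_terminate(const char *exe_name) {
    size_t i;
    for (i = 0; i < sizeof kCloseOnSwitch / sizeof kCloseOnSwitch[0]; i++)
        if (eq_nocase(exe_name, kCloseOnSwitch[i])) return TRUE;
    return FALSE;
}
const char *fus_current_user(void) { return g_user; }
const char *fus_current_auth_method(void) { return g_auth_method; }

/* Terminates every listed process found in a Toolhelp snapshot; returns the count. */
static int close_user_applications(void) {
    int n = 0;
#ifdef _WIN32
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 pe;
    if (snap == INVALID_HANDLE_VALUE) return 0;
    pe.dwSize = sizeof pe;
    if (Process32First(snap, &pe)) {
        do {
            if (fus_should_terminate(pe.szExeFile)) {
                HANDLE h = OpenProcess(PROCESS_TERMINATE, FALSE, pe.th32ProcessID);
                if (h) { if (TerminateProcess(h, 0)) n++; CloseHandle(h); }
            }
        } while (Process32Next(snap, &pe));
    }
    CloseHandle(snap);
#endif
    return n;
}

static void remember(LPCSTR user, LPCSTR method) {
    snprintf(g_user, sizeof g_user, "%s", user ? user : "");
    snprintf(g_auth_method, sizeof g_auth_method, "%s", method ? method : "");
}

BOOL APIENTRY EngineStarted(HWND hParent, const PCUSTOMPARAMETERS p) {
    (void)hParent; remember(p ? p->szUser : NULL, NULL); return TRUE;
}
BOOL APIENTRY EngineStartedV2(HWND hParent, const PCUSTOMPARAMETERSV2 p) {
    (void)hParent; remember(p ? p->szUser : NULL, p ? p->szAuthMethod : NULL); return TRUE;
}
/* Special Case 1: same user re-authenticating with another device; keep applications. */
BOOL APIENTRY EngineRestarted(HWND hParent, const PCUSTOMPARAMETERS p) {
    (void)hParent; (void)p; return TRUE;
}
BOOL APIENTRY EngineStopped(HWND hParent, const PCUSTOMPARAMETERS p) {
    (void)hParent; (void)p; close_user_applications(); remember(NULL, NULL); return TRUE;
}
/* Lock state: smart card removed or inactivity timeout elapsed. */
BOOL APIENTRY OnSessionLocked(HWND hParent, const PCUSTOMPARAMETERS p) {
    (void)hParent; (void)p; close_user_applications(); return TRUE;
}
BOOL APIENTRY OnSessionUnLocked(HWND h, const PCUSTOMPARAMETERS p) { (void)h; (void)p; return TRUE; }
BOOL APIENTRY OnWindowsSessionLocked(HWND h, const PCUSTOMPARAMETERS p) { (void)h; (void)p; return TRUE; }
BOOL APIENTRY OnWindowsSessionUnLocked(HWND h, const PCUSTOMPARAMETERS p) { (void)h; (void)p; return TRUE; }
BOOL APIENTRY OnWindowsSessionReconnected(HWND h, const PCUSTOMPARAMETERS p) { (void)h; (void)p; return TRUE; }
BOOL APIENTRY OnWindowsSessionDisconnected(HWND h, const PCUSTOMPARAMETERS p) { (void)h; (void)p; return TRUE; }
```

When building this as a DLL, publish the exports with a .def file or __declspec(dllexport) and point the CustomDLLName registry value described under DLL location at the resulting file.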

Using the FUS Extension DLL Tool

Subject

The FUS Extension DLL, once installed (see Installing the DLL), enables you to use the Configuration of FUS DLL tool. This tool is designed to help you configure automated actions on running applications when Enterprise SSO starts or stops on a workstation configured for Fast User Switching without Authentication Manager installed.

Description

The Configuration of FUS DLL tool is located here: %EAM installation folder%\UAConfFUSDll.exe and looks like this:

Figure 14: Configuration of FUS DLL

This tool enables you to execute the following actions:

IMPORTANT: Once you have finished the configuration, you must save it by clicking Save configuration. You must then select the directory where the configuration file is to be saved, under the following name: UAConfFus_<Date>_<Time>.reg
Example: UAConfFus_01082014_17h23.reg

Installing the DLL

 

  1. Log on as system administrator.
  2. Run the EAM installation wizard and follow the instructions displayed in the wizard with the following guideline: at the features selection step, select FUS extension DLL.

IMPORTANT:

  • Make sure Enterprise SSO is selected for installation.
  • Make sure the Authentication Manager and Integration with Windows features are not selected for installation.
  • For more details on EAM advanced installation, see Evidian EAM Installation Guide.

Activating the call to the FUS library

IMPORTANT: You must activate the call to use the UAConfFUSDll.exe tool.

  1. Execute UAConfFUSDll.exe.

    The tool opens.

  2. Select the Activate the call to the library FUS check box.

    The name of the library is automatically filled in the corresponding field.
    Depending on your environment (32 or 64 bits), the name can be:

    • 32 bits: <FUS library installation directory>\ExtSessionMgr.dll
    • 64 bits: <FUS library installation directory>\ExtSessionMgr64.dll

  3. Click Change if the name or path is not correct and select the correct name/path.
  4. Click Save configuration.

 

Configuring the window detection

This window enables you to configure the actions executed by the SSOEngine on the window detection. You can configure up to 32 window detections.

  1. Execute UAConfFUSDll.exe.

    The tool opens.

  2. Click Actions on window detection.

    The following window appears:

    Figure 15: Action on window detection

  3. Configure the window and click Ok.

    NOTE: You must fill-in the Title field.
  4. Click Save configuration.

 

Executing specific commands at a given time

You can configure up to 32 commands.

  1. Execute UAConfFUSDll.exe.

    The tool opens.

  2. Click Command execution.

    The following window appears:

    Figure 16: Command execution

  3. Click the button corresponding to the moment when you want the command to be executed.

    The following window appears (example: when SSOEngine is stopped):

    Figure 17: Command execution

  4. Configure the window and click Ok, then Quit.
  5. Click Save configuration.

 

Configuring the browsers

You can configure IE and Firefox to stop at the same time as the SSOEngine.

 
  1. Execute UAConfFUSDll.exe.

    The tool opens.

  2. Click Treatment on browsers when the SSOEngine stops.

    The following window appears:

  3. Configure the window and click Ok.
  4. Click Save configuration.

Activating the Citrix Receiver (PNAgent)

If you activate this configuration, the actions are executed on the Citrix Receiver as follows:

  • PNAgent is started when SSOEngine starts.
  • PNAgent is stopped when SSOEngine stops (execution of 'PNAgent /disconnect', then 'PNAgent /logoff' and finally 'PNAgent /Terminate').
  • The 'PNAgent /disconnect' action is also executed when the Windows session is locked.
  • The 'PNAgent /reconnect' action is executed when the Windows session is unlocked.

  1. Execute UAConfFUSDll.exe.

    The tool opens.

  2. Click PNAgent (CITRIX).

    The following window appears:

    Figure 18: Citrix

    If needed, execute the following actions:

    1. Modify the title or the class defined by default if they are incorrect.
    2. Fill-in the fields of the Parameters for PNAgent area to execute the PNAgent (SSOEngine start) with commands.
    3. Click the Removing Citrix shortcuts button to define the shortcuts to delete when PNAgent stops and therefore when SSOEngine stops.

      You can delete up to 20 shortcuts.

  3. Click Ok.
  4. Click Save configuration.

 

Configuring the forced stop of a process

You can configure a process to stop at the same time as the SSOEngine stops. You can enter up to 32 process names.

  1. Execute UAConfFUSDll.exe.

    The tool opens.

  2. Click Killed process when the SSOEngine stops.

    The following window appears:

    Figure 19: Kill Process

  3. Enter the name of the processes and click Ok.
  4. Click Save configuration.
 

Calling a FUS client library

  1. Execute UAConfFUSDll.exe.

    The tool opens.

  2. Click Call Customer DLL.

    The following window appears:

    Figure 20: Calling a client library

  3. Select the library and click Ok.
  4. Click Save configuration.

 

Other actions

  1. Execute UAConfFUSDll.exe.

    The tool opens.

  2. Click Various.

    The following window appears:

    Figure 21: Miscellaneous

  3. If needed, select the following check boxes and click Ok:
    • If the "RemoteApp" client is detected, then "Disconnect all connections": when SSOEngine stops, if the Microsoft RemoteApp client is detected on the workstation, all the connections are disconnected.
    • Use "SplashScreen.exe" (not with MUD or Authentication Manager): when SSOEngine stops, a splash-screen window is displayed over the whole screen for 5 seconds to warn the new user that a user switch is occurring.
      This mode does not work if the MUD or Authentication Manager is installed on the workstation.
  4. Click Save configuration.

 

The Multi-User Desktop Feature

Overview and Use

Presentation

The Multi-User Desktop hosts several secured user sessions within a single Windows session.

Welcome Screen

Multi-User Desktop starts automatically when the Windows session opens. A Welcome screen displays the list of available authentication methods and the list of disconnected user sessions. Authentication methods that are not authorized by the Access Point Security Profile are hidden, as shown below for the contactless badge authentication method.

Figure 22: Multi User Desktop

NOTE:

  • To use the Press if you have forgotten your password tile, you must have previously chosen a set of questions and recorded the associated answers using the SSPR wizard, which is available in the Enterprise SSO popup menu.
  • When a user authenticates in Multi-User Desktop mode with an unassigned RFID badge, he will be able to assign it with his credentials. He will have to choose a PIN if the RFID+PIN authentication method is activated.

The welcome screen covers either:

  • The whole screen (Kiosk mode): see Kiosk Mode.
  • Part of the screen, as a dialog box (Control mode): see Control Mode. In this mode, the welcome screen moves automatically or can be moved with the arrow keys, so that the user can see the running applications in the background.

NOTE: The Multi-User Desktop feature is not compatible with a multi-screen display.

 

Virtual Desktops

When a user authenticates, only that user's applications are displayed. All other applications are automatically hidden and are unavailable to this user. When the user disconnects, his applications are automatically hidden and the welcome screen reappears.

NOTE: You can exclude a set of applications from this hiding so that they remain visible to any authenticated user: see Configuring the Exclusion of Applications.

Multi-User Desktop Authentication Modes

IMPORTANT: To use the mobile device authentication mode, you must have previously enrolled your mobile device from a workstation that does not use the Multi-User Desktop mode.

Kiosk Mode

This is the default mode. In Kiosk mode, the welcome screen of Multi-User Desktop uses the whole desktop space and hides the content of the Windows desktop.

In Kiosk mode, all authentication methods are allowed, including password, SSPR and mobile device. However, users cannot move/hide/terminate the welcome screen. To configure this mode, go to Configuring the Kiosk Mode.

Control Mode

In Control mode, the welcome screen appears in the center of the desktop.

The welcome screen changes position: it automatically moves clockwise on the desktop.

As an alternative to this automatic move, you can allow users to move the welcome screen using the arrow keys. Even if the keyboard is locked, the following keys are enabled:

 
Table 6: Control Mode

Key           Direction
Left arrow    10 pixels to the left
Right arrow   10 pixels to the right
Up arrow      10 pixels up
Down arrow    10 pixels down
Home          Top-left corner
End           Bottom-right corner
Page up       Top
Page down     Bottom

The mouse and keyboard can be locked: users cannot use these devices outside the welcome screen.

The welcome screen can be resized manually with the + and - keys and displays the following elements depending on its size:

  • Full screen:
    • Customizable bitmap.
    • Authentication method buttons and texts.
    • List of users.

    For more information on the customizable bitmap, please refer to Evidian EAM Customization Guide.

  • Normal screen:
    • Title.
    • Authentication method buttons and texts.
    • List of users.
  • No user:
    • Title.
    • Authentication method buttons and texts (no list of users).
  • Minimum: only authentication method buttons.
  • Invisible. To make it visible again, press the + key.

To configure this mode, go to Configuring the Control Mode.

Installing the Multi-User Desktop

  1. Log on as a system administrator.
  2. Run the EAM installation wizard and select the Custom installation mode.
  3. Select the Multi User Desktop feature.
    • Make sure the Authentication Manager and Integration with Windows features are not selected for installation.

    • For more details on EAM advanced installation, see Evidian EAM Installation Guide.

      Figure 23: Multi User Desktop

     

  4. Click Next and follow the rest of the Wizard instructions.
  5. Depending on your Windows version, execute one of the following actions:
    • Windows XP/2003: restart the workstation.
    • Windows 7/2008: close the session.

    The Multi-User Desktop feature has been installed.

 

Configuring the Multi-User Desktop Modes

Configuring the Kiosk Mode

 

  1. In EAM Console, from the Directory panel, click the access point security profile that applies to the computers used for Multi-User Desktop.
  2. In the Multi User Desktop tab, Welcome screen area, select Full screen mode:

    Figure 24: Multi User Desktop:Full screen mode

  3. Specify the background color of the welcome screen (default color: white).
  4. Click Apply.

Configuring the Control Mode

 
  1. In EAM Console, from the Directory panel, click the access point security profile that applies to the computers used for Multi-User Desktop.
  2. In the Multi User Desktop tab, Welcome screen area, select Transparent mode:

    Figure 25: Multi User Desktop:Transparent Mode

  3. Configure the following elements:
    • Lock keyboard and mouse check box: users cannot use these devices outside the welcome screen.
    • Move information window every:
      • Seconds field: enter the number of seconds after which the welcome screen changes position.
      • Manually check box: enables users to move the welcome screen manually with the arrow keys.
    • Information window is resizable check box: enables users to resize the welcome screen by pressing the:
      • + key to increase the size.
      • - key to reduce the size.
    • Allow reboot check box: enables users to restart the workstation by clicking the Reboot button in the Welcome screen.
    • Show help url check box and field: enter a help URL in the field and select the check box to display a link in the Welcome screen.
  4. Click Apply.

NOTE: For more information on the keys, please refer to Control Mode.

Configuring the Exclusion of Applications

When switching between user sessions, Multi-User Desktop hides, displays or terminates applications unless they are listed in the Always display windows of these processes field. Applications in this list are ignored by Multi-User Desktop and always remain displayed on the desktop.

  1. In EAM Console, from the Directory panel, click the access point security profile that applies to the computers used for Multi-User Desktop.
  2. In the Multi User Desktop tab, Welcome screen area, enter the list of applications, named as they appear in the Windows process list, in the Always display windows of these processes field:

    Figure 26: Multi User Desktop:Welcome Screen

    NOTE:

    • Separate the applications by commas or spaces.
    • Some applications are automatically ignored by Multi-User Desktop: the Multi User Desktop itself, Enterprise SSO and the Windows task manager.

  3. To apply this to all open applications, enter the * character in the field: the windows of every open application then always remain displayed.
  4. Click Apply.
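The rules stated above (comma- or space-separated process names, the * wildcard, and the processes Multi-User Desktop always ignores) are small enough to model, which lets you check a profile value before applying it. The following Python is an added example written for this page, not code from the EAM product: the executable names for Multi-User Desktop and Enterprise SSO, the sample process list and the ".exe" heuristic are this example's own assumptions.

```python
"""Model of the 'Always display windows of these processes' exclusion field."""
from __future__ import annotations

import re

# The guide says Multi-User Desktop always ignores itself, Enterprise SSO and the
# Windows task manager. taskmgr.exe is the real task manager binary; the other
# two names are assumptions made for this example.
BUILTIN_ALWAYS_VISIBLE = frozenset({"mud.exe", "ssoengine.exe", "taskmgr.exe"})

# Constructed process list for a shared workstation (not taken from the guide).
SAMPLE_RUNNING = ["chrome.exe", "notepad.exe", "outlook.exe", "taskmgr.exe", "vlc.exe"]


def parse_always_visible(field_value: str) -> set[str] | None:
    """Return the lower-cased set of process names in the field, or None when
    the field contains '*', which makes every open window stay visible."""
    tokens = [t for t in re.split(r"[,\s]+", field_value.strip()) if t]
    if "*" in tokens:
        return None
    return {t.lower() for t in tokens}


def is_always_visible(process: str, field_value: str) -> bool:
    """True if Multi-User Desktop would leave this process's windows alone."""
    name = process.lower()
    if name in BUILTIN_ALWAYS_VISIBLE:
        return True
    names = parse_always_visible(field_value)
    return names is None or name in names


def hidden_on_switch(running: list[str], field_value: str) -> list[str]:
    """Processes whose windows are hidden when the user disconnects or another
    user authenticates, in the order they were running."""
    return [p for p in running if not is_always_visible(p, field_value)]


def review_field(field_value: str) -> list[str]:
    """Warnings a reviewer would raise about a profile value before applying it."""
    warnings: list[str] = []
    names = parse_always_visible(field_value)
    if names is None:
        # The wildcard removes the separation between users' desktops entirely.
        warnings.append("'*' disables window hiding: every user sees every other user's windows")
        return warnings
    for n in sorted(names):
        # Heuristic (assumption): entries are expected to be image names such as app.exe.
        if not n.endswith(".exe"):
            warnings.append(f"{n!r} does not look like a name from the Windows process list")
    return warnings


if __name__ == "__main__":
    for value in ("", "notepad.exe, vlc.exe", "*"):
        print(f"{value!r:22} hides {hidden_on_switch(SAMPLE_RUNNING, value)} {review_field(value)}")
```

On a shared workstation the empty field is the safe default: everything except the built-in exceptions is hidden on a switch. Treat a * in an access point security profile as a finding, since it leaves the previous user's windows on screen for whoever authenticates next.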

 

Configuring Multi-User Desktop Session Management

Configuring Session Lock

Multi-User Desktop automatically locks a user session (that is, disconnects it) when the session has been inactive (no keyboard or mouse event) for a given period of time. The user is also automatically disconnected if another user authenticates.

However, you can allow users to disconnect themselves manually. They can either:

  • Use the Multi-User Desktop icon in the notification area and click Disconnect.
  • Press the Win + K keys.
  • Swipe their finger or withdraw their smart card or tap/withdraw their badge.

The default configuration is as follows:

  • No automatic lock.
  • No countdown.
  • Users can disconnect manually.
 
  1. In EAM Console, from the Directory panel, click the access point security profile that applies to the computers used for Multi-User Desktop and select the Multi User Desktop tab, Session Management area.

    Figure 27: Multi User Desktop:Session Management

  2. Configure the following elements:
    • Automatically disconnect users after field: enter the number of seconds after which the user is automatically disconnected.
    • Show count down for last ... seconds before lock: select this check box and enter a non-zero value to display a pop-up window that indicates the remaining seconds before the automatic lock.
    • Users can disconnect manually check box: users can use the Multi-User Desktop icon in the notification area to lock their session.
  3. Click Apply.

 

Configuring Session Log Off

Multi User Desktop automatically logs off a disconnected session after a given period of time.

However, you can allow users to logoff manually. They can either:

  • Use the Multi-User Desktop icon in the notification area and click Logoff.
  • Press the Win + Q keys.

The default configuration is as follows:

  • No automatic logoff.
  • Users can log off manually.
  1. In EAM Console, from the Directory panel, click the access point security profile that applies to the computers used for Multi-User Desktop and select the Multi User Desktop tab, Session Management area.

    Figure 28: Multi User Desktop:Session Management

  2. Configure the following elements:
    • Automatically logoff users after field: enter the number of seconds after which the user is automatically logged off.
    • Users can logoff manually check box: users can use the Multi-User Desktop icon in the notification area to log off.
  3. Click Apply.

 

Configuring Concurrent Sessions

You can define the maximum number of concurrent sessions managed by Multi-User Desktop.

When a new user authenticates and creates a new session, Multi-User Desktop terminates the oldest session if needed, i.e. the session that has been locked for the longest period of time.

 
  1. In EAM Console, from the Directory panel, click the access point security profile that applies to the computers used for Multi-User Desktop and select the Multi User Desktop tab, Session Management area.

    Figure 29: Multi User Desktop:Session Management

  2. Set the Max. number of concurrent sessions field to configure the maximum number of concurrent sessions.

    Set this field to 0 (default value) to disable this feature.

  3. Click Apply.
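The three settings above (Session Lock, Session Log Off and Concurrent Sessions) interact: inactivity or another user's authentication moves a session to the disconnected list, the log-off timer removes it from that list, and the concurrent-session limit evicts the session that has been locked the longest. The following Python is an added example that models those rules as the guide states them; it is not EAM code. The class and field names, the integer clock and the scenario users are this example's own assumptions.

```python
"""Model of Multi-User Desktop session management: lock, log off, concurrency."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class MudPolicy:
    """Values from the Session Management area. 0 means disabled, as in the console.
    Field names are this example's own, not the product's."""
    disconnect_after: int = 0      # Automatically disconnect users after (seconds)
    countdown_seconds: int = 0     # Show count down for last ... seconds before lock
    logoff_after: int = 0          # Automatically logoff users after (seconds)
    max_sessions: int = 0          # Max. number of concurrent sessions
    users_can_disconnect: bool = True

    def validate(self) -> list[str]:
        """Combinations the console accepts but that do not behave as intended."""
        problems: list[str] = []
        for name in ("disconnect_after", "countdown_seconds", "logoff_after", "max_sessions"):
            if getattr(self, name) < 0:
                problems.append(f"{name} must not be negative")
        if self.countdown_seconds and not self.disconnect_after:
            problems.append("countdown has no effect while automatic disconnect is 0")
        if self.disconnect_after and self.countdown_seconds > self.disconnect_after:
            problems.append("countdown is longer than the inactivity timeout")
        if not self.disconnect_after:
            problems.append("no automatic lock: an unattended session stays open until someone else authenticates")
        return problems


@dataclass
class Session:
    user: str
    last_activity: int
    locked_at: Optional[int] = None   # None while this is the active session


class MultiUserDesktop:
    def __init__(self, policy: MudPolicy) -> None:
        self.policy = policy
        self.active: Optional[Session] = None
        self.disconnected: list[Session] = []
        self.events: list[str] = []

    def disconnected_users(self) -> list[str]:
        return [s.user for s in self.disconnected]

    def _lock(self, now: int, reason: str) -> None:
        if self.active is None:
            return
        self.active.locked_at = now
        self.disconnected.append(self.active)
        self.events.append(f"{now}: lock {self.active.user} ({reason})")
        self.active = None

    def _logoff(self, s: Session, now: int, reason: str) -> None:
        self.disconnected.remove(s)
        self.events.append(f"{now}: logoff {s.user} ({reason})")

    def authenticate(self, user: str, now: int) -> None:
        """Locks whoever is active, then resumes the user's own disconnected
        session or creates a new one, evicting the longest-locked session if
        the limit is exceeded."""
        self._lock(now, "another user authenticated")
        own = next((s for s in self.disconnected if s.user == user), None)
        if own is not None:
            self.disconnected.remove(own)
            own.locked_at, own.last_activity = None, now
            self.active = own
            return
        self.active = Session(user, now)
        limit = self.policy.max_sessions
        while limit and 1 + len(self.disconnected) > limit and self.disconnected:
            oldest = min(self.disconnected, key=lambda s: s.locked_at)
            self._logoff(oldest, now, "max concurrent sessions")

    def activity(self, now: int) -> None:
        """Any keyboard or mouse event restarts the inactivity timer."""
        if self.active is not None:
            self.active.last_activity = now

    def manual_disconnect(self, now: int) -> bool:
        """Tray icon, Win+K or badge withdrawal; refused when the policy forbids it."""
        if not self.policy.users_can_disconnect or self.active is None:
            return False
        self._lock(now, "manual")
        return True

    def tick(self, now: int) -> Optional[int]:
        """Apply the timers at time `now`. Returns the seconds left to show in
        the countdown pop-up, or None when no countdown is due."""
        countdown = None
        p = self.policy
        if self.active is not None and p.disconnect_after:
            remaining = p.disconnect_after - (now - self.active.last_activity)
            if remaining <= 0:
                self._lock(now, "inactivity")
            elif p.countdown_seconds and remaining <= p.countdown_seconds:
                countdown = remaining
        if p.logoff_after:
            for s in list(self.disconnected):
                if now - s.locked_at >= p.logoff_after:
                    self._logoff(s, now, "logoff timeout")
        return countdown
```

Running validate() on the page's defaults (all zeros) reports the point a practitioner cares about on a shared workstation: with no automatic lock, a session left unattended stays open until the next person authenticates. The eviction rule also means a low Max. number of concurrent sessions silently logs off the user who has been away longest, so set the log-off timer and the limit together rather than relying on one of them.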
 

Configuring Biometrics Enrolment

For a user to enroll his fingerprints, you must enable the Biometric enrolment parameter in the EAM Console; this enables the Enroll button in the User Identification window.

  1. In EAM Console, from the Directory panel, click the access point security profile that applies to the computers used for Multi-User Desktop and select the Multi User Desktop tab, Session Management area.

    Figure 30: Multi User Desktop:Session Management

  2. Check the Allow biometrics enrolment check box.

    Default behavior: biometrics enrolment is allowed.

  3. Click Apply.

 

Configuring the Information Display

You can display information about the connected user either directly on the Windows desktop wallpaper or on a toolbar that appears on the desktop.

NOTE: In addition to displaying information about the connected user, the toolbar provides a lock and a disconnect button.

  1. In EAM Console, from the Directory panel, click the access point security profile that applies to the computers used for Multi-User Desktop and select the Multi User Desktop tab, Session Management area.

    Figure 31: Multi User Desktop: Session Management

  2. Select the Show infos check box and select either On the wallpaper or As a toolbar in the drop-down list. To customize the displayed information, see Evidian EAM Console - Administrator's Guide.

 
