
Enterprise Single Sign-On 9.0.2 - Enterprise Access Management Session Management Guide

The Roaming Session Mode

Roaming Session Mode - Overview and Use

Definition

The roaming session mode allows users to open a session with Authentication Manager on one or several computers using only their physical authentication token, without having to type a secret, during a defined period of time.

Mechanism Description

Figure 32: Mechanism Description

Table 7: Mechanism Description

Phase 1: The administrator configures the roaming session mode on the appropriate access points and for a set of users, with a defined duration.

Phase 2: A user authenticates on a computer on which the roaming session mode is available, whatever the authentication method (login/password, smart card, active or passive RFID device, biometrics).

Phase 3: This automatically creates a roaming session in the EAM Controller. If no EAM Controller is available, the roaming session is not created.

Phase 4: When a computer on which the roaming session mode is activated detects a physical authentication token (smart card, active or passive RFID), the roaming session is retrieved from the EAM Controller and the user is authenticated without having to type the secret associated with the token. The remaining session duration is displayed to the user in a task bar balloon.

Phase 5: If the roaming session expires while it is open on a computer, or if the user's password expires or is changed, the open session remains open, but the user will have to authenticate (type the secret) at the next session opening.

Prerequisites
  • Make sure you have the "Session Management" license key.
  • If users authenticate with a smart card for the roaming session, the smart card must meet the following requirements:
    • The smart card configuration must allow the owner name to be read without typing the PIN.
    • The smart card contains only one account.
    • No SSO account is stored on the smart card.

Restriction

In a roaming session, users cannot change their password or PIN with Authentication Manager.

Configuring the Roaming Session Mode

Subject

To make the roaming session mode available, you must activate it both for the users concerned (in their user security profile) and on the appropriate access points (in the access point security profile), as explained in the following sections.

Before Starting

To perform the tasks described in this section, you must have at least the following administration role:

  • In classic administration mode: "Security object administrator".
  • In advanced administration mode, your role must contain the following rights: "User security profile: Creation/Modification" and "Access point security profile: Creation/Modification".

Activating the Roaming Session Mode for Users

Subject

You must activate the roaming session mode in the user security profile. For users associated with this profile, a roaming session will be automatically created after they have authenticated themselves with Authentication Manager on a computer that authorizes roaming sessions.

Procedure
 
  1. In EAM Console, from the Directory panel, click the user security profile that applies to users that will use the roaming session mode.
  2. Click the Security tab.

    The Security tab appears.

  3. Select the Roaming session check-box and define the duration:
    • x hours: number of hours you want the session to be active. The roaming session is created as soon as the user authenticates on an authorized access point, and the session duration time starts from that moment. At the end of the duration time, the user will have to type a secret.
    • No duration limit: if you select this check-box, the roaming session is created as soon as the user authenticates on an authorized access point, with no duration time. The user will not have to type a secret again until the roaming session is deleted (by the user or by the administrator) or his/her password expires or is changed.

      Figure 33: Roaming Session

    IMPORTANT: If you change the duration time parameter once a roaming session has started, the new value is only taken into account for the next roaming session, i.e. once the session in progress has expired, or has been deleted by the user (see Administering Current Roaming Session From the User’s Workstation) or by the administrator (see Administering User’s Roaming Sessions From EAM Console).

  4. Click Apply.
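The lifecycle described in Table 7 and the duration semantics set in step 3 above (including the rule that a changed duration only applies to the next session, and the deletion performed by the administrator or the user described later in this guide) as a runnable model. This is an added example, not code from the Evidian product or this guide: the names RoamingSession, EAMController and walkthrough, the users alice, bob and carol and the timings are all constructed. It assumes the controller keeps at most one roaming session per user, represents a password change or expiry as a per-user counter, uses a plain seconds clock, and, inferred from the IMPORTANT note, does not restart a session that is still running when the user authenticates with a secret again. Only the decision taken at session opening is modelled, which is why an expired or deleted session never closes a Windows session that is already open.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

SECRET_REQUIRED = "secret-required"
OPENED_WITHOUT_SECRET = "opened-without-secret"


@dataclass
class RoamingSession:
    user: str
    created_at: float                # seconds on a simple clock (assumption)
    duration_hours: Optional[float]  # None models the "No duration limit" check-box
    password_generation: int         # user's password version when the session was created
    deleted: bool = False            # set by the user (Terminate) or the administrator

    def expires_at(self) -> Optional[float]:
        if self.duration_hours is None:
            return None
        return self.created_at + self.duration_hours * 3600

    def remaining_seconds(self, now: float) -> Optional[float]:
        """Value the task bar balloon would display; None means unlimited."""
        exp = self.expires_at()
        return None if exp is None else max(0.0, exp - now)


class EAMController:
    """Controller side of the model: at most one roaming session per user (assumption)."""

    def __init__(self, available: bool = True):
        self.available = available                       # no controller: no session is created
        self.sessions: Dict[str, RoamingSession] = {}
        self.duration: Dict[str, Optional[float]] = {}   # profile setting: hours, or None
        self.password_generation: Dict[str, int] = {}

    def set_duration(self, user: str, hours: Optional[float]) -> None:
        """Profile change; a session already in progress keeps the value it was created with."""
        self.duration[user] = hours

    def _live(self, user: str, now: float) -> Optional[RoamingSession]:
        s = self.sessions.get(user)
        if s is None or s.deleted:
            return None
        exp = s.expires_at()
        if exp is not None and now >= exp:
            return None                                  # duration elapsed
        if s.password_generation != self.password_generation.get(user, 0):
            return None                                  # password expired or changed
        return s

    def authenticate_with_secret(self, user: str, now: float, roaming_allowed: bool) -> None:
        """Any authentication method; creates the session if the access point allows roaming."""
        if not (self.available and roaming_allowed) or self._live(user, now) is not None:
            return                                       # a running session keeps its own duration
        self.sessions[user] = RoamingSession(
            user, now, self.duration.get(user), self.password_generation.get(user, 0))

    def present_token(self, user: str, now: float, roaming_allowed: bool) -> str:
        """Smart card or RFID detected at session opening: is the secret needed?"""
        if self.available and roaming_allowed and self._live(user, now) is not None:
            return OPENED_WITHOUT_SECRET
        return SECRET_REQUIRED

    def change_password(self, user: str) -> None:
        self.password_generation[user] = self.password_generation.get(user, 0) + 1

    def delete_session(self, user: str) -> None:
        """Admin 'Delete roaming session' or user 'Terminate', e.g. after a token is lost."""
        if user in self.sessions:
            self.sessions[user].deleted = True


def walkthrough() -> List[str]:
    """Decision taken at each session opening of a constructed scenario."""
    H = 3600.0
    ctl = EAMController()
    ctl.set_duration("alice", 8)
    ctl.authenticate_with_secret("alice", 0 * H, roaming_allowed=True)
    out = [ctl.present_token("alice", 1 * H, True),       # other PC, 1 h later: no secret
           ctl.present_token("alice", 1 * H, False)]      # PC without "Allow roaming session"
    ctl.set_duration("alice", 1)                           # applies to alice's next session only
    out.append(ctl.present_token("alice", 2 * H, True))    # still the 8 h session: no secret
    out.append(ctl.present_token("alice", 9 * H, True))    # 8 h elapsed: secret required
    ctl.authenticate_with_secret("alice", 9 * H, True)     # new session, now 1 h long
    out.append(ctl.present_token("alice", 10.5 * H, True))  # 1 h elapsed: secret required
    ctl.set_duration("bob", None)
    ctl.authenticate_with_secret("bob", 0 * H, True)
    out.append(ctl.present_token("bob", 365 * 24 * H, True))  # unlimited: no secret
    ctl.delete_session("bob")                                  # token reported lost
    out.append(ctl.present_token("bob", 365 * 24 * H, True))  # deleted: secret required
    ctl.set_duration("carol", 8)
    ctl.authenticate_with_secret("carol", 0 * H, True)
    ctl.change_password("carol")
    out.append(ctl.present_token("carol", 1 * H, True))       # password changed: secret required
    return out
```

The list walkthrough() returns shows the shorter 1 h value only taking effect after the running 8 h session has expired, and a deleted or password-invalidated session falling back to the secret on the next token presentation. The lost-token case is the one to keep in mind: with "No duration limit" the model (like the feature) never makes the session lapse on its own, so deleting it from EAM Console is the only way to stop the token from opening the session.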


Activating the Roaming Session Mode on Computers

Subject

You must activate the roaming session mode in the access point security profile. For computers associated with this profile:

  • A roaming session is automatically created when authorized users authenticate on these computers.
  • The roaming session is automatically retrieved when an authorized user presents a physical authentication token; if a live roaming session exists, this opens the user session without a secret.

To optimize the session opening time, allow the roaming session mode only on access points that will actually use it, since the roaming session is looked up in the EAM Controller each time a token is presented on such an access point.
Procedure
 
  1. In EAM Console, from the Directory panel, click the access point security profile that applies to the computers on which the roaming session mode must be activated.
  2. In the Authentication Manager tab, select the Allow roaming session check-box.

    Figure 34: Authentication Manager

  3. Click Apply.

Administering User’s Roaming Sessions

From EAM Console, you can display information on a user's roaming session duration and delete the session for a selected user: see Administering User’s Roaming Sessions From EAM Console.

From his/her workstation, the user can also display information on his/her own roaming session duration and delete it: see Administering Current Roaming Session From the User’s Workstation.

Administering User’s Roaming Sessions From EAM Console

Subject

You can see information on user roaming sessions from EAM Console, as explained in the following procedure.

You can also delete a roaming session. In this case, the current user session remains open, but the user is forced to authenticate again at the next session opening.
Use this in particular when a user has lost his/her token: until the roaming session expires or is deleted, anyone presenting that token on an access point that allows roaming sessions can open the user's session without typing a secret.

Before Starting

To perform the task described in this section, you must work in advanced administration mode, and your role must contain the following right: "Roaming: Delete user’s sessions".

For more information on administration modes, see Evidian EAM Console - Administrator's Guide.

Procedure


  1. In EAM Console, from the Directory panel, click the user for whom you want to display the roaming session information.
  2. In the Connection tab, select the Authentication tab.

    The roaming session duration time left for the selected user appears.

    Figure 35: Authentication tab

  3. To delete the displayed roaming session, click the Delete roaming session button.

    The current user session remains open on the computer, but he/she will have to authenticate again at next session opening.


Administering Current Roaming Session From the User’s Workstation

Subject

From his/her workstation, a user can administer his/her own roaming session: he/she can decide to delete it. In this case, the current user session remains open, but the user will have to authenticate again at the next session opening.

The functionality described in this section is not available if the user has authenticated with his/her password or with biometrics.

Procedure
  1. On the workstation, in the notification area, right-click the Authentication Manager icon and click Roaming Session.

    The following window appears; it displays the remaining roaming session duration.

    Figure 36: Roaming Session Management

  2. To delete the roaming session, click Terminate.

    The current user session remains open.


The Double-Login Prevention Feature

Double-Login Prevention - Overview and Use

Definition

The Double-Login Prevention feature ensures that when a user authenticates on a computer, the session opened on the previously used computer is locked.

Mechanism Description

Figure 37: Double-Login Prevention

Table 8: Double-Login Prevention

Phase 1: The administrator configures the Double-Login Prevention function for a set of users.

Phase 2: A user authenticates on a computer by password, passive RFID or biometrics.

Phase 3: The session opens.

Phase 4: The user authenticates on another computer by password, passive RFID or biometrics, without having locked his/her previous session.

Phase 5: The session opens on the current computer, and the session that was open on the previous computer is locked.

Prerequisites
  • EAM must be configured in "manage-access-point" mode.
  • An EAM Controller must be available.
  • For this functionality to work properly, the computers must be connected to the network.
  • Port 3644 must be open on computers so that SSO Clients can communicate. Scope the firewall rule to the hosts that run the SSO Client rather than opening the port to all sources.

Configuring EAM Controllers (Optional)

Subject

As Double-Login Prevention information is stored in the directory, the directory architecture and replication time (when several servers replicate each other) must be taken into account. The Double-Login Prevention feature can only work if the time it takes for the user to change computer is longer than the time it takes to replicate data between all directory servers; otherwise the controller handling the second login does not yet see the session record written for the first one, and the previous session is not locked.

If replication time is too long, you can configure EAM Controllers to use a list of directory servers according to their availability, as detailed in the following procedure.
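The timing constraint stated above, as a small model you can run: two directory replicas with a one-way replication delay, two controllers each reading and writing through its own replica, and the lock request that a login sends to the previously used computer. This is an added example, not Evidian code and not a description of the product's internals: Replica, Directory, Workstation, login and scenario are hypothetical names, the replicas dir1 and dir2, the computers PC-A and PC-B and the user alice are constructed, and last-writer-wins conflict handling is an assumption. The guide does not state the format or exact effect of UniquenessSessionServerList; the model assumes that a shared list makes every controller use the same directory server, which is what same_server=True stands for.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, float]   # (computer, write time) of a user's active Windows session


@dataclass
class Replica:
    """One directory server; `inbound` holds updates that have not reached it yet."""
    name: str
    records: Dict[str, Record] = field(default_factory=dict)
    inbound: List[Tuple[float, str, Record]] = field(default_factory=list)  # (visible_at, user, rec)

    def apply_replication(self, now: float) -> None:
        pending = []
        for visible_at, user, rec in self.inbound:
            if visible_at <= now:
                current = self.records.get(user)
                if current is None or current[1] <= rec[1]:   # last writer wins (assumption)
                    self.records[user] = rec
            else:
                pending.append((visible_at, user, rec))
        self.inbound = pending

    def read(self, user: str, now: float) -> Optional[Record]:
        self.apply_replication(now)
        return self.records.get(user)


class Directory:
    """Replicated directory: a write on one replica reaches the others `delay` seconds later."""

    def __init__(self, replica_names: List[str], delay: float):
        self.replicas = {n: Replica(n) for n in replica_names}
        self.delay = delay

    def read(self, via: str, user: str, now: float) -> Optional[Record]:
        return self.replicas[via].read(user, now)

    def write(self, via: str, user: str, computer: str, now: float) -> None:
        rec = (computer, now)
        self.replicas[via].records[user] = rec
        for name, replica in self.replicas.items():
            if name != via:
                replica.inbound.append((now + self.delay, user, rec))


@dataclass
class Workstation:
    name: str
    reachable: bool = True   # connected to the network with port 3644 open
    locked: bool = False


def login(directory: Directory, via: str, user: str, computer: str,
          workstations: Dict[str, Workstation], now: float) -> Optional[str]:
    """Login handled by an EAM Controller that uses replica `via`.
    Returns the previous computer that got locked, or None if nothing was locked."""
    previous = directory.read(via, user, now)
    locked = None
    if previous is not None and previous[0] != computer:
        ws = workstations[previous[0]]
        if ws.reachable:          # the lock request needs the network and port 3644
            ws.locked = True
            locked = ws.name
    directory.write(via, user, computer, now)   # record the new active session
    return locked


def scenario(delay: float, switch_after: float, same_server: bool,
             previous_reachable: bool = True) -> Optional[str]:
    """Constructed case: alice logs in on PC-A through replica dir1, then on PC-B
    `switch_after` seconds later. With same_server=True the second controller also
    uses dir1 (the effect assumed for a shared UniquenessSessionServerList); otherwise
    it reads dir2, which only sees PC-A's record once replication has caught up."""
    d = Directory(["dir1", "dir2"], delay)
    ws = {"PC-A": Workstation("PC-A", reachable=previous_reachable), "PC-B": Workstation("PC-B")}
    login(d, "dir1", "alice", "PC-A", ws, now=0.0)
    return login(d, "dir1" if same_server else "dir2", "alice", "PC-B", ws, now=switch_after)
```

scenario(30, 10, False) returns None: with a 30 s replication delay and a user who reaches the second computer after 10 s, the second controller finds no record and PC-A stays unlocked. The same switch with a 5 s delay, or with both controllers on the same server, returns "PC-A". The unreachable case (previous_reachable=False) also returns None, which is why the network and port 3644 prerequisites are listed above.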

Procedure
  • If EAM is installed in Corporate directory mode (in this mode, security objects are stored in the company directory), set the following registry key (REG_SZ, or Policies type):

    Enatel\WiseGuard\FrameWork\Directory\UniquenessSessionServerList

    NOTE: With this key, the Double-Login Prevention feature does not work across domains (e.g. the user authenticates on a computer that is not part of his/her domain).
  • If EAM is installed in Dedicated directory mode (in this mode, security objects are stored in a dedicated directory), set the following registry key (REG_SZ, or Policies type):

    Enatel\WiseGuard\FrameWork\WGDirectory\UniquenessSessionServerList

    NOTE: With this key, Double-Login Prevention also works across domains.


Activating Double-Login Prevention From EAM Console

Subject

You must activate the Double-Login Prevention function in the user security profile, as explained in the following procedure. For users associated with this profile, the Double-Login Prevention function is automatically active once they have authenticated with Authentication Manager.

Procedure
  1. In EAM Console, from the Directory panel, click the user security profile that applies to users that will use the Double-Login Prevention function.
  2. Click the Authentication tab.
  3. Select the User can have only one active Windows session check-box.

    Figure 38: Authentication tab

  4. Click Apply.


Related Documents