
Enterprise Single Sign-On 9.0.2 - Enterprise SSO Administration Guide

Preface

Subject

This guide explains how to use the Enterprise SSO Configuration Editor, which enables you to describe the applications for which Enterprise SSO will implement Single Sign-On (SSO).

Audience

This guide is intended for:

  • System Integrators.

  • Administrators.

Required Software

EAM 9.0 evolution 2 and later versions. For more information about the versions of the required operating systems and software solutions quoted in this guide, please refer to One Identity EAM Release Notes.

Typographical Conventions

Bold: Indicates:

  • Interface objects, such as menu names, buttons, icons and labels.
  • File, folder and path names.
  • Keywords to which particular attention must be paid.

Italics: Indicates references to other guides.

Code: Indicates portions of program code, command lines or messages displayed in command windows.

CAPITALIZATION: Indicates specific objects within the application (in addition to standard capitalization rules).

< >: Identifies parameters to be supplied by the user.

Warning: A WARNING icon indicates a potential for property damage, personal injury, or death.

Caution: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.

Documentation support

The information contained in this document is subject to change without notice. As our products are continuously enhanced, certain pieces of information in this guide may become inaccurate. Send us your comments or suggestions regarding the documentation on the One Identity support website.

Overview

In this section:

Enterprise SSO Principles

This section presents Enterprise SSO basic concepts.

In this section:

Application Modeling

ESSO Enterprise Studio, the Enterprise SSO configuration editor, is used to describe the applications for which Enterprise SSO will enable Single Sign-On (SSO).

An application is defined by:

  • A set of associated user accounts (referred to as the link to the security system).
  • A set of windows or HTML pages.

The application windows or HTML pages that refer to the authentication management tool must be described in Enterprise SSO using the configuration editor tools.

This description allows Enterprise SSO to recognize the window or HTML page whenever it is displayed to the user. Enterprise SSO intercepts these pages and implements SSO.

In addition to the elements that allow window/page detection, the description contains the actions that the SSO engine has to perform.

Each window is defined by a type that characterizes the target application technology and the actions that the SSO engine will perform. Indeed, the events that refer to the user’s authentication in an application can be of different kinds: authentication, password update request, etc.

Enterprise SSO manages the different events relating to the application behavior.

Application Access Profiles

Application profiles include the parameters of one or more applications that can then be defined differently, depending on the users that access them.

These profiles are used to assign applications to users.

An application access profile includes the following parameters:

  • The password format managed by the application.
  • The Enterprise SSO options.
  • The SSO policy: requirement for reauthentication, the user’s ability to modify SSO data, hide/show password, etc.
  • Delegation parameters.

Password Format Control Policies (PFCP)

A PFCP defines:

  • The format of the passwords managed by an application: characters that are allowed/forbidden, length, authorized repetitions.
  • Whether a password is to be randomly generated (following the required format) or requested from the user.

The PFCP is applied only when E-SSO detects that a password update is requested by the application (for an example, see Updating the Password of a User Account upon Application Request). When the password is changed manually or when the account data is collected for the first time, the PFCP is not applied.

Application Behavior

A user authenticates to a secure application as follows:

  • The user tries to log on to the application.
  • If the security data provided is correct, the user is authenticated by the application and can work normally.
  • If the data is incorrect, the application displays a message or re-displays the authentication window, informing the user that a mistake was made during the authentication process. The user is prompted to try again until the application validates the data.

Once connected, the user can change the password, either at will or at the application’s request:

  • The user enters a new password and (sometimes) confirms it.
  • Either the new password is accepted by the application and the user can continue to work normally, or the application informs the user that the new password has been rejected.

The following schema illustrates the diagram of an application behavior.

Enterprise SSO manages the application behavior regarding the user authentication just described. This behavior is configured by choosing a type for each defined window.

Window Types

A window type indicates the SSO engine behavior and the technology of the managed application.

An application’s behavior includes:

  • Detecting the connection step (Login).
  • Detecting a wrong password/username (BadPassword).
  • Detecting a new password request (NewPassword).
  • Detecting an incorrect new password (BadNewPassword).
  • Confirming this new password (ConfirmPassword).

The technologies managed by Enterprise SSO are:

  • Microsoft Win32 standard Windows.
  • HTML pages in Internet Explorer.
  • Windows of type "Terminal in text mode".
  • Some particular cases or optimizations of standard types.

LDAP Directories

Several types of LDAP directories are supported for user security data storage.

NOTE:

  • For more information on the supported LDAP directory versions, see Evidian EAM Release Notes.
  • For a description of the procedures for modifying your LDAP directory, see Evidian EAM Installation Guide.

The Access Collector Mode

The Access Collector mode is an option of Enterprise SSO, which automatically collects all user accounts and stores them in the users' directory. This mode only works if the workstations are configured as "without Controller".

The goal of this feature is to report to the administrators all the accounts used to access the applications of the enterprise, so that they can create an access policy adjusted to the needs. Only one account can be collected for one application (multi-account is not supported).

Mechanism

When a user launches an application that is detected by Enterprise SSO, Enterprise SSO starts the account collection.

  • If the account was already collected, nothing happens and the SSO is not performed.
  • If a BadPassword window is detected in the collect context, the collected account is deleted or a new account is collected. The account is not deleted if the BadPassword occurs at any other moment.

Once the account is collected, the SSO is deactivated for the application.

Enterprise SSO Behavior

The SSO is only performed if there is no collected account for the detected application login window.

The passwords entered by the users are never sent to the directory: they are only kept temporarily in memory for SSO purposes.

Users are not allowed to stop or suspend Enterprise SSO; they have no access to the Personal SSO Studio and cannot manage their accounts through the user Account panel.

Updating the configuration

Only the Application, Technical definition and Parameter objects are retrieved from the directory. They are retrieved asynchronously, so that the update does not take place during user authentication.

All users can access all the applications downloaded by the workstation.

The Components

Enterprise SSO is built with the components described in this section.

In this section:

ESSO Enterprise Studio

ESSO Enterprise Studio is the Enterprise SSO configuration editor. It allows the creation of Enterprise SSO configuration files and the management of the Enterprise SSO LDAP objects.

This program is designed to be used by people who define and set up SSO.

SSO Studio can be used in Enterprise or Personal mode, to modify the corresponding configuration files:

  • The Enterprise configuration file is common to a group of users and is usually saved in an LDAP directory or in a simple file. When a simple file is used, the configuration can be stored in a central location for an easier deployment.
  • The Personal configuration file is specific to one user, and is saved in the person’s personal profile (Windows profile or the person’s LDAP attributes).

SSO configuration is easily performed through "drag and drop".

Enterprise SSO Plug-ins

Enterprise SSO plug-ins are extensions of the Enterprise SSO and of the Enterprise SSO configuration editor; they add SSO management methods for different types of applications.

Besides the management of standard Windows applications, several plug-ins are available:

  • Internet Explorer, enabling SSO in HTTP/HTML applications running under Internet Explorer 4 or later.
  • Google Chrome.
  • Lotus Notes.
  • Microsoft TelnetW2KXP.
  • SAP R/3.
  • HLLAPI.
  • Custom Scripts, to enable SSO in Windows/HTML applications not managed by the standard window types.

NOTE: For more information on the supported versions, see Evidian EAM Release Notes.

The SSO Engine

The administration module of the SSO engine enables you to manage:

  • Enterprise SSO: you can activate, suspend or update the E-SSO configuration to take the modifications into account.
  • The user accounts: you can view or update your user accounts.

Enterprise SSO

This section describes the Enterprise SSO interface and how to use it.

In this section:

Overview

Enterprise SSO Definition

Enterprise SSO is in charge of the following SSO operations:

  • It retrieves SSO data for the E-SSO middleware, which runs on the workstation, and provides this information to the application login windows.
  • It offers self administration features, for example to allow you to register yourself to applications or change your passwords.
  • In Access Collector mode, it starts the account collection when the user launches an application and deactivates the SSO once the account is collected.

Enterprise SSO Configuration

The Enterprise SSO configuration stores the SSO data. It can be defined by two kinds of users:

  • The EAM security administrators, through ESSO Enterprise Studio. This tool allows administrators to create and modify the Enterprise SSO configuration common to many end-users.
  • The end-users, through Personal SSO Studio if the component is installed on the workstation. This tool allows you to define the personal SSO data used to log on to your personal applications.

Enterprise SSO Interface

This section gives an overview of the Enterprise SSO interface. Depending on the E-SSO version installed on your station (connected to the Enterprise or the Cloud), some elements of the graphical interface may differ. When you are connected to the:

  • Enterprise, a check appears.
  • Cloud, a cloud appears.

In this section:

Enterprise SSO Icon

The Enterprise SSO icon is displayed in the Windows notification area.

Depending on the Enterprise SSO state, this icon can have several states:

Table 1: Enterprise SSO Icons (for each state, one icon exists for the Enterprise version and one for the Cloud version)

  • Enterprise SSO is activated: the SSO feature is enabled (whenever it detects a configured application login window, Enterprise SSO automatically provides the required SSO data).
  • Enterprise SSO is suspended: the SSO feature is disabled.
  • Enterprise SSO is locked: when Enterprise SSO detects a configured application login window, or when you want to display the user accounts associated with applications (see Displaying your Enterprise SSO User Accounts), Enterprise SSO may ask you to reauthenticate. Upon a successful authentication, the Enterprise SSO state switches to activated.

Enterprise SSO Pop-up Menu

The Enterprise SSO pop-up menu appears when you right-click the Enterprise SSO icon. It enables you to control Enterprise SSO:

IMPORTANT: Depending on your Enterprise SSO configuration, some menu commands may not appear, as detailed in the following table.

The following table describes the Enterprise SSO pop-up menu.

Table 2: Enterprise SSO pop-up menu (each menu command is followed by its description)

About Enterprise SSO

Displays the Enterprise SSO version and the storage mode of the Enterprise SSO configuration file:

  • LDAP: a centralized configuration is defined in the LDAP directory, for which SSO access is either authorized or denied for a given user or group of users.
  • File: the configuration is saved in a file in the Windows registry.
  • Self Registration: a centralized configuration is defined in the LDAP directory, to collect all the accounts used for the applications of the enterprise (for more information, see The Access Collector Mode).

Account delegation

Enables you to delegate one or several of your accounts to specific users of your choice for a specific length of time.

Open ESSO Enterprise Studio

Opens the SSO Account panel, which allows you to manage your user accounts.

NOTE: This menu command is bold, which means that it is the default command: double-click the Enterprise SSO icon to run it.

Add application

Starts Enterprise SSO Wizard, which is the easiest way to set up your personal Enterprise SSO configuration. For an example of how to use the Enterprise SSO Wizard, see Evidian EAM in a Nutshell.

NOTE: This menu command does not appear if Personal SSO Studio is not installed on the workstation, or if Enterprise SSO is used in Access Collector or Cloud mode.

Open ESSO Enterprise Studio

Starts Personal SSO Studio, the editor tool of your personal Enterprise SSO configuration. For details on how to use ESSO Enterprise Studio, see Configuration Editor: ESSO Enterprise Studio.

NOTE: This menu command does not appear if Personal SSO Studio is not installed on the workstation, or if Enterprise SSO is used in Access Collector or Cloud mode.

Suspend, Activate

Manages the states of Enterprise SSO.

NOTE: Depending on your configuration, this menu command may not appear (unavailable in Access Collector mode).

Reset Configuration

Stops and restarts Enterprise SSO to take into account modifications of the Enterprise SSO configuration. In Access Collector mode, this command only synchronizes SSO Account data.

Exit Enterprise SSO

Closes Enterprise SSO.

NOTE: Depending on your configuration, this menu command may not appear (unavailable in Access Collector mode).

The Enterprise SSO Window

The Enterprise SSO window appears when you click Open in the pop-up menu, or just by double-clicking the Enterprise SSO icon. It is composed of the following panels:

  • The Account panel ( button).
  • The Home panel ( button).

In this section:

The "Account" Panel

When you open the Enterprise SSO window, the Account panel appears. It lists your user accounts managed by Enterprise SSO. From this panel, you can modify several user account parameters, as described in Managing User Accounts.

The "Home" Panel

From the Home panel, you can perform the following tasks:

Manage the states of Enterprise SSO (Area 1), as described in the following sections:

If you are using several user accounts for the same application, select the Current role (Area 2), which is valid only for the current Windows session and/or until Enterprise SSO is reinitialized.

Creating a Cloud E-SSO Account

Subject

To execute Cloud E-SSO, you must have a corresponding account.

Procedure

  1. Click the Enterprise SSO tile.

    The authentication window appears.

  2. Click I want to register.

    The register form appears.

  3. Enter your first name, last name and email address, then click Next.

    IMPORTANT: The email address must be unique, valid and accessible.

    A confirmation code is sent to the email address provided for validation.

  4. Enter the confirmation code and click Next.

    The password creation window appears.

  5. Enter and confirm your password by following the imposed policy, then click Next.

    Your account has been created. You can now authenticate to access Cloud E-SSO (see E-SSO connected to the Cloud).


Starting/Exiting Enterprise SSO

This section describes how to start and exit Enterprise SSO.

In this section:

Starting Enterprise SSO

Subject

Usually, Enterprise SSO starts automatically when you log on. You must start it manually in the following cases:

  • If Enterprise SSO has not been configured to start automatically.
  • If you manually exit Enterprise SSO and want to restart it.

Depending on the E-SSO version installed on your station, connected to your enterprise (see E-SSO connected to the Enterprise) or to the Cloud (see E-SSO connected to the Cloud), the way E-SSO starts differs.

E-SSO connected to the Enterprise

Procedure

  1. To manually start Enterprise SSO, do one of the following:

    • Click the Enterprise SSO tile.
    • Use the command line. The following command line arguments can be used to start Enterprise SSO (ssoengine.exe):
      • /notrayicon: starts Enterprise SSO without displaying the icon located in the Windows notification area.
      • /nosplashscreen: starts Enterprise SSO without displaying the welcome window (splash screen).
      • The configuration file to be used can be added as a parameter to the SSOEngine.exe program (no option). Example:
        C:\Configs SSOWatch\SSOConfig2.sso

  2. Enter your identifier and password to authenticate.

    The Enterprise SSO window appears.

    A welcome message appears in a balloon help on the bottom right-hand side of your screen.

    NOTE: This is configurable in the EAM Console by creating one message per user.

    If you are using a roaming session, a balloon help appears telling you when your session expires. You can display it at any time by passing the cursor over the Enterprise SSO icon in the notification area.


E-SSO connected to the Cloud

Before starting

To use Cloud E-SSO, you must own a Cloud E-SSO account. If you do not have one, when starting Cloud E-SSO, click the I want to register link and go to Creating a Cloud E-SSO Account.

Procedure

  1. To start Cloud Enterprise SSO manually, click the Enterprise SSO tile ().

    IMPORTANT: If the Cloud server was not provided during installation, you must enter the DNS name of this server.

  2. Enter your email and password to authenticate.

    IMPORTANT: If you have forgotten your password, click I have forgotten my password. You must provide your email to receive the confirmation code to provide for the reset.

  3. If the Cloud server is not reachable, click the Servers button to check or change the Cloud server.

    IMPORTANT: If the certification authority was not defined during the installation, you must accept the proposed certificate by clicking Yes, always.

    The Enterprise SSO window appears.

    NOTE: This is configurable in the EAM Console by creating one message per user.


Exiting Enterprise SSO

Procedure

To exit Enterprise SSO, right-click the Enterprise SSO icon and select Exit Enterprise SSO.

The Enterprise SSO icon disappears. The SSO feature is disabled.

NOTE: Depending on your configuration, this menu command may not be available (unavailable in Access Collector mode).

Suspending/Activating Enterprise SSO

Subject

By default, Enterprise SSO is automatically activated when you log on. You must suspend it manually, as described in the following procedure.

NOTE: In Access Collector mode, this feature is deactivated.

Procedure

  • To suspend Enterprise SSO, right-click the Enterprise SSO icon and select Suspend.

    The Enterprise SSO icon state changes, as described in The Enterprise SSO Window. While it is suspended, no single sign-on is performed.

    NOTE:

      • Depending on your configuration, this menu command may not be available.
      • Enterprise SSO automatically suspends itself when the smart card or USB token used for authentication is removed.

  • To resume Enterprise SSO, right-click the Enterprise SSO icon and select Activate.

    The Enterprise SSO icon state changes, as described in Enterprise SSO Icon. The SSO feature is enabled.


Resetting the Enterprise SSO Configuration

Subject

By default, if the Enterprise SSO configuration changes, a notification message automatically appears asking you if you want to take the modifications into account, as shown in the following illustration:

You can manually take the modifications of the Enterprise SSO configuration file into account, using the Reset Configuration command, as described in the following procedure.

In Access Collector mode, this command only synchronizes SSO Account data.

NOTE: In Access Collector mode, Enterprise SSO automatically reloads the SSO configuration every 6 hours: this allows modifications made to the SSO data by the asynchronous update to be taken into account. You can change this value (in hours) in the following registry key/GPO: HKLM\Software\Enatel\SSOWatch\CommonConfig\AutomaticRefresh

Procedure
  • In the Windows notification area, right-click the Enterprise SSO icon and select Reset Configuration.
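As an added example (not part of the One Identity documentation or the product), the following PowerShell functions read and set the AutomaticRefresh value from the note above, so an administrator can audit or adjust the Access Collector reload interval on a workstation. It assumes the registry path HKLM\Software\Enatel\SSOWatch\CommonConfig given on the page and the documented 6-hour default; a value delivered by GPO rather than written locally is not covered.

```powershell
# Added example: audit and adjust the Access Collector automatic refresh interval
# (in hours) stored under the registry key named in the note above. Assumes the
# path HKLM\Software\Enatel\SSOWatch\CommonConfig\AutomaticRefresh as given on
# the page; the 6-hour default is the documented one. Writing needs an elevated
# session; reading does not.

$EssoCommonConfigPath = 'HKLM:\Software\Enatel\SSOWatch\CommonConfig'
$DefaultRefreshHours  = 6

function Get-EssoAutomaticRefresh {
    [CmdletBinding()]
    param()

    $item = Get-ItemProperty -Path $EssoCommonConfigPath -Name 'AutomaticRefresh' `
                             -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        # Value not set: report the documented default so the audit output
        # always states the effective interval.
        return [pscustomobject]@{
            Path         = $EssoCommonConfigPath
            Configured   = $false
            RefreshHours = $DefaultRefreshHours
            Source       = 'default (value not set)'
        }
    }

    return [pscustomobject]@{
        Path         = $EssoCommonConfigPath
        Configured   = $true
        RefreshHours = [int]$item.AutomaticRefresh
        Source       = 'registry'
    }
}

function Set-EssoAutomaticRefresh {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Interval in hours. The range is an assumption of this example (one hour
        # to one week) so that a typo cannot write an extreme interval.
        [Parameter(Mandatory = $true)]
        [ValidateRange(1, 168)]
        [int]$Hours
    )

    if (-not (Test-Path -Path $EssoCommonConfigPath)) {
        if ($PSCmdlet.ShouldProcess($EssoCommonConfigPath, 'Create registry key')) {
            New-Item -Path $EssoCommonConfigPath -Force | Out-Null
        }
    }

    if ($PSCmdlet.ShouldProcess("$EssoCommonConfigPath\AutomaticRefresh", "Set DWORD to $Hours")) {
        # The page states the value is expressed in hours; store it as a DWORD.
        Set-ItemProperty -Path $EssoCommonConfigPath -Name 'AutomaticRefresh' `
                         -Value $Hours -Type DWord
    }

    # Return the effective setting after the change for confirmation.
    return Get-EssoAutomaticRefresh
}

# Usage:
#   Get-EssoAutomaticRefresh                    # audit the current interval
#   Set-EssoAutomaticRefresh -Hours 2 -WhatIf   # preview the change
#   Set-EssoAutomaticRefresh -Hours 2           # apply (elevated session)
```

Run Get-EssoAutomaticRefresh on a workstation to confirm whether the interval has been changed from the default before troubleshooting a configuration that appears not to refresh.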

 

Managing User Accounts

This section describes how to manage your Enterprise SSO user accounts from the Enterprise SSO Account panel.

In this section:

Providing SSO Data When Launching an SSO Enabled Application for the First Time

At the first launch of an SSO enabled application, when the application requests the user’s authentication, the Enterprise SSO collect window appears in the foreground (the application is temporarily unavailable) and requests the user name and password for the application.

Simply provide your usual user name for this application, your password (and confirm it to avoid mistype errors), and validate by clicking the OK button.

This data will be stored in a secure way by Enterprise SSO so that it can reuse it afterwards, without requesting any new data. Single Sign-On is now enabled for this application.

NOTE: The dialog box may not appear if you start another application instance (without exiting the first one). In this case, exit all the application instances and restart the application.

Depending on your configuration, the following controls can be available:

  • The Cancel button: if available, click this button to cancel the authentication data collection. You can then log on manually or exit the application.
    For more information on the actions of this button, see Generic Plug-in Actions.
  • The Disable SSO for this application check box. If you select this option and click OK, the authentication data collection execution is canceled until further notice for the application. To reactivate the collection, see Disabling/Enabling SSO for Applications.
  • The I don’t have any account for this application link may appear. Click this link to request an access to the application through the Request Manager portal.

For more information on how to enable/disable these controls and this link, see Access Strategy Tab of an Application Profile or Evidian EAM Console - Guide de l'administrateur.

Displaying your Enterprise SSO User Accounts

Subject

This section describes how to display the user accounts that are defined in your Enterprise SSO configuration.

Procedure
  • To display the list of your Enterprise SSO user accounts, double-click the Enterprise SSO icon located in the Windows notification area.

    The Enterprise SSO window appears.

 

Window description

The Account panel displays one line per user account. For each account, the following information is available:

Table 3: Account panel information (each column name is followed by its description)

Application

Name of the application, as defined in:

  • the EAM Console for the applications.
  • Personal SSO Studio for the personal applications.

For accounts that are not associated with an application, <None> is displayed.

Login Name

Login name of the user account. If you have not used this application yet, <not registered> is displayed (the login name and password of the account have never been collected).

NOTE: You can hide applications for which the user is not registered. To do so, right-click any application and select Hide applications without credential.

Account

By default, Standard Account is displayed. If you are using several user accounts for the same application, this column displays the name of the account. For more information, see Creating a New Account for an Application.

Displaying the Properties of a User Account

Restriction

In Access Collector mode, this feature is deactivated.

Procedure

  • In the Account panel, select the wanted user account and click the button, or right-click the wanted user account and click Properties.

    The following window appears:


Window description

The Information Tab

Depending on your user account properties, you may be allowed to modify your user account security data. For more details, see Changing the Login Name and/or Password of a User Account.

The Properties Tab

The Properties tab is a read-only tab. It displays the account properties and application properties available for the selected user account.

The Delegation Tab

Depending on your EAM configuration, the Delegation tab may not appear. It allows you to delegate your user account to other users.

Changing the Login Name and/or Password of a User Account

Restriction

Depending on your Enterprise SSO configuration, this command may be disabled for some or all the listed user accounts (unavailable in Access Collector mode).

For information on how to enable/disable this command, see Access Strategy Tab of an Application Profile.

Procedure

  1. In the Account panel, select a user account and click the button, or right-click the wanted user account and click Change Password.

    The following window appears:

  2. Modify the wanted fields and click OK.

    The modification is taken into account immediately.

NOTE: You can also modify the login name and/or password of a user account from the Account details window, which is described in Displaying the Properties of a User Account.

Updating the Password of a User Account upon Application Request

Subject

When an SSO enabled application requests a password update, this request is intercepted by Enterprise SSO, which displays the Password Change window.

To check the validity of your new password, execute the following procedure:

Procedure

  1. Click the Show Password Format Control Policy link.

    The following area appears:

  2. Type in a new password (and confirm it to avoid mistype errors) and validate it by clicking the OK button.

    Enterprise SSO updates and stores the data in the security database, so that it can reuse it afterwards without requesting any new data.


Creating a New Account for an Application

Restriction

Depending on your Enterprise SSO configuration, this command may be disabled for some or all the listed applications (unavailable in Access Collector mode).

NOTE: For information on how to enable/disable this command, see The "Application Profile" Tab.

Procedure

  1. In the Account panel, select an application and click the button, or right-click the wanted user account and click New account.

    The following window appears:

  2. In the Account field, either type the name of a new account, or, if you want to use an additional account that you have already created, select it in the drop-down list.
  3. Click OK.

    The new account appears in the Account panel.


Going Further

If you have several accounts for an application, the following window appears by default when Enterprise SSO detects the authentication window of the application:

This window allows you to select an account to log on to the application.

IMPORTANT: If you select:

  • Disable SSO for this application: the SSO is disabled for the selected account for the current SSO session. For more information on this option, see Disabling/Enabling SSO for Applications.
  • Set current role: Enterprise SSO will always use the selected account and this window will no longer appear. To redisplay this window, in the Home panel, select No selected role in the Current role drop-down list (see The "Home" Panel).

NOTE: You can also log on to the application with one of the accounts by double-clicking the desired account in the Enterprise SSO Window.

Deleting a User Account

Subject

This section describes how to delete one or more accounts associated with an application.

NOTE: In Access Collector mode, this feature is deactivated.

Procedure

  1. In the Account panel, select an application and click the button, or right-click the wanted user account and click Delete.

    A warning message appears.

  2. Read this message carefully. If you agree, click YES.

    The account is deleted.

NOTE: If several accounts are associated with an application, only the account line is deleted. If you delete the last account, <not registered> is displayed instead of the login name.


Displaying the User Account Password

Restriction

Depending on your Enterprise SSO configuration, this command may be disabled for some or all the listed user accounts (unavailable in Access Collector mode).

NOTE: For information on how to enable/disable this command, see Access Strategy Tab of an Application Profile.

Procedure

  1. In the Account panel, select a user account and click the button, or right-click the wanted user account and click Show Password.

    The EAM re-authentication window appears.

  2. Log on using your Windows user account.

    The following window appears:

  3. Click Close.


Delegating a User Account

Subject

You can delegate one or several user accounts by using the Wizard or the EAM Portal (see Evidian EAM Portal - Guide de l’utilisateur), or manually.

Restriction

Depending on your Enterprise SSO configuration, this command may be disabled for some or all the listed user accounts (unavailable in Access Collector mode).

NOTE: For information on how to enable/disable this command, see Delegation Tab of an Application Profile.

In this section:

Delegating a User Account With the Wizard

Use the Account Delegation Wizard to delegate one or several user accounts quickly and simply. To do so, follow this procedure:

  1. Right-click the Enterprise SSO icon.

    The Enterprise SSO pop-up menu appears.

  2. Select Account delegation.
  3. Re-authenticate if needed.

    The Account Delegation Wizard appears.

  4. Click Next.

    The Account delegation window appears.

  5. Select the account(s) you want to delegate by selecting the corresponding check box(es), or click the Select all button to select all the accounts.
  6. Select a start and an expiration date and click the Next button.

    The User Selection window appears.

  7. In the Username field, enter the name of the user or part of it and click the Search button.

    The list of users found in the directory is displayed.

  8. Select the user(s) to whom you want to delegate the account by selecting the corresponding check box(es) and click the Next button.

    Your selected account(s) has/have been delegated to the selected user(s).


Delegating a User Account Manually

  1. In the Account panel, select one or several user accounts and click the button, or right-click the wanted user account and click Delegate.
  2. Re-authenticate if needed.

    The Account Delegation window appears.

  3. In the User name field, type the name or a part of the user name and click Search.

    The list of users found in the directory is displayed.

  4. Select the user to whom you want to delegate the account.
  5. Select a start and an expiration date and click the Delegate button.

    The account is delegated to the selected user from the start date to the expiration date.


Removing a User Account Delegation

 

  1. Right-click the Enterprise SSO icon.

    The Enterprise SSO pop-up menu appears.

  2. Select Account delegation.

    The Account Delegation Wizard appears.

  3. Select Manage existing account delegations and click Next.

    The Account Delegation List window appears.

  4. Select an account delegation and click the Remove button.

    The account is no longer delegated.

 

Disabling/Enabling SSO for Applications

Subject

By default, SSO is enabled for all the applications listed in the Enterprise SSO Account panel.

You can disable SSO for an application in a permanent way, or only for the current SSO session, as explained in the following procedure.

In Access Collector mode, the SSO is automatically disabled for the applications for which the account has been collected.

IMPORTANT: Depending on your configuration, the commands of the following procedure may be disabled. For more information, see Access Strategy Tab of an Application Profile, or Evidian EAM Console - Guide de l'administrateur.
Procedures

Disabling SSO for an Application

 

  • To disable SSO for an application for the current SSO session only:

    In the Account panel, right-click the wanted application and select Disable the application.

    SSO is disabled for the application for the rest of the SSO session. When the SSO Engine is restarted or reset, SSO is re-enabled.

  • To permanently disable SSO for an application:
  1. Set the following registry value (DWORD) to 1:
    Software\Enatel\SSOWatch\CommonConfig\StoreIfApplicationIsDisabled
  2. In the Account panel, right-click the wanted application and select Disable the application.

    SSO is permanently disabled for the application: it stays disabled even after Enterprise SSO is restarted.

 

Enabling SSO for an Application

 

  • In the Account panel, right-click the wanted application and select Enable the application.

NOTE: If you have several disabled applications and want to enable all of them at the same time, select Enable all applications.

Requesting an Access to an Application Through the Request Manager Portal

Subject

When Enterprise SSO is integrated with Identity & Access Manager, you can request access to an SSO-enabled application directly from the Account panel.

Restrictions

This command is available only if:

  • You have access to the Request Manager portal.
  • The administrator has enabled the Request Access command for the selected application.
Procedure

 

  1. In the Account panel, right-click the wanted application and select Request Access.

    The Request Manager portal appears.

  2. Log on to the portal and send a request to access the application.

 

Testing the SSO Configuration of an Application

Subject

The Enterprise SSO engine includes a test tool, which allows you to check if an application is correctly configured. It tests the following elements:

  • Main window or Web page detection.
  • URL detection if applicable.
  • Advanced detection parameters (variable URLs, Look for text option, list of constraints).
Before starting

You have configured the Application Profile associated with the application to test: the test tool is launched by clicking Test application on the shortcut menu that appears when you right-click an application displayed in the Account panel. This command is available only if the Application Profile associated with the selected application is correctly configured (see Properties Tab of an Application Profile).

Procedure

 

  1. In the Account panel, right-click the application to test and select Test application.
  2. Fill in the test window as described under Additional Information.

 

Additional Information
  • The Window configuration information area displays by default information on the window selected in the drop-down list (window title and URL configuration if any). You can change this information by selecting another window using the target button. This feature is useful to check if an SSO configuration works with a new version of an application for example.
  • When the main window detection succeeds, the Enterprise SSO engine does the following tests:
    • It checks the variable URLs and Look for text parameters if any. The test stops at the first detected invalid parameter. You can bypass the test of these parameters by selecting the Bypass the advanced detection control check box.
    • Then, it checks the list of constraints if any. The test does not stop, even if an error occurs.
    • Finally, the engine tests the detection of the configured fields. The test stops at the first detected invalid field. If the field detection succeeds, you can select the Perform SSO check box. This immediately starts the real SSO process.
  • The Export button allows you to save in a plain text file the information displayed in the Live report area.

Starting Personal SSO Studio

Subject

Personal SSO Studio is your personal configuration editor. It allows you to describe personal applications for which you want to enable SSO.

In Access Collector mode, the access to Personal SSO Studio is forbidden.

Procedure

 

  • To start Personal SSO Studio from the Account panel, right-click any application and select Open SSO Studio.

NOTE: You can also open Personal SSO Studio from the Start menu.

This menu command is disabled if Personal SSO Studio is not installed on the workstation, or if Enterprise SSO is used in Access Collector mode.

 

Starting an Application

Subject

To start an application from the Account panel, execute the following procedure.

NOTE: In Access Collector mode, this feature is deactivated.

Procedure
  • In the Account panel, right-click the wanted application and select Start application.

    The application starts and Enterprise SSO performs SSO.

 

Creating a Shortcut for an Application

Subject

You can create shortcuts for applications from the Account panel, as described in the following procedure.

NOTE: In Access Collector mode, this feature is deactivated.

 

Procedure
  • In the Account panel, right-click the wanted application and select Create Shortcut.

    A shortcut for the selected application is created on your Windows desktop.

 

Removing the Icon from the Notification Area

Subject

Once Enterprise SSO is started, an icon appears in the Windows notification area. In some cases, it is preferable to remove this icon:

  • To prevent the user from displaying the application list.
  • In a Citrix Metaframe/Windows Terminal Server environment, when published applications are used in conjunction with Enterprise SSO, an icon representing Enterprise SSO running on the server appears on the client PC notification area (in addition to any local Enterprise SSO which may be running).
Procedure

 

  • To remove the icon, do one of the following:
    • In the Enterprise SSO command line (see Starting Enterprise SSO), add the /notrayicon parameter.
    • In the Registry, create a non-zero DWORD value named NoTrayIcon in one of these keys:
      • HKLM\SOFTWARE\Policies\Enatel\SSOWatch\CommonConfig
      • HKLM\SOFTWARE\Enatel\SSOWatch\CommonConfig

NOTE: The Policies key has precedence over the second key, and the /notrayicon command-line parameter has precedence over the Registry.

 

Configuration Editor: Enterprise SSO Studio

Subject

ESSO Enterprise Studio is the Enterprise SSO configuration editor. It allows you to describe the applications for which you want Enterprise SSO to enable Single Sign-On or account collection (in Access Collector mode), but which could not be configured through the Enterprise SSO Wizard (as explained in One Identity EAM in a Nutshell).

Additionally, for those applications that have been configured using Enterprise SSO Wizard, ESSO Enterprise Studio enables you to modify or enhance their configuration.

If Enterprise SSO is used in Access Collector mode, ESSO Enterprise Studio allows the administrator to configure all the enterprise applications for the users, so that users' account can be automatically collected in the users' directory.

ESSO Enterprise Studio provides a graphical interface for defining these elements. It is dedicated to application administrators, or to "super-users" who have access to all necessary parameters.

Application Definition

An application is defined by:

  • Its properties, such as the acceptable password formats, its behavior as seen by Enterprise SSO, and the account(s) that the user will use to connect to the application.
  • The windows displayed to the user for authentication or password management. These windows may be HTML pages of a web application.
ESSO Enterprise Studio

The two following ESSO Enterprise Studio configurations are available:

  • ESSO Enterprise Studio: the application configuration is shared by a number of users.
  • Personal SSO Studio: the application configuration is dedicated to a single user. It is automatically accessible when opening Personal SSO Studio.

    Personal SSO Studio is not available in Access Collector mode.

Storage Modes

The SSO Studio configuration can be stored locally on the workstation, in a configuration file (file storage mode, also referred to as local or registry mode), or in the LDAP directory (LDAP storage mode).

NOTE: The storage mode is defined during the installation phase.

  • In LDAP storage mode, a centralized configuration is defined in the LDAP directory, in which SSO access is either authorized or denied for a given user or group of users.

    NOTE: The Access Collector mode works only in LDAP storage mode.

  • In local storage mode (file storage mode), the configuration is saved in a file. In Enterprise mode, the administrator can create as many configurations as he wants; each configuration is saved in its own file.
Operating Modes

ESSO can be installed in two different modes: With and without Controller (for more details, see One Identity EAM Installation Guide).

  • Without Controller, the configuration of applications can be entirely done with SSO Studio.

    NOTE: The Access Collector mode works only without Controller.

  • With Controller (Client/Server) mode, the configuration of applications is only partly done with ESSO Enterprise Studio: the technical definition of applications can be done with ESSO Enterprise Studio, but the application definition must be finished from the EAM administration console (see One Identity EAM Console - Guide de l'administrateur).
In this section:

Interface Overview

Main Window Interface

ESSO Enterprise Studio presents target application parameters as SSO objects organized in a tree structure.

ESSO Enterprise Studio enables you to create, modify or delete objects and to store them in an LDAP directory (LDAP mode) or in an Enterprise SSO configuration file (local storage mode). It is a "single-document" application (only one configuration can be edited at a time):

  • In ESSO Enterprise Studio used in LDAP storage mode, the displayed tree corresponds to the associated LDAP directory defined at initialization time.

    The following screenshot illustrates an interface example of ESSO Enterprise Studio used in LDAP storage with Controller.

    In LDAP mode, the objects can be created anywhere the administrator has object-creation rights.

    The LDAP administrator is responsible for ensuring that the structure has a branch reserved for the management of EAM objects.

    As the objects are created directly in the LDAP directory, the directory must be accessible when ESSO Enterprise Studio is being used.

  • In ESSO Enterprise Studio used in local storage mode, or in Personal SSO Studio, the tree displayed is not linked to an LDAP directory.

    The following screenshot illustrates an interface example of Personal SSO Studio.

    In local storage mode, the configuration is defined with a root node called Local Enterprise SSO Configuration, to which two other nodes are attached: Applications and Configuration Objects, used for EAM object declarations.

Main Window Areas

The ESSO Enterprise Studio main window is composed of:

  • A menu bar.
  • A toolbar offering shortcuts to some menu bar options. The toolbar appearance depends on the SSO Studio mode used (without or with Controller, LDAP or file storage, Personal or Enterprise). The button icons are not reproduced here; grouped by mode, the buttons are:

    Common buttons
    • (ESSO Enterprise Studio only) Creates a new SSO configuration.
    • (ESSO Enterprise Studio only) Opens an existing SSO configuration.
    • Cuts the selected item.
    • Copies the selected item.
    • Pastes the selected item.
    • Displays the properties of the selected item.
    • (LDAP storage mode only) Refreshes the displayed LDAP directory.
    • Deletes the selected item.
    • Renames the selected item.

    Without Controller buttons
    • Creates a new Application.
    • Creates a new Window object.
    • Creates a new Application profile.
    • Creates a new PFCP.
    • (ESSO Enterprise Studio only) Opens the SSO Settings by Population window, which allows you to define the population allowed to access the application.
    • Saves the configuration.

    With Controller buttons
    • Creates a new Technical Definition.
    • Saves the Directory modifications.
    • Tests the selected SSO.
    • Adds the selected item to the test list.
    • Removes the selected item from the test list.

  • A workspace showing a tree structure that allows you to select elements and to perform actions directly by double-clicking the objects or using the popup menu of each object.

Starting and Stopping ESSO Enterprise Studio

This section explains how to start and stop ESSO Enterprise Studio or Personal SSO Studio.

In this section:

Starting SSO Studio
Subject

The following procedure explains how to start ESSO Enterprise Studio or Personal SSO Studio.

Procedures

Starting SSO Studio Using the Windows Taskbar

  1. In the Windows taskbar, open the Start menu and click the entry for the Studio you want to use:
    • For ESSO Enterprise Studio: Start/All apps/One Identity EAM/ESSO Enterprise Studio
    • For Personal SSO Studio: Start/All apps/One Identity EAM/Personal SSO Studio

    An authentication window appears.

  2. Fill in the authentication window and click OK.

    The selected Studio appears.

 

Starting ESSO Enterprise Studio Using Command Lines

 

ESSO Enterprise Studio is started by the builder.exe program. The following command-line arguments change what it starts:

  • /user: starts Personal SSO Studio.
  • /wizard: starts the Enterprise SSO wizard.

 

Stopping ESSO Enterprise Studio
Subject

The following procedure explains how to stop ESSO Enterprise Studio or Personal SSO Studio.

Procedure
  • In the File menu, click Exit.

 

 

Creating or Opening a Configuration
Subject

With ESSO Enterprise Studio used in local storage mode, you can create as many configurations as you wish (each configuration is saved in a different file).

This section explains how to create a new configuration, or open an existing one.

NOTE: In local storage mode, the configuration file to be used can be specified during installation. For more information, see One Identity EAM Installation Guide.
Restriction

The feature described in this section is only available in ESSO Enterprise Studio used in local storage mode.

Procedure

To open an existing configuration:

  1. In the File menu, click Open.

    The Explorer window appears.

  2. Select the configuration you want to open and click OK.

    The selected configuration appears in the ESSO Enterprise Studio main window.

To create a new configuration:

  • In the File menu, click New.

    ESSO Enterprise Studio displays the default configuration.

 

Configuring General SSO Parameters

Subject

The following procedure explains how to define the general SSO configuration parameters.

Restriction

The configuration described in this section is only available in ESSO Enterprise Studio used in local storage mode without Controller.

Procedure
  1. In the Edit menu, click Configuration.

    The configuration window appears:

    • The Performance tuning area allows you to set the window detection timing.
    • The Security Parameters area allows you to define permissions.

  2. Fill in the window and click OK to save the configuration and close the window.

 

Defining PFCP and Application Profiles

If you use ESSO Enterprise Studio without Controller or Personal SSO Studio, you can define the following properties:

  • The Password Format Control Policies: PFCP.
  • The Application profiles.

NOTE: With Controller, this configuration can be performed with the EAM administration console (see One Identity EAM Console - Guide de l'administrateur).

In this section:

Defining Password Format Control Policies (PFCP)

Subject

This section explains how to create or modify a PFCP for the applications for which you want to activate the SSO.

A default PFCP configuration exists in ESSO Enterprise Studio: you can modify it or create a new one.

Restriction

The PFCP configuration is only available if you use ESSO Enterprise Studio without Controller, or Personal SSO Studio. With Controller, the PFCP configuration must be done with the administration console (see One Identity EAM Console - Guide de l'administrateur).

Procedure
  1. In the ESSO Enterprise Studio main window, do one of the following:
    • To create a new PFCP, right-click the Configuration objects node and click New PFCP.
    • To modify an existing PFCP, right-click the PFCP you want to modify and click Properties.

    The PFCP Properties window appears.

  2. Fill in the window as described in the following sections. For the basic parameters, fill in the Password Management Policy tab: see The "Password Management Policy" Tab.
  3. Click OK to save the configuration and close the window.

 

In this section:

The "Password Management Policy" Tab

The Password Management Policy tab allows you to define the following PFCP elements:

  • Password Policy
    The PFCP name.
  • New Password generation policy
    The behavior required when the user is prompted for password change: automated password generation or user prompted for a password compatible with the PFCP.
  • Advanced
    • An "invalid password" string: if the security system is provided with this string for SSO use, Enterprise SSO prompts the user for a new password.
    • The period for which a password is valid.
    • The number of old passwords retained.

The "Password Format Policy" Tab

The Password Format Policy tab allows you to define the advanced parameters:

  • Password Format
    Defines the number of upper-case letters, lowercase letters, numbers and special characters required in the password, the list of special characters authorized, and their position within the password.

    The following special characters are allowed:

    & ~ " # ' { ( [ - | ` £ _ \ @ ) ° ] = + } $ % * , ? ; . : / !

    IMPORTANT: Accented characters are forbidden.

  • Special character list
    This field enables you to specify which of these characters must appear in the password.
  • Forbidden characters
    List of characters forbidden in the password.
  • Advanced
    Specifies the maximum number of occurrences of a given character in a password.
  • Test Password Generation
    This button displays an example of a password generated with the rules you have configured.
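The two PFCP tabs above describe the rules a generated or user-chosen password has to satisfy: per-class counts, the special characters that may be used, forbidden characters, the maximum number of occurrences of one character, the ban on accented characters, and the number of old passwords retained. The following Python model of such a policy, with a validator and a generator that does what the Test Password Generation button shows, is an added example written for this guide and is not One Identity code. The field names, the fixed total length, the treatment of the special-character list as the permitted subset, and the rejection-sampling generator are assumptions; the per-position rules of the Password Format field are not modeled.

```python
import secrets
import string
import unicodedata
from dataclasses import dataclass

# Special characters listed on the "Password Format Policy" tab.
ALLOWED_SPECIALS = frozenset('&~"#\'{([-|`£_\\@)°]=+}$%*,?;.:/!')


def is_accented(ch: str) -> bool:
    """True for letters carrying a diacritic, which the PFCP forbids. NFD
    decomposition splits them into a base letter plus a combining mark;
    ASCII characters, £ and ° do not decompose."""
    return any(unicodedata.combining(c) for c in unicodedata.normalize("NFD", ch))


@dataclass(frozen=True)
class PFCP:
    """Model of one Password Format Control Policy (field names are assumptions)."""
    length: int = 12               # assumed total length; the tab gives per-class counts
    min_upper: int = 1             # Password Format: upper-case letters
    min_lower: int = 1             # Password Format: lowercase letters
    min_digits: int = 1            # Password Format: numbers
    min_special: int = 1           # Password Format: special characters
    special_chars: str = "@#$%!"   # Special character list (assumed: the permitted subset)
    forbidden: str = ""            # Forbidden characters
    max_occurrences: int = 2       # Advanced: max occurrences of a given character
    history_size: int = 5          # Password Management Policy: old passwords retained

    def __post_init__(self):
        unknown = set(self.special_chars) - ALLOWED_SPECIALS
        if unknown:
            raise ValueError(f"not in the PFCP special-character set: {sorted(unknown)}")
        if self.min_special and not self.special_chars:
            raise ValueError("min_special > 0 but the special character list is empty")
        if self.min_upper + self.min_lower + self.min_digits + self.min_special > self.length:
            raise ValueError("class minimums exceed the password length")


def check_password(pw: str, policy: PFCP, history: tuple = ()) -> list:
    """Return the rule violations for pw (an empty list means it conforms).
    Only the last policy.history_size entries of history are checked."""
    problems = []
    if len(pw) != policy.length:
        problems.append(f"length {len(pw)} != {policy.length}")
    recent = history[-policy.history_size:] if policy.history_size > 0 else ()
    if pw in recent:
        problems.append("password was used recently (history)")
    for ch in sorted(set(pw)):  # sorted so the report order is deterministic
        if is_accented(ch):
            problems.append(f"accented character {ch!r} is forbidden")
        elif ch in policy.forbidden:
            problems.append(f"forbidden character {ch!r}")
        elif not (ch.isascii() and ch.isalnum()) and ch not in policy.special_chars:
            problems.append(f"character {ch!r} is not in the allowed set")
        if pw.count(ch) > policy.max_occurrences:
            problems.append(f"{ch!r} occurs {pw.count(ch)} times (max {policy.max_occurrences})")
    counts = {
        "upper": sum(c in string.ascii_uppercase for c in pw),
        "lower": sum(c in string.ascii_lowercase for c in pw),
        "digits": sum(c in string.digits for c in pw),
        "special": sum(c in policy.special_chars for c in pw),
    }
    minimums = {"upper": policy.min_upper, "lower": policy.min_lower,
                "digits": policy.min_digits, "special": policy.min_special}
    for name, need in minimums.items():
        if counts[name] < need:
            problems.append(f"needs at least {need} {name}, has {counts[name]}")
    return problems


def generate_password(policy: PFCP, history: tuple = (), attempts: int = 1000) -> str:
    """Automated generation: draw the required characters of each class with a
    CSPRNG, pad from the union of the classes, shuffle, and keep the first
    candidate that passes check_password (max occurrences and history are
    enforced by rejection, which is simpler than building them in)."""
    rng = secrets.SystemRandom()
    classes = []
    for alphabet, need in ((string.ascii_uppercase, policy.min_upper),
                           (string.ascii_lowercase, policy.min_lower),
                           (string.digits, policy.min_digits),
                           (policy.special_chars, policy.min_special)):
        usable = [c for c in alphabet if c not in policy.forbidden]
        if need and not usable:
            raise ValueError("a required character class is entirely forbidden")
        classes.append((usable, need))
    pool = [c for usable, _ in classes for c in usable]
    if not pool:
        raise ValueError("every character is forbidden")
    for _ in range(attempts):
        chars = [rng.choice(usable) for usable, need in classes for _i in range(need)]
        chars += [rng.choice(pool) for _i in range(policy.length - len(chars))]
        rng.shuffle(chars)
        candidate = "".join(chars)
        if not check_password(candidate, policy, history):
            return candidate
    raise RuntimeError("no conforming password found; the policy may be unsatisfiable")


if __name__ == "__main__":
    policy = PFCP(forbidden="l1O0")          # exclude look-alike characters
    pw = generate_password(policy)
    print(pw, check_password(pw, policy))    # a conforming password and []
    print(check_password("Pässword!2ab", policy))  # accented 'ä' is reported
```

The validator reports every violated rule rather than stopping at the first one, which is what you want when an administrator is tuning a policy; the generator never emits a password it would itself reject, so the displayed sample is always a faithful instance of the configured rules.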

Defining the Application Profiles

Subject

Application profiles are security objects that define a set of rights and properties that are applied generically for one or more applications.

This section explains how to configure the application profiles for the applications for which you want to activate the SSO.

A default Application profile configuration exists in ESSO Enterprise Studio: you can modify it or create a new one.

Restriction

The Application profile configuration is only available if you use ESSO Enterprise Studio without Controller, or Personal SSO Studio. With Controller, the Application profile configuration must be done with the administration console (see One Identity EAM Console - Guide de l'administrateur).

Procedure
  1. In the ESSO Enterprise Studio main window, do one of the following:
    • To create a new Application profile, right-click the Configuration objects node and click New Application Profile.
    • To modify an existing Application profile, right-click the Application profile you want to modify and click Properties.

    The application profile properties window appears.

  2. Fill-in the window as described in the following sections:
  3. Click OK to save the configuration and close the window.

 

In this section:

Properties Tab of an Application Profile

The Properties tab allows you to configure the following parameters:

  • Application Profile name.
  • Password Policy associated with this Application Profile.

For details on how to create a Password Policy, see Defining Password Format Control Policies (PFCP).

Enterprise SSO Desktop options:

  • Display the applications associated with this profile in the user’s Enterprise SSO Account panel.
  • Automatically launch the applications associated with this profile when Enterprise SSO starts.

Test the applications associated with this profile to check if the SSO configuration works. For details on how to use the test mode, see Testing the SSO Configuration of an Application.

NOTE: This option is available with Personal SSO Studio. It is also available with ESSO Enterprise Studio in the Application Profile in EAM Console.

Access Strategy Tab of an Application Profile

The Access Strategy tab allows you to configure the following parameters:

  • Credential storage
    Storage location of the SSO accounts used by the applications associated with the Application Profile.

    IMPORTANT: If you select Store on token, check that the proper authentication method is supported. For more information, contact your security administrator.
  • Single Sign-On Policy
    • Users must re-authenticate
      Before each SSO, the user must confirm his primary password, PIN or biometric identity.
    • Users can modify account
      This option is selected by default. If unchecked, the user will not be allowed to change the password through the user account management screen.
    • Users can display password
      The user can ask for the password to be displayed. If this is the case, he will be asked to re-authenticate.
    • User can cancel Single Sign-On
      If this option is cleared, the user cannot cancel the SSO execution when he or she starts an application associated with the security profile:
      • If the user starts an application for the first time, he must complete the authentication data collection dialog box.
      • If the user has several accounts for an application, he must select an account in the account selection dialog box (the Cancel button is unavailable).

      NOTE: If a problem occurs (for example, if the authentication data cannot be saved due to network issues), the Cancel button is available again to allow the user to log on manually or to quit the application.

      Select this option to allow users to temporarily cancel the SSO execution for applications associated with the security profile, then select in the drop-down list the scope of this option:
      • For the current session only: if the user cancels the SSO execution for an application, he can then start as many application instances as required; the SSO execution remains disabled.
        SSO is enabled again when the user quits all the application instances and restarts the application (or resets the configuration, or restarts Enterprise SSO).
      • For the application (until reset): the user can disable the SSO execution either for the current SSO session (see above) or until further notice. In the latter case, to enable the SSO execution again for the suspended applications, the user must use the appropriate contextual command from the Enterprise SSO Account panel (or reset the configuration, or restart Enterprise SSO).
      • For the current window only: if the user cancels the SSO execution for an application, SSO is disabled for this application instance only.

     

NOTE: For more details on the commands and controls that are modified by this option, see Disabling/Enabling SSO for Applications.

IMPORTANT: When only the user can decipher the secondary accounts and the user forgets his or her primary password or loses his or her smart card, the secondary accounts cannot be recovered.

The Access Strategy tab also defines who is able to decipher the user's secondary accounts. The entries described here are:

  • User, administrators: both the user and you can decipher his secondary accounts. Thus, if you force a new primary password or assign a new smart card using the EAM Console, the user's secondary accounts are recovered.
  • User, administrators and external key: select this entry to allow an external application to decipher the user's secondary accounts using a public key. For example, you must select this entry if you want to use EAM with Web Access Manager (WAM): WAM can then decipher the user's EAM secondary accounts and perform SSO with them. For more information, see Mobile E-SSO Installation and Configuration Guide.

Delegation Tab of an Application Profile

The Delegation tab is only available if you use ESSO Enterprise Studio without Controller and in LDAP storage mode.

The Delegation tab allows you to define the methods for delegating accounts to another user:

  • Authorize delegation to everybody.
  • Authorize delegation to a member of the same user group.
  • Authorize delegation to a member of the same organizational entity.
  • Advanced mode: person/group/organizational entity.
  • Authorize the delegated user to change passwords: the delegated user is authorized to modify the password for the delegated account.

You can require the person delegating the account(s) to re-authenticate on the workstation where the Studio is installed by setting the following registry value (DWORD) to 1: SOFTWARE\Enatel\SSOWatch\CommonConfig\ReauthOnDelegate

Defining Application and Technical Definition Objects

This section explains how to create and define Application and Technical definition objects.

  • Without Controller, SSO Studio allows you to entirely configure Application objects.

    An application object implies the definition of:

    • An application name as shown in ESSO Enterprise Studio and in Enterprise SSO, and some options regarding the access rights for this object.
    • Parameters that associate this application with the SSO data in the security system.
    • Access strategy (in registry or personal configuration modes), or assignment to user groups (in LDAP mode); the application profile should be defined for each association to a user group.

    ESSO Enterprise Studio allows you to create application objects with some predefined parameters for SAP and Windows applications: see Creating a New Application Object or Technical Definition.

  • With Controller, ESSO Enterprise Studio allows you to configure Technical Definitions.
    A Technical definition object is the technical description of an application, used in particular to perform single sign-on in an EAM environment. The application configuration must then be completed in the administration console (see One Identity EAM Console - Guide de l'administrateur).

In this section:

Creating/Modifying Application Objects and Technical Definitions

In this section:

Creating a New Application Object or Technical Definition

Subject

For Application objects, ESSO Enterprise Studio allows you to use templates to create SAP and Windows application objects.

The Template Application item allows you to create an Application object with a number of pre-defined parameters. They are used for specific authentication scenarios. The predefined template applications are:

  • SAP, for SAP R/3 application authentication (for more details, see The SAP R/3 Plug-in).
  • Windows, for authentication to an external LDAP directory.

Template applications are managed in the same way as Application objects. They enable the Single Sign-On feature for specific authentication procedures. An application template has a number of predefined parameters.

The following procedure explains how to create a new technical definition or application (with or without template).

Procedure
  1. In the ESSO Enterprise Studio main window, do one of the following:
    • To create a new application or technical definition: Right-click the node where you want to create a new Application or Technical Definition and click New Application or New Technical Definition.
    • To create a new application using a template: Click the node where you want to create a new template application and in the Edit menu, click New Template-based Application/SAP or Windows.

    The Application properties window appears.

  2. Fill-in the Application properties window (or modify it in case of template application) as described in Filling-in the Application Properties Window.

 

Modifying an Application Object or Technical Definition Configuration

Subject

The following procedure explains how to modify the properties of an existing Application Object or Technical Definition.

Procedure

 

  1. In the ESSO Enterprise Studio main window, right-click the Application or Technical Definition you want to modify and click Properties.

    The Application properties window appears.

  2. Fill in the Application properties window as described in Filling-in the Application Properties Window.

 

Filling-in the Application Properties Window

In this section:

"Properties" Tab of an Application Object

The Properties tab described in this section only appears if you use ESSO Enterprise Studio without Controller, or Personal SSO Studio.

The Properties tab of an Application Object allows you to define the basic parameters of an Application.

  • Application Name and Account label
    • Application name: this field will be displayed in the objects tree of ESSO Enterprise Studio and in the data collection and account management dialog boxes of Enterprise SSO.
    • Account label: fill-in this field for this label to be suggested when the account is first created and at first collection. This field will be displayed in Enterprise SSO as well as in all the SSO data collection windows and in the user account management window.
  • Session management
    Indicates whether all the application’s windows depend on the same application instance.
  • OLE/Automation
    Grants OLE/Automation access to this application (and all the associated security objects) through the OLE/Automation interface of Enterprise SSO. For greater security, enter a password: the OLE client must then provide it, and without one any OLE client on the workstation that can reach the interface gets this access. See OLE/Automation Interface.
  • Options
    • Enable this application (this option is selected by default)
      If this option is cleared, Enterprise SSO will ignore this application. This is used to temporarily disable an application without deleting it from the configuration file.
    • Try previous password when "bad password" windows detected
      If this option is selected, the fields are filled with the last valid password at "bad password" detection (this can be useful if the password change is not immediately taken into account by the application).
    • User must provide credentials
      This check box only appears in Access Collector mode.
      If this check box is cleared, the user can cancel the collection (or BadPassword) window that appears when the application is launched.

"Properties" Tab of a Technical Definition Object

The Properties tab described in this section only appears if you use ESSO Enterprise Studio with Controller.

The Properties tab of a Technical Definition object allows you to define the basic parameters of a Technical definition.

  • Identification
    The Technical Definition name. This field will be displayed in the objects tree of ESSO Enterprise Studio.
  • Session management
    Indicates whether all the application’s windows depend on the same application instance.
  • Try previous password when "bad password" windows detected
    If this option is selected, the fields are filled with the last valid password at "bad password" detection (this can be useful if the password change is not immediately taken into account by the application).

"Account Base" tab of an Application Object

The Account Base tab only appears if you use ESSO Enterprise Studio without Controller or Personal SSO Studio.

The Account base tab allows you to define the Account Base associated with an application. An Account is a username/password pair that allows connection to an application. There is also an account parameter that can store complementary authentication data; for instance: a Windows Domain name is a complementary parameter of a Windows account.

The account name is internal to Enterprise SSO: it is used to store and retrieve security data and to give a user-friendly name to this data. A user-friendly name is particularly useful when using multiple accounts: you can give names such as: "Notes Admin" or "Notes User" if a Notes user is also the administrator.

NOTE: Accounts are shared between applications and between Enterprise SSO configurations, since they refer to objects stored in the security system storage bound to the user.

  • For simple cases, one single account is associated with an application: it is called a Standard account.
  • For particular cases, it is possible to use the Windows username and password to perform SSO on an application. An example is the Windows Terminal Server login. To use this security credential in SSO, you must associate the Primary Authentication Identifier with the application (select the corresponding check box). The Windows username can be sent to the application in different forms:
    • Short name: username only.
    • Windows 2000 (and later): user principal name, that is the username followed by the Windows DNS domain, for instance: jsmith@oneidentity.com.
    • NT4: username preceded by the NetBIOS domain, for instance: EVIDIAN\jsmith.
  • Share Account Base with Another Application: in the application that you consider as the account reference, list the applications authorized to use its account base.

    You can also share an account base between two Applications using command line arguments. This lets you create batch files to automate the task.

NOTE: You can combine this feature with the possibility of importing objects using command lines. This is described in Importing Objects using Command Line Arguments (without Controller).
Before starting
  • The Applications must be created.
  • Close the ESSO Enterprise Studio graphical interface.

Procedure

To share an Account base, at the Windows prompt, type the following command:

<Enterprise SSO installation folder>\SSOBuilder.exe [/login <name>] [/password <password>] /share <MasterApplication> <SlaveApplication>

NOTE: Arguments between square brackets [ ] are optional.

The arguments are explained below:

  • <Enterprise SSO installation folder>
    "C:\Program Files\Evidian\WG SSOWatch\SSOBuilder.exe" by default.
  • /login <name> and /password <password>
    Login name and password of the EAM administrator.

    Note: Use the DOMAIN\login format.

    If the login name and password of the administrator are not specified, the ESSO Enterprise Studio authentication window appears.

    The administrator account used to run the command must have sufficient rights.
  • /share <MasterApplication> <SlaveApplication>
    <MasterApplication>: name of the Application owning the Account base to share.

    <SlaveApplication>: name of the Application that will use the Account base.

    NOTE: This parameter works only with Application objects.

Example

The following command allows you to share the Account Base AB1 owned by APP1 with APP2:

"C:\Program Files\Evidian\WG SSOWatch\SSOBuilder.exe" /login DOMAIN\WGAdmin /password AdminPWD /share APP1 APP2

External Names: this button only appears if you use ESSO Enterprise Studio without Controller and in LDAP storage mode. It allows you to define a mapping between the EAM application that you are configuring and the name of an external application that must be identified by EAM. This option is particularly useful to integrate Web Access Manager with EAM. For example, if you are defining an application called MyHTMLApplication that already uses Web Access Manager Account Bases, click this button and in the displayed window, enter the names of the Web Access Manager Account Bases defined for this application. This way, EAM will be able to use these Web Access Manager Account Bases to perform SSO with this application. For more information, see Mobile E-SSO Installation and Configuration Guide.

NOTE: Each external application name must be unique in the directory.

 

The "Launcher" Tab

The Launcher tab is used to define how Enterprise SSO can start an application.

This window allows you to define the following parameters:

  • Change Icon button
    The icon associated with the application, which will be displayed in Enterprise SSO.
  • Application description for user
    The application description, which will be displayed in Enterprise SSO.
  • Target
    The command line or URL (for web applications), which opens the application.
  • Start in folder
    The directory where the command line should start.
  • Command line parameters
    The SSO parameters to be sent to the command line, if necessary.
    The Insert button inserts in the command line the item selected in the drop down list (identifier/password).
  • Authentication methods required if automatic start is used

    Since Enterprise SSO can launch applications during session opening, this option enables you to control which applications are launched regarding the authentication method used to log on.

    Select the check box and in the drop down list, select the authentication methods required to launch the applications.

The "QRentry keyboard" Tab

The QRentry keyboard tab enables you to configure the behavior of the QRentry keyboard key that performs SSO in a Store application (Android only). For more information on Store applications, refer to the QRentry - User Guide.

This window allows you to define the following parameters:

  • Application package identifier field
    Enter the Store application package name that you retrieved beforehand in QRentry, as described in the QRentry - User Guide.
  • SSO data validation method
    Select the credentials validation method:
    • Tap a specific validation button: QRentry fills in the fields and activates the next field in the application (for example: Next, Connection, Cancel, etc.).
    • Tap the Enter button: QRentry fills in the fields and activates the Enter key of the keyboard.
    • Do nothing: QRentry fills in the fields; the user must validate.

The "Parameters" Tab

Parameters Tab of an Application Object (without Controller)

Subject

The Parameters tab allows you to add a list of additional authentication parameters (such as Windows Domains or Languages). These parameters let you define more fields than just the user name/password pair of the target application's authentication window.

Window description
  • Add button: click this button to add a parameter. The following window appears:

    • To add an existing parameter, select it and click OK.

      NOTE: The Windows Domain parameter must be used only with Applications that may use Authentication Manager.

    • To create a new parameter, type its name in the Name field and click Add.
    • To delete or rename an existing parameter, select it and click Delete or Rename.
    • To define an External Name for a parameter, select the wanted parameter and click External Name. For more information, see Managing External Names hereunder.

  • Delete button:
    select a parameter and click
    Delete.
  • Properties button:
    Select a parameter, then click this button to define the properties of the selected parameter.

    The properties to define are the following:

    • Description: mandatory description of the parameter, for a better understanding.
    • Parameter type: determines how the value is provided to the user:
      • Default: the value of the parameter is collected for each SSO account and can be modified by the user.
      • Global: the value of the parameter is the same for all SSO accounts and is not suggested to the user.
      • Rule: the value is computed dynamically from user data, and cannot be changed.
    • Value: the default value assigned to the parameter; if nothing is entered here, it is requested at first authentication (data collection), depending on the parameter type defined above.

      If you have selected Rule in the Parameter type area, retrieve the exact LDAP attribute name (using an LDAP browser) and type it between parentheses in the Value field. For example, type (mail) to indicate that the parameter value is the user's mail address.

NOTE: To concatenate several LDAP attributes, type them one after another, without a comma. Example: (mail)(dn).

You can refine the parameter value with the following rules:
  • To keep only the first n characters of the LDAP value, use the (attLDAP,n) syntax.
  • Three functions process LDAP values: UPPER, LOWER and CAPITALIZED. Example: UPPER(mail,10) returns the first 10 characters of the user's mail address in upper case.
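The following example, added here and not part of the guide or of the product, evaluates Rule-typed Value fields against a user entry so that a rule can be checked before it is deployed. It implements the syntax described above ((attr), (attr,n), concatenation by juxtaposition, and the UPPER/LOWER/CAPITALIZED functions). The sample user entry is constructed; the exact behavior of CAPITALIZED, the use of the first value of a multi-valued attribute, and the choice to fail on a missing attribute are this example's assumptions, not the product's documented behavior.

```python
import re
from typing import Callable, Dict, List, Optional, Sequence, Tuple, Union

# A user entry as an LDAP search would return it: single-valued attributes are
# strings, multi-valued ones are lists. Constructed sample data, not a real user.
LdapEntry = Dict[str, Union[str, Sequence[str]]]

SAMPLE_USER: LdapEntry = {
    "mail": "john.smith@example.com",
    "dn": "CN=John Smith,OU=Users,DC=example,DC=com",
    "sAMAccountName": "jsmith",
    "memberOf": ["CN=Finance,OU=Groups,DC=example,DC=com"],
}

# The three functions named in the guide. The exact behaviour of CAPITALIZED is
# not defined there; this example assumes "first character upper, rest lower".
FUNCTIONS: Dict[str, Callable[[str], str]] = {
    "UPPER": str.upper,
    "LOWER": str.lower,
    "CAPITALIZED": lambda s: s[:1].upper() + s[1:].lower(),
}

# One term of a rule: optional function name, then "(" attribute [, length] ")".
_TERM = re.compile(r"(?P<func>[A-Z]+)?\((?P<attr>[A-Za-z][\w.-]*)(?:,(?P<n>\d+))?\)")

Term = Tuple[Optional[str], str, Optional[int]]


def parse_rule(rule: str) -> List[Term]:
    """Split a Rule value such as '(mail)(dn)' or 'UPPER(mail,10)' into terms.

    Anything the grammar does not cover raises ValueError, so a typo in the
    Studio Value field fails loudly instead of silently producing a partial
    user name (a comma between terms is the classic mistake)."""
    rule = rule.strip()
    terms: List[Term] = []
    pos = 0
    while pos < len(rule):
        m = _TERM.match(rule, pos)
        if m is None:
            raise ValueError(f"cannot parse rule at {rule[pos:]!r}")
        func = m.group("func")
        if func is not None and func not in FUNCTIONS:
            raise ValueError(f"unknown function {func!r}")
        length = int(m.group("n")) if m.group("n") else None
        terms.append((func, m.group("attr"), length))
        pos = m.end()
    if not terms:
        raise ValueError("empty rule")
    return terms


def evaluate_rule(rule: str, entry: LdapEntry) -> str:
    """Compute the parameter value for one user from a Rule-typed Value field.

    A missing attribute raises KeyError rather than yielding '' so the
    misconfiguration is visible at test time. For a multi-valued attribute the
    first value is used (assumption: the guide does not say which one)."""
    parts: List[str] = []
    for func, attr, length in parse_rule(rule):
        if attr not in entry:
            raise KeyError(f"LDAP attribute {attr!r} is not present on the entry")
        value = entry[attr]
        if not isinstance(value, str):
            value = value[0]
        if length is not None:
            value = value[:length]          # (attr,n): keep the first n characters
        if func is not None:
            value = FUNCTIONS[func](value)  # then apply UPPER/LOWER/CAPITALIZED
        parts.append(value)
    return "".join(parts)                   # adjacent terms are concatenated


if __name__ == "__main__":
    for rule in ("(mail)", "(mail)(dn)", "(sAMAccountName,3)",
                 "UPPER(mail,10)", "CAPITALIZED(sAMAccountName)"):
        print(f"{rule:28} -> {evaluate_rule(rule, SAMPLE_USER)}")
```

Run it against a few real entries exported from an LDAP browser before committing a rule: a rule that references an attribute some users lack will otherwise only show up as an SSO failure for those users.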

Managing External Names

This window appears when you click the External Name button. It allows you to define a mapping between the parameter that you are configuring in EAM and the name of an external parameter (created using another SSO tool) that must be identified by EAM.

 

NOTE: This option is particularly useful to integrate User Provisioning or Web Access Manager with EAM. For more information, see Mobile E-SSO Installation and Configuration Guide.

Parameters Tab of a Technical Definition Object (With Controller)
Subject

The Parameters tab allows you to add a list of additional authentication parameters (such as Windows Domains or Languages). These parameters let you define more fields than just the name/password pair of the target application's authentication window.

IMPORTANT: The list of authentication parameters for the technical definition must be compatible with the parameters defined at application level. The creation of an application is described in the Evidian EAM Console - Administrator Guide.

Window description
  • Add button: click this button to add a parameter:

    To add an existing parameter, select it and click OK.

    The parameter called Windows Domain (which is created when ESSO is installed) must be used only without Controller.

    NOTE: To create or modify the parameters present in the list, use the EAM Console. For more information, see Evidian EAM Console - Administrator Guide.

  • Delete button: select a parameter and click Delete.
  • Properties button: this button is always disabled.

The "Application Profile" Tab

By default, every user is authorized to access the application through an application profile. The Application Profile tab allows you to define this application profile, whose access right is granted to all users by default.

IMPORTANT: In LDAP storage mode and Personal mode, only one profile may be assigned per application.

 

To:

  • Allow the user to dynamically create new accounts from Enterprise SSO, select the User can create additional accounts check box.
  • Allow the user to access the application on QRentry, select the This application is available on QRentry check box.
  • Add a logo to the application for QRentry, click the Set logo button and select a logo.

IMPORTANT: The logo must be smaller than 30 KB and in PNG format.

For more information on QRentry, refer to the QRentry - User Guide.

Defining Advanced Access Rights

Subject

ESSO Enterprise Studio allows you to define advanced management of access rights, as explained in the following procedure.

Restriction

The feature is only available in ESSO Enterprise Studio used without Controller and LDAP storage mode.

Procedure
  1. In the ESSO Enterprise Studio main window, right-click the application for which you want to define advanced access permissions and click SSO Settings by population.

    The SSO Settings by population window appears.

  2. Fill-in the window as described in Window description.

 

Window description

 

The SSO settings by population window allows you to define the population (users, groups or organizational units) that may access the application. An application profile must be assigned to each one.

If several profiles apply to a user, priority is given, in this order, to the profile assigned to the:

  1. User.
  2. Group.

    NOTE: If there are several groups, the priority shown on the interface applies. It is dedicated to groups only (0 being the highest priority level).

  3. Organizational Unit.

Defining Window Objects

Subject

Since window objects are subordinated to Application or Technical definition objects, the window objects can only exist if they are associated with an application object.

Procedure
  1. In the ESSO Enterprise Studio main window, right-click the application for which you want to define a window object and click New Window.

    The Window Properties window appears.

  2. Fill-in the Window Properties window as described in the following sections:
    • The Detection and Actions tabs are described in the sections of this guide that are related to the "plug-in types", as their content depends on the selected window type.

 

In this section:

The "General" Tab

The General tab allows you to give a name to the window object and to set its type (the type cannot be modified once the window has been created).

  • Window Name
    By default, this field is automatically filled-in with the name of the selected Window Type. It is recommended to enter a name clearer than the default name.
  • Window Type
    Displayed Window types are loaded from the different Enterprise SSO plug-ins. The following table shows the window types provided by the different plug-ins and their associated technology:

    The Window Type Description area displays the description of the selected window type.

 

Window Type | Technology | Behavior | Description

Generic windows
StandardLogin | Win32/Java | Login |
BadPassword | Win32/Java | BadPassword |
NewPassword | Win32/Java | NewPassword |
BadNewPassword | Win32/Java | BadNewPassword |
ConfirmPassword | Win32/Java | ConfirmPassword |
Terminal | Terminal | All |

HTML Pages (reserved for old versions; do not use to detect new windows)
IELogin | Win32 | Login + BadPassword | HTTP authentication window
HTMLLogin | HTML/IE | Login | Authentication in HTML pages
HTMLBadPassword | HTML/IE | BadPassword |
HTMLNewPassword | HTML/IE | NewPassword + ConfirmPassword |
HTMLBadNewPassword | HTML/IE | BadNewPassword |

Customizable window types
CustomScript | Win32 | All | Graphical scripts enabling customized SSO creation.
CustomScriptHTML | HTML/IE | All | Graphical scripts allowing customized SSO creation for web applications in Internet Explorer.

Microsoft applications
MSTelnet | Terminal | All | Not supported.
MSTelnetW2KXP | Terminal | All | Microsoft Telnet for Windows 2000 and XP

Lotus Notes windows
NotesLogin | Win32 | Login | Lotus 4.x and 5.x authentication

SAP windows
SAPLogin | Win32 | Login | SAP R/3 authentication
SAPExpired | Win32 | NewPassword |
SAPGUI Scripting | Win32 | Login | Authentication for SAP R/3 version 6.20

Plugin HLL API windows
HLLAPI Login | Win32 | Login |
HLLAPI Bad Password | Win32 | BadPassword |
HLLAPI New Password | Win32 | NewPassword + LoginNewPassword |
HLLAPI Confirm Password | Win32 | ConfirmPassword |
HLLAPI Bad New Password | Win32 | BadNewPassword |
HLLAPI Standard | Win32 | |

The "Options" Tab

The Options tab allows you to define the following elements:

  • Specific detection conditions to trigger the SSO when the window appears (Detection criteria area).
  • Enterprise SSO execution options to carry out SSO (Execution Options area).
  • Advanced SSO options (Advanced options area).

In this section:

The Detection Criteria Area

Use language criteria

This option allows you to trigger the SSO only if the selected language is one of the input languages installed on the computer. This option can be useful to optimize response times.

NOTE:

  • To display the input languages installed on the computer, from the Windows Control Panel, double-click Regional and Language Options and in the Languages tab, click Details.
  • Click the Configure button to select the wanted system languages.
  • Select Show local language variants to display the regional variants of each language.
Use SSO State criteria

This option allows you to trigger the SSO only if the selected SSO states are met.

 

NOTE: This option is particularly useful for the Customizable Window Type (Custom Script and Custom Script HTML types).

Click the Configure button to select the conditions of the window activation depending on the state of the application. The available options are the following:

  • The window is always detected
    Selected by default: the window is always detected and processed by Enterprise SSO, without any condition.
  • SSO has not been performed
    Select this option to trigger Enterprise SSO only if the SSO operation has not been performed yet. With this option, Enterprise SSO performs SSO upon the first detection of the window; then, as long as the application runs, this window is no longer detected.
  • SSO has been performed and the password is valid
    The window is detected and processed by Enterprise SSO only if the SSO operation has been performed with a valid password.
  • SSO has been performed and the password has expired and must be changed
    This option depends on the password validity period parameter (defined in the PFCP properties window). The window is detected and processed only if the SSO operation has been performed and the password validity period has expired.
  • The password has been refused and resynchronized (BadPassword)
  • A new password has been provided but not confirmed
  • The new password has been confirmed
  • A new password has been refused (after a rollback)
    These four options are particularly useful for applications that use several authentication windows that you have defined using custom scripts. For example, if you have to define the following windows for the same application:
    • A custom BadPassword window.
    • A custom NewPassword window, which contains only a field for the old password and a field for the new password.
    • A custom ConfirmPassword window, which contains only one field to confirm the new password.
    • A custom BadNewPassword window, which appears when the user enters a wrong new password.
    To avoid inopportune detection and processing of these windows by Enterprise SSO, select the appropriate option for each window in the Application State Conditions window.

 

Example of use with the "SSO has been performed and the password has expired and must be changed" option

To display the change password window of an application automatically, do the following:

 

 

NOTE: We consider in the following example that the change password window appears when you click a button.

Procedure

 

  1. In ESSO Enterprise Studio, create the Application object (for details, see Defining Application and Technical Definition Objects).
  2. From this object, define the Login and Change Password windows (for details, see Defining Window Objects).
  3. Define the Password Expire window, with the following guidelines:
    • In the General tab, select Custom script (Window type).
    • In the Options tab, select Use SSO state criteria, then click the Configure button and select SSO has been performed and the password has expired and must be changed.
    • Detection tab: drag and drop the target button to the window where the Change Password button is located.
    • Fill-in the Actions tab as follows:

NOTE: The Password Expire window is a virtual window, which allows you to display automatically the Change Password window when the password has expired.
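To make the gating described in this section concrete, here is a small model, added here and not code from the guide or the product, of how the SSO state conditions, the PFCP validity period and the "reappearance means bad password" timer (described under the Execution options area) decide whether a detected window is processed. The state names are those listed above; the window definitions replay the Password Expire example, with a virtual window gated on "SSO has been performed and the password has expired and must be changed". The transitions, the timestamps and the 90-day validity period are this example's assumptions.

```python
import enum
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

DAY = 86400.0


class SsoState(enum.Enum):
    """Application states offered by "Use SSO State criteria" (guide wording)."""
    NOT_PERFORMED = "SSO has not been performed"
    PERFORMED_VALID = "SSO has been performed and the password is valid"
    PERFORMED_EXPIRED = "SSO has been performed and the password has expired and must be changed"
    BAD_PASSWORD = "The password has been refused and resynchronized (BadPassword)"
    NEW_PASSWORD_PROVIDED = "A new password has been provided but not confirmed"
    NEW_PASSWORD_CONFIRMED = "The new password has been confirmed"
    NEW_PASSWORD_REFUSED = "A new password has been refused (after a rollback)"


class Action(enum.Enum):
    SKIP = "window left alone"
    SSO = "window processed (fields filled / actions played)"
    COLLECT = "treated as bad password: ask the user for credentials"


@dataclass
class WindowDef:
    name: str
    # Empty set = "The window is always detected".
    states: Set[SsoState] = field(default_factory=set)
    # State the application moves to once this window has been processed.
    next_state: Optional[SsoState] = None
    # "Consider the reappearance of the window as meaning 'bad password'" timer.
    reappear_bad_password_secs: Optional[float] = None


@dataclass
class AppSession:
    validity_days: float            # password validity period from the PFCP
    password_set_at: float          # epoch seconds of the last password change
    state: SsoState = SsoState.NOT_PERFORMED
    last_seen: Dict[str, float] = field(default_factory=dict)

    def current_state(self, now: float) -> SsoState:
        """Expiry is derived from the PFCP validity period, not stored."""
        if (self.state in (SsoState.PERFORMED_VALID, SsoState.NEW_PASSWORD_CONFIRMED)
                and now - self.password_set_at > self.validity_days * DAY):
            return SsoState.PERFORMED_EXPIRED
        return self.state

    def detect(self, window: WindowDef, now: float) -> Action:
        """Decide what to do with one appearance of `window` at time `now`."""
        previous = self.last_seen.get(window.name)
        self.last_seen[window.name] = now
        # Reappearance timer: the same login window coming back within x seconds
        # after a successful SSO means the application rejected what was typed.
        if (window.reappear_bad_password_secs is not None
                and previous is not None
                and now - previous < window.reappear_bad_password_secs
                and self.state is SsoState.PERFORMED_VALID):
            self.state = SsoState.BAD_PASSWORD
            return Action.COLLECT
        state = self.current_state(now)
        if window.states and state not in window.states:
            return Action.SKIP
        if window.next_state is not None:
            self.state = window.next_state
            if window.next_state is SsoState.NEW_PASSWORD_CONFIRMED:
                self.password_set_at = now      # validity period starts again
        return Action.SSO


# Window definitions mirroring the guide's example: Login, a virtual
# "Password Expire" window gated on expiry, then the change/confirm windows.
LOGIN = WindowDef("Login", {SsoState.NOT_PERFORMED, SsoState.BAD_PASSWORD},
                  next_state=SsoState.PERFORMED_VALID, reappear_bad_password_secs=10)
PASSWORD_EXPIRE = WindowDef("Password Expire", {SsoState.PERFORMED_EXPIRED})
CHANGE_PASSWORD = WindowDef("Change Password", {SsoState.PERFORMED_EXPIRED},
                            next_state=SsoState.NEW_PASSWORD_PROVIDED)
CONFIRM_PASSWORD = WindowDef("Confirm Password", {SsoState.NEW_PASSWORD_PROVIDED},
                             next_state=SsoState.NEW_PASSWORD_CONFIRMED)


def scenario() -> List[Tuple[str, str]]:
    """Replay a session: login, a rejected login, then expiry 91 days later."""
    s = AppSession(validity_days=90, password_set_at=0.0)
    t = 91 * DAY
    steps = [(LOGIN, 0.0), (PASSWORD_EXPIRE, 1.0), (LOGIN, 5.0), (LOGIN, 100.0),
             (PASSWORD_EXPIRE, t), (CHANGE_PASSWORD, t + 1), (CONFIRM_PASSWORD, t + 2),
             (PASSWORD_EXPIRE, t + 3)]
    return [(w.name, s.detect(w, when).name) for w, when in steps]


if __name__ == "__main__":
    for name, action in scenario():
        print(f"{name:18} -> {action}")
```

The scenario shows the two points that matter when combining these options: the virtual Password Expire window is left alone until the PFCP validity period has elapsed, and the Login window is only processed again after a reappearance once the state has moved to BadPassword and the user has been asked for credentials.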

 

The Execution options Area

Activate window masking

This option allows you to hide the window of an application behind an Enterprise SSO window displaying a customizable text. You can use this option if you do not want the user to see the login/password being typed, for example.

Consider the reappearance of the window as meaning 'bad password'

Select this option for login windows that are displayed again when the login/password values are wrong: the application rejects the authentication and redisplays its connection window, which Enterprise SSO then treats as a bad password window and answers with a login/password collection window.

NOTE: To benefit from this bad password feature on an Enterprise SSO window of type CustomScript, you must declare a special event in the script.

Use the timer associated with this option as follows: if the authentication window reappears within x seconds, it is considered a bad password window.

This is the case for the authentication window used by Internet Explorer to log on to restricted areas.

Redetect the window after

Select this option to reactivate the window detection after a certain delay (seconds).

The Advanced Options area

Select the check boxes to activate the following actions:

Do not disable the window during SSO and Do not disable the window when asking for user input

Select these options so that the user can interact with the window detected during SSO.

 

IMPORTANT: This is only relevant for IE, Firefox and Chrome.

 

Use alternative field detection method...

Select this option so that:

  • The window definition for IE 6, 7 and 8 is the same for all three of them.
  • If the web page is modified, SSO is still executed.

NOTE: If this option slows down the window detection, define one window for each IE version instead.

You must start the configuration over again if you select this option.

Try to use for Firefox...

NOTE: This option may not work with all web pages.

Select this option so that the window definition for IE is also applied to Firefox.

NOTE: If this option does not work, you must create a specific window definition for Firefox.

You must start the configuration over again if you select this option.

Enterprise SSO for mobiles: this is a basic authentication dialog

Select this option if you are using this window for QRentry E-SSO and that this window is an HTTP authentication window.

NOTE: For more information on QRentry, refer to the QRentry - Guide de l’utilisateur.

Don’t cache value

Select this option to force E-SSO to update continuously the information of the application.

Make this definition compatible with all Internet Explorer versions

Forces the compatibility of the technical definition with all the versions of Internet Explorer.

Wait for an URL change before performing SSO again

Select this check box so that SSO is not performed again as long as the URL of the page is unchanged.

System information

Select one or more check boxes to refine the SSO detection of windows by process architecture and/or Operating System:

  • Perform SSO only if the process is:
    • a 32-bit process.
    • a 64-bit process.
  • Perform SSO only if the operating system is:
    • Windows XP/2003
    • Windows 7/2008
    • Windows 8/2012
    • Windows 10

IMPORTANT: By default, all the check boxes are selected.

The "Detection" and "Actions" Tabs

The Detection and Actions tabs are described in the sections of this guide that are related to the "plug-in types", as their content depends on the selected window type.

Testing the SSO

Subject

ESSO Enterprise Studio allows you to test the SSO configuration you have created.

Restriction

This feature is available only if you use ESSO Enterprise Studio with Controller.

This feature is not available with Personal SSO Studio.

Procedure

 

  1. In the ESSO Enterprise Studio main window, right-click the Technical definitions you want to add to the test list and click Add to Test List.

    NOTE: To remove a technical definition from the list, right-click the object and select Remove from Test List.

    A small check mark appears on the Technical definition icon.

  2. Right-click one of the selected items and click Test.

    A confirmation window appears, informing you that Enterprise SSO is about to be started in test mode.

  3. Click OK.

    The Enterprise SSO Account panel displays only the selected technical definitions: you can start the corresponding applications to test window detection and the collection of security data, without any modification in the directory.

  4. To disable the test mode, right-click one of the tested items and click Test again.

    The following window appears:

  5. Select one of the following options:
    • Reset SSOEngine configuration: resets the SSO Engine.
    • Stop test mode: test mode is stopped, but the tested technical definitions remain available in ESSO Enterprise Studio.
    • Stop test mode and restart SSOEngine: test mode is stopped and the SSO Engine is reset.

 

Backing up Objects

Before starting

The EAM Services solution is backed up together with the directory that hosts EAM.

There is therefore no backup of the EAM solution alone; however, you can back up the objects created in EAM, such as users, groups and OUs.

Subject

The Import/Export feature allows you to back up SSO configurations and therefore reuse them.

Description

When testing SSO configurations: if the Application and Window objects that you have created in your test environment are working, use the import/export feature to exploit them in the live environment.

You can export/import the following objects:

  • An Application (without Controller) or an External Reference (with Controller) and its associated windows.
  • Windows, PFCPs (without Controller) or Application Profiles (without Controller).

NOTE: Each exported object is saved in an .SSE (Enterprise SSO Export) file.

In this section:

Exporting/Importing Objects using the Graphical Interface

Exporting procedure

To export an object, do the following:

  1. In the ESSO Enterprise Studio main window, right-click the object you want to export and click Export.

    The Explorer window appears.

  2. Choose a saving location for the object and click OK.
Importing procedure

 

To import an object, do the following:

  1. In the ESSO Enterprise Studio main window, right-click the node where you want to import the file and click Import.

    NOTE: To import a window, select the application that will receive this window.

    The Explorer window appears.

  2. Select the object to import and click OK.

    The object appears in the tree, at the selected location.

 

Importing Objects using Command Line Arguments (without Controller)

Subject

You can import .SSE files using command line arguments. This feature allows you to create batch files to automate the import of several objects from your test environment to the live environment.

IMPORTANT: This feature is more powerful than the import of objects using the graphical interface. You can use it to define accesses to applications in addition to the import operation.

 

Before starting

NOTE: For more details on the objects that you can import, see Backing up Objects.

  • Close the ESSO Enterprise Studio graphical interface.
  • You can combine this feature with the possibility to share account base using command lines, which is described in "Account Base" tab of an Application Object.
Procedure

To import an object, at the Windows prompt, type the following command:

<Enterprise SSO installation folder>\SSOBuilder.exe [/login <name>] [/password <password>] /import <filename.sse> /location <Organization DN> [/access <group>] [/profile <profile>]

Arguments between square brackets [ ] are optional.

The arguments are explained below:

  • <Enterprise SSO installation folder>
    "C:\Program Files\Evidian\WG SSOWatch\SSOBuilder.exe" by default.
  • /login <name> and /password <password>
    Login name and password of the EAM administrator.

    Note: Use the DOMAIN\login format.

    If the login name and password of the administrator are not specified, the ESSO Enterprise Studio authentication window appears.

    The administrator account used to run the import must have sufficient rights.
  • /import <filename.sse>
    Full path name of the .SSE file that contains the object(s) to import.

    Note: if the object to import is associated with another ESSO object (an Application associated with a PFCP, for example) and the name of this object (the PFCP) is used by several objects, the first one found is used. If no object is found, the default object is used.
  • /location <Organization DN>
    Distinguished Name of the organization where the object will be created.
  • /access <group>
    Name of the group of users to whom you want to grant access to the imported Application.

    Note: You can use either the "Group Name" or the "Group DN" format.

    If you do not specify this argument, check the access configuration using ESSO Enterprise Studio.

    This argument works only with Application objects.
  • /profile <profile>
    Name of the Application Profile to associate with the imported Application.

    Note: You can use either the "Group Name" or the "Group DN" format.

    If you do not specify this argument, the default Application profile is used.

    This argument works only with Application objects.

Examples

The following command allows you to import MyExportedFile.sse into the Applications container:

"C:\Program Files\Evidian\WG SSOWatch\SSOBuilder.exe" /login DOMAIN\WGAdmin /password AdminPWD /import C:\MyExportedFile.sse /location OU=Applications,OU=Organization,DC=domain,DC=acme,DC=com

You have created the APP application, for which access is restricted to the group of users GROOP. To import this application and keep access restricted to GROOP, use the following command:

"C:\Program Files\Evidian\WG SSOWatch\SSOBuilder.exe" /login DOMAIN\WGAdmin /password AdminPWD /import C:\MyExportedAPP.sse /location OU=Applications,OU=Organization,DC=domain,DC=acme,DC=com /access GROOP
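The guide suggests batch files for these imports and for the /share command described under the "Account Base" tab. The script below, added here and not part of the guide or the product, builds such a batch in Python rather than in a .bat file, for two reasons a practitioner cares about: the arguments are passed as a list (no cmd.exe re-parsing of DNs or names containing spaces), and /password is opt-in with a warning, because a password on the command line ends up in the batch file on disk, in process listings and in command-line audit logs (Windows event 4688 with command-line logging enabled); leaving it out makes the ESSO Enterprise Studio authentication window prompt instead, as documented above. The default path is the one from the guide; the file names, DN, group and application names in the usage block are constructed, and the dry run only prints the commands.

```python
import subprocess
import sys
from pathlib import Path
from typing import List, Optional, Sequence, Tuple

# Default location given in the guide; pass exe=... for a non-default install.
SSOBUILDER = Path(r"C:\Program Files\Evidian\WG SSOWatch\SSOBuilder.exe")


def _auth(login: Optional[str], password: Optional[str]) -> List[str]:
    """/login and /password switches. Both are optional: with neither, the ESSO
    Enterprise Studio authentication window prompts instead, which keeps the
    administrator password out of batch files, process listings and
    command-line audit logs. Passing it here is therefore opt-in."""
    args: List[str] = []
    if login is not None:
        if "\\" not in login:
            raise ValueError("use the DOMAIN\\login format")
        args += ["/login", login]
    if password is not None:
        if login is None:
            raise ValueError("/password without /login")
        print("warning: administrator password will appear on the command line",
              file=sys.stderr)
        args += ["/password", password]
    return args


def import_args(sse_file: str, location_dn: str, access: Optional[str] = None,
                profile: Optional[str] = None, *, exe: Path = SSOBUILDER,
                login: Optional[str] = None, password: Optional[str] = None,
                must_exist: bool = True) -> List[str]:
    """argv for 'SSOBuilder.exe /import <file.sse> /location <DN> [...]'."""
    if must_exist and not Path(sse_file).is_file():
        raise FileNotFoundError(sse_file)
    if "=" not in location_dn:
        raise ValueError(f"/location expects a distinguished name, got {location_dn!r}")
    argv = [str(exe), *_auth(login, password),
            "/import", sse_file, "/location", location_dn]
    if access:
        argv += ["/access", access]
    if profile:
        argv += ["/profile", profile]
    return argv


def share_args(master: str, slave: str, *, exe: Path = SSOBUILDER,
               login: Optional[str] = None, password: Optional[str] = None) -> List[str]:
    """argv for 'SSOBuilder.exe /share <MasterApplication> <SlaveApplication>'."""
    if not master or not slave or master == slave:
        raise ValueError("master and slave must be two different Application names")
    return [str(exe), *_auth(login, password), "/share", master, slave]


def plan(imports: Sequence[Tuple[str, str, Optional[str]]],
         shares: Sequence[Tuple[str, str]], *, exe: Path = SSOBUILDER,
         login: Optional[str] = None, password: Optional[str] = None,
         must_exist: bool = True) -> List[List[str]]:
    """Order a batch: all imports first, because /share needs both Applications
    to exist in the directory before it can link their Account bases."""
    commands = [import_args(f, dn, group, exe=exe, login=login, password=password,
                            must_exist=must_exist) for f, dn, group in imports]
    commands += [share_args(m, s, exe=exe, login=login, password=password)
                 for m, s in shares]
    return commands


def render(argv: List[str]) -> str:
    """One batch-file line, quoted the way the Windows C runtime expects."""
    return subprocess.list2cmdline(argv)


def run(commands: List[List[str]], dry_run: bool = True) -> int:
    """Run the batch without shell=True and stop at the first non-zero exit
    code, so a failed import is not followed by a /share against an
    Application that does not exist."""
    for argv in commands:
        if dry_run:
            print(render(argv))
            continue
        rc = subprocess.run(argv, check=False).returncode
        if rc != 0:
            return rc
    return 0


if __name__ == "__main__":
    DN = "OU=Applications,OU=Organization,DC=domain,DC=acme,DC=com"  # constructed
    batch = plan(imports=[(r"C:\MyExportedFile.sse", DN, None),
                          (r"C:\MyExportedAPP.sse", DN, "GROOP")],
                 shares=[("APP1", "APP2")],
                 login=r"DOMAIN\WGAdmin", must_exist=False)
    run(batch, dry_run=True)
```

Close the ESSO Enterprise Studio graphical interface before running the batch for real, as both command-line procedures require, and keep must_exist at its default so a mistyped .SSE path is caught before SSOBuilder.exe is started.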

Managing Objects in the Tree

This section explains how to copy, cut, paste, rename and delete objects of the tree.

In this section:

Copying/Cutting/Pasting Objects

Subject

You can perform basic operations with tree objects, as explained in the following procedure.

Procedure
  1. In the ESSO Enterprise Studio main window, right-click the object you want to copy and click one of the following commands:
    • Copy, to duplicate the selected object.
    • Cut, to copy the object and remove it from its current location (the object will not be removed if it is not pasted afterwards).
  2. In the tree, right-click the node where you want to paste the copied object and click Paste.

    The object appears in the tree at the selected location.

Renaming an Object

Procedure
  1. In the ESSO Enterprise Studio main window, right-click the object you want to rename and click Rename.

    The object name is selected.

  2. Type the name you want to display for the object and press the ENTER key.

    The object is renamed.

Deleting an Object from the Tree

Subject

If you use ESSO Enterprise Studio in LDAP mode, the tree displayed corresponds to the LDAP directory. If you delete an object from the tree, it will not be deleted from the LDAP directory as long as you have not updated it (see Refreshing the Tree).

Procedure

  1. In the ESSO Enterprise Studio main window, right-click the object you want to delete and click Delete.

    A confirmation window appears.

  2. Click OK.

    The object is deleted from the tree.

Saving Object Configurations

This section explains how to save the object configurations. In ESSO Enterprise Studio used in:

  • Local storage mode, Enterprise and Personal configurations are stored differently:
    • Enterprise mode: you can create as many configurations as you wish, and each configuration is saved in a file.
    • Personal mode: a single and unique configuration is dedicated to you. It is automatically accessible when opening Personal SSO Studio, and is stored in the security database defined during the installation phase (LDAP directory or Windows Registry).
  • LDAP storage mode, centralized configuration is defined in the LDAP directory for which SSO access is either authorized or denied for a given user or group of users.

In this section:

Saving Object Configurations in LDAP Storage Mode (with Controller)

Subject

In LDAP storage mode, centralized configuration is defined in the LDAP directory for which SSO access is either authorized or denied for a given user or group of users.

  • Without Controller, the configuration is immediately and automatically saved in the LDAP directory.
  • With Controller, you must save the directory modifications, as explained in the following procedure.
Procedure

In ESSO Enterprise Studio (used in LDAP storage and with Controller), in the File menu, click Update directory.

The LDAP directory is updated with the configurations defined in ESSO Enterprise Studio.

Saving Object Configurations in Local Storage Mode

Subject

In local storage mode, the storage operation depends on the ESSO Enterprise Studio version used:

  • With Personal SSO Studio, a single and unique configuration is dedicated to each user. It is accessible automatically when opening Personal SSO Studio.
  • With ESSO Enterprise Studio, you can save as many configurations as wanted: each configuration is saved in a file.
Procedure
  • In Personal SSO Studio (local storage mode), click File/Save.

    The configuration is saved in the Windows Registry.

  • In ESSO Enterprise Studio (local storage mode), click File/Save.

    The Explorer window appears.

    Name the configuration and select the location where you want to save the configuration.

    The configuration is saved in an .SSO file in the selected location.

Managing Configuration Updates

Subject

To optimize network traffic, you can use the update management feature. By default, the EAM workstations retrieve the whole SSO configuration periodically. The update management feature allows you to post an update, which generates a unique identifier. The workstations retrieve the application data and this identifier. As long as the identifier is unchanged between the directory and the cache of the workstations, the workstations do not update their SSO configuration.

Restriction

The feature described in this section is only available in ESSO Enterprise Studio used in LDAP storage mode and without Controller.

Procedure
  • To enable the update management feature: In the File menu of ESSO Enterprise Studio, select Manage Updates and click Disable Update Management.
  • To post an update, which generates a unique identifier: In the File menu of ESSO Enterprise Studio, select Manage Updates and click Post an Update.

NOTE: When a workstation runs an update, it retrieves the entire configuration (and not only the configuration corresponding to the last posted update). So this feature does not prevent workstations from retrieving the applications configured by administrators after the last posted update, if the data on the workstation is older than the last posted update.

Refreshing the Tree

Subject

Refreshing the tree means updating it so that it displays the current corresponding LDAP directory.

IMPORTANT: If you have performed modifications in the tree and have not saved them, refreshing the tree will cancel all your unsaved modifications.

Restriction

This feature is only available in ESSO Enterprise Studio used in LDAP storage mode.

Procedure

In ESSO Enterprise Studio main window, in the Edit menu, click Refresh.

The displayed tree is updated with the current LDAP directory.
