
Enterprise Single Sign-On 9.0.2 - Enterprise SSO Administration Guide

The Generic Plug-in


Subject

The "generic plug-in" allows you to define SSO or account collect (in Access Collector mode) configurations by detecting windows used by the following types of applications:

  • All Microsoft Windows applications.
  • Web applications (Internet Explorer, Firefox or Chrome).
  • Java applications or applets.

IMPORTANT: The configuration of SSO for Java requires advanced skills. To deliver SSO access to Java applications, an integration service is required. Please contact One Identity services at srv-expertise@oneidentity.com.

The window objects that allow you to perform the SSO belong to the Generic Windows, as shown in the following figure:

IMPORTANT: These window types allow you to detect any Microsoft Windows application, including HTML pages displayed by web browsers such as Internet Explorer, Firefox or Chrome. Do not use the Microsoft Internet Explorer plug-in (HTML Pages) to define new windows.

Before starting

If you want to detect a Java application, make sure the following components are properly installed on your workstation:

  • A supported Java version (for more details about the supported JRE versions, see the Evidian EAM Release Notes).
  • The Evidian SSOJava Plug-in, which must be installed after the JRE (for more information, see the Evidian EAM Installation Guide).

In this section:

Window Detection

When you create a Window in the configuration editor, you have to define the window that must be detected by Enterprise SSO. You must carry out this operation through the Detection tabbed panel:

To define the window detection, you must do the following:

  1. Select the window that must be detected by Enterprise SSO, using the target button. For more details, see Simple Detection.
  2. If necessary, modify the detection parameters for the selected window by filling in the Parameters of the selected window area.
    • Upon the detection of the window (Step 1), the Detect by Window Class and Detect by Window Title options are selected. These options are usually sufficient to enable the detection of the window by Enterprise SSO.
    • If these options are not sufficient, you can use advanced detection parameters, by looking for additional texts in the window (Look for text option), and/or by adding constraints on the detection process (Advanced button). For more details on these detection parameters, see Advanced Detection.

In this section:

Simple Detection

Depending on the type of window to detect, the selection area of the Detection tabbed panel is different:

In this section:

Simple Detection of a Window or a Java Applet

To detect a window, Enterprise SSO first looks for its title (for standard or Java applications) or its login area (for Java applets). It can then look for the presence of an additional text in the window.

To automatically configure the necessary basic data, do one of the following:

  • For standard or Java application windows, drag and drop the target button located in the top right of the Detection tabbed panel onto the title bar of the window that you want to detect. The data from the last targeted window is displayed in the configuration window, as shown in the following figure.
  • For Java applets, drag and drop the same target button onto the login area of the applet that you want to detect. The data from the last targeted window is displayed in the configuration window, as shown in the following figure:

    The Detection tab now shows a tree structure for the targeted window, as well as its parent windows, if any; each window is represented on two lines differentiated by the icon on the left of the line:

 

Each of the two lines is identified by its icon:

  • First line: the real characteristics of the targeted window (real title and class).
  • Second line: the data used to detect the targeted window (detection method, modified title).

At this point, the "simple" detection parameters of the selected window are automatically configured as follows:

  • Detect by Window Class.
  • If the window has a title, Detect by Window Title (not case sensitive).

If you want to modify these configuration parameters, make selections in the bottom half of the property page; if a targeted window has parent windows, you can modify the configuration for any intermediate window.

The following title detection methods are available (not case sensitive):

  • Is equal to: the window title must be equal to the given character string.
  • Starts with: the window title must start with the given character string.
  • Contains: the window title must contain the given character string.
  • Ends with: the window title must end with the given character string.

Example

Let us assume that the application authentication window has a title similar to: Enter the password for FirstName LastName.

This title is a problem because FirstName and LastName differ for each user who authenticates to this application.

In this case, edit the text and reduce it to Enter the password for, and select the Starts with or Contains detection method.

Simple Detection of a Web Page

IMPORTANT: If you are using different web browsers at the same time (Internet Explorer and Firefox for example), you must create two different windows: one window for the web page displayed in Internet Explorer, and another one for the web page displayed in Firefox. If the title of the web page differs depending on the language used, you must also create as many different windows as there are different titles.

Description

To detect a web page, Enterprise SSO first looks for its URL. It can then look for the presence of additional text or field in the web page.

To automatically configure the necessary basic data, drag and drop the target button located in the top right of the Detection tabbed panel onto the web page that you want to detect. The data from the last targeted window is displayed in the configuration window, as shown in the following screenshot:

The Detection tab now shows the URL of the web page (Web page area). At this point, you can adjust the detection parameters of the selected web page by defining a variable URL (Variable URL area) or by detecting a field in the web page (Parameter of the web page area) for example. For more details, see Advanced Detection.

NOTE: SSO is triggered when all the required fields are displayed, even if the web page is not entirely loaded.

Advanced Detection

In this section:

The Enable Variable URL Detection option

Restriction

This option is only available upon the detection of a web page URL.

Description

Some websites are provided by clusters of HTTP servers (for instance Hotmail) or use the URL to keep session data (for instance Yahoo! Mail). This leads to URLs with variable parts.

To configure the detection of a web page that uses a variable URL, select Enable variable URL detection and click the Configure button.

NOTE: If a variable URL detection has already been configured and you select a new URL with the Get URL button, Enterprise SSO checks the compatibility of the new URL with the old URL variable schema. If the schema cannot be matched, confirmation is requested before the old URL variable schema is destroyed.

The variable URL configuration window looks like this:

The selected URL is displayed in the text field.

To setup the variable parts, there are two solutions:

  • Use the generic characters: select (with the mouse or the keyboard arrows and the SHIFT key) a part of the URL (1). The tool bar is updated and shows only the generic characters that match the selection. In the tool bar, select the wanted generic character (2).

    Generic characters are represented as follows:

    • Replaces any character (one or more). Corresponds to .+ in a regular expression.
    • Replaces alphanumeric characters (one or more): lower case letters, upper case letters and digits. Corresponds to [a-zA-Z0-9_]+ in a regular expression.
    • Replaces letters (one or more): lower or upper case. Corresponds to [a-zA-Z_]+ in a regular expression.
    • Replaces digits (one or more). Corresponds to [0-9]+ in a regular expression.

    If you select a generic character, you can restore the original text with the Revert action.

IMPORTANT: A variable URL must never begin with a generic character.

Example:

In the previous window, an Outlook URL is displayed. The variable parts are the numbers 12 (after "rpsnv=") and 1398851398 (after "&ct=").

You only need to select 12 and click the digits generic character in the toolbar, then select 1398851398 and click the same generic character again. The field is then displayed like this:

  • Create your own regular expression: select the I write my own regular expression check box (3) and enter your regular expression in the text field.

    Example:
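The generic characters above are simply regular-expression classes substituted into the literal URL. The following Python example, added here and not part of the product or of this guide, builds that expression from a captured URL and the selected parts, enforces the rule that a variable URL must not begin with a generic character, and shows why the narrowest class should be preferred: the "any character" class (.+) also matches across parameter boundaries, so a detection that is wider than intended can trigger SSO on URLs you did not mean to cover. The sample URL, the names given to the generic characters and the function names are this example's own assumptions; only the rpsnv and ct values come from the guide's Outlook example.

```python
import re

# Generic characters from the variable URL toolbar, keyed by names this example
# gives them (assumption: the guide shows them only as icons), with the regular
# expression each one corresponds to.
GENERIC = {
    "any":     r".+",
    "alnum":   r"[a-zA-Z0-9_]+",
    "letters": r"[a-zA-Z_]+",
    "digits":  r"[0-9]+",
}


def build_variable_url(url, selections):
    """Build the anchored regular expression behind a variable URL.

    url: the URL captured with the target button.
    selections: (substring, generic_name) pairs in left-to-right order; each one
    replaces the first occurrence of substring in the not-yet-processed remainder,
    like selecting part of the URL and clicking a toolbar icon. Everything else is
    escaped so that '.', '?' and '&' stay literal.
    """
    parts = []
    rest = url
    for literal, generic in selections:
        idx = rest.find(literal)
        if idx < 0:
            raise ValueError(f"{literal!r} not found in {rest!r}")
        parts.append(re.escape(rest[:idx]))
        parts.append(GENERIC[generic])
        rest = rest[idx + len(literal):]
    parts.append(re.escape(rest))
    if parts[0] == "":
        # Guide rule: a variable URL must never begin with a generic character.
        raise ValueError("variable URL must not begin with a generic character")
    return re.compile("^" + "".join(parts) + "$")


def matches(regex, url):
    """True if the whole URL matches the variable URL expression."""
    return regex.match(url) is not None


# Constructed sample standing in for the Outlook URL of the guide's example; only
# the rpsnv and ct values are taken from the guide.
SAMPLE_URL = "https://mail.example.com/login.srf?rpsnv=12&ct=1398851398"

if __name__ == "__main__":
    narrow = build_variable_url(SAMPLE_URL, [("12", "digits"), ("1398851398", "digits")])
    loose = build_variable_url(SAMPLE_URL, [("12", "any")])
    probe = "https://mail.example.com/login.srf?rpsnv=12&redirect=x&ct=1398851398"
    print(narrow.pattern, matches(narrow, probe))  # digits only: the probe is rejected
    print(loose.pattern, matches(loose, probe))    # '.+' swallows the extra parameter
```

Run the file directly to print both expressions against a probe URL carrying an extra parameter; the digits-only expression rejects it, the "any character" one accepts it.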

The Look for text option

There are cases where detection based on a window class and title is not enough to distinguish between windows. For example, assume you need to distinguish between two authentication windows that are both standard dialog boxes (class "#32770") and have the same title (for example, Enter password). Such a case requires an advanced detection method.

This method searches for a specific text in the window's fields (Windows controls).

To configure advanced detection, select in the window list the window that must be detected, and fill in the Look for text area.

Two search methods exist:

  • In the whole window: the text is searched in all the window fields.
  • In Field: allows you to specify a field where the search will be carried out for a finer search. This field can be configured with the small target button by dragging and dropping it onto the target field. The field content will be automatically pasted in the look for text field.

    The search comparison is of type contains and is not case sensitive.

    • If the selected Windows control field identifier is 0xFFFF, the search is automatically extended to all the window control fields. This identifier is a special one used for generic static texts; it can appear more than once in a window.
    • This search method is not supported by Microsoft Edge.

The Advanced button

You can define a list of constraints to refine the advanced detection parameters, using the Advanced button. This button allows you to add constraints on the windows detected by Enterprise SSO, to enable or disable Single Sign-On, as described in the following procedure:

  1. In the Detection tabbed panel, click the Advanced button.

    The following window appears:

  2. Click the Add button.

    The following window appears:

  3. Fill-in this window with the following guidelines:
    • The fields are already filled in by default with the values of the selected target window.
    • Use the target button only if the target window is not the wanted one.
    • If you select only the Signature check box, SSO will be disabled, as the value of this parameter changes.
    • If you select several check boxes to define the constraint, the application containing the window to detect must meet all the parameters defined by these check boxes (logical AND).
  4. Click OK.

    The constraint is added to the constraint list.

IMPORTANT: Remember that Enterprise SSO detects the window as soon as one of the listed constraints is verified (logical OR).

Restrictions

To authenticate to an application, Enterprise SSO implements the user’s sign-on for him. Therefore, Enterprise SSO considers that an application is valid as soon as the user is able to enter the information requested by the application.

Consequently, Enterprise SSO only detects windows that are:

  • Visible.
  • Not minimized.
  • "Active" in the Windows sense, i.e. they can accept user inputs.

Therefore, Enterprise SSO cannot perform SSO for minimized or hidden windows.
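The detection decision combines everything described above: the window class, the title method (not case sensitive), the Look for text search (contains, not case sensitive, over the whole window or a single control, with 0xFFFF extending the search to all controls), the Advanced constraints (each constraint is an AND of its checked parameters, the list is an OR) and the restrictions on visible, non-minimized, active windows. The following Python model, added here as an example and not code from Enterprise SSO, makes that logic explicit so that a configuration can be reasoned about before it is deployed. The class, function and attribute names, the constraint keys and the two sample dialogs are this example's assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

STATIC_TEXT_ID = 0xFFFF  # special identifier used for generic static texts


@dataclass
class Control:
    ident: int   # control identifier, shown in hexadecimal by the target tool
    cls: str     # control class
    text: str    # text found in the control


@dataclass
class Window:
    cls: str
    title: str
    controls: List[Control]
    visible: bool = True
    minimized: bool = False
    active: bool = True
    # Process attributes an Advanced constraint can test. The keys are this
    # example's assumption; the guide only shows them as check boxes.
    app: Dict[str, str] = field(default_factory=dict)


# Title detection methods, applied to case-folded strings (not case sensitive).
TITLE_METHODS = {
    "is equal to": lambda title, s: title == s,
    "starts with": lambda title, s: title.startswith(s),
    "contains":    lambda title, s: s in title,
    "ends with":   lambda title, s: title.endswith(s),
}


@dataclass
class DetectionRule:
    window_class: Optional[str] = None      # Detect by Window Class
    title: Optional[str] = None             # Detect by Window Title
    title_method: str = "is equal to"
    look_for_text: Optional[str] = None     # Look for text option
    look_in_control: Optional[int] = None   # None = In the whole window, else In Field
    # Advanced button: each constraint is a dict of checked parameters (AND);
    # the window is detected if any constraint in the list is verified (OR).
    constraints: List[Dict[str, str]] = field(default_factory=list)


def title_matches(rule: DetectionRule, window: Window) -> bool:
    if rule.title is None:
        return True
    method = TITLE_METHODS[rule.title_method]
    return method(window.title.casefold(), rule.title.casefold())


def text_found(rule: DetectionRule, window: Window) -> bool:
    """Look for text: a 'contains', case-insensitive search in the window's controls."""
    if rule.look_for_text is None:
        return True
    needle = rule.look_for_text.casefold()
    if rule.look_in_control is None or rule.look_in_control == STATIC_TEXT_ID:
        candidates = window.controls   # whole window; 0xFFFF extends the search to all controls
    else:
        candidates = [c for c in window.controls if c.ident == rule.look_in_control]
    return any(needle in c.text.casefold() for c in candidates)


def constraints_satisfied(rule: DetectionRule, window: Window) -> bool:
    if not rule.constraints:
        return True
    return any(all(window.app.get(k) == v for k, v in c.items())
               for c in rule.constraints)


def usable(window: Window) -> bool:
    """Restrictions: only visible, non-minimized, active windows are detected."""
    return window.visible and not window.minimized and window.active


def detected(rule: DetectionRule, window: Window) -> bool:
    return (usable(window)
            and (rule.window_class is None or window.cls == rule.window_class)
            and title_matches(rule, window)
            and text_found(rule, window)
            and constraints_satisfied(rule, window))


# Constructed sample windows: two standard dialogs with the same class and title,
# distinguishable only by a static text (the case from the Look for text section).
MAIL_DIALOG = Window("#32770", "Enter password", [
    Control(STATIC_TEXT_ID, "Static", "Mail server: mx1"),
    Control(0x3E8, "Edit", ""),
], app={"exe": "mailclient.exe", "version": "2.0"})
VPN_DIALOG = Window("#32770", "Enter password", [
    Control(STATIC_TEXT_ID, "Static", "VPN gateway"),
    Control(0x3E8, "Edit", ""),
], app={"exe": "vpnclient.exe", "version": "1.0"})
```

A rule with only class and title matches both sample dialogs; adding Look for text "mail server" separates them, and a constraint list is satisfied by whichever dialog meets all parameters of at least one constraint.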

User Interface

In this section, we introduce the tools and elements of the user interface that allow you to configure windows of type Windows.

The tools are:

  • The target button that allows you to select a Windows control (field or button).
  • The optional parameter list that allows you to enter SSO data other than user name/password.
  • The actions list to be performed after the fields have been filled.

In this section:

The Target button

Use the target button to select a window control field of type Windows (text field, button, etc.).

This target can be used in two ways:

  • By performing a drag and drop onto the target control field: click the target and keep the mouse button down; the mouse cursor changes to a target; drag it to the target control field and release the mouse button.

    Once the mouse button has been released, the field is updated with the control field information (and the intermediate windows/control fields if they exist):

    The information displayed gives the control field identifier (in hexadecimal), its class and the text found when the control field was detected.

    A new window can be opened by clicking the target button:

  • By directly clicking the target button to display all the control fields in the window.

    In the Control Detection window, a new target icon allows you to select the desired control field (with drag and drop). This window allows you to see the selected control field’s details and the different levels of nested windows between the control field and the base window. This is useful for example to select control fields with the same name in windows containing multi-frames. You can click on a control field to highlight the corresponding field in the window.

    Only the path from the base window to the target is displayed. To see all the other control fields/windows, you must select the Display all window details check box.

    You can also identify the control by its position by selecting the Identify the control by its position in the control hierarchy check box.

    NOTE: You must re-select the windows to activate this mode.

    You can force the use of the Accessibility API to manage field detection by selecting the Activate Accessibility usage check box. The tree is then updated with the controls retrieved from the Accessibility API. You can then select the desired field.

    You can force the text conversion for sites requiring a specific character format. Select one of the elements from the drop-down list:

    • No modification: the text is sent as it is.
    • Convert to lowercase: the text is converted into lower case letters.
    • Convert to uppercase: the text is converted into upper case letters.
    • Convert to capitalized: the first letter of the first word is converted into upper case letters.

Validation Actions

When the fields have been filled by Enterprise SSO, you must validate the window with the Enter key or by clicking the OK button (for example). In most of the windows of type Windows, you have the following choices:

Generic Plug-in Actions

In this section:

StandardLogin – Connection

This type of window is the most frequent one; it performs the login for most of the applications of type Win32, Web and Java.

In this section:

Window Description

This property page enables you to specify:

  • The field that will receive the user identifier (or username) that allows the user to connect to the application.

The path of the field in the application appears next to the identifier.

 

  • The field that will receive the password associated with the username.
  • The Do not prompt for user account check box: when you select this check box, if a user reconnects to an application and has several accounts, it is the active account that is automatically used.
  • Additional authentication parameters, if needed. For more details, see Defining Additional Fields (Optional).
  • The window validation method.

Defining Additional Fields (Optional)

Subject

This section focuses on the Additional fields customization area of the Actions tab of the StandardLogin window type. This area allows you to define more fields than simply the couple of fields user name/password of the target application authentication window.

Before starting

The definition of additional fields is only possible if additional parameters are defined in the Application object associated with this window. For more details, see The "Parameters" Tab.

Procedure

 

  1. Click the Customize button.

    The following window appears:

    This window allows you to associate a Parameter with an authentication field of the target application.

  2. Select the wanted parameter in the list.

    NOTE: The Description field is in "read-only" mode. It displays the value of the Description field filled in upon the creation of the parameter at Application level.

  3. Use the target button to select the wanted authentication field in the target application.
  4. Click Insert.

    The parameter appears in the window.

  5. If necessary, repeat the operation with other parameters.
  6. Click OK.

 

Enterprise SSO Behavior

In Enterprise SSO, the following actions are performed after the window has been detected:

  • The username and password associated with the application are retrieved from the security system:
    • If required, the user will be prompted to choose one of his accounts.
    • If the selected (or single) account has no data, Enterprise SSO will ask the user for the associated password and will save it in the security database (collect).
  • Data is sent to the window.
  • Optional parameters associated with the selected account are retrieved from the security system: if one parameter value is unknown in the security system, it is collected.
  • Parameters are sent.
  • The window is validated.
  • BadPassword and NewPassword window types are activated.

    If the user clicks on Cancel, SSO is deactivated for the concerned application. To replay SSO, the application must be reactivated in Enterprise SSO.

BadPassword

Detects that the login previously submitted to the application by the SSO engine has been rejected by the application. The login must therefore be recollected and submitted to the application. This window is triggered only if the SSO has already been performed on the application.

In this section:

Window Description

This property page enables you to specify:

  • The validation method after the password has been updated in the security database (with a new authentication if needed).
  • The cancellation method of the window if the password update fails in the security database.
  • The field that will receive the user identifier (or username) if the user is prompted to re-authenticate.
  • The field that will receive the user password if the user is prompted to reauthenticate in the same window.
  • The optional parameters, if re-authentication is proposed in the same application window. For more details, see Defining Additional Fields (Optional).

Enterprise SSO Behavior

Full Version Behavior

In Enterprise SSO, the following actions are performed after the window has been detected:

  • The user is warned that the password stored in the security system is not the right one for this application; he is prompted to enter the right password (the user can also change the identifier if he has misspelled it in the collect window).
  • If the user cancels the window or if an error occurs, the window is canceled according to the selected method.

    NOTE: If the user clicks on Cancel and no method is indicated, SSO is deactivated for the concerned application. To replay SSO, the application must be reactivated in Enterprise SSO
  • If the new username/password pair is validated by the user and the security database is updated successfully:
    • The specified username, password and optional parameters are sent to the application.
    • The window is validated according to the specified method.

Access Collector Mode Behavior

  • If you configure a BadPassword window without specifying a login or password field, the detection of the window deletes the collected account. At the next login window detection, a new collect will be performed.
  • If you configure a BadPassword with sending of a login or a password, a BadPassword window will appear to collect the right account. If the user cancels this window, then the account is deleted and the collect will be restarted at the next user connection.

NewPassword

Detects that a new password is requested by the application. This window is triggered only if the SSO has already been performed on the application.

In Access Collector mode, the NewPassword window type is not available.

In this section:

Window Description

This property window allows you to enter:

  • The field that will receive the old password (optional).
  • The field that will receive the new password (optional).
  • The field that will receive the new password as a confirmation (optional).
  • The window validation method if the password has been successfully updated in the security database.
  • The cancellation method in case of failure or if the user cancels the window.

Enterprise SSO Behavior

In Enterprise SSO, the following actions are performed after the window has been detected:

  • If specified, the old password is sent (if the application can have many sessions at the same time and if several accounts are used, Enterprise SSO will ask the user to choose the relevant session).
  • The application asks the user for a new password or computes it itself (according to the PFCP associated with the application).
  • If the password is confirmed, the new password is saved in the security database.
  • In case of failure, the window is canceled.
  • In case of success, or without confirmation:
    • The new password is sent (if requested).
    • The new password is sent again (if confirmation is needed).
    • The window is validated.
    • BadNewPassword and ConfirmPassword window types are activated.

If the user clicks on Cancel, SSO is canceled for the concerned application. To replay SSO, the application must be relaunched.

Observation

As previously explained, the new password will be saved in the security database only after it has been confirmed:

  • Either in the same window (New password and Confirm password fields set).
  • Or in another window (NewPassword or ConfirmPassword) if the New password field has been set.

ConfirmPassword

Confirms a new password if it has not been done in the NewPassword window type. Default operation: a new password has been provided but not confirmed.

In Access Collector mode, the ConfirmPassword window type is not available.

In this section:

Window Description

This window allows you to configure "Confirm New Password" window management:

  • The field that will receive the old password (optional).
  • The field that will receive the new password as a confirmation.
  • The window validation method if the password has been successfully updated in the security database.
  • The cancellation method in case of failure or if the user cancels the window.

Enterprise SSO Behavior

In Enterprise SSO, the following actions are performed after the window has been detected:

  • The old password is sent (if requested).
  • The password is updated in the security database.
  • In case of failure, the window is canceled.
  • In case of success, the window is validated and the ConfirmPassword and BadNewPassword window types are disabled.

BadNewPassword

Detects that the new password submitted to the application is rejected. This window restores the old password and asks the user to re-enter a new password. If the PFCP and PGP are configured correctly, this window should not appear. Default operation: a new password has been submitted but not confirmed, or a new password has been confirmed.

In Access Collector mode, the BadNewPassword window type is not available.

In this section:

Window Description

This window type allows you to configure the BadNewPassword window type behavior by specifying the window validation method.

Enterprise SSO Behavior

In Enterprise SSO, the following actions are performed after the window has been detected:

  • The old password becomes the current password.
  • NewPassword window types are reactivated.
  • The window is validated.
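The StandardLogin, BadPassword, NewPassword, ConfirmPassword and BadNewPassword window types described above form a small state machine: which types are active, and when the security database is actually updated, depend on the order in which the windows are detected. The following Python simulation, added here as an example and not code from Enterprise SSO, implements the activation rules stated in those sections; its main point is that with a NewPassword window configured without a confirmation field, the new password is stored only once the ConfirmPassword window has been handled, and a BadNewPassword detection keeps the old one current. The class and method names, the simulated database, the password generator standing in for PFCP/PGP-driven generation, and the choice to drop a pending confirmation after BadNewPassword are this example's assumptions.

```python
import secrets
import string


def generate_password(length=12):
    """Stand-in for the product's PFCP/PGP-driven generation (assumption): a random
    password with at least one lower-case letter, one upper-case letter and one digit."""
    alphabet = string.ascii_letters + string.digits
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


class AppSsoState:
    """Window types active for one application, and what the security database
    holds, following the activation rules of this guide. The security database and
    the application are simulated by plain attributes (assumption)."""

    def __init__(self, username, password):
        self.db = {"username": username, "password": password}  # security database
        self.active = {"StandardLogin"}
        self.pending = None   # new password sent to the application, not yet confirmed
        self.sent = []        # (window type, username or old password, password) sent

    def _require(self, window_type):
        # BadPassword, NewPassword etc. are triggered only once SSO has been performed.
        if window_type not in self.active:
            raise RuntimeError(f"{window_type} is not active for this application")

    def standard_login(self):
        self._require("StandardLogin")
        self.sent.append(("StandardLogin", self.db["username"], self.db["password"]))
        self.active |= {"BadPassword", "NewPassword"}

    def bad_password(self, password, username=None):
        """The stored password was rejected: the user corrects it, the database is
        updated, then the corrected pair is sent to the application again."""
        self._require("BadPassword")
        if username:
            self.db["username"] = username
        self.db["password"] = password
        self.sent.append(("BadPassword", self.db["username"], password))

    def new_password(self, new=None, confirm_in_same_window=False):
        self._require("NewPassword")
        new = new or generate_password()
        self.sent.append(("NewPassword", self.db["password"], new))  # old password first
        if confirm_in_same_window:
            self.db["password"] = new       # confirmed in the same window: saved now
        else:
            self.pending = new              # saved only once it has been confirmed
        self.active |= {"BadNewPassword", "ConfirmPassword"}

    def confirm_password(self):
        self._require("ConfirmPassword")
        confirmed = self.pending if self.pending is not None else self.db["password"]
        self.sent.append(("ConfirmPassword", None, confirmed))
        self.db["password"] = confirmed     # database updated on confirmation
        self.pending = None
        self.active -= {"ConfirmPassword", "BadNewPassword"}

    def bad_new_password(self):
        """The application rejected the new password: the old one stays current and
        NewPassword is reactivated. Dropping ConfirmPassword too is this example's
        assumption, since there is no longer anything to confirm."""
        self._require("BadNewPassword")
        self.pending = None
        self.active -= {"BadNewPassword", "ConfirmPassword"}
        self.active.add("NewPassword")
```

Walking a session through StandardLogin, NewPassword, BadNewPassword, NewPassword and ConfirmPassword shows the stored password changing only at the last step; calling bad_password on a fresh session raises, matching the rule that BadPassword is triggered only after SSO has been performed.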

Special Cases

"Standard" window types do not allow you to manage all kinds of applications, therefore, Enterprise SSO provides some tools that allow you to manage these cases: Custom Scripts and the OLE/Automation Interface. However, for well-known and commonly used applications, specific window types are provided to speed up configuration and optimize SSO processing.

In this section:

NotesLogin (Lotus Notes Plug-in)

The Lotus Notes plug-in has a window type that manages Lotus Notes 4.x, 5.x and 6.5 authentication windows, but it is generally used for all the applications that always display the login and ask for the password to be entered.

A NotesLogin window type automatically selects the user account according to the account name displayed in the window. If the user owns:

  • Only one Lotus Notes account, the account will have to match the requested account name; otherwise SSO will not be performed.
  • Several accounts: Enterprise SSO will choose the user account corresponding to the requested account name. If none matches the requested account name, SSO will not be performed.

In this section:

Lotus Notes Identifier Format

The Lotus Notes identifier (or username) can be stored in the Enterprise SSO security database using Lotus Notes formats (username, account name, Lotus Notes canonic name).

Window Description

This tabbed panel is pre-configured and should not be modified. However, if the SSO Engine actions do not work with the pre-configured parameters, drag and drop the target buttons onto the target fields of the Lotus Notes login window and, if required, modify the pre-configured parameters.

Configuring the Field Containing the Lotus Notes Login

The first field is the one that contains the Lotus Notes username (Enter the password of…). The field must be selected using the target button.

In the field where the complete Lotus username is shown, ensure that all entries are deleted, and that only the symbol remains.

Select the password field using the target button.

Clear the automatic window validation field.

NOTE: When only one Notes account is accessed from the workstation, you can check the automatic window validation field. We recommend activating this option only in Personal configuration mode.

Enterprise SSO Behavior

In Enterprise SSO, the following actions are performed after the window has been detected:

  • The Lotus Notes identifier is retrieved from the field as shown above.
  • A search is conducted for the account name in all the accounts associated with the application (beginning with full names):
    • If necessary, the user will have to choose between the accounts that match (or those that have no data associated with them).
    • If a single account matches (or has no data), Enterprise SSO will prompt the user for the associated password and will save it in the security database (collect).
  • The password is sent to the password field.
  • The window is validated, if the automatic validation option has not been selected in the configuration.
  • BadPassword and NewPassword window types are activated.

HTTP Authentication (Internet Explorer Plug-in)

When you connect to some websites, an HTTP authentication window is displayed. Under Windows XP, this window looks like this:

This window can be managed using the StandardLogin window type. However, if the password entered is not correct, the same window is displayed again with the same username that was previously entered in the User name field (The first time this window is displayed, no username is displayed). This window type has been created to manage such a case (StandardLogin and BadPassword mix).

NOTE: This window is quite different for each of the Microsoft operating systems other than Windows XP. If you have a heterogeneous computer installation, you will have to define several windows of this type in your configuration.

The Netscape 4.7 HTTP authentication window is managed by the StandardLogin window type.

In this section:

Window Description

The configuration page looks like this:

As for StandardLogin, you have to set the identifier and password fields with the target button.

For the identifier field, be sure to select the field within the drop down list and not the list itself.

Internet Explorer allows you to save passwords. However, you may prefer to use Enterprise SSO. So clear the Remember my password check box and select the check box with the target tool.

Once the SSO data has been sent to the fields, you can validate the window.

Enterprise SSO Behavior

SSO actions for this window type correspond to StandardLogin and BadPassword window types:

  • The content of the Identifier field is retrieved: if it is empty, it is a StandardLogin behavior:
    • The username and password associated with the application are retrieved from the security system:
      • If required, the user will be prompted to choose one of his accounts.
      • If the selected (or single) account has no data, Enterprise SSO will ask the user for the associated password and will save it in the security database (collect).
    • Data is sent to the window.
    • The Remember my password check box is cleared.
    • The window is validated.
    • The BadPassword window type is activated.
  • If the identifier is not empty, it is a BadPassword behavior:
    • The user is warned that the password stored in the security system is not the right one for this application; he is prompted to enter the right password (the user can also change the identifier if he has misspelled it in the collect window).
    • If the new username/password pair is validated by the user and the security database is updated successfully:
      • Username, password and optional fields are provided to the application.
      • The window is validated.
      • NewPassword window types are activated.

HTTP Authentication with Google Chrome

Subject

Creating an authentication window for Google Chrome is different because of the browser's limitations: when HTTP authentication windows of type "popup" appear in Google Chrome, as shown below, the URL and the fields of this popup window are not detected automatically.

Procedure

 

  1. Create a StandardLogin window type.
  2. In the Detection tab, drag & drop the target icon onto the authentication window.

    The name of the authentication window appears in the URL field.

  3. In the Parameter of the web page area, select the Look for text check box and click the target.

    The Control Detection window appears.

  4. In the list of controls, select the server name and click the OK button.
  5. Select the Actions tab and use the same control detection method for the following fields:
    • Identifier.
    • Password.
    • Press the button.
  6. Click OK.

    Your StandardLogin window for Google Chrome has been created.

 

The Google Chrome Extension


Description

The Chrome extension manages SSO in the HTML document windows of the Google Chrome browser. It works with HTML document forms.

The Chrome extension provides the same window types as the generic plug-in. For more information, see The Generic Plug-in.

In this section:

Installing the Chrome Extension

Prerequisites
  • For the Chrome extension to work properly, the Microsoft Visual C++ 2012 (32-bit) redistributable must be installed on each workstation where the extension is installed.
  • The Google Chrome Web browser must be installed on the workstation(s).
Description

The Chrome extension can be installed in two ways:

IMPORTANT: At the end of the installation, restart Google Chrome and Enterprise SSO.

In this section:

Global Installation

Description

If you have a group strategy (GPO), you can install the Chrome extension globally.

Procedure

Follow the instructions described in the following URL to set the Google Chrome registry key: http://dev.chromium.org/administrators/policy-list-3#ExtensionInstallForcelist

NOTE: The extension identifier is mheiphfcfdhlkecdhpgblhpemkecaheh

The extension is installed when Google Chrome is started.
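As an added example (not part of this guide or of the Enterprise SSO product), the following PowerShell script sets the ExtensionInstallForcelist registry values for the extension identifier above and then audits that list so only approved extension IDs are force-installed on the workstation. The machine-wide policy path HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist and the Chrome Web Store update URL https://clients2.google.com/service/update2/crx are assumptions not stated on this page; a GPO registry preference would write the same values.

```powershell
# Added example: force-install the Enterprise SSO Chrome extension through the
# ExtensionInstallForcelist policy and audit the list for unapproved entries.
# Assumed (not on the page): policy path and Chrome Web Store update URL below.
# Run in an elevated PowerShell session.

$PolicyPath      = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
$UpdateUrl       = 'https://clients2.google.com/service/update2/crx'
# Extension identifier taken from the guide.
$EssoExtensionId = 'mheiphfcfdhlkecdhpgblhpemkecaheh'
# IDs the organisation has approved for force-install (here: Enterprise SSO only).
$ApprovedIds     = @($EssoExtensionId)

function Add-ForcedExtension {
    param([Parameter(Mandatory)][string]$ExtensionId)

    # Chrome extension IDs are exactly 32 lowercase letters in the range a-p.
    if ($ExtensionId -notmatch '^[a-p]{32}$') {
        throw "Not a valid Chrome extension ID: $ExtensionId"
    }
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    $key      = Get-Item $PolicyPath
    $existing = $key.GetValueNames() | ForEach-Object { $key.GetValue($_) }
    if ($existing | Where-Object { $_ -like "$ExtensionId;*" }) {
        Write-Verbose "$ExtensionId is already in the force-install list"
        return
    }
    # Entries are named "1", "2", ...; use the next free number.
    $numbers = $key.GetValueNames() |
        Where-Object { $_ -match '^\d+$' } |
        ForEach-Object { [int]$_ }
    $next = if ($numbers) { ($numbers | Measure-Object -Maximum).Maximum + 1 } else { 1 }
    New-ItemProperty -Path $PolicyPath -Name "$next" `
        -Value "$ExtensionId;$UpdateUrl" -PropertyType String -Force | Out-Null
}

function Get-ForcedExtensionAudit {
    # One object per force-list entry; Approved is false for any ID outside the
    # approved list or any entry that does not point at the expected update URL.
    if (-not (Test-Path $PolicyPath)) { return @() }
    $key = Get-Item $PolicyPath
    foreach ($name in $key.GetValueNames()) {
        $id, $url = ($key.GetValue($name) -split ';', 2)
        [pscustomobject]@{
            Entry       = $name
            ExtensionId = $id
            UpdateUrl   = $url
            Approved    = ($ApprovedIds -contains $id) -and ($url -eq $UpdateUrl)
        }
    }
}

Add-ForcedExtension -ExtensionId $EssoExtensionId
Get-ForcedExtensionAudit | Format-Table -AutoSize
# A row with Approved = False is an extension pushed to every user of the
# workstation outside the approved list and should be investigated.
```

Chrome re-reads the policy on its next start, which matches the restart the guide asks for above.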

Local Installation

Description

You can install the Chrome extension independently on each workstation via the Chrome Web Store.

Procedure
  1. Open your Google Chrome browser and enter the following URL:
    https://chrome.google.com/webstore/detail/enterprise-sso/mheiphfcfdhlkecdhpgblhpemkecaheh
  2. Click on Add to Chrome.
  3. Confirm the installation by clicking on Add extension.

    The extension is installed.

NOTE: To check the extension installation, you can go to the Chrome extensions menu (chrome://extensions).

Configuring the Technical Definitions and Windows

The technical definitions and windows configuration for Google Chrome must be performed in Internet Explorer (see Defining Application and Technical Definition Objects and Defining Window Objects).

Once the configuration is performed, if the user starts Google Chrome to access a URL and a corresponding technical definition is configured in Enterprise SSO, then SSO will be performed in Google Chrome.

The Microsoft Internet Explorer Plugin

Before starting
  • This plug-in is deprecated. To create new windows allowing SSO with Internet Explorer, Firefox or Chrome, use the Generic plug-in (The Generic Plug-in) and/or the Chrome extension (The Google Chrome Extension).
  • Use the Microsoft Internet Explorer plug-in only to modify SSO configurations already using windows defined through this plug-in.
  • To migrate windows created with the Microsoft Internet Explorer plug-in to the Generic Plug-in, create the same windows using the Generic plug-in.
Description

The Microsoft Internet Explorer plug-in manages SSO in HTML documents in Microsoft Internet Explorer 5.5 and 6.0. It works with HTML document forms.

The Internet Explorer plug-in provides the following window types:

  • IELogin: HTTP, Firewall or Proxy connection windows.
  • HTMLLogin: Web/HTML application connection window.
  • HTMLBadPassword: HTML page which indicates that the password entered in the HTMLLogin window is not correct; this allows the SSO data collect mode. The right username and password may be entered again at this point.
  • HTMLNewPassword: HTML page which prompts for a new password (and generally for a confirmation).
  • HTMLBadNewPassword: Window type used to handle new password refusals in HTML pages.

In this section:

HTML/Internet Explorer Detection

The detection of HTML pages is URL-based.

Start Internet Explorer.

NOTE: For Windows 2003 servers, check that the Internet Explorer option Enable third-party browser extensions (in Internet options>Advanced>Browser) is selected.

The HTML Detection property page looks like this:

To fill in the URL field, use the Get URL button. The following window appears:

The list of open HTML documents in Internet Explorer windows (and frames) is displayed.

The list of HTML forms (and their associated fields) is displayed for information only.

The Internet Explorer button allows you to launch Internet Explorer if it is not already running (same as launching it from the Start menu).

To select a URL, just select the line that shows the URL, or one of its elements. The selected URL is shown in bold.

The HTML page display is dynamically updated as you open new HTML windows or navigate within Internet Explorer. The Refresh button allows you to force the display to update and remove windows which are no longer displayed.

NOTE: If only one HTML document is opened, its URL will automatically be pasted in the URL field if it was empty.

In this section:

Variable URLs

For more information, see The Enable Variable URL Detection option.

Advanced Detection

Advanced detection in an Internet Explorer HTML page is based on text search.

The following dialog box allows you to configure the advanced detection parameter:

You can enter a text using the keyboard or select it with your mouse in an HTML page and click the Capture button: the text is pasted in the field.

There are two search methods:

  • Text must be Present: if the text is found on the page, detection is successful.
  • Text must be Absent: if the text is found on the page, detection fails.

User Interface

In this section, we introduce the tools and elements of the user interface that are used to configure HTML/Internet Explorer window types.

These tools are:

  • The HTML form selection tool which allows the association of an SSO parameter (username, password, optional parameter) with an HTML form field.
  • The custom parameters list which allows the setting up of additional parameters (other than username and password) which will be sent to the application to perform SSO.
  • The HTML form submission-method selection tool (same icon).

In this section:

Selecting a Field in an HTML Form

The field selection window for an HTML form is as follows:

This window displays, in a list, all the forms (and their fields) contained in the HTML page selected in the detection page.

The fields are displayed in order, and an icon distinguishes the clear text fields from the fields containing a password. The associated text is the field’s internal name (HTML).

The forms are differentiated by their names. If several forms have the same name (or are unnamed), the position is displayed in brackets: this is the position in the page compared to all forms with the same name.

NOTE: If you do not want to use this field, validate by clicking the Clear button.

Custom SSO Parameters

The following window allows you to enter and configure optional parameters that will be sent to the target application:

To customize an optional field, proceed as follows:

Procedure
  1. Select the parameter in the list.
  2. Fill in Associated Field by using the target to select the target control field.
  3. Click the Insert button to customize the optional field.
  4. Validate by clicking OK.

Submitting an HTML Form

The window for setting up the HTML form submission method is the following:

This window offers two submit methods:

  • Simple submit or submit by clicking a Button.
  • Advanced submit by clicking a link.

In this section:

Simple Submit / Button Click

  • To submit a form by simulating the Enter key, simply select the form.
  • To submit the form by clicking a button, select the desired button.
  • To check that it is actually the desired button, you can make it flash in the HTML page using the Highlight button.

Click a Link

This method is used to submit a form by clicking a text or an image starting a JavaScript script.

Such a link is recognized by its URL starting with javascript:

HTML/Internet Explorer Actions

In this section:

HTMLLogin – Connection

In this section:

Configuration

This property page enables you to specify:

  • The field that will receive the user identifier (or username) that allows the user to connect to the application.
  • The field that will receive the password associated with the username.
  • Optional parameters, if needed.
  • The form-submit method.

Actions

In Enterprise SSO, the following actions are performed after the window has been detected:

  • The username and password associated with the application are retrieved from the security system:
    • If required, the user will be prompted to choose one of his accounts.
    • If the selected (or single) account has no security data in the security system, Enterprise SSO will prompt the user for this data and will save them in the security system (collect).
  • Data is sent to the form fields of the HTML page.
  • Optional parameters associated with the selected account are retrieved from the security system: if any parameter value is unknown, it is requested from the user and then stored in the security system.
  • Parameters are sent.
  • The form is submitted.
  • BadPassword (HTML) and NewPassword (HTML) window types are activated.

HTMLBadPassword

In this section:

Configuration

This property page enables you to specify:

  • The validation method after the password has been updated in the security database (with a new authentication if needed).
  • The HTML field that will receive the user identifier (or username) if the user is prompted to re-authenticate.
  • The HTML field that will receive the user password if the user is prompted to re-authenticate in the same window.
  • The optional parameters, if re-authentication is proposed in the same application window.

Actions

In Enterprise SSO, the following actions are performed after the HTML page has been detected:

  • The user is warned that the password stored in the security system is not the right one for this application; he is prompted to enter the right password (the user can also change the identifier if he has misspelled it in the collect window).
  • If the new username/password pair is validated by the user and the security database is updated successfully:
    • The specified username, password and optional HTML parameters are sent to the application.
    • The HTML form is validated according to the specified method.

HTMLNewPassword

In this section:

Configuration

This property page allows you to enter:

  • The HTML field that will receive the user identifier (or username).
  • (Optional) The HTML field that will receive the old password.
  • (Optional) The HTML field that will receive the new password.
  • (Optional) The HTML field that will receive the new password as confirmation.
  • The HTML form-submit method if the password has been successfully updated in the security database.
  • The cancellation method in case of failure or if the user cancels the window.

Actions

In Enterprise SSO, the following actions are performed after the HTML page has been detected:

  • If specified, the user identifier and the old password are sent (if the application can have many simultaneous sessions and if several accounts are used, Enterprise SSO will ask the user to choose the relevant session).
  • The application asks the user for a new password or computes it itself (according to the PFCP associated with the application).
  • If the password is confirmed, the new password is saved in the security database.
  • In case of failure, the submission is canceled.
  • In case of success, or without confirmation:
    • The new password is sent (if requested).
    • The new password is sent again (if confirmation is needed).
    • The window is validated.

HTMLBadNewPassword

In this section:

Configuration

This property page enables you to specify:

  • The validation method after a new password has been refused.
  • (Optional) The HTML field that will receive the user identifier (or username) if the user is prompted to re-authenticate.
  • (Optional) The HTML field that will receive the old password.
  • (Optional) The HTML field that will receive the new password.
  • (Optional) The HTML field that will receive the new password as confirmation.

Actions

In Enterprise SSO, the following actions are performed after the HTML page has been detected:

  • The old password becomes the current password.
  • If specified, the user identifier and the old password are sent (if the application can have many simultaneous sessions and if several accounts are used, Enterprise SSO will ask the user to choose the relevant session).
  • The application asks the user for a new password or computes it itself (according to the PFCP associated with the application).
  • If the password is confirmed, the new password is saved in the security database.
  • In case of failure, the submission is canceled.
  • In case of success, or without confirmation:
    • The new password is sent (if requested).
    • The new password is sent again (if confirmation is needed).
    • The window is validated.
    • NewPassword window types are activated.

The SAP R/3 Plug-in

This section describes the SAP R/3 plug-in for Enterprise SSO.

The SAP R/3 plug-in provides different types of windows for the management of SSO, depending on the version of SAP R/3 clients and servers. To identify the window corresponding to each version of the SAP R/3 components, see Evidian EAM Release Notes.

NOTE: The SAPLogin and SAPExpired window types defined in version 3.71 of Enterprise SSO are still available, to ensure the continuity of deployed configurations. However, we recommend that these are ported to SAPGUI Scripting window types.

In this section:

SAPLogin and SAPExpired Window Types

In this section:

SAPLogin (SAP R/3 Login)

This window type manages SAP R/3 4.5 connection. It includes bad password management (BadPassword).

NOTE: With version 4.6, only authentication is managed: due to technology modification, Enterprise SSO does not detect bad passwords anymore.

To configure a window type SAPLogin, you have to specify the following parameters:

NOTE: This window is pre-selected and should normally not be modified.
  • Fields
    • SAP Main Field is where SSO data should be sent. Field selection can be done with the target button.
    • SAP Status bar is the field where errors are displayed. Field selection can be done with the target button.
    • Error text is the message displayed by SAP R/3 in case of error. This allows Enterprise SSO to deal with bad passwords (SAP R/3 4.5 only).
  • Window parameters

    Language and Client Name parameters can be associated with parameters stored in the security database.

  • Window Validation

    The authentication window is validated with the Enter key.

SAPExpired (SAP R/3 Password Expiry)

This window type manages SAP R/3 4.5 password expiry.

NOTE: In Access Collector mode, the SAPExpired window type is not available. 

In the configuration window, fill in the SAP main field using the target button.

Basic Principles of the SAP R/3 Plug-in

Prerequisites
  • SAPGUI 6.20 Scripting must be activated on the SAP R/3 server, with the following parameter:
    • Sapgui/user_scripting = TRUE
  • SAPGUI Scripting must be activated on the SAP R/3 client.
  • The connection description in the SAPLogon must not use the slow connection parameter.
  • SAPGUI Scripting works only with the new SAP R/3 visual design.

Configuration Guide

In this section:

Configuring an SAP R/3 Application

An application should be configured with the Enterprise SSO configuration editor. For SAP R/3 applications, use the SAP application model in ESSO Enterprise Studio.

Configuring an Application for SAPGUI Scripting

If you use SAPGUI Scripting window types, the OLE/automation option in the configuration is not required. It should, therefore, be left inactivated.

Configuring the SAPGUI Scripting Window

In this section:

The Detection Tab

The detection of SAP R/3 connections is based on their connection servers or server groups:

To specify an SAP R/3 server or group of servers, use the following options:

  • Name (mandatory): server name (SAP R/3 hostname) or server group name for which SSO is to be performed.
  • SAP system name: SAP R/3 name of the system in 3 characters (database ID).
  • Direct server connection
    • Detect the System Number: provide the SAP R/3 System Number if the target server is running more than one copy of SAP R/3.
  • Group with load balancing
    • Message Server: enter the SAP R/3 message server name as it is configured in the SAPLogon module if there are several SAP R/3 groups with the same name but with different message servers.

The Actions Tab

Description of the SAP R/3 parameters 

At authentication time, Enterprise SSO can fill the language and client name fields as defined in the SAP R/3 application model. These parameters must be declared in the Parameters tab of the application object.

  • Automatic validation of the credentials: the user does not have to validate the credentials sent by E-SSO to start an SAP session. The Auto validate login page check box is selected by default.
  • Changing the SAP R/3 user’s password: by default, Enterprise SSO manages the authentication process, and the user cannot change his or her SAP R/3 password at this stage but must use the password change transaction once connected. To avoid the complexity inherent in this procedure, activating this option will result in Enterprise SSO asking the user if a change of password should be made during connection to SAP R/3; Enterprise SSO will then manage all the password change processes as required.
  • Automatic validation of the connection notification: the SAPGUI Scripting technology causes a message to appear, notifying the user that a script is connecting to SAPLogon. By activating this option, and by declaring the notification window title (by default this is saplogon), Enterprise SSO will automatically validate the notification as required. The notification will still appear in non-Enterprise SSO connections, and therefore for other scripts.
  • To define error messages, click the Errors button:

    Error messages are detected by Enterprise SSO so that it can react when there is a password desynchronization problem, when there is a password change, or if the new password is refused by the SAP R/3 system. In addition to the pre-configured error messages, you can declare your own specific messages:

  • By content: enter a message and assign a meaning to it. Enterprise SSO will look for the message in the status bar or error dialog box. In this case, it is the message string that is looked for. It is dependent, therefore, on the language of the SAP R/3 client.
  • By reference: if you also specify the SAP R/3 ABAP reference of the message, Enterprise SSO will look for the reference of the message, and not its content. Thus, it becomes independent of the client language. In this case, the content of the message field is for information purposes only.

NOTE: The list of message references can be found using the transaction SE16, table T100.

Authentication steps:

  • Connection refused: the SAP R/3 system has refused the connection. The user may be locked, or the server unavailable.
  • Invalid password: the user password is incorrect. A new password is requested through Enterprise SSO’s data collection windows.
  • New password refused: the user has just changed the password, but the SAP R/3 system does not accept it. A new password is requested through Enterprise SSO’s data collection windows.