Terminal type windows manage SSO in text fields emulating a line mode terminal. The terminal must be displayed in a text-edit control field.
NOTE: Some emulator windows may not meet this requirement. In this case, the use of other methods like OLE/Automation interface access is necessary.
The way this window type works is slightly different from the way other window types work, since the SSO events correspond to the display of messages; in addition, all the SSO states are managed in the same window.
Once the connection has been set up, SSO is disabled for this window.
Two window types offer the management of terminals:
NOTE: Enterprise SSO also works with PuTTY.
The detection of these window types is the same as for the Windows type.
However, the Actions part covers all standard window types: it is used to manage the opening of a full session (including bad and new passwords management) running in text mode and in a single Windows control field (usually an Edit field). It simulates the user keyboard entries and controls the state of the connection status by detecting text banners.
This window type has been created to manage the terminal connections in Edit fields, especially the Windows remote access pre- and post- dial-up terminals.
Its configuration window is the following:
The Host Control field must contain the whole text used for connection. Using the target icon, click the terminal window; this will copy the text across.
The behavior regarding the text banners is defined by clicking on the Banners button (see Banners).
If you have difficulties or if you want to optimize the processing, you can also set up the timing between two searches for banners.
Once SSO has been performed, or in case of failure, it is possible to click a button to close the window. Using the target icon, click the terminal window; this will copy the button across.
Two window types are available for managing the Microsoft TelnetW2KXP application:
Window Type | Description
MSTelnetW2KXP | Microsoft Telnet for Windows 2000 and XP
MSTelnet | Obsolete; kept for compatibility purposes
Its configuration window is the following:
If you have difficulties or if you want to optimize the processing, you can also change the performance-tuning parameters:
The banners configuration window is the following:
This window allows you to specify SSO events (the detection of text in a new text line) and the behavior to be associated with them.
The possible behaviors are:
Event | Description
Identifier | The text indicates a username request.
Password | The text indicates a password request.
Custom Parameter | An additional parameter is requested.
Connection OK | The text indicates that the connection is successful. It stops the SSO.
Enter new password | The text indicates that a new password is requested.
Confirm new password | The text indicates that the same new password must be confirmed.
Bad password | The text indicates that there is a wrong password in the security database.
Connection refused | The text indicates that the connection failed. It stops the SSO.
Do not press Enter key if the value is greater than... | Defines the number of characters above which the Enter key is not sent. If the value is 0, the Enter key is never sent.
To add an event, you must:
To edit an event, you must:
To delete an event, you must:
This section describes how to enable SSO or account collect (in Access Collector mode) for applications using HLLAPI.
The HLLAPI (High Level Language Application Program Interface) is an IBM API that allows a PC application to communicate with a mainframe computer. HLLAPI requires a PC to run a 3270 emulation software and then defines an interface between a PC application and the emulation software.
IMPORTANT: In the next sections, the term "HLLAPI applications" designates the applications that are using HLLAPI.
If the default configuration parameters used to implement the HLLAPI plug-in are not working with your HLLAPI application, or if you want to configure Single Sign-On for different types of HLLAPI applications installed on the same workstation, you must modify keys and values in the Windows Registry to fit your requirements.
IMPORTANT: Modifying the Windows Registry may damage your Windows system. It is strongly recommended that you be familiar with the Registry Editor before modifying keys and values.
NOTE: It is not mandatory to set all the values listed in "HLLAPI Plug-in Registry Keys". If a value is not set, the default value data is used.
Value name |
Description | Enables/disables the management of different types of HLLAPI applications on the same workstation.
Type | REG_DWORD
Value data | 0: disabled. 1: enabled.
Location |
Example: to add Attachmate EXTRA! and Rumba terminal emulation applications, you can create the following sub-keys:
HKLM\SOFTWARE\Enatel\SSOWatch\HLLAPI\Attachmate EXTRA!
HKLM\SOFTWARE\Enatel\SSOWatch\HLLAPI\Rumba
Example:
[HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\SSOWatch\HLLAPI\Attachmate EXTRA!]
"HllLibrary"="C:\\Program Files\\Attachmate\\E!E2K\\ehlapi32.dll"
"HllEntryPoint"="hllapi"
"HLLAPI-32bit"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\SSOWatch\HLLAPI\Rumba]
"HllEntryPoint"="hllapi"
"HllLibrary"="D:\\Program Files\\NetManage\\RUMBA\\System\\ehlapi32.Dll"
"HLLAPI-32bit"=dword:00000001
"IgnoreWindowsHandle"=dword:00000001
"UseTitleInDetection"=dword:00000001
NOTE: If the EnableMultiEmulator key is set to 1 (see Configuring the HLLAPI Plug-in for Different Types of Applications), the registry keys listed in this section that are located directly under HKLM\SOFTWARE\Enatel\SSOWatch\HllAPI are ignored.
Value name |
Description | Enables/disables the management of different types of HLLAPI applications on the same workstation.
Type | REG_DWORD
Value data | 0: disabled. 1: enabled.
Location |

Value name |
Description | DLL file that must be used by the HLLAPI plug-in.
Type | REG_SZ
Value data | Pathname of the .DLL file. Default value: PCSHLL32.dll
Location | Single application: Multi applications:

Value name |
Description | Name of the HLLAPI function in the DLL file.
Type | REG_SZ
Value data | Default value: hllapi
Location | Single application: Multi applications:

Value name |
Description | Specifies that the HLLAPI application is a 32-bit application.
Type | REG_DWORD
Value data | 1 (default): 32-bit application. 0: 16-bit application.
Location | Single application: Multi applications:

Value name |
Description | Allows Enterprise SSO to support HLLAPI libraries which are not able to return the Windows handle properly.
Type | REG_DWORD
Value data | 1: enabled. 0 (default): disabled.
Location | Single application: Multi applications:

Value name |
Description | Allows the Enterprise SSO engine to detect the title of the HLLAPI application.
Type | REG_DWORD
Value data | 1 (default): enabled (displays the Title check button in the Detection tab. For more details, see The Detection Tab). 0: disabled.
Location | Single application: Multi applications:
To enable SSO for HLLAPI applications, you must declare the application in the Enterprise SSO configuration and define the window types that must be detected by Enterprise SSO, as described in the following procedure.
The Application object appears under the Applications node.
The Window Properties window appears.
IMPORTANT: If you are defining an HLLAPI New Password screen, and if the new password must be provided in the login screen, then select Use Manual SSO State Conditions, click Configure and select SSO has been done. Password has expired and must be changed.
The Window object appears under the Application object.
This section gives information on how to fill in the Detection tab for HLLAPI window types. This tab allows you to define the screen requirements to enable SSO.
This area allows you to specify the communication standard used by the application.
IMPORTANT: If the connection type information is not available at HLLAPI level, Enterprise SSO does not take this parameter into account. If you do not know the connection type, select or clear all check boxes.
You must fill in this area to define the strings that Enterprise SSO must detect to enable SSO. Read the following guidelines carefully:
Example
In this example, Enterprise SSO enables SSO if:
This section gives information on how to fill in the Actions tab for HLLAPI window types. This tab allows you to define the authentication data that Enterprise SSO must send to the terminal emulator.
This area allows you to sort and modify the actions that must be performed by Enterprise SSO in the terminal emulator window.
This area allows you to define the data that Enterprise SSO must send to the terminal emulator. Fill in the window as follows:
NOTE: For more information on the list of keys that are compatible with many emulator software applications, see HLLAPI Application Keys.
The following window appears:
Fill in this window as follows:
NOTE: When SSO is implemented, the DLL is searched for in the directories defined in the %PATH% environment variable of the user who is logged on. If it is not found, the DLL is searched for in the same directory as the one used during the configuration process. For more details on external DLLs, see Extension DLL.
The following table lists the keys that are compatible with many emulator software applications.
Mnemonic | Meaning | 3270 | 5250 | VT
@B | Left Tab | Yes | Yes | No
@C | Clear | Yes | Yes | No
@D | Delete | Yes | Yes | No
@E | Enter | Yes | Yes | No
@F | Erase EOF | Yes | Yes | No
@H | Help | No | Yes | No
@I | Insert | Yes | Yes | No
@J | Jump (SetFocus) | Yes | Yes | No
@L | Cursor Left | Yes | Yes | Yes
@N | New Line | Yes | Yes | Yes
@O | Space | Yes | Yes | Yes
@P | | Yes | Yes | Yes
@R | Reset | Yes | Yes | No
@T | Right Tab | Yes | Yes | Yes
@U | Cursor Up | Yes | Yes | Yes
@V | Cursor Down | Yes | Yes | Yes
@X* | DBCS (Reserved) | Yes | Yes | No
@Y | Caps Lock (No action) | Yes | Yes | No
@Z | Cursor Right | Yes | Yes | Yes
@0 | Home | Yes | Yes | No
@1 | PF1/F1 | Yes | Yes | No
@2 | PF2/F2 | Yes | Yes | No
@3 | PF3/F3 | Yes | Yes | No
@4 | PF4/F4 | Yes | Yes | No
@5 | PF5/F5 | Yes | Yes | No
@6 | PF6/F6 | Yes | Yes | Yes
@7 | PF7/F7 | Yes | Yes | Yes
@8 | PF8/F8 | Yes | Yes | Yes
@9 | PF9/F9 | Yes | Yes | Yes
@a | PF10/F10 | Yes | Yes | Yes
@b | PF11/F11 | Yes | Yes | Yes
@c | PF12/F12 | Yes | Yes | Yes
@d | PF13 | Yes | Yes | Yes
@e | PF14 | Yes | Yes | Yes
@f | PF15 | Yes | Yes | Yes
@g | PF16 | Yes | Yes | Yes
@h | PF17 | Yes | Yes | Yes
@i | PF18 | Yes | Yes | Yes
@j | PF19 | Yes | Yes | Yes
@k | PF20 | Yes | Yes | Yes
@l | PF21 | Yes | Yes | No
@m | PF22 | Yes | Yes | No
@n | PF23 | Yes | Yes | No
@o | PF24 | Yes | Yes | No
@q | End | Yes | Yes | No
@s | ScrLk (No action) | Yes | Yes | Yes
@t | Num Lock (No action) | Yes | Yes | Yes
@u | Page Up | No | Yes | No
@v | Page Down | No | Yes | No
@x | PA1 | Yes | Yes | No
@y | PA2 | Yes | Yes | No
@z | PA3 | Yes | Yes | No
@A@C | Test | No | Yes | No
@A@D | Word Delete | Yes | Yes | No
@A@E | Field Exit | Yes | Yes | No
@A@F | Erase Input | Yes | Yes | No
@A@H | System Request | Yes | Yes | No
@A@I | Insert Toggle | Yes | Yes | No
@A@J | Cursor Select | Yes | Yes | No
@A@L | Cursor Left Fast | Yes | Yes | No
@A@Q | Attention | Yes | Yes | No
@A@R | Device Cancel | Yes | Yes | No
@A@T | Print Presentation Space | Yes | Yes | Yes
@A@U | Cursor Up Fast | Yes | Yes | No
@A@V | Cursor Down Fast | Yes | Yes | No
@A@Z | Cursor Right Fast | Yes | Yes | No
@A@9 | Reverse Video | Yes | Yes | No
@A@b | Underscore | Yes | No | No
@A@c | Reset Reverse Video | Yes | No | No
@A@d | Red | Yes | No | No
@A@e | Pink | Yes | No | No
@A@f | Green | Yes | No | No
@A@g | Yellow | Yes | No | No
@A@h | Blue | Yes | No | No
@A@i | Turquoise | Yes | No | No
@A@j | White | Yes | No | No
@A@l | Reset Host Colors | Yes | No | No
@A@t | Print (Personal Computer) | Yes | Yes | No
@A@y | Forward Word Tab | Yes | Yes | No
@A@z | Backward Word Tab | Yes | Yes | No
@A@− | Field − | No | Yes | No
@A@+ | Field + | No | Yes | No
@A@< | Record Backspace | No | Yes | No
@S@E | Print Presentation Space on Host | No | Yes | No
@S@x | Dup | Yes | Yes | No
@S@y | Field Mark | Yes | Yes | No
@X@1 | Display SO/SI | Yes | Yes | No
@X@5 | Generate SO/SI | No | Yes | No
@X@6 | Display Attribute | No | Yes | No
@X@7 | Forward Character | No | Yes | No
@X@c | Split vertical bar (¦) | No | Yes | No
@M@0 | VT Numeric Pad 0 | No | No | Yes
@M@1 | VT Numeric Pad 1 | No | No | Yes
@M@2 | VT Numeric Pad 2 | No | No | Yes
@M@3 | VT Numeric Pad 3 | No | No | Yes
@M@4 | VT Numeric Pad 4 | No | No | Yes
@M@5 | VT Numeric Pad 5 | No | No | Yes
@M@6 | VT Numeric Pad 6 | No | No | Yes
@M@7 | VT Numeric Pad 7 | No | No | Yes
@M@8 | VT Numeric Pad 8 | No | No | Yes
@M@9 | VT Numeric Pad 9 | No | No | Yes
@M@- | VT Numeric Pad - | No | No | Yes
@M@, | VT Numeric Pad , | No | No | Yes
@M@. | VT Numeric Pad . | No | No | Yes
@M@e | VT Numeric Pad Enter | No | No | Yes
@M@f | VT Edit Find | No | No | Yes
@M@i | VT Edit Insert | No | No | Yes
@M@r | VT Edit Remove | No | No | Yes
@M@s | VT Edit Select | No | No | Yes
@M@p | VT Edit Previous Screen | No | No | Yes
@M@n | VT Edit Next Screen | No | No | Yes
@M@a | VT PF1 | No | No | Yes
@M@b | VT PF2 | No | No | Yes
@M@c | VT PF3 | No | No | Yes
@M@d | VT PF4 | No | No | Yes
@M@h | VT Hold Screen | No | No | Yes
@M@(space) | Control Code NUL | No | No | Yes
@M@A | Control Code SOH | No | No | Yes
@M@B | Control Code STX | No | No | Yes
@M@C | Control Code ETX | No | No | Yes
@M@D | Control Code EOT | No | No | Yes
@M@E | Control Code ENQ | No | No | Yes
@M@F | Control Code ACK | No | No | Yes
@M@G | Control Code BEL | No | No | Yes
@M@H | Control Code BS | No | No | Yes
@M@I | Control Code HT | No | No | Yes
@M@J | Control Code LF | No | No | Yes
@M@K | Control Code VT | No | No | Yes
@M@L | Control Code FF | No | No | Yes
@M@M | Control Code CR | No | No | Yes
@M@N | Control Code SO | No | No | Yes
@M@O | Control Code SI | No | No | Yes
@M@P | Control Code DLE | No | No | Yes
@M@Q | Control Code DC1 | No | No | Yes
@M@R | Control Code DC2 | No | No | Yes
@M@S | Control Code DC3 | No | No | Yes
@M@T | Control Code DC4 | No | No | Yes
@M@U | Control Code NAK | No | No | Yes
@M@V | Control Code SYN | No | No | Yes
@M@W | Control Code ETB | No | No | Yes
@M@X | Control Code CAN | No | No | Yes
@M@Y | Control Code EM | No | No | Yes
@M@Z | Control Code SUB | No | No | Yes
@M@u | Control Code ESC | No | No | Yes
@M@v | Control Code FS | No | No | Yes
@M@w | Control Code GS | No | No | Yes
@M@x | Control Code RS | No | No | Yes
@M@y | Control Code US | No | No | Yes
@M@z | Control Code DEL | No | No | Yes
@Q@A | VT User Defined Key 6 | No | No | Yes
@Q@B | VT User Defined Key 7 | No | No | Yes
@Q@C | VT User Defined Key 8 | No | No | Yes
@Q@D | VT User Defined Key 9 | No | No | Yes
@Q@E | VT User Defined Key 10 | No | No | Yes
@Q@F | VT User Defined Key 11 | No | No | Yes
@Q@G | VT User Defined Key 12 | No | No | Yes
@Q@H | VT User Defined Key 13 | No | No | Yes
@Q@I | VT User Defined Key 14 | No | No | Yes
@Q@J | VT User Defined Key 15 | No | No | Yes
@Q@K | VT User Defined Key 16 | No | No | Yes
@Q@L | VT User Defined Key 17 | No | No | Yes
@Q@M | VT User Defined Key 18 | No | No | Yes
@Q@N | VT User Defined Key 19 | No | No | Yes
@Q@0 | VT User Defined Key 20 | No | No | Yes
@Q@a | VT Backtab | No | No | Yes
@Q@r | VT Clear Page | No | No | Yes
@Q@s | VT Edit | No | No | Yes
@@ | @ | Yes | Yes | Yes
@$ | Alternate Cursor (The Presentation Manager Interface only) | Yes | Yes | Yes
@< | Backspace | Yes | Yes | Yes
The window types provided with Enterprise SSO allow you to enable SSO or account collect (in Access Collector mode) for a wide range of applications. But there are some applications that cannot be managed with these standard types. In this case, Enterprise SSO proposes two solutions:
The Custom Script and Custom Script HTML plug-ins open Enterprise SSO to some applications managed by neither the standard nor the dedicated plug-ins. They offer a "scripting logic" while keeping the same simple and user-friendly configuration interface offered by ESSO Enterprise Studio, and enable you to call a function from an external DLL.
They use the same detection mechanisms already used for this kind of window in the Standard plug-in. The detection property page is the same.
However, you can select the combo box by passing the cursor over the text area or by clicking the button displaying all the different choices.
The difference is in the Actions tabbed panel of the Windows Properties window that allows you to create a logically ordered list of specific actions.
The main behavior of the window: Login, Bad Password, New Password or New Password Confirmation window is automatically deduced from the configured actions, except for Bad Password, which must be manually specified.
Actions are executed one after the other. Their execution is based on a True or False state, which is transmitted to each action, and sometimes modified by some of them. An action is executed only if its state (Condition) corresponds to the current state, or if no state is specified for this action (No condition).
The initial state of an action is True.
The following table summarizes the behavior by indicating whether an action is performed based on its execution condition and the current state. The symbol ✓ means that the action is performed.
Condition \ State | True | False
None | ✓ | ✓
True | ✓ |
False | | ✓
This logic allows you to manage simple actions of If…Then…Else… type.
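The execution rule in the table above, written out as a small interpreter. This is an added example, not Enterprise SSO code: the action kinds are a simplified model of the Compare, Send Key/String, Create a Label, Jump to Label (Goto) and Return actions described further down this page, and MAX_STEPS is an assumed guard that makes the unconditional-jump loop visible.

```c
#include <stdio.h>
#include <string.h>

/* Execution condition of an action: None (always), True or False. */
typedef enum { COND_NONE, COND_TRUE, COND_FALSE } Cond;
/* Simplified model of a few script actions (not the product's types). */
typedef enum { ACT_COMPARE, ACT_SEND, ACT_LABEL, ACT_GOTO, ACT_RETURN } Kind;
typedef struct { Cond cond; Kind kind; const char *arg; } Action;

#define MAX_STEPS 64  /* assumed loop guard, not a product setting */
#define TRACE_LEN 256
#define COUNT(a) ((int)(sizeof(a) / sizeof((a)[0])))

typedef struct {
    int state;              /* current True/False state */
    int steps;              /* actions examined, executed or skipped */
    int aborted;            /* 1 if the guard tripped or a label is missing */
    char trace[TRACE_LEN];  /* text of the Send actions that ran, in order */
} Result;

/* The table: run if no condition, or if the condition equals the state. */
static int should_run(Cond c, int state)
{
    return c == COND_NONE || (c == COND_TRUE && state) ||
           (c == COND_FALSE && !state);
}

static int find_label(const Action *s, int n, const char *name)
{
    for (int i = 0; i < n; i++)
        if (s[i].kind == ACT_LABEL && strcmp(s[i].arg, name) == 0)
            return i;
    return -1;
}

Result run_script(const Action *s, int n, const char *buffer)
{
    Result r = { 1, 0, 0, "" };  /* the initial state is True */
    int pc = 0;

    while (pc < n) {
        const Action *a;
        if (r.steps >= MAX_STEPS) { r.aborted = 1; break; }
        r.steps++;
        a = &s[pc++];
        if (!should_run(a->cond, r.state))
            continue;  /* a skipped action leaves the state unchanged */
        switch (a->kind) {
        case ACT_COMPARE:  /* case-sensitive search of the buffer */
            r.state = strstr(buffer, a->arg) != NULL;
            break;
        case ACT_SEND:
            strncat(r.trace, a->arg, TRACE_LEN - strlen(r.trace) - 1);
            break;
        case ACT_LABEL:
            break;
        case ACT_GOTO:
            pc = find_label(s, n, a->arg);
            if (pc < 0) { r.aborted = 1; return r; }
            break;
        case ACT_RETURN:
            return r;
        }
    }
    return r;
}

/* Constructed sample scripts. If/Then/Else on a password-expiry banner: */
static const Action LOGIN[] = {
    { COND_NONE,  ACT_COMPARE, "password has expired" },
    { COND_TRUE,  ACT_SEND,    "[new password]" },
    { COND_FALSE, ACT_SEND,    "[password]" },
    { COND_NONE,  ACT_SEND,    "[Enter]" },
};
/* Jump with no condition: never terminates without the guard. */
static const Action LOOP_UNCONDITIONAL[] = {
    { COND_NONE, ACT_LABEL, "retry" },
    { COND_NONE, ACT_SEND,  "." },
    { COND_NONE, ACT_GOTO,  "retry" },
};
/* Jump only while the prompt is absent: falls through once it appears. */
static const Action LOOP_CONDITIONAL[] = {
    { COND_NONE,  ACT_LABEL,   "retry" },
    { COND_NONE,  ACT_COMPARE, "login:" },
    { COND_FALSE, ACT_GOTO,    "retry" },
    { COND_NONE,  ACT_SEND,    "[identifier]" },
};

int main(void)
{
    Result a = run_script(LOGIN, COUNT(LOGIN), "Your password has expired");
    Result b = run_script(LOGIN, COUNT(LOGIN), "Password Has Expired");
    Result c = run_script(LOOP_UNCONDITIONAL, COUNT(LOOP_UNCONDITIONAL), "");
    Result d = run_script(LOOP_CONDITIONAL, COUNT(LOOP_CONDITIONAL), "login:");
    printf("exact match: %s\ncase differs: %s\n", a.trace, b.trace);
    printf("unconditional jump: aborted=%d steps=%d\n", c.aborted, c.steps);
    printf("conditional jump:   aborted=%d sent=%s\n", d.aborted, d.trace);
    return 0;
}
```

The second run shows why the case-sensitive Compare matters for password handling: a banner that differs only in capitalization takes the False branch and the current password is sent instead of the new one.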
All the actions include a context that contains the following data:
The context data is maintained in a data buffer that is initialized before each Script execution in the following way:
By default, the Actions tabbed page is empty. The following figure shows an example of a filled-in Actions tabbed page.
The list of actions to be performed is displayed in a read-only state, and a check box allows you to specify whether or not this window manages bad passwords. To build or edit a script, you must use the Script Editor.
The Script Editor window is made up of four elements:
The actions list has three columns:
The toolbar allows you to create new actions, modify their execution conditions, and move actions.
Button | Description
[Icon] | Create a new action placed after the first selected action
[Icon] | Delete one (or several) action(s)
[Icon] | Move up one (or several) action(s)
[Icon] | Move down one (or several) action(s)
[Icon] | Modify the execution condition to Always execute
[Icon] | Modify the execution condition to Execute if True
[Icon] | Modify the execution condition to Execute if False
The action creation icon in the toolbar displays a menu with a list of all the available actions. The table below summarizes the available actions, showing the correspondence between the two types of plug-ins (Custom Script and Custom Script HTML).
Icon | Custom Script | Custom Script HTML
[Icon] | Send Key/String | Send String to Form Field
[Icon] | Send SSO parameter | Send SSO Parameter to a field
[Icon] | Send Command Message | Not available
[Icon] | Send a JavaScript (not supported by Microsoft Edge). | Send a JavaScript (not supported by Microsoft Edge).
[Icon] | Get Control Text (not supported by Microsoft Edge). | Get Field Text (not supported by Microsoft Edge).
[Icon] | Get SSO parameter | Get SSO parameter
[Icon] | Click Button | Send an HTML event
[Icon] | Select Item in list | Select Item in an HTML list
[Icon] | Call External Function | Call External Function
[Icon] | Sleep | Sleep
[Icon] | Compare | Compare
[Icon] | Return | Return
[Icon] | Special Event | Special Event
[Icon] | Create a Label | Create a Label
[Icon] | Jump to Label (Goto) | Jump to Label (Goto)
[Icon] | Display a message box | Display a message box
[Icon] | Input box | Input box
[Icon] | Check certificate | Check certificate
[Icon] | Change SSO State | -
[Icon] | Copy buffer to param | -
The rest of this subsection describes the different actions; each action description is introduced by a table summarizing its main characteristics:
[Icon] Action name | Modify state | Modify buffer
Action description.
Modify state | Modify buffer
This action allows you to send characters (keyboard keys or strings) to a target window (the window being the primary, active window) or to a target control (field or button) in a window. In the Target area, it is strongly recommended to select Send to the Control (use the target icon button to select the control field). If that is not possible, that is, if the window has no control fields or buttons, it is better to select Send to the Window rather than Focused Window. Then, if necessary, modify the sending method. It is recommended to use the Automatic method; if it does not work, try another method depending on your application. In the Send Key/String area, define the characters you want to send in the target window:
Modify state | Modify buffer
This action allows you to send strings to a target form field in an HTML page. In the Target area, use the HTML target button to fill in the field (the HTML page containing the target form field must be displayed). In the Send Key/String area, define the string you want to send in the target HTML form field:
Modify state | Modify buffer
This action allows you to send an SSO parameter of a user account to a target window (the window being the primary, active window) or to a target control (field or button) in a window. For details on the Target area, please see the Send Key/String action above. In the Parameter to Send area, define the SSO parameter you want to send:
The transmitted SSO parameter is copied to the memory buffer.
Modify state | Modify buffer
Read carefully the instructions written in the Send command message are
Modify state
This action enables you to send a JavaScript if the address bar is displayed in Internet Explorer, Firefox and Chrome.
Modify state
Sends an event (navigation, button click, item to be checked or execution of a JavaScript) to the active HTML browser.
Modify state | Modify buffer
This action reads the text contained in a targeted control field. The recovered text is also copied to the memory buffer.
Modify state | Modify buffer
This action retrieves the value of an SSO parameter from a user account (identifier, password…) and copies it to the memory buffer. For a description of the options, see the Send SSO Parameter action above. The Perform SSO as a different user action authorizes the SSO execution of a second user for the same application. When you select this check box, Enterprise SSO requests a second user to authenticate during SSO.
Modify state
This action allows you to simulate a mouse click on:
Depending on the selected Selection Mode, the interface of this window is slightly different: By Item Number:
By Parameter:
By Item Label:
Modify state
This action allows you to select an element from a list. The list must be targeted with the target icon. The supported list types are:
The selection can be performed by:
Modify state | Modify buffer
This action allows you to call a function in an external DLL. Click the Search button to choose the DLL. Enter the function name in the Function field. If the function is found in the DLL, the indicator turns green; otherwise, it remains red. When SSO is implemented, the DLL is first searched for in the PATH associated with the connected user’s environment; if it is not found, it is searched for in the same directory as the one used during the configuration process. For more details on how to write external functions, see Extension DLL.
Modify state
This action suspends Enterprise SSO for the time specified (in milliseconds). Two buttons (500 ms and 1000 ms) allow you to quickly configure the most common wait times.
Modify state
This action compares the memory buffer contents with a given character string. The comparison is case sensitive. The state is then modified, depending on the result of this comparison: True if the string is found, False otherwise. You can also compare the buffer contents with a regular expression by selecting the This is a regular expression check box.
Modify state
This action enables you to check the SSL certificate of a web server before performing the SSO. The check is done by comparing the web server certificate with a local certificate. You must provide the following information:
Modify state
This action stops the script and returns one of the following statuses:
Modify state
This action allows you to trigger one of the events listed in the Special Event area.
Modify state
This action allows you to create a label in the custom script, to manage conditional operations. You must use this action if you want to use the Jump to Label (Goto) action.
Modify state
This action is only available if you have already defined a Create a Label action. It allows you to define a jump in your custom script. It is strongly recommended to use this action in association with a condition (True/False), to avoid infinite loops.
Modify state
This action allows you to display a message box in order to ask a question to the user. Use the available options to define the content of your message box. In the message box value, to add a:
If the user can click No or Cancel, the state is set to False. Select Buffer content to enable the user to see the content of the buffer. This feature enables the user to see his login and password. The user's answer can be saved in an SSO parameter. When SSO is performed in a Yes/no box type and the user answers, this answer is then saved and the question will not be asked again. However, if the value of the saved parameter differs, then the question is asked again.
Modify state | Modify buffer
This action allows you to define an input box. Select Allow value selection from list or combobox if you prefer to display a list of items the user can select rather than a standard input field where he can enter any text.
Modify state
This action allows you to force the modification of the current SSO state. Example: if you select no SSO done, then the following actions will be played regarding this state.
Modify state
This action allows you to force the filling of the current buffer with the content of the parameter selected in the drop down list.
The DLL enables you to perform the integration of an application with the SSO where the other methods have failed. This means creating a specific SSO agent for a specific application, which requires programming skills.
An Enterprise SSO extension library sample can be found in the Enterprise SSO package (CustomDllSample).
To be included in an Enterprise SSO script, an external function must respect the following rules:
SSOWatchSSOData data structure.
SSOWatchSSOData structure but it can read them.
SSOWatchSSOData.h and SSOWatchWindows.h. An external function must use the prototype:
extern "C" DWORD (*)(SSOWatchSSOData *)
The following code defines the SSOWatchSSOData structure provided as a parameter to the external function. This structure contains the data that is carried from one action to another:
// R = read-only for the external function, RW = read/write, -- = internal use.
struct SSOWatchSSOData
{
    int m_nVersion;                                   // R
    BOOL m_bState;                                    // RW
    HWND m_hWnd;                                      // R
    TCHAR m_szBuffer[SSOWATCHSSODATA_BUFFERLEN+1];    // RW
    TCHAR m_szIdentifier[SSOWATCHSSODATA_IDLEN+1];    // R
    TCHAR m_szPassword[SSOWATCHSSODATA_PWDLEN+1];     // R
    TCHAR m_szParam[SSOWATCHSSODATA_PARAMLEN+1];      // R
    LPCTSTR m_szCredential;                           // R
    void *m_UserData;                                 // RW
    void *m_pInternal;                                // --
    void *m_pInternalCred;                            // --
    void *m_pIternalInstance;                         // --
};
The version number (m_nVersion) indicates the version of this structure, which can change between versions of Enterprise SSO. It must be compared to SSOWATCHSSODATA_VERSION.
The state (m_bState) indicates the state of the last action (TRUE or FALSE) and can be modified to change the execution of the next actions.
m_hWnd contains the handle of the currently processed window. It can be used to call Win32 functions that need a window handle as a parameter, but it should not be modified.
m_szBuffer is the memory buffer: it can be modified if required.
m_szCredential, m_szIdentifier and m_szPassword respectively contain the name of the service associated with the application being processed, and the identifier and password of the user for this service. These parameters should not be modified. m_szParam contains the last SSO Parameter retrieved with the Get SSO action. None of these fields should be modified.
m_szCredential contains a string in the form: Account="…"
m_UserData is a pointer to custom user data. It is not used by Enterprise SSO (except of course by external functions) and it remains valid during the entire execution of the same script.
NOTE: The members m_pInternal, m_pInternalCred and m_pInternalInstance must not be modified. They are reserved for internal use by Enterprise SSO.
The function must return a code that is a combination of one of the values in the following table together with the code SSORET_STOP if the script must be stopped.
Code | Description
| The function ended with no error.
| The function ended with no error and SSO has been performed.
| An error occurred during password management.
| The user is not registered for the application.
| An error occurred during the recovery of an SSO parameter.
| This window should not have been processed in this order (for example, bad password window found before the logon window).
| SSO has already been performed for this window.
| The application is waiting for a confirmation of password update.
| The password has been changed.
| An error occurred during access to the security database.
| An error occurred while the current window was being processed. This window will be disabled.
| An error occurred while the current application was being processed. The entire application will be disabled.
| User has disabled SSO for this application instance.
| User has disabled SSO for this application.
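A sketch of an external function that follows the rules above: it checks m_nVersion before touching the structure, treats the credential fields as read-only, writes only m_bState and m_szBuffer, and bounds the copy into the buffer. This is an added example, not the CustomDllSample code; the function name, the EXAMPLE_RET_* names, the numeric values of the constants and the use of a bitwise OR to combine a code with SSORET_STOP are assumptions, since the page does not give them.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins so the example builds outside the product SDK. A real extension
   DLL gets these from <windows.h>, SSOWatchSSOData.h and SSOWatchWindows.h. */
typedef int BOOL;
typedef unsigned long DWORD;
typedef void *HWND;
typedef char TCHAR;                /* assumes an ANSI (non-UNICODE) build */
typedef const TCHAR *LPCTSTR;
#define TRUE  1
#define FALSE 0

/* Assumed values: the real ones are defined in the product headers. */
#define SSOWATCHSSODATA_VERSION   1
#define SSOWATCHSSODATA_BUFFERLEN 255
#define SSOWATCHSSODATA_IDLEN     255
#define SSOWATCHSSODATA_PWDLEN    255
#define SSOWATCHSSODATA_PARAMLEN  255
#define SSORET_STOP       0x8000UL /* assumed bit value */
#define EXAMPLE_RET_OK    0UL      /* hypothetical name: ended with no error */
#define EXAMPLE_RET_ERROR 1UL      /* hypothetical name: window processing error */

typedef struct SSOWatchSSOData {   /* members as listed on this page */
    int     m_nVersion;                                   /* R  */
    BOOL    m_bState;                                     /* RW */
    HWND    m_hWnd;                                       /* R  */
    TCHAR   m_szBuffer[SSOWATCHSSODATA_BUFFERLEN + 1];    /* RW */
    TCHAR   m_szIdentifier[SSOWATCHSSODATA_IDLEN + 1];    /* R  */
    TCHAR   m_szPassword[SSOWATCHSSODATA_PWDLEN + 1];     /* R  */
    TCHAR   m_szParam[SSOWATCHSSODATA_PARAMLEN + 1];      /* R  */
    LPCTSTR m_szCredential;                               /* R  */
    void   *m_UserData;                                   /* RW */
    void   *m_pInternal;                                  /* -- */
    void   *m_pInternalCred;                              /* -- */
    void   *m_pIternalInstance;                           /* -- */
} SSOWatchSSOData;

/* Copies the account name out of m_szCredential (form: Account="...") into
   the memory buffer and sets the state to TRUE. On any parsing problem the
   state is FALSE and the buffer is empty, so the script can branch on it. */
DWORD ExtractAccountName(SSOWatchSSOData *d)
{
    static const char key[] = "Account=\"";
    const char *start, *end;
    size_t len;

    /* Never touch a structure laid out for a different product version. */
    if (d == NULL || d->m_nVersion != SSOWATCHSSODATA_VERSION)
        return EXAMPLE_RET_ERROR | SSORET_STOP;

    d->m_bState = FALSE;
    d->m_szBuffer[0] = '\0';
    if (d->m_szCredential == NULL)
        return EXAMPLE_RET_OK;
    start = strstr(d->m_szCredential, key);
    if (start == NULL)
        return EXAMPLE_RET_OK;
    start += sizeof key - 1;
    end = strchr(start, '"');
    if (end == NULL)                          /* unterminated value */
        return EXAMPLE_RET_OK;
    len = (size_t)(end - start);
    if (len == 0 || len > SSOWATCHSSODATA_BUFFERLEN)
        return EXAMPLE_RET_OK;                /* would not fit: refuse */

    memcpy(d->m_szBuffer, start, len);        /* bounded by the check above */
    d->m_szBuffer[len] = '\0';
    d->m_bState = TRUE;
    return EXAMPLE_RET_OK;
}

/* Constructed sample input for running the function outside the product. */
SSOWatchSSOData sample_data(int version, const char *credential)
{
    SSOWatchSSOData d;
    memset(&d, 0, sizeof d);
    d.m_nVersion = version;
    d.m_bState = TRUE;
    d.m_szCredential = credential;
    return d;
}

int main(void)
{
    SSOWatchSSOData ok = sample_data(SSOWATCHSSODATA_VERSION, "Account=\"MAINFRAME-PROD\"");
    SSOWatchSSOData bad = sample_data(SSOWATCHSSODATA_VERSION, "Account=\"unterminated");
    DWORD r1 = ExtractAccountName(&ok);
    DWORD r2 = ExtractAccountName(&bad);
    printf("ok:  ret=%lu state=%d buffer=%s\n", r1, ok.m_bState, ok.m_szBuffer);
    printf("bad: ret=%lu state=%d buffer=%s\n", r2, bad.m_bState, bad.m_szBuffer);
    return 0;
}
```

The function never copies m_szPassword into m_szBuffer: the Display a message box action can show the buffer content to the user, so anything written there should be treated as visible.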
For some specific applications like line terminal emulators, or applications that cannot be configured with any of the Enterprise SSO window types, Enterprise SSO provides an OLE/Automation interface.
Enterprise SSO behaves like a COM server and accepts calls from several clients. These clients connect with the COM protocol using high-level programming languages like Visual Basic, or any language that supports this kind of programming interface (which is the case of most terminal emulators like: Hummingbird Exceed, AttachMate Extra, …). You may also use this interface from any C/C++ program.
Clients connecting to Enterprise SSO use the active Enterprise SSO configuration and benefit from Enterprise SSO application behavior management and password policies.
By default, access to Enterprise SSO objects using OLE/Automation interface is forbidden. You have to explicitly authorize this action in the general options of the application object.
For security reasons, you must specify a password in the configuration to protect access.
The OLE/Automation interface provides two types of objects:
ISSOEngine provides the GetApplication2 and the GetSSOEngineState functions.
|
IMPORTANT: The GetApplication function is obsolete and should not be used. |
The function returns an interface pointer to ISSOApplication, unless the application is not found in the Enterprise SSO configuration, the challenge does not match, or the application is not configured to allow OLE/Automation access to its security information.
When more than one account is associated with an application, Enterprise SSO asks the user to choose which account Enterprise SSO must use during this session. This choice will be kept until the interface pointer to ISSOApplication is released. The only way to change account is to use GetApplication2 again.
HRESULT GetApplication2(/*[in]*/ BSTR strAppName,
/*[in]*/ BSTR strChallenge,
/*[in]*/ LONG hWnd,
/*[out]*/ IDispatch *pIDispatch)
GetApplication2(strAppName As String,
strChallenge As String,
hWnd As Long) As Object
strAppName
is the name of the application as defined in the active configuration of Enterprise SSO (for security purposes, this string is case sensitive).
strChallenge
is the password used to protect the OLE link. This password must match the password defined in the applications settings of the Enterprise SSO configuration.
hWnd
is the window handle of the application where the OLE/Automation script runs. This handle allows the blocking of input to the application window when Enterprise SSO asks for security information, so that Enterprise SSO windows do not appear under the application window (in the background). If this information is not available or you do not know how to get it, provide the value 0.
Returns a pointer to the ISSOApplication interface.
Dim oSSO, oApp As Object
Set oSSO = CreateObject("SSOEngine.SSOEngine")
Set oApp = oSSO.GetApplication2 ("MyApplication","Password",0)
This function returns values corresponding to the state of Enterprise SSO.
HRESULT GetSSOEngineState(/*[out]*/ LONG *plSSOEngineState)
GetSSOEngineState() As Long
No parameters.
Returns the state of Enterprise SSO, as described in the following table:
Return Value | Engine State
0 | Started
2 | Stopped
4 | Suspended
Once the ISSOApplication interface pointer has been obtained, the following methods (or functions) and properties (or parameters) are available:
Methods | Properties
GetSSOParameter | LoginID
GetNewPassword | Password
GetUserApplicationPassword |
Get_IsExpired |
Read-only property that returns the account name associated with the application.
HRESULT get_LoginId([in] LONG hWnd, [out] BSTR *pVal)
app.LoginId(hWnd As Long) As String
hWnd
is the window handle of the application where the OLE/Automation script runs. This handle allows the blocking of input to the application window when Enterprise SSO asks for security information, so that Enterprise SSO windows do not appear under the application window (in the background). If this information is not available or you do not know how to get it, provide the value 0.
Name of the account associated with the application.
Read/Write property for retrieving or setting the application password.
HRESULT get_Password(/*[in]*/ LONG hWnd, /*[out]*/ BSTR *pVal)
HRESULT put_Password(/*[in]*/ LONG hWnd)
Visual Basic:
app.Password(hWnd As Long) As String
Parameters
hWnd
is the window handle of the application where the OLE/Automation script runs. This handle allows the blocking of input to the application window when Enterprise SSO asks for security information, so that Enterprise SSO windows do not appear under the application window (in the background). If this information is not available or you do not know how to get it, provide the value 0.
Return Value
Password of the application.
The GetSSOParameter Method
Description
Method that returns the SSO parameter whose name is given in strParameterName. The strParameterDesc parameter is a user-friendly description used if Enterprise SSO needs to prompt the user for the parameter value.
Prototypes
C/C++:
HRESULT GetSSOParameter(/*[in]*/ LONG hWnd,
/*[in]*/ BSTR strParameterName,
/*[in]*/ BSTR strParameterDesc,
/*[out]*/ BSTR *pVal)
Visual Basic:
app.GetSSOParameter(hWnd As Long,
strParameterName As String,
strParameterDesc As String) As String
Parameters
hWnd
is the window handle of the application where the OLE/Automation script runs. This handle allows the blocking of input to the application window when Enterprise SSO asks for security information, so that Enterprise SSO windows do not appear under the application window (in the background). If this information is not available or you do not know how to get it, provide the value 0.
strParameterName
is the name of the SSO parameter to retrieve.
strParameterDesc
is a user-friendly description (or a label) if Enterprise SSO needs to prompt the user for the parameter value.
Return Value
Returns the SSO parameter.
The GetUserApplicationPassword Method
Description
This method collects the password of the running application by asking the user to enter it. This method returns the password as a string.
Prototype
C/C++:
HRESULT GetUserApplicationPassword(/*[in]*/ LONG hWnd,
/*[out]*/ BSTR *pVal)
Visual Basic:
GetUserApplicationPassword(hWnd As Long) As String
hWnd
is the window handle of the application where the OLE/Automation script runs. This handle allows the blocking of input to the application window when Enterprise SSO asks for security information, so that Enterprise SSO windows do not appear under the application window (in the background). If this information is not available or you do not know how to get it, provide the value 0.
Returns the password as a string.
Prompts the user for a new password (or creates a new one automatically, following the password policy) for the running application.
|
IMPORTANT: You must call the Password property when you use this method to save the new password. |
HRESULT GetNewPassword(/*[in]*/ LONG hWnd,
/*[out]*/ BSTR *pstrPassword)
app.GetNewPassword(hWnd As Long) As String
hWnd
is the window handle of the application where the OLE/Automation script runs. This handle allows the blocking of input to the application window when Enterprise SSO asks for security information, so that Enterprise SSO windows do not appear under the application window (in the background). If this information is not available or you do not know how to get it, provide the value 0.
Returns a new password for the running application.
NewPassword$ = oApp.GetNewPassword(0)
' Asks for a new password.
oApp.Password(0) = NewPassword$
' Saves the new password.
This method allows you to know if the password has expired. It must be used after the GetNewPassword method.
C/C++:
HRESULT get_IsExpired(/*[in]*/ LONG hWnd,
/*[out]*/ BOOL *pbExpired)
Visual Basic:
app.IsExpired(hWnd As Long) As Long
hWnd
is the window handle of the application where the OLE/Automation script runs. This handle allows the blocking of input to the application window when Enterprise SSO asks for security information, so that Enterprise SSO windows do not appear under the application window (in the background). If this information is not available or you do not know how to get it, provide the value 0.
Returns True if the password has expired.
To use these interfaces, you must first connect to Enterprise SSO by creating an "SSOEngine.SSOEngine" object:
Dim oSSO, oApp
Set oSSO = CreateObject("SSOEngine.SSOEngine")
This returns an interface pointer to ISSOEngine that allows you to call the GetApplication2 method:
Set oApp = oSSO.GetApplication2("NomApp", "password", 0)
Then you can use the security information:
Wscript.Echo " Login: " & oApp.LoginId(0)
Wscript.Echo " Password: " & oApp.Password(0)
Once you have finished with the objects, you must free them (otherwise, Enterprise SSO will not be stopped safely):
Set oApp = Nothing
Set oSSO = Nothing
Return codes are HRESULT with the FACILITY_ITF feature.
Define | Value | Meaning
SSOAPI_OK | 0 | OK
SSOAPI_INVALID_SERVICE | 1 | Account or Service empty.
SSOAPI_ACCESS_DENIED | 2 | No Account exists.
SSOAPI_SUBAPI_ERROR | 3 | Generic error from User Provisioning underlying API.
SSOAPI_INVALID_SERVICE_TYPE | 4 | Invalid Service Type (User Provisioning only).
SSOAPI_UNKNOWN_ERROR | 5 | Unknown error.
SSOAPI_MEMORY_FAILED | 6 | Out of memory.
SSOAPI_INVALID_PASSWD | 7 | Invalid password: this return code is managed by the OLE/Automation API.
SSOAPI_UNKNOWN_PARAMETER | 8 | Unknown parameter.
SSOAPI_INVALID_PARAM_NAME | 9 | Invalid parameter name.
SSOAPI_INVALID_FLAG | 10 | Internal.
SSOAPI_SERVICE_NOT_FOUND | 11 | Service not found for the system type provided. Similar to ACCESS_DENIED.
SSOAPI_SERVER_ERROR | 12 | Error while accessing the security server.
SSOAPI_PASSWD_NOT_CHANGED_ | 13 | The password change is not taken into account yet.
SSOAPI_NOMOREAPP | 14 | No more applications in the application list.
SSOAPI_NOTREADY | 15 | Not ready (for example: smart card removed).
SSOAPI_UNKNOWN_APPLICATION | 16 | Unknown application.
SSOAPI_CANCELLED_BYUSER | 17 | Application instance disabled by the user.
SSOAPI_CANCELLED_BYUSER_APPLICATION | 18 | Application disabled by the user.
SSOAPI_DISABLED_APPLICATION | 19 | Application already disabled by the user.
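The documented calls combined into one script that checks the engine state, decodes a refused GetApplication2 call against the return-code table, and releases both objects on every path. This is an added example, not One Identity code; it assumes the SSOAPI value sits in the low 16 bits of the HRESULT, that a refused call raises a script error, and that the script runs under cscript.exe with the application name as its first argument and the OLE challenge on standard input.

```vbscript
Option Explicit
' Added example, not One Identity code; it uses only calls documented on this page.
' Assumption: the SSOAPI_* value is the low 16 bits of the FACILITY_ITF HRESULT.
' Run under cscript.exe so the OLE challenge can be read from standard input.
Const ENGINE_STARTED = 0   ' GetSSOEngineState: 0 Started, 2 Stopped, 4 Suspended

Function SsoCodeName(hr)
    Dim code
    code = hr And &HFFFF&   ' &HFFFF& is a Long; plain &HFFFF is the Integer -1
    Select Case code
        Case 2:  SsoCodeName = "SSOAPI_ACCESS_DENIED"
        Case 7:  SsoCodeName = "SSOAPI_INVALID_PASSWD"
        Case 15: SsoCodeName = "SSOAPI_NOTREADY"
        Case 16: SsoCodeName = "SSOAPI_UNKNOWN_APPLICATION"
        Case 17: SsoCodeName = "SSOAPI_CANCELLED_BYUSER"
        Case 18: SsoCodeName = "SSOAPI_CANCELLED_BYUSER_APPLICATION"
        Case 19: SsoCodeName = "SSOAPI_DISABLED_APPLICATION"
        Case Else: SsoCodeName = "SSOAPI code " & code
    End Select
End Function

Dim oSSO, oApp, hr, appName, challenge
If WScript.Arguments.Count < 1 Then WScript.Quit 64
appName = WScript.Arguments(0)        ' case-sensitive name from the SSO configuration
challenge = WScript.StdIn.ReadLine()  ' not hard-coded and not on the command line

Set oSSO = CreateObject("SSOEngine.SSOEngine")
If oSSO.GetSSOEngineState() <> ENGINE_STARTED Then
    WScript.Echo "Enterprise SSO engine is not started."
    Set oSSO = Nothing
    WScript.Quit 1
End If

Set oApp = Nothing                    ' so the Is Nothing test below is always valid
On Error Resume Next                  ' assumed: a refused call raises a script error
Set oApp = oSSO.GetApplication2(appName, challenge, 0)
hr = Err.Number                       ' capture before On Error GoTo 0 clears Err
On Error GoTo 0
challenge = Empty
If hr <> 0 Or oApp Is Nothing Then
    WScript.Echo "GetApplication2 refused: " & SsoCodeName(hr)
    Set oSSO = Nothing
    WScript.Quit 2
End If

WScript.Echo "Account selected: " & oApp.LoginId(0)
' Pass oApp.Password(0) straight to the emulator's input call; do not echo or log it.
Set oApp = Nothing                    ' release both objects so Enterprise SSO
Set oSSO = Nothing                    ' can stop safely
```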
© 2021 One Identity LLC. ALL RIGHTS RESERVED.