
Enterprise Single Sign-On 9.0.2 - One Identity Enterprise Access Management Console Administration Guide


Managing User Security Profiles

Definition

User security profiles are security objects that define a set of rights and properties applied to one or more users.

Target objects

User security profiles apply only to users.

As mentioned in Section Overview, the user object refers to the user himself/herself, a group of users or an organizational unit that contains users. User security profiles can therefore be assigned to the following LDAP directory objects (listed from highest to lowest priority; when a user is covered by several of them, the profile assigned to the highest-priority object applies):

  • User.
  • Group of users.
  • Group of groups.
  • Organizational Units.


Creating/Modifying User Security Profiles

Before starting
  • To perform the tasks described in this section, you must have at least the following administration role:
    • In classic administration mode: "Security object administrator".
    • In advanced administration mode, your role must contain the following administration right: "User security profile: Creation/Modification".
  • The time slice that will be used by the user security profile must be created.

Procedures

Creating User Security Profiles

  1. In the tree structure of the Directory panel, right-click the organizational unit that must contain your user security profile and select New\User Security Profile.
    • The tab used to configure the user security profile appears.
  2. Fill in the window as described in Section Configuring User Security Profiles and click Apply.
    • The user security profile appears in the directory tree structure.

Modifying User Security Profiles

IMPORTANT: If you modify a user security profile already used by users, your modifications apply to all users associated with this security profile.
  1. In the tree structure of the Directory panel, select the user security profile to modify.
    • The tab used to configure the user security profile appears.
  2. Fill in the window as described in Section Configuring User Security Profiles and click Apply.

    The user security profile is modified.

Configuring User Security Profiles

Before starting

To perform the task described in this section, you must have at least the following administration role:

  • In classic administration mode: "Security object administrator".
  • In advanced administration mode, your role must contain the following administration rights: "User security profile: Creation/Modification" and "Temporary password access: Change duration".

Procedure

  1. Type the profile name.
  2. In the Authentication tab, select the authentication methods available for the users that will be associated with the user security profile, and define the authentication parameters of the user security profile, as described in Section Authentication Tab.
  3. In the Security tab, define the security parameters of the user security profile, as described in Section Security Tab.
  4. In the SSO and Notes tab, set the SSO and manage the activation and configuration of the personal notes, as described in SSO and Notes Tab.
  5. In the Cloud tab, manage the Cloud E-SSO servers, as described in Cloud Tab.
  6. In the Unlocking tab, define the unlocking parameters of the user security profile to activate and use the Fast User Switching feature, as described in Section Unlocking Tab (Fast User Switching - FUS).
  7. In the Self Service Password Request tab, specify the Self Service Password Request (SSPR) parameters of the user security profile to activate and use the emergency access feature, as described in Section Self Service Password Request Tab.
  8. In the Biometrics tab, define the biometrics policy, as described in Section Biometrics Tab.
  9. In the Session delegation tab, authorize users to delegate their session, as described in Section Session Delegation Tab.
  10. In the Audit tab, assign an audit filter to the user security profile to generate only relevant audit events, as described in Section Audit Tab.
  11. In the OTP tab, define the OTP authentication parameters, as described in Section OTP Tab.
  12. In the Mobile Device tab, activate and configure the mobile device enrollment, as described in Section Mobile Device Tab.


Authentication Tab

User authentication methods area

IMPORTANT:

  • If you modify a user security profile already used by users, your modifications apply to all users associated with this security profile.
  • A wide range of authentication methods is supported. To add more authentication methods to the list, please contact your One Identity representative.
  • The Session authentication method works only with Active Directory.
  • The Select Configuration button allows you to assign a specific configuration to smart card authentication methods (such as Cryptoflex smart card, CyberFlex PKCS#11 or Rainbow iKey3000). These configurations are defined in the Smart Card panel. For more information, see Section Managing smart card configuration profiles.
  • The "Biometrics Store-On-Server" and "Biometrics Store-On-PC" methods cannot be used simultaneously: select only one of them. For more information, see Section Managing biometrics.
  • The RFID authentication method can be configured in the RFID panel: see Section Managing RFID tokens.
  • The OTP authentication method: to enable this authentication method, you must have one of the following products: RSA Authentication Manager or a RADIUS plugin. The following authentication modes are supported:
    • Online and offline: this mode allows users to authenticate even if they are not connected to an EAM Controller. This mode does not work with the RADIUS plugin.
    • Online: in this mode, an EAM Controller must be available when the user authenticates using OTP.

    IMPORTANT: EAM supports only one activated authentication mode at a time.

    To use these modes, RSA Authentication Manager or the RADIUS plugin must be installed and configured in accordance with the procedures detailed in the One Identity EAM Installation Guide.

    For more information on how to configure the OTP authentication modes, see OTP Tab.
  • The Mobile device authentication method, which is fully described in the QRentry User's Guide.

Timeslice

The default time slice is selected automatically. Click the button next to the field to select a different time slice.

NOTE: Click the button next to the selected time slice to display it and, if necessary, modify it, as described in Section Creating/Modifying Time Slices.

Use cache/Cache data validity (h)

Select this option to allow the users associated with this security profile to use a cache on their workstations. This enables them to:

  • Authenticate on their workstations even if they are not connected to the network (disconnected mode).
  • Optimize the cache updates when the workstation is in connected mode.

NOTE:

  • To use the cache, the user must first authenticate at least once in connected mode.

  • When the cache data validity has expired, the user must be in connected mode to open his/her Windows session. The validity counter is then reset to zero.

  • The default value is 0, which means the cache data never expires.

IMPORTANT: You must also select the use cache option in the access point security profile. For more details, see Security Services Tab.

Session duration (in hours)

Length of time a session remains active before re-authentication is required.

NOTE: The 0 value is the "infinite" value: re-authentication is never required.

Allow temporary password access for...

This option sets the validity duration of the temporary password access method. Once that time has elapsed, the user can no longer authenticate with a password.

  • <X> day(s) when generating challenge:

    This value applies when a user who resets his/her own password in disconnected mode enters the unblocking code provided by the helpdesk. It is displayed in the unblocking code generation window (Managing user Self Service Password Request).

NOTE: For a complete description of the temporary password access, see Authentication Manager Self Service Password Request Administrator's Guide.

Allow on all access points

  • In "access point management" mode, authorizes the users associated with this security profile to authenticate on all access points of their domain (option selected by default).
  • In "no access point management" mode, a user can open an EAM session on an access point only if the Allow on all access points check box is selected.

To authorize the users to log on access points registered in external domains, see Section Managing representative objects.

IMPORTANT: This option overrides per-user restrictions. If access points have been forbidden to a user but this option is selected, the user can still log on to those access points. For more information, see Section Assigning/forbidding access points to a user.
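The following added example (not One Identity code) makes two points from this guide concrete: the precedence order of profile assignment given under Target objects (user, then group of users, then group of groups, then organizational unit) and the override described in the IMPORTANT note above, where Allow on all access points takes priority over a user's forbidden access points. The data layout, the directory names and the rule that a user whose profile does not allow all access points may only use explicitly assigned ones are assumptions made for illustration.

```python
"""Illustrative resolver for the effective user security profile and the
"Allow on all access points" override. Added example; not One Identity code.
Data layout, DNs and the assigned-access-point rule are assumptions."""
from dataclasses import dataclass, field

# Precedence from the Target objects list, highest priority first.
PRECEDENCE = ("user", "group", "group_of_groups", "ou")


@dataclass
class UserSecurityProfile:
    name: str
    allow_on_all_access_points: bool = True   # selected by default per the guide


@dataclass
class DirectoryUser:
    dn: str
    groups: list                 # direct group memberships (DNs)
    parent_groups: list          # groups that contain the user's groups
    ou: str
    forbidden_access_points: set = field(default_factory=set)
    assigned_access_points: set = field(default_factory=set)   # assumption


def resolve_profile(user, assignments):
    """assignments maps a directory object DN to the profile assigned to it.
    Walk the objects that cover the user from highest to lowest priority and
    return (level, profile) for the first assignment found."""
    candidates = {
        "user": [user.dn],
        "group": user.groups,
        "group_of_groups": user.parent_groups,
        "ou": [user.ou],
    }
    for level in PRECEDENCE:
        for dn in candidates[level]:
            if dn in assignments:
                return level, assignments[dn]
    return None, None


def can_open_session(user, profile, access_point):
    """Allow on all access points overrides the forbidden list (the guide's
    IMPORTANT note). Without it, only explicitly assigned access points that
    are not forbidden are usable (assumption for this example)."""
    if profile is None:
        return False
    if profile.allow_on_all_access_points:
        return True
    return (access_point in user.assigned_access_points
            and access_point not in user.forbidden_access_points)


def demo():
    # Constructed directory data.
    strict = UserSecurityProfile("Helpdesk-Strict", allow_on_all_access_points=False)
    default = UserSecurityProfile("Staff-Default")
    assignments = {
        "cn=helpdesk,ou=groups,dc=corp": strict,   # profile on a group
        "ou=staff,dc=corp": default,               # profile on the OU
    }
    alice = DirectoryUser(dn="cn=alice,ou=staff,dc=corp",
                          groups=["cn=helpdesk,ou=groups,dc=corp"], parent_groups=[],
                          ou="ou=staff,dc=corp",
                          forbidden_access_points={"WS-FINANCE-01"},
                          assigned_access_points={"WS-HELPDESK-01"})
    bob = DirectoryUser(dn="cn=bob,ou=staff,dc=corp", groups=[], parent_groups=[],
                        ou="ou=staff,dc=corp",
                        forbidden_access_points={"WS-FINANCE-01"})
    level_a, prof_a = resolve_profile(alice, assignments)   # group beats OU
    level_b, prof_b = resolve_profile(bob, assignments)     # only the OU covers bob
    return {
        "alice_level": level_a, "alice_profile": prof_a.name,
        "alice_helpdesk": can_open_session(alice, prof_a, "WS-HELPDESK-01"),
        "alice_finance": can_open_session(alice, prof_a, "WS-FINANCE-01"),
        "bob_level": level_b, "bob_profile": prof_b.name,
        # forbidden to bob, but his profile allows all access points: override wins
        "bob_finance": can_open_session(bob, prof_b, "WS-FINANCE-01"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The last result is the one to watch when auditing: a forbidden access point is no protection while the user's effective profile (here inherited from the OU) still has Allow on all access points selected.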

Can unlock a workstation

Authorizes the users associated with this security profile to unlock a workstation locked by another user.

Primary password is stored as an SSO account, encrypt by...

You can select this option when the primary password must be used:

  • Within a Smart Card Logon environment.
  • To interconnect EAM with Web Access Manager (WAM).

If this option is selected, EAM stores the user primary password as an SSO account.
Then, Enterprise SSO uses this SSO account for each application configured to use primary accounts.

NOTE:
  • In Smart Card Logon mode, if the password is not yet stored as an SSO account, or if Enterprise SSO detects a bad password during the SSO process, Enterprise SSO asks the user to re-authenticate with his/her smart card and to enter his/her primary password.

  • In the case of PKA authentication, this option stores the user password in the directory at authentication time. The password is also protected by the controller key.
    During PKA authentication, if the user password is wrong or unknown, a PKA-signed request is sent to the controller to retrieve the password escrowed in the directory. The retrieved password is then used to continue the authentication. With this option, when a lent smart card or a new smart card is assigned to a user, the user does not have to enter the password: it is automatically retrieved from the directory. All the security then rests on the validity of the certificate.

    Restriction: if the retrieved password is not up to date, the user is prompted to enter his/her password.

This drop-down list allows you to select how the SSO primary accounts are encrypted and decrypted (for PKA authentication, the choice of encryption method has no impact on password recovery through the controller):

  • User: only the user can decrypt his/her SSO primary account. This is the most secure option.

    IMPORTANT: If the user forgets his/her primary password or loses his/her smart card, the SSO primary account can no longer be decrypted, so the applications configured to use it stop working until the account is re-created.
  • User and administrators: you can decrypt the user's primary account in the same way as the user. Thus, if you force a new primary password or assign a new smart card, the applications configured to use his/her SSO primary account are also updated.
  • User, administrators and an external key: allows an external application to decrypt the user's SSO primary account using a public key. For example, you must select this entry if you want to use EAM with WAM. This option allows WAM to decrypt the user's SSO primary account so that it can perform SSO with this account. For more details, see Mobile E-SSO Installation and Configuration Guide.
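The three choices above are the usual multi-recipient (envelope) encryption trade-off: the primary password is encrypted under a random data key, and that data key is wrapped for each party allowed to recover it. The following added example (not One Identity code, and not the algorithm EAM uses) models the three modes so the consequences are visible, in particular that under User the account is unrecoverable once the user key is lost. The cipher is an HMAC-SHA256 keystream with an HMAC tag, a stand-in chosen so the example runs with the standard library only; the recipient names, key handling and record layout are assumptions.

```python
"""Toy model of the 'encrypt by' modes for the SSO primary account.
Added example; not One Identity code. The cipher is an illustrative
HMAC-SHA256 keystream + HMAC tag, not EAM's actual algorithm."""
import hashlib
import hmac
import secrets


def _keystream(key, nonce, n):
    """Counter-mode keystream derived from HMAC-SHA256 (toy PRF)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# Who receives a wrapped copy of the data key in each mode of the drop-down list.
MODES = {
    "User": ("user",),
    "User and administrators": ("user", "admin"),
    "User, administrators and an external key": ("user", "admin", "external"),
}


def store_primary_account(password, mode, keys):
    """Encrypt the primary password once, wrap the data key per recipient."""
    dek = secrets.token_bytes(32)
    return {
        "ciphertext": seal(dek, password),
        "wrapped_dek": {who: seal(keys[who], dek) for who in MODES[mode]},
    }


def recover_primary_account(record, who, key):
    if who not in record["wrapped_dek"]:
        raise PermissionError(f"{who} is not a recipient of this account")
    dek = unseal(key, record["wrapped_dek"][who])
    return unseal(dek, record["ciphertext"])


def demo():
    # Constructed keys for the three parties (in EAM these would be derived from
    # the user's credential/smart card, the administrator key and WAM's key pair).
    keys = {name: secrets.token_bytes(32) for name in ("user", "admin", "external")}
    pw = b"Correct-Horse-7"
    results = {}
    for mode in MODES:
        rec = store_primary_account(pw, mode, keys)
        results[mode] = {}
        for who in ("user", "admin", "external"):
            try:
                results[mode][who] = recover_primary_account(rec, who, keys[who]) == pw
            except PermissionError:
                results[mode][who] = False
    # The guide's IMPORTANT note for the User mode: lost smart card means a lost
    # user key, and nobody else holds a wrapped copy of the data key.
    rec = store_primary_account(pw, "User", keys)
    try:
        recover_primary_account(rec, "user", secrets.token_bytes(32))
        recovered = True
    except ValueError:
        recovered = False
    results["user_mode_after_key_loss"] = recovered
    return results


if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(f"{mode}: {outcome}")
```

Adding the administrator as a recipient is what makes "force a new primary password" or "assign a new smart card" able to refresh the stored account without the user's cooperation; it is also why that mode is less secure than User, since an administrator key compromise exposes every primary account wrapped for it.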

User can have only one active Windows session

This check box allows you to set up the double-login prevention functionality.

  • Check box selected:

    When a user authenticates on a workstation, the workstation on which he/she was previously logged on locks.

    For this functionality to work properly:

    • EAM must be configured in "manage-access-point" mode.
    • An EAM controller must be available.
    • The workstations must be connected to the network.
    • Port 3644 must be open on workstations so that SSO clients can communicate.

      NOTE: As Double-Login Prevention information is stored in the directory, the directory architecture and replication time (when several directory servers replicate) must be taken into account. The Double-Login Prevention feature can only work if the time it takes the user to move from one workstation to another is longer than the time it takes to replicate data between all directory servers. If the replication time is too long, you can configure the EAM Controllers to use a list of directories according to their availability.

    For more details, see Authentication Manager Session Management Administrator’s Guide.

  • Check box cleared:

    When a user authenticates on a workstation, the session on which he/she was previously connected remains active.
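Of the conditions listed above, the one most often found broken during rollout is the port requirement. The following added example (not One Identity tooling) is a pre-flight check that a TCP connection to port 3644 completes on each workstation; hosts the feature cannot reach are hosts it cannot lock. The workstation list is constructed, and the demo substitutes a loopback listener on an ephemeral port for a real SSO client so that it runs offline.

```python
"""Pre-flight reachability check for the double-login prevention port.
Added example; not One Identity tooling. Host names are constructed."""
import socket

EAM_CLIENT_PORT = 3644   # port named in the guide for SSO client communication


def port_reachable(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unresolvable, unreachable
        return False


def check_workstations(hosts, port=EAM_CLIENT_PORT, timeout=2.0):
    """Map each workstation to True/False; False means the previous session
    on that workstation could not be locked by another logon."""
    return {h: port_reachable(h, port, timeout) for h in hosts}


def unreachable(report):
    """The hosts an administrator has to fix before relying on the feature."""
    return sorted(h for h, ok in report.items() if not ok)


def demo():
    # Loopback listener standing in for an SSO client; a pending connection
    # completes from the backlog, so no accept() is needed for the probe.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = check_workstations(["127.0.0.1"], port=port)
    srv.close()
    after_close = check_workstations(["127.0.0.1"], port=port)   # now refused
    return while_listening["127.0.0.1"], after_close["127.0.0.1"]


if __name__ == "__main__":
    # Real use: constructed workstation names, default port 3644.
    # report = check_workstations(["ws-finance-01.corp.example", "ws-hr-02.corp.example"])
    # print("fix before enabling double-login prevention:", unreachable(report))
    print(demo())
```

Run it from a machine on the same network segment as the EAM controller; a False result for a workstation that is switched on usually means a host firewall rule on that workstation.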

Allow password authentication until first smartcard enrollment

This check box authorizes the user to authenticate with his/her password until he/she enrolls a smart card for the first time (for example, because he/she has not received it yet). Once the smart card is enrolled, password authentication is no longer possible, unless the Password authentication method is also selected.

  • Check box selected:

    The user can authenticate with his password.

  • Check box cleared:

    The user cannot authenticate with his password and must authenticate with his smart card.

Upon first smart card authentication, add user to group

This check box allows you to add a user to a group as soon as he/she authenticates for the first time with his/her smart card.

  • Check box selected:

    Click the button next to the check box to select the group to which the user will be added after his/her first smart card authentication.

  • Check box cleared:

    The button is deactivated.

NOTE: For this operation to succeed, the EAM controller must have the right to add users to directory groups. For more information, see One Identity EAM Installation Guide.