Security Tab
Security Tab
|
Option name |
Description | ||||
|
Change password every <n> days |
Select this check box to allow the user to manually change his/her primary password (whatever the authentication method used) every "n" days using the default password format control policy (PFCP) selected in the User PFCP field.
If the manual password change policy detects expiration date of the password when the user authenticates offline, the user is not asked to change his/her password (it is performed at authentication of the user in connected mode). In this case, you can force the user to re-authenticate when the directory is available again in the opened session, so that he can manually change his password in the directory, by setting to the following registry key the value 1 : This key is available in the following location:
| ||||
|
User PFCP |
The default password format control policy (PFCP) is selected by default. This PFCP applies when the user types his/her password. Click the
| ||||
|
Change password on token every <n> days
and on collect or expiration |
This option is operating only if:
Select this check box to enable the automatic change of the smart card or USB token password every "n" days. This operation has no consequence on the user authentication tasks (the user still uses his/her PIN to authenticate). If the automatic password change policy detects the expiration date of the password when the user authenticates offline, the automatic password change is not performed (it is performed upon the next user authentication in connected mode). Select this check box to enable the automatic password change: on collect, that is when the password is collected upon the first use of the token. or on expiration of the password in the directory.
| ||||
|
Automatic PFCP |
The default password format control policy (PFCP) is selected by default. This PFCP applies when password change is performed automatically, without user intervention (e.g.: the password is stored on smart card and changes every x days).
| ||||
|
Allow external access |
Select this check box to specify that the users associated with this security profile can share their accounts with external applications. You must select this check box to enable the Mobile E-SSO feature. For more information, see Mobile E-SSO Installation and Configuration Guide. | ||||
|
Allow the emergency plan |
Select this check box to allow users to ask for their password to be sent by email through the EAM portal. The list of passwords sent to the user is controlled by the option set on the application. For more information, see Defining account properties - Password tab.
| ||||
|
SSO data protected by token is also available on password authentication |
Select this check box to specify that the SSO data protected by token can be used even if the user authenticates by password. | ||||
|
SSO data is protected by session key |
Select this check box to enable the synchronization between session and: Password encryption: when the user authenticates with his password, the key table entry “session” is automatically updated. Smart card encryption: when the user authenticates with his smart card, the key table entry “session” is automatically updated. | ||||
|
Grace period |
The grace period is the period of time during which the workstation automatically unlocks when the user logs on with his/her smart card or RFID token using the same reader. | ||||
|
The roaming session allows users to open a session on a computer using their physical authentication token, without having to type a password or a PIN. Select this check box to authorize the "roaming session" mode for users associated with the profile. x hours: type a duration time for the roaming session. The roaming session is created as soon as the user authenticates on an access point (where the roaming session is allowed). The session duration time starts from that moment. At the end of the duration time, the user will have to type his/her password or PIN. no duration limit: if you select this check box the roaming session is created as soon as the user authenticates on an access point, with no duration time. The user will never have to type a password or PIN again. If you change the duration time parameter once the roaming session has started, the new value will only be taken into account once the session in progress has expired, or has been deleted by the user (from Authentication Manager) or in by the administrator from EAM Console (see Section Displaying user authentication information and administering roaming sessions).
|
button to select another existing PFCP. 
button to display and, if necessary, modify the selected PFCP, as described in Section SSO and Notes Tab
- Single Sign On (SSO) area
|
Option name |
Description |
|
Inactivation duration (min) |
Period of inactivity after which the Enterprise SSO engine is disabled. Notes: If you select 0, the engine is never disabled. This option does not work in smartcard mode, except when the AllowSmartCardInactivity registry key is set (for more information on the registry keys used by Authentication Manager, see Authentication Manager for Windows User's Guide). |
|
Allow pause/restart of Enterprise SSO |
Select these check boxes to allow the users associated with this security profile to pause, refresh, stop or restart the engine. |
|
Allow Enterprise SSO stop | |
|
Allow Enterprise SSO refresh | |
|
Show Enterprise SSO launcher in foreground |
Select this check box to allow the opening of the Enterprise SSO engine from the Windows notification area during the execution of Enterprise SSO. |
|
Allow Personal SSO Studio |
Select these check boxes to allow the users associated with this security profile to use Personal SSO Studio and Enterprise SSO Studio. |
|
Allow Enterprise SSO Studio | |
|
Allow role selection |
Select this check box to allow the users associated with this user security profile to select different roles in the engine. |
|
Require strong authentication for SSO |
Select this check box to specify that a token is necessary to start the SSO. |
|
Authentication on next access/Authenticate immediately |
SSO behavior on card insertion. |
- Personal notes area
|
Option name |
Description |
|
Allow personal notes from computers |
Users can manage personal notes from their computer(s). |
|
Allow personal notes from mobile devices |
Users can manage personal notes from their mobile device(s). |
|
Synchronize mobile personal notes with the directory |
When personal notes are available on: Computers: this check box is unavailable. Mobile devices: the personal notes created on the mobile device are automatically synchronized with the directory. Computers and mobile devices: the personal notes created on the mobile device are synchronized and available on the user's computer and vice versa. |
|
Maximum characters for a note |
Self-explanatory Default value: 256 characters. |
|
Limit the number of notes |
Self-explanatory Default value: 32. |
Cloud Tab
The Cloud tab enables you to manage the servers to which Cloud E-SSO connects.
|
Option name |
Description |
|
Cloud Servers |
List of the Web servers that can be reached by Cloud E-SSO to download the Enterprise SSO configuration. Use the associated buttons to add a new server, modify its position (if a server is in first position, it will be the first one to be contacted by Cloud E-SSO) or delete it. |
|
Randomize the list at runtime for load balancing |
Select this check box to force Cloud E-SSO to connect randomly to the Cloud servers. |
|
|
IMPORTANT: To enable the sending of the OTP in case of Cloud E-SSO password reset, the corresponding check box must be selected: see Self Service Password Request Tab. |
Unlocking Tab (Fast User Switching - FUS)
The Unlocking tab allows you to activate and configure the Fast User Switching (FUS) feature.
For more details on the FUS feature, see Authentication Manager Session Management Administrator’s Guide.
|
Option name |
Description |
|
User level |
Enter a user hierarchy level (0 is the lowest level). |
|
User can unlock sessions of users below level |
Select this check box to allow a user to unlock a session locked by another user whose level is below the specified level. |
|
User can close sessions of users below level |
Select this check box to allow a user to close a session opened by another user whose level is below the specified level. |
Example
You want that User 1, who is associated with the Security Profile 1 can unlock or close sessions of other users associated with the Security Profile 1. To enable this, configure the Unlocking tab as follows:
- User level: X (5 for example).
- User can unlock sessions of users below level: >X (7 for example).
- User can close sessions of users below level: >X (7 for example).
To check that this example works:
- Using Authentication Manager log on as User 1.
- Lock the session.
- Unlock the session with another user associated with the Security Profile 1 (User 2 for example).
- Enterprise SSO is restarted with the SSO data of User 2, and the Session Information window of Authentication Manager displays the following parameters:
- EAM user: User 2.
- Windows user: User 1.
- Enterprise SSO is restarted with the SSO data of User 2, and the Session Information window of Authentication Manager displays the following parameters: