
Enterprise Single Sign-On 9.0.2 - One Identity Enterprise Access Management Console Administration Guide


Security Tab

Option name

Description

Change password every <n> days

Select this check box so that the user is prompted to change his/her primary password manually (whatever the authentication method used) every n days, using the password format control policy (PFCP) selected in the User PFCP field.

NOTE: in SmartCard Logon mode, the Windows password is changed automatically every "n" days when Enterprise SSO starts.

If the password has already expired when the user authenticates offline (directory unreachable), the user is not asked to change it; the change is requested at the next authentication in connected mode. To force the user to re-authenticate as soon as the directory is reachable again in the open session, so that the password can be changed manually in the directory at once, set the following registry value to 1:
"ManualPwdChangeMandatory" (DWORD), located in:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Enatel\WiseGuard\Framework\Authentication

NOTE: if you also select the Change password on token every <n> days check box, the present option is disabled for users whose authentication method does not require the primary password to be entered (smart cards, biometrics).

User PFCP

The default password format control policy (PFCP) is selected by default. This PFCP applies when the user types his/her password. Click the button to select another existing PFCP.

NOTE: Click the button to display and, if necessary, modify the selected PFCP, as described in Section Creating/Modifying Password Format Control Policies.

Change password on token every <n> days

This option operates only if:

  • The directory used is AD or AD/ADAM.
  • The user's smart card stores the password.
  • The user has permission to change his/her own password in the directory (LDAP permission).

Select this check box to enable the automatic change of the password stored on the user's smart card or USB token every n days. This has no effect on the user's authentication: the user still authenticates with his/her PIN.

If the password has already expired when the user authenticates offline, the automatic password change is not performed; it is performed at the next user authentication in connected mode. To force the user to re-authenticate as soon as the directory is reachable again in the open session, so that the password is changed automatically in the directory at once, set the following registry value to 1:
"AutoPwdChangeMandatory" (DWORD), located in:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Enatel\WiseGuard\Framework\Authentication

and on collect or expiration

Select this check box to also trigger the automatic password change:

  • on collect, that is, when the password is collected upon the first use of the token;
  • on expiration of the password in the directory.

NOTE: this option is unavailable if the Change password on token every <n> days check box is cleared.
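The two registry values above (ManualPwdChangeMandatory for the manual password change policy, AutoPwdChangeMandatory for the automatic token password change) are both REG_DWORD values under the same key, and both must be set on each workstation. The following script is an added example and is not part of the One Identity guide or product: it sets both values to 1 and reads them back to verify. The path and value names are exactly those the guide states; setting both values together and the verification step are this example's own choices.

```powershell
# Added example (not from the One Identity guide): enforce the two
# re-authentication values described above on a workstation and verify them.
# Path and value names are exactly as the guide states; setting both values
# and the verification loop are this example's own choices.
# Run in an elevated PowerShell session, since HKLM is written.

$Path = 'HKLM:\SOFTWARE\Policies\Enatel\WiseGuard\Framework\Authentication'
$Values = @{
    ManualPwdChangeMandatory = 1   # "Change password every <n> days" (manual change)
    AutoPwdChangeMandatory   = 1   # "Change password on token every <n> days" (automatic change)
}

# Create the key if the product or a GPO has not created it yet.
if (-not (Test-Path -Path $Path)) {
    New-Item -Path $Path -Force | Out-Null
}

foreach ($Name in $Values.Keys) {
    # REG_DWORD as the guide requires; -Force overwrites an existing value.
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord `
        -Value $Values[$Name] -Force | Out-Null
}

# Verify: read the values back and report anything missing or wrong.
$Current = Get-ItemProperty -Path $Path
foreach ($Name in $Values.Keys) {
    $Actual = $Current.$Name
    if ($null -eq $Actual) {
        Write-Error "$Name is not set under $Path"
    } elseif ($Actual -ne $Values[$Name]) {
        Write-Error "$Name is $Actual, expected $($Values[$Name])"
    } else {
        Write-Host "$Name = $Actual (OK)"
    }
}
```

Because the key lives under HKLM\SOFTWARE\Policies, a value set locally like this can be overwritten at the next policy refresh if the key is also managed by Group Policy; in a managed environment deliver the same values through the GPO that targets the workstations instead, and use only the verification part of the script to confirm the result. Set only the value matching the option you enabled in the security profile if you do not use both.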

Automatic PFCP

The default password format control policy (PFCP) is selected by default. This PFCP applies when the password change is performed automatically, without user intervention (for example, a password stored on a smart card that is changed every n days).
Click the button to select another existing PFCP.

NOTE: Click the button to display and, if necessary, modify the selected PFCP, as described in Section Creating/Modifying Password Format Control Policies.

Allow external access

Select this check box to specify that the users associated with this security profile can share their accounts with external applications. You must select this check box to enable the Mobile E-SSO feature. For more information, see Mobile E-SSO Installation and Configuration Guide.

Allow the emergency plan

Select this check box to allow users to ask for their password to be sent by email through the EAM portal. The list of passwords sent to the user is controlled by the option set on the application. For more information, see Defining account properties - Password tab.

NOTE: The user cannot recover the passwords of:

  • Shared accounts.
  • Delegated accounts.

SSO data protected by token is also available on password authentication

Select this check box to specify that the SSO data protected by token can be used even if the user authenticates by password.

SSO data is protected by session key

Select this check box to enable synchronization between the session key and the authentication method used:

  • Password encryption: when the user authenticates with his/her password, the "session" entry of the key table is automatically updated.
  • Smart card encryption: when the user authenticates with his/her smart card, the "session" entry of the key table is automatically updated.

Grace period

The grace period is the period of time during which the workstation automatically unlocks when the user logs on with his/her smart card or RFID token using the same reader.

Roaming session duration

The roaming session allows users to open a session on a computer using their physical authentication token, without having to type a password or a PIN.

Select this check box to authorize the "roaming session" mode for users associated with the profile.
You can set this mode for a defined period of time, or with no duration limit:

x hours: type the duration of the roaming session. The roaming session is created as soon as the user authenticates on an access point where roaming sessions are allowed, and the duration starts from that moment. When it expires, the user has to type his/her password or PIN again.

no duration limit: if you select this check box, the roaming session is created as soon as the user authenticates on such an access point and never expires: the user never has to type a password or PIN again.

If you change the duration once a roaming session has started, the new value is only taken into account once the session in progress has expired or has been deleted, either by the user (from Authentication Manager) or by the administrator from EAM Console (see Section Displaying user authentication information and administering roaming sessions).

NOTE: To authorize roaming sessions on computers where Authentication Manager is installed, see Section Authentication Manager Tab.

SSO and Notes Tab

  • Single Sign On (SSO) area

Option name

Description

Inactivation duration (min)

Period of inactivity after which the Enterprise SSO engine is disabled.

Notes:

If you select 0, the engine is never disabled.

This option does not work in smartcard mode, except when the AllowSmartCardInactivity registry key is set (for more information on the registry keys used by Authentication Manager, see Authentication Manager for Windows User's Guide).

Allow pause/restart of Enterprise SSO
Allow Enterprise SSO stop
Allow Enterprise SSO refresh

Select these check boxes to allow the users associated with this security profile to pause and restart, stop, or refresh the Enterprise SSO engine, respectively.

Show Enterprise SSO launcher in foreground

Select this check box to allow users to open the Enterprise SSO launcher from the Windows notification area while Enterprise SSO is running.

Allow Personal SSO Studio
Allow Enterprise SSO Studio

Select these check boxes to allow the users associated with this security profile to use Personal SSO Studio and Enterprise SSO Studio, respectively.

Allow role selection

Select this check box to allow the users associated with this user security profile to select different roles in the engine.

Require strong authentication for SSO

Select this check box to specify that a token is required to start the SSO engine.

Authentication on next access/Authenticate immediately

Select the SSO behavior when the user inserts his/her card: authenticate immediately, or only upon the next access.

  • Personal notes area

Option name

Description

Allow personal notes from computers

Users can manage personal notes from their computer(s).

Allow personal notes from mobile devices

Users can manage personal notes from their mobile device(s).

Synchronize mobile personal notes with the directory

When personal notes are available on:

Computers: this check box is unavailable.

Mobile devices: the personal notes created on the mobile device are automatically synchronized with the directory.

Computers and mobile devices: the personal notes created on the mobile device are synchronized and available on the user's computer and vice versa.

Maximum characters for a note

Maximum number of characters allowed in a single personal note.

Default value: 256 characters.

Limit the number of notes

Maximum number of personal notes a user can store.

Default value: 32.

Cloud Tab

The Cloud tab enables you to manage the servers to which Cloud E-SSO connects.

Option name

Description

Cloud Servers

List of the Web servers that can be reached by Cloud E-SSO to download the Enterprise SSO configuration.

Use the associated buttons to add a new server, change its position in the list (the server in first position is the first one contacted by Cloud E-SSO), or delete it.

Randomize the list at runtime for load balancing

Select this check box to force Cloud E-SSO to connect randomly to the Cloud servers.

IMPORTANT: To enable the sending of the OTP in case of Cloud E-SSO password reset, the corresponding check box must be selected: see Self Service Password Request Tab.

Unlocking Tab (Fast User Switching - FUS)

The Unlocking tab allows you to activate and configure the Fast User Switching (FUS) feature.

For more details on the FUS feature, see Authentication Manager Session Management Administrator’s Guide.

Option name

Description

User level

Enter a user hierarchy level (0 is the lowest level).

User can unlock sessions of users below level

Select this check box to allow a user to unlock a session locked by another user whose level is below the specified level.

User can close sessions of users below level

Select this check box to allow a user to close a session opened by another user whose level is below the specified level.

Example

You want User 1, who is associated with Security Profile 1, to be able to unlock or close the sessions of other users associated with Security Profile 1 (that is, users at the same level). To enable this, configure the Unlocking tab of Security Profile 1 as follows:

  • User level: X (5 for example).
  • User can unlock sessions of users below level: a value greater than X (7 for example).
  • User can close sessions of users below level: a value greater than X (7 for example).

To check that this example works:

  1. Using Authentication Manager, log on as User 1.
  2. Lock the session.
  3. Unlock the session as another user associated with Security Profile 1 (User 2 for example).
    • Enterprise SSO is restarted with the SSO data of User 2, and the Session Information window of Authentication Manager displays the following parameters:
      • EAM user: User 2.
      • Windows user: User 1.

Note that the Windows session remains User 1's while User 2 works in it with his/her own SSO data; choose the unlock and close levels accordingly, since every user whose level is below the configured value can take over that Windows session.