
Enterprise Single Sign-On 9.0.2 - One Identity Enterprise Access Management Console Administration Guide


Self Service Password Request Tab

Subject

The Self Service Password Request tab allows you to enable and configure the emergency access (or SSPR) feature, which for example lets a user reset his/her primary password or PIN without assistance, in order to quickly authenticate again to his/her workstation, or reset his/her Cloud E-SSO password.

NOTE: For a complete description of this feature, please refer to Authentication Manager Self Service Password Request Administrator's Guide.

Configuration parameters

Tab contents

Description

Confirmation code can be used to reset password

When this check box is selected, the user can reset his primary password with an OTP received by e-mail and/or SMS.

IMPORTANT: This check box must be selected to activate the sending of the OTP to reset the Cloud E-SSO password.

To configure the sending of the OTP and its characteristics, see Managing the emergency access.

Availability

With Self Service Password Request server only: the user can use emergency access only if the workstation is connected to the network and the reset password server is available. The new password is immediately updated in the directory.

IMPORTANT: if the user uses emergency access while his/her account is locked, the account is automatically unlocked by the SSPR server upon the password reset.

Always available: the user is always able to use emergency access, even if the workstation is not connected to the network or if the password reset server is not available. You can configure this mode so that the SSPR server is used first whenever it is available, by selecting item 10 in the SSPR Policy window (see description of the Security area below).

IMPORTANT:

  • If Authentication Manager is installed, you are advised to use this mode.

  • You must activate the cache. For more details, see Section Security Services Tab.

NOTE:

  • If the directory is not available when the user resets his/her password, you can configure the use of a new temporary password, by selecting item 11 in the SSPR Policy window (see description of the Security area below). In this case, when the workstation switches to the connected mode (directory available), the user is prompted to re-authenticate and change his/her password (which will then be updated in the directory).

  • If the directory is available (connected mode), the password is immediately updated in the directory.

  • The PIN is directly updated in the smart card.

Not available: emergency access is disabled.

User must contact the help-desk to gain password access

This option is only available if the Always available mode is selected and if no SSPR server has been activated. It allows you to force the user to call the help desk to reset his/her password.

IMPORTANT: in the case of a PIN reset, this check box is ignored because the help desk call is mandatory.

  • Check box cleared: the user answers the Self Service Password Request questions (which he/she has set with Authentication Manager or using the web portal). He/she is then automatically prompted to reset his/her password (correct answers to the questions are sufficient to decrypt the password stored in the cache).
  • Check box selected: the user answers the Self Service Password Request questions (which he/she has set with Authentication Manager or using the web portal), which allows him/her to obtain a challenge (unlock code). He/she is then prompted to give this challenge to the help desk, which gives him/her a challenge in exchange (see Section Managing user Self Service Password Request) that allows him/her to reset his/her password or PIN.

Only when offline

This option is active only if the User must contact the help-desk to gain password access mode is selected. It lets you make the help desk call conditional on whether or not the user is connected to the network.

  • Check box cleared: the user can call the help desk to provide his/her challenge, either online or offline.
  • Check box selected: the user can call the help desk only when offline.

Self Service Password Request opens Windows session

This option is only available if the Always available mode is selected. It allows you to set the emergency access feature as an authentication method:

  • Check box selected: the Forgotten password (Windows 7) / Questions and answers tile (Windows 10) of the Authentication Manager authentication window allows users to open their session without resetting their password: if they answer their Self Service Password Request questions correctly, the session opens.
  • Check box cleared: the Forgotten password (Windows 7) / Questions and answers tile (Windows 10) of the Authentication Manager authentication window allows users to reset their password or PIN: if they answer their Self Service Password Request questions correctly, they are allowed to reset their password or PIN.

Questions area

This area allows you to define the number of questions to ask the user and to manage the list of available questions. These questions are presented to the user in the Self Service Password Request wizard (through Authentication Manager).

For more information, see Authentication Manager Self Service Password Request Administrator's Guide.

Security area

This area allows you to define your Self Service Password Request security policy, by defining the number of questions to which the end-user must answer and the minimum number of correct answers that the end-user must enter to reset his/her password/PIN or to open his/her session.

The Advanced button allows you to define other security parameters, detailed in the Description of the "SSPR Policy" window topic below.

Description of the "SSPR Policy" window

Option

Description

Forces the user to set his/her questions and answers before he/she can use Enterprise SSO on his/her workstation.

Forces the user to change his/her answers to question at a defined frequency.

Prevents the user from giving the same answer to different questions.

Prevents the user from using the words used in the questions in his/her answers.

Sets a maximum number of attempts to answer questions.

Option only available if you have selected the Always available mode and the Limit Self Service Password attempts option.

This check box sets a timeout before allowing the user to attempt to answer SSPR questions again on his/her workstation.

Note: in enterprises with no SSPR server, the timeout is enforced only on the workstation concerned: the user can log on to another workstation and answer the questions before the timeout has elapsed.

Makes answers to questions case-insensitive and ignores white space (other characters, such as accents, hyphens or apostrophes, are still taken into account).

Allows the user to authenticate using the password authentication method for a given period when he/she resets his/her password.

Option only available if you have selected the User must contact the help desk to gain password access option.

This check box allows the help desk to modify the validity duration of the password authentication method when it provides an unblocking code to a user.

Option only available if the Always available mode is selected.

This check box forces the use of the reset password server (SSPR server) when available before using the disconnected mode.

Note: you must set the list of the password reset servers: see Section Self Service Password Request Tab.

Option only available if the Always available mode is selected.

If this check box is selected, the temporary password will never be resynchronized with the directory. This allows you to force the user to use his/her own password and not his/her temporary password when he/she reconnects to the network.

Option only available if the Always available mode is selected.

Sets the maximum number of attempts to use the Self Service Password Request feature in disconnected mode.

Biometrics Tab

Subject

The Biometrics tab allows you to define the biometric enrollment policy for users. Users can enroll their biometrics data from Authentication Manager.

Before starting

To configure the parameters described in this section, you must work in advanced administration mode, and your role must contain the following administration right: "Bio: Is enable to allow biometrics pattern enrollment".

NOTE: For more information on administration roles, see Managing administrators.

"Biometrics" Tab - Description

  • Enrolment procedure area

    This area allows you to require that the user's biometric data enrolment be supervised by an administrator or another user.

    • Approval not required: the user biometric data enrollment does not require the authentication of another person.
    • An EAM administrator: the user biometric data enrollment requires the authentication of an administrator who has at least the following administration right: "Bio: Is enable to allow biometrics pattern enrolment" (advanced administration mode only).
    • Another EAM user: the user biometric data enrollment requires the authentication of another user of the directory.
  • Policy area
    • User must enrol between x and x finger(s): number of fingerprints you want the user to enrol.
    • Allow user to abort the enrolment process: if this check box is selected, the user is allowed to cancel the enrollment process by closing the enrollment window.
    • Remember Passwords. When this check box is:
      • Selected, the user authenticates only with his fingers.
      • Not selected, the user authenticates with his fingers and must enter his password.

        NOTE: You can combine this option with the Grace Period functionality. For more information, see Modifying the detection areas and the grace period.

Session Delegation Tab

Subject

The Session delegation tab is intended for users, inside or outside a cluster (for more information on clusters, see Section Managing clusters of access points): if a user has to leave his/her cluster for any reason, you can authorize him/her to delegate his/her Windows session to one or more delegates so that they can intervene in any of his/her ongoing operations, or just monitor them.

This tab allows you to authorize users associated with the security profile to delegate their Windows session to another user.

NOTE: To display the list of delegations concerning a user, see Section Displaying delegated sessions.

You can also set delegation permissions to members of the same group of users: see Defining additional security parameters for groups of users.

For more details on the conditions under which a user can delegate a session, see Authentication Manager Cluster Administrator’s Guide.

"Session delegation" Tab Description

Delegation type

The user can decide to delegate his/her session temporarily or permanently. Both options are available to the user, so you must configure each of them.

  • Temporary: when a user delegates his/her session, the session is delegated until he/she re-authenticates.
  • Permanent: when a user delegates his/her session, the session is delegated until he/she ends the delegation authorization through the Manage Session Delegation command in Authentication Manager.

Re-authentication is needed check box

This check box allows you to define whether users must re-authenticate when they want to access the Cluster wizard (from which they can delegate their session) or the Set temporary session delegation direct command. For more details on how users can access these tools, see Authentication Manager Cluster Administrator’s Guide. For session delegation outside a cluster, this check box must be selected.

  • Check box selected: when the user launches one of the delegation tools, an authentication window appears on the screen.
  • Check box cleared: the user does not need to authenticate again on his/her workstation when he/she launches delegation tools.

Temporary delegation needs an approval check box

This check box is only available if the Temporary session delegation type is selected.

  • Check box selected: the user who wants to delegate his/her session needs the approval of the delegate.
    In this case, when a user selects a user to whom he/she wants to delegate his/her session, a delegation proposal window appears on the delegate’s workstation. The delegate can accept or reject the proposal. The requesting user's window is frozen until all the selected users have answered.

    Delegate has x seconds to answer the delegation question

    Period of time during which the delegation proposal window is displayed on the delegate’s screen. If no answer is given within this period, the delegation request is declined.

  • Check box cleared: a user can delegate his/her session to another user without his/her approval. An information window appears on the delegate’s workstation to inform him/her that a delegation has been set.

Authorize delegation to all users check box

For session delegation outside a cluster, this check box must be selected.

  • Check box selected: users are authorized to delegate their Windows session to all other users of the directory.
  • Check box cleared: users are not authorized to delegate their Windows session to all other users of the directory.

Authorize delegation to members of the same group check box

  • Check box selected: users are authorized to delegate their Windows session to all the members of the same group of users.
  • Check box cleared: users are not authorized to delegate their Windows session to the members of the same group of users.

Authorize delegation to members of the same organizational entity check box

  • Check box selected: users are authorized to delegate their Windows session to all the members of the same organizational unit.
  • Check box cleared: users are not authorized to delegate their Windows session to the members of the same organizational unit.

Advanced mode (build the list of authorized users/groups/organizational entities) check box

  • Check box selected: users are authorized to delegate their Windows session to all the users listed in the Advanced Mode area (see below).

    Advanced Mode area

    Displays the list of users to whom users of the profile are authorized to delegate their session.

  • Add button: opens the user selection window, which allows you to add users to the list.
    Use the Browse tab to browse the directory tree structure or use the Search tab to find the user by typing his/her name.
  • Remove button: removes the selected user or group or organizational unit from the list.

  • Check box cleared: no specific user is defined.

Audit Tab

The Audit tab allows you to assign an audit filter to the user security profile.

To assign an audit filter, see Section Applying an audit filter to specific objects.
