Enterprise Single Sign-On 9.0.2 - One Identity Enterprise Access Management Console Administration Guide


OTP Tab

The OTP tab allows you to configure the authentication mode of the OTP authentication method.

This authentication method must be enabled for users in the Authentication tab (see Authentication Tab), and for access points in the Security Services tab (see Security Services Tab).

Online

In this mode, an EAM Controller must be available when the user authenticates by OTP on his/her workstation. The EAM Controller checks the OTP and returns the user’s password to the workstation so that the session can open.
The user’s primary password is stored in the directory.

Online and offline

In this mode, the user’s primary password is stored in the directory and in the workstation cache.
For the offline mode to work properly, the cache must exist on the user’s workstation(s), which means that the user must have logged on at least once on each workstation he/she wants to use.

  • If the workstation is connected to the network, the EAM Controller checks the OTP as in the "online" mode and the user’s password stored in the directory is used to open the session.
  • If the workstation is disconnected from the EAM Controller, the OTP is verified locally and the user’s password stored in the cache is used to open the session.

Ask OTP authentication every x days

For the OTP cache to be properly built for offline mode, the user must authenticate periodically on his/her workstation.

Primary password must be provided for OTP authentication

Forces the user to provide the OTP as well as his/her primary password to authenticate.

Mobile Device Tab

Subject

This tab enables you to authorize users to access the QRentry feature from a mobile device, which gives them access to their:

  • Web, personal and Store application(s) with SSO.
  • Computer(s) in normal or emergency access. This emergency access provides a Self-Service Password Request option.

For a complete description of QRentry, please refer to QRentry User’s Guide.

Tabbed panel description

Security Tab


Item

Description

Users can enroll their mobile device

This check box enables the users associated with the user security profile to enroll their mobile device for QRentry.

IMPORTANT: the Mobile authentication method must be selected on the user security profile and on the access point security profile (see Authentication Tab and Security Services Tab).

Launch enrollment wizard if necessary

This check box automatically starts the enrollment wizard on the user’s computer, except if:

  • His/her mobile device is already enrolled.
  • He/she has deactivated the automatic start of the wizard.

Maximum number of devices per user

Self-explanatory

Verify the Unique Identifier of the device during enrolment

When this option is selected, the Unique Identifier (a.k.a. IMEI) of the user’s mobile device is checked during the enrolment process. This allows you to restrict the set of mobile devices a user can use.

IMPORTANT:
  • This feature works only for Android mobile devices.
  • If you select this option, you must enter the Unique Identifiers of all the users’ mobile devices associated with this profile, as described in Managing user Mobile Devices.

NOTE: this piece of data is stored as a plain-text attribute in the directory, so external applications can also read and manage it.

Required protection level

Protection method of QRentry start on the user’s mobile device:

  • None: everybody can access QRentry.
  • Requires a dedicated secret: the user must assign a PIN to QRentry and then use it to access the application.
  • Biometrics: the user must authenticate with his fingerprints (previously enrolled in his mobile device) to access the application. If the biometric authentication does not work, he will have to enter a PIN (at first request, the user will have to assign a PIN to QRentry).

Notes:

  • The biometric authentication used by QRentry is only compatible with specific models of mobile devices. To get the list of these devices, refer to the One Identity EAM Release Notes.
  • The user can modify his PIN later on; for more information refer to QRentry User’s Guide.

Update configuration when application starts

The configuration is updated each time the application starts.
Example: if an E-SSO application has been created for a user, this application will be available in QRentry the next time it is started.

Update configuration every x days

The configuration is updated every x days.
Note: QRentry must be started to be updated.

Upload Audit events immediately

Each time the web server is reachable, the audit events are uploaded immediately.

List of Servers

List of the web servers that can be reached by the mobile device to download the Enterprise SSO configuration and upload audit events.

Authentication Manager Tab

Item

Description

Required protection level

Protection method of the authentication on the user’s mobile device:

  • None: everybody can authenticate.
  • Requires a dedicated secret: the user must assign a PIN to QRentry and then use it to authenticate.
  • Biometrics: the user must authenticate with his/her fingerprints (previously enrolled in his/her mobile device). If the biometric authentication does not work, he/she will have to enter a PIN (at first request, the user will have to assign a PIN to QRentry).

Notes:

  • The biometric authentication used by QRentry is only compatible with specific models of mobile devices. To get the list of these devices, refer to the One Identity EAM Release Notes.
  • The user can modify his/her PIN later on; for more information refer to QRentry User’s Guide.

Users can authenticate using their device

  • Only when on-line: the user’s computer must be connected to the EAM controller.
  • Only when off-line: the authentication process is done using the cache data stored on the user’s workstation. To use the cache, the user must first authenticate at least once in connected mode.
  • Always: if the cache is:
    • Available: it is used to authenticate the user.
    • Unavailable: the E-SSO controller is used if the mobile device is connected to the network. If it is not, then the user cannot authenticate.

Length of mobile device secret code

Length of the OTP displayed by QRentry on the mobile device.

User can reset the primary password and use it for x hours

When this option is selected, the user can reset his/her primary password after logging on using his/her mobile device.

When you select:

  • This password is only valid locally: the password is reset only on the current computer and is valid for the number of hours you enter.
  • This password is valid on all workstations (requires network): if the user is:
    • Authorized to authenticate with password, the primary password is reset and the new password has no limit of duration.
    • Not authorized to authenticate with password, a temporary password is created and is valid for the number of hours you enter.

Note: if you enter 0 hours, the primary password is reset and the new password has no limit of duration.

Allow Workstation Remote Control on the device

Users can use the Enrolled Computers feature of QRentry to take control of their computer(s).

Local Administrator Access > Required protection level

Protection method of QRentry start on the local admin’s mobile device to access a user’s computer:

  • None: the admin can access QRentry.
  • Requires a dedicated secret: the admin must assign a PIN to QRentry and then use it to access the application.
  • Biometrics: the administrator must authenticate with his/her fingerprints (previously enrolled in his/her mobile device) to access the application. If the biometric authentication does not work, he/she will have to enter a PIN (at first request, the administrator will have to assign a PIN to QRentry).

Notes:

  • The biometric authentication used by QRentry is only compatible with specific models of mobile devices. To get the list of these devices, refer to the One Identity EAM Release Notes.
  • The administrator can modify his/her PIN later on; for more information refer to QRentry User’s Guide.

Enterprise SSO Tab

Item

Description

Allow use of SSO on the mobile device

This check box enables the users associated with the user security profile to use Enterprise SSO on their mobile device.

Required protection level

Protection method of Enterprise SSO with the user’s mobile device:

  • None: everybody can access Enterprise SSO.
  • Requires a dedicated secret: the user must assign a PIN to QRentry and then use it to use Enterprise SSO.
  • Biometrics: the user must authenticate with his/her fingerprints (previously enrolled in his/her mobile device) to use Enterprise SSO. If the biometric authentication does not work, he/she will have to enter a PIN (at first request, the user will have to assign a PIN to QRentry).

Notes:

  • The biometric authentication used by QRentry is only compatible with specific models of mobile devices. To get the list of these devices, refer to the One Identity EAM Release Notes.
  • The user can modify his/her PIN later on; for more information refer to QRentry User’s Guide.

Offline mode is allowed for x days

Enterprise SSO works without the network. However, for security reasons, you can force the device to connect to the network at least once every x days by selecting this check box. If no connection is established during that period of time, Enterprise SSO data is deleted.

Note: if you enter 0, Enterprise SSO will try to connect each time you perform SSO with your mobile device.

Displaying User Security Profile Usage Logs

Subject

The Applies to tab enables you to display the list of users who are directly linked to the selected security profile.

Procedure
  1. In the tree structure of the Directory panel, select the user security profile for which you want to display usage.
  2. Select the Applies to tab.
    • The list of users linked to this security profile appears.
  3. Double-click a user to go directly to his/her profile.

Displaying User Security Profile Event Logs

Subject

The Events tab allows you to display all the events that are directly or indirectly linked to the selected object for a defined period (the last two days by default). This report contains both user actions and administration actions log entries.

Restriction

The Events tab only appears if you have the following administration role:

  • In classic administration mode: "Auditor".
  • In advanced administration mode, your role must contain the following administration right: "Audit: Visualization".

NOTE: For more information on administration roles, see Section Managing administrators.

Procedure

  1. In the tree structure of the Directory panel, select the user security profile for which you want to display events.
  2. Click the Events tab.
  3. In the Filter area, set a period of time to filter the log entries and click Apply (for more information on event logs see Section Managing audit events).