Enterprise Single Sign-On 9.0.2 - One Identity Enterprise Access Management Console Administration Guide

Configuring Access Point Security Profiles

Before starting

To perform the task described in this section, you must have at least the following administration role:

  • In classic administration mode: "Security object administrator".
  • In advanced administration mode, your role must contain the following administration right: "Access point security profile: Creation/Modification".

Procedure

  1. Type the access point security profile name.
  2. If you want to select another time slice, click the button.

    NOTE: Click the button to display and, if necessary, modify the selected time slice, as described in Section Creating/Modifying Time Slices.

In this section:

  • Security Services Tab
  • Authentication Manager Tab
  • Enterprise SSO Tab
  • Multi-User Desktop Tab
  • Biometrics Tab
  • Self Service Password Request Tab
  • Active RFID Tab
  • Audit Tab
  • Local Administrators Tab

Security Services Tab

Option name

Description

Activate cache / Cache properties button

Select this option to activate the cache on the workstations associated with this access point security profile. Then, you can click the Cache properties button to configure the parameters of the cache data synchronization with the directory. For more details, see Cache operation and configuration of the cache data synchronization with the directory below.

IMPORTANT:

You must select this option for the workstations, to limit the network flow.

You are advised to clear this option for the controllers, to improve the response times of the console.

Always authenticate on cache

This option forces the use of the cache data in order to reduce the session opening times (provided that the cache validity period configured in the associated user security profile is not outdated).

IMPORTANT: in this mode, if the cache data is outdated, it is synchronized after the authentication of the user (asynchronously). The cache containing the updated data will be used only at the next authentication of the user.

Delete user cache files unused for x days

  • Check box selected: the cache is automatically deleted if it has not been used for a defined period of time (1 to 300 days).

    NOTE: you are advised to select this option for workstations used by mobile users who authenticate only rarely on these computers.

  • Check box cleared: the cache is not deleted, however long it remains unused.

Time between two directory connection tests

Frequency at which the EAM Controller checks that the connection to the LDAP directory works.

Set 0 if you do not want to test the connection to the directory (not recommended, because the time needed to recover the connection will increase).

Time between two software inventories

Frequency at which the access points are checked to retrieve the list of installed software clients (Enterprise SSO, Authentication Manager, and so on). The count starts when the EAM server starts.

Wallpaper

Click this button to customize the information displayed in the foreground of the user's desktop (Multi-User Desktop and Cluster features only).

NOTE:

  • In Multi-User Desktop configurations, the display of the information must be activated, as detailed in Section Multi-User Desktop Tab.

  • In Cluster configurations, the display is always activated.

For more information on this customization, see Customizing the information displayed on the wallpaper.

Authorized authentication methods

A wide range of authentication methods is supported. Select the authentication methods available for the access points that will be associated with this security profile.

NOTE: the selected authentication methods must be consistent with the authentication methods selected in the related Application and User Security Profiles. To add more authentication methods to the list, please contact your One Identity representative.

Cache operation and configuration of the cache data synchronization with the directory

The cache allows the user to authenticate on his/her workstation in disconnected mode. It thus makes it possible to:

  • Ensure service continuity by tolerating network interruptions.
  • Let nomad users authenticate even when they are not connected to the network.

The cache can also reduce the session opening duration of the user when the workstation is in connected mode.

To activate the cache on a workstation and enable its use, you must:

  1. Select the Use Cache option available in the user security profile and set the cache data validity (see Authentication Tab).
  2. Select the Activate cache option available in the Access Point security profile and configure the synchronization parameters of the cache data.

To use the cache, the user must then authenticate at least once in connected mode on his/her workstation to retrieve from the directory all the required data. The cache data validity and the synchronization parameters of the cache data are then initialized.

The Cache properties window allows you to configure the synchronization parameters of the user data (User data area), such as the user's secondary accounts, and of the data related to the applications associated with the access point (Application data (primary domain) and Application data (External domain) areas), such as the technical references, the application profiles and the PFCPs.

  • User data area: when the delay before the refresh of the data is reached, the user data is synchronized with the directory and the counter resets to zero.

    NOTE: The delay before the refresh of the data must be configured with a lesser value than the value set for the cache data validity configured for the user security profile (see Authentication Tab). To offer the user the best authentication experience, you are advised to set this value to 1 day (43200 seconds).
  • Application data (primary domain) and Application data (External domain) areas: these areas allow you to configure the synchronization period of the application data in three ways:

    NOTE: The Application data (External domains) area is functional only with Active Directory, as it concerns only inter domain and multi domain infrastructures.
    • Asynchronous update in days:

      IMPORTANT: You are strongly advised to select this option as it dramatically reduces the authentication times. You are also advised to enable the update management feature, as detailed in the introduction of Section Managing Security Profiles.

      The Synchronize data every <xdays> between <hour1> and <hour2> option allows you to set the update frequency of the cache data in days, within a specified time slot. The data synchronization is started randomly within the specified time slot. This method avoids the systematic data synchronization when the user authenticates in connected mode on his/her workstation. Thus the network and the directory are not overloaded during the critical hours (9 a.m. for example), and the authentication process duration decreases.

      NOTE:

      • You can set only the day value, and enter null values for hour1 and hour2. In this case, the data synchronization is started randomly within the day.

      • If a workstation is in disconnected mode (or turned off), the asynchronous update is not run. In this case, application data is synchronized with the directory as soon as the workstation switches to the connected mode, regardless of the time interval set.

    • Asynchronous update in hour:

      To use this mode, select Performance cache validity period <hour> and the check box Refresh automatically on expiration. In this mode, when the validity period is outdated, the application data is automatically synchronized with the directory and the validity period is reset.

    • Synchronous mode:

      To use this mode, select Performance cache validity period <hour> and clear the check box Refresh automatically on expiration. In this mode, when the validity period is outdated, the user must authenticate in connected mode on his/her workstation to synchronize the application data and reset the validity period.
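The following PowerShell script is an added example, not part of this guide or of the One Identity product, that models the synchronization rules described above: it checks that the user-data refresh delay is shorter than the cache data validity, and computes when an asynchronous update in days would run, including the whole-day case (null hours) and the disconnected case. The function and parameter names are the example's own, not console field labels, and the sample values are constructed.

```powershell
# Added example, not One Identity code: models the cache synchronization rules of the
# Cache properties window. Function and parameter names are this example's own.

function Test-CacheRefreshConfig {
    # The user-data refresh delay must be shorter than the cache data validity configured in the
    # user security profile; otherwise the cache can expire before it is ever refreshed.
    param([int]$RefreshDelaySeconds, [int]$CacheValiditySeconds)
    if ($RefreshDelaySeconds -le 0 -or $CacheValiditySeconds -le 0) {
        return 'Invalid: both values must be positive.'
    }
    if ($RefreshDelaySeconds -ge $CacheValiditySeconds) {
        return "Invalid: refresh delay ($RefreshDelaySeconds s) must be less than cache validity ($CacheValiditySeconds s)."
    }
    return "OK: user data is refreshed every $RefreshDelaySeconds s, inside the $CacheValiditySeconds s validity."
}

function Get-NextAsyncSync {
    # Asynchronous update in days: the next synchronization happens Days after the last one, at a
    # random moment inside the [HourFrom, HourTo) slot; HourFrom = HourTo = 0 means anywhere in the day.
    param(
        [datetime]$LastSync,
        [int]$Days,
        [int]$HourFrom = 0,
        [int]$HourTo = 0,
        [switch]$Disconnected
    )
    if ($Disconnected) {
        # No asynchronous update while disconnected or switched off: the data is synchronized
        # as soon as the workstation is back in connected mode, regardless of the slot.
        return [pscustomobject]@{ When = $null; Note = 'deferred until the workstation reconnects' }
    }
    $day = $LastSync.Date.AddDays($Days)
    if ($HourFrom -eq 0 -and $HourTo -eq 0) {
        $windowStart = $day
        $windowEnd   = $day.AddDays(1)
    } else {
        if ($HourTo -le $HourFrom -or $HourTo -gt 24) { throw "Invalid slot: $HourFrom-$HourTo" }
        $windowStart = $day.AddHours($HourFrom)
        $windowEnd   = $day.AddHours($HourTo)
    }
    # Random start inside the slot, so that workstations do not all hit the directory together.
    $spanSeconds = [int](($windowEnd - $windowStart).TotalSeconds)
    $offset = Get-Random -Minimum 0 -Maximum $spanSeconds
    return [pscustomobject]@{
        When = $windowStart.AddSeconds($offset)
        Note = "random moment between $windowStart and $windowEnd"
    }
}

# Constructed sample values: a 43200 s refresh inside an 86400 s validity, then an invalid pair.
Test-CacheRefreshConfig -RefreshDelaySeconds 43200 -CacheValiditySeconds 86400
Test-CacheRefreshConfig -RefreshDelaySeconds 172800 -CacheValiditySeconds 86400

$last = [datetime]'2024-01-08T09:15:00'
Get-NextAsyncSync -LastSync $last -Days 5 -HourFrom 20 -HourTo 23   # evening slot, 5 days later
Get-NextAsyncSync -LastSync $last -Days 5                           # hours left null: anywhere in the day
Get-NextAsyncSync -LastSync $last -Days 5 -Disconnected             # deferred until reconnection
```

Run it in any PowerShell session; it touches nothing on the system. Running the slot computation several times shows different start times inside the same window, which is the load-spreading behaviour the guide describes.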

Customizing the information displayed on the wallpaper

The information displayed on the workstations used as Multi-User Desktops or in cluster mode can be customized. By clicking the Wallpaper button, you can insert some text (name of the product, of the connected users, of the cluster etc.), modify its size, its position and its color.

Area

Description

Position (in pixels)

  • From top: distance between the top of the screen and the text area.
  • From right: distance between the right of the screen and the text area.
  • Width: width of the text area. If the text is longer than the width indicated, then it is truncated.

Font and colors

  • Font: font type.
  • Large size (only for cluster mode): font size of the text displaying the number of the workstation in the cluster.
    Example: 4/7.
  • Color: font color.
  • Shadow color: color of the text shadow.

Information

  • Show product name: displays the mode in which the workstation is:
    • Multi-User Desktop, or
    • Authentication Manager (cluster).
  • Show user display name: displays the name of the connected user.
  • Add user directory attribute: displays a characteristic of the connected user.
    Example: if you enter the mail attribute of the user in the field, the user's email address appears in the information displayed on the wallpaper when the user opens a session.
  • Show product version: displays the version number of the product.
  • Show authentication time: time at which the user connected to the workstation.

Multi User Desktop

  • Show connected users: displays the name of the users who have an open session in the Multi-User Desktop.
  • Connection times: time at which the user connected to the Multi-User Desktop.

Cluster

  • Show cluster name: displays the cluster name.
  • Show members: displays the name of the users who are members of the cluster.

Authentication Manager Tab

For more details about the Authentication Manager application, see Authentication Manager for Windows User's Guide.

Configuration parameters

Option name

Description

Lock behavior

Workstation behavior when the user locks it (if the workstation is part of a cluster, the locking behavior defined in the cluster is taken into account).

  • Transparent lock with logo

    The keyboard and mouse of the selected computer are disabled and a logo appears on top of the screen, but the information displayed on screen remains visible.

    To modify the logo displayed on the screen, save a WGLock.bmp file corresponding to the wanted logo in the EAM Client installation folder (the default folder is Program Files\One Identity\Enterprise Access Management).

    IMPORTANT: the size of the logo must be 420 (W) x 72 (H) pixels.

    Pressing Ctrl+Alt+Del on this computer displays the standard unlock window.

  • Transparent lock

    The keyboard and mouse of the computer are disabled, but the information displayed on screen remains visible.

    Pressing Ctrl+Alt+Del on this computer displays the standard unlock window.

  • Windows lock

    The computer is locked.
    The standard lock window appears on the screen.

Default action when token removed

Workstation behavior at authentication token removal.

Delay before action

Time elapsed before Authentication Manager applies the action defined in the Default action when token removed drop-down list.

NOTE: For Windows 7 (and later) computers, the timer is automatically set to 0: it is the default action that is applied.

Automatically lock after

Specifies how much user idle time must elapse before the Windows session automatically locks.

The default value is 0: option disabled.

Override user’s setting

When a user has set a screen saver with a specific timer (in minutes), select this option to cancel this timer.

NOTE: this option applies only on Windows XP or Windows Server 2003 workstations.

Automatically logoff after

Specifies how much time must elapse after the lock of the workstation to automatically log off.

Enter 0 to disable this feature.

Allow local connection

Select this check box to allow the users associated with this access point to connect using the local computer account (without any connection to EAM).

Allow remote unblocking of tokens

Select this check box to allow users associated with this access point to unlock their smart cards directly on the workstation using the unlocking secret code given by the Smart card administrator.

Allow windows domain connection (for directories other than Active Directory)

When the architecture is not based on Active Directory environment, Authentication Manager allows authentication on the directory and, if allowed, locally.

Select this check box to allow the authentication on the Windows domain to which the computer belongs, in case the dedicated directory is not available or if there are some troubles.

The Windows domain to which the computer belongs will be added to the domain list displayed to the user.

Remember authentication role

Select this check box to allow the SSO engine to use the last selected role upon restart of the workstations associated with this security profile.

Allow roaming session

The roaming session allows users to open a session on a computer using their physical authentication token, without having to type a password or a PIN.

Select this check box to authorize the "roaming session" mode on the access point.

When a user authorized to access roaming sessions (see Section Security Tab) authenticates on this workstation, a roaming session is automatically created for this user.

NOTE: For performance reasons, we recommend allowing the roaming session mode only on access points that will actually use it.

Allow password change / Allow PIN change

Select these check boxes to show or hide the password change or PIN change buttons of the Authentication Manager session information window.

Allow remote control (QRentry)

Select this check box to allow the user to manage his Windows session (open, lock, close) from his mobile device with QRentry.

Enable smart card detection on Ctrl+Alt+Del

Select this check box to prompt the user to type his PIN if a smart card is detected when he presses Ctrl+Alt+Del.

Clear this check box to prompt the user to type his password even if a smart card is detected when he presses Ctrl+Alt+Del.

Grace period for administrator authentication

Specifies the administrator’s grace period.

An administrator can log on to a user's session using his own login and password; for this, he removes the user's smart card by pressing the SHIFT key and then inserts his own smart card to authenticate. The grace period is the time between the removal of the first card and the insertion of the second.

The default value is 60 seconds.

Allow unlock if allowed by the user security profile

Select this check box to authorize the use of the FUS feature (Fast User Switching) on the workstation: if the user level allows it in the user security profile (see Section Unlocking Tab (Fast User Switching - FUS)), the security services allow the FUS on the workstation.

For more information on fast user switching (FUS), see Authentication Manager Session Management Administrator’s Guide.

Allow unlock if the same Windows credential is used

If you select this check box, the workstations associated with this security profile can only be unlocked with the same Windows user account. This allows the use of shared-access FUS.

NOTE: for more details on shared-access FUS, see Authentication Manager Session Management Administrator’s Guide.

Max concurrent Windows sessions

Maximum number of Windows sessions that can be managed at the same time on a Windows 7 (or later) workstation or on a Windows Server 2008 (or later) computer. When a new session is opened after this limit has been reached, the oldest locked session is automatically closed.

Enter 0 to disable this feature.

Manage Accounts button

This button allows you to define the authentication module used to open a Windows session:

Included accounts open their Windows session using Authentication Manager (and can use any supported authentication method to log on).

Excluded accounts open their Windows session using the Windows authentication module (and must use the password authentication method to log on).

For more details, see topic Manage Accounts Window, below.

Manage Accounts Window

NOTE: By default, the Manage Accounts window is empty. This means that the Authentication Manager module is always used to open Windows sessions.
  1. Click Add to select a group containing user accounts to include or exclude from the access point associated with this profile.
  2. Click Change meaning to set the group state:
    • Included: only users who are members of the group authenticate using Authentication Manager.
    • Excluded: users who are members of the group authenticate using the Windows authentication module.
  3. Click Change scope to set specific access points (and not all the access points associated with this profile), according to the operating system type. The scope of the included/excluded accounts can be:
    • All the access points.
    • Workstations running Windows XP (and later).
    • Any servers, except Citrix and TSE servers.
    • Citrix and TSE servers.
  4. To exclude local administrators, select Perform operating system authentication for local administrators.

    IMPORTANT: When this option is selected, the local administrators who are members of the included groups are excluded from the EAM authentication.
  5. To exclude accounts that are not able to perform an EAM authentication, select Perform operating system authentication when EAM authentication fails.

IncludedGroupList registry key

You can complete the list of groups set in the Manage Accounts window by creating the following registry key: IncludedGroupList (String). This key allows you to define the groups of users allowed to open their Windows session using Authentication Manager:

  • This key is available in the following location: HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\WiseGuard\FrameWork\Authentication
  • Set the registry key value with the following restrictions:
    • Separate each group name by a semicolon.
    • The group name must not contain a semicolon.

NOTE: The group name is the label of the group displayed in the EAM console.

When the security services start, if the IncludedGroupList registry key is set, the group names are translated into SIDs and GUIDs and the result is stored under the IncludedGroupSIDList and IncludedGroupGUIDList registry keys. These registry keys act as a cache, which is refreshed if:

  • There is no value.
  • The number of SID or GUID differs from the number of group names.

IMPORTANT:

  • If the user password has expired, the authentication token cannot be removed.

  • If you change the name of a group or if a group has been deleted and created again, you must clear the content of IncludedGroupSIDList or IncludedGroupGUIDList.

  • The network must be reachable upon the starting of the security services.

  • EAM must be configured for Active Directory.

  • The user, the workstation and the groups listed in the registry key must belong to the same Active Directory domain.

If the Windows authentication token of the user...

  • Does not contain one of the configured SID groups: the account is considered as an excluded account. Therefore, no E-SSO authentication is performed and the SSO engine is not started.
  • Contains a group that is excluded by the access point configuration, even if this group is also in IncludedGroupList.
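The following PowerShell script is an added example, not code from One Identity, for auditing the IncludedGroupList configuration described above on an EAM client: it parses the semicolon-separated value, flags empty entries, resolves each group name to its SID to catch renamed or recreated groups (or an unreachable domain), warns when a name resolves to a local rather than an Active Directory group, and reports whether the IncludedGroupSIDList and IncludedGroupGUIDList cache will be refreshed at the next service start. It assumes read access to HKLM on a domain-joined machine, and it assumes (the guide does not state this) that the cached SID and GUID lists use the same semicolon separator as IncludedGroupList.

```powershell
# Added example, not One Identity code: audits the IncludedGroupList registry key and the
# IncludedGroupSIDList / IncludedGroupGUIDList cache the security services derive from it.
# Assumptions: run on the domain-joined EAM client with read access to HKLM; the cached
# SID/GUID values are assumed to use the same ';' separator as IncludedGroupList.

$script:EamAuthKey = 'HKLM:\SOFTWARE\Enatel\WiseGuard\FrameWork\Authentication'

function Get-IncludedGroupNames {
    param([string]$Path = $script:EamAuthKey)
    $item = Get-ItemProperty -Path $Path -Name 'IncludedGroupList' -ErrorAction SilentlyContinue
    if (-not $item -or [string]::IsNullOrWhiteSpace($item.IncludedGroupList)) { return @() }
    # Names are ';'-separated and may not themselves contain ';', so an empty token means a
    # doubled or trailing separator: report it instead of silently dropping it.
    $names = @()
    foreach ($token in ($item.IncludedGroupList -split ';')) {
        if ([string]::IsNullOrWhiteSpace($token)) {
            Write-Warning "IncludedGroupList contains an empty entry (doubled or trailing ';')."
        } else {
            $names += $token.Trim()
        }
    }
    return $names
}

function Resolve-GroupAccount {
    # Resolves a group label to its SID and canonical DOMAIN\Name; returns $null when the name
    # no longer exists (renamed or recreated group) or the domain cannot be reached.
    param([string]$GroupName)
    try {
        $account = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $GroupName
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
        $canonical = $sid.Translate([System.Security.Principal.NTAccount]).Value
        return [pscustomobject]@{ Name = $GroupName; Sid = $sid.Value; Canonical = $canonical }
    } catch {
        return $null
    }
}

function Test-IncludedGroupCache {
    param([string]$Path = $script:EamAuthKey)
    $names = Get-IncludedGroupNames -Path $Path
    if ($names.Count -eq 0) {
        Write-Host 'IncludedGroupList is absent or empty: only the Manage Accounts window applies.'
        return
    }
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $sidCount  = @(("$($props.IncludedGroupSIDList)"  -split ';') | Where-Object { $_ }).Count
    $guidCount = @(("$($props.IncludedGroupGUIDList)" -split ';') | Where-Object { $_ }).Count

    # The two refresh conditions from the guide: no cached value, or a count mismatch with the names.
    if ($sidCount -eq 0 -or $guidCount -eq 0) {
        Write-Host 'SID/GUID cache is empty: it will be built when the security services next start.'
    } elseif ($sidCount -ne $names.Count -or $guidCount -ne $names.Count) {
        Write-Host "Cache holds $sidCount SIDs / $guidCount GUIDs for $($names.Count) names: refreshed at next start."
    } else {
        Write-Host 'Cache entry counts match IncludedGroupList.'
    }

    foreach ($name in $names) {
        $acct = Resolve-GroupAccount -GroupName $name
        if (-not $acct) {
            Write-Warning "'$name' cannot be resolved (renamed/recreated group or domain unreachable). After fixing the name, clear IncludedGroupSIDList and IncludedGroupGUIDList."
            continue
        }
        # IncludedGroupList expects Active Directory groups; a name that resolves under the
        # local machine is a local group and will not behave as intended.
        $domainPart = ($acct.Canonical -split '\\')[0]
        if ($domainPart -ieq [Environment]::MachineName) {
            Write-Warning "'$name' is a local group ($($acct.Canonical)), not an Active Directory group."
        } else {
            Write-Host "'$name' -> $($acct.Canonical) ($($acct.Sid))"
        }
    }
}

Test-IncludedGroupCache
```

The script only reads the registry and queries name resolution; it does not modify IncludedGroupList or the cached lists. Running it after a group rename shows the unresolved entry that the guide says requires clearing IncludedGroupSIDList and IncludedGroupGUIDList, and running it with the network unreachable shows why the guide requires the network at service start.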

Enterprise SSO Tab

NOTE: The following table details only the drop-down lists and check boxes that require additional description.

Option name

Description

Enterprise SSO module is authorized on this workstation

Select this check box to allow all the access points associated with this security profile to start the Enterprise SSO module if it is installed.

Allow Enterprise SSO Studio

Select this check box to allow all the access points associated with this security profile to run the SSO Studio module if it is installed.

EAM Console is authorized on this workstation

Select this check box to allow all the access points associated with this security profile to run the EAM Console module if it is installed.

Show splash screen

Select this check box to deactivate the display of the Enterprise SSO splash screen.

Show Enterprise SSO icon in the task bar

Self-explanatory

Time between two window detection sequences

This drop-down list allows you to define the scan frequency of the Windows workstation done by Enterprise SSO in order to detect the presence of authentication windows.

Do not lock Enterprise SSO on smart card withdrawal

By default, the smart card withdrawal locks Enterprise SSO (even if Authentication Manager is running). Select this check box so that Enterprise SSO is not locked upon smart card withdrawal.

Show SSOWatch launcher in foreground

Select this check box to display the application launcher in the foreground when Enterprise SSO is started.

NOTE: this option is available only with the Multi-User Desktop.