Configuring Access Point Security Profiles
Configuring Access Point Security Profiles
Before starting
To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: "Security object administrator".
- In advanced administration mode, your role must contain the following administration right: "Access point security profile: Creation/Modification".
Procedure
- Type the access point security profile name.
- If you want to select another time slice, click the
button.
NOTE: Click the 
button to display, and if necessary modify the selected time slice, as described in Section Creating/Modifying Time Slices. - Click the button to display, and if necessary modify the selected time slice, as described in Section Creating/Modifying Time Slices.
- Set the parameters of the access point security profile according to your needs:
- To configure security services parameters, see Section Security Services Tab.
- To configure Authentication Manager parameters, see Section Authentication Manager Tab.
- To configure Enterprise SSO, SSO Studio and EAM Console parameters, see Section Enterprise SSO Tab.
- To configure Multi-User Desktop parameters, see Section Multi-User Desktop Tab.
- To configure biometrics parameters, see Section Biometrics Tab.
- To configure Self Service Password Request parameters (emergency access), see Section Self Service Password Request Tab.
- To configure active RFID parameters, see Section Active RFID Tab.
- To configure Audit parameters, see Section Audit Tab.
- To enable "local administration" access to workstations with QRentry, see Section Local Administrators Tab.
In this section:
Self Service Password Request Tab
Security Services Tab
|
Option name |
Description | ||
|
Select this option to activate the cache on the workstations associated with this access point security profile. Then, you can click the Cache properties button to configure the parameters of the cache data synchronization with the directory. For more details, see Cache operation and configuration of the cache data synchronization with the directory below.
| |||
|
This option forces the use of the cache data in order to reduce the session opening times (provided that the cache validity period configured in the associated user security profile is not outdated).
| |||
|
Delete user cache files unused for x days |
The cache is automatically deleted if it has not been used for a defined period of time (1 to 300 days).
The cache is not deleted if it has not been used for a period of time | ||
|
Time between two directory connection tests |
Frequency at which the EAM Controller checks that the connection to the LDAP directory works. Set 0 if you don't want to test the connection to the directory (not recommended because the waiting time will be increased to recover the connection). | ||
|
Time between two software inventories |
Definition of the check frequency of the access points to retrieve the list of the installed software clients (Enterprise SSO, Authentication Manager…). The starting time point is the starting of the EAM server. | ||
|
Wallpaper |
Click this button to customize the information that appears at the foreground of the user’s desktop (Multi User Desktop and Cluster features only).
For more information on this customization, see Customizing the information displayed on the wallpaper. | ||
|
Authorized authentication methods |
A wide range of authentication methods is supported. Select the authentication methods available for the access points that will be associated with this security profile.
|
Cache operation and configuration of the cache data synchronization with the directory
The cache allows the user to authenticate on his/her workstation in disconnected mode. It is thus possible to:
- Ensure service continuity, by supporting network interruptions.
- Nomad users to authenticate even if they are not connected to the network.
The cache can also reduce the session opening duration of the user when the workstation is in connected mode.
To activate the cache on a workstation and enable its use, you must:
- Select the Use Cache option available in the user security profile and set the cache data validity (see Authentication Tab).
- Select the Activate cache option available in the Access Point security profile and configure the synchronization parameters of the cache data.
To use the cache, the user must then authenticate at least once in connected mode on his/her workstation to retrieve from the directory all the required data. The cache data validity and the synchronization parameters of the cache data are then initialized.
The Cache properties window allows you to configure the synchronization parameters of the user data (User data area), as for example his/her secondary accounts... And the data related with the applications associated with the access point (Application data (primary domain) and Application data (External domain) areas), as for example the technical references, the application profiles, the PFCP...
- User data area: when the delay before the refresh of the data is reached, the user data is synchronized with the directory and the counter resets to zero.
NOTE: The delay before the refresh of the data must be configured with a lesser value than the value set for the cache data validity configured for the user security profile (see Authentication Tab). To offer the user the best authentication experience, you are advised to set this value to 1 day (43200 seconds). - Application data (primary domain) and Application data (External domain) areas: these areas allow you to configure the synchronization period of the application data in three ways:
NOTE: The Application data (External domains) area is functional only with Active Directory, as it concerns only inter domain and multi domain infrastructures. - Asynchronous update in days:
IMPORTANT: You are strongly advised to select this option as it dramatically reduces the authentication times. You are also advised to enable the update management feature, as detailed in the introduction of Section Managing Security Profiles. The Synchronize data every <xdays> between <hour1> and <hour2> option allows you to set the update frequency of the cache data in days, within a specified time slot. The data synchronization is started randomly within the specified time slot. This method avoids the systematic data synchronization when the user authenticates in connected mode on his/her workstation. Thus the network and the directory are not overloaded during the critical hours (9 a.m. for example), and the authentication process duration decreases.
NOTE:
-
You can set only the day value, and enter null values for hour1 and hour2. In this case, the data synchronization is started randomly within the day.
-
If a workstation is in disconnected mode (or turned off), the asynchronous update is not run. In this case, application data is synchronized with the directory as soon as the workstation switches to the connected mode, regardless of the time interval set.
-
- Asynchronous update in hour:
To use this mode, select Performance cache validity period <hour> and the check box Refresh automatically on expiration. In this mode, when the validity period is outdated, the application data is automatically synchronized with the directory and the validity period is reset.
- Synchronous mode:
To use this mode, select Performance cache validity period <hour> and clear the check box Refresh automatically on expiration. In this mode, when the validity period is outdated, the user must authenticate in connected mode on his/her workstation to synchronize the application data and reset the validity period.
- Asynchronous update in days:
Customizing the information displayed on the wallpaper
The information displayed on the workstations used as Multi-User Desktops or in cluster mode can be customized. By clicking the Wallpaper button, you can insert some text (name of the product, of the connected users, of the cluster etc.), modify its size, its position and its color.
|
Area |
Description |
|
Position (in pixels) |
|
|
Font and colors |
|
|
Information |
|
|
Multi User Desktop |
|
|
Cluster |
|
Authentication Manager Tab
Authentication Manager Tab
Authentication Manager Tab
For more details about the Authentication Manager application, see Authentication Manager for Windows User's Guide.
Configuration parameters
|
Option name |
Description | ||
|
Lock behavior |
Workstation behavior when the user locks it (if the workstation is part of a cluster, the locking behavior defined in the cluster is taken into account).
Pressing Ctrl+Alt+Del on this computer displays the standard unlock window.
| ||
|
Default action when token removed |
Workstation behavior at authentication token removal. | ||
|
Delay before action |
Time elapsed before Authentication Manager applies the action defined in the Default action when token removed drop-down list.
| ||
|
Automatically lock after |
Specifies how much user idle time must elapse before the Windows session automatically locks. The default value is 0: option disabled. | ||
|
Override user’s setting |
When a user has set a screen saver with a specific timer (in minutes), select this option to cancel this timer.
| ||
|
Automatically logoff after |
Specifies how much time must elapse after the lock of the workstation to automatically log off. Enter 0 to disable this feature. | ||
|
Allow local connection |
Select this check box to allow the users associated with this access point to connect using the local computer account (without any connection to EAM). | ||
|
Allow remote unblocking of tokens |
Select this check box to allow users associated with this access point to unlock their smart cards directly on the workstation using the unlocking secret code given by the Smart card administrator. | ||
|
Allow windows domain connection (for directories other than Active Directory) |
When the architecture is not based on Active Directory environment, Authentication Manager allows authentication on the directory and, if allowed, locally. Select this check box to allow the authentication on the Windows domain to which the computer belongs, in case the dedicated directory is not available or if there are some troubles. The Windows domain to which the computer belongs will be added to the domain list displayed to the user. | ||
|
Remember authentication role |
Select this check box to allow the SSO engine to use the last selected role upon restart of the workstations associated with this security profile. | ||
|
Allow roaming session |
The roaming session allows users to open a session on a computer using their physical authentication token, without having to type a password or a PIN. Select this check box to authorize the "roaming session" mode on the access point. When a user authorized to access roaming sessions (see Section Security Tab) authenticates on this workstation, a roaming session is automatically created for this user.
| ||
|
Allow password change |
Select these check boxes to show or hide password change or PIN change buttons of the Authentication Manager session information window. | ||
|
Allow PIN change | |||
|
Allow remote control (QRentry) |
Select this check box to allow the user to manage his Windows session (open, lock, close) from his mobile device with QRentry. | ||
|
Enable smart card detection on Ctrl+Alt+Del |
Select this check box to prompt the user to type his PIN if a smart card is detected when he presses Ctrl+Alt+Del. Clear this check box to prompt the user to type his password even if a smart card is detected when he presses Ctrl+Alt+Del. | ||
|
Grace period for administrator authentication |
Specifies the administrator’s grace period. An administrator can log on to a user's session using his own login and password; for this, he removes the user's smart card by pressing the SHIFT key and then inserts his own smart card to authenticate. The grace period is the time between the removal of the first card and the insertion of the second. The default value is 60 seconds. | ||
|
Allow unlock if allowed by the user security profile |
Select this check box to authorize the use of the FUS feature (Fast User Switching) on the workstation: if the user level allows it in the user security profile (see Section Unlocking Tab (Fast User Switching - FUS)), the security services allow the FUS on the workstation. For more information on fast user switching (FUS), see Authentication Manager Session Management Administrator’s Guide. | ||
|
Allow unlock if the same Windows credential is used |
If you select this check box, the workstations associated with this security profile can only be unlocked with the same Windows user account. This allows the use of shared-access FUS.
| ||
|
Max concurrent Windows sessions |
Maximum number of Windows sessions that can be managed at the same time on a Windows 7 (or later) workstation or on a Windows Server 2008 (or later) computer. When a new session is opened whereas this limit is reached, the oldest locked session is automatically closed. Enter 0 to disable this feature. | ||
|
Manage Accounts button |
This button allows you to define the authentication module used to open a Windows session: Included accounts open their Windows session using Authentication Manager (and can use any supported authentication method to log on). Excluded accounts open their Windows session using the Windows authentication module (and must use the password authentication method to log on). For more details, see topic Manage Accounts Window, below. |
Manage Accounts Window
|
|
NOTE: By default, the Manage Accounts window is empty. This means that the Authentication Manager module is always used to open Windows sessions. |
- Click Add to select a group containing user accounts to include or exclude from the access point associated with this profile.
- Click Change meaning to set the group state:
- Included: only users member of the group authenticate using Authentication Manager.
- Excluded: users member of the group authenticate using the Windows authentication module.
- Click Change scope to set specific access points (and not all the access points associated with this profile), according to the operating system type. The scope of the included/excluded accounts can be:
- All the access points.
- Workstations running Windows XP (and later).
- Any servers, except Citrix and TSE servers.
- Citrix and TSE servers.
- To exclude local administrators, select Perform operating system authentication for local administrators.
IMPORTANT: When this option is selected, the local administrators who are member of the included groups are excluded from the EAM authentication. - To exclude accounts that are not able to perform an EAM authentication, select Perform operating system authentication when EAM authentication fails.
IncludedGroupList registry key
You can complete the list of group set in the Manage Accounts window by creating the following registry key: IncludedGroupList (String). This key allows you to define group of users allowed to open their Windows session using Authentication Manager:
- This key is available in the following location: HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\WiseGuard\FrameWork\
Authentication. - Set the registry key value with the following restrictions:
- Separate each group name by a semicolon.
- The group name must not contain a semicolon.
|
|
NOTE: The group name is the label of the group displayed in the EAM console. |
During the starting of the security services, if the IncludedGroupList registry key is set, the group names are transformed into SID and GUID and the result is stored under the IncludedGroupSIDList and IncludedGroupGUIDList registry keys. These registry keys are of type cache; this cache is refreshed if:
- There is no value.
- The number of SID or GUID differs from the number of group names.
|
|
IMPORTANT:
|
|
If the Windows authentication token of the user... |
Then... |
|
Does not contain one of the configured SID groups |
The account is considered as an excluded account. Therefore, no E-SSO authentication is performed and the SSO engine is not started. |
|
Contains a group that is excluded by the access point configuration, even if this group is also in IncludedGroupList |
Enterprise SSO Tab
Enterprise SSO Tab
|
|
NOTE: The following table details only the drop-down lists and check boxes that require additional description. |
|
Option name |
Description | ||
|
Enterprise SSO module is authorized on this workstation |
Select this check box to allow all the access points associated with this security profile to start the Enterprise SSO module if it is installed. | ||
|
Allow Enterprise SSO Studio |
Select this check box to allow all the access points associated with this security profile to start run the SSO Studio module if it is installed. | ||
|
EAM Console is authorized on this workstation |
Select this check box to allow all the access points associated with this security profile to start run the EAM Console module if it is installed. | ||
|
Show splash screen |
Select this check box to deactivate the display of the Enterprise SSO splash screen. | ||
|
Show Enterprise SSO icon in the task bar |
Self-explanatory | ||
|
Time between two window detection sequences |
This drop-down list allows you to define the scan frequency of the Windows workstation done by Enterprise SSO in order to detect the presence of authentication windows. | ||
|
Do not lock Enterprise SSO on smart card withdrawal |
By default, the smart card withdrawal locks Enterprise SSO (even if Authentication Manager is running). Select this check box so that Enterprise SSO is not locked upon smart card withdrawal. | ||
|
Show SSOWatch launcher in foreground |
Select this check box to display the application launcher in the foreground when Enterprise SSO is started.
|