
Enterprise Single Sign-On 9.0.2 - One Identity Enterprise Access Management Console Administration Guide


Multi-User Desktop Tab

Subject

This tab allows you to configure the Multi-User Desktop feature for workstations associated with the security profile.

NOTE:

  • Multi-User Desktop provides advanced Fast User Switching features for workstations used simultaneously by a large number of users, such as "kiosk workstations" or computers used by medical staff in hospitals. For more information on the Multi-User Desktop feature, see Authentication Manager Session Management Administrator’s Guide.

  • When a user authenticates in Multi-User Desktop mode with an unassigned RFID badge, they can assign the badge to their credentials. They must also choose a PIN if the RFID+PIN authentication method is active.

Before starting

The workstations running Multi-User Desktop must meet the following requirements:

  • The Windows session is always (and automatically) opened and cannot be locked.
  • The screen saver is disabled.
  • Neither Authentication Manager nor the Integration with Windows Authentication module is installed.

Window example

Configuration parameters

Full screen mode
Background color

In full screen mode, the multi-user desktop welcome screen covers the full screen in order to hide the desktop.

You can customize the background color of the welcome screen (white by default).

Transparent mode
Lock keyboard and mouse
Move information window
Information window is resizable

In Transparent mode, the multi-user desktop welcome screen appears at the center of the desktop.

When this radio button is selected, the following options are available:

  • Lock keyboard and mouse:
    this option allows you to limit the use of the keyboard and mouse inside the multi-user desktop welcome screen.
  • Move information window every:
    by default, the welcome screen moves clockwise on the workstation’s desktop every 5 seconds. You can either change this value or select Manually to allow users to move the welcome screen using the keyboard (even if Lock keyboard and mouse is selected). The following keys move the window (left arrow, right arrow, up arrow, down arrow, home, end, page up and page down). For more details, see Authentication Manager Session Management Administrator’s Guide.
  • Information window is resizable:
    select this option to allow users to change the size (and the displayed items) of the welcome screen using the plus (+) and minus (-) keyboard keys.

Always display windows of these processes

When switching between two different users' sessions, Multi-User Desktop hides or terminates the applications (and associated processes) that must not be used by the authenticated user and shows the approved applications.

Complete this field to specify processes that are not managed by Multi-User Desktop: the applications running from the listed processes remain active and can be used by any authenticated user.

The processes must be separated by commas, as in the following example: AlertMgmt.exe, word.exe

Notes:

By default, the following applications are not managed by Multi User Desktop:

  • Multi User Desktop itself.
  • Enterprise SSO.
  • Windows task manager.

To activate this option for all running applications, enter the * character in the process field. The windows of all running applications will then always be displayed.

Allow reboot

Select this option to display a Reboot button in the welcome screen, which allows users to restart the workstation.

Show help URL

Select this option and enter the URL of a help page in the field; a link to that URL is then displayed in the welcome screen.

Automatically disconnect users after <x> seconds
Users can disconnect manually
Show count down for last <x> seconds before lock

Specifies how much user idle time must elapse before the Windows session automatically locks.

Enter 0 to disable this feature.

You can allow users to lock their session. When this option is selected, the Disconnect command is available from the Multi User Desktop icon displayed in the workstation notification area and from the toolbar if you have selected this display mode (for more details, see Authentication Manager Session Management Administrator’s Guide).

If the Show count down for last <x> seconds before lock option is selected, a countdown clock automatically appears on the workstation desktop at the specified time. When the countdown reaches zero, the session is locked.

Automatically logoff users after <x> seconds
Users can logoff manually

Specifies how much time must elapse after the workstation is locked before the user is automatically logged off.

Enter 0 to disable this feature.

You can allow users to log off. When this option is selected, the Logoff command is available from the Multi User Desktop icon displayed in the workstation notification area and from the toolbar if you have selected this display mode (for more details, see Authentication Manager Session Management Administrator’s Guide).

Maximum concurrent sessions

Maximum number of Windows sessions managed by the Multi User Desktop feature. When a new session is opened while this limit has already been reached, the oldest locked session is automatically closed.

Enter 0 to disable this feature.
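The three timers above and the session limit interact: idle time locks a session, a countdown is shown for the last seconds before that lock, a locked session is logged off after a further delay, and opening a session beyond the limit evicts the oldest locked one. The following Python model is an added illustration of that policy, not One Identity code; the class and method names (MudPolicy, MultiUserDesktop, tick, open_session) are invented, and it assumes that when the limit is reached and no session is locked, the new session still opens, which the tab does not specify.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Session:
    user: str
    opened_at: float
    last_activity: float          # time of last keyboard/mouse input
    locked_at: Optional[float] = None


@dataclass
class MudPolicy:
    """Values of the four tab settings; 0 disables a setting, as the tab states."""
    disconnect_after: int = 0     # Automatically disconnect users after <x> seconds
    countdown: int = 0            # Show count down for last <x> seconds before lock
    logoff_after: int = 0         # Automatically logoff users after <x> seconds
    max_sessions: int = 0         # Maximum concurrent sessions


class MultiUserDesktop:
    """Hypothetical session manager applying a MudPolicy (not product code)."""

    def __init__(self, policy: MudPolicy) -> None:
        self.policy = policy
        self.sessions: List[Session] = []
        self.events: List[str] = []

    def _find(self, user: str) -> Optional[Session]:
        return next((s for s in self.sessions if s.user == user), None)

    def open_session(self, user: str, now: float) -> None:
        p = self.policy
        if p.max_sessions and len(self.sessions) >= p.max_sessions:
            # Limit reached: close the oldest *locked* session, if there is one.
            locked = [s for s in self.sessions if s.locked_at is not None]
            if locked:
                oldest = min(locked, key=lambda s: s.opened_at)
                self.sessions.remove(oldest)
                self.events.append(f"{now:g}: logoff {oldest.user} (max sessions)")
            # Assumption: with no locked session to evict, the new session still opens.
        self.sessions.append(Session(user, opened_at=now, last_activity=now))
        self.events.append(f"{now:g}: open {user}")

    def activity(self, user: str, now: float) -> None:
        """User input resets the idle timer of an unlocked session."""
        s = self._find(user)
        if s is not None and s.locked_at is None:
            s.last_activity = now

    def countdown_remaining(self, user: str, now: float) -> Optional[int]:
        """Seconds shown on the countdown clock, or None when it is not displayed."""
        p = self.policy
        s = self._find(user)
        if s is None or s.locked_at is not None or not p.disconnect_after or not p.countdown:
            return None
        remaining = p.disconnect_after - (now - s.last_activity)
        return int(remaining) if 0 < remaining <= p.countdown else None

    def tick(self, now: float) -> None:
        """Apply the idle-lock and lock-then-logoff timers at time `now`."""
        p = self.policy
        for s in list(self.sessions):
            if s.locked_at is None:
                if p.disconnect_after and now - s.last_activity >= p.disconnect_after:
                    s.locked_at = now
                    self.events.append(f"{now:g}: lock {s.user} (idle)")
            elif p.logoff_after and now - s.locked_at >= p.logoff_after:
                self.sessions.remove(s)
                self.events.append(f"{now:g}: logoff {s.user} (locked too long)")

    def active_users(self) -> List[str]:
        return [s.user for s in self.sessions]


def simulate() -> MultiUserDesktop:
    """Constructed scenario: lock after 30 s idle, countdown for the last 10 s,
    logoff 60 s after lock, at most 2 sessions."""
    mud = MultiUserDesktop(MudPolicy(disconnect_after=30, countdown=10,
                                     logoff_after=60, max_sessions=2))
    mud.open_session("alice", 0)
    mud.open_session("bob", 5)
    mud.activity("bob", 20)       # bob's idle timer restarts at t=20
    mud.tick(25)                  # alice's countdown now shows 5 s
    mud.tick(30)                  # alice locks (idle 30 s)
    mud.open_session("carol", 40) # limit reached: locked alice is closed
    mud.tick(50)                  # bob locks (idle since t=20)
    mud.tick(70)                  # carol locks
    mud.tick(110)                 # bob logged off, 60 s after his lock
    return mud


if __name__ == "__main__":
    for line in simulate().events:
        print(line)
```

Running the block prints the event trail; only carol remains, locked at t=70, which is the "oldest locked session closed first" behaviour the tab describes.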

Allow biometrics enrollment

This option is selected by default. It allows users who can authenticate using their biometric data, but who have not yet enrolled their fingerprints, to register their fingerprints when they log on to the Multi User Desktop workstation for the first time.

Show infos

Select this option to display information on the chosen location (as an overlay on the wallpaper or on a toolbar located at the top of the screen). To customize the available information, see Security Services Tab.

Biometrics Tab

Subject

This tab allows you to configure biometric parameters on the workstations where biometrics is used.

Before starting

To configure the parameters described in this section, you must work in advanced administration mode, and your role must contain the following administration right: "Bio: Is enable to allow biometrics pattern enrollment".

NOTE: For more information on administration roles, see Section Managing administrators.

"Biometrics" Tab - Description

  • Sensitivity area
    • False accepted rate (read the instructions displayed in the area).

NOTE: This option applies to the Precise Biometrics middleware and to the UPEK middleware.

For the UPEK middleware, the false accepted rate value sets the severity level used when matching fingerprints. Five levels are supported:

  • minimal: value set between 100 and 9,999.
  • low: value set between 10,000 and 19,999.
  • average: value set between 20,000 and 39,999.
  • high: value set between 40,000 and 59,999.
  • maximal: value set between 60,000 and 100,000.

  • Policy area
    • Remove unused cached patterns on the workstation after x days check box
      • Check box selected: biometric data stored in the cache will be deleted if it has not been used after a defined number of days.
      • Check box cleared: biometric data stored in the cache is never deleted.
    • Users must confirm biometric scan to log on check box.
      • Check box selected: to log on to the computer, users must scan their fingerprints and then click OK in the Authentication Manager welcome screen.
      • Check box cleared: to log on to the computer, users only have to scan their fingerprints. The validation is automatic.

Self Service Password Request Tab


Servers

This area displays the list of the password reset servers you want to use. The position of servers in the list corresponds to the working order (if the first server does not respond, the second one is tested, and so on).

Remove button

This button removes the selected server from the server list.

Add button

Type a server address in the field and click this button to add it to the list.

Active RFID Tab

This tab allows you to modify the detection areas of RFID tokens. For more information, see Section Modifying the detection areas and the grace period.
