
Enterprise Single Sign-On 9.0.2 - One Identity Enterprise Access Management Console Administration Guide


General Tab

Option name

Description

Use password control policy specified here

Select this check box to assign a specific PFCP (Password Format Control Policy) to the security profile. If the check box is cleared, the PFCP of the application is used by default.

When the check box is selected, the default PFCP is selected automatically. Click the button next to the field to select another one.

Note: click the button to display and, if necessary, modify the selected PFCP, as described in Section Managing Password Format Control Policies.

Password generation policy

The default PGP (Password Generation Policy) is selected automatically. Click the button next to the field to select another one.

Note: click the button to display and, if necessary, modify the selected PGP, as described in Section Creating/Modifying Password Generation Policies.

User must re-authenticate to perform SSO

Select this check box to require the user to perform his/her primary authentication again before Enterprise SSO starts the applications associated with the security profile.

Launch application at start-up of Enterprise SSO

Select this check box to start the applications associated with the security profile when Enterprise SSO starts. The settings used to execute each application are those defined in SSO Studio.

Show application on user's Enterprise SSO desktop

Select this check box to display the SSO data of the applications associated with the security profile on the account list.

When application is used, set user's 'unlocking level' to

If you want to use a different user level than the one specified in the user security profile (see Section Unlocking Tab (Fast User Switching - FUS)), select this check box and define the new level of the user for the applications associated with this security profile.

Allow the user to test the application with Enterprise SSO

Select this check box to enable the Test application command in Enterprise SSO when the user right-clicks an application associated with the security profile.

Account Tab

Option name

Description

Credential storage

Set the storage location of the user accounts used by the applications associated with the security profile.

IMPORTANT: if you select Store on token, check that the proper authentication method is provided and selected. For more information, see Section Authentication method Tab.

Password change at first connection

Select this check box to make the collected password expire immediately: as soon as Enterprise SSO collects the account password, the password is changed according to the password generation policy (see Section Configuring the Password Generation Policy).

User can modify account

Select this check box to allow users to change their application passwords through Enterprise SSO. Because the change is made through Enterprise SSO, the SSO data remains managed centrally.

User can display password

Select this check box to allow users to display their passwords using Enterprise SSO.

Encrypt by

The drop-down list lets you select how the secondary accounts used by the applications associated with the security profile are encrypted and decrypted, and therefore who is able to recover them:

User: only the user can decrypt his/her secondary accounts. This is the most secure option.

IMPORTANT: if the user forgets his/her primary password or loses his/her smart card, it is impossible to recover his/her secondary accounts.

User and administrators: administrators can decrypt the user's secondary accounts in the same way as the user can. Thus, if you force a new primary password or assign a new smart card from the console, the user's secondary accounts are recovered. Note that this also means console administrators are able to read the users' application passwords; select this option only if that is acceptable in your environment.

User, administrators and external key: select this option to allow an external application to decrypt the user's secondary accounts using a public key. For example, you must select this option if you want to use EAM with Web Access Manager (WAM). This option lets WAM decrypt the user's EAM secondary accounts so that WAM can perform SSO with them. Anyone holding the corresponding private key can decrypt the accounts as well, so protect that key accordingly. For more details, see Mobile E-SSO Installation and Configuration Guide.
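To make the recovery consequences of these three options concrete, here is an added example (not One Identity code, and not EAM's actual key management) that models them with envelope encryption: each user's secondary accounts are encrypted under a random data key, and that data key is wrapped once for every party the selected option admits. It assumes 32-byte symmetric keys for the user, the administrators and the external application (the product uses a public key for the external one), a standard-library HMAC-based cipher in place of a real AEAD, and constructed sample credentials.

```python
# Added example (not One Identity code): an envelope-encryption model of the
# three 'Encrypt by' options. Assumptions: the user's primary secret, the
# administrator key and the external key are all 32-byte symmetric keys (the
# product uses a public key for the external application); the cipher is an
# HMAC-SHA256 keystream with an encrypt-then-MAC tag, used only so that the
# example needs nothing beyond the standard library. Use a real AEAD in production.
import hashlib
import hmac
import secrets

MODES = ("user", "user_and_admins", "user_admins_external")

def _hkdf(key, info, length=32):
    """HKDF-SHA256 (RFC 5869) with an empty salt: derive a sub-key for `info`."""
    prk = hmac.new(b"\x00" * 32, key, hashlib.sha256).digest()
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out += block
        i += 1
    return out[:length]

def _keystream(key, nonce, n):
    """Counter-mode keystream from a PRF: HMAC(key, nonce || counter)."""
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_hkdf(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_hkdf(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Check the tag before decrypting; a wrong key or tampering raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_hkdf(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: wrong key or tampered data")
    ks = _keystream(_hkdf(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

def create_store(mode, user_key, admin_key=None, external_key=None):
    """One user's secondary-account store: a random data key encrypts the
    accounts and is wrapped once per party the 'Encrypt by' mode admits."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    data_key = secrets.token_bytes(32)
    recipients = {"user": user_key}
    if mode != "user":
        recipients["admins"] = admin_key
    if mode == "user_admins_external":
        recipients["external"] = external_key
    wrapped = {name: seal(k, data_key) for name, k in recipients.items()}
    return {"mode": mode, "wrapped": wrapped, "accounts": {}}

def _data_key(store, party, party_key):
    """Unwrap the data key as 'user', 'admins' or 'external'. KeyError means
    the mode never wrapped a copy for that party, so nothing can recover it."""
    if party not in store["wrapped"]:
        raise KeyError(f"{party!r} cannot decipher in mode {store['mode']!r}")
    return unseal(party_key, store["wrapped"][party])

def add_account(store, party, party_key, app, login, password):
    dk = _data_key(store, party, party_key)
    store["accounts"][app] = seal(dk, f"{login}\x00{password}".encode())

def read_account(store, party, party_key, app):
    dk = _data_key(store, party, party_key)
    login, password = unseal(dk, store["accounts"][app]).decode().split("\x00", 1)
    return login, password

def reset_primary(store, admin_key, new_user_key):
    """Console administrator forces a new primary password or smart card:
    re-wrap the data key for the user's new key. Needs the administrators'
    wrapped copy, which mode 'user' never creates."""
    dk = _data_key(store, "admins", admin_key)
    store["wrapped"]["user"] = seal(new_user_key, dk)

def recovery_after_reset():
    """For each mode: can the user still read 'payroll' after losing the
    primary secret and having an administrator reset it? (Constructed data.)"""
    user_key, admin_key, ext_key = (secrets.token_bytes(32) for _ in range(3))
    outcome = {}
    for mode in MODES:
        store = create_store(mode, user_key, admin_key, ext_key)
        add_account(store, "user", user_key, "payroll", "jdoe", "Hunter2!")
        new_user_key = secrets.token_bytes(32)  # new primary password / card
        try:
            reset_primary(store, admin_key, new_user_key)
            creds = read_account(store, "user", new_user_key, "payroll")
            outcome[mode] = creds == ("jdoe", "Hunter2!")
        except KeyError:
            outcome[mode] = False  # secondary accounts are lost for good
    return outcome
```

Calling recovery_after_reset() returns False only for the "user" mode: after the forced reset there is no wrapped copy of the data key left that anyone can open. The same structure shows the trade-off behind the other two options: every additional wrapped copy is one more key holder who can read the stored passwords.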

User can reveal password history

This check box is only available if the User can display password check box is selected.

Select this check box to allow users to see the list of passwords that have already been used for an application (in Enterprise SSO).

User can cancel Single Sign-On

If this check box is cleared, the user cannot cancel the SSO execution when he/she starts an application associated with the security profile:

If the user starts an application for the first time, he/she must complete the authentication data collection dialog box.

If the user has several accounts for an application, he/she must select an account in the account selection dialog box (the Cancel button is unavailable).

Note: if a problem occurs (for example, if the authentication data cannot be saved due to network issues), the Cancel button becomes available again to allow the user to log on manually or to quit the application.

Select this check box to allow users to temporarily cancel the SSO execution for applications associated with the security profile, then select the scope of the cancellation in the drop-down list:

For the current session only:
if the user cancels the SSO execution for an application, he/she can then start as many instances of the application as required and SSO remains disabled for all of them. SSO is enabled again when the user quits all instances of the application and restarts it (or resets the configuration, or restarts Enterprise SSO).

For the application (until reset):
the user can disable the SSO execution either for the current SSO session (see above) or until further notice. In the latter case, to re-enable SSO for the suspended application, the user must use the appropriate contextual command from the Enterprise SSO Account panel (or reset the configuration, or restart Enterprise SSO).

For the current window only:
if the user cancels the SSO execution for an application, SSO is disabled for that application instance only.

Integration with Identity & Access Manager

This drop-down list allows you to define the way Enterprise SSO behaves when it collects the security data of an application for which there is no account for the user.

IMPORTANT: this drop-down list appears only if the URL field of the Configuration window (File\Configuration\Options) is filled in:

The account is collected by EAM:
When the user starts an application for the first time, the standard Enterprise SSO security data collection window appears: the user must enter his/her login and password to enable SSO for this application.

The user can request an access:
When the user starts an application for the first time, the link I don’t have any account for this application appears in the Enterprise SSO security data collection window. The user can click this link to request access to the application through the Request Manager portal.

The user must request an access:
When the user starts an application for the first time, he/she must request access to the application through the Request Manager portal.

Authentication method Tab

This tab allows you to:

  • Select the necessary authentication methods to perform SSO.

    IMPORTANT:

    • The selected authentication methods must be consistent with the authentication methods selected in the related access point and user security profiles.
    • A wide range of authentication methods is supported. To add more authentication methods to the list, please contact your One Identity representative.
  • Authorize access to applications (SSO) when the roaming session mode is activated (see the roaming session activation parameters in Sections Authentication Manager Tab and Security Tab).

Delegation Tab

This tab allows you to define delegation permissions. These permissions authorize users to delegate their SSO account so that it can be used by other users.

The options below define to which users the SSO account can be delegated, and for how long.

  • Limit delegation duration to x day(s)
    Allows you to set the maximum number of days of application delegation.
  • Authorize delegation to all users
    Authorizes delegation to all users of the application.
  • Authorize delegation to members of the same group
    Authorizes delegation to all users of the same group.
  • Authorize delegation to members of the same organization entity
    Authorizes delegation to all users of the same organization.
  • Advanced mode, list users/groups/organizational entities authorized for delegation
    Authorizes delegation to a selection of users, groups and organizational units.
  • Authorize delegated users to generate new password
    Authorizes the delegated user(s) to modify the delegated SSO account password.

NOTE: A user can delegate his/her SSO account from Enterprise SSO.
For more details, see Enterprise SSO Administrator's Guide.
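As an added example (not One Identity code, and not how EAM itself evaluates delegation), the following check models the options above as an authorization decision. It assumes users identified by LDAP distinguished names whose first RDN is the object itself, that "same organizational entity" means the same immediate OU, that "same group" means at least one group in common, and that a request exceeding the configured day limit is refused rather than shortened; the directory objects at the end are constructed sample data.

```python
# Added example (not One Identity code): the Delegation Tab options as an
# authorization check. Assumptions: users are identified by LDAP DNs whose
# first RDN is the object itself; "same organizational entity" means the same
# immediate container (OU); "same group" means at least one group in common;
# a request longer than the configured limit is refused, not shortened.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class User:
    dn: str
    groups: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class DelegationPolicy:
    scope: str = "none"             # "all" | "same_group" | "same_ou" | "advanced"
    max_days: Optional[int] = None  # "Limit delegation duration to x day(s)"; None = no limit
    allowed: FrozenSet[str] = frozenset()  # advanced mode: user DNs, group names, OU DNs
    delegate_may_generate_password: bool = False  # "Authorize delegated users to generate new password"


def _container(dn):
    """Parent container of an object DN: 'CN=jdoe,OU=Payroll,DC=corp' -> 'ou=payroll,dc=corp'."""
    return dn.split(",", 1)[1].strip().lower()


def _in_subtree(dn, ou_dn):
    """True when the object sits anywhere below the given OU."""
    return dn.lower().endswith("," + ou_dn.strip().lower())


def _in_scope(policy, owner, target):
    if policy.scope == "all":
        return True
    if policy.scope == "same_group":
        return bool(owner.groups & target.groups)
    if policy.scope == "same_ou":
        return _container(owner.dn) == _container(target.dn)
    if policy.scope == "advanced":
        allowed = {a.strip().lower() for a in policy.allowed}
        return (target.dn.lower() in allowed
                or any(g.lower() in allowed for g in target.groups)
                or any(_in_subtree(target.dn, a) for a in allowed if a.startswith("ou=")))
    return False  # "none": delegation is not authorized at all


def check_delegation(policy, owner, target, requested_days, today_iso=None):
    """Return (allowed, reason, grant). grant is None when refused, otherwise
    {'expires': ISO date, 'may_generate_password': bool}."""
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    if owner.dn.lower() == target.dn.lower():
        return False, "an account cannot be delegated to its own owner", None
    if not _in_scope(policy, owner, target):
        return False, f"{target.dn} is outside delegation scope {policy.scope!r}", None
    if requested_days < 1:
        return False, "duration must be at least one day", None
    if policy.max_days is not None and requested_days > policy.max_days:
        return False, f"requested {requested_days} day(s); limit is {policy.max_days}", None
    expires = (today + timedelta(days=requested_days)).isoformat()
    return True, "ok", {"expires": expires,
                        "may_generate_password": policy.delegate_may_generate_password}


# Constructed sample directory objects
JDOE = User("CN=jdoe,OU=Payroll,OU=Finance,DC=corp,DC=example", frozenset({"Payroll-Admins"}))
ASMITH = User("CN=asmith,OU=Payroll,OU=Finance,DC=corp,DC=example", frozenset({"Payroll-Admins"}))
CNG = User("CN=cng,OU=Audit,OU=Finance,DC=corp,DC=example", frozenset({"Auditors"}))
BLEE = User("CN=blee,OU=Sales,DC=corp,DC=example", frozenset({"Sales"}))
```

For example, with DelegationPolicy(scope="same_ou", max_days=7), check_delegation(policy, JDOE, ASMITH, 5, "2024-01-01") grants until 2024-01-06, while the same request towards CNG (a different OU) or for 30 days is refused with a reason string that can be logged. The scope check runs before the duration check so that a refused request never leaks whether the duration would have been acceptable.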