
Enterprise Single Sign-On 9.0.2 - One Identity Enterprise Access Management Console Administration Guide


Defining the general properties of an application

Subject

The application's general properties allow you to define the following:

  • The application access time slice.
  • The authorized authentication type.

Before starting
  • The application access Timeslice object must be created. For more information, see Section Managing time slices.
  • To perform the tasks described in this section, you must have at least the following administration role:
    • In classic administration mode: "Security object administrator".
    • In advanced administration mode, your role must contain the following administration right: "Application: Creation/Modification".

Procedure

  1. In the tree structure of the Directory panel, select the wanted application.
  2. In the Configuration tab, click the General tab.
    • The General tab appears.

  3. Fill in this tab as follows:
    • Timeslice area

      Click the  button to change the time slice used by the application.

      NOTE: To display the parameters of the selected time slice, click the  button.
    • Properties area

      Only the password authentication method is currently supported.

    • Audit area

      You can assign an audit filter to the application so that only the events relevant to this object are generated: see Section Applying an audit filter to specific objects.

  4. Click Apply.


Creating the account properties for an application

Subject

The properties of the account associated with an application allow you to define the login/password requirements, the list of parameters supported by the application, and whether several applications share the same account base. You define the account properties through the Account Base and Account Properties tabs located in the Configuration tab of an application object.

Before starting

To perform the tasks described in this section, you must:

  • Either have at least the following administration role:
    • In classic administration mode: "Security object administrator".
    • In advanced administration mode, your role must contain one of the following:
      • The rights "Application: Creation/Modification", "Parameter: Creation/Modification" and "Parameter: Deletion".
      • The right "Application: Manage all applications".
  • Or be an administrator allowed to manage the application with full control on it.

NOTE: For more information on:

In this section:

Defining account base parameters

Subject

The Account Base tab allows you to define common bases of accounts for several applications.

Procedure

  1. In the tree structure of the Directory panel, select the wanted application.
  2. In the Configuration tab, click the Account Base tab.
    • The Account Base tab appears.

  3. Fill in the panel using the information note displayed in the tab and Section Account Base tab - Description below.
  4. Click Apply.
Account Base tab - Description
  • The application uses primary accounts check box
    • Check box cleared:
      The application standard account is used to perform SSO on the selected application.
    • Check box selected:
      The primary account (the user name and password that the user types to open his Windows session) is used to perform SSO on the selected application.

      The Windows username can be used in the following formats:

      • Short name: username only.
      • Windows 2000 (and later) user principal name format: username followed by the domain name. For example: jsmith@oneidentity.com
      • NT 4: username preceded by the NETBIOS domain, for instance: oneidentity\jsmith.

  • The application uses the PIN check box
    • Check box cleared:
      The application standard account is used to perform SSO on the selected application.
    • Check box selected:
      The PIN (that the user types to open his Windows session) is used to perform SSO on the selected application.
  • Share Account Base with Another Application button

    This button allows you to share the account base of the selected application (Application A) with another application (Application B). Application B then uses Application A's accounts.
    If users have already collected accounts for Application B, these accounts are no longer visible; the only visible accounts are those of Application A.

    Once the account base of the selected application is shared, the accounts are displayed from both applications (in the Accounts tab, as described in Section Displaying accounts associated with the application), but you should stop the sharing only from Application A (see Stop Sharing Account Base with Another Application button below).

    If you stop the sharing from Application B instead, Application B takes over the shared accounts and Application A is left with no account base.

    Use case:

    You have two applications: App A and App B. Both contain accounts (App A: Acc A1, Acc A2, etc.; App B: Acc B1, Acc B2, etc.).

    Open App A, add App B as a shared application and validate, choosing to keep your old accounts.

    Select App B and stop the sharing with App A. From now on, App B contains all the accounts from App A, which no longer contains any account.

  • Stop Sharing Account Base with Another Application button

    This button allows you to stop sharing the account base of the selected application (Application A) with another application (Application B).
    Application B then recovers the accounts that had been already collected for it.

Defining account properties

Subject

The Account Properties tab allows you to define the login and password requirements for the selected application, and the list of parameters supported by the application. The end user will have to follow these rules at application login/password collection time.

Procedure

  1. In the tree structure of the Directory panel, select the wanted application.
  2. In the Configuration tab, click the Account Properties tab.
    • The Account Properties tab appears.
  3. Fill in the Login, Password and Parameters tabbed panels with the instructions given in the following section ("Account Properties" tab - Description).
  4. Click Apply.
"Account Properties" tab - Description

Login tab

  • Login creation rule area

    This area allows you to define the rule for the application login value, on the basis of the information read within the User object.

    • Rule field:
      Between parentheses, type the exact name of the user LDAP attribute(s) that you want to be displayed to the user in the application Login field.
      Example: (mail) indicates that the login is the user's email address.
      If you want to add several LDAP attributes, they must be separated by a comma inside the parentheses. Example: (mail,dn)

      NOTE: To get the exact LDAP attribute name, use an LDAP browser.

      You can be more specific about the login value by following these rules:

      • To keep only the first n characters of the LDAP value, use the syntax (attLDAP,n).
      • Three functions are used to process LDAP values: UPPER, LOWER and CAPITALIZED. For example: UPPER(mail,10) will return the first 10 characters of the user's mail address in upper case.
    • User can modify login check box:
      • Clear this check box to indicate that the login creation rule is mandatory, which means that the user cannot modify the application login.
      • Select this check box to indicate that the defined login creation rule is only for information and that the user can modify the application login.
  • Login constraints area

    IMPORTANT: The settings defined in this section must be coherent with the rule defined in the Login creation rule area.
    • Length area: set the minimum and maximum number of characters of the login by using the arrow keys.
    • Forbidden characters area: one after the other, type the characters that you want to forbid to the user.
  • Default account label area

    This area enables you to define a label that will be suggested during the creation of a first account and the first collection. This label will be displayed in Enterprise SSO as well as in all the SSO data collection windows and in the user account management window.

Password tab

  • Password Format Control Policy area

    The password is checked using a PFCP object, which must be created. For more details, see Section Managing Password Format Control Policies.

    • Click the  button to choose the PFCP used by the application.
    • Click the  button to display the selected PFCP parameters.
  • Password Reveal policy area

    The password reveal policy is initially configured on Application Profiles, as detailed in Account tab. In some cases (for example if the SSO process stops working on an application), you can allow users to display the password of a specific application from the Enterprise SSO engine:

    • In the drop-down list, select On profile and application.
    • Select the Allow password reveal for all users check box.

      NOTE: You must have one of the following administration rights:

  • Send Password by email (Emergency Plan) area

    You can send a user’s password by email. To do so, you must configure the application with one of the three following options:

    • Never: the password will never be sent to the user.
    • During Emergency Plan (default mode): the password is sent to the user only if the emergency plan is activated. To activate the Emergency plan, see Security Tab and Managing Emergency Accesses.
    • Always: the password is sent to the user through the Web server or through an administrative operation.

Parameters tab

  The Parameters tab allows you to add a list of additional authentication parameters (for example "Windows Domain" or "Language"). These parameters let you define fields other than the user name/password fields of the target application's authentication window.

  To define a UNIX application, you must add the Unix Host Identifier parameter (Default type) in this tab. This parameter collects the name of the UNIX computer on which the user can authenticate.

IMPORTANT: Do not forget to check the consistency between the list of authentication parameters for the application and the parameters defined at the technical reference level, which is done using Enterprise SSO Studio. For more details, see Enterprise SSO Administrator's Guide.
  • Add button: click this button to add a parameter. The Add Parameter window appears:

    • To add an existing parameter, select it and click OK.
    • To create a new parameter, type its name in the Name field and click New.
    • To delete or rename an existing parameter, select it and click Delete or Rename.
    • To define an external name for a parameter, select the wanted parameter, click External Name and fill in the displayed window.

      NOTE: External names for parameters allow you to define a mapping between the parameter that you are configuring within EAM Console and the name of an external parameter (created using another SSO tool).

      This option is particularly useful to integrate User Provisioning or Web Access Manager with the EAM module. For more details, see Defining external names.

  • Delete button: select a parameter and click Delete.
  • Properties button:
    Select a parameter, then click this button to define the properties of the selected parameter.

    • Parameter type:
      • Default:
        The value of the parameter is collected for each SSO account and can be modified by the user.
      • Global:
        The parameter is the same for all SSO accounts and is not proposed to the user.
      • Rule:
        The value is dynamically defined as a function on user data, and cannot be changed.
    • Value:
      This is the default value assigned to the parameter. If nothing is entered here, it will be requested at first authentication (data collection) as a function of the parameter type defined previously.

      If you have selected Rule in the Parameter type area, get the exact LDAP attribute name (using an LDAP browser) and type it between parentheses in the Value field. For example, type (mail) to indicate that the parameter value is the user's mail address.

      NOTE:

      • If you want to add several LDAP attributes, each of them must be in its own pair of parentheses. Example: (mail)(dn). Note that this differs from the login creation rule, where several attributes are separated by commas inside a single pair of parentheses.
      • You can further refine the parameter value according to the following rules:
        • To keep only the first n characters of the LDAP value, use the syntax (attLDAP,n).

        • Three functions are used to process LDAP values: UPPER, LOWER and CAPITALIZED. Example: UPPER(mail,10) will return the first 10 characters of the user's mail address in upper case.
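The login creation rule (Login tab) and the Rule parameter type (Parameters tab) use the same notation: an LDAP attribute name in parentheses, an optional trailing integer (attLDAP,n) that keeps the first n characters, and the UPPER, LOWER and CAPITALIZED functions. The following Python evaluator is an added example and not part of the product or of this guide; it interprets that notation as the page describes it and then checks the resulting logins against the Length and Forbidden characters settings of the Login constraints area, which the page says must stay coherent with the rule. The sample user entries are constructed, the attribute names are ordinary Active Directory names, and two details the page does not specify are assumptions: comma-separated attributes in a login rule are concatenated with no separator, and CAPITALIZED means first character upper case with the rest lower case.

```python
import re

# One rule term: optional function name, then a parenthesised body such as
# "mail", "mail,10" or "mail,dn". Several terms may follow each other: (mail)(dn).
_TERM_RE = re.compile(r"(?P<func>UPPER|LOWER|CAPITALIZED)?\((?P<body>[^()]*)\)")

# Constructed sample directory entries (not taken from the page).
USERS = [
    {"sAMAccountName": "jsmith", "mail": "John.Smith@oneidentity.com",
     "dn": "CN=John Smith,OU=Users,DC=oneidentity,DC=com"},
    {"sAMAccountName": "a.lee", "mail": "Anna.Lee@oneidentity.com",
     "dn": "CN=Anna Lee,OU=Users,DC=oneidentity,DC=com"},
]


def _apply_func(func, value):
    """Apply one of the three functions the page names; None means no function."""
    if func == "UPPER":
        return value.upper()
    if func == "LOWER":
        return value.lower()
    if func == "CAPITALIZED":
        # Assumed meaning: first character upper case, remainder lower case.
        return value[:1].upper() + value[1:].lower()
    return value


def evaluate_rule(rule, user, joiner=""):
    """Return the login (or parameter value) produced by `rule` for one user entry.

    Accepts both the login form (mail,dn) and the parameter form (mail)(dn).
    A trailing integer in a term is the (attLDAP,n) truncation.
    Raises ValueError on malformed rules and KeyError on unknown attributes.
    """
    result = []
    pos = 0
    for m in _TERM_RE.finditer(rule):
        if m.start() != pos:  # text between terms that is not a term
            raise ValueError(f"unexpected text in rule: {rule[pos:m.start()]!r}")
        pos = m.end()
        tokens = [t.strip() for t in m.group("body").split(",") if t.strip()]
        if not tokens:
            raise ValueError("empty term '()' in rule")
        length = int(tokens.pop()) if len(tokens) > 1 and tokens[-1].isdigit() else None
        values = []
        for attr in tokens:
            if attr not in user:
                raise KeyError(f"user has no LDAP attribute {attr!r}")
            values.append(str(user[attr]))
        value = joiner.join(values)  # assumption: no separator between attributes
        if length is not None:
            value = value[:length]
        result.append(_apply_func(m.group("func"), value))
    if pos != len(rule):  # unbalanced parentheses or trailing junk
        raise ValueError(f"unparsed text in rule: {rule[pos:]!r}")
    return "".join(result)


def check_login_constraints(login, min_len, max_len, forbidden):
    """Return the list of Login constraints violated by `login` (empty if none)."""
    problems = []
    if len(login) < min_len:
        problems.append(f"too short ({len(login)} < {min_len})")
    if len(login) > max_len:
        problems.append(f"too long ({len(login)} > {max_len})")
    bad = sorted(set(login) & set(forbidden))
    if bad:
        problems.append("forbidden characters: " + "".join(bad))
    return problems


def audit_rule(rule, users, min_len, max_len, forbidden):
    """Run the rule over a sample of users; map each non-compliant login to its problems.

    This is the coherence check between the Login creation rule and the Login
    constraints area that the page asks the administrator to perform.
    """
    report = {}
    for user in users:
        login = evaluate_rule(rule, user)
        problems = check_login_constraints(login, min_len, max_len, forbidden)
        if problems:
            report[login] = problems
    return report


if __name__ == "__main__":
    for rule in ["(mail)", "UPPER(mail,10)", "LOWER(sAMAccountName)", "(mail)(dn)"]:
        print(f"{rule:24} -> {evaluate_rule(rule, USERS[0])}")
    # A rule that truncates the mail address to 10 upper-case characters conflicts
    # with a maximum length of 8 and a forbidden "." for every sample user.
    print(audit_rule("UPPER(mail,10)", USERS, min_len=4, max_len=8, forbidden="."))
```

Run the rule over a representative sample of directory entries before clearing the User can modify login check box: when the rule is mandatory, any user for whom audit_rule reports a problem cannot produce a valid login at collection time.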
