Preface
Overview
Enterprise Access Management Concepts
EAM Controllers
A Multi-Domain Architecture
Interface general design
Authenticating to EAM Console and Managing Protection Modes
Searching the Directory Tree
Managing administrators
Administration Modes - Presentation
Delegating Administration Roles
Managing Administration Profiles
Transferring an Administration Role
Deleting an Administration Role
Displaying your Administration Role
Modifying the Parent Administrator
Adding/Removing Primary Administrators
Managing Security Profiles
Managing time slices
Managing directory objects
Creating/Modifying Time Slices
Configuring Time Slices
Displaying time slice usage logs
Displaying time slice event logs
Renaming representative objects
Deleting time slices
Managing Password Format Control Policies
Creating/Modifying Password Format Control Policies
Configuring Password Format Control Policy
Displaying PFCP usage logs
Displaying Password Format Control Policy Event Logs
Renaming Password Format Control Policies
Deleting Password Format Control Policies
Managing User Security Profiles
Creating/Modifying User Security Profiles
Configuring User Security Profiles
Managing Access Point Security Profiles
Authentication Tab
Security Tab
SSO and Notes Tab
Cloud Tab
Unlocking Tab (Fast User Switching - FUS)
Self Service Password Request Tab
Biometrics Tab
Session Delegation Tab
Audit Tab
OTP Tab
Mobile Device Tab
Displaying User Security Profile Usage Logs
Displaying User Security Profile Event Logs
Renaming User Security Profiles
Deleting User Security Profiles
Creating/Modifying Access Point Security Profiles
Configuring Access Point Security Profiles
Managing Application Security Profiles
Security Services Tab
Authentication Manager Tab
Enterprise SSO Tab
Multi-User Desktop Tab
Biometrics Tab
Self Service Password Request Tab
Active RFID Tab
Audit Tab
Local Administrators Tab
Displaying Access Point Security Profile Usage Logs
Displaying Access Point Security Profile Event Logs
Renaming Access Point Security Profiles
Deleting Access Point Security Profiles
Managing Password Generation Policies
Defining Security Profiles Default Values
Managing User and Access Point Security Profiles Priorities
Creating/Modifying Password Generation Policies
Configuring the Password Generation Policy
Displaying Password Generation Policy Usage Logs
Displaying Password Generation Policy Event Logs
Renaming Password Generation Policies
Deleting Password Generation Policies
Creating/Modifying Application Security Profiles
Configuring Application Security Profiles
Displaying Application Security Profile Usage Logs
Displaying Application Security Profile Event Logs
Renaming Application Security Profiles
Deleting Application Security Profiles
Managing applications
Importing/Exporting security profiles and directory objects
Managing smart cards
Creating an application
Defining the general properties of an application
Creating the account properties for an application
Defining the Single Sign-On properties of an application (SSO)
Defining external names
Defining the Provisioning Connector
Assigning users to an application
Sharing the administration of an application
Generating/Importing accounts for an application
Assigning access points to an application
Displaying accounts associated with the application
Displaying application event logs
Displaying/Modifying application information
Renaming applications
Deleting applications
Managing users
Displaying general information about the user
Defining user connection parameters
Managing access points
Suspending or limiting temporarily user access
Displaying user authentication information and administering roaming sessions
Predefining a new user's primary password
Managing user Self Service Password Request
Defining an audit identifier
Creating a welcome message
Assigning a user security profile
Declaring a user as administrator
Assigning/forbidding access points to a user
Managing user accounts
Managing the User Self Enrollment
Assigning Administration Rights
Configuring the Dedicated Organizational Units
Configuring Self Enrollment
Sending SSO account passwords to users
Sending primary password expiration notification emails to users
Defining additional security parameters for groups of users
Managing user smart cards
Managing user Mobile Devices
Displaying and deleting user biometrics data
Assigning applications to a user
Displaying delegated sessions
Managing user RFID tokens
Displaying user event logs
Deleting SSO data of disabled user accounts
Adding or removing a user from a group
Displaying general information about the access point
Defining access point configuration parameters
Managing representative objects
Assigning an access point security profile
Managing EAM controller services
Assigning a generic account to an access point
Assigning/forbidding users to an access point
Assigning/forbidding applications to an access point
Adding or removing an access point from a group
Analyzing Errors of a Remote Access Point
Displaying access point event logs
Updating manually an access point
Managing inbound representative objects
Managing clusters of access points
Creating/Modifying an inbound representative object
Defining the set of users to represent
Assigning a user security profile to the inbound representative object
Selecting access points available to the representative
Managing outbound representative objects
Creating/Modifying an outbound representative object
Defining the set of access points to represent
Selecting applications available to the representative
Displaying representative event logs
Renaming representative objects
Deleting representative objects
Creating and configuring a cluster of access points
Managing user permissions on clusters
Selecting a domain controller
Authorizing users to access the workstations of the cluster
Displaying the cluster composed by authorized users
Displaying cluster event logs
Renaming clusters
Deleting cluster
Configuring smart card parameters of use
Managing SA server devices
Managing RFID tokens
Managing smart card configuration profiles
Managing smart card certificates
Assigning smart cards (except loan cards)
Creating/Modifying configuration profiles
Renaming a configuration profile
Deleting a configuration profile
Modifying authentication parameters of an assigned smart card
Managing batches of smart cards
Assigning smart cards
Assigning a smart card managed by an external CMS
Smart card self enrollment
Formatting an assigned smart card
Managing loan cards
Unlocking smart cards
Setting administrator's contact information
Unlocking to Forcing PIN
Unlocking by secret code
Unlocking by SSPR
Unlocking by extending the validity duration
Formatting a blacklisted card
Managing lost or theft smart cards
Formatting smart cards
Displaying information
Exporting Generated Reports
Assigning an RFID token
Locking and unlocking an RFID token
Managing biometrics
Locking and unlocking an RFID token from the Directory panel
Locking and unlocking an RFID token from the RFID panel
Resetting the PIN of an RFID badge
Blacklisting and deleting an RFID token
Blacklisting and deleting an RFID token from the Directory panel
Blacklisting and deleting an RFID token from the RFID panel
Modifying the detection areas and the grace period
Exporting a list of RFID tokens
Defining the biometric enrollment policy
Defining the workstation biometric parameters
Managing the user enrollment
Displaying and exporting the biometric enrollment report
Managing Mobile Devices
Enabling the public key authentication method
Configuring user and access point security profiles to support the PKA authentication method
Activating the PKA authentication method and defining the set of authorized certification authorities
Managing Emergency Accesses
Managing audit events
Activating the PKA authentication method
Configuring the set of authorized certification authorities
Configuring the automatic update of the revocation information
Displaying audit events
Defining an audit population
Managing and assigning audit filters
Interpreting audit events
Managing reports
The audit main window
The "Event details" window
Detailed information on the audit administration events
Exporting audit events
Archiving audit records
Retrieving user identifier from audit identifier
Retrieving audit events
Generating PDF reports
Generating On-screen reports
Customizing configuration files
Creating scripts
Basic syntax of regular expressions
Listing audit events and error codes
Correspondence between profiles and administration rights
Report Models and Parameters List
Custom Group Files Format
Defining the Single Sign-On properties of an application (SSO)
Managing directory objects > Managing applications > Defining the Single Sign-On properties of an application (SSO)
Defining the Single Sign-On properties of an application (SSO)
Subject
The SSO properties of an application allow you to define:
- The application's authentication method.
- The application security profiles (access strategies) defined for the application.
Before starting
To perform the tasks described in this section, you must:
- Either have at least the following administration role:
- In classic administration mode: "Security object administrator".
- In advanced administration mode, your role must contain the right "Application: Manage all applications".
- Or be an administrator allowed to manage the application with full control on it.
|
|
NOTE:
For more information on:
|
Procedure
- In the tree structure of the Directory panel, select the wanted application.
- In the Configuration tab, click the SSO tab.
- The SSO tab appears.
- Fill in the Methods, Access Strategies and OLE/Automation tabs as follows:
- Methods tab:
The following authentication methods are available:
- SSO: this method stipulates that the authentication is done through a technical reference. The technical reference is stated upon the authorization of the application on an access point At the application level, you can set the technical reference to apply by default (optional).
NOTE: For more information on how to create technical references, see Enterprise SSO Administrator's Guide. - Windows authentication: this authentication method defines the SSO accounts that can be used by the GINA. This function enables the use to several Windows accounts.
If you are defining an UNIX application, you must select this propagation method. - OLE/Automation: this option states that it is possible to access the application through the OLE function. The secret allowing the connection establishment must be set in the OLE/Automation tab.
- XenApp: this authentication method enables you to activate and use the Citrix Fast Connect 2 Credential Insertion API to execute SSO for Citrix-compatible applications. This SSO does not simulate the user behavior but calls specific APIs to provide the connection data. This choice enables you to specify a technical definition; which must be used for the automatic launch of XenApp.
NOTE: For more information on the Citrix Fast Connect 2 Credential Insertion API, the XenApp client and its prerequisites, refer to the Citrix documentation. - VMWare View: this authentication method enables you to activate and use VMWare View to execute SSO for VMWare-compatible applications.
When creating the VMWare application, you must create the View Connection Server parameter containing the server name.IMPORTANT:
-
If a technical definition is selected, you can edit it directly in Enterprise SSO Studio by clicking Edit.
-
For XenApp type applications, you must specify the domain parameter of the application.
NOTE: The Show configuration data button in the Enterprise SSO on mobile devices area enables you to check whether the QRentry configuration data is present in the technical definition of the application. If this data is present, then the application can be used in QRentry. -
- Access Strategies tab:
This tab defines the list of the application security profiles used by the application. The profile to be used is selected when the application is assigned to the user. If there is only one available profile, it is automatically selected.
- OLE/Automation tab:
This tab allows you to define the secret allowing the application access if the OLE/Automation method is selected in the Methods tab.
- SSO: this method stipulates that the authentication is done through a technical reference. The technical reference is stated upon the authorization of the application on an access point At the application level, you can set the technical reference to apply by default (optional).
- Methods tab:
- Click Apply.
Defining external names
Defining external names
This tab allows you to set a mapping between the application you are configuring using EAM Console and the name of an external application (created using another SSO tool) for which you want to configure an access.
This option is particularly useful to integrate User Provisioning or Web Access Manager with EAM. For example, if you are defining the MyHTMLApplication application that already uses Web Access Manager account bases, enter the names of the Web Access Manager account bases defined for this application. By this way, the EAM Controller will be able to use these Web Access Manager account bases to perform SSO with this application. For more information, see Mobile E-SSO Installation and Configuration Guide.
Defining the Provisioning Connector
Subject
The E-SSO Provisioning connector enables the:
- Password synchronization between the account base of a client application and Active Directory.
- Regular and automatic password renewal.
To enable this connector, you must set the administrator of the administrator account of the target application in the Provisioning connector tab (described hereunder) and associate it with a password (see One IdentityEAM Installation Guide).
Description
This tab enables you to define the provisioning connector to force the password of this application's accounts.
|
|
IMPORTANT: Password provisioning may slow down the sending of the login/password to the application. To avoid this, you can activate the window masking option in the application window (see Enterprise SSO Administrator's Guide). |
Restrictions
- This tab is only available if The application uses the primary account and The application uses the PIN check boxes of the Account base tab are cleared (see Defining account base parameters). Otherwise, this tab is unavailable.
- If the SSO application shares its account base with other applications, all applications must be configured for provisioning.
- Multi-account is not supported.
Procedure
- In the tree structure of the Directory panel, select the wanted application.
- In the Configuration tab, click the Provisioning connector tab.
- The Provisioning connector tab appears.
- The Provisioning connector tab appears.
- To activate provisioning, select the This connector is used for provisioning check box and fill-in the tab as follows:
- Configuration area:
- Login format: select the login format of the application's account base: short name, Windows 2000 or NT4.
- Library: dll of the E-SSO connector (here: UAConnectorLdap, installed with the E-SSO controller).
- XML configuration: XML configuration corresponding to the connector's pre-requisite (here: pre-requisite of UAConnectorLdap).
For more information on the DLL and XML configuration, please contact your One Identity representative. - Admin login: login of the administrator account that you want to select (login or DN).
- Provisioning behavior area:
- Synchronize application password with the primary password: synchronizes the application's account base from the primary account.
- Automatic password change: the lifecycle of the application's accounts is managed automatically (not synchronized with the primary account).
- Configuration area:
- Click Apply.
Assigning users to an application
Assigning users to an application
You can authorize a user to run an application in the Access tab, either from an Application object of from a User object. Whatever the selected object type, the tab is the same. For more information on how to fill in this panel, see Assigning applications to a user.