
Enterprise Single Sign-On 9.0.2 - One Identity Enterprise Access Management Console Administration Guide


Defining the Single Sign-On properties of an application (SSO)

Subject

The SSO properties of an application allow you to define:

  • The application's authentication method.
  • The application security profiles (access strategies) defined for the application.
Before starting

To perform the tasks described in this section, you must:

  • Either have at least the following administration role:
    • In classic administration mode: "Security object administrator".
    • In advanced administration mode, your role must contain the right "Application: Manage all applications".
  • Or be an administrator allowed to manage the application with full control on it.

NOTE:

For more information on:

Procedure

  1. In the tree structure of the Directory panel, select the wanted application.
  2. In the Configuration tab, click the SSO tab.
    • The SSO tab appears.

  3. Fill in the Methods, Access Strategies and OLE/Automation tabs as follows:
    • Methods tab:

      The following authentication methods are available:

      • SSO: this method stipulates that the authentication is done through a technical reference. The technical reference is stated upon the authorization of the application on an access point. At the application level, you can set the technical reference to apply by default (optional).

        NOTE: For more information on how to create technical references, see Enterprise SSO Administrator's Guide.
      • Windows authentication: this authentication method defines the SSO accounts that can be used by the GINA. This function enables the use of several Windows accounts.
        If you are defining a UNIX application, you must select this propagation method.
      • OLE/Automation: this option states that it is possible to access the application through the OLE function. The secret allowing the connection establishment must be set in the OLE/Automation tab.
      • XenApp: this authentication method enables you to activate and use the Citrix Fast Connect 2 Credential Insertion API to execute SSO for Citrix-compatible applications. This SSO does not simulate the user behavior but calls specific APIs to provide the connection data. This choice enables you to specify a technical definition, which must be used for the automatic launch of XenApp.

        NOTE: For more information on the Citrix Fast Connect 2 Credential Insertion API, the XenApp client and its prerequisites, refer to the Citrix documentation.
      • VMWare View: this authentication method enables you to activate and use VMWare View to execute SSO for VMWare-compatible applications.
        When creating the VMWare application, you must create the View Connection Server parameter containing the server name.

        IMPORTANT:

        • If a technical definition is selected, you can edit it directly in Enterprise SSO Studio by clicking Edit.

        • For XenApp type applications, you must specify the domain parameter of the application.

        NOTE: The Show configuration data button in the Enterprise SSO on mobile devices area enables you to check whether the QRentry configuration data is present in the technical definition of the application. If this data is present, then the application can be used in QRentry.
      • Access Strategies tab:

        This tab defines the list of the application security profiles used by the application. The profile to be used is selected when the application is assigned to the user. If there is only one available profile, it is automatically selected.

      • OLE/Automation tab:
        This tab allows you to define the secret allowing the application access if the OLE/Automation method is selected in the Methods tab.
  4. Click Apply.

Defining external names

This tab allows you to set a mapping between the application you are configuring using EAM Console and the name of an external application (created using another SSO tool) for which you want to configure an access.

This option is particularly useful to integrate User Provisioning or Web Access Manager with EAM. For example, if you are defining the MyHTMLApplication application that already uses Web Access Manager account bases, enter the names of the Web Access Manager account bases defined for this application. In this way, the EAM Controller will be able to use these Web Access Manager account bases to perform SSO with this application. For more information, see Mobile E-SSO Installation and Configuration Guide.

Defining the Provisioning Connector

Subject

The E-SSO Provisioning connector enables the:

  • Password synchronization between the account base of a client application and Active Directory.
  • Regular and automatic password renewal.

To enable this connector, you must specify the administrator account of the target application in the Provisioning connector tab (described hereunder) and associate it with a password (see One Identity EAM Installation Guide).

Description

This tab enables you to define the provisioning connector to force the password of this application's accounts.

IMPORTANT: Password provisioning may slow down the sending of the login/password to the application. To avoid this, you can activate the window masking option in the application window (see Enterprise SSO Administrator's Guide).

Restrictions

  • This tab is only available if the "The application uses the primary account" and "The application uses the PIN" check boxes of the Account base tab are cleared (see Defining account base parameters). Otherwise, this tab is unavailable.
  • If the SSO application shares its account base with other applications, all applications must be configured for provisioning.
  • Multi-account is not supported.

Procedure

  1. In the tree structure of the Directory panel, select the wanted application.
  2. In the Configuration tab, click the Provisioning connector tab.
    • The Provisioning connector tab appears.

  3. To activate provisioning, select the This connector is used for provisioning check box and fill in the tab as follows:
    • Configuration area:
      • Login format: select the login format of the application's account base: short name, Windows 2000 or NT4.
      • Library: dll of the E-SSO connector (here: UAConnectorLdap, installed with the E-SSO controller).
      • XML configuration: XML configuration corresponding to the connector's pre-requisite (here: pre-requisite of UAConnectorLdap).
        For more information on the DLL and XML configuration, please contact your One Identity representative.
      • Admin login: login of the administrator account that you want to select (login or DN).
    • Provisioning behavior area:
      • Synchronize application password with the primary password: synchronizes the application's account base from the primary account.
      • Automatic password change: the lifecycle of the application's accounts is managed automatically (not synchronized with the primary account).
  4. Click Apply.

Assigning users to an application

You can authorize a user to run an application in the Access tab, either from an Application object or from a User object. Whatever the selected object type, the tab is the same. For more information on how to fill in this panel, see Assigning applications to a user.