
Enterprise Single Sign-On 9.0.2 - One Identity Enterprise Access Management Console Administration Guide


Sharing the administration of an application

Subject

When you create an application, you are the only manager for this application. Therefore, you get administration rights for this application. However, you can define other administrators to manage this application, each with different control levels.

IMPORTANT: If you use EAM Console in advanced administration mode, the Application: Manage all application administration right can be delegated to other administrators so that they can manage all the applications, even if they have not created them.
For more information on administration rights, see Managing administrators.

Procedure

  1. In the tree structure of the Directory panel, select the wanted application.
  2. Click the Administrators tab.

    In this tab, you can:

    • Modify the main administrator of the application, using the Select button.
    • Define additional administrators, allowed to co-manage the application, using the Add and Remove buttons.
    • For each added administrator, you can set the administration level for the corresponding application using the Modify button. Here are the administration levels that you can set:

      Control level                                 Description
      -------------------------------------------   ----------------------------------------------------------------
      None                                          The administration rights are removed.
      Password control                              The administrator can change the user SSO data.
      Full control                                  The administrator can change the application access strategies.
      Password reveal policy modification allowed   The administrator can change the application password reveal policy (for more details, see Defining account properties).


Generating/Importing accounts for an application

Subject

This section describes account generation and import operations for an application to allow a user to run the selected application.

Before starting
  • You must authorize the user to run the application, as described in Assigning applications to a user.
  • To perform the tasks described in this section, you must have at least the following administration role:
    • In classic administration mode: "Security object administrator" or "Access administrator".
      And you must be manager of the application.
    • In advanced administration mode, your role must contain the following administration rights: "Account: Creation/Modification", "Account: Manage parameters".
      And you must be manager of the application or possess the right "Application: Manage all applications".

NOTE: For more information on the:

Procedure

  1. In the tree structure of the Directory panel, select the wanted application.
  2. Click the Account Generation tab.
    • The Account Generation tab appears.

  3. Fill in the panel as follows:
    1. Complete the Credentials area. This area is designed to set the account creation rules. Enter the following information:
      • In the Login field, type the login creation rule. For example, type (cn) to set the common name of the user as the login name.

        NOTE: For more information on the login creation rule syntax, see Section Creating the account properties for an application.
      • Define the password:

        To define a random password for each account, select the Random password generation check box. This password is created according to the defined PFCP (for more information, see Managing Password Format Control Policies).
        To apply the same password on all the accounts, clear the Random password generation check box and type the password in the Password area.

        IMPORTANT: If you type a password containing a special character, make sure to enclose the password in quotation marks.
        Example: "My;Password".
    2. To add additional authentication parameters (Windows domains or languages for example), fill in the Parameters area (optional).
    3. Complete the Generate accounts for only these users area. This area allows you to select the users who must have accounts. Depending on your needs, proceed as follows:
      • If you want to generate an account for all the users who have access to the application (that is who are listed in the User Access tab), but who do not have any account, make sure that the Do not modify existing accounts check box is selected.
      • If you want to generate an account for all the users who have access to the application, including the users who have already an account (in this case, you are going to renew their accounts), clear the Do not modify existing accounts check box.
      • If you want to generate an account for only some of the users who have access to the application, use the Add and Remove buttons to establish the list of concerned users, and select or clear the Do not modify existing accounts check box as required.
    4. In the Working file area, click the Select button to:
      • Define the name and location of the CSV file that will be used to import the accounts.
      • Select an existing CSV file.
    5. Click Import to build the file.
      • The account import window appears.

    6. Click Start to build/import the accounts.

Assigning access points to an application

Subject

To configure the SSO for a user, you must set the following links:

  • Authorize the user on an access point.
  • Authorize an application to run on a given access point.
  • Authorize the user to access the application.

This section describes how to authorize the execution of an application on an access point.

Before starting
  • The software corresponding to the application object must be installed on the access point.
  • To perform the tasks described in this section, you must have at least the following administration role:
    • In classic administration mode: "Security object administrator" or "Access administrator".
    • In advanced administration mode, your role must contain the following administration rights: "Authorization for application on access point: Creation/Modification", "Authorization for application on access point: Deletion".
  • If you are working in "no access point management" mode, the Access Points tab is not available.

Procedure

  1. In the tree structure of the Directory panel, select the wanted application.
  2. Click the Access Points tab.
    • The tab appears.

  3. Carefully read the instructions in the Information area on how to complete this panel.

    IMPORTANT: If you select the Allow access from all access points declared in the local directory check box, the selected application will be available on all the computers registered in the same domain as the application. To make this application available on computers registered in different domains, use the representative objects, detailed in Managing representative objects.

    If you do not select the Allow access from all access points declared in the local directory check box, do the following procedure:

    • Click the Add/Remove buttons to select the access points that you want to make accessible to the selected application.
    • To provide more details on the list of available access points, use the following buttons:
      • Allow/Forbid
        If you have added a group of access points and you want to forbid one or more access points in this group, use the Allow and Forbid buttons.
      • Propagation method
        If you specify individual access points and your application uses the SSO propagation method, you must indicate a technical reference. By default, the technical reference specified on the application is used, as described in Defining the Single Sign-On properties of an application (SSO).

Displaying accounts associated with the application

Subject

The Accounts tab allows you to filter and display the accounts associated with the selected application, and to export them as a CSV file.

NOTE: To display the accounts associated with several applications, see Managing reports.

Procedure

  1. In the tree structure of the Directory panel, select the wanted application.
  2. Click the Accounts tab.
    • The Accounts tab appears.

  3. In the Filter list:
    • Select the filter you want to apply to the accounts associated with the selected application.
      • Display all accounts without access
        Displays all the user accounts that have been collected for the selected application but are no longer associated with the application.
      • Display all unregistered accounts
        Displays all the users allowed to access the selected application who have not yet registered their account for this application (the account is not collected).
      • Display all registered accounts
        Displays all the users allowed to access the selected application who have registered their account for this application (the account is collected).
      • Display all accounts
        Displays all users allowed to access the selected application (unregistered and registered accounts).
    • Select the Show Parameters check box to display the authentication parameters of the technical definition associated with the application.
  4. Click Apply.
    • The area displays the selected accounts list.
  5. In the Export area, select the item of the displayed list that you want to export as a CSV file, and click Export.
  6. In the Accounts area, click Clear all accounts to delete the association with the registered accounts.