Enterprise Single Sign-On 9.0.2 - One Identity Enterprise Access Management Console Administration Guide

Displaying user authentication information and administering roaming sessions

Subject

The Authentication tab allows you to:

  • Check if a user's account is still being used.
  • Manage roaming sessions by displaying their duration, and delete them if necessary.
Before starting

To configure the parameters described in this section, you must work in advanced administration mode, and your role must contain the following administration right: "Roaming: Delete user's sessions".

NOTE: For more information on administration roles, see Section Managing administrators.

Procedure

  1. In the tree structure of the Directory panel, select the wanted user.
  2. In the Connection tab, click Authentication.
    • The tab appears.

      This panel displays:

      • The date of the last successful authentication attempt and the date of the last authentication failure.
      • The roaming session duration
        The Delete roaming session button allows you to delete the current roaming session to force the user to authenticate again at the next session opening.
        This option also allows you to disable the roaming session in case the user has lost his/her physical authentication means.

Predefining a new user's primary password

Subject

In the Password tab described in this section, you can predefine the user's primary password without the user losing his/her recoverable SSO data.

IMPORTANT:

  • This process makes the user's private accounts unavailable.
  • This action automatically unlocks the user account (you are not warned if the unlocking operation fails).

This tab also lets you temporarily allow a user to use the password authentication method. This feature can be useful if you want to enforce the use of tokens within the company: in this case, you disable password authentication for all users, and activate temporary password access (TPA) in the Password tab only for users who do not have their smart card yet.

Before starting

To perform this operation, you must have recovery rights, that is:

  • In classic administration mode:
    • The "SSO Data Recoverer" administration role.
    • The SSO data recoverer authorization applicable to the administration of your smart card.
  • In advanced administration mode, your role must contain the following administration rights: "User: Password modifications", "Temporary password access: Creation" and "Temporary password access: Deletion".

Procedure

  1. In the tree structure of the Directory panel, right-click the wanted user and select Force Password.
    • The Password tab appears.

  2. To modify the user's primary password, do one of the following operations:
    • In the New Password and Confirmation fields, type the new user's primary password and click Apply.
    • Click the Generate button to automatically generate the user's password and click Apply.
  3. To activate the temporary password access for the user, perform the following operations:
    1. Complete the New Password and Confirmation fields as explained above.
    2. Select the User can connect using password authentication check box and click Apply.
      • The tab displays the temporary password access expiration date. If the user connects using a smart card, the temporary password access is automatically removed.
    3. To extend the temporary password access duration, clear the User can connect using password authentication check box, then create a new temporary password access as described above.
  4. To force the user to change his/her password, select the User must change password at next login check box and click Apply.
  5. To avoid site replication issues if you are using Active Directory: in the User is logged on computer field, type the name of the computer the user is logged on to, and click Apply. The password reset is then performed on a domain controller located in the same site as that computer (and not on the domain controller you are connected to), so the user is not affected by replication delay.

    NOTE: For more information on how to select domain controllers, see Section Selecting a domain controller.
    • All password reset operations are performed on this domain controller. The administration connection switches back to the previous domain controller once the password reset operation is complete.
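The site-aware reset behind the User is logged on computer field, shown as an added PowerShell illustration of the underlying Active Directory operation; this is not the EAM console's own code and does not use its APIs. It assumes the ActiveDirectory module (RSAT) on a domain-joined administration workstation, an account delegated the reset-password right, that the computer's IPv4 address is resolvable, and that the forest's site subnets are published in the Configuration partition. The user, computer and function names are placeholders.

```powershell
# Added example (not One Identity code): reset a user's password on a writable
# domain controller in the same AD site as the user's computer, so the new
# password is usable immediately instead of waiting for inter-site replication.
# Assumes the ActiveDirectory RSAT module and delegated password-reset rights.
Import-Module ActiveDirectory

# Convert a dotted IPv4 address to an integer, independent of host endianness.
function ConvertTo-IPv4Integer([string]$Address) {
    $value = [uint64]0
    foreach ($byte in ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()) {
        $value = $value * 256 + $byte
    }
    return $value
}

# True when $Address lies inside the $Cidr prefix (e.g. '10.20.5.17' in '10.20.0.0/16').
function Test-IPv4InSubnet([string]$Address, [string]$Cidr) {
    $network, $prefixLength = $Cidr.Split('/')
    $shift = 32 - [int]$prefixLength
    return ((ConvertTo-IPv4Integer $Address) -shr $shift) -eq ((ConvertTo-IPv4Integer $network) -shr $shift)
}

# Map a computer to its AD site by longest-prefix match against the published subnets.
function Get-ComputerSiteName([string]$ComputerName) {
    $ip = [System.Net.Dns]::GetHostAddresses($ComputerName) |
          Where-Object AddressFamily -eq 'InterNetwork' | Select-Object -First 1
    if (-not $ip) { throw "No IPv4 address resolved for $ComputerName" }

    $subnet = Get-ADReplicationSubnet -Filter * |
              Where-Object { $_.Name -match '^\d+\.\d+\.\d+\.\d+/\d+$' -and $_.Site -and
                             (Test-IPv4InSubnet $ip.IPAddressToString $_.Name) } |
              Sort-Object { [int]$_.Name.Split('/')[1] } -Descending |
              Select-Object -First 1
    if (-not $subnet) { throw "No AD site subnet covers $($ip.IPAddressToString) ($ComputerName)" }

    return (Get-ADReplicationSite -Identity $subnet.Site).Name
}

# Reset the password on a writable DC in the computer's site, unlock the account
# (as the console does implicitly) and optionally force a change at next logon.
function Reset-UserPasswordOnLocalSiteDC {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][securestring]$NewPassword,
        [switch]$MustChangeAtLogon
    )
    $site = Get-ComputerSiteName $ComputerName
    $dc = Get-ADDomainController -Discover -SiteName $site -Writable -ForceDiscover
    $server = $dc.HostName | Select-Object -First 1

    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $NewPassword -Server $server
    # Unlike the console, this script stops with an error if the unlock fails.
    Unlock-ADAccount -Identity $SamAccountName -Server $server
    if ($MustChangeAtLogon) {
        Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true -Server $server
    }
    return $server   # the DC that actually performed the reset, for the audit trail
}

# Usage with placeholder names; the password is never placed in the command line.
$newPassword = Read-Host -AsSecureString -Prompt 'New primary password'
$usedDc = Reset-UserPasswordOnLocalSiteDC -SamAccountName 'jdoe' -ComputerName 'WS-PARIS-042' `
                                          -NewPassword $newPassword -MustChangeAtLogon
Write-Host "Password reset performed on $usedDc"
```

The longest-prefix sort matters when nested subnets are published (a /24 inside a /16 assigned to different sites); without it the wrong site can be chosen. Pinning every subsequent call to `-Server $server` is the equivalent of the console switching its administration connection for the duration of the reset.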


Managing user Self Service Password Request

Subject

The Self Service Password Request tab allows you to display and manage the password and PIN reset feature for a user. You can perform the following actions:

  • Consulting the Self Service Password Request information of a user.
  • Resetting the number of attempts for the password if the user has reached the maximum number of attempts.
  • Generating challenges (unblocking codes), to allow the user to reset his/her password or PIN.
Before starting

To perform the tasks described in this section, you must have the following administration role or administration rights:

  • In classic administration mode: "Security object administrator" or "Rights administrator" or "SSO Data Recoverer".
  • In advanced administration mode, your role must contain the following administration rights: "Self Service Password Request: Answer deletion", "Self Service Password Request: Challenge generation" and "Self Service Password Request: Reset attempt counter".

Procedure

  1. In the tree structure of the Directory panel, select the wanted user.
  2. In the Connection tab, click Self Service Password Request.

    • This tab displays information about the last use of Self Service Password Request by the user.
  3. Do one of the following operations, depending on the action you want to perform:
    • To reset to 0 the number of password attempts for the user, click the Reset button (works only in connected mode).
    • To delete the answers given by the user so that he/she can provide them again, click the Reset answers button.
    • To check the identity of the user, click the Check User Challenge button and enter the challenge provided by the user.
    • To generate an unblocking code, click the Generate Unblocking Code button.
      • The Unblocking Code window appears.

      1. Follow the instructions displayed in the window and, in the User challenge field, type the challenge the user gave you.

        NOTE: If a temporary access password has been assigned to the user, the Temporary password access duration field displays the number of days remaining to the user to connect by password (for more information, see Section Predefining a new user's primary password).
      2. Click the Generate button.
        • The result appears, you can then give it to the user so that he/she can reset his/her password or PIN.

          NOTE: The password attempt counter is automatically reset to zero once the password has been reset (you are not warned if the operation fails).

Defining an audit identifier

Subject

By default, an audit identifier is automatically generated for each administered user (you can select the LDAP attribute that is used as audit identifier in the Audit identifier area: see Section Adding user attribute information).

You can modify it if you want. In this case, you are strongly advised to modify it only once, upon the first definition of the user to avoid generating several audit identifiers for the same user.

Procedure

  1. In the tree structure of the Directory panel, select the user to whom you want to assign an audit identifier.
  2. Click the Connection tab.
  3. In the Audit identifier area, modify the identifier.
  4. Click the Apply button.