Enterprise Single Sign-On 9.0.2 - One Identity Enterprise Access Management Console Administration Guide

Creating a welcome message

Subject

You can create a customized welcome message for the user, which will appear as a popup when Enterprise SSO opens.

Procedure

  1. In the tree structure of the Directory panel, select the wanted user.
  2. Click the Connection tab.
  3. In the User message area, type the welcome message for the selected user.
  4. Click Apply.

Assigning a user security profile

Subject

The assignment of a user security profile to a user is a fundamental step in the administration of User objects. Globally, User Security Profile objects define:

  • The authentication methods authorized for the users.
  • The parameters associated with the use of the Enterprise SSO module.

Before starting

  • To perform the tasks described in this section, you must have the following administration role:
    • In classic administration mode: "Security object administrator".
    • In advanced administration mode, your role must contain the following administration right: "User security profile: Assignment".
  • The user security profile that you want to assign must be created first as described in Section Managing User Security Profiles.

Procedure

  1. In the tree structure of the Directory panel, select the wanted user.

    NOTE: You can also select a group of users by selecting a folder containing the wanted users.
    This is not possible if the EAM data is separated from other data (Fedora Directory server in cooperative mode, or Active Directory + ADAM infrastructure for example).
  2. Click the Security Profiles tab.

    • A predefined user profile is automatically assigned. To simplify the following explanations, we will call it "default user profile".

      NOTE: You can set the "default user profile". For more information on this key, see Defining Security Profiles Default Values.
  3. To assign a different user profile, click the  button.
  4. In the displayed window, select the wanted user profile, either by browsing the tree structure, or by using a search filter.
  5. Click Apply.

    NOTE: Click the  button to display and optionally modify the selected user profile.
Hint

To quickly reassign the "default user profile", complete the user profile selection window as follows:

  1. In the Search tab, type "..." in the Filter field.
  2. Click OK.

Declaring a user as administrator

Subject

Any user declared in the directory can become an administrator. To declare a user as administrator, perform the operations described in the following procedure.

Procedure

  1. Grant administrative rights to the user, through the Administration tab, as described in Section Managing administrators.
  2. If access to EAM Console regularly requests authentication information, provide the user with a smart card through the Smart Card tab, as described in Section Managing smart cards.

Assigning/forbidding access points to a user

Subject

To configure the SSO for a user, you must set the following links:

  • Authorize the user on an access point.
  • Authorize an application to run on a given access point.
  • Authorize the user to access the application.

This section describes how to authorize a user to log on to an access point, from the User object. This access is controlled by Authentication Manager or by the GINA of the client workstation. If an unauthorized user tries to log on to a workstation, the following message appears on the screen: "You are not authorized to log on to this access point".

NOTE: It is also possible to grant permission to a user to log on to an access point using the Access Point object, as described in Section Assigning/forbidding users to an access point.

Before starting

  • To perform the task described in this section, you must have the following administration role:
    • In classic administration mode: "Security object administrator" or "Access administrator".
    • In advanced administration mode, your role must contain the following administration rights: "Authorization for user on access point: Creation/Modification" and "Authorization for user on access point: Deletion".
  • If the Allow on all access points option of the user security profile is selected (refer to Section Authentication Tab), then the ban on the access point for a user will not be effective for this user.
  • If you are working in "no-access-point-management" mode, it is not possible to configure the user access to access points or to objects representing a set of access points (groups, organizations and so on).
    In this mode, a user can connect to an access point located in his domain only if the Allow on all access points option associated with his security profile is selected (see Section Authentication Tab).

Procedure

  1. In the tree structure of the Directory panel, select the wanted user.
  2. Click the Access Points tab.
    • The tab appears.

  3. If the Allow on all Access Points parameter of the user security profile associated with this user is selected (for more details, see Section Authentication Tab), you can leave this tab blank to authorize the selected user to authenticate on all the access points of the domain. If you want to define authorized/forbidden access points, follow this procedure:
    • Click the Add/Remove buttons to select the access points on which the selected user can authenticate.
    • To refine the list of available access points, use the following buttons:
      • Allow/Forbid
        If you have added a group of access points and you want to forbid one or more access point(s) in this group, use the Allow and Forbid buttons.
      • Modules
        Select the EAM modules (Authentication Manager, Enterprise SSO, EAM Console...) installed on the access point that can be used by the selected user.

NOTE: The EAM Controller uses the following algorithm to allow or forbid access points to users:
  1. Checks whether the user is authorized or denied.
  2. Checks whether a user primary group is authorized or denied.
  3. Checks whether a user group is authorized or denied.
  4. Checks whether a parent organizational unit grants or denies access.
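The following Python model, added here as an illustration and not part of the product or this guide, works through the precedence order above together with the two profile rules stated earlier on this page (the "Allow on all access points" option makes a ban ineffective, and in "no-access-point-management" mode only that option can let a user in). The directory objects, the "forbid beats allow within one level" tie-break and the "no decision means forbidden" default are assumptions of this example, not statements from the guide.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed model of the directory objects the guide talks about; this is
# illustrative code, not the product's data format or API.
ALLOW, FORBID = "allow", "forbid"

@dataclass
class User:
    name: str
    primary_group: str | None = None
    groups: list[str] = field(default_factory=list)
    parent_ous: list[str] = field(default_factory=list)   # nearest OU first
    allow_on_all_access_points: bool = False              # profile option

# Explicit decisions stored per (directory object, access point).
Authorizations = dict[tuple[str, str], str]

def resolve_access(user: User, access_point: str, auth: Authorizations,
                   no_access_point_management: bool = False) -> tuple[str, str]:
    """Return (decision, source) for user on access_point.

    Precedence follows the note above: user, primary group, groups, parent
    OUs. Assumptions not stated on the page: the first level holding an
    explicit decision settles it, a forbid beats an allow within one level,
    and a user with no decision at any level is forbidden."""
    if no_access_point_management:
        # Per-access-point authorizations cannot be configured in this mode;
        # only the profile option can let the user in.
        return (ALLOW if user.allow_on_all_access_points else FORBID), "mode"
    if user.allow_on_all_access_points:
        return ALLOW, "profile"          # any ban on this user is not effective
    levels = [
        ("user", [user.name]),
        ("primary group", [user.primary_group] if user.primary_group else []),
        ("group", user.groups),
        ("parent OU", user.parent_ous),
    ]
    for level_name, objects in levels:
        decisions = {auth.get((obj, access_point)) for obj in objects} - {None}
        if FORBID in decisions:
            return FORBID, level_name
        if ALLOW in decisions:
            return ALLOW, level_name
    return FORBID, "default"

# Constructed sample authorizations for one access point, "WS-042".
SAMPLE_AUTH: Authorizations = {
    ("ou=sales", "WS-042"): ALLOW,           # the OU grants access
    ("grp-contractors", "WS-042"): FORBID,   # one group is banned
    ("alice", "WS-042"): ALLOW,              # an explicit user-level allow
}
```

The returned source label is what an administrator would want in an audit trail: it says which directory object actually decided the outcome.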