Enterprise Single Sign-On 9.0.2 - One Identity Enterprise Access Management Console Administration Guide

Managing user accounts

Subject

The Accounts tab allows you to manage a user's accounts.

Before starting

To perform the task described in this section, you must:

  • Either have at least the following administration role:
    • In classic administration mode: "Security object administrator" or "Access administrator".
    • In advanced administration mode, your role must contain one of the following:
      • the rights "Account: Creation/Modification", "Account: Deletion", "Account: Manage parameters", "User role: Creation/Modification", "User role: Deletion".
      • the right "Application: Manage all applications".
  • Or be an administrator allowed to manage the application(s), with full control on them.

    NOTE: For more information on:

Procedure

  1. In the tree structure of the Directory panel, select the user you want.
  2. Click the Accounts tab.
    • The Accounts tab appears.
  3. Select the account you want to manage and perform the operation you want using the available buttons, as explained in the following Accounts tab description section.

Accounts tab description

  • Show unregistered account check box
    • Check box selected: the tab displays all the accounts that are not yet registered.
    • Check box cleared: the tab displays only the registered accounts.
  • Export button

    Exports the user accounts list in a CSV file.

  • Lock/Unlock button

    Locks/unlocks the account. If the account is locked, the user can no longer connect to the application.

  • Properties button

    Displays the account properties window, which allows you to manage the SSO data and delegation properties of the selected account.

    • SSO Data tab

      • Login field
        Account login name.
      • Password field
        Account password. You can manually type it or automatically generate it by clicking the Generate button.
      • Password must change at next logon check box
        If this check box is selected, the user is prompted to change the password the first time he/she logs on to this application with this account.
      • Clear password history check box
        If this check box is selected, all previous passwords are deleted from the history, which means that the user can reuse previous passwords.
      • Parameters area
        Displays any additional parameters set for the account and allows you to change them.
    • Delegation tab

      This tab displays the list of users to whom the user has delegated his/her account using Enterprise SSO.

    • Ownership tab

      This tab enables you to select the users allowed to manage the account. Click one of the following buttons:

      • Set Owner: a specific user or group of users can manage the account.

      • No owner: only EAM Console administrators can manage the account.

      IMPORTANT: Access to the account is controlled by an ACL; directory super administrators can therefore always access the account.
  • New button

    Displays the personal account creation window, which allows you to create another user account for the same application.

  • Delete button

    Removes the selected account.

  • Clear all accounts button

    Deletes all the accounts of the selected user.

Managing the User Self Enrollment

Subject

You must configure EAM Console so that users can self-enroll.

Description

Through the EAM portal, external users can self-enroll, which enables them to authenticate to their Windows session.

Self-enrollment creates a primary account in the corporate directory, in a dedicated OU selected according to the domain of the user's email address.

Assigning Administration Rights

You must assign rights to the following elements:

  • Administration rights to the technical account of the E-SSO Controller, sufficient to create users in the directory, such as "create, delete, and manage user accounts" (for more information, refer to the One Identity EAM Installation Guide).
  • The User administrator administration profile to the SSPR administrator (for more information, see Delegating Administration Roles).
  • For AD LDS: rights allowing the SSPR administrator to manage the user accounts in the welcome nodes of self-enrolling users, granted by creating an account delegation on the welcome node (for more information, refer to the Microsoft documentation: https://technet.microsoft.com/en-us/library/cc731868%28v=ws.10%29.aspx).

Configuring the Dedicated Organizational Units

Subject

Users who self-enroll are identified by the domain of their email address and are created in a dedicated OU in the directory.

Before starting

The dedicated OU must already exist in the directory. You can create one general OU for all self-enrolling users or one OU for each email domain.

Procedure

In EAM Console, you must create the following elements, which will be dedicated to these users and applied to the dedicated OU:

You can also apply a dedicated PFCP (see Creating/Modifying Password Format Control Policies).
