
Enterprise Single Sign-On 9.0.2 - One Identity Enterprise Access Management Console Administration Guide


Configuring Self Enrollment

Before starting

To configure the user self enrollment, you must be a super administrator.

Procedure

  1. In the File menu, click Configuration.
    • The Configuration window appears.
  2. Click on the User Self Enrollment tab.
  3. Select the Users can enroll themselves through the Web Portal check box.
  4. Fill in the tab using the instructions given in section "User Self Enrollment" tab - Description hereunder.
  5. Click OK.
    • The user self enrollment is configured.


"User Self Enrollment" tab - Description

  • User Enrollment Domains area
    1. Click Add to assign an email domain to a dedicated OU.
    2. Enter the email domain (example: @oneidentity.com, the @ is optional).
    3. Select the dedicated OU that you previously created.

    In the self enrollment form of the EAM portal, the users can fill in the following fields (attributes):

    Field name                | Active Directory Name | OpenLDAP Name
    --------------------------|-----------------------|--------------
    First name                | givenName             | givenName
    Last name                 | sn                    | surname
    Common name               | cn                    | cn
    Login name (mandatory)    | sAMAccountName        | uid
    Email address (mandatory) | mail                  | mail
    Cell phone                | mobile                | mobile

    If the users do not fill in the Common name field, the cn of the user account object is automatically built as follows:

    • cn = First name + Space character + Last name
    • cn = the part of the email address left of the @, with each "." replaced by the Space character

    For Active Directory, the user's UPN (User Principal Name) is defined as follows: UPN = sAMAccountName + @ + directory domain. Uniqueness rules apply to the user's attributes:

    • The cn must be unique within the OU.
    • The sAMAccountName and the UPN must be unique within the directory.
  • Confirmation Code area
    • Code length: number of characters of the OTP sent to the user.
      Default value: 8 characters.
    • Validity duration: validity duration in minutes of the sent OTP. After that time, the OTP is no longer valid and the user has to request a new OTP.
      Default value: 5 minutes.
  • Email button
    • Email address LDAP attribute: the definition of the LDAP attribute used for the email.
    • SMTP Server: SMTP server name to send emails.
    • Port: the port number if the server does not use port 25 (default port).
    • Secure connection using: type of connection to the server: TLS or SSL.
    • Authenticate to SMTP Server as: name and password of the user to enter to connect to the email server, if necessary.
    • Sender's (and reply to) address: email address of the sender (optional).
    • Language: language of the email model sent. The default language model is English. If a model language is not translated, you can select a model and translate the content.
    • Sender's display name: the sender name.
    • Subject: the subject of the message.
    • Body: the content of the email in plain text. The same content will be used for all users. You can use the following variables, which will be automatically replaced with their values upon the email generation:
      • %USER% => user display name.
      • %CONFIRMATIONCODE% => OTP sent to the user.
      • %DOMAIN% => domain in which the user must authenticate.

  • SMS check box and button
    • Mobile phone number LDAP attribute: the definition of the LDAP attribute used for the phone number.
    • Service URL: HTTP server for sending the SMS.
    • Proxy Server: the HTTP proxy (optional).
    • Submitted web form data: SMS configuration parameters to provide to the SMS sending server.
    • Keyword for localized message: this keyword must be placed in the Submitted web form data field; it is replaced by the whole text of the Message field.
    • Language: language of the message model sent. The default language model is English. If a model language is not translated, you can select a model and translate the content.
    • Message: the content of the SMS. The same content will be used for all users. You can use the following variables, which will be automatically replaced with their values upon the SMS generation:
      • %USER% => user display name.
      • %CONFIRMATIONCODE% => OTP sent to the user.
      • %PHONENUMBER% => user phone number.
      • %DOMAIN% => domain in which the user must authenticate.

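The cn fallback, UPN construction and uniqueness rules of the User Enrollment Domains area, as an added example (not One Identity's code). The directory domain, the sample directory content and the order of the cn fallbacks (name parts first, then the email address) are assumptions.

```python
# Added example, not One Identity's code: derive the attributes that the
# self-enrollment form produces and apply the uniqueness rules above.
# The directory domain and the directory contents below are constructed.

DIRECTORY_DOMAIN = "example.com"   # placeholder for the real directory domain

def build_cn(first_name, last_name, common_name, email):
    """cn = the submitted Common name; else First name + Space + Last name;
    else (assumption: when a name part is missing) the part of the email
    address left of '@' with each '.' replaced by a space."""
    if common_name and common_name.strip():
        return common_name.strip()
    if first_name and last_name:
        return f"{first_name} {last_name}"
    return email.split("@", 1)[0].replace(".", " ")

def build_upn(sam_account_name, directory_domain=DIRECTORY_DOMAIN):
    """Active Directory: UPN = sAMAccountName + '@' + directory domain."""
    return f"{sam_account_name}@{directory_domain}"

def uniqueness_problems(cn, ou, sam, upn, directory):
    """Check the three rules: cn unique in the OU, sAMAccountName and UPN
    unique in the directory. AD matches these values case-insensitively.
    Returns a list of violations; an empty list means the account can be created."""
    problems = []
    for entry in directory:
        if entry["ou"] == ou and entry["cn"].lower() == cn.lower():
            problems.append(f"cn '{cn}' already exists in {ou}")
        if entry["sAMAccountName"].lower() == sam.lower():
            problems.append(f"sAMAccountName '{sam}' already exists in the directory")
        if entry["userPrincipalName"].lower() == upn.lower():
            problems.append(f"UPN '{upn}' already exists in the directory")
    return problems

# Constructed directory content: one existing self-enrolled user.
SAMPLE_DIRECTORY = [
    {"cn": "Jane Doe", "ou": "OU=SelfEnrolled,DC=example,DC=com",
     "sAMAccountName": "jdoe", "userPrincipalName": "jdoe@example.com"},
]

def enroll(form, ou, directory=SAMPLE_DIRECTORY):
    """form: the web-form fields (login and email are mandatory); ou: the
    dedicated OU assigned to the user's email domain."""
    cn = build_cn(form.get("first_name"), form.get("last_name"),
                  form.get("common_name"), form["email"])
    upn = build_upn(form["login"])
    return {"cn": cn, "sAMAccountName": form["login"], "userPrincipalName": upn,
            "problems": uniqueness_problems(cn, ou, form["login"], upn, directory)}
```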
Sending SSO account passwords to users

Subject

You can allow users to quickly access their SSO accounts in case of emergency access by sending them their passwords by email. The passwords are never displayed to the administrators.

Restrictions
  • Delegated accounts data cannot be sent by email.
  • Emails are sent one after the other. If you need to send emails to several users, it is possible to use a function available in the API and in the web service.
  • You cannot select which passwords to send to a user: all his/her passwords are sent at one time.
Before starting
  • To perform this task, you must have the Emergency plan: Send SSO data by mail to users administration role.
  • If you start the console using the smart card authentication method, the Recuperator role must be set on the token.

NOTE:

  • To send emails to users, you need a valid email address. This address must be an LDAP attribute of the user and must be filled in. If you want to provision or manage the email attribute, use One Identity Request Manager (see Request Manager Administrator’s Guide).
  • Passwords sent to users have two requirements:

Procedure

  1. In the tree structure of the Directory panel, right-click the wanted user and select Send SSO Data by mail.
    • The Send SSO data by mail window appears.

      IMPORTANT: Shared accounts data cannot be sent to a single user. You must select the group of which the user is a member and send the data to all the members of the group or to a subset of this group.

  2. Select the application for which you want to send the SSO data and click OK.
    • A confirmation window appears to confirm that the email containing the passwords has been sent to the user.


Sending primary password expiration notification emails to users

Subject

You can configure notification e-mails to send to users whose primary password is going to expire, has already expired or has been modified.

Description

You can set the delay and frequency for sending emails, as well as e-mail templates based on the domain to which the user belongs (taken from the e-mail address) and on the urgency delay.

For example, you can create a template for a user from domain A whose password expires in 15 days, sent every 3 days, and another template for a user from domain B whose password expires in 5 days, sent daily.

Before starting
  • To configure the email content, you must be a super administrator.
  • To activate the e-mail notification feature, you must set the following registry value on the controller managing these notifications:
    HKLM\SOFTWARE\Enatel\WiseGuard\FrameWork\FmkServer\NotifyPwdExpiry (REG_DWORD) = 0x01

    IMPORTANT: Only one controller must have this key, otherwise users will receive as many notifications as there are controllers.

Procedure

  1. In the File menu, click Configuration.
    • The Configuration window appears.
  2. Click on the User Notifications tab.
  3. Fill in the tab using the instructions given in section "User Notifications" tab - Description hereunder.
  4. Click OK.
    • The sending of notifications by email is configured.

"User Notifications" tab - Description

Notify users when their primary password is about to expire area

Select this check box to activate the email notification for expiring passwords.

  • Expiration warning delay: x days: number of days before the password expires at which the email is sent.
  • Send notification every x days: frequency for sending the email.
  • Press 'Email' to configure default notification message: click the Email button to configure the sending and content of the email.

    IMPORTANT: The configuration of the notification emails is the same for expiring, expired and modified passwords as well as for advanced notifications.

    • Template name: email template name.
    • User's email address LDAP attribute: the definition of the LDAP attribute used for the email.
    • SMTP Server: SMTP server name to send emails.
    • Port: the port number if the server does not use port 25 (default port).
    • Secure connection using: type of connection to the server: TLS or SSL.
    • Authenticate to SMTP Server as: name and password of the user to enter to connect to the email server, if necessary.
    • Sender's (and reply to) address: email address of the sender (optional).
    • Language: language of the email to send.
    • Sender's display name: the sender name.
    • Subject: the subject of the email.
    • Body: the content of the email in plain text. Click the Load file button to import a pre-defined text (HTML or TXT). You can use the following variables, which will be automatically replaced with their values upon the email generation:
      • %USER% => user display name.
      • %DAYS% => number of days left.
      • %DOMAIN% => user domain.

  • Advanced per-domain notifications: lets you create advanced notification templates based on the user domain and the password's expiration delay. Click Add to create one.

    • Select email template: lets you select an email template. Click + or Edit to create or edit a template.

      NOTE: The template configuration is the same as for the default notification message described above.
    • Send email if password expires in less than x days: number of days before expiry below which the email is sent.
    • for email domain: the email is sent only to the addresses of the specified domain. Example: oneidentity.com.
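The selection between the default template and the advanced per-domain templates, together with the warning delay and sending frequency, as an added example (not One Identity's code). The rules, the domain names and the assumption that the repeat cadence is counted from the first warning day are constructed for this example.

```python
from datetime import date

# Added example, not One Identity's code: pick the notification template for
# a user from the default rule and the advanced per-domain rules, decide
# whether an email is due today, and fill in the Body variables.

DEFAULT_RULE = {"warn_days": 15, "every_days": 3, "template": "default"}

# Advanced per-domain notifications mirroring the page's example: domain A is
# warned 15 days ahead every 3 days, domain B 5 days ahead daily (constructed).
ADVANCED_RULES = [
    {"domain": "domain-a.example", "warn_days": 15, "every_days": 3, "template": "domain-a"},
    {"domain": "domain-b.example", "warn_days": 5, "every_days": 1, "template": "domain-b"},
]

def _as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)

def select_rule(email, rules=ADVANCED_RULES, default=DEFAULT_RULE):
    """An advanced rule applies only to addresses of its email domain
    (matched case-insensitively); everything else gets the default rule."""
    domain = email.rsplit("@", 1)[-1].lower()
    for rule in rules:
        if rule["domain"].lower() == domain:
            return rule
    return default

def notification_due(email, expires_on, today, rules=ADVANCED_RULES, default=DEFAULT_RULE):
    """Return (template, days_left) if an email is due today, else None.
    Sending starts warn_days before expiry and repeats every every_days days
    (assumption: the cadence is counted from the first warning day).
    Expired passwords are handled by the separate 'already expired' area."""
    rule = select_rule(email, rules, default)
    days_left = (_as_date(expires_on) - _as_date(today)).days
    if days_left < 0 or days_left > rule["warn_days"]:
        return None
    if (rule["warn_days"] - days_left) % rule["every_days"] != 0:
        return None
    return rule["template"], days_left

def render_body(template_body, user, days_left, domain):
    """Replace the %USER%, %DAYS% and %DOMAIN% variables of the Body field."""
    return (template_body.replace("%USER%", user)
                         .replace("%DAYS%", str(days_left))
                         .replace("%DOMAIN%", domain))
```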

Notify users when their primary password already expired area

Select this check box to activate the email notification for expired passwords.

  • Expired password default template: click the Email button to configure the sending and content of the email.

    NOTE: The template configuration is the same as for the default notification message described above.
  • Advanced per-domain notifications: lets you create advanced notification templates based on the user domain. Click Add to create one.

    NOTE: The advanced configuration is the same as for the advanced per-domain notifications described above.

Password Change - Notify users when their primary password has been changed area

Select this check box to activate the email notification for modified passwords.

Press 'Email' to configure notification message: click the Email button to configure the sending and content of the email.

NOTE: The template configuration is the same as for the default notification message described above.

Defining additional security parameters for groups of users

Subject

You can define additional security policy parameters on groups of users. These parameters are added to the security profiles associated with the members of the group.

The Policies tab (only available from a group of users object) is dedicated to users of clusters of access points and allows you to authorize members of the group to delegate their Windows session to another member of the group.

For more information on session delegation for users of clusters, see Section Session Delegation Tab.

For more details on the conditions under which a user can delegate a session, see Authentication Manager Cluster Administrator’s Guide.

Before starting
  • This section only applies to groups of users who use clusters of access points.
  • To perform the task described in this section, you must have at least the following administration role:
    • In classic administration mode: "Security object administrator".
    • In advanced administration mode, your role must contain the following administration right: "Group policy: Modification".

      NOTE: For more information on administration roles, see Section Managing administrators.

Procedure

  1. In the tree structure of the Directory panel, select the wanted group of users.
  2. Click the Policies tab.
    • The tab appears.

  3. Select the Define additional Security Policies for members of this group check box.
  4. In the Windows Session Delegation Policy area, select the check box corresponding to the type of delegation you want to authorize to members of the group:
    • Allow permanent delegation: when a user delegates his/her session, the session is delegated until he/she ends the delegation authorization through the cluster management wizard.
    • Allow temporary delegation: when a user delegates his/her session, the session is delegated until he/she re-authenticates.
  5. Click Apply.