Chat now with support
Chat with Support

Enterprise Single Sign-On 9.0.2 - One Identity Enterprise Access Management Console Administration Guide

Preface Overview Authenticating to EAM Console and Managing Protection Modes Searching the Directory Tree Managing administrators Managing Security Profiles
Managing time slices Managing Password Format Control Policies Managing User Security Profiles Managing Access Point Security Profiles Managing Application Security Profiles Defining Security Profiles Default Values Managing User and Access Point Security Profiles Priorities
Managing directory objects
Managing applications Managing users Managing access points Managing representative objects Managing clusters of access points Selecting a domain controller
Importing/Exporting security profiles and directory objects Managing smart cards Managing SA server devices Managing RFID tokens Managing biometrics Managing Mobile Devices Enabling the public key authentication method Managing Emergency Accesses Managing audit events Managing reports Customizing configuration files Creating scripts Basic syntax of regular expressions Listing audit events and error codes Correspondence between profiles and administration rights Report Models and Parameters List Custom Group Files Format

Managing user smart cards

Managing user smart cards

You can manage user's smart cards from the Directory panel, using the Smart Cards tab. It is also possible to use the Smart Cards panel. For practical reasons, the administration tasks related to smart cards are the subject of a separate section. Thus, for more information on the smart cards management, see Section Managing smart cards.

IMPORTANT: The Smart Card tab only appears if you have the "Smart card administrator" role.

Managing user Mobile Devices


The Mobile Devices tab, directly linked to QRentry: the application for mobile devices, enables you to:

  • Restrict the set of mobile devices for a particular user with the unique identifier of the mobile device.
  • Force the verification of the unique identifier of a non-enrolled mobile device.

If a mobile device has been enrolled by a user, then it appears under this user. You can check the following information:

  • The mobile devices enrolled for emergency access and for the local administration access (optional).
  • The mobile devices not enrolled yet.
  • The properties of each mobile device (name, unique identifier...).

For a complete description of QRentry, please refer to QRentry User’s Guide.

Description of the Information tabbed panel of a Mobile Device

NOTE: To display the following tabbed panel, in the tree structure of the Directory panel, select the wanted user by clicking and select a mobile device.




Displays the following information:

  • Name: name configured during the enrollment of the mobile device.
  • Operating System: OS of the mobile device (iOS, Android).
  • State: enable or disable the mobile device by clicking the Enable/Disable button.
  • Enrolled on: date and time of the mobile device enrollment. Otherwise, Not enrolled appears.
  • Last configuration update: date and time of the last update of the mobile device configuration (for example, update of E-SSO applications).
  • Unique Identifier: unique number of the mobile device.
  • Personal Key ID: private key ID. This ID is also available from the QRentry application installed on the mobile device.
  • Audit ID: identification number of the mobile device displayed in the reports.

Administration Keys

This area displays the following information:

  • The list of the Access Point security profiles that contain the computers for which the selected mobile device can be used to log on as local administrator (Access Point security profile column).

    NOTE: several Access Point security profiles can be listed if they use the same Active Directory user group (for more details, see Local Administrators Tab).
  • For each Access Point security profile, if the mobiledevice is enrolled or not for local administration access(Status column), such as:

    Mobile device enrolled.

    Mobile device enrolled with local administration access.

    Mobile device not enrolled yet.

  • The local administration roles associated with each security profile (Local admin role column).

Displaying and deleting user biometrics data


The Biometrics tab displays information about the user biometric data enrollment, and allows you to remove enrollment biometric data from the controller.

Before starting

To configure the parameters described in this section, you must work in advanced administration mode, and your role must contain one of the following administration right:

  • Bio: Display user biometric details (self-explanatory).
  • Bio: Is enable to allow biometrics pattern enrollment. This right allows you to display and remove from the controller enrolled fingerprints, and allows users to enroll their fingerprints (see Biometrics Tab).

NOTE: For more information on administration roles, see Section Managing administrators.


  1. In the tree structure of the Directory panel, select the wanted user.
  2. Click the Biometrics tab
    • The tab appears and displays user’s biometric data, as described in the following Section Window description.
Window description

  • Provider field

    Name of the biometric reader provider that you want to be used.

  • Clear all Patterns button

    Removes enrolled biometric data from the controller.

NOTE: You must have the right Bio: Is enable to allow biometrics pattern enrolment to use this button.
  • Enrolled patterns

    Displays the enrollment pattern quality for each finger.

  • Last enrolment field

    Date and time of the last user enrollment.

  • Enrolment approved by field

    Name of the user or administrator who has authenticated at enrollment time to validate the user enrolment.

Assigning applications to a user

Assigning applications to a user


To configure the SSO for a user, you must set the following links:

  • Authorize the user on an access point.
  • Authorize an application to run on a given access point.
  • Authorize the user to access the application.

This section describes how to authorize a user to run an application from the User object.

Before starting

To perform the task described in this section, you must have at least the following administration role:

  • In classic administration mode: "Security object administrator" or "Access administrator".
  • In advanced administration mode, your role must contain the following administration rights: "Authorization to use application: Creation/Modification", "Authorization to use application: Deletion".


  1. In the tree structure of the Directory panel, select the wanted user.
  2. Click the Application Access tab.
    • The tab appears.

  1. Fill in the panel as follows:
  • Select the Show inherited access check box to display all the applications inherited from the parent groups and the parent organizational units.
  • Click Add to select applications to assign to the selected user, then fill in the Access properties area and click Apply.
  • The application is now displayed in the access list.

NOTE: For more information on the Access properties area, see the subsection below.
You can click at any time the Edit and Remove buttons to modify or delete entries in the list.
Access properties area




Application name

Account Type

Shared, Primary, Standard or Defined on the application.

For more information, refer to the sub-section hereunder.

Application Profile.

Application profile selected for the application.


Default role proposed to the user.


Specifies how the user was granted access to the application.

Example: if the user belongs to a group that has access to the application, then the user can also access it.

Access properties area

The Access properties area allows you to define how the user has access to the application using the following parameters:

  • Account Type: this drop-down list offers the following options:
    • Shared: the account is shared between several users who belong to the same group of users.
    • Primary: the primary account represents an account allowing the use of the user's connection data to produce SSO information. This account is only available if the user password is authenticated.
    • Standard: the standard account is an account type that is automatically associated with the application when it is defined for the user.
    • Specified on the Application: account type defined in the account base of the application (primary account or standard account).
  • Format: if you have selected the primary account type, select in this drop-down list the format of the Windows user name (user name preceded by NETBIOS domain or including Windows domain for example).
  • Application profile: if you have defined several application security profiles at application level, you can specify the profile you want to use for a particular access.

    NOTE: To enable the Mobile E-SSO feature, you must select an Application profile that allows external accesses. For more information, see Mobile E-SSO Installation and Configuration Guide.
  • Role: the Manage button enables you to define a role that will be suggested by default to the user when he creates his first account in Enterprise SSO.
  • This access is for computers: the selected application can be used on workstations.
  • This access if for mobile devices: the selected application can be used by QRentry on mobile devices.


    • If you want to manage SSO of an application on workstations and mobile devices separately, you must create two applications that share the same account base.

    • For more information, see QRentry User’s Guide.

  • Users can create additional accounts: select this check box to authorize the user to create as many accounts as he/she wants.
Related Documents