
Enterprise Single Sign-On 9.0.2 - One Identity Enterprise Access Management Console Administration Guide


Assigning an access point security profile

Subject

The assignment of an access point security profile to an access point is an important step in the management of Access Point objects. Among other things, this security profile defines:

  • The authentication methods enabled for the workstations associated with the access point security profile;
  • The software modules (Enterprise SSO, Authentication Manager...) enabled for these workstations.

NOTE: An access point security profile must be applied on TSE type access points to indicate that on these workstations, Enterprise SSO must not display the splash screen nor the Enterprise SSO management icon in the notification bar.
Before starting
  • To perform the task described in this section, you must have at least the following administration role:
    • In classic administration mode: "Security object administrator".
    • In advanced administration mode, your role must contain the following administration right: "Access point security profile: Assignment".
  • The access point security profile that you want to assign must be created first as described in Section Managing Access Point Security Profiles.
Restriction

If you are working in "no access point management" mode, the access point security profiles cannot be applied to the access points.

Procedure

  1. In the tree structure of the Directory panel, select the wanted access point.
  2. Click the Configuration tab.

    • A predefined access point profile is automatically assigned. To simplify the following explanations, we will call it "default access point profile".

      NOTE: You can set the "default access point profile". For more information on this key, see Defining Security Profiles Default Values.
  3. To select a different access point profile, click the  button.
  4. In the displayed window, select the wanted access point profile, either by browsing the tree structure, or by using a search filter.
  5. Click Apply.

    NOTE: Click the  button to display and optionally modify the selected access point profile.
Hint

To quickly reassign the "default access point profile", complete the access point profile selection window as follows:

  1. In the Search tab, type "..." in the Filter field.
  2. Click OK.

Managing EAM controller services

Subject

If an EAM Controller is installed on the selected access point, you can manage the list of services that this controller should provide: when a workstation needs to connect to an EAM Controller, the EAM Security Services connect to an EAM Controller that explicitly provides the required service.

NOTE: For more information on the EAM controllers, see Section EAM Controllers.

Procedure

  1. In the tree structure of the Directory panel, select the access point you want to configure.
  2. Click the Configuration tab.

    • The Available Security services area displays the port number used by the EAM Controller (for information) and the list of available services.
  3. Select the check boxes corresponding to the services you want to be provided by the EAM Controller installed on this computer. Changing the list of available services has no impact on the controller itself.
    • A dialog box appears to confirm that the modifications have been taken into account. If you click on:
      • Yes: the modifications are immediately taken into account by the workstations.
      • No: the modifications are taken into account by workstations at cache refresh time.

        IMPORTANT: If Web Service and Cloud are selected, check that the corresponding certificates are available on the controller. For more information on the certificates to install, see the One Identity EAM Installation Guide.

Assigning a generic account to an access point

Subject

You can create a generic account and assign it to an access point so that several users can use it on this access point.

Before starting
  • To perform the task described in this section, you must have at least the following administration role: Access point Windows generic account: Creation/Modification/Deletion.
  • The generic account must not be modified when it is being used.

Procedure

  1. In the tree structure of the Directory panel, select the access point you want to configure.
  2. Click the Configuration tab.

    • The Windows generic account area displays the name of the generic account as well as the associated password.
  3. Enter the Domain name or the access point name as well as the login such as: Domain\Login.
  4. Enter the password and confirm it.
  5. If needed, select the following check boxes:
    • User can open other Windows account sessions: during session opening, the generic account as well as the other accounts are displayed on the access point.
    • Generic account session is never automatically closed: the generic account session is not impacted by the Max concurrent Windows sessions option of the access point security profile (see Authentication Manager Tab).
  6. Click Apply.
    • Changes are taken into account by workstations at cache refresh time.

Assigning/forbidding users to an access point

Subject

To configure single sign-on authentication for a user, you must set the following links:

  • Authorize the user on an access point.
  • Authorize an application to run on a given access point.
  • Authorize the user to access the application.

This section describes how to authorize a user to log on to an access point, from the Access Point object. This access is controlled by Authentication Manager or by the GINA of the client workstation. If a non-authorized user tries to log on to a workstation, the following message appears on the screen: "You are not authorized to log on to this access point".

NOTE: It is also possible to grant permission to a user to log on to an access point using the User object, as described in Section Assigning/forbidding access points to a user.
Before starting
  • To perform the task described in this section, you must have at least the following administration role:
    • In classic administration mode: "Security object administrator" or "Access administrator".
    • In advanced administration mode, your role must contain the following administration rights: "Authorization for user on access point: Creation/Modification" and "Authorization for user on access point: Deletion".
  • If the Allow on all access points option of the user security profile is selected (refer to Section Authentication Tab), then the ban on the access point for a user will not be effective for this user.
  • If you are working in "no-access-point-management" mode, it is not possible to configure the user access to individual access points or to objects representing a set of access points (groups, organizations and so on); the Authorized Users tab is not available.
    A user is authorized to connect to an access point of his/her domain only if his/her security profile indicates Allow on all access points (see Section Authentication Tab).

Procedure

  1. In the tree structure of the Directory panel, select the wanted access point.
  2. Click the Authorized Users tab.
  3. If the Allow on all Access Points parameter of the user security profile associated with this user is selected (for more details, see Section Authentication Tab), you can leave this tab blank to authorize all the access points of the directory domain for the selected users.
    If you want to define the authorized/forbidden users, follow this procedure:
    • Allow/Forbid
      If you have added a group of users and you want to forbid one or more users in this group, use the Allow and Forbid buttons.
    • Modules
      To prevent the user from accessing some of the software modules installed on the access point (Authentication Manager, EAM Console, Enterprise SSO or SSO Studio), use the Modules button.

NOTE: The EAM Controller uses the following algorithm to allow or forbid access points to users:
  1. Checks whether the user is authorized or denied.
  2. Checks whether a user primary group is authorized or denied.
  3. Checks whether a user group is authorized or denied.
  4. Checks whether a parent organizational unit grants or denies access.
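The following Python model is an added illustration of the four-step precedence order listed in the note; it is not One Identity code and does not reproduce the EAM Controller's implementation. It assumes, beyond what the note states, that the first matching entry in the stated order decides the outcome, that within a set of group memberships a deny beats an allow, that parent organizational units are consulted nearest-first, that a user with no matching entry is refused, and (from the "Before starting" list above) that the "Allow on all access points" setting of the user security profile makes any ban on the access point ineffective. All user, group, OU and access point names are constructed for the example.

```python
# Added worked example (not One Identity code): a small model of the precedence
# order the EAM Controller note gives for allowing/forbidding users on an
# access point. Assumptions not stated on the page: the first matching level
# in the stated order decides; within one level, a deny beats an allow; parent
# OUs are checked nearest-first; with no matching entry the user is refused;
# "Allow on all access points" in the user security profile overrides any ban.
from dataclasses import dataclass, field
from typing import Optional

ALLOW = "allow"
DENY = "deny"


@dataclass
class User:
    name: str
    primary_group: str
    groups: list            # other group memberships (constructed names)
    ou_path: list           # parent OUs, nearest first (constructed names)
    allow_on_all_access_points: bool = False


@dataclass
class AccessPoint:
    name: str
    # Entries as set on the Authorized Users tab: principal -> ALLOW or DENY
    entries: dict = field(default_factory=dict)


def _decide_level(principals: list, entries: dict) -> Optional[str]:
    """Look up several principals of one level; a deny wins over an allow."""
    verdicts = [entries[p] for p in principals if p in entries]
    if not verdicts:
        return None
    return DENY if DENY in verdicts else ALLOW


def resolve(user: User, ap: AccessPoint) -> tuple:
    """Return (decision, reason) for `user` trying to log on to `ap`."""
    # Profile-level override: a ban on the access point is not effective.
    if user.allow_on_all_access_points:
        return ALLOW, "user security profile: Allow on all access points"

    # Steps 1 to 3 of the note: the user, the primary group, the other groups.
    for label, principals in (
        ("user", [user.name]),
        ("primary group", [user.primary_group]),
        ("group", user.groups),
    ):
        verdict = _decide_level(principals, ap.entries)
        if verdict is not None:
            matched = [p for p in principals if p in ap.entries]
            return verdict, f"{label}: {', '.join(matched)}"

    # Step 4: parent organizational units, nearest first (assumption).
    for ou in user.ou_path:
        if ou in ap.entries:
            return ap.entries[ou], f"parent OU: {ou}"

    return DENY, "no matching entry (refused by default)"


# Constructed sample: one access point with explicit entries, several users.
AP = AccessPoint("WS-HELPDESK-01", {
    "alice": DENY,
    "Helpdesk": ALLOW,
    "Contractors": DENY,
    "OU=IT": ALLOW,
})

USERS = [
    # denied as a user, even though her primary group is allowed
    User("alice", "Helpdesk", [], ["OU=Helpdesk", "OU=IT"]),
    # allowed through the primary group
    User("bob", "Helpdesk", [], ["OU=Helpdesk", "OU=IT"]),
    # member of an allowed and a denied group: deny wins at that level
    User("carol", "Domain Users", ["Contractors", "Helpdesk"], ["OU=IT"]),
    # no user or group entry; allowed through the parent OU
    User("dave", "Domain Users", [], ["OU=Finance", "OU=IT"]),
    # banned through a group, but "Allow on all access points" is set
    User("eve", "Domain Users", ["Contractors"], ["OU=IT"],
         allow_on_all_access_points=True),
    # nothing matches: refused
    User("frank", "Domain Users", [], ["OU=Sales"]),
]


def evaluate_all() -> dict:
    """Decision per sample user, for checking the precedence behaviour."""
    return {u.name: resolve(u, AP)[0] for u in USERS}


if __name__ == "__main__":
    for u in USERS:
        decision, reason = resolve(u, AP)
        print(f"{u.name:6} -> {decision:5} ({reason})")
```

Running the script prints one line per sample user with the level that decided the outcome, which is the information an administrator wants when a user reports the "You are not authorized to log on to this access point" message: whether the refusal came from an explicit user entry, a group, or an organizational unit further up the tree.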
