Enterprise Single Sign-On 9.0.2 - One Identity Enterprise Access Management Console Administration Guide


Assigning/forbidding applications to an access point

Subject

To configure SSO for a user, you must set the following links:

  • Authorize the user on an access point.
  • Authorize an application to run on a given access point.
  • Authorize the user to access the application.

This section describes how to authorize the execution of an application on an access point.

Before starting
  • The software corresponding to the application object must be installed on the access point.

IMPORTANT: The EAM Controller uses the following algorithm to assign or forbid applications to access points:

  • Checks the authorization of the application on the access point.
  • Checks the authorization or the prohibition of the application on a primary group of access points.
  • Checks the authorization or the prohibition of the application on the group of access points.
  • Checks the authorization or the prohibition of the access by the parent organizational unit of the access point.

  • To perform the task described in this section, you must have at least the following administration role:
    • In classic administration mode: "Security object administrator" or "Access administrator".
    • In advanced administration mode, your role must contain the following administration rights: "Authorization for application on access point: Creation/Modification" and "Authorization for application on access point: Deletion".
  • If you are working in "no-access-point-management" mode, it is not possible to make applications available on individual access points or on objects representing a set of access points (groups, organizations and so on) other than "outbound representatives". The Available Applications tab is not displayed.

Procedure

  1. In the tree structure of the Directory panel, select the wanted access point.
  2. Click the Available Applications tab.
  3. Click the Add/Remove buttons to select the applications that you want to make accessible to the selected access point.
  4. To refine the list of available applications, use the following buttons:
    • Allow/Forbid
      If you have added a group of applications and you want to forbid one or more applications in this group, use the Allow and Forbid buttons.
    • Propagation method
      If you want to configure a specific application, and that application uses the SSO propagation method, you must indicate a technical reference. By default, the technical reference specified on the application is used, as described in Section Defining the Single Sign-On properties of an application (SSO).


Adding or removing an access point from a group

Subject

The console allows you to add or remove users and access points from groups directly through the interface, without using a third-party group management console.

You can perform this task in two ways:

  • From an access point, as detailed in Procedure#1 below.
  • From a group of users, as detailed in Procedure#2 below.

IMPORTANT: You must use this feature only with groups carrying Enterprise SSO data.

Before starting
  • You have delegated the task Modify the membership of a group to the Organization for which you want to manage group memberships. For more details, see One Identity EAM Installation Guide.
  • You have the right Group: Add/Remove member in your administration profile (the management of administration profiles is described in Section Managing Administration Profiles).

Procedure#1

  1. In the tree structure of the Directory panel, select the wanted access point.
    • The Information tab appears.
  2. Use the Add and Remove buttons to add or remove the access point to/from a group.

Procedure#2

  1. In the tree structure of the Directory panel, select the wanted group of users.
    • The Information tab appears.
  2. Use the Add and Remove buttons to add or remove access points to/from the selected group.

Analyzing Errors of a Remote Access Point

Subject

The Actions tab enables you to check the status of an access point (whether it can be reached or not) and to perform a number of actions, such as adjusting its parameters and collecting its cache and trace files.

Description
  • The Cache Files area enables you to manage the user cache of the remote access point: see Managing the Cache.
  • The Trace Files area enables you to manage the traces of the remote access point: see Managing Traces.
  • The Security Services area enables you to manage the connection of the remote access point to the controller and the directory: see Managing Security Services.
  • The Authentication Manager area enables you to deactivate the display of the Authentication Manager tiles before session opening.

NOTE: This area appears only if Authentication Manager is installed on the remote access point.

Restrictions
  • The Actions tab only appears if you have the following advanced administration role: "Access point: Help desk".
  • Port 3644 of the remote station must be open.
  • To activate the Reboot computer option (Upon actions area), you must set the following registry value to a non-null value: HKLM\SOFTWARE\Enatel\WiseGuard\Console\AllowRemoteReboot (REG_DWORD).

NOTE: For more information on administration roles, see Section Managing administrators.
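The two technical restrictions above (port 3644 reachable, AllowRemoteReboot set) can be checked from the console machine before opening the Actions tab. The following PowerShell function is an added example, not part of the One Identity guide; the host name ACCESSPOINT01 is a placeholder, and it assumes the console runs on Windows 8/Server 2012 or later, where Test-NetConnection is available.

```powershell
function Test-EamActionsTabPrerequisites {
    # Added example (not from the One Identity guide). Returns an object with
    # the result of both checks so it can be reused in a larger health script.
    param(
        # Placeholder host name of the remote access point; replace it.
        [string]$RemoteStation = 'ACCESSPOINT01'
    )

    $EamPort = 3644                                           # port named in the Restrictions list
    $RegPath = 'HKLM:\SOFTWARE\Enatel\WiseGuard\Console'      # key named in the Restrictions list
    $RegName = 'AllowRemoteReboot'                            # REG_DWORD, must be non-null

    # 1. Is TCP port 3644 reachable on the remote station?
    $tcp = Test-NetConnection -ComputerName $RemoteStation -Port $EamPort -WarningAction SilentlyContinue
    $portOpen = [bool]$tcp.TcpTestSucceeded
    if (-not $portOpen) {
        Write-Warning "Port $EamPort on $RemoteStation is not reachable; the Actions tab will report an error."
    }

    # 2. Is AllowRemoteReboot present and non-null on this console?
    $value = (Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue).$RegName
    $rebootEnabled = [bool]$value
    if (-not $rebootEnabled) {
        Write-Host "$RegName is missing or 0: the Reboot computer option will not be offered."
        # To enable it, run elevated on the console machine:
        #   New-Item -Path $RegPath -Force | Out-Null
        #   New-ItemProperty -Path $RegPath -Name $RegName -PropertyType DWord -Value 1 -Force | Out-Null
    }

    [pscustomobject]@{
        RemoteStation      = $RemoteStation
        Port3644Reachable  = $portOpen
        RemoteRebootOption = $rebootEnabled
    }
}

# Usage: Test-EamActionsTabPrerequisites -RemoteStation 'ACCESSPOINT01'
```

Run it from the console machine under the same account that uses the EAM Console, since the registry check reads the local HKLM hive.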

Procedure

  1. In the tree structure of the Directory panel, select the wanted access point.
  2. Click the Actions tab.

    NOTE: If the access point cannot be reached or if it does not support the remote analysis, an error message appears.
    • The current parameters of the remote access point appear in the tab.

  3. Perform the necessary actions described below.

    NOTE:

    • If the EAM security services on the remote access point are stopped, you must wait a few seconds before downloading the compressed files.
    • You are advised to collect and download the files for analysis before performing the required actions.
  4. To download the cache, trace or registry files of the remote access point, go to the Download area of the tab.
  5. Click Apply.

    NOTE: If Authentication Manager is installed on the remote access point, the user session locks and the user must reauthenticate.

Managing the Cache

Managing the cache remotely enables you to:

  • Delete cache files linked to the user and the selected access point. The administrator can only delete a cache file linked to a specific user.
  • Collect cache files linked to the user and the access point available on the selected access point.
  • Deactivate the use of the cache on the selected access point.