Enterprise Single Sign-On 9.0.2 - One Identity Enterprise Access Management Console Administration Guide


Managing representative objects

Subject

A representative object is an LDAP object representing a set of target objects (users or access points) that are not part of the domain the representative object belongs to. Thus, a represented user can log on to an access point which is not part of his/her domain, and access his/her local domain applications.

This section describes how to create, modify and delete representatives.

Object definition

A representative represents objects (users or access points) that are not part of its local domain.

These objects are of two different types:

  • Inbound type: the object represents a set of external users.
  • Outbound type: the object represents a set of external access points.

By default, two representative objects are created: they represent all the external domains.

In "no-access-point-management" mode:

  • The inbound representative must have a security profile allowing it to authenticate on all access points.
  • The outbound representative represents a domain of access points.

In this section:

Managing inbound representative objects

Subject

An inbound representative object represents a set of users that are not part of the domain the representative belongs to.
You assign a security profile to this representative and, in "access-point management" mode, choose which access points of the local domain must be accessible to the represented users. Thus, these users will be able to log on to access points that are not part of their domain.

Before starting
  • You must be authorized to access the external domains in which the users to be represented reside (see Section Managing administrators).
  • To perform the tasks described in this section, you must have at least the following administration role:
    • In classic administration mode: "Security object administrator".
    • In advanced administration mode, your role must contain the following administration right: "User security profile: Creation/Modification" or "Representative: Creation/Modification".
  • The user security profile that you want to assign to the external users must be created, as described in Section Managing User Security Profiles.
  • In "no-access-point-management" mode, a user can open an EAM session on an access point of a foreign domain only if the representative of the user is authorized to authenticate on all access points. In the security profile of the representative, the Allow on all Access Points field must be selected, as described in Section Authentication Tab.

In this section:

Creating/Modifying an inbound representative object

Procedures

Creating an inbound object

  1. In the tree structure of the Directory panel, right-click the organizational unit that must contain your inbound object, and select New\Representative.
    • The selection window appears.
  2. Click Inbound access and click OK.
    • The inbound object Configuration tab appears.
  3. In the Configuration tab, in the Representative area, type the name of the representative you are creating.
  4. Configure the representative object, as described in the following sections:
  5. Click Apply.
    • The inbound object appears in the directory tree structure.

Modifying an inbound object

  1. In the tree structure of the Directory panel, select the inbound object to modify.
    • The inbound object Configuration tab appears.
  2. Modify the configuration of the representative object, as described in the following sections:
  3. Click Apply.
    • The inbound object is modified.


Defining the set of users to represent

Subject

You must select the external users that you want to be represented by the representative object.

Procedure

In the Configuration tab, in the Represented population area, use the Add and Remove buttons to choose the users of external domains that you want to be represented by the representative.
