Enterprise Single Sign-On 9.0.2 - One Identity Enterprise Access Management Console Administration Guide


Deleting representative objects

Before starting

To perform the task described in this section, you must have the following administration role:

  • In classic administration mode: "Security object administrator".
  • In advanced administration mode, your role must contain the following administration right: "Representative: Deletion".

Procedure

In the Directory panel, right-click the representative object to delete and select Delete.

  • The representative object is removed from the directory tree structure.


Managing clusters of access points

Definition

A cluster of access points is a set of computers on which the Windows sessions are synchronized by EAM. All the actions that a user performs on the Windows session (opening, closing, locking, unlocking) of a computer that belongs to the cluster are automatically and simultaneously performed on all the other computers that form the cluster.

The number of workstations you can include in a cluster is not limited.

In a cluster of access points, the computer on which the user performs an action is called the master computer. The same action is simultaneously performed on the other computers of the cluster, called slaves.

IMPORTANT: An EAM Controller does not work in cluster mode.

For more details on how a cluster of access points operates, see the Authentication Manager Cluster Administrator's Guide.

Mechanism description

When a user performs an action on a computer (opening, closing, locking, unlocking), this computer becomes the master computer and periodically informs the slave computers of the operation performed. This is how the behavior of the slave computers is controlled.

  • Logging On

    When a user opens a session on a computer of the cluster, all the sessions of other computers of the cluster open with the same user account.

    • If a slave computer is not reachable at session opening on the master computer, the session opening operation on this slave computer will be performed as soon as the network is restored.
    • If a slave computer restarts, and if the last operation performed on the master computer is a session opening, then a session will be opened on this slave computer as soon as it is available.
    • If the session opened on a slave computer is locked by another user, the session is unlocked only if the Fast User Switching (FUS) option is enabled on the computer (see Section Unlocking Tab (Fast User Switching - FUS)).
      If a user performs a fast user switching (FUS) on a computer, all the other computers of the cluster perform the same action.
    • If an "Excluded Account" opens a session on a workstation that is part of the cluster, this workstation is automatically excluded from the cluster.
      For more information on excluded accounts, see the Section Authentication Manager Tab, Excluded accounts button.
  • Logging Out

    When a user closes the session on a computer of the cluster, all the sessions of other computers of the cluster close.

    NOTE: A slave computer can only accept an order from the master computer if its current session is compatible with this order. For example: if a user locks a computer of his/her cluster while all the other cluster computer sessions are closed, these sessions will remain closed.
  • Screensaver

    When the screensaver starts on a computer, the computer is not locked. It locks at the end of the screensaver period and then becomes the master computer and locks all the computers of the cluster.

    Configure the screensaver according to the behavior you want.

Creating and configuring a cluster of access points

Subject

The following procedure explains how to create and configure a new cluster of access points:

  • You can authorize users to temporarily remove a computer from the cluster.
  • You can define a different locking behavior for each computer of the cluster.
  • You can define restart options for the cluster.
Before starting
  • To perform the task described in this section, you must work in advanced administration mode, and your role must contain the following administration right: "Cluster: Creation/Modification".

    NOTE: For more information on administration roles, see Section Managing administrators.
  • Make sure that none of the computers you want to place in the cluster is an EAM Controller.
  • Make sure that all the computers you want to gather in a cluster are connected to each other and configured according to your needs (automatic screensaver launching, locking).
  • DNS resolution must work properly so that orders sent from the master can be transmitted to the slaves.
  • Port 3644 must be open on the set of computers you want to gather in a cluster.
  • EAM must be configured in "manage-access-point" mode.
  • The "Cluster Server" license key must be installed on the EAM Controller and the "Cluster Client" key must be installed on all the workstations that will belong to the cluster.
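The following PowerShell pre-flight script checks the two network prerequisites above (DNS resolution and port 3644) for every candidate member before you create the cluster. It is an added example, not part of the One Identity guide; the member names are constructed placeholders, and it assumes port 3644 is reached over TCP (the guide does not state the protocol).

```powershell
# Added example (not from the One Identity guide): pre-flight check of the
# network prerequisites for a planned cluster of access points.
# Assumptions: member names are constructed placeholders; port 3644 is assumed
# to be TCP; the script runs on a domain-joined Windows host.
$Members     = @('WS-CLUSTER-01', 'WS-CLUSTER-02', 'WS-CLUSTER-03')  # constructed
$ClusterPort = 3644   # port the guide requires to be open (TCP assumed)

$Results = foreach ($Name in $Members) {
    # Prerequisite 1: DNS resolution must work so master orders reach the slaves.
    $Address = $null
    try {
        $Address = (Resolve-DnsName -Name $Name -Type A -ErrorAction Stop |
                    Where-Object { $_.IPAddress } |
                    Select-Object -First 1).IPAddress
    } catch {
        # Leave $Address empty: the name does not resolve from this host.
    }

    # Prerequisite 2: port 3644 must be open on every computer of the cluster.
    $PortOpen = $false
    if ($Address) {
        $PortOpen = (Test-NetConnection -ComputerName $Name -Port $ClusterPort `
                         -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    [pscustomobject]@{
        Member   = $Name
        Address  = $Address
        DnsOk    = [bool]$Address
        PortOpen = [bool]$PortOpen
    }
}

$Results | Format-Table -AutoSize

# Any member that fails either check will not receive master orders reliably.
$Failed = $Results | Where-Object { -not ($_.DnsOk -and $_.PortOpen) }
if ($Failed) {
    Write-Warning "Fix the members listed above before creating the cluster."
} else {
    Write-Host "All members resolve and accept connections on port $ClusterPort."
}
```

Run it from each candidate computer, not just one: any member can become the master, so every member must be able to resolve and reach all the others.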
Procedure
  1. In the tree structure of the Directory panel, right-click the organizational unit in which you want to create the cluster and select New\Cluster of access points.
    • The Configuration tab appears.
  2. Complete the Name field.
  3. Click the Add button to select the access points that you want to add to the cluster.
    Use the Browse tab to browse the directory tree structure or use the Search tab to find the access point by typing its name.
  4. Define the cluster properties as explained in the following "Configuration" tab description section.
  5. Click Apply.
    • The "cluster" object is created in the tree structure.

"Configuration" tab description

  • Allow users to temporarily withdraw a computer from the cluster check box

    If this check box is selected, users allowed to access one of the cluster computers will be able to temporarily exclude a computer from the cluster, from the Authentication Manager module (for more details, see the Authentication Manager for Windows User's Guide).

  • Lock the cluster after x minutes of inactivity

    This option allows you to define the period of inactivity after which all the computers of the cluster will be automatically locked.

    The computers are locked according to the locking behavior you have defined in the Cluster Lock Mode window: see Option button below.

IMPORTANT: For this function to work properly, you must deactivate the Windows locking and screen saving mechanisms on all the computers of the cluster.
  • Allow the user to reboot the cluster check box
    • Check box selected: the users allowed to access one of the computers of the cluster can simultaneously restart all the computers of the cluster from the Authentication Manager module.
    • Check box cleared: the users are not allowed to restart all the computers of the cluster.
  • When a workstation shuts down, do not close the other workstations check box
    • Check box selected: if a user restarts a computer of the cluster, the sessions of the other computers remain unchanged: they remain in the state they were before the restart operation.
    • Check box cleared: if a user restarts a computer of the cluster, the sessions of the other computers close.
  • Members table

    This area displays the list of access points that are part of the cluster and their lock mode (defined using the Option button below).

    If you have authorized a list of users to add access points of the selected cluster to their own cluster, or to remove them from it (see Section Managing user permissions on clusters), this area shows how the authorized users have composed their own cluster, using colored icons:

    • Icon for an added access point: the access point is not originally part of the cluster. It has been added to the cluster by an authorized user.
    • Icon for a separated access point: the access point is originally a member of the cluster and has been separated from it by an authorized user who has included it in his/her own cluster.
    • Icon for an unchanged access point: the access point is originally a member of the cluster and no one has separated it.
  • Option button

    Gives access to the Cluster Lock Mode window.

    For each computer of the cluster, this window allows you to define the computer behavior in the following cases:

    • When it receives a locking order from the master computer.
    • When it is directly locked.
    • When it does not receive any order from the master for more than 30 seconds.

    For each of these cases, you can choose one of the following lock modes:

    • Transparent lock with logo

      The keyboard and mouse of the selected computer are disabled and a logo appears on top of the screen, but the information displayed on screen remains visible.

      To modify the logo displayed on the screen, save a WGLock.bmp file corresponding to the wanted logo in the EAM Client installation folder (the default folder is Program Files\One Identity\Enterprise Access Management).

      IMPORTANT: The size of the logo must be 420(W)x72(H) pixels.

      Pressing Ctrl+Alt+Del on this computer displays the standard unlock window.

    • Transparent lock

      The keyboard and mouse of the selected computer are disabled, but the information displayed on screen remains visible.

      Pressing Ctrl+Alt+Del on this computer displays the standard unlock window.

    • Windows lock

      The selected computer is locked.
      The standard lock window appears on the screen.

  • Remove button

    Permanently removes the selected computer from the cluster.

  • New button

    Allows you to select the access point you want to add to the cluster.
    Use the Browse tab to browse the directory tree structure or use the Search tab to find the access point by typing its name.

  • Information area

    This area displays the name of the last user who connected to the cluster of access points.

Managing user permissions on clusters

You can give more autonomy to users of clusters by allowing them to manage their own cluster: you can authorize them to add to their own cluster some access points that are originally part of another cluster.

If a user adds an access point to his/her own cluster, the access point stays linked to the original cluster. When the user decides to release the access point, it is automatically associated back to its original cluster.

For more details on the conditions under which a user can add a new access point to his/her cluster, see the Authentication Manager Cluster Administrator's Guide.
