
Enterprise Single Sign-On 9.0.2 - One Identity Enterprise Access Management Console Administration Guide


Configuring the management of SA Server devices

Subject

The configuration parameters described here apply to all SA Servers declared in the SA Server Hosts tab.

Procedure

  1. In EAM Console, click File/Configuration and select the SA Server Configuration tab.
  2. Fill in the tab using the instructions given in the "SA Server Configuration" tab - description section below.
  3. Click OK.
    • The server is configured.
"SA Server Configuration" tab - description

  • Administrator parameters area

    User identifier and password of an SA Server administrator. EAM Console uses this account to manage devices and users in the SA Server.

    IMPORTANT:

    • This user must exist in the SA Server.

    • This user must have an "admin" role.

  • Security questions to answer in case of loss of device area

    The two questions entered here are asked of a user who loses his or her device. Correct answers give the user a list of one-time passwords. Because correct answers stand in for the device itself, choose questions whose answers are not easily discoverable and treat the recorded answers as authentication secrets.

  • SA Server mode area

    The mode in which the SA Server has been installed (see the Gemalto documentation for more details).

  • Action on device formatting area

    Operation to perform on the SA Server devices when they are formatted from EAM Console:

    • Initialize: the device returns to the "Initialized" state and can be assigned again.
    • Revoke: the device cannot be used anymore (irreversible).
  • User ID rule field

    Each user to whom an SA Server device is assigned has a user identifier in the SA Server.
    The rule entered in this field defines how that identifier is built from the user's LDAP attributes.

    Example: if the user identifier rule is (givenName).(sn), the user whose givenName is "John" and whose sn is "Smith" will get "John.Smith" as user identifier.

    The default rule is "displayName"; it is applied when no rule is set. Because this identifier is what links the directory user to the SA Server account, choose a rule whose result is unique across your users.

  • Action on device blacklisting area

    Operation to perform on the SA Server devices when they are blacklisted from EAM Console:

    • Initialize: the device returns to the "Initialized" state and can be assigned again.
    • Revoke: the device cannot be used anymore (irreversible).
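The User ID rule described above can be checked before it is deployed. The following Python script is an added example, not part of this guide or of EAM Console: it expands a rule of the form "(attribute)literal(attribute)" against a few constructed directory entries, falls back to "displayName" when the rule is empty, and reports identifiers that two users would share. The guide does not say how EAM Console treats a user who lacks one of the referenced attributes; treating that as an error is an assumption of this example, as are the function names.

```python
import re
from collections import defaultdict

# Constructed sample directory entries for the example (not taken from a real directory).
SAMPLE_USERS = {
    "jsmith":    {"givenName": "John", "sn": "Smith", "displayName": "John Smith"},
    "jsmith2":   {"givenName": "John", "sn": "Smith", "displayName": "John Smith (Sales)"},
    "alovelace": {"givenName": "Ada", "displayName": "Ada Lovelace"},  # no 'sn' attribute
}

DEFAULT_RULE = "displayName"               # applied when no rule is set, as the guide states
TOKEN = re.compile(r"\(([A-Za-z][\w-]*)\)")  # '(attributeName)' references inside a rule


def apply_user_id_rule(rule, attrs):
    """Expand a User ID rule such as '(givenName).(sn)' against one user's LDAP attributes.

    Each parenthesised token is replaced by the named attribute; any other text is
    kept literally. An empty rule falls back to DEFAULT_RULE, and a rule with no
    parentheses (like the default 'displayName') is taken as a single attribute name.
    Assumption: a missing or empty attribute is an error, because an identifier built
    from it would not identify the user; the guide does not state EAM Console's behaviour.
    """
    rule = (rule or "").strip() or DEFAULT_RULE
    if not TOKEN.search(rule):
        rule = f"({rule})"

    def substitute(match):
        name = match.group(1)
        value = attrs.get(name)
        if not value:
            raise KeyError(f"attribute '{name}' is missing or empty")
        return value

    return TOKEN.sub(substitute, rule)


def find_collisions(rule, users):
    """Return {identifier: [directory keys]} for identifiers that more than one user would get.

    Users for whom the rule cannot be evaluated are reported under the key None,
    so the administrator sees them instead of silently losing them.
    """
    seen = defaultdict(list)
    for key, attrs in users.items():
        try:
            seen[apply_user_id_rule(rule, attrs)].append(key)
        except KeyError:
            seen[None].append(key)
    return {ident: keys for ident, keys in seen.items() if ident is None or len(keys) > 1}


if __name__ == "__main__":
    print(apply_user_id_rule("(givenName).(sn)", SAMPLE_USERS["jsmith"]))  # John.Smith
    print(find_collisions("(givenName).(sn)", SAMPLE_USERS))
    print(find_collisions("", SAMPLE_USERS))  # default displayName rule: no collisions here
```

Run `find_collisions` with the rule you intend to configure against an export of the users who will receive devices; a non-empty result means the rule needs another attribute (or a different one) before it is set in EAM Console.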

Managing SA server devices

Subject

You can manage SA Server devices in EAM Console in the same way as smart cards.

The identifier associated with the device is saved in the directory and allows EAM Console to detect whether a device is registered in the SA Server.

In this section:

  • Assigning an SA server device to a user
  • Formatting an SA Server device

Assigning an SA server device to a user

Subject

This section describes how to assign an OATH device to a user.

The assignment procedure is almost the same as the smart card assignment procedure. The only difference is that for SA Server devices you must fill in the SA Server tab, as explained in this section.

Before starting

Check that the following requirements are met:

  • You must have at least the following administration roles:
    • In classic administration mode: "Smart card administrator" and at least one of the following roles: "Security object administrator" or "Access administrator" or "Rights administrator".
    • In advanced administration mode, your role must contain the following administration rights: "Token: Assignment" and "Directory: Browsing".
  • If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignment time, in the Administration tab) to be able to perform the task described in this section.
  • The device you want to assign must have an identifier, and have previously been provisioned in the SA Server. Its state must be set to "initialized" in the SA Server.
Procedure
  1. Follow the smart card assignment procedure explained in Section Assigning smart cards.
  2. Fill in the SA Server tab using the instructions given in the "SA Server" tab - description section below. This tab registers the device as an SA Server device and links it to the selected user.
  3. Click OK.
    • A window asks you to enter the device PIN.
  4. Enter the PIN and click OK.
    • Once assigned, the device identifier and the user identifier are linked together. The device and the user are set to the "Active" state.
"SA Server" tab - description

  • Associated user area

    The User field is automatically filled in according to the rule defined upon the configuration of the SA Server device management (see Section Configuring the management of SA Server devices).

    • If the SA Server is configured in "Full DB" mode, you must complete the Password and Confirm password fields for the selected user.
    • If the SA Server is configured in "Mixed mode", the Password field is not available.

  • Answer to security questions area

    The questions displayed here are those chosen upon the configuration of the SA Server device management (see Section Configuring the management of SA Server devices).

    You must answer these questions with the user, so that he/she can get a one-time password in case he/she loses his/her device.

    NOTE: If the user identifier already exists in the SA Server and answers are already recorded, the fields are displayed empty; the stored answers are not shown.

    • If you fill in these fields again, the corresponding answers are updated in the SA Server.

    • If you leave these fields empty, the answers are not updated in the SA Server.

  • Device ID field

    The displayed number is read from the device.

Formatting an SA Server device

The formatting procedure is detailed in Section Administering smart card certificates.

When an SA Server device is formatted, the action performed on the device depends on the configuration set while configuring the SA Server device management, in the Action on device formatting area (see Section Configuring the management of SA Server devices).

  • If the Revoke option is selected, the device is revoked and cannot be used anymore.
  • If the Initialize option is selected, the device state becomes "Initialized". If a user was linked to this device, the link is broken.
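The device states that the assignment procedure and the formatting section describe form a small lifecycle: a device must be "initialized" in the SA Server before it can be assigned, assignment makes device and user "Active", a Full DB server requires a password at assignment while a Mixed mode server offers no Password field, formatting with Initialize breaks the user link, and Revoke is irreversible. The following Python model is an added example, not code from this guide or from EAM Console; it encodes those rules as checks so the preconditions are explicit. The names SaDevice, assign and format_device are this example's own. The guide does not say whether revocation also clears the stored user link; keeping it is an assumption made here.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class DeviceState(Enum):
    INITIALIZED = "initialized"   # provisioned in the SA Server and assignable
    ACTIVE = "active"             # linked to a user
    REVOKED = "revoked"           # permanently unusable


class FormatAction(Enum):
    """Value of the 'Action on device formatting' / 'Action on device blacklisting' setting."""
    INITIALIZE = "initialize"
    REVOKE = "revoke"


SA_MODES = ("Full DB", "Mixed mode")   # the two SA Server modes the guide distinguishes


class DeviceError(Exception):
    """Raised when a transition violates a precondition stated in the guide."""


@dataclass
class SaDevice:
    device_id: str                       # read from the device and saved in the directory
    state: DeviceState = DeviceState.INITIALIZED
    user_id: Optional[str] = None        # SA Server user identifier once assigned


def assign(device: SaDevice, user_id: str, sa_mode: str,
           password: Optional[str] = None) -> SaDevice:
    """Check the assignment preconditions, then link the device and the user."""
    if sa_mode not in SA_MODES:
        raise DeviceError(f"unknown SA Server mode {sa_mode!r}")
    if not device.device_id:
        raise DeviceError("device has no identifier")
    if device.state is not DeviceState.INITIALIZED:
        raise DeviceError(f"device {device.device_id} is {device.state.value}, not initialized")
    if sa_mode == "Full DB" and not password:
        raise DeviceError("Full DB mode: a password must be set for the user")
    if sa_mode == "Mixed mode" and password is not None:
        raise DeviceError("Mixed mode: the Password field is not available")
    device.user_id = user_id
    device.state = DeviceState.ACTIVE     # device and user both become "Active"
    return device


def format_device(device: SaDevice, action: FormatAction) -> SaDevice:
    """Apply the configured action when the device is formatted or blacklisted."""
    if device.state is DeviceState.REVOKED:
        raise DeviceError(f"device {device.device_id} is revoked; revocation is irreversible")
    if action is FormatAction.REVOKE:
        device.state = DeviceState.REVOKED
        # Assumption: the user link is kept as a trace of who held the device;
        # the guide only says the device can no longer be used.
    else:
        device.state = DeviceState.INITIALIZED
        device.user_id = None             # per the guide, the link to the user is broken
    return device


if __name__ == "__main__":
    token = SaDevice("0123456789")                      # constructed device identifier
    assign(token, "John.Smith", "Full DB", password="example-only")
    print(token)
    format_device(token, FormatAction.INITIALIZE)       # back to initialized, link broken
    print(token)
    format_device(token, FormatAction.REVOKE)
    print(token)
```

The useful check for an administrator is the first one in `format_device`: once the configured action is Revoke, a formatted or blacklisted device cannot be brought back, so the "Action on device formatting" and "Action on device blacklisting" settings should be chosen before any device is formatted through EAM Console.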