Preface
Overview
Enterprise Access Management Concepts
EAM Controllers
A Multi-Domain Architecture
Interface general design
Authenticating to EAM Console and Managing Protection Modes
Searching the Directory Tree
Managing administrators
Administration Modes - Presentation
Delegating Administration Roles
Managing Administration Profiles
Transferring an Administration Role
Deleting an Administration Role
Displaying your Administration Role
Modifying the Parent Administrator
Adding/Removing Primary Administrators
Managing Security Profiles
Managing time slices
Managing directory objects
Creating/Modifying Time Slices
Configuring Time Slices
Displaying time slice usage logs
Displaying time slice event logs
Renaming representative objects
Deleting time slices
Managing Password Format Control Policies
Creating/Modifying Password Format Control Policies
Configuring Password Format Control Policy
Displaying PFCP usage logs
Displaying Password Format Control Policy Event Logs
Renaming Password Format Control Policies
Deleting Password Format Control Policies
Managing User Security Profiles
Creating/Modifying User Security Profiles
Configuring User Security Profiles
Managing Access Point Security Profiles
Authentication Tab
Security Tab
SSO and Notes Tab
Cloud Tab
Unlocking Tab (Fast User Switching - FUS)
Self Service Password Request Tab
Biometrics Tab
Session Delegation Tab
Audit Tab
OTP Tab
Mobile Device Tab
Displaying User Security Profile Usage Logs
Displaying User Security Profile Event Logs
Renaming User Security Profiles
Deleting User Security Profiles
Creating/Modifying Access Point Security Profiles
Configuring Access Point Security Profiles
Managing Application Security Profiles
Security Services Tab
Authentication Manager Tab
Enterprise SSO Tab
Multi-User Desktop Tab
Biometrics Tab
Self Service Password Request Tab
Active RFID Tab
Audit Tab
Local Administrators Tab
Displaying Access Point Security Profile Usage Logs
Displaying Access Point Security Profile Event Logs
Renaming Access Point Security Profiles
Deleting Access Point Security Profiles
Managing Password Generation Policies
Defining Security Profiles Default Values
Managing User and Access Point Security Profiles Priorities
Creating/Modifying Password Generation Policies
Configuring the Password Generation Policy
Displaying Password Generation Policy Usage Logs
Displaying Password Generation Policy Event Logs
Renaming Password Generation Policies
Deleting Password Generation Policies
Creating/Modifying Application Security Profiles
Configuring Application Security Profiles
Displaying Application Security Profile Usage Logs
Displaying Application Security Profile Event Logs
Renaming Application Security Profiles
Deleting Application Security Profiles
Managing applications
Importing/Exporting security profiles and directory objects
Managing smart cards
Creating an application
Defining the general properties of an application
Creating the account properties for an application
Defining the Single Sign-On properties of an application (SSO)
Defining external names
Defining the Provisioning Connector
Assigning users to an application
Sharing the administration of an application
Generating/Importing accounts for an application
Assigning access points to an application
Displaying accounts associated with the application
Displaying application event logs
Displaying/Modifying application information
Renaming applications
Deleting applications
Managing users
Displaying general information about the user
Defining user connection parameters
Managing access points
Suspending or limiting temporarily user access
Displaying user authentication information and administering roaming sessions
Predefining a new user's primary password
Managing user Self Service Password Request
Defining an audit identifier
Creating a welcome message
Assigning a user security profile
Declaring a user as administrator
Assigning/forbidding access points to a user
Managing user accounts
Managing the User Self Enrollment
Assigning Administration Rights
Configuring the Dedicated Organizational Units
Configuring Self Enrollment
Sending SSO account passwords to users
Sending primary password expiration notification emails to users
Defining additional security parameters for groups of users
Managing user smart cards
Managing user Mobile Devices
Displaying and deleting user biometrics data
Assigning applications to a user
Displaying delegated sessions
Managing user RFID tokens
Displaying user event logs
Deleting SSO data of disabled user accounts
Adding or removing a user from a group
Displaying general information about the access point
Defining access point configuration parameters
Managing representative objects
Assigning an access point security profile
Managing EAM controller services
Assigning a generic account to an access point
Assigning/forbidding users to an access point
Assigning/forbidding applications to an access point
Adding or removing an access point from a group
Analyzing Errors of a Remote Access Point
Displaying access point event logs
Updating manually an access point
Managing inbound representative objects
Managing clusters of access points
Creating/Modifying an inbound representative object
Defining the set of users to represent
Assigning a user security profile to the inbound representative object
Selecting access points available to the representative
Managing outbound representative objects
Creating/Modifying an outbound representative object
Defining the set of access points to represent
Selecting applications available to the representative
Displaying representative event logs
Renaming representative objects
Deleting representative objects
Creating and configuring a cluster of access points
Managing user permissions on clusters
Selecting a domain controller
Authorizing users to access the workstations of the cluster
Displaying the cluster composed by authorized users
Displaying cluster event logs
Renaming clusters
Deleting cluster
Configuring smart card parameters of use
Managing SA server devices
Managing RFID tokens
Managing smart card configuration profiles
Managing smart card certificates
Assigning smart cards (except loan cards)
Creating/Modifying configuration profiles
Renaming a configuration profile
Deleting a configuration profile
Modifying authentication parameters of an assigned smart card
Managing batches of smart cards
Assigning smart cards
Assigning a smart card managed by an external CMS
Smart card self enrollment
Formatting an assigned smart card
Managing loan cards
Unlocking smart cards
Setting administrator's contact information
Unlocking to Forcing PIN
Unlocking by secret code
Unlocking by SSPR
Unlocking by extending the validity duration
Formatting a blacklisted card
Managing lost or theft smart cards
Formatting smart cards
Displaying information
Exporting Generated Reports
Assigning an RFID token
Locking and unlocking an RFID token
Managing biometrics
Locking and unlocking an RFID token from the Directory panel
Locking and unlocking an RFID token from the RFID panel
Resetting the PIN of an RFID badge
Blacklisting and deleting an RFID token
Blacklisting and deleting an RFID token from the Directory panel
Blacklisting and deleting an RFID token from the RFID panel
Modifying the detection areas and the grace period
Exporting a list of RFID tokens
Defining the biometric enrollment policy
Defining the workstation biometric parameters
Managing the user enrollment
Displaying and exporting the biometric enrollment report
Managing Mobile Devices
Enabling the public key authentication method
Configuring user and access point security profiles to support the PKA authentication method
Activating the PKA authentication method and defining the set of authorized certification authorities
Managing Emergency Accesses
Managing audit events
Activating the PKA authentication method
Configuring the set of authorized certification authorities
Configuring the automatic update of the revocation information
Displaying audit events
Defining an audit population
Managing and assigning audit filters
Interpreting audit events
Managing reports
The audit main window
The "Event details" window
Detailed information on the audit administration events
Exporting audit events
Archiving audit records
Retrieving user identifier from audit identifier
Retrieving audit events
Generating PDF reports
Generating On-screen reports
Customizing configuration files
Creating scripts
Basic syntax of regular expressions
Listing audit events and error codes
Correspondence between profiles and administration rights
Report Models and Parameters List
Custom Group Files Format
Configuring the management of SA Server devices
Managing SA server devices > Configuring EAM for the management of SA Server devices > Configuring the management of SA Server devices
Subject
Configuration parameters are available for all SA Servers declared in the SA Server Hosts tab.
Procedure
- In EAM Console, click File/Configuration and select the SA Server Configuration tab.
- Fill-in the tab using the instructions given in the following "SA Server Configuration" tab - description section.
- Click OK.
- The server is configured.
"SA Server Configuration" tab - description
- Administrator parameters area
User identifier and password of an SA Server administrator. This administrator is allowed to manage devices and users.
IMPORTANT:
-
This user must exist in the SA Server.
-
This user must have an "admin" role.
-
- Security questions to answer in case of loss of device area
The two questions entered here will be asked to the user in case he/she loses his/her device. Correct answers provide a list of one-time passwords.
- SA Server mode area
The mode in which the SA Server has been installed (see the Gemalto documentation for more details).
- Action on device formatting area
Operation to perform on the SA Server devices when they are formatted from EAM Console:
- Initialize: the device can be used again.
- Revoke: the device cannot be used anymore (irreversible).
- User ID rule field
Each user to whom is assigned a SA Server device has his own user identifier in the SA Server.
The rule entered in this field allows you to choose the user identifier syntax, according to the chosen LDAP parameters.Example: if the user identifier rule is (givenName).(sn), the user whose givenName is "John" and whose sn is "Smith" will get "John.Smith" as user identifier.
The default rule is "displayName". It is applied even if no rule is set.
- Action on device blacklisting area
Operation to perform on the SA Server devices when they are blacklisted from EAM Console:
- Initialize: the device can be used again.
- Revoke: the device cannot be used anymore (irreversible).
Managing SA server devices
Subject
You can manage SA Server devices in EAM Console in the same way as smart cards.
The identifier associated with device is saved in the directory, and allows EAM Console to detect whether the device is a device registered in the SA Server.
Before starting
- SA Server must be declared and configured in EAM, as explained in Section Configuring EAM for the management of SA Server devices.
- All the devices must be registered in the SA Server by the SA Server administrator.
In this section:
- Assigning an SA server device to a user
- Formatting an SA Server device
- Blacklisting an SA Server device
- Managing the link between the user and the SA Server device
Assigning an SA server device to a user
Subject
This section describes how to assign an OATH device to a user.
The assignment procedure is almost the same as the smart card assignment procedure. The only difference is that for SA Server devices, you must fill-in the SA Server tab, as explained in this section.
Before starting
Check that the following requirements are met:
- You must have at least the following administration roles:
- In classic administration mode: "Smart card administrator" and at least one of the following roles: "Security object administrator" or "Access administrator" or "Rights administrator".
- In advanced administration mode, your role must contain the following administration rights: "Token: Assignment" and "Directory: Browsing".
- If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to be able to perform the task described in this section.
- The device you want to assign must have an identifier, and have previously been provisioned in the SA Server. Its state must be set to "initialized" in the SA Server.
Procedure
- Follow the smart card assignation procedure explained in Section Assigning smart cards.
- Fill-in the SA Server tab using the instructions given in the following "SA Server" tab - description section. This tab allows you to register the device as an SA Server device, and to link it to the selected user.
- Click OK.
- A window asks you to enter the device PIN.
- Enter the PIN and click OK.
- Once assigned, the device identifier and the user identifier are linked together. The device and the user are set to the "Active" state.
"SA Server" tab - description
- Associated user area
The User field is automatically filled in according to the rule defined upon the configuration of the SA Server device management (see Section Configuring the management of SA Server devices).
- If the SA Server is configured in "Full DB" mode, you must complete the Password and Confirm password fields for the selected user.
- If the SA Server is configured in "Mixed mode", the Password field is not available.
- Answer to security questions area
The questions displayed her are those chosen upon the configuration of the SA Server device management (see Section Configuring the management of SA Server devices).
You must answer these questions with the user, so that he/she can get a one-time password in case he/she loses his/her device.
NOTE: If the user identifier already exists in the SA Server and if the answers are already recorded, the fields are empty.
-
If you fill-in again these fields, the corresponding answers will be updated in the SA Server.
-
If you let these fields empty, the answers will not be updated in the SA Server.
-
- Device ID field
The displayed number is read from the device.
- Validate check box
- Check box selected: the SA Server is updated with the information entered in the tab when you click the OK button, and the link between the device and the user is established in the SA Server.
- Check box cleared: the SA Server is not updated with the information entered in the tab when you click the OK button, and no link is established between the device and the SA Server.
You can do the assignation later on, using the Link User/Remove User buttonThe Link User button appears in the following cases:If the device-user link is not established in SA Server.In this case, this button allows you to link the device to the user in the SA Server, using the following window:This window allows you to update in the SA Server the information entered while assigning the device to the user. The information entered at assignment time (see Section Assigning an SA server device to a user) is not displayed in the window:If you fill-in again these fields, the corresponding answers will be updated in the SA Server.If you let these fields empty, the SA Server will not be updated.If the user does not exist in the SA Server yet.In this case, this button allows you to create the user and link him/her to the device, using the following window:This window allows you to enter the necessary information to link the device to the user, as described in Section Assigning an SA server device to a user.The Remove User button allows you to remove the link set between the device and the user.If you remove a user-device link, you can restore it again later without having to re-enter the necessary information, by clicking on the Link User button. described in Section Managing the link between the user and the SA Server device.
Formatting an SA Server device
The formatting procedure is detailed in Section Administering smart card certificates.
When an SA Server device is formatted, the action performed on the device depends on the configuration set while configuring the SA Server device management, in the Action on device formatting area (see Section Configuring the management of SA Server devices).
- If the Revoke option is selected, the device is revoked and cannot be used anymore.
- If the Initialize option is selected, the device state becomes "Initialized". If a user was linked to this device, the link is broken.