
Enterprise Single Sign-On 9.0.2 - One Identity Enterprise Access Management Console Administration Guide


Blacklisting an SA Server device

The blacklisting procedure is detailed in Section Managing lost or stolen smart cards.

When a device is blacklisted, the action performed on it depends on the configuration set while configuring the SA Server device management, in the Action on device blacklisting area (see Section Configuring the management of SA Server devices).

  • If the Revoke option is selected, the device is revoked and cannot be used anymore.
  • If the Initialize option is selected, the device state becomes "Initialized". If a user was linked to this device, the link is broken.

Managing the link between the user and the SA Server device

In the Directory panel of EAM Console, in the Smart Card tabbed panel, the SA Server tab allows you to manage the SA Server devices of a user.

User Information area

  • User ID/User State: information fields.
  • Block/Unblock button:
    • The Block button allows you to prevent the user from authenticating. While the user is in the "Block" state, he cannot authenticate. In this case, the button label changes: it becomes Unblock.
    • The Unblock button allows you to authorize a blocked user to authenticate again.
  • Revoke button:
    This button allows you to revoke the user by definitively canceling his user identifier. This operation is irreversible.
  • Unlock button:
    This button is only available if the user is locked, which means he has reached the maximum number of allowed password attempts (this number is defined in the Gemalto SA Server, in the user settings).
    This button allows you to unlock the user by resetting the number of password attempts.

Associated device area

  • Device ID/Device State: information fields retrieved from the device.
  • Device expiration check box:
    Select this check box to make the device expiration field available and modify it.
  • OTP attempts field:
    This field displays the number of attempts made to enter the one-time password, using the following syntax:
    <number of OTP attempts>/<maximum attempts before lock>
    The maximum number of OTP attempts is defined in the Gemalto SA Server, in the OATH policy.
  • Reset OTP attempts button:
    This button allows you to unlock the device in case it has reached the maximum number of one-time password attempts.
  • Block/Unblock button:
    • The Block button allows you to prevent the device from being used. While the device is in the "Block" state, it cannot be used to authenticate. In this case, the button label changes: it becomes Unblock.
    • The Unblock button allows you to allow a blocked device to be used again to authenticate.
  • Revoke button:
    This button allows you to revoke the device by definitively canceling its identifier. This operation is irreversible: the device cannot be used again.
  • Link User/Remove User button:
    • The Link User button appears in the following cases:
      • If the device-user link is not established in SA Server.
        In this case, this button allows you to link the device to the user in the SA Server, using the following window:

        This window allows you to update in the SA Server the information entered while assigning the device to the user.
        The information entered at assignment time (see Section Assigning an SA server device to a user) is not displayed in the window:
        • If you fill in these fields again, the corresponding answers are updated in the SA Server.
        • If you leave these fields empty, the SA Server is not updated.
      • If the user does not exist in the SA Server yet.
        In this case, this button allows you to create the user and link him/her to the device, using the following window:

        This window allows you to enter the necessary information to link the device to the user, as described in Section Assigning an SA server device to a user.
    • The Remove User button allows you to remove the link set between the device and the user.
      If you remove a user-device link, you can restore it again later without having to re-enter the necessary information, by clicking on the Link User button.

Managing RFID tokens

IMPORTANT:

  • To enable the management of RFID tokens, the RFID option must have been selected upon the installation of EAM Console. For more details, see One Identity EAM Installation Guide.

  • Workstations using RFID tokens must be equipped with a compliant RFID hardware system. For more details on the supported RFID devices, see One Identity EAM Release Notes.

  • Bluetooth devices can also be used to authenticate and are recognized by EAM Console as RFID badges. To do so, the Bluetooth device used must be paired with the workstation.

RFID definition

RFID, the acronym for Radio Frequency IDentification, is a technology used wherever a unique identification system is needed. In information systems, RFID can be used to secure equipped workstations. An RFID system consists of an antenna and a transceiver (short for transmitter-receiver), which read the radio frequency signal and exchange information with an RFID token, which contains the information to be transmitted.

Possible states of an RFID token

Interface design

To manage the RFID tokens, you will use the following administration panels:

  • The RFID panel, which gives you an overview of the RFID tokens used in the company. You may use the intuitive filter area, which is useful when managing a large number of tokens.

  • The Directory panel, which allows you to manage the RFID tokens of a specific user and to configure RFID parameters.

Assigning an RFID token

Before starting
  • To be able to assign an RFID token, you must have either the RFID token itself or its serial number.
  • To perform the task described in this section, you must have at least the following administration role:
    • In classic administration mode: "Smart card administrator" and at least one of the following roles: "Security object administrator" or "Access administrator" or "Rights administrator".
    • In advanced administration mode, your role must contain the following administration rights: "Token: Assignment" and "Directory: Browsing".

      NOTE: When a user authenticates in Multi-User Desktop mode with an unassigned RFID badge, he will be able to assign it with his credentials. He will have to choose a PIN if the RFID+PIN authentication method is active.

Procedure

  1. Make sure that the following security profiles have one of the RFID authentication methods:
  2. In the tree structure of the Directory panel, select the user to whom you want to assign an RFID token and click the RFID tab.
    • The tab appears.
  3. Click Assign.
    • The token selection window appears.

      NOTE: If your workstation is not equipped with an RFID device, the Select a present RFID option is disabled.
  4. Define the RFID token to assign using one of the two following methods:
    • If you have the RFID token to assign, select it in the drop-down list.
    • Otherwise, enter its serial number.
  5. (Optional): select the Expiry date to define the day and hour of the RFID token expiration.

    NOTE: You can change this option at any time through the RFID tab of the selected user.
  6. If the RFID+PIN authentication method is activated, fill in the Default PIN field to assign a PIN to the RFID badge.
  7. (Optional): select the Change PIN at next connection check box to force the user to change his PIN at the next authentication.
  8. Click OK.
