Enterprise Single Sign-On 9.0.2 - One Identity Enterprise Access Management Console Administration Guide

Managing Mobile Devices

Subject

The EAM console includes a mobile devices management module dedicated to the QRentry feature. This module allows you to:

  • Display the list of the mobile devices already enrolled, and the list of the mobile devices not yet enrolled (optional).
  • Show the properties of each mobile device (device name, local administration access...).
  • Remove a mobile device from your configuration.

NOTE: For a complete description of the QRentry feature, please refer to QRentry User’s Guide.

Procedure

  • From the EAM console welcome page, click the Mobile Devices Management button.
    • The list of enrolled mobile devices appears:

    1. To add the mobile devices that are not yet enrolled to the list, select the check box and click Apply.
    2. To remove a mobile device, select it in the list and click Remove.
Hint

Double-click a listed mobile device to browse to the Mobile Devices tab of the user associated with this device. For more details on this tab, see Managing user Mobile Devices.

Enabling the public key authentication method

PKA (Public Key Authentication)

One Identity EAM provides smart card authentication. This authentication method is used to store the user’s directory credentials necessary to access the user’s SSO data. In addition, EAM supports Microsoft smart card logon authentication, but that method is limited to external public key infrastructures that are Microsoft-compliant.

Public Key Authentication (PKA) is another authentication method supported by EAM that can be used to grant SSO to users. The goal of EAM PKA is to provide user authentication and SSO based on X.509 certificates: the user is authenticated and granted access to SSO only if the user’s certificate is valid and the user can prove ownership of it, that is, possession of the matching private key. EAM PKA supports certificates carried on smart cards, the most widespread way of deploying certificates.

PKA authentication process

Once the PKA authentication method is enabled, the EAM PKA authentication process is as follows:

  1. Identification of the inserted smart card (this requires a properly configured smart card XML description file).
  2. If the smart card is PKA compliant, the EAM Client reads the certificate and retrieves the user’s name using the attribute mapping rules (contents of the certificate on one side, user attributes in the LDAP directory on the other).
  3. Once the user has been identified, the EAM Client prompts the user for his/her smart card PIN.
  4. Verification of the user’s public key certificate.
  5. Certificate enrollment: if this is the first time the user logs on to his/her workstation using the PKA authentication method, the EAM Controller automatically creates in the EAM directory an object that contains the user’s LDAP credentials (login name and password). To create the LDAP object, the EAM Controller does the following:
    • It verifies the user’s certificate (validity period, authorized usage, trusted certification authority, revocation status).
    • If the certificate is valid, EAM prompts the user to enter his/her LDAP credentials (login name and password).
    • If these credentials grant access to the LDAP directory, EAM encrypts them using the public key from the user’s certificate.
    • EAM then creates an LDAP object where the user’s encrypted LDAP credentials are stored. Access to this LDAP object is restricted to that user; moreover, the user must authenticate with that certificate to gain access to his/her LDAP credentials, since only the matching private key on the smart card can decrypt them.
  6. Retrieving the encrypted LDAP credentials from the EAM directory.
  7. Decrypting the LDAP credentials using the user’s private key stored on the smart card.
  8. Using the decrypted LDAP credentials to retrieve the user’s EAM data from the LDAP directory.
Revocation

The EAM PKA authentication process relies on a public key certificate to identify the incoming user. It is therefore necessary to ensure that any public key certificate used to authenticate a user is valid and properly trusted.

This requires external PKI material: the public key certificate of each trusted certification authority, and access to an Online Certificate Status Protocol (OCSP) responder or to a set of Certificate Revocation Lists (CRLs).

During the certificate enrollment, the user’s public key certificate is validated as follows:

  • Its issuing Certification Authority must be identified as a trusted authority for the purpose of EAM PKA.
  • If a CRL or an OCSP responder is defined for that issuing certification authority (or defined in the certificate itself), the revocation status is checked.

The revocation engine is included in the EAM Controller. Its job is to keep the revocation status of all public key certificates used for EAM PKA up to date. For each CRL distribution point or OCSP responder defined, the revocation engine performs the following operations:

  • Computes the time of the next revocation update.
  • Collects the revocation information.
  • Checks the revocation status of all enrolled public key certificates.
  • Checks the revocation status of the public key certificate of every trusted certification authority.

NOTE: Anytime a user’s public key certificate is revoked, its status is updated in the EAM directory and the user’s smart card is automatically blacklisted.
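The enrollment, logon and revocation steps described above, as an added example in Go. This is illustration code written for this page, not EAM's own implementation, and it fills in the pieces the guide does not specify: a throwaway CA whose single user certificate stands in for the one on the smart card (the card's private key is an in-process RSA key; card detection and the PIN prompt are not modelled), RSA-OAEP as the scheme that encrypts the LDAP credentials under the certificate's public key, a plain map keyed by certificate CN as the EAM directory object (one hypothetical attribute-mapping rule, certificate CN to LDAP cn), and a CRL as the only revocation source (OCSP is not modelled). The serial counter and the credentials "jdoe" / "Ldap-S3cret" are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var counter int64 = 1000 // toy serial source for this example; a real CA uses large random serials

// issue signs a certificate for cn: a self-signed CA when parent is nil, otherwise a PKA user certificate (client auth + key encipherment) issued by parent.
func issue(cn string, key *rsa.PrivateKey, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, error) {
	counter++
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(counter), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// publishCRL has the CA sign a CRL listing the given serials: the revocation information the EAM revocation engine would fetch from a CRL distribution point.
func publishCRL(ca *x509.Certificate, caKey *rsa.PrivateKey, revoked ...*big.Int) (*x509.RevocationList, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(now.UnixNano()), ThisUpdate: now, NextUpdate: now.Add(time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil { return nil, err }
	return x509.ParseRevocationList(der)
}

// validate applies the enrollment checks the guide lists: trusted issuing CA, validity period, authorized usage, and revocation status from a CRL that must itself verify.
func validate(cert, ca *x509.Certificate, crl *x509.RevocationList) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil { return err } // chain to a trusted CA, validity period, extended key usage
	if cert.KeyUsage&x509.KeyUsageKeyEncipherment == 0 { return errors.New("key usage forbids wrapping credentials") }
	if err := crl.CheckSignatureFrom(ca); err != nil { return err } // unsigned or foreign CRL: fail closed
	if time.Now().After(crl.NextUpdate) { return errors.New("CRL is stale") } // a stale CRL is not "not revoked"
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 { return errors.New("certificate is revoked") }
	}
	return nil
}

// enroll is the first PKA logon: after validation, seal "login\x00password" with RSA-OAEP under the certificate's
// public key and store it in dir, a map standing in for the EAM directory object (keyed by the rule certificate CN -> LDAP cn).
func enroll(dir map[string][]byte, cert, ca *x509.Certificate, crl *x509.RevocationList, login, password string) error {
	if err := validate(cert, ca, crl); err != nil { return err }
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok { return errors.New("PKA certificate must carry an RSA key") }
	blob, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(login+"\x00"+password), nil)
	if err != nil { return err }
	dir[cert.Subject.CommonName] = blob
	return nil
}

// retrieve is every later logon: re-validate (so revocation is rechecked), fetch the sealed object, and decrypt it with the card's private key.
func retrieve(dir map[string][]byte, cert, ca *x509.Certificate, crl *x509.RevocationList, cardKey *rsa.PrivateKey) (string, string, error) {
	if err := validate(cert, ca, crl); err != nil { return "", "", err }
	blob, ok := dir[cert.Subject.CommonName]
	if !ok { return "", "", errors.New("user is not enrolled") }
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, cardKey, blob, nil)
	if err != nil { return "", "", err }
	login, password, ok := strings.Cut(string(plain), "\x00")
	if !ok { return "", "", errors.New("malformed credential object") }
	return login, password, nil
}

// scenario runs the whole flow (enroll, log on, revoke the card's certificate, log on again) and returns
// the credentials recovered before revocation together with the error produced after it.
func scenario() (login, password string, afterRevoke error, err error) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	cardKey, _ := rsa.GenerateKey(rand.Reader, 2048) // generated on, and never leaving, the smart card
	ca, err := issue("Example PKA CA", caKey, nil, nil)
	if err != nil { return }
	user, err := issue("jdoe", cardKey, ca, caKey)
	if err != nil { return }
	crl, err := publishCRL(ca, caKey) // nothing revoked yet
	if err != nil { return }
	dir := map[string][]byte{}
	if err = enroll(dir, user, ca, crl, "jdoe", "Ldap-S3cret"); err != nil { return } // constructed credentials
	if login, password, err = retrieve(dir, user, ca, crl, cardKey); err != nil { return }
	if crl, err = publishCRL(ca, caKey, user.SerialNumber); err != nil { return } // card reported lost: CA revokes it
	_, _, afterRevoke = retrieve(dir, user, ca, crl, cardKey)
	return
}

func main() {
	login, _, afterRevoke, err := scenario()
	if err != nil { panic(err) }
	fmt.Printf("enrolled and logged on as %q; logon after revocation: %v\n", login, afterRevoke)
}
```

The post-revocation logon fails with "certificate is revoked" even though the card still holds a working private key, which is the point of the revocation engine described above. Two choices worth keeping in any real implementation: a CRL is trusted only after its signature and NextUpdate have been checked, so an unsigned, foreign or stale CRL fails the logon instead of silently passing it; and the credentials are sealed under the certificate's public key only after that certificate has passed the same checks. The block uses the RevokedCertificates field so that it builds on Go 1.19 and later; on Go 1.21 and later the RevokedCertificateEntries field is the current API for the same data.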

Configuring user and access point security profiles to support the PKA authentication method

Before starting
  • A smart card XML description file must exist and it must contain the description of the specific type(s) of smart card that will be used for PKA authentication. Several reserved keywords are used in the XML file to specify to EAM that this smart card will be used for that purpose (see Section Customizing configuration files).
  • To perform the task described in this section, you must have the following administration role:
    • In classic administration mode: "Security object administrator".
    • In advanced administration mode, your role must contain the following administration rights: "User security profile: Creation/Modification", "Access point security profile: Creation/Modification".

Procedure

  1. Import a smart card XML description file, which is properly configured (see Section Customizing configuration files).
  2. Create (or modify) a user security profile with the following mandatory requirements:
    • The PKA-compliant authentication method must be selected.
    • The Password authentication method must also be selected.

NOTE: For more details, see Section Configuring User Security Profiles.
  3. Create (or modify) an access point security profile with exactly the same mandatory requirements. For more details, see Section Configuring Access Point Security Profiles.

Activating the PKA authentication method and defining the set of authorized certification authorities

To perform the task described in this section, you must have the following administration role:

  • In classic administration mode: "Security object administrator".
  • In advanced administration mode, your role must contain the following administration rights: "PKA authority: Creation/Modification", "PKA authority: Deletion".
