e-sso 803 consoleadminguide

Enterprise SSO Console Administrator Guide 8.0.3 Enterprise Single Sign-On



Copyright © 1998-2009 Quest Software and/or its Licensors ALL RIGHTS RESERVED.

This publication contains proprietary information protected by copyright. The software described in this publication is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical or otherwise without the prior written permission of the publisher.

DISCLAIMER The information in this publication is provided in connection with Quest branded products from Evidian. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this publication. EXCEPT AS OTHERWISE SPECIFIED IN THE END USER LICENSE AGREEMENT FOR THIS PRODUCT, EVIDIAN AND QUEST ASSUME NO LIABILITY WHATSOEVER AND DISCLAIM ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO THIS PRODUCT, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL EVIDIAN OR QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS PUBLICATION, EVEN IF EVIDIAN OR QUEST HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Evidian and Quest make no representations or warranties with respect to the accuracy or completeness of the contents of this publication and reserve the right to make changes to specifications and product descriptions at any time without notice. Evidian and Quest do not make any commitment to update the information contained in this publication. The information and specifications in this publication are subject to change without notice.

Trademarks Quest, Quest Software, the Quest Software logo, Aelita, AppAssure, Benchmark Factory, Big Brother, DataFactory, DeployDirector, ERDisk, Foglight, Funnel Web, I/Watch, Imceda, InLook, IntelliProfile, InTrust, IT Dad, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, NBSpool, NetBase, Npulse, PerformaSure, PL/Vision, Quest Central, RAPS, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL LiteSpeed, SQL Navigator, SQL Watch, SQLab, Stat, Stat!, StealthCollect, Tag and Follow, Toad, T.O.A.D., Toad World, Vintela, Virtual DBA, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. The terms Evidian, AccessMaster, SafeKit, OpenMaster, SSOWatch, WiseGuard, Enatel and CertiPass are trademarks registered by Evidian. All other trademarks mentioned in this document are the property of their respective owners.

World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656 Website: www.quest.com Please refer to our website for regional and international office information.

Quest Enterprise SSO Updated – January 2010 Software version – 8.0.3


CONTENTS

About This Guide ..... 7
  Access Management ..... 7
  Conventions ..... 8
1. Overview ..... 9
  1.1 Enterprise SSO Concepts ..... 9
  1.2 Enterprise SSO Controllers ..... 10
    1.2.1 Enterprise SSO Services ..... 10
    1.2.2 Domain Controller Selection ..... 12
  1.3 A Multi-Domain Architecture ..... 12
  1.4 General Ergonomic Design ..... 15
    1.4.1 Home Window ..... 15
    1.4.2 Directory Panel Overview ..... 17
2. Authenticating to E-SSO Console and Managing Protection Modes ..... 19
  2.1 Starting/Stopping the Enterprise SSO Console ..... 19
    2.1.1 Starting the Enterprise SSO Console ..... 19
    2.1.2 Stopping the Enterprise SSO Console ..... 21
  2.2 Managing Protection Modes ..... 21
    2.2.1 Displaying the Current Protection Mode ..... 21
    2.2.2 Migrating from Software Mode to Hardware Mode ..... 22
    2.2.3 Managing Administrators whose Administration Keys are Protected by Software Encryption ..... 23
3. Searching the Directory Tree ..... 25
  3.1 Searching for Directory Objects ..... 25
  3.2 Deleting Search Requests ..... 27
4. Managing Administrators ..... 28
  4.1 Administration Modes—Presentation ..... 28
    4.1.1 The Classic Administration Mode ..... 28
    4.1.2 The Advanced Administration Mode ..... 30
    4.1.3 Administration Role Inheritance ..... 30
  4.2 Delegating Administration Profiles ..... 31
  4.3 Managing Administration Profiles ..... 33
    4.3.1 Creating/Editing an Administration Profile ..... 33
    4.3.2 Deleting an Administration Profile ..... 36
  4.4 Transferring an Administration Role ..... 36
  4.5 Deleting Administration Role ..... 37
  4.6 Displaying your Administration Role ..... 37
  4.7 Modifying the Parent Administrator ..... 38
  4.8 Defining Multiple Primary Administrators ..... 39
5. Managing Security Profiles ..... 40
  5.1 Managing Timeslices ..... 40
    5.1.1 Creating/Modifying Timeslices ..... 41
    5.1.2 Configuring Timeslices ..... 41
    5.1.3 Displaying Timeslice Event Logs ..... 42
    5.1.4 Renaming Timeslices ..... 43


    5.1.5 Deleting Timeslices ..... 43
  5.2 Managing Password Format Control Policies ..... 44
    5.2.1 Creating/Modifying Password Format Control Policies ..... 44
    5.2.2 Configuring Password Format Control Policy ..... 45
    5.2.3 Displaying Password Format Control Policy Event Logs ..... 46
    5.2.4 Renaming Password Format Control Policies ..... 47
    5.2.5 Deleting Password Format Control Policies ..... 47
  5.3 Managing User Security Profiles ..... 47
    5.3.1 Creating/Modifying User Security Profiles ..... 48
    5.3.2 Configuring User Security Profiles ..... 49
    5.3.3 Displaying User Security Profile Event Logs ..... 66
    5.3.4 Renaming User Security Profiles ..... 66
    5.3.5 Deleting User Security Profiles ..... 67
  5.4 Managing Access Point Security Profiles ..... 67
    5.4.1 Creating/Modifying Access Point Security Profiles ..... 68
    5.4.2 Configuring Access Point Security Profiles ..... 68
    5.4.3 Displaying Access Point Security Profile Event Logs ..... 81
    5.4.4 Renaming Access Point Security Profiles ..... 82
    5.4.5 Deleting Access Point Security Profiles ..... 82
  5.5 Managing Application Security Profiles ..... 83
    5.5.1 Managing Password Generation Policies ..... 83
    5.5.2 Creating/Modifying Application Security Profiles ..... 87
    5.5.3 Configuring Application Security Profiles ..... 88
    5.5.4 Displaying Application Security Profile Event Logs ..... 94
    5.5.5 Renaming Application Security Profiles ..... 94
    5.5.6 Deleting Application Security Profiles ..... 95
  5.6 Defining Security Profiles Default Values ..... 95
  5.7 Managing User and Access Point Security Profiles Priorities ..... 97
6. Managing Directory Objects ..... 99
  6.1 Managing Applications ..... 100
    6.1.1 Creating an Application ..... 100
    6.1.2 Defining the General Properties of an Application ("Configuration"/"General" Tab) ..... 103
    6.1.3 Creating the Account Properties of an Application ..... 104
    6.1.4 Defining the Single Sign-On Properties of an Application ("Configuration"/"SSO" Tab) ..... 110
    6.1.5 Defining External Names ("Configuration"/"External Names" Tab) ..... 112
    6.1.6 Assigning Users to an Application ..... 113
    6.1.7 Sharing the Administration of an Application ("Administrators" Tab) ..... 113
    6.1.8 Generating/Importing Accounts for an Application ("Account Generation" Tab) ..... 114
    6.1.9 Assigning Access Points to an Application ("Access Points" Tab) ..... 116
    6.1.10 Displaying Accounts Associated With the Application ("Accounts" Tab) ..... 118
    6.1.11 Displaying Application Event Logs ("Events" Tab) ..... 119
    6.1.12 Displaying/Modifying Application Information ("Information" Tab) ..... 120
    6.1.13 Renaming Applications ..... 120
    6.1.14 Deleting Applications ..... 120


  6.2 Managing Users ..... 121
    6.2.1 Displaying User General Information ("Information" Tab) ..... 121
    6.2.2 Defining User Connection Parameters ("Connection" Tab) ..... 122
    6.2.3 Assigning a User Security Profile to a User ("Security Profile" Tab) ..... 128
    6.2.4 Declaring a User as an Administrator ("Administration" Tab) ..... 129
    6.2.5 Assigning/Forbidding Access Points to a User ("Access Points" Tab) ..... 129
    6.2.6 Managing User's Accounts ("Accounts" Tab) ..... 131
    6.2.7 Managing User's Smart Cards ("Smart Card" Tab) ..... 133
    6.2.8 Displaying User's Biometric Data ("Biometrics" Tab) ..... 134
    6.2.9 Assigning Applications to a User ("Application Access" Tab) ..... 135
    6.2.10 Managing User's RFID Tokens ("RFID" Tab) ..... 136
    6.2.11 Managing Data Privacy ("DP" Tab) ..... 136
    6.2.12 Displaying User Event Logs ("Event" Tab) ..... 137
  6.3 Managing Access Points ..... 137
    6.3.1 Displaying Access Point General Information ("Information" Tab) ..... 138
    6.3.2 Defining Access Point Configuration Parameters ("Configuration" Tab) ..... 139
    6.3.3 Assigning/Forbidding Users to Access Points ("Authorized Users" Tab) ..... 141
    6.3.4 Assigning/Forbidding Applications to Access Points ("Available Applications" Tab) ..... 142
    6.3.5 Displaying Access Point Event Logs ("Events" Tab) ..... 144
  6.4 Managing Representative Objects ..... 144
    6.4.1 Managing Inbound Representative Objects ..... 145
    6.4.2 Managing Outbound Representative Objects ..... 149
    6.4.3 Displaying Representative Event Logs ..... 153
    6.4.4 Renaming Representative Objects ..... 153
    6.4.5 Deleting Representative Objects ..... 154
  6.5 Managing Clusters of Access Points ..... 154
    6.5.1 Creating and Configuring a Cluster of Access Points ..... 156
    6.5.2 Displaying Cluster Event Logs ("Events" Tab) ..... 159
    6.5.3 Renaming Clusters ..... 159
    6.5.4 Deleting Clusters ..... 160
  6.6 Selecting a Domain Controller ..... 160
7. Managing Smart Cards ..... 162
  7.1 Assigning Smart Cards to Users ..... 164
    7.1.1 Assigning Smart Cards to Many Users ..... 164
    7.1.2 Assigning a Smart Card to a User ..... 166
    7.1.3 Assigning a new Smart Card Allowing a User to log on a Workstation which is Disconnected from the Directory ..... 168
  7.2 Formatting Smart Cards ..... 169
  7.3 Forcing a New PIN ..... 170
  7.4 Disabling Temporarily Smart Cards ..... 171
    7.4.1 Disabling Temporarily Smart Cards from the Smart Card Panel ..... 171
    7.4.2 Disabling Smart Cards of a User from the Directory Panel ..... 171
  7.5 Unlocking Smart Cards ..... 172
    7.5.1 Unlocking Smart Cards from the Smart Card Pane ..... 172
    7.5.2 Unlocking Smart Cards from the Directory Panel ..... 174
    7.5.3 Defining Contact Information ..... 174


  7.6 Sending Smart Cards to a Blacklist ..... 175
    7.6.1 Sending Smart Cards to a Blacklist from the Smart Card Panel ..... 175
    7.6.2 Sending Smart Cards to a Blacklist from the Directory Panel ..... 176
  7.7 Extending the Validity of a Smart Card ..... 176
  7.8 Displaying Smart Card Properties ..... 178
  7.9 Displaying the List of Supported Smart Cards ..... 179
  7.10 Managing Smart Card Configuration Profiles ..... 180
    7.10.1 Creating / Modifying Configuration Profiles ..... 180
    7.10.2 Renaming Configuration Profiles ..... 181
    7.10.3 Deleting Configuration Profiles ..... 182
  7.11 Managing Loan Cards ..... 182
    7.11.1 Assigning a Loan Card to a User ..... 182
    7.11.2 Returning Loan Cards ..... 183
  7.12 Managing Smart Card's Authentication Parameters ..... 185
  7.13 Managing Batches of Smart Cards ..... 186
    7.13.1 Defining a Stock of Tokens ..... 186
    7.13.2 Displaying Information on Stocks ..... 188
    7.13.3 Forcing the Use of Smart Cards Defined in the Batch ..... 189
8. Managing SA Server Devices ..... 190
  8.1 Configuring Enterprise SSO for SA Server Management ..... 190
    8.1.1 Configuring SA Server Connection ..... 191
    8.1.2 Configuring the SA Server Device Management ..... 192
  8.2 Managing SA Server Devices ..... 194
    8.2.1 Assigning an SA Server Device to a User ..... 194
    8.2.2 Formatting an SA Server Device ..... 196
    8.2.3 Blacklisting an SA Server Device ..... 196
    8.2.4 Managing the Link between User and SA Server Device ..... 197
9. Managing RFID Tokens ..... 200
  9.1 Assigning an RFID Token ..... 202
  9.2 Locking and Unlocking an RFID Token ..... 203
    9.2.1 Locking and Unlocking an RFID Token from the Directory Panel ..... 203
    9.2.2 Locking and Unlocking an RFID Token from the RFID Panel ..... 204
  9.3 Blacklisting and Deleting an RFID Token ..... 205
    9.3.1 Blacklisting and Deleting an RFID Token From the Directory Panel ..... 205
    9.3.2 Blacklisting and Deleting an RFID Token from the RFID Panel ..... 207
  9.4 Modifying the Detection Areas and the Grace Period ..... 208
  9.5 Exporting a List of RFID Tokens ..... 210
10. Managing Biometric Enrolment ..... 211
  10.1 Defining the Biometric Enrolment Policy ..... 213
  10.2 Defining the Biometric Workstation Parameters ..... 213
  10.3 Managing the User Enrolment ..... 213
  10.4 Displaying and Exporting the Biometric Enrolment Report ..... 214
11. Managing Data Privacy ..... 215
  11.1 Generating Keys ..... 217
    11.1.1 Generating Keys for a Single User or a Group of Users ..... 217
    11.1.2 Massive Keys Generation (Batch Mode) ..... 218
    11.1.3 Configuring the Automatic Generation of a Key upon User's Logon ..... 219


  11.2 Renewing Keys ..... 220
    11.2.1 Renewing Manually a Key ..... 220
    11.2.2 Configuring Automatic Updates of Keys ..... 222
  11.3 Allowing Users to Refresh their Keys from the Directory ..... 223
  11.4 Exporting a List of Generated Keys ..... 225
12. Enabling the Public Key Authentication Method ..... 226
  12.1 Configuring User and Access Point Security Profiles to Support the PKA Authentication Method ..... 228
  12.2 Activating the PKA Authentication Method and Defining the Set of Authorized Certification Authorities ..... 228
    12.2.1 Activating the PKA Authentication Method ..... 229
    12.2.2 Configuring the Set of Authorized Certification Authorities ..... 230
  12.3 Configuring the Automatic Update of the Revocation Information ..... 232
    12.3.1 Importing a CRL Point of Distribution ..... 233
    12.3.2 Importing an OCSP Responder ..... 233
    12.3.3 Deleting a CRL Point of Distribution or an OCSP Responder ..... 234
13. Managing Audit Events ..... 235
  13.1 Displaying Audit Events ..... 236
  13.2 Managing Audit Filters ..... 237
    13.2.1 Filtering Audit Records ..... 237
    13.2.2 Assigning an Audit Filter to Specific Objects ..... 239
  13.3 Interpreting Audit Events ..... 242
    13.3.1 The Audit Main Window ..... 242
    13.3.2 The "Event Details" Window ..... 244
    13.3.3 Detailed Information on Administration Audit Events ..... 245
  13.4 Exporting Audit Events ..... 247
  13.5 Archiving Audit Records ..... 247
  13.6 Retrieving User ID from Audit ID ..... 248
  13.7 Retrieving Event Codes ..... 248
14. Customizing Configuration Files ..... 249
  14.1 Importing a List of Supported Authentication Tokens ..... 249
  14.2 Adding User Attribute Information ..... 250
15. Creating Scripts ..... 252
  15.1 Using the Script Editor ..... 252
  15.2 Script Commands ..... 253
    15.2.1 CREATE_ROLE ..... 253
    15.2.2 CREATE_ACCESS ..... 253
    15.2.3 CREATE_ACCOUNT ..... 254
  15.3 Importing Script Files ..... 256
A. Regular Expressions–Basic Syntax ..... 257
B. Listing Audit Events and Error Codes ..... 259
  B.1 Listing Audit Events ..... 259
  B.2 Listing Error Codes ..... 261
C. List of Administration Rights ..... 263
About Quest Software, Inc. ..... 267
  Contacting Quest Software ..... 267
  Contacting Quest Support ..... 267


About This Guide

Access Management

Subject

This guide describes how to administer a Quest Enterprise SSO solution using Enterprise SSO Console, the centralized administration and audit consultation tool.

Intended Reader

• System integrators.
• Administrators.

Software/Hardware Required

Enterprise SSO Console 8.0 evolution 3 and later versions.

For more information about the versions of the required operating systems and software solutions quoted in this guide, please refer to Quest Enterprise SSO Release Notes.

Supported Operating Systems

Enterprise SSO Console runs only on Windows systems.


Conventions

In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references.

ELEMENT            CONVENTION

Select             This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.

Bolded text        Interface elements that appear in Quest products, such as menus and commands.

Italic text        Used for comments.

Bold Italic text   Introduces a series of procedures.

Blue text          Indicates a cross-reference. When viewed in Adobe® Acrobat®, this format can be used as a hyperlink.

[icon]             Used to highlight additional information pertinent to the process being described.

[icon]             Used to provide Best Practice information. A best practice details the recommended course of action for the best result.

[icon]             Used to highlight processes that should be performed with care.

+                  A plus sign between two keystrokes means that you must press them at the same time.

|                  A pipe sign between elements means that you must select the elements in that particular sequence.


1. Overview

This guide describes how to use Enterprise SSO (or E-SSO) Console, the administration tool that allows you to define your company's Access Management configuration, from the setting up of the basic security objects to the definition of access rights for users, workstations and applications.

1.1 Enterprise SSO Concepts

Enterprise SSO is the module of the Access Management solution that provides centralized management of application and network access strategies and security data. For this purpose it is based on the management of three types of objects:

• The company's users.
• The company's applications for which you will enable the single sign-on functionality.
• The client workstations (Access Points) on which users log on to access their applications.

Quest Enterprise SSO offers two Access Point functional modes. The wanted mode is selected at installation time (see Enterprise SSO Advanced Installation and Configuration Guide):

• In "manage-access-point" mode, you can define security policies for individual workstations and groups of workstations.

• In "no-access-point-management" mode, no objects representing client workstations are created or used in the directory, and one security policy is applied to all access points. In this mode, Enterprise SSO controllers do not "authenticate" client workstations.

Your main administration task consists of implementing the relations between these three types of objects, as shown in the following diagram:


[Figure: the Access Point, User A and Application objects, linked by the Connection, Access and Availability relations, together with the Password Format Policy and Password Generation Policy objects.]

The term User refers to the user himself, a group of users or an organizational unit that contains users. Likewise, the term Access Point refers to the access point itself (which is a computer), a group of computers or an organizational unit that contains computers.

1.2 Enterprise SSO Controllers

1.2.1 Enterprise SSO Services

Enterprise SSO Services Overview

When an Enterprise SSO controller is installed, several services dedicated to specific features are installed at the same time. The set of functions provided by Enterprise SSO is gathered in the following services:

• Administration.

• Audit collection.

• Access point registration.

• User enrolment.

Each Enterprise SSO controller may offer the full set of services or only a part of them.


Enterprise SSO Services Management

At installation time, Enterprise SSO controllers are not specialized: all the above services are available.

The Enterprise SSO Console allows you to dedicate an Enterprise SSO controller to a subset of services. Once specialized, each controller continues to run all the services but only a part of them is used by the workstations.

At any time, you can change the Enterprise SSO controller configuration from the Enterprise SSO Console (as explained in Section 6.3.2.2, Managing the Access Point Available Services) without having to install anything on the controller.

Workstation Connection to Enterprise SSO controllers

All the controllers and their services are registered in the directory.

The first time a workstation needs to connect to an Enterprise SSO controller, it obtains the list of existing controllers from the directory and builds a cache of the available services, classified by site. Then the workstation tries to connect to an Enterprise SSO controller that explicitly provides the required Service in its site. If no such controller is available, the workstation tries to connect to an Enterprise SSO controller that provides all Services in its site. If no such controller is available either, it tries in the other sites.

This list is rebuilt only when the cache expires, so when you change the services configuration from the Enterprise SSO Console, it takes time before all the workstations use the new services. For this reason, and for backward compatibility with the previous version of Enterprise SSO, an Enterprise SSO controller keeps providing all Services.
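Added example (Python, not Quest's code) modelling the controller selection order described above as a workstation would apply it against its cached, per-site controller list. Controller names, site names and the service name strings are constructed for the example; the order in which the other sites are tried is an assumption, since the guide only says the workstation "tries in the other sites".

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List, Optional

# The four service types an Enterprise SSO controller can host (names follow the guide).
ALL_SERVICES: FrozenSet[str] = frozenset(
    {"administration", "audit_collection", "access_point_registration", "user_enrolment"}
)


@dataclass(frozen=True)
class Controller:
    """One controller entry as registered in the directory."""
    name: str
    site: str
    services: FrozenSet[str]  # services the controller is dedicated to; all four if not specialized

    @property
    def provides_all(self) -> bool:
        return self.services == ALL_SERVICES


def build_service_cache(controllers: Iterable[Controller]) -> Dict[str, List[Controller]]:
    """Build the per-site controller list that the workstation keeps in its cache."""
    cache: Dict[str, List[Controller]] = {}
    for ctl in controllers:
        unknown = ctl.services - ALL_SERVICES
        if unknown:
            raise ValueError(f"{ctl.name}: unknown service(s) {sorted(unknown)}")
        cache.setdefault(ctl.site, []).append(ctl)
    return cache


def select_controller(
    cache: Dict[str, List[Controller]],
    workstation_site: str,
    service: str,
    reachable: Callable[[Controller], bool],
) -> Optional[Controller]:
    """Pick a controller for `service` in the order the guide describes:
    1. a controller in the workstation's site explicitly dedicated to the service,
    2. a controller in the workstation's site that provides all services,
    3. otherwise the same two steps in the other sites (the site iteration order,
       alphabetical here, is an assumption).
    `reachable` stands for the connection attempt and is checked per candidate."""
    if service not in ALL_SERVICES:
        raise ValueError(f"unknown service {service!r}")

    def first_match(site: str, explicit: bool) -> Optional[Controller]:
        for ctl in cache.get(site, []):
            if explicit:
                match = service in ctl.services and not ctl.provides_all
            else:
                match = ctl.provides_all
            if match and reachable(ctl):
                return ctl
        return None

    ordered_sites = [workstation_site] + sorted(s for s in cache if s != workstation_site)
    for site in ordered_sites:
        for explicit in (True, False):
            ctl = first_match(site, explicit)
            if ctl is not None:
                return ctl
    return None  # no controller for this service anywhere: the request fails


# Constructed sample topology (not from the guide): two dedicated controllers and one
# unspecialized controller in Paris, plus one unspecialized controller in Lyon.
SAMPLE_CONTROLLERS = [
    Controller("ctl-audit-paris", "paris", frozenset({"audit_collection"})),
    Controller("ctl-admin-paris", "paris", frozenset({"administration"})),
    Controller("ctl-all-paris", "paris", ALL_SERVICES),
    Controller("ctl-all-lyon", "lyon", ALL_SERVICES),
]


def demo(down: FrozenSet[str] = frozenset()) -> Dict[str, Optional[str]]:
    """Resolve every service for a Paris workstation, treating the controllers named
    in `down` as unreachable. Returns service -> chosen controller name (or None)."""
    cache = build_service_cache(SAMPLE_CONTROLLERS)
    result: Dict[str, Optional[str]] = {}
    for svc in sorted(ALL_SERVICES):
        ctl = select_controller(cache, "paris", svc, lambda c: c.name not in down)
        result[svc] = ctl.name if ctl is not None else None
    return result


if __name__ == "__main__":
    print(demo())
    print(demo(down=frozenset({"ctl-audit-paris", "ctl-all-paris"})))
```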

Example

To ensure high availability and good performance, it is worthwhile installing Enterprise SSO on several servers and dedicating each of them to specific services. The following figure shows an example of service distribution: one server is dedicated to the audit and another to the administration.

[Figure: example of service distribution. An E-SSO Controller running the Audit Service receives Audit Collection data from the User Workstation (Advanced Login, SSOWatch, E-SSO Middleware) and feeds the Audit Master Database (Audit Server). A second E-SSO Controller running the Administration Service (Administration Server) serves the Administrator Workstation (Administration Console, SSOStudio, Advanced Login, E-SSO Middleware) for Administration and Audit Analysis. Both controllers use the Corporate LDAP Directory.]


1.2.2 Domain Controller Selection

Windows Reminders

In Active Directory (AD), a Site is a physical group of computers represented by one or more IP subnets.

On Windows server systems, a Domain Controller (DC) is a server that manages all security-related aspects between user and domain interactions (authentication, permissions and so on) within the Windows server domain.

Each domain controller has a copy of the Active Directory (synchronized by a multi-master replication) and is associated with a site.

Within the same site, replication is fast (given adequate network transmission), but it can take a long time between different sites, depending on the data type and the configuration of the replication.

Enterprise SSO Functionality

Enterprise SSO introduces a way to select a specific domain controller to work on. There are two situations where the current domain controller can be changed:

• Persistent change: see Section 6.6, Selecting a Domain Controller.

• Password reset operation: see Section 6.2.2.3, Forcing a New User's Primary Password ("Password" Tab).

1.3 A Multi-Domain Architecture Active Directory Case

In a multi-domain forest the Active Directory database becomes partitioned. That is, each domain maintains a list of only those objects that belong to that domain. So, for example, a user created in Domain A would be listed only in Domain A's domain controllers. With this architecture, the storage of the Enterprise SSO data can be done in two ways:

• Enterprise SSO data is stored in the AD directories and is thus distributed in the forest: see the following figure showing a multi-domain architecture with Enterprise SSO data stored in Active Directory.


[Figure: multi-domain architecture with Enterprise SSO data stored in Active Directory. The Corporate Active Directory is a multi-domain forest extended for the Quest ESSO module: Domain 1 and Domain 2 each hold User, Computer and OU objects plus the E-SSO classes and attributes. Each domain has its own E-SSO Controller and its E-SSO workstation clients running applications (Advanced Login, SSOWatch, E-SSO Console, E-SSO Security Services); both controllers share the Audit Master Database. Legend entries: Administration / Audit Data; Read / Write data.]

When the Enterprise SSO data is stored in the multi-domain forest AD, AD propagates the data to the other directories of the forest, but you have to declare the Enterprise SSO administrators in the other domains if they have to manage data stored in those domains, and you have to declare representatives of users and access points if the users have to connect on the workstations of the other domains.


• Enterprise SSO data is stored at only one place in an ADAM directory and the administration console makes it possible to see at the same time the data in AD and in ADAM: see the following figure showing a multi-domain architecture with Enterprise SSO data stored in ADAM.

[Figure: multi-domain architecture with Enterprise SSO data stored in ADAM. The Corporate Active Directory is a multi-domain forest (AD Domain 1 and AD Domain 2, each holding User, Computer and OU objects); the E-SSO Data is held in a single ADAM instance. Each domain has its own E-SSO Controller and its E-SSO workstation clients running applications (Advanced Login, SSOWatch, E-SSO Console, E-SSO Security Services); both controllers share the Audit Master Database. Legend entries: Administration / Audit Data; Read / Write data.]

When the Enterprise SSO data is stored in ADAM, the Enterprise SSO administration is greatly simplified and identical to single-domain administration.

Architecture Components

The above illustration shows an Enterprise SSO software architecture that allows administrators to manage users that reside in different LDAP domains.

The software architecture depends on the way the Enterprise SSO module is installed. For details on the possible architectures depending on the LDAP directories infrastructures, see Enterprise SSO Advanced Installation and Configuration Guide.


It consists of the following modules:

• The corporate LDAP directory, which already held the company's users before the Enterprise SSO architecture was implemented. During the installation of the software suite, the schema of this directory is extended with Enterprise SSO specific classes and attributes.

• The Enterprise SSO controllers (primary controller, secondary controllers, associated controllers), which provide administration and audit communications between client stations and the LDAP directory.

• A centralized audit database (called the Master database), which contains all the log entries of every individual Enterprise SSO controller. This concerns both user action log entries and administration action log entries. In that case, the local SQL Server databases of individual servers are only used to store the audit events temporarily, before sending them to the Master database. This audit database can be hosted on databases other than SQL Server. For details on the supported databases, see Quest Enterprise SSO Release Notes.

• The Enterprise SSO client workstations, which communicate directly with the corporate LDAP directory and the Enterprise SSO controllers (for administration and audit data). They are the users' Access Points to applications.

• The applications of the Enterprise SSO module, which are based on the Enterprise SSO Security Services:

• Enterprise SSO Console: centralized administration and audit consultation tool. This administration console can be installed on any client workstations and allows you to manage users that reside in different LDAP domains.

• SSOWatch and SSOStudio: the Single Sign-On (SSO) tools.

• Advanced Login: tool for user authentication by password, smart card, RFID or biometrics, and workstation security protection.

1.4 General Ergonomic Design

1.4.1 Home Window

The Enterprise SSO Console home window gives access to all Enterprise SSO available modules.

Some module icons may not be available for the following reasons:

• The module is not installed.

• You do not have enough administration rights to access a module.

The status bar displays the name of the Enterprise SSO Controller that the Enterprise SSO Console uses.


ICON DESCRIPTION

• Directory icon: Gives access to the Directory panel, which allows you to manage all directory objects. This panel is explained in the following sections of this guide:

• Section 3, Searching the Directory Tree.

• Section 4, Managing Administrators.

• Section 5, Managing Security Profiles.

• Section 6, Managing Directory Objects.

• Smart Card icon: Gives access to the Smart Card panel, which allows you to manage smart cards. This panel is explained in the following sections of this guide:

• Section 7, Managing Smart Cards.

• Section 8, Managing SA Server Devices.

• Biometrics icon: Gives access to the Biometrics panel, which allows you to display and export the list of users who have enrolled their biometric data. This panel is explained in Section 10, Managing Biometric Enrolment of this guide.

• RFID icon: Gives access to the RFID panel, which allows you to manage RFID badges. This panel is explained in Section 9, Managing RFID Tokens of this guide.

• Data Privacy icon: Gives access to the Data Privacy panel, which allows you to manage file encryption. This panel is explained in Section 11, Managing Data Privacy of this guide.

• Audit icon: Gives access to the Audit panel, which allows you to audit events. This panel is explained in Section 13, Managing Audit Events of this guide.


1.4.2 Directory Panel Overview

The graphical user interface (GUI) of the Enterprise SSO administration console Directory panel is divided in different areas, as shown in the following illustration:

AREA NAME DESCRIPTION

1. Menu bar: The menu bar contains two types of menus:

• Static menus (File, View and Help), which are always available and always display the same commands.

• A dynamic menu (Directory in the above illustration), which displays specific commands depending on the administration panel selected in area 5.

2. Tool bar: The tool bar is dynamic. It displays buttons that are shortcuts to the menu bar items.

3. Tabbed panel: Depending on your administration role and on the selected administration panel, this area displays tabbed panels that allow you to manage and store access rights and user accounts in the LDAP directory (Directory panel), manage a base of corporate smart cards (Smart Card panel), manage a base of RFID tokens (RFID panel), configure file encryption for some users (Data Privacy panel), display biometric data (Biometrics panel) and display audit information (Audit panel).

4. Directory tree: This area appears in the Directory panel only. It displays your LDAP directory administration perimeter.


5. Navigation bar: This area allows you to switch rapidly between the different administration panels.

• The active panel is shown in a gray circle.

• Depending on your administration rights, some buttons may be deactivated.


2. Authenticating to E-SSO Console and Managing Protection Modes

Quest provides the two following protection modes for the Enterprise SSO security database:

• Hardware protection mode: Enterprise SSO operating mode in which administration encryption keys are protected by cryptographic smart cards. In this mode, smart cards are required to perform Enterprise SSO administration tasks.

• Software protection mode: Enterprise SSO operating mode in which administration keys are protected by passwords and, if wanted, by smart cards. In this mode, smart cards are not required to perform Enterprise SSO administration tasks.

The protection mode is chosen at installation time, during the primary controller initialization (for more information on installation, see Enterprise SSO Advanced Installation and Configuration Guide).

2.1 Starting/Stopping the Enterprise SSO Console

This section explains how to start and stop the Enterprise SSO Console.

2.1.1 Starting the Enterprise SSO Console

Subject

As the Enterprise SSO console is an administration console, the way to start it depends on the protection mode used:

• In hardware protection mode, see Section 2.1.1.1, Starting the Enterprise SSO Console in Hardware Protection Mode.

• In software protection mode, see Section 2.1.1.2, Starting the Enterprise SSO Console in Software Protection Mode.

Upon the first start of Enterprise SSO Console, you authenticate from the Security Module or pass phrase as the super-administrator. Then, depending on your needs, you can define as many administrators as you want, and assign for each one an administration role, with specific administration profiles and for specific organizations of the directory (see Section 4, Managing Administrators).


2.1.1.1 Starting the Enterprise SSO Console in Hardware Protection Mode

Before Starting

To start the Enterprise SSO console in hardware protection mode, make sure you have the Security Module or an administration smart card.

Procedure

1. In the Windows task bar, click Start | Programs | Quest Software | Enterprise SSO | Enterprise SSO Console.

• The Enterprise SSO Console authentication window appears.

2. Insert the Security Module or an administration smart card and type your PIN.

• The Enterprise SSO Console appears.

2.1.1.2 Starting the Enterprise SSO Console in Software Protection Mode

Before Starting

• If you start the Enterprise SSO console in software protection mode for the first time, you must be a primary administrator.

• If you are not a primary administrator, you must have an administration profile to start the console.

Procedure

First Start

1. In the Windows task bar, click Start | Programs | Quest Software | Enterprise SSO | Enterprise SSO Console.

• The Enterprise SSO Console authentication window appears.

2. As a super-administrator, type your identifier and password.

• The administration pass-phrase window appears.

3. Type the pass-phrase that has been entered at installation time, during the primary controller initialization (see Enterprise SSO Advanced Installation and Configuration Guide) and click OK.

• The Enterprise SSO Console appears.


Everyday Start

1. In the Windows task bar, click Start | Programs | Quest Software | Enterprise SSO | Enterprise SSO Console.

• The Enterprise SSO Console authentication window appears.

2. Type your PIN (smart card) or identifier and password.

• The Enterprise SSO Console appears.

2.1.2 Stopping the Enterprise SSO Console

Subject

The following procedure explains how to normally quit the Enterprise SSO console.

Procedure

1. To stop the Enterprise SSO console, click File | Exit.

• A confirmation window appears.

2. Click Yes.

• The Enterprise SSO Console is closed.

2.2 Managing Protection Modes

2.2.1 Displaying the Current Protection Mode

Procedure

The Enterprise SSO Console allows you to display the current protection mode.

In Enterprise SSO Console, click File | Protection Mode.

• The protection mode administration window appears, displaying the current protection mode and information about it. The following window shows an example of software protection mode.


2.2.2 Migrating from Software Mode to Hardware Mode

Subject

If you migrate from software to hardware protection mode, the administration keys will be protected by smart cards only; you will no longer be able to log on to Enterprise SSO without a smart card.

In hardware mode:

• The administration keys are protected by the Security Module.

• The Security Module or a smart card is required to start Enterprise SSO Console.

• The Password Reset server is configured to use smart card authentication.

Before starting

• You must be a primary administrator to perform this task.

• Make sure all administrators possess smart cards that grant administration rights.

• Make sure you have an Enterprise SSO Security Module smart card and the administration pass-phrase that is currently protecting the security database.

• If you use the Enterprise SSO Password Reset server, make sure it is configured to use smart card authentication (see Enterprise SSO Advanced Installation and Configuration Guide).


Procedure

1. Display the protection mode as explained in Section 2.2.1, Displaying the Current Protection Mode.

2. In the Migration tab, click the Migrate to hardware mode button.

• The change protection mode window appears, asking you to insert the Security Module, its associated PIN and the administration pass-phrase.

3. Enter the information required and click OK.

• A confirmation window appears.

4. Click OK.

• You are now working in hardware protection mode.

2.2.3 Managing Administrators whose Administration Keys are Protected by Software Encryption

Subject

The migration from software to hardware protection mode does not delete all copies of the administration keys from the directory: the directory contains an encrypted copy of one or both of the following administration keys:

• SSO Recovery: key pair that protects the copy of the owner's recoverable SSO key in the directory.

• Token Administration: key pair that protects smart card administration data in the directory.

This section explains how to display and manage the administrators who have copies of one or both of these administration keys.

Before Starting

You must be a primary administrator to delete copies of an administration key.


Procedure

1. Display the protection mode as explained in Section 2.2.1, Displaying the Current Protection Mode.

2. Click the Software Mode Keys tab.

• The tab lists the names of the administrators who have copies (stored in the directory) of one or both administrative encryption keys.

3. To delete the copies of the administration keys, select the wanted line and click Delete Keys.

• The copies of the administration keys encrypted by the recoverable keys of the selected users are deleted from the directory.


3. Searching the Directory Tree

Subject

The searching functionality is available from the Directory panel. The search results appear as a tree under the Search request node.

If you execute several search requests, they all appear as a node in the tree.

For performance reasons, you cannot search for a directory container in the directory. Objects designated with a CN are the only ones that can be found.

Before starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator" or "Access administrator" or "Rights administrator" or "Smart card administrator" or "File Encryption administrator".

• In advanced administration mode, your role must contain the following right: "Directory: Browsing".

3.1 Searching for Directory Objects

Subject

This section explains how to use the search function in Enterprise SSO Console.

You can only find objects that you are allowed to access, according to your administration rights.

Procedure

1. In the Directory panel, click the Search request node, or press CTRL+F.

• The search configuration tab appears. For a full description of the tab, see the following Search Configuration Tab - Description section.

2. In the Search root field, click the Select button to select the organization in which you want to search for an object: use the Browse tab to browse the directory tree structure, or use the Search tab to find the organization according to its name.

3. In the Object type list, select the type of object you want to search.


4. In the Filter field, type the wanted search request, as explained in the tab instructions and click Search.

• The search result appears in a new node in the Directory panel, under the Search request node. The following example window shows the result of two search requests.

Search Configuration Tab - Description

• Search root field: The container in which the search is performed.

If you leave this field empty, the search is performed in all the directory organizations to which you are authorized to access.

• Select button Opens the organization selection window, which allows you to browse the directory tree structure (Browse tab) or filter the directory tree (Search tab) to find the organization.

• Remove button Removes the organization from the field. An empty field means all organizations.

• Object type list List of directory objects you can search for in the directory.

For performance reasons, you cannot search for an organization in the directory. Objects designated with a CN are the only ones that can be found.

• Filter field Name of the object (or part of the name, using the * character) you want to search for.

• Search button Performs the search.

• Clear all button Deletes all search requests from the directory tree.


3.2 Deleting Search Requests

Subject

You can delete search requests one by one or all requests simultaneously.

Procedures

Deleting a Search Request

1. In the directory tree, select the search request you want to delete.

• The Information tab appears.

2. Click the Delete button.

• The search request node disappears from the tree.

Deleting All Search Requests

1. In the directory tree, select the Search request node.

• The search configuration tab appears.

2. Click the Clear all button.

• All search request nodes disappear from the tree.


4. Managing Administrators

Subject

This section describes how to delegate, transfer and delete administration profiles in order to manage the users declared in your LDAP directory who are allowed to administer the Quest Enterprise SSO solution through the Enterprise SSO Console.

An administration role is made up of the following elements:

• The administration role scope: the objects of the directory on which the administration role applies.

• One or several administration profile(s): the administration rights allocated to the administration role.

• A parent administrator (optional).

• An audit filter that indicates what administrator actions should be audited.

Enterprise SSO Console allows you to assign administration profiles to users so that they can perform the corresponding administration tasks.

4.1 Administration Modes—Presentation

Quest provides the two following administration modes:

• The classic administration mode: see Section 4.1.1, The Classic Administration Mode.

• The advanced administration mode: see Section 4.1.2, The Advanced Administration Mode.

The administration mode is selected at installation time.

4.1.1 The Classic Administration Mode

Definition

In classic administration mode, administration rights are classified into eight predefined administration profiles that you apply to users so that they can perform their administration tasks in the Enterprise SSO Console.

These administration profiles cannot be modified.


To migrate from the classic administration mode to the advanced administration mode, see Enterprise SSO Advanced Installation and Configuration Guide.

The list of existing administration profiles and their corresponding administration rights (available in advanced administration mode) is given in Appendix C, List of Administration Rights.

Delivered Administration Profiles

Quest delivers the following administration profiles:

ADMINISTRATION PROFILE NAME DESCRIPTION

• "Security object administrator": This role allows the administrator to manage the tokens' inventory and change the following security objects:

• Time slices.

• Password Format Control Policies (PFCP).

• Password Generation Policies (PGP).

• User Security Profiles.

• Access Point Security Profiles.

• Application Security Profiles.

• "Access administrator": This role allows the administrator to authorize applications and users on access points.

• "Rights administrator": This role allows the administrator to authorize a user to use an application. This right also requires administration rights on the application.

• "Smart card administrator": This role allows the administrator to manage smart cards.

• "File Encryption administrator": This role allows the administrator to manage the Data Privacy feature.

• "Auditor": This role allows the administrator to manage the audit.

• "SSO Data Recoverer": This role allows the administrator to reassign recoverable accounts to the user and to change the user's means of authentication without the user losing his SSO data.

• "Authorize propagation of administration rights": This option allows the administrator to delegate his/her administration rights. This delegation is restricted to the administrator's rights and visibility.


4.1.2 The Advanced Administration Mode

Definition

In advanced administration mode, the administration profiles are not limited to eight categories: you can create your own administration profiles by selecting the wanted administration rights.

Possible administration rights

The list of administration rights available in advanced administration mode (and their corresponding administration profiles in classic administration mode) is given in Appendix C. List of Administration Rights.

4.1.3 Administration Role Inheritance

The administration role inheritance principle can be represented by the following tree structure:

[Figure: Administration Role Inheritance. The IT Security Manager (Security Module or Pass phrase) is the root, shown as the Super Administrator; Admin 1, Admin 2 and Admin 3 hang below it, and Admin 4 and Admin 5 hang below them.]

The tree structure root is the IT Security Manager (or primary administrator), which corresponds to a specific user created in the LDAP directory during the installation of the solution. The IT Security Manager administration keys are encrypted with a Security Module or a pass phrase (for more information on the protection modes, see Section 2, Authenticating to E-SSO Console and Managing Protection Modes).

Upon the first start of Enterprise SSO Console, you authenticate from the Security Module or pass phrase as the super-administrator. Then, depending on your needs, you can define as many administrators as you want, and assign for each one an administration profile, with specific administration roles and for specific organizations of the directory.


Administration role is inherited in the following ways:

• Delegate: the current administrator copies his/her administrator role to the selected user.

• Transfer: the administration role of the selected user is transferred to another user (who must not have administration rights yet). This new user replaces the previous administrator.

• Delete: the administration role of the selected user is deleted. The child items of the deleted administrator in the administration tree structure are re-parented to the parent of the administrator whose rights were removed.

In advanced administration mode, the "User administration profile: administration rights manager" administration right allows an administrator to delegate his administration rights or to delete rights to/from an administrator for whom he/she is not the parent administrator.
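Added example, not part of the product: a small Python model of the administration role tree with the Delegate, Transfer and Delete operations of this section, using the classic-mode profile names from Section 4.1.1. Assumptions (not stated by the guide): the root role is neither transferable nor deletable, a delegator must hold the "Authorize propagation of administration rights" profile, a user holds at most one role, and the administrator names are constructed.

```python
from typing import Dict, FrozenSet, Iterable, List, Optional

# Classic-mode administration profile names from Section 4.1.1.
PROPAGATION = "Authorize propagation of administration rights"
PROFILES: FrozenSet[str] = frozenset({
    "Security object administrator", "Access administrator", "Rights administrator",
    "Smart card administrator", "File Encryption administrator", "Auditor",
    "SSO Data Recoverer", PROPAGATION,
})
ROOT = "IT Security Manager"  # primary administrator, root of the tree


class AdminTree:
    """Administration roles as a tree: every administrator has a parent administrator
    and a set of profiles. Assumption: the root holds every profile."""

    def __init__(self) -> None:
        self.parent: Dict[str, Optional[str]] = {ROOT: None}
        self.profiles: Dict[str, FrozenSet[str]] = {ROOT: PROFILES}

    def children(self, admin: str) -> List[str]:
        return sorted(a for a, p in self.parent.items() if p == admin)

    def delegate(self, delegator: str, user: str,
                 profiles: Optional[Iterable[str]] = None) -> None:
        """Copy all (default) or part of the delegator's role to `user`.
        The delegation is restricted to the delegator's own rights, and the
        delegator becomes the parent administrator of `user`."""
        own = self.profiles[delegator]
        if PROPAGATION not in own:
            raise PermissionError(f"{delegator} may not propagate administration rights")
        wanted = own if profiles is None else frozenset(profiles)
        if not wanted <= own:
            raise PermissionError(f"{delegator} cannot delegate {sorted(wanted - own)}")
        if user in self.parent:  # assumption: one role per user
            raise ValueError(f"{user} already holds an administration role")
        self.parent[user] = delegator
        self.profiles[user] = wanted

    def transfer(self, admin: str, new_user: str) -> None:
        """Move admin's whole role (profiles, parent, children) to a user who has no
        administration rights yet; `new_user` replaces `admin` in the tree."""
        if admin == ROOT:
            raise ValueError("the root role cannot be transferred")  # assumption
        if new_user in self.parent:
            raise ValueError(f"{new_user} must not have administration rights yet")
        self.parent[new_user] = self.parent.pop(admin)
        self.profiles[new_user] = self.profiles.pop(admin)
        for child in self.children(admin):
            self.parent[child] = new_user

    def delete(self, admin: str) -> None:
        """Remove admin's role; its children are re-parented to admin's parent."""
        if admin == ROOT:
            raise ValueError("the root role cannot be deleted")  # assumption
        grandparent = self.parent[admin]
        for child in self.children(admin):
            self.parent[child] = grandparent
        del self.parent[admin]
        del self.profiles[admin]


def demo() -> AdminTree:
    """Constructed scenario: the root delegates to Admin 1..3, Admin 1 delegates
    partial roles to Admin 4 and Admin 5, then Admin 1's role is deleted."""
    tree = AdminTree()
    for name in ("Admin 1", "Admin 2", "Admin 3"):
        tree.delegate(ROOT, name)
    tree.delegate("Admin 1", "Admin 4", {"Access administrator", PROPAGATION})
    tree.delegate("Admin 1", "Admin 5", {"Auditor"})
    tree.delete("Admin 1")  # Admin 4 and Admin 5 now hang directly under the root
    return tree


if __name__ == "__main__":
    t = demo()
    print({a: t.parent[a] for a in sorted(t.parent)})
```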

4.2 Delegating Administration Profiles

Subject

Delegating administration profiles consists in copying to a user all or a part of your administration role.

For more details on the administration profiles inheritance mechanisms, see Section 4.1.3, Administration Role Inheritance.

Before Starting

Check that you meet the following requirements:

• The user for which you want to delegate administration profiles must be created in the directory.

• You must have at least the following administration role:

• In classic administration mode: "Authorize propagation of administration rights" and one of the following profiles: "Security object administrator", "Access administrator" or "Rights administrator".

• In advanced administration mode, your role must contain the following rights: "User administration profile: Delegation" and "Directory: Browsing".

• In software protection mode, the user for which you want to delegate administration profiles must have authenticated to the Enterprise SSO Console at least once.

Restriction

You cannot delegate Organizational Units that are outside your administration perimeter.


Procedure

1. In the Directory panel, select the user for which you want to delegate your administration profile.

2. In the Administration tab, click Delegate.

• The tab is automatically filled in with your administration profile attributes and the selected user has an administration profile.

[Screenshots: the Administration tab in Classic Administration Mode and in Advanced Administration Mode.]

3. If you want to modify the delegated administration profile, modify this tab as follows:

a) Advanced organization(s) area: In this area, modify the administration perimeter, by adding or removing Organizational Units (OU) using the Add and Remove buttons.

• For complete visibility, select the directory root.

• You can add as many organizations as required.

b) Managed users area By default, this area is empty. It means the administrator can manage all the people registered in the administered organizations. To restrict the number of users to administer, define in this area the groups and organizational units of the administration perimeter containing the users to administer.


c) Administration role area:

• In Classic Administration Mode: Select the check boxes corresponding to the administration profiles you want to delegate to the user (for more details on existing administration profiles, see Section 4.1.1, The Classic Administration Mode).

• In Advanced Administration Mode: Select the administration profiles you want to assign to the user by using the Add and Remove buttons. To create a new administration profile, see Section 4.3, Managing Administration Profiles.

d) Set Parent Administrator button: by default, the parent administrator is the administrator who delegates his administration rights. If you want to set another parent administrator, click Set Parent Administrator. For more details, see Section 4.7, Modifying the Parent Administrator.

e) Audit area (advanced administration mode only): Assign an audit filter to the selected administrator, as explained in Section 13.2.2, Assigning an Audit Filter to Specific Objects.

4. Click Apply.

5. Assign an authentication token with administrator rights to the user. For more details, see Section 7.1.2, Assigning a Smart Card to a User.

4.3 Managing Administration Profiles

Subject

An administration profile is a set of administration rights. Enterprise SSO Console used in advanced administration mode allows you to define your own administration profiles by selecting a number of administration rights.

This functionality is only available if you use Enterprise SSO Console in advanced administration mode.

4.3.1 Creating/Editing an Administration Profile

Subject

This section explains how to create or modify an administration profile.

Before Starting

• To add an administration right to an administration profile, you must either hold that right yourself or hold the "User administration profile: administration rights manager" right. Make sure you hold all the administration rights you want to add to the profile, or the "administration rights manager" right.

• To be able to perform the tasks described in this section, your role must contain the following administration rights: "User administration profile: Delegation", "Administration profile: Creation/Modification", "Directory: Browsing".


Procedure

1. In the Administration profile tab, in the Administration role area, click the Add button.

• The administration profile selection window appears.

2. Do one of the following, depending on the operation you want to perform:

• To create a new profile, click the Add button.

• To modify an existing profile, select the wanted profile and click Edit.

• The Administration profile edition window appears.

3. In the Administration profile name field, type a name for the administration profile you are creating or modifying.

4. Set the scope of the administration profile (optional) and use the Add and Remove buttons to select the administration rights you want the profile to contain, as explained in the following Administration Profile Window Description section.


Administration Profile Window Description

This section describes the administration profile edition window.

INTERFACE ELEMENT DESCRIPTION

Profile name Name of the administration profile you are creating or modifying.

Additional organization (optional)

Scope of the administration profile: all the objects on which the administration profile applies.

This field allows you to define the organizations that must be assigned to the administrator at the same time as the administration profile.

• The button allows you to select in the directory the perimeter of the administration profile, by browsing the directory or by executing a search request.

• The Clear button removes the organization from the field.

Administration rights List of all available Enterprise SSO administration rights that you can add in the administration profile.

All rights are written in the following format: <object or authorization name>:<right name>

Administration rights granted by this profile

List of administration rights that will be assigned to the administrator.

You cannot add to the profile an administration right that you do not already own.

Add button Adds the selected administration rights to the administration profile.

Remove button Removes the selected administration rights from the administration profile.
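The two restrictions stated above, that you cannot delegate Organizational Units outside your own administration perimeter (Section 4.2) and that you cannot put into a profile an administration right you do not hold yourself unless you have the "User administration profile: administration rights manager" right, are the least-privilege core of delegation. The following is an added example of how such a guard is checked; it is not code from the Quest/Evidian product. The DNs, profile contents and the `AdminProfile`/`check_delegation` names are constructed for the example; right names follow the guide's "<object>:<right>" format.

```python
"""Delegation guard for the two least-privilege rules the console enforces.

Added example; this is not code from the Quest/Evidian product. It models
the rule that delegated OUs must lie inside the delegator's perimeter and
the rule that delegated rights must already be held by the delegator
(lifted only by the "administration rights manager" right). All DNs and
right names below are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def normalise_dn(dn: str) -> tuple[str, ...]:
    """Split a DN into lower-cased RDNs, root first.

    "CN=Alice,OU=Sales,DC=example,DC=com" -> ("dc=com", "dc=example", "ou=sales", "cn=alice")
    Escaped commas inside RDN values are not handled; enough for OU containment.
    """
    parts = [p.strip().lower() for p in dn.split(",") if p.strip()]
    return tuple(reversed(parts))


def is_within(ou: str, perimeter_ou: str) -> bool:
    """True if `ou` is `perimeter_ou` itself or a container below it.

    Comparison is RDN by RDN, so "OU=Salesforce" is not inside "OU=Sales"
    (a plain string-suffix test would get that wrong).
    """
    child, parent = normalise_dn(ou), normalise_dn(perimeter_ou)
    return child[: len(parent)] == parent


@dataclass
class AdminProfile:
    rights: set[str]                                   # e.g. "Schedule: Creation/Modification"
    perimeter: set[str] = field(default_factory=set)   # DNs of the administered OUs


def check_delegation(delegator: AdminProfile, requested: AdminProfile,
                     rights_manager: bool = False) -> list[str]:
    """Return the list of violations; an empty list means the delegation is allowed.

    rights_manager=True stands for holding "User administration profile:
    administration rights manager", which lifts the you-must-hold-it rule
    for rights. It does not widen the perimeter rule.
    """
    violations: list[str] = []
    for ou in sorted(requested.perimeter):
        if not any(is_within(ou, p) for p in delegator.perimeter):
            violations.append(f"OU outside delegator perimeter: {ou}")
    if not rights_manager:
        for right in sorted(requested.rights - delegator.rights):
            violations.append(f"right not held by delegator: {right}")
    return violations
```

Selecting the directory root as perimeter (the "complete visibility" case above) simply makes every OU pass `is_within`; the RDN-wise comparison is what keeps a sibling OU with a similar name from slipping through.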


4.3.2 Deleting an Administration Profile

Subject

This section explains how to delete an administration profile. You can delete an administration profile even if you have not created it.

Before Starting

To be able to perform the task described in this section, you must have at least the following administration right: "Administration profile: Deletion".

Procedure

1. In the Administration profile tab, in the Administration role area, click the Add button.

• The administration role selection window appears.

2. Select the profile you want to delete and click Delete.

4.4 Transferring an Administration Role

Subject

Transferring an administration role means handing an administrator's role over to another user. The user who transfers his administration role is no longer an administrator.

For more details on the administration profiles inheritance mechanisms, see Section 4.1.3, Administration Role Inheritance.

Before Starting

Check that you meet the following requirements:

• The user to whom you want to transfer the administration role must exist in the directory.

• Make sure you have at least the following administration role:

• In classic administration mode: "Authorize propagation of administration rights" and one of the following profiles: "Security object administrator", "Access administrator" or "Rights administrator".

• In advanced administration mode, your role must contain the following administration right: "User administration profile: Delegation".

Procedure

1. In the Directory panel, select the administrator whose administration role you want to transfer.

2. In the Administration tab, click Transfer.

• The User selection window appears.

3. Select the user to whom you want to transfer the administration role of the selected administrator and click OK.

• The administration role is removed from the original administrator and assigned to the selected user.


4.5 Deleting Administration Role

Subject

Deleting an administration role consists in removing the administration role of a user.

If the deleted administrator was the parent administrator of other administrators, those administrators now have the deleted administrator's own parent administrator as their parent administrator.

Before Starting

To perform this task, you must be a parent administrator.

Procedure

1. In the Directory panel, select the user whose administration profile you want to delete.

2. In the Administration Profile tab, click Delete.

• The administration profile of the user is deleted.

4.6 Displaying your Administration Role

Subject

At any time, you can display your administration role to get more information on your administration profiles (and rights, if working in advanced administration mode), your administration perimeter, your parent administrator, and so on.

Procedure

1. In the File menu, click Administration Profile | Current profile.

• The current profile tab appears.

Classic administration mode


Advanced administration mode

2. From this window, click the wanted tab to display the following information:

• The Current profile tab displays:

• Your parent administrator (not defined if the role comes from the security module or pass-phrase).

• Your LDAP directory administration perimeter.

• Your administration profiles.

• In advanced administration mode, the Show rights button displays the administration rights corresponding to the displayed profiles.

• The Profile propagation tree tab displays the administration rights propagation tree, which shows all the administrators of the LDAP directory and their links (parent/child/no link).

• The Administered applications tab displays the list of applications for which you have administration rights.

• The Administered users tab displays the list of users for which you have administration rights.

4.7 Modifying the Parent Administrator

Subject

By default, the administrator who creates an administration profile is the parent administrator of this profile. If needed, you can modify the parent administrator.

Before Starting

To perform this task, you must be a parent administrator.

Procedure

1. In the Directory panel, select the user for which you want to modify the parent administrator.

2. In the Administration Profile tab, click Set Parent Administrator.

• The User selection window appears.

3. Select the new parent administrator and click OK.


4.8 Defining Multiple Primary Administrators

Subject

This option allows the definition of multiple super administrators. A super administrator is allowed to manage:

• All the LDAP directories.

• All the Applications.

Procedure

1. In the File menu, click Configuration and select the Primary administrators tab.

• The Primary Administrator tab appears.

2. Use the Add and Remove buttons to define auxiliary primary administrators.

All Policy Manager administrators are Enterprise SSO super administrators. Do not remove them.


5. Managing Security Profiles

Subject

Upon the installation of the Enterprise SSO controller, default security profiles are created. These objects are required to manage the target objects, which are Users, Access Points and Applications.

Depending on your administration perimeter, you can use the default Security Profiles, or create, modify, delete your own ones, as described in this section.

Before Starting

To optimize network traffic, you can use the update management feature. By default, Enterprise SSO workstations retrieve the whole SSO configuration periodically. The update management feature allows you to post an update, which generates a unique identifier. The workstations retrieve the application data together with this identifier; as long as the identifier held in the directory matches the one in the workstation cache, the workstations do not refresh their SSO configuration.

To enable or disable the update management feature, select Manage updates in the File menu of Enterprise SSO Console. When a workstation runs an update, it retrieves the entire configuration, not only the part corresponding to the last posted update. Consequently, a workstation whose cached data is older than the last posted update also retrieves any applications that administrators configured after that update was posted.

5.1 Managing Timeslices

Subject

Managing Timeslices consists in creating, modifying and deleting Timeslices.

Object Definition

Timeslices are security objects that define the periods during which the target objects can be accessed or are inhibited.

Target objects

Timeslices are required to define the following target objects:

• User Security Profiles.

• Access Point Security Profiles.

• Applications.


5.1.1 Creating/Modifying Timeslices

Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".

• In advanced administration mode, your role must contain the following right: "Schedule: Creation/Modification".

Procedures

Creating Timeslices

1. In the tree structure of the Directory panel, right-click the Organizational Unit that must contain your Timeslice and select New | Timeslice.

• The Timeslice configuration tab appears.

2. Fill in this window as described in Section 5.1.2, Configuring Timeslices, and click Apply.

• The Timeslice appears in the directory tree structure.

Modifying Timeslices

If you modify a Timeslice already used by target objects, your modifications apply to all the target objects associated with this security object.

1. In the tree structure of the Directory panel, select the Timeslice to modify.

• The Timeslice configuration tab appears.

2. Fill in this window as described in Section 5.1.2, Configuring Timeslices and click Apply.

• The Timeslice is modified.

5.1.2 Configuring Timeslices

Before Starting

• For general information on the Timeslice Security objects, see Section 5.1, Managing Timeslices.

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".

• In advanced administration mode, your role must contain the following right: "Schedule: Creation/Modification".


Window Example

Procedure

1. Type the Timeslice name.

2. Define the time slots hour by hour for each day of the week by clicking each slot to make it valid or not:

• Red: time slot not valid.

• Blue: time slot valid.

3. Define a validity period by selecting start and/or end dates. If no date is selected, the object is permanently valid.
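The procedure above amounts to a 7-day by 24-hour grid plus an optional validity window, and Section 5.1.5 adds that a target object whose Timeslice is deleted falls back to the default Timeslice. The following is an added example of evaluating such an object; it is not code from the product. The `Timeslice` class, its `from_spec` helper and the sample schedules are constructed for the example.

```python
"""Timeslice evaluation: is access allowed at a given instant?

Added example, not the product's own code. A Timeslice is modelled as the
console presents it: a 7 x 24 grid of booleans (blue = valid, red = not
valid) and an optional validity period (start and/or end date; an absent
date means no bound). Grid contents and dates below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, datetime

ALWAYS = [[True] * 24 for _ in range(7)]   # rows: Monday=0 ... Sunday=6; columns: hours 0..23


@dataclass
class Timeslice:
    name: str
    grid: list[list[bool]] = field(default_factory=lambda: [row[:] for row in ALWAYS])
    valid_from: date | None = None    # None: no start date
    valid_until: date | None = None   # None: no end date

    @classmethod
    def from_spec(cls, name: str, days, hours, **window) -> "Timeslice":
        """Build a slice that is valid only on `days` (0=Mon) during `hours` (0..23)."""
        grid = [[False] * 24 for _ in range(7)]
        for d in days:
            for h in hours:
                grid[d][h] = True
        return cls(name, grid, **window)

    def allows(self, when: datetime) -> bool:
        """Validity window first (a date bound inhibits the whole object), then the grid."""
        d = when.date()
        if self.valid_from is not None and d < self.valid_from:
            return False
        if self.valid_until is not None and d > self.valid_until:
            return False
        return self.grid[when.weekday()][when.hour]


def effective_slice(assigned: Timeslice | None, default: Timeslice) -> Timeslice:
    """Resolve the slice a target object actually uses: its own, or the default
    when the assigned one no longer exists (the deletion rule of Section 5.1.5)."""
    return default if assigned is None else assigned
```

Because the hour grid is evaluated in the workstation's local clock, a Timeslice used to inhibit an application outside office hours is only as good as the time source on the workstation; the validity window gives a hard cut-off that does not depend on the weekday pattern.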

5.1.3 Displaying Timeslice Event Logs

Subject

The Events tab allows you to display all the events that are directly or indirectly linked to the selected object, for a defined period (the last two days by default). This report contains both User action and administration log entries.

Restriction

The Events tab only appears if you have the following administration role:

• In classic administration mode: "Auditor".

• In advanced administration mode, your role must contain the following right: "Audit: Visualization".

For more details on administration roles, see Section 4, Managing Administrators.


Procedure

1. In the tree structure of the Directory panel, select the wanted Timeslice.

2. Click the Events tab.

• The Events tab appears.

3. In the Filter area, define a period of time to filter the log entries and click Apply (for more information on event logs, see Section 13.2.1, Filtering Audit Records).

5.1.4 Renaming Timeslices

Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".

• In advanced administration mode, your role must contain the following right: "Schedule: Creation/Modification".

Procedure

1. In the tree structure of the Directory panel, right-click the Timeslice to rename and select Rename.

2. Type the new name of the object and press Enter.

5.1.5 Deleting Timeslices

Subject

If you delete a Timeslice used by target objects, these target objects will use the default Timeslice.

Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".

• In advanced administration mode, your role must contain the following right: "Schedule: Deletion".

Procedure

In the tree structure of the Directory panel, right-click the Timeslice to delete and select Delete.

• The Timeslice is deleted from the directory tree structure.


5.2 Managing Password Format Control Policies

Subject

This section describes how to create, modify and delete Password Format Control Policies (PFCP).

Object Definition

The password format control policies define the number of characters, the minimum and maximum lengths and the types of characters required to provide a valid password during an application authentication phase.

Target Objects

PFCP are required to define Applications.

5.2.1 Creating/Modifying Password Format Control Policies

Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".

• In advanced administration mode, your role must contain the following right: "Password format control policy: Creation/Modification".

Procedures

Creating Password Format Control Policies

1. In the tree structure of the Directory panel, right-click the Organizational Unit that must contain your PFCP and select New | Password Control Policy.

• The PFCP configuration tab appears.

2. Fill in this window as described in Section 5.2.2, Configuring Password Format Control Policy, and click Apply.

• The PFCP appears in the directory tree structure.

Modifying Password Format Control Policies

If you modify a PFCP already used by target objects, your modifications apply to all the target objects associated with this security object.

1. In the tree structure of the Directory panel, select the PFCP to modify.

• The PFCP configuration tab appears.

2. Fill in this window as described in Section 5.2.2, Configuring Password Format Control Policy and click Apply.

• The PFCP is modified.


5.2.2 Configuring Password Format Control Policy

Before Starting

• For general information on the PFCP objects, see Section 5.2, Managing Password Format Control Policies.

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".

• In advanced administration mode, your role must contain the following right: "Password format control policy: Creation/Modification".

Window Example

Procedure

1. Type the PFCP name.

2. In the Password Format area, define the minimum and maximum number of characters, the maximum number of occurrences of the same character allowed in a password, and whether to forbid successive occurrences of the same character.


3. In the Allowed characters area, define the number of lower case, upper case, digit and special characters allowed in passwords and their position.

The following special characters are permissible:

~ " # ' { ( [ - | ` £ _ \ @ ) ° ] = + } $ % * , ? ; . : / !

• Accented characters are not permissible.

• For each type of character, the check boxes on the right hand side of the dialog box define the positions where that type of character may appear:

• The first check box corresponds to the first character.

• The second check box corresponds to the middle characters.

• The third check box corresponds to the final character.

4. Define a list of forbidden characters (Forbidden characters area).

5. Click the Test password generation button to check that the generated passwords meet your requirements.
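The fields walked through in steps 1 to 5 make up a complete password format policy, and the "Test password generation" button is the check that the policy is actually satisfiable. The following is an added example that implements such a policy as a checker and a CSPRNG-backed generator; it is not the product's own code. Two points the guide does not define are assumptions here: the per-class numbers are treated as minimum required counts, and a cleared position check box forbids that class at that position. The `PFCP`/`ClassRule` names, the sample policy and the sample passwords are constructed.

```python
"""Password Format Control Policy (PFCP) as a checker and a generator.

Added example, not the product's own code. It models the PFCP tab fields:
minimum/maximum length, maximum occurrences of one character, the
no-consecutive-repeats option, per-class counts with first/middle/last
position flags, a forbidden-character list, and a "test generation" step.
Assumptions: per-class numbers are minimum counts; a cleared position flag
forbids the class at that position. Sample policies are constructed.
"""
from __future__ import annotations

import secrets
import string
from dataclasses import dataclass, field

# Special characters the guide lists as permissible (accented characters are not).
SPECIALS = "~\"#'{([-|`£_\\@)°]=+}$%*,?;.:/!"
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": SPECIALS,
}


@dataclass
class ClassRule:
    minimum: int = 0      # assumed meaning of the per-class number
    first: bool = True    # class may be the first character
    middle: bool = True   # class may appear in the middle characters
    last: bool = True     # class may be the final character


@dataclass
class PFCP:
    name: str
    min_len: int = 8
    max_len: int = 16
    max_same_char: int = 2        # maximum occurrences of any one character
    no_consecutive: bool = True   # forbid "aa", "11", "$$" ...
    rules: dict[str, ClassRule] = field(default_factory=dict)
    forbidden: str = ""

    def violations(self, pwd: str) -> list[str]:
        """Every rule the password breaks; an empty list means it complies."""
        v: list[str] = []
        if not self.min_len <= len(pwd) <= self.max_len:
            v.append("length")
        if any(pwd.count(ch) > self.max_same_char for ch in set(pwd)):
            v.append("max_same_char")
        if self.no_consecutive and any(a == b for a, b in zip(pwd, pwd[1:])):
            v.append("consecutive")
        if set(pwd) & set(self.forbidden):
            v.append("forbidden")
        for ch in pwd:
            if not any(ch in alphabet for alphabet in CLASSES.values()):
                v.append(f"not permissible: {ch!r}")   # accented or other characters
        for name, alphabet in CLASSES.items():
            rule = self.rules.get(name, ClassRule())
            present = [i for i, ch in enumerate(pwd) if ch in alphabet]
            if len(present) < rule.minimum:
                v.append(f"{name}: need {rule.minimum}")
            for i in present:
                pos = "first" if i == 0 else "last" if i == len(pwd) - 1 else "middle"
                if not getattr(rule, pos):
                    v.append(f"{name}: not allowed at {pos}")
                    break
        return v

    def generate(self, length: int | None = None, attempts: int = 10_000) -> str:
        """Rejection-sample a compliant password from a CSPRNG, the way a
        'test password generation' check exercises the policy."""
        n = self.min_len if length is None else length
        pool = [ch for alphabet in CLASSES.values() for ch in alphabet if ch not in self.forbidden]
        for _ in range(attempts):
            candidate = "".join(secrets.choice(pool) for _ in range(n))
            if not self.violations(candidate):
                return candidate
        raise ValueError(f"policy {self.name!r} cannot be satisfied at length {n}")
```

Rejection sampling keeps the generator unbiased with respect to the policy: every compliant password of the chosen length is equally likely, which a "fill the required classes first, then pad" generator does not guarantee. If `generate` raises, the policy is over-constrained (for example, a maximum length too small for the sum of the per-class minimums), which is exactly what the console's test button is there to reveal before the policy is attached to an application.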

5.2.3 Displaying Password Format Control Policy Event Logs

Subject

The Events tab allows you to display all the events that are directly or indirectly linked to the selected object, for a defined period (the last two days by default). This report contains both User action and administration log entries.

Restriction

The Events tab only appears if you have the following administration role:

• In classic administration mode: "Auditor".

• In advanced administration mode, your role must contain the following right: "Audit: Visualization".

For more details on administration roles, see Section 4, Managing Administrators.

Procedure

1. In the tree structure of the Directory panel, select the wanted PFCP.

2. Click the Events tab.

• The Events tab appears.

3. In the Filter area, define a period of time to filter the log entries and click Apply (for more information on event logs, see Section 13.2.1, Filtering Audit Records).


5.2.4 Renaming Password Format Control Policies

Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".

• In advanced administration mode, your role must contain the following right: "Password format control policy: Creation/Modification".

Procedure

1. In the tree structure of the Directory panel, right-click the PFCP to rename and select Rename.

2. Type the new name of the object and press Enter.

5.2.5 Deleting Password Format Control Policies

Subject

If you delete a Password Format Control Policy used by target objects, these target objects will use the default PFCP.

Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".

• In advanced administration mode, your role must contain the following right: "Password format control policy: Deletion".

Procedure

In the Directory panel, right-click the PFCP to delete and select Delete.

• The PFCP is deleted from the directory tree structure.

5.3 Managing User Security Profiles

Subject

Managing User Security Profiles consists in creating, modifying and deleting User Security Profiles.

Object Definition

User Security Profiles are security objects that define a set of rights and properties that are applied generically for one or more users.


Target objects

User Security Profiles apply to Users.

As mentioned in Section 1, Overview, the User object refers to the user himself, a group of users or an organizational unit that contains users. Thus, User Security Profiles can be applied to the following LDAP directory objects, listed from highest to lowest priority:

• User.

• User group.

• Group of groups.

• Organizational Units.

5.3.1 Creating/Modifying User Security Profiles

Before Starting

Check that you meet the following requirements:

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".

• In advanced administration mode, your role must contain the following right: "User security profile: Creation/Modification".

• The Timeslice that will be used by the User Security Profile must be created.

Procedures

Creating User Security Profiles

1. In the tree structure of the Directory panel, right-click the Organizational Unit that must contain your User Security Profile and select New | User Security Profile.

• The User Security Profile configuration tab appears.

2. Fill in this window as described in Section 5.3.2, Configuring User Security Profiles, and click Apply.

• The User Security Profile appears in the directory tree structure.

Modifying User Security Profiles

If you modify a User Security Profile already used by Users, your modifications apply to all Users associated with this Security Profile.

1. In the tree structure of the Directory panel, select the User Security Profile to modify.

• The User Security Profile configuration tab appears.

2. Fill in this window as described in Section 5.3.2, Configuring User Security Profiles, and click Apply.

• The User Security Profile is modified.


5.3.2 Configuring User Security Profiles

Before Starting

• For general information on the User Security Profile objects, see Section 5.3, Managing User Security Profiles.

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".

• In advanced administration mode, your role must contain the following rights: "User security profile: Creation/Modification" and "Temporary password access: Change duration".

Window Example

Procedure

1. Type the User security profile name.

2. In the Authentication tab, select the authentication methods available for the Users that will be associated with the User Security Profile, and define the authentication parameters of the User Security Profile, as described in Section 5.3.2.1, Authentication Parameters Configuration ("Authentication" Tab).

3. In the Security tab, define the single sign-on parameters of the User Security Profile, as described in Section 5.3.2.2, Security Parameters Configuration ("Security" Tab).


4. In the Unlocking tab, activate the Fast User Switching feature and define the unlocking parameters of the User Security Profile, as described in Section 5.3.2.3, Fast User Switching Parameters Configuration ("Unlocking" Tab).

5. In the Emergency Access tab, activate the Emergency Access feature and define the password and PIN reset parameters of the User Security Profile, as described in Section 5.3.2.4, Emergency Access Parameters Configuration ("Emergency Access" Tab).

6. In the Biometrics tab, define the biometrics policy, as described in Section 5.3.2.5, Biometrics Parameters Configuration ("Biometrics" Tab).

7. In the Data Privacy tab, configure some aspects of the Data Privacy feature as described in Section 5.3.2.6, Data Privacy Parameters Configuration ("Data Privacy" Tab).

8. In the Audit tab, assign an audit filter to user security profile to generate only relevant audit events, as described in Section 5.3.2.7, Audit Parameters Configuration ("Audit" Tab).

5.3.2.1 Authentication Parameters Configuration (Authentication Tab)


• User authentication methods area The selected Authentication methods must be consistent with the authentication methods defined in the Access Point Security Profiles associated with the Users (for more details, see Section 5.4.2.1, Security Services Configuration ("Security Services" Tab)).

Authentication methods can only be used if they are activated on the Users' workstations, through the Access Point Security Profile, as described in Section 5.4.2, Configuring Access Point Security Profiles.

• The Session authentication method works only with Active Directory.

• For smart card authentication methods (such as Cryptoflex smart card, CyberFlex PKCS#11 or Rainbow iKey3000), you can assign a specific configuration using the Select Configuration button. These configurations are defined in the Smart Card panel. For more details, see Section 7.10, Managing Smart Card Configuration Profiles.

• The "Store-On-Server" and "Store-On-PC" biometric methods cannot be used simultaneously. You must only select one of them. For more information on available biometric methods, see Section 10, Managing Biometric Enrolment.

• Connection parameters area

TAB ELEMENT DESCRIPTION

Timeslice The default Timeslice is selected by default. Click the button to select another existing Timeslice.

Click the button to display and if necessary modify the selected time slice, as described in Section 5.1.1, Creating/Modifying Timeslices.

Use cache and Cache data validity

Select Use Cache to use a cache upon session activation. This ensures user service continuity across network interruptions and supports Nomad users. It is recommended to set a cache validity greater than the Session Duration, so that the cache is refreshed at each authentication and thus remains valid for the specified time.

The "0" value means infinite time: the cache data validity will not refresh.

The cache can only be used if it is active on the workstation. This option is set upon the definition of Access Point Security Profiles, as described in Section 5.4.2, Configuring Access Point Security Profiles.

Session duration (h) Session activation time before re-authentication is required.

The "0" value means infinite time: re-authentication will never be required.

Allow temporary password access for

Duration of the validity of the temporary password, when granted to a user (for more information on TPA, see Section 6.2.2.3, Forcing a New User's Primary Password ("Password" Tab)).

When the duration is over, the user cannot log on anymore.


Can unlock a workstation

Authorizes the Users associated with this security profile to unlock a workstation locked by another user.

Allow on all access points

• In "access-point-management" mode, authorizes the Users associated with this security profile to authenticate on all Access Points of their domain (Default).

• In "no-access-point-management" mode, a user can open an Enterprise SSO session on an access point of his/her domain only if the Allow on all access points field is selected.

To authorize the Users to log on Access Points registered in external domains, see Section 6.4, Managing Representative Objects.

This option is taken into account when you assign or forbid Access Points to a User: see Section 6.2.5, Assigning/Forbidding Access Points to a User ("Access Points" Tab).

Primary password is stored as an SSO account, encrypted by...

This function is only available if the "Session" authentication method is selected.

This function stores the user primary password as an SSO account: each time the user authenticates, his/her primary password is saved or updated if necessary.

SSOWatch accesses this stored account for each SSO using the primary account.

If the user authenticates with smart card logon, a registry key must be positioned so that SSOWatch can run in Session mode (see Enterprise SSO Advanced Installation and Configuration Guide for details on the registry key).

The drop-down list allows you to select the way the primary account should be ciphered and deciphered:

• User: only the user can decipher his primary account. This is the most secure option.

If the user forgets his/her primary password or loses his/her smart card, it is impossible to recover his/her account.

• User and administrators: you can also decipher the user's accounts. Thus, if you force a new primary password or assign a new smart card using Token Manager, the user's primary account is also recovered.

• User, administrators and external key: allows an external application to decipher the user's account using a public key. For example, you must select this entry if you want to use Enterprise SSO with Web Access Manager (WAM). By selecting this entry, you allow WAM to decipher the Enterprise SSO primary account of the user so that it can perform SSO with this account.
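The three entries of the drop-down differ only in who holds a key able to decipher the stored primary account, and the guide's warning for the "User" entry (a lost smart card or forgotten password makes the account unrecoverable) follows directly from that. The following is an added example of the pattern behind such a choice: the secret is encrypted under a fresh data key, and a wrapped copy of that data key is kept for each authorised party. It is not the product's code or key management. The primary password and keys are constructed; the cipher is an HMAC-SHA256 counter keystream with encrypt-then-MAC, used only to keep the example dependency-free, and the "external key" is modelled as a symmetric key because the standard library has no public-key primitives (in the product it is a public key held by an application such as WAM).

```python
"""Who can decipher a stored primary account: the three "encrypted by" modes.

Added example, not the product's own code or key management. A random data
key protects the primary password; a wrapped copy of the data key is kept
for each party the selected mode authorises. Keys and the password are
constructed. The stream cipher (HMAC-SHA256 keystream, encrypt-then-MAC) is
illustrative; the "external" key stands in for the public key WAM would hold.
"""
import hashlib
import hmac
import secrets

MODES = {
    "user": ("user",),
    "user+admins": ("user", "admins"),
    "user+admins+external": ("user", "admins", "external"),
}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def store_primary_account(password: str, mode: str, keys: dict[str, bytes]) -> dict:
    """Encrypt the primary password under a fresh data key, then wrap that data
    key once per party the selected mode authorises."""
    data_key = secrets.token_bytes(32)
    return {
        "mode": mode,
        "account": _seal(data_key, password.encode()),
        "wrapped": {party: _seal(keys[party], data_key) for party in MODES[mode]},
    }


def recover_primary_account(record: dict, party: str, key: bytes) -> str:
    """Succeeds only if `party` holds a wrapped copy of the data key and presents the right key."""
    if party not in record["wrapped"]:
        raise PermissionError(f"{party} cannot decipher in mode {record['mode']!r}")
    data_key = _open(key, record["wrapped"][party])
    return _open(data_key, record["account"]).decode()


def recoverable_without_user(record: dict) -> bool:
    """False in mode 'user': no other copy of the data key exists, so a lost
    smart card or forgotten password leaves the account unrecoverable."""
    return any(party != "user" for party in record["wrapped"])
```

The administrator entry is what makes "force a new primary password" and "assign a new smart card" in Token Manager recover the stored account rather than orphan it; the external entry extends the same wrapped-key set to one more party, which is why it is the least restrictive choice and should only be selected when an application such as WAM genuinely needs to perform SSO with the user's primary account.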


5.3.2.2 Security Parameters Configuration ("Security" Tab)

• User authentication area

TAB ELEMENT DESCRIPTION

Change password every <n> days

Allows the user to manually change his/her primary password (whatever the authentication method used) every "n" days, using the default password format control policy (PFCP) displayed in the "User PFCP" field.

If the manual password change policy detects that the password has expired while the user is authenticating offline, the user is not asked to change the password. In this case, you can force the user to re-authenticate when the directory is available again, so that he/she can manually change the directory password, by setting the following registry value to 1:

"ManualPwdChangeMandatory" (DWORD), located under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Enatel\WiseGuard\Framework\Authentication.

If you also select the "Change password on token every <n> days" check box, the present option is disabled for users whose authentication method does not require the primary password to be typed (smart cards, biometrics).


User PFCP

The default password format control policy (PFCP) is selected by default. This PFCP applies when the user types his/her password.

Click the button to select another existing PFCP.

Click the button to display and if necessary modify the selected PFCP, as described in Section 5.2.1, Creating/Modifying Password Format Control Policies.

Change password on token every <n> days

This option is available only if:

• The directory used is an AD or AD/ADAM.

• The user smart card stores the password.

Select this check box to enable the automatic change of the smart card or USB token password every "n" days. This operation has no consequence on the user authentication tasks (the user still uses his/her PIN to authenticate).

Automatic PFCP

The default password format control policy (PFCP) is selected by default. This PFCP applies when the password change is performed automatically, without user intervention (e.g. the password is stored on the smart card and changes every x days).

Click the button to select another existing PFCP.

Click the button to display and if necessary modify the selected PFCP, as described in Section 5.2.1, Creating/Modifying Password Format Control Policies.

Allow external access

Select this check box to specify that the Users associated with this security profile can share their accounts with external applications. You must select this check box to enable the Mobile E-SSO feature. For more information, see Mobile E-SSO Installation and Configuration Guide.

SSO data protected by token is also available on password authentication

Select this check box to specify that the SSO data protected by token can be used even if the User authenticates by password.

Grace period (RFID and PKA authentication methods only).

The grace period is the period of time during which the workstation automatically unlocks when the user reenters the unlocking area with the RFID token.

After this period, the user must provide his/her password in addition to the RFID token to log on.

User must provide emergency access answers

Forces the user to provide emergency access answers when he/she wants to reset his/her password.


Roaming session duration (hours)

A roaming session allows users to open a session on a computer with their physical authentication token, without having to type a secret.

Select this check box to authorize the roaming session mode for users associated with the user profile, during a period of time. The roaming session is created as soon as the user authenticates on an authorized access point, and the session duration time starts from that moment. If you change the duration time in the Roaming session duration field once the roaming session has started, the new value will only be taken into account once the session in progress has expired.

To authorize roaming sessions on an Advanced Login computer, see Section 5.4.2.2, Advanced Login Parameters Configuration ("Advanced Login" Tab).

• Single Sign-On (SSO) area

TAB ELEMENT DESCRIPTION

Inactivation duration

Defines the time of inactivity of the SSOWatch Engine before its state switches to locked.

The "0" value means infinite time: the SSOWatch engine never locks.

Allow SSOEngine control (pause/restart)

Allow SSOEngine refresh

Allow SSOEngine stop

Allows you to define if the Users associated with this User Security Profile can pause, refresh, stop and restart SSOEngine.

Show SSOEngine-launcher in foreground

When SSOWatch is started, this check box allows you to define if the SSOEngine desktop can be opened on the application launcher.

Allow personal SSOStudio

Allow enterprise SSOStudio

Allows you to define if the Users associated with this User Security Profile can use SSOStudio Personal and SSOStudio Enterprise.

Allow role selection

Allows you to define if the Users associated with this User Security Profile can select different roles in SSOEngine.

Require strong authentication for SSO

Select this check box to specify that a token is necessary to start the SSO.

Authentication on next access/Authenticate immediately

SSO behavior on next card insertion.


5.3.2.3 Fast User Switching Parameters Configuration ("Unlocking" Tab)

The Unlocking tab allows you to activate and use the Fast User Switching feature.

TAB ELEMENT DESCRIPTION

User level

Enter a User hierarchy level (0 is the lowest level, and 50000 is the highest).

User can unlock sessions of users below level

Select this check box to allow a User to unlock a session locked by another User whose level is below the specified level.

User can close sessions of users below level

Select this check box to allow a User to close a session opened by another User whose level is below the specified level.

Example

Consider the following situation: you want User 1, who is a User associated with User Security Profile 1, to be able to unlock or close sessions of other Users associated with User Security Profile 1. To do so, you must configure the Unlocking tab as follows:

• User level: X (5 for example).

• May unlock user sessions below level: >X (7 for example).

• May close user sessions below level: >X (7 for example).


To check that this example works:

1. Use Advanced Login to log on as User 1.

2. Lock the session.

3. Unlock the session with another user associated with User Security Profile 1 (User 2 for example).

a) SSOWatch is restarted with the SSO data of User 2, and the Session Information window of Advanced Login displays the following:

• E-SSO User: User 2.

• Windows User: User 1.
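A small model of the level rule and of the walk-through above, as an added example (not part of the guide or of the product): the class and function names and the Session structure are assumptions, and the thresholds follow the X / >X values of the example.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Range of the "User level" field (0 is the lowest level, 50000 the highest).
MIN_LEVEL, MAX_LEVEL = 0, 50000


@dataclass(frozen=True)
class UnlockingPolicy:
    """Settings of one User Security Profile's "Unlocking" tab (hypothetical model).

    A threshold of None means the corresponding check box is cleared."""
    user_level: int
    unlock_below_level: Optional[int] = None   # "User can unlock sessions of users below level"
    close_below_level: Optional[int] = None    # "User can close sessions of users below level"

    def __post_init__(self) -> None:
        for value in (self.user_level, self.unlock_below_level, self.close_below_level):
            if value is not None and not MIN_LEVEL <= value <= MAX_LEVEL:
                raise ValueError(f"level {value} is outside {MIN_LEVEL}..{MAX_LEVEL}")


@dataclass(frozen=True)
class Session:
    """What the Advanced Login Session Information window reports for a workstation session."""
    windows_user: str   # the Windows account the session was opened with
    esso_user: str      # the user whose SSO data SSOWatch currently runs with
    locked: bool = False


def can_unlock(actor: UnlockingPolicy, locker: UnlockingPolicy) -> bool:
    """Another user's locked session may be unlocked only if the actor's check box is set
    and the locking user's level is strictly below the actor's threshold."""
    return actor.unlock_below_level is not None and locker.user_level < actor.unlock_below_level


def can_close(actor: UnlockingPolicy, owner: UnlockingPolicy) -> bool:
    """Same rule for closing a session opened by another user."""
    return actor.close_below_level is not None and owner.user_level < actor.close_below_level


def unlock_session(session: Session, actor_name: str,
                   actor: UnlockingPolicy, locker: UnlockingPolicy) -> Session:
    """Fast User Switching: on success SSOWatch restarts with the unlocking user's SSO data
    while the Windows session (and therefore the Windows user) is kept. Unlocking one's own
    session is the ordinary Windows unlock, not governed by this tab, and is not modelled."""
    if not session.locked:
        raise ValueError("the session is not locked")
    if not can_unlock(actor, locker):
        raise PermissionError(f"{actor_name} is not allowed to unlock this session")
    return replace(session, esso_user=actor_name, locked=False)


if __name__ == "__main__":
    # The guide's example: both users share User Security Profile 1, X = 5, thresholds 7 (> X).
    profile_1 = UnlockingPolicy(user_level=5, unlock_below_level=7, close_below_level=7)
    locked = Session(windows_user="User 1", esso_user="User 1", locked=True)
    after = unlock_session(locked, "User 2", actor=profile_1, locker=profile_1)
    print(f"E-SSO User: {after.esso_user}, Windows User: {after.windows_user}")
    # With thresholds equal to X, "below level" excludes users of the same profile.
    print(can_unlock(UnlockingPolicy(5, 5, 5), profile_1))
```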

5.3.2.4 Emergency Access Parameters Configuration ("Emergency Access" Tab)

The Emergency Access tab allows you to activate and configure the password and PIN reset features: the user can reset his password and PIN on his own from the Advanced Login authentication window.

The PIN Reset feature is only available in disconnected mode.

Configuration Parameters


TAB ELEMENT DESCRIPTION

Availability

• With Password Reset server only (connected mode) to enable the Emergency Access feature only when the Password Reset server, which is a component of the Enterprise SSO controller, is available. In this case, you must define the list of Password Reset servers: see the Emergency Access tab in Section 5.4.2, Configuring Access Point Security Profiles.

When a user accesses the Emergency Access feature, his/her account is automatically unlocked by the Password Reset server.

• Always available (disconnected mode) to enable the Emergency Access features even if the Password Reset server is unavailable. For the Password Reset feature, a cache is used (see the "Activate cache and Cache properties button" parameter in Section 5.4.2, Configuring Access Point Security Profiles).

• If the directory is not available, the new password given by the user in "With Password Reset server only" mode is temporary: the directory is never updated with this password. When the directory is available again, the user is prompted to re-authenticate and to change his/her password (which is then changed in the directory).

• If the directory is available, the password is changed in the directory.

• If a user can access the disconnected mode, this automatically implies that he/she can access the connected mode.

Selecting this check box enables the User must contact the help-desk to gain password access parameter, which allows you to define whether the user must call the help desk to reset his/her password.

For PIN reset, the check box is ignored because the help desk call is mandatory.

• Check box cleared: the user answers the Emergency Access questions (set with SSOWatch); he/she is then automatically prompted to reset his/her password on his/her own (correct answers to the questions are sufficient to decrypt the password stored in the cache).

• Check box selected: the user answers the Emergency Access questions (set with SSOWatch), which allows him/her to obtain a challenge (unlock code). He/she is then prompted to give this challenge to the Help Desk, which has to give him/her a challenge in exchange (see Section 6.2.2.4, Managing User Emergency Access ("Emergency Access" Tab)) that allows him/her to reset his/her password or PIN.

• Not available if you do not want to activate the Emergency Access feature.


Questions area This area allows you to define the number of questions to ask to the end-user and to manage a list of available questions. These questions will be displayed by the Emergency Access wizard (through the SSOWatch engine) to your end users.

For details, see Question List Management Procedure, below.

Security area This area allows you to define your Emergency Access security policy, by defining the number of questions that the end-user must answer and the minimum number of correct answers that the end-user must enter to reset his/her password.

The Advanced button allows you to define other security parameters, as explained in the following table:

• To force the user to populate his/her questions and answers before being able to use SSOWatch on his/her workstation.

• To force the user to change his/her answers to the questions at a defined frequency.

• To prevent the user from giving the same answer to different questions.

• To prevent the user from using the words used in the questions in his/her answers.

• To set the maximum number of attempts to answer the questions.

• To set the answers to the questions as case-insensitive.

• To allow the user to connect by password (if he/she is only allowed to connect by smart card) during a defined period of time.


• To allow the help desk to set the validity of the temporary password when it provides a challenge to a user. (This parameter is only available if you have selected the "disconnected mode".)

• To force the user to use his/her own password and not his/her temporary password when he/she reconnects to the network. (This parameter is only available if you have selected the "disconnected mode".)

• To set the maximum number of attempts to use the Emergency Access feature in disconnected mode. (This parameter is only available if you have selected the "disconnected mode".)

• To try the Password Reset server before using the disconnected mode.

Question List Management Procedure

To manage the list of available questions, do the following:

1. In the Questions area, click the Select button, and in the displayed window, click Manage questions.

• The Emergency Access question management window appears.


2. To add a question, do the following:

a) Click the New button.

• The Question Properties area is activated.

b) Fill in this area with the following guidelines:

c) Set the Question Type: select either Predefined Question to specify a question that cannot be modified by the end user or User-supplied question to allow the end user to define his/her own question.

d) Set the Question text.

e) Translate the question into a foreign language (optional):

• Click Translations.

• Select the language in the drop-down list.

• Fill in the translation.

• Click Add.

• The translation appears in the available translations area.

• Click OK.

• The Emergency access questions window appears.

f) Set the Answer constraints:

• Set the minimal and maximal character length of the answer.

• Fill in Must match regular expression to set restrictions on the string corresponding to the answer entered by the end user. For details on the syntax of regular expressions, see Appendix A, Regular Expressions - Basic Syntax.

g) Click Apply.

• The question appears in the Existing Questions area.

3. Repeat Step 2 as many times as necessary and click Close to finish.

• The Emergency access: list of questions window appears.


4. Set a question number to an available question to define a list of available questions for each Question field of the Emergency Access wizard (SSOWatch engine):

a) In the list of questions drop-down list, select the Question number and click the Add button.

• The question selection window appears.

b) Select a question in the Select a Question window and click OK.

• The selected question appears in the available question area.

c) Click OK.
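An added example (not the guide's or the product's code) that models the enrolment constraints of the Security area's Advanced options together with the per-question Answer constraints of step f), then the reset check against the configured number of questions, minimum correct answers and maximum attempts. All class and function names are assumptions, and keeping SHA-256 digests of the normalized answers is a simplification of the product's use of the answers to decrypt the cached password.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Question:
    """One Emergency Access question with its Answer constraints (hypothetical model)."""
    text: str
    min_length: int = 1
    max_length: int = 64
    must_match: Optional[str] = None   # "Must match regular expression", None if unset


@dataclass(frozen=True)
class EmergencyAccessPolicy:
    """Security area of the "Emergency Access" tab plus its Advanced options (hypothetical model)."""
    questions_asked: int                # number of questions the end user must answer
    min_correct: int                    # minimum number of correct answers to reset the password
    max_attempts: int = 3               # maximum number of attempts to answer the questions
    forbid_same_answer: bool = True     # same answer to different questions is refused
    forbid_question_words: bool = True  # words of the question may not appear in the answer
    case_insensitive: bool = True


_WORD = re.compile(r"[^\W_]+")   # runs of letters/digits


def normalize(answer: str, policy: EmergencyAccessPolicy) -> str:
    answer = " ".join(answer.split())   # trim and collapse whitespace
    return answer.casefold() if policy.case_insensitive else answer


def _digest(answer: str, policy: EmergencyAccessPolicy) -> str:
    return hashlib.sha256(normalize(answer, policy).encode("utf-8")).hexdigest()


def check_enrolment(policy: EmergencyAccessPolicy,
                    answers: Sequence[Tuple[Question, str]]) -> List[str]:
    """Validate the answers a user populates at enrolment; returns the violations
    (an empty list means every constraint is satisfied)."""
    problems: List[str] = []
    seen: Dict[str, str] = {}   # normalized answer -> question it was given for
    for question, raw in answers:
        answer = raw.strip()
        if not question.min_length <= len(answer) <= question.max_length:
            problems.append(f"{question.text!r}: length must be "
                            f"{question.min_length}..{question.max_length}")
        if question.must_match and not re.fullmatch(question.must_match, answer):
            problems.append(f"{question.text!r}: answer does not match {question.must_match!r}")
        if policy.forbid_question_words:
            reused = ({w.casefold() for w in _WORD.findall(question.text)}
                      & {w.casefold() for w in _WORD.findall(answer)})
            if reused:
                problems.append(f"{question.text!r}: answer reuses question word(s) {sorted(reused)}")
        key = normalize(answer, policy)
        if policy.forbid_same_answer and key in seen:
            problems.append(f"{question.text!r}: same answer as {seen[key]!r}")
        seen.setdefault(key, question.text)
    return problems


def enrol(policy: EmergencyAccessPolicy,
          answers: Sequence[Tuple[Question, str]]) -> Dict[str, str]:
    """Accept a compliant set of answers and keep only digests of their normalized form."""
    problems = check_enrolment(policy, answers)
    if problems:
        raise ValueError("; ".join(problems))
    return {question.text: _digest(answer, policy) for question, answer in answers}


def count_correct(policy: EmergencyAccessPolicy, enrolled: Dict[str, str],
                  given: Dict[str, str]) -> int:
    return sum(1 for text, answer in given.items()
               if enrolled.get(text) == _digest(answer, policy))


class ResetAttempt:
    """Tracks one user's reset attempts; further attempts are refused after max_attempts failures."""

    def __init__(self, policy: EmergencyAccessPolicy, enrolled: Dict[str, str]) -> None:
        self.policy, self.enrolled, self.failures = policy, enrolled, 0

    def submit(self, given: Dict[str, str]) -> bool:
        if self.failures >= self.policy.max_attempts:
            raise PermissionError("maximum number of attempts reached")
        if len(given) != self.policy.questions_asked:
            raise ValueError(f"{self.policy.questions_asked} questions must be answered")
        ok = count_correct(self.policy, self.enrolled, given) >= self.policy.min_correct
        if not ok:
            self.failures += 1
        return ok
```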


5.3.2.5 Biometrics Parameters Configuration ("Biometrics" Tab)

Subject

The Biometrics tab allows you to define the biometric enrolment policy.

Before Starting

To configure the parameters described in this section, you must work in advanced administration mode, and your role must contain the following right: "Bio: Is enable to allow biometrics pattern enrolment".

For more information on administration modes, see Section 4, Managing Administrators.

Biometrics Tab Description

• Enrolment procedure area This area allows you to have the user's biometric data enrolment supervised by an administrator or by another user.

• Approval not required: the user biometric data enrolment does not need the authentication of anyone.

• An E-SSO administrator: the user biometric data enrolment requires the authentication of an administrator who has at least the following administration right: "Bio: Is enable to allow biometrics pattern enrolment" (advanced administration mode only).


• Another E-SSO user: the user biometric data enrolment requires the authentication of another user of the directory.

• Policy area

• User must enrol between x and x finger(s): number of fingers you want the user to enrol.

• Allow user to abort the enrolment process: if this check box is selected, the user is allowed to cancel the enrolment process by closing the enrolment window.

5.3.2.6 Data Privacy Parameters Configuration ("Data Privacy" Tab)

The Data Privacy tab allows you to configure some aspects of the Data Privacy feature. For a complete description on how to administer Data Privacy, see Section 11, Managing Data Privacy.

TAB ELEMENT DESCRIPTION

User has access to the File Encryption module

Select this check box to allow the users associated with the Security Profile to use the File Encryption software module.

By default, File Encryption ignores files with specific extensions (.exe, .dll for example). You can modify these values using the Configuration button.


User can refresh his keys from his desktop

Select this check box to enable the Refresh command of the File Encryption software module.

Generate user's personal keys automatically

Select this check box to enable the automatic generation of a key upon the user's logon.

Automatically update key in warning period

Select this check box to enable the automatic update of the user's key.

File Encryption key properties area

This area allows you to define the properties of the keys that will be generated.

5.3.2.7 Audit Parameters Configuration (Audit Tab)

The Audit tab allows you to assign an audit filter to User Security Profile.

To assign an audit filter, see Section 13.2.2, Assigning an Audit Filter to Specific Objects.


5.3.3 Displaying User Security Profile Event Logs

Subject

The Events tab allows you to display all the events that are directly or indirectly linked to the selected object, for a defined period (the last two days by default). This report contains both User action and administration log entries.

Restriction

The Events tab only appears if you have the following administration role:

• In classic administration mode: "Auditor".

• In advanced administration mode, your role must contain the following right: "Audit: Visualization".

For more details on administration roles, see Section 4, Managing Administrators.

Procedure

1. In the tree structure of the Directory panel, select the wanted User Security profile.

2. Click the Events tab.

• The Events tab appears.

3. In the Filter area, define a period of time to filter the log entries and click Apply (for more information on event logs see Section 13.2.1, Filtering Audit Records).

5.3.4 Renaming User Security Profiles

Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".

• In advanced administration mode, your role must contain the following right: "User security profile: Creation/Modification".

Procedure

1. In the tree structure of the Directory panel, right-click the User Security Profile to rename and select Rename.

2. Type the new name of the object and press Enter.


5.3.5 Deleting User Security Profiles

Subject

If you delete a User Security Profile used by Users, these Users will use the default User Security Profile.

Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".

• In advanced administration mode, your role must contain the following right: "User security profile: Deletion".

Procedure

In the tree structure of the Directory panel, right-click the User Security Profile to delete and select Delete.

• The User Security Profile is deleted from the directory tree structure.

5.4 Managing Access Point Security Profiles

Subject

Managing Access Point Security Profiles consists of creating, modifying and deleting Access Point Security Profiles.

If you are working in "no-access-point-management" mode, you cannot create Access Point security profiles, nor manage their priority. The default access point security profile is used for all Access Points.

Object Definition

Access Point Security Profiles are security objects that define a set of rights and properties that are applied generically for one or more workstations.

Target Objects

Access Point Security Profiles apply to Access Points.

As mentioned in Section 1, Overview, the Access Point object refers to a specific computer, a group of computers or an organizational unit that contains computers. Thus, Access Point Security Profiles can be applied to the following LDAP directory objects listed in the highest to lowest order of priority:

• Computer.

• Groups that contain computers.

• Organizational Units that contain computers.


5.4.1 Creating/Modifying Access Point Security Profiles

Before Starting

Before starting, check that you meet the following requirements:

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".

• In advanced administration mode, your role must contain the following right: "Access point security profile: Creation/Modification".

• The Timeslice that will be used by the Access Point Security Profile must be created.

• If you are working in "no-access-point-management" mode, you cannot create Access Point security profiles.

Procedures

Creating Access Point Security Profiles

1. In the tree structure of the Directory panel, right-click the Organizational Unit that must contain your Access Point Security Profile and select New | Access Point Security Profile.

• The Access Point Security Profile configuration tab appears.

2. Fill in this window as described in Section 5.4.2, Configuring Access Point Security Profiles and click Apply.

• The Access Point Security Profile appears in the directory tree structure.

Modifying Access Point Security Profiles

If you modify an Access Point Security Profile already used by Access Points, your modification applies to all the Access Points using this Security Profile.

1. In the tree structure of the Directory panel, select the Access Point Security Profile to modify.

• The Access Point Security Profile configuration tab appears.

2. Fill in this window as described in Section 5.4.2, Configuring Access Point Security Profiles and click Apply.

• The Access Point Security Profile is modified.

5.4.2 Configuring Access Point Security Profiles

Before Starting

• For general information on the Access Point Security Profile objects, see Section 5.4, Managing Access Point Security Profiles.

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".

• In advanced administration mode, your role must contain the following right: "Access point security profile: Creation/Modification".


Window Example

Procedure

1. Type the Access Point security profile name.

2. If you want to select another existing Timeslice, click the button.

Click the button to display and if necessary modify the selected Timeslice configuration, as described in Section 1.1.1, "Creating/Modifying Timeslices".

3. Configure the parameters of the Access Point Security Profile, according to your needs:

• To configure Security Services parameters, see Section 5.4.2.1, Security Services Configuration ("Security Services" Tab).

• To configure Advanced Login parameters, see Section 5.4.2.2, Advanced Login Parameters Configuration ("Advanced Login" Tab).

• To configure Unlocking parameters, see Section 5.4.2.3, SSOWatch, SSOStudio, E-SSO Console, and Data Privacy Parameters Configuration.

• To configure SSOWatch parameters, see Section 5.4.2.3, SSOWatch, SSOStudio, E-SSO Console, and Data Privacy Parameters Configuration.

• To configure SSOStudio parameters, see Section 5.4.2.3, SSOWatch, SSOStudio, E-SSO Console, and Data Privacy Parameters Configuration.

• To configure E-SSO Console parameters, see Section 5.4.2.3, SSOWatch, SSOStudio, E-SSO Console, and Data Privacy Parameters Configuration.

• To configure Data Privacy parameters, see Section 5.4.2.3, SSOWatch, SSOStudio, E-SSO Console, and Data Privacy Parameters Configuration.


• To configure Biometrics parameters, see Section 5.4.2.4, Biometrics Parameters ("Biometrics" Tab).

• To configure Emergency Access parameters, see Section 5.4.2.5, Password Reset Servers Declaration ("Emergency Access" Tab)

• To configure RFID parameters, see Section 5.4.2.6, RFID Detection Area Configuration ("RFID" Tab).

• To configure Audit parameters, see Section 5.4.2.7, Audit Parameters Configuration ("Audit" Tab)

5.4.2.1 Security Services Configuration ("Security Services" Tab)

FIELD NAME DESCRIPTION

Time between two software inventories

Frequency at which the Access Points are checked to retrieve the list of the installed software clients (SSOWatch, Advanced Login…). The count starts when the Enterprise SSO controller starts.

Activate cache and Cache properties button

If this check box is not selected, the User cannot authenticate to the workstation if it is not connected to the LDAP directory. This check box can only be used if the User can use a cache, as described in Section 5.3.2, Configuring User Security Profiles. The Cache properties button allows you to configure the cache of the workstations associated with this security profile. For details, see "Cache properties" Window Description, below.


Time between two directory connection tests

Frequency at which the Enterprise SSO controller checks that the connection to the LDAP directory works.

Set 0 if you do not want to test the connection to the directory (not recommended, because recovering the connection will then take longer).

Network time-out TCP/IP connection parameters. This parameter must not be changed.

Authorized authentication methods

Select the Authentication methods available for the Access Points that will be associated with this Security Profile. The selected Authentication methods must be consistent with the authentication methods defined in the User Security Profiles. For more details, see Section 5.3.2.1, Authentication Parameters Configuration ("Authentication" Tab).

"Cache properties" Window Description

The Cache properties window is divided into the following areas:

• User Data: allows you to configure the validity period of the cache containing the authentication data of the user.

• Application data (Primary domain) and Application data (External domains): these areas allow you to configure:

• The validity period of the cache containing application data.


• The asynchronous update of the cache containing application data, which avoids updating the cache when the end user logs on to his/her workstation. Thus the network and the directory are not massively loaded at critical hours (mornings at 9 for instance), and the authentication duration decreases.

The Application data (External domains) area is functional only with Active Directory repositories, as it concerns only inter domain and multi domain infrastructures.

To configure the cache of the workstations associated with this security profile, fill in this window as follows:

• Performance cache validity period: this parameter allows you to configure the period of time during which the data is valid in the cache. When this period of time is over, the data in the cache expires. This means that at the next user log on, the workstation sends a request to the LDAP directory to refresh the cache.

The validity period of the user data cache is expressed in seconds, whereas the validity period of the application data cache is expressed in hours.

• Refresh automatically on expiration: (Application data areas only) select this check box to enable the automatic refresh of the cache containing application data when the validity period expires. This option allows you to configure the frequency, in hours, of the asynchronous update of the cache

• Synchronize data every <days> between <hour1> and <hour2> (Application data areas only): this check box also allows you to configure the asynchronous update of the cache, but in days, using a time slice. In this case, the workstations schedule the update at a random time in the interval.

You can configure only the day, and enter null values for hour1 and hour2. In this case, the update is scheduled at a random time in the day.

• The workstations must be switched on to perform the update.

• If a workstation is switched off, the asynchronous update may have been bypassed when the workstation is switched on again. In this case, if the cache data is not up to date:

• If time slices are defined, and if the current time is in the defined interval, the update is done. If the current time is not in the interval, the update will be performed in the next period defined by the time slice.

• If there is no time slice, the update is done.
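An added example (not the guide's or the product's code) that models the application-data cache rules above: expiry after the validity period in hours, the random update time inside the time slice, and the catch-up decision when a workstation is switched on after missing its update. Names are assumptions, and treating the slice as recurring daily for catch-up is this model's reading of "the next period defined by the time slice".

```python
import random
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Tuple


@dataclass(frozen=True)
class AppDataCachePolicy:
    """"Application data" area of the Cache properties window (hypothetical model).
    Validity is in hours, as the guide states for application data (user data uses seconds)."""
    validity_hours: int
    sync_every_days: int     # "Synchronize data every <days>"
    hour1: int = 0           # hour1 == hour2 == 0 are the "null values": any time of the day
    hour2: int = 0

    def __post_init__(self) -> None:
        if self.validity_hours < 1 or self.sync_every_days < 1:
            raise ValueError("validity and synchronization period must be at least 1")
        if self.has_time_slice and not 0 <= self.hour1 < self.hour2 <= 24:
            raise ValueError("time slice must satisfy 0 <= hour1 < hour2 <= 24")

    @property
    def has_time_slice(self) -> bool:
        return (self.hour1, self.hour2) != (0, 0)

    def slice_bounds(self) -> Tuple[int, int]:
        """Hours [start, end) in which the workstation may run the update."""
        return (self.hour1, self.hour2) if self.has_time_slice else (0, 24)


def cache_expired(policy: AppDataCachePolicy, last_refresh: datetime, now: datetime) -> bool:
    """Once the validity period is over, the next user logon refreshes the cache from the directory."""
    return now - last_refresh >= timedelta(hours=policy.validity_hours)


def random_time_in_slice(policy: AppDataCachePolicy, day: date, rng: random.Random) -> datetime:
    start_h, end_h = policy.slice_bounds()
    offset = rng.randrange(start_h * 3600, end_h * 3600)   # seconds after midnight
    return datetime.combine(day, time.min) + timedelta(seconds=offset)


def schedule_sync(policy: AppDataCachePolicy, last_sync: datetime, rng: random.Random) -> datetime:
    """The workstation plans the next update sync_every_days after the last one,
    at a random time inside the interval."""
    next_day = (last_sync + timedelta(days=policy.sync_every_days)).date()
    return random_time_in_slice(policy, next_day, rng)


def in_time_slice(policy: AppDataCachePolicy, when: datetime) -> bool:
    start_h, end_h = policy.slice_bounds()
    return start_h <= when.hour < end_h


def on_power_on(policy: AppDataCachePolicy, scheduled: datetime, now: datetime,
                rng: random.Random) -> Tuple[str, datetime]:
    """Catch-up decision when a workstation is switched on: ("wait", scheduled) if the planned
    update is still ahead, otherwise ("update", when) with when == now for an immediate update
    or a later time inside the next period of the time slice."""
    if scheduled > now:
        return ("wait", scheduled)
    # The update was bypassed while the workstation was off, so the cache data is not up to date.
    # Without a time slice the bounds cover the whole day, so the update is done immediately.
    if in_time_slice(policy, now):
        return ("update", now)
    # Outside the interval: defer to the next period of the slice. Assumption of this model: the
    # slice recurs daily for catch-up, so the next period is today's window if it has not opened
    # yet, otherwise tomorrow's.
    start_h, _ = policy.slice_bounds()
    next_day = now.date() if now.hour < start_h else now.date() + timedelta(days=1)
    return ("update", random_time_in_slice(policy, next_day, rng))


if __name__ == "__main__":
    rng = random.Random(2009)
    policy = AppDataCachePolicy(validity_hours=24, sync_every_days=7, hour1=12, hour2=14)
    planned = schedule_sync(policy, datetime(2009, 3, 2, 13, 0), rng)
    print("next update planned at", planned)
    print("switched on the day after at 16:00 ->",
          on_power_on(policy, planned, datetime(2009, 3, 10, 16, 0), rng))
```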


5.4.2.2 Advanced Login Parameters Configuration ("Advanced Login" Tab)

The following table details only the drop-down lists and check boxes that require additional description.

For more details about the Advanced Login application, see Enterprise SSO Advanced Login for Windows User Guide.

Configuration Parameters

FIELD NAME DESCRIPTION

Default action when token removed

Workstation behavior at authentication token removal.

Delay before action Time elapsed before Advanced Login applies the action defined in the Default action when token removed drop-down list.

Delay before automatic locking Time interval before automatic locking of the Windows session.

Allow local connection Select this check box to allow the user connecting to the access point to use the local computer account, which is not part of the Enterprise SSO architecture.

Allow remote unblocking of tokens

Select this check box to allow Users associated with this Access Point to unlock their smart cards directly on the workstation using the unlocking secret code given by the "Smart card administrator".


Remember authentication role Select this check box to allow SSOEngine to use the last selected Role upon restart of the workstations associated with this Security Profile.

Only allow unlocking with the same windows credential

If you select this check box, the workstations that use this Security Profile can only be unlocked by the users who have locked their sessions.

Allow password change

Allow PIN change

These check boxes allow you to show or hide password change or PIN change buttons of the Advanced Login Session Information window.

Enable smart card detection on Ctrl-Alt-Del

• Select this check box to prompt the user to type his PIN if a smart card is detected when he presses Ctrl+Alt+Del.

• Clear this check box to prompt the user to type his password even if a smart card is detected when he presses Ctrl+Alt+Del.

Allow windows domain connection (only for non Active Directory configurations)

When the architecture is not based on an Active Directory environment, Advanced Login allows authentication on the security directory and, if allowed, locally.

Select this check box to allow the authentication on the Windows domain to which the computer belongs, in case the dedicated directory is not available or there are some troubles (cache corruptions …).

The Windows domain to which the computer belongs will be added to the domain list displayed to the user.

Allow roaming session A roaming session allows users to open a session on a computer with their physical authentication token, without having to type a secret.

When a user authorized to access roaming sessions (see Section 5.3.2.2, Security Parameters Configuration ("Security" Tab)) authenticates on the computer, a roaming session is automatically created for the user.

Select this check box to authorize the roaming session mode on the computer.

For performance reasons, we recommend allowing the roaming session mode only on access points that will actually use it.

Grace period for administrator authentication

Specifies the administrator’s grace period. You can define the maximum time between the user’s smart card withdrawal while the SHIFT key is pressed and the completion of another user authentication. The default value is 60 seconds.


Excluded accounts button Allows you to exclude accounts from the Enterprise SSO solution. It means that the account authentication is performed by Windows and not by Enterprise SSO.

An excluded account can only be used with the password authentication method, not with tokens.

For details, see Setting Excluded Account List below.

Setting Excluded Account List

1. To set an excluded account list, click Excluded accounts ….

• The excluded account window appears.

2. To exclude an account, do one of the following:

• Select the Add button to choose a group to be excluded.

• Select the first check box to exclude local administrators.

• Select the second check box to exclude accounts that are not able to perform an Enterprise SSO authentication.


5.4.2.3 SSOWatch, SSOStudio, E-SSO Console, and Data Privacy Parameters Configuration

The SSOWatch Tab

The SSOStudio Tab

The E-SSO Console Tab


The Data Privacy Tab

The following table details only the drop-down lists and check boxes that require additional description.

SSOWatch tab

SSOWatch module is authorized on this workstation

All the Access Points associated with this Security Profile can run the SSOWatch software module if installed.

Show splash screen

-

Show SSOWatch icon in the task bar

-

Time between two window detection sequences

This combo box allows you to define the frequency (in ms) used by SSOWatch to scan the workstation Windows desktop to detect the presence of authentication windows.

Do not lock SSOWatch on smart card withdrawal

-

SSOStudio tab

SSOStudio module is authorized on this workstation

All the Access Points associated with this Security Profile can run the SSOStudio software module if installed.

E-SSO Console tab

E-SSO Console is authorized on this workstation

All the Access Points associated with this Security Profile can run the E-SSO Console software module if installed.

Data Privacy tab

File Encryption is authorized on this workstation

All the Access Points associated with this Security Profile can run the File Encryption software module if installed.


5.4.2.4 Biometrics Parameters ("Biometrics" Tab)

Subject

This tab allows you to configure biometric parameters on computers on which it is used.

This tab is only available if you have selected the "Store-On-Server" authentication method in the Authentication tab (see Section 5.3.2.1, Authentication Parameters Configuration ("Authentication" Tab)).

Before Starting

To configure the parameters described in this section, you must work in advanced administration mode, and your role must contain the following right: "Bio: Is enable to allow biometrics pattern enrolment".

For more information on administration modes, see Section 4, Managing Administrators.

"Biometrics" Tab Description

• Sensitivity area: False accepted rate (read the instructions displayed in the area).


• Policy area

a) Remove unused cached patterns on the workstation after x days check box

• Check box selected: local cache biometric data will be deleted if it has not been used after a defined number of days.

• Check box cleared: local cache biometric data is never deleted.

b) Users must confirm biometric scan to log on check box

• Check box selected: to log on to the computer, users must place their finger in the scanner and then click OK in the Advanced Login welcome screen.

• Check box cleared: to log on to the computer, users only have to place their finger in the scanner. The validation is automatic.

5.4.2.5 Password Reset Servers Declaration ("Emergency Access" Tab)

Reset password servers

This area displays the list of Password Reset servers you want to use. The position of servers in the list corresponds to the working order (if the first server does not respond, the second one is tested, and so on).

Remove button

This button removes the selected server from the list.

Add button

Type a server address in the field and click this button to add it to the server list.


5.4.2.6 RFID Detection Area Configuration ("RFID" Tab)

This tab allows you to modify the detection areas of RFID tokens. For details, see Section 9.4, Modifying the Detection Areas and the Grace Period.


5.4.2.7 Audit Parameters Configuration ("Audit" Tab)

The Audit tab allows you to assign an audit filter to Access Point Security Profile to generate only relevant audit events.

To assign an audit filter, see Section 13.2.2, Assigning an Audit Filter to Specific Objects.

5.4.3 Displaying Access Point Security Profile Event Logs

Subject

The Events tab allows you to display all the events that are directly or indirectly linked to the selected object, for a defined period (the last two days by default). This report contains both User action and administration log entries.

Restriction

The Events tab only appears if you have the following administration role:

• In classic administration mode: "Auditor".

• In advanced administration mode, your role must contain the following right: "Audit: Visualization".

For more details on administration roles, see Section 4, Managing Administrators.


Procedure

1. In the tree structure of the Directory panel, select the wanted Access Point Security Profile.

2. Click the Events tab.

• The Events tab appears.

3. In the Filter area, define a period of time to filter the log entries and click Apply (for more information on event logs see Section 13.2.1, Filtering Audit Records).

5.4.4 Renaming Access Point Security Profiles

Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".

• In advanced administration mode, your role must contain the following right: "Access point security profile: Creation/Modification".

Procedure

1. In the tree structure of the Directory panel, right-click the Access Point Security Profile to rename and select Rename.

2. Type the new name of the object and press Enter.

5.4.5 Deleting Access Point Security Profiles

Subject

If you delete an Access Point Security Profile used by Access Points, these Access Points will use the default Access Point Security Profile.

Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".

• In advanced administration mode, your role must contain the following right: "Access point security profile: Deletion".

Procedure

In the Directory panel, right-click the Access Point Security Profile to delete and select Delete.

• The Access Point Security Profile is deleted from the directory tree structure.


5.5 Managing Application Security Profiles

Subject

Managing Application Security Profiles consists in creating, modifying and deleting Application Security Profiles.

As Password Generation Policies (PGP) are only used to define Application Security Profiles, they are also described in this section.

Object Definition

Application Security Profiles are security objects that define a set of rights and properties that are applied generically for one or more applications.

Target Objects

Application Security Profiles apply to Applications.

5.5.1 Managing Password Generation Policies

Subject

This section describes how to create, modify and delete Password Generation Policies (PGP).

Object Definition

A Password Generation Policy defines the way an Application must generate a password.

Target Objects

PGP are required to define Application Security Profiles.

5.5.1.1 Creating/Modifying Password Generation Policies

Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".

• In advanced administration mode, your role must contain the following right: "Password generation policy: Creation/Modification".


Procedures

Creating Password Generation Policies

1. In the tree structure of the Directory panel, right-click the Organizational Unit that must contain your PGP and select New | Password Generation Policy.

• The PGP configuration tab appears.

2. Fill in this window as described in Section 5.5.1.2, Configuring the Password Generation Policy and click Apply.

• The PGP appears in the directory tree structure.

Modifying Password Generation Policies

If you modify a PGP already used by target objects, your modifications apply on all the target objects associated with this Security Object.

1. In the tree structure of the Directory panel, select the PGP to modify.

• The PGP configuration tab appears.

2. Fill in this window as described in Section 5.5.1.2, Configuring the Password Generation Policy and click Apply.

• The PGP is modified.

5.5.1.2 Configuring the Password Generation Policy

Before Starting

• For general information on the PGP objects, see Section 5.5.1, Managing Password Generation Policies.

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".

• In advanced administration mode, your role must contain the following right: "Password generation policy: Creation/Modification".


Window Example

Procedure

1. Type the PGP name.

2. Define the behavior of the Applications associated with this PGP during a password change request: either ask the User to enter a password compatible with the PFCP, or automatically generate a new password.

3. Define the frequency with which the Application can force the modification of the authentication password upon a session start, and the number of old passwords that cannot be reused, to prevent users from replacing their password with one that was used too recently.

4. Define a list of forbidden passwords, using the Add and Remove buttons.

The Add button is activated when you type a forbidden password in the field located to the left of the button.
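The following Python example is added here for illustration; it is not part of the Quest Enterprise SSO product or of this guide. It models how the four PGP settings above (generation mode, change frequency, password history size and forbidden-password list) combine when an Application requests a password change. The class name, its fields and the sample passwords are assumptions made for the example.

```python
# Added illustration (not Quest/Evidian code) of a Password Generation Policy:
# the generation mode, the change frequency, the password history size and
# the forbidden-password list are modelled on the four procedure steps above.
# All names and sample values below are assumptions made for this example.
import secrets
import string
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class PasswordGenerationPolicy:
    name: str
    auto_generate: bool          # True: SSO generates the password itself
    change_every_days: int       # force a change this often at session start
    history_size: int            # number of old passwords that cannot be reused
    forbidden: set = field(default_factory=set)
    length: int = 12

    def is_acceptable(self, candidate: str, history: list) -> bool:
        """Reuse rules: not in the forbidden list, not among the last N used."""
        if candidate in self.forbidden:
            return False
        # history[-0:] would be the whole list, so guard a history size of 0
        recent = history[-self.history_size:] if self.history_size > 0 else []
        return candidate not in recent

    def change_required(self, last_change: date, today: date) -> bool:
        """Step 3: has the change frequency elapsed since the last change?"""
        return today - last_change >= timedelta(days=self.change_every_days)

    def generate(self, history: list) -> str:
        """Draw random passwords until one satisfies the reuse rules."""
        alphabet = string.ascii_letters + string.digits
        while True:
            candidate = "".join(secrets.choice(alphabet) for _ in range(self.length))
            if self.is_acceptable(candidate, history):
                return candidate

    def next_password(self, proposed, history: list) -> str:
        """Step 2: either generate automatically or validate the user's proposal."""
        if self.auto_generate:
            return self.generate(history)
        if proposed is None or not self.is_acceptable(proposed, history):
            raise ValueError("proposed password is forbidden or was used too recently")
        return proposed


if __name__ == "__main__":
    # Constructed sample: three old passwords are remembered, "Password1" is banned.
    policy = PasswordGenerationPolicy("demo", auto_generate=False,
                                      change_every_days=90, history_size=3,
                                      forbidden={"Password1"})
    used = ["Alpha#01", "Bravo#02", "Charlie#03", "Delta#04"]
    print(policy.is_acceptable("Delta#04", used))    # False: reused too recently
    print(policy.is_acceptable("Alpha#01", used))    # True: fell out of the history
    print(policy.change_required(date(2009, 1, 1), date(2009, 4, 1)))  # True
```

The history check keeps only the last N entries of the recorded password list, so a password that has fallen out of that window becomes acceptable again; the forbidden list, by contrast, is permanent.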


5.5.1.3 Displaying Password Generation Policy Event Logs

Subject

The Events tab allows you to display all the events that are directly or indirectly linked to the selected object, for a defined period (the last two days by default). This report contains both User action and administration log entries.

Restriction

The Events tab only appears if you have the following administration role:

• In classic administration mode: "Auditor".

• In advanced administration mode, your role must contain the following right: "Audit: Visualization".

For more details on administration roles, see Section 4, Managing Administrators.

Procedure

1. In the tree structure of the Directory panel, select the wanted Password generation policy.

2. Click the Events tab.

• The Events tab appears.

3. In the Filter area, define a period of time to filter the log entries and click Apply (for more information on event logs see Section 13.2.1, Filtering Audit Records).

5.5.1.4 Renaming Password Generation Policies

Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".

• In advanced administration mode, your role must contain the following right: "Password generation policy: Creation/Modification".

Procedure

1. In the tree structure of the Directory panel, right-click the PGP to rename and select Rename.

2. Type the new name of the object and press Enter.


5.5.1.5 Deleting Password Generation Policies

Subject

If you delete a PGP used by Application objects, these Applications will use the default PGP.

Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".

• In advanced administration mode, your role must contain the following right: "Password generation policy: Deletion".

Procedure

In the Directory panel, right-click the PGP to delete and select Delete.

• The PGP is deleted from the directory tree structure.

5.5.2 Creating/Modifying Application Security Profiles

Before Starting

Before starting, check that you meet the following requirements:

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".

• In advanced administration mode, your role must contain the following right: "Application profile: Creation/Modification".

• The Password Generation Policy that will be used by the Application Security Profile must be created.

Procedures

Creating Application Security Profiles

1. In the tree structure of the Directory panel, right-click the Organizational Unit that must contain your Application Security Profile and select New | Application Profile.

• The Application Security Profile configuration tab appears.

2. Fill in this window as described in Section 5.5.3, Configuring Application Security Profiles and click Apply.

• The Application Security Profile appears in the directory tree structure.


Modifying Application Security Profiles

If you modify an Application Security Profile already used by Applications, your modifications apply to all the Applications associated with this Security Profile.

1. In the tree structure of the Directory panel, select the Application Security Profile to modify.

• The Application Security Profile configuration tab appears.

2. Fill in this window as described in Section 5.5.3, Configuring Application Security Profiles and click Apply.

• The Application Security Profile is modified.

5.5.3 Configuring Application Security Profiles

Before Starting

• For general information on the Application Security Profile objects, see Section 5.5, Managing Application Security Profiles.

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".

• In advanced administration mode, your role must contain the following right: "Application profile: Creation/Modification".

Window Example


Procedure

1. Type the Application Profile name.

2. Define the rules for accessing SSO accounts using the following tabs:

• General tab: see Section 5.5.3.1, General Parameters Configuration ("General" Tab).

• Account tab: see Section 5.5.3.2, Account Parameters Configuration ("Account" Tab).

• Authentication method tab: see Section 5.5.3.3, Authentication Method Definition ("Authentication method" Tab).

• Delegation tab: see Section 5.5.3.4, Delegation Parameters Configuration ("Delegation" Tab).

5.5.3.1 General Parameters Configuration ("General" Tab)

FIELD NAME DESCRIPTION

Use password control policy specified here

Select this check box to select a PFCP for the security profile. If you do not select any PFCP, the application PFCP is used.

Click the button to display and if necessary modify the selected PFCP, as described in Section 5.2, Managing Password Format Control Policies.

Password generation policy

The default PGP is selected by default. Click the button to select another existing PGP.

Click the button to display and if necessary modify the selected PGP, as described in Section 5.5.1.1, Creating/Modifying Password Generation Policies.


User must re-authenticate to perform SSO

Select this option if the Applications associated with the Security Profile must always require the User's primary authentication to start.

Launch application at start-up of SSOWatch

Select this check box to start the Application associated with the Security Profile when SSOWatch starts. In this case, the Application starting parameters must be defined at the SSOStudio level.

Show application on user's SSOWatch desktop

Select this check box to display the SSO data of the Applications associated with the Security Profile on the SSOEngine desktop.

When application is used, set user's 'unlocking level' to

If you want to use a different user level than the one specified in the User Security Profile, as described in Section 5.3.2, Configuring User Security Profiles, select this check box and define the new level of the user for the Applications associated with this Security Profile.

5.5.3.2 Account Parameters Configuration ("Account" Tab)

FIELD NAME DESCRIPTION

Credential storage

Storage location of the user accounts used by Applications associated with the Security Profile.

Password change at first connection

Select this check box to make the password expire just after having been collected. The password is then changed according to the password policy (see Section 5.5.1.2, Configuring the Password Generation Policy).


User can modify account

Select this check box to allow users to modify their passwords with SSOWatch. Leave it cleared to ensure that SSO data is managed centrally only.

User can display password

Select this check box to allow users to display their passwords with SSOWatch.

Encrypt by

This drop-down list allows you to select the way the Accounts are ciphered and deciphered. Select one of the following entries:

• User: if you select this entry, only the user can decipher his account. This is the most secure option.

If the user forgets his/her primary password or loses his/her smart card, it is impossible to recover his/her secondary accounts.

• User and administrators: you can also decipher the user's accounts. Thus, if you force a new primary password or assign a new smart card using Token Manager, the user's secondary accounts are also recovered.

• User, administrators and external key: select this entry to allow an external application to decipher the user's secondary accounts using a public key. For example, you must select this entry if you want to use E-SSO with Web Access Manager. By selecting this entry, you allow Web Access Manager to decipher the E-SSO secondary accounts of the user so that Web Access Manager can perform SSO with these accounts.

User can cancel Single Sign-On

Select this check box to allow users to cancel the SSO authentication process with the Applications associated with the Security Profile:

• For the current session only: The user can cancel the SSO authentication process for the whole current session.

• For the application (until reset): The user can cancel the SSO authentication process for the current application.

• For the current window only: The user can cancel the SSO windows, but SSOWatch continues to detect windows associated with the application.


5.5.3.3 Authentication Method Definition ("Authentication method" Tab)

This tab allows you to:

• Select the authentication methods required to perform SSO.

• Authorize access to the application (SSO) when the roaming session mode is activated (see the roaming session activation parameters in Section 5.4.2.2, Advanced Login Parameters Configuration ("Advanced Login" Tab) and Section 5.3.2.2, Security Parameters Configuration ("Security" Tab)).


5.5.3.4 Delegation Parameters Configuration ("Delegation" Tab)

The Delegation tab allows you to define delegation permissions, which authorize users to delegate their SSO account so that it can be used by other users.

• Limit delegation duration to x days check box: allows you to set the maximum number of days of application delegation.

• Authorize delegation to all users check box: authorizes delegation to all users of the application.

• Authorize delegation to members of the same group check box: authorizes delegation to all users of the same group.

• Authorize delegation to members of the same organization entity check box: authorizes delegation to all users of the same organization.

• Advanced mode, list users/groups/organizational entities authorized for delegation check box: authorizes delegation to a selection of users, groups and organizational units.

• Authorize delegated user to generate new password check box: authorizes the delegated user(s) to modify the delegated SSO account password.

A user can delegate his or her SSO account from the SSOWatch Engine (for details, see Enterprise SSO - SSOWatch Administrator Guide).
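The following Python example is added for illustration and is not part of the product or of this guide. It shows how the delegation check boxes above combine into a single authorization decision for one SSO account, and how the duration limit is applied. The user attributes (group membership, organizational entity), the policy field names and the sample users are assumptions made for the example.

```python
# Added example (not Quest/Evidian code) of evaluating the delegation
# permissions listed above for one SSO account. User attributes, the policy
# field names and the sample users are assumptions made for this illustration.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset          # group memberships
    org_unit: str              # organizational entity


@dataclass
class DelegationPolicy:
    max_days: Optional[int] = None      # "Limit delegation duration to x days"
    to_all_users: bool = False          # "Authorize delegation to all users"
    same_group: bool = False            # "... members of the same group"
    same_org_unit: bool = False         # "... members of the same organization entity"
    allowed_users: set = field(default_factory=set)      # advanced mode lists
    allowed_groups: set = field(default_factory=set)
    allowed_org_units: set = field(default_factory=set)
    delegate_may_change_password: bool = False           # "... generate new password"

    def may_delegate(self, owner: User, delegate: User) -> bool:
        """True if any selected check box authorizes owner -> delegate."""
        if owner == delegate:
            return False                      # delegating to oneself is meaningless
        if self.to_all_users:
            return True
        if self.same_group and owner.groups & delegate.groups:
            return True
        if self.same_org_unit and owner.org_unit == delegate.org_unit:
            return True
        # Advanced mode: explicit users, groups and organizational entities
        return (delegate.name in self.allowed_users
                or bool(delegate.groups & self.allowed_groups)
                or delegate.org_unit in self.allowed_org_units)

    def delegation_end(self, start: date, requested_days: int) -> date:
        """Clamp the requested duration to the configured maximum, if any."""
        days = requested_days
        if self.max_days is not None:
            days = min(requested_days, self.max_days)
        return start + timedelta(days=days)


if __name__ == "__main__":
    # Constructed sample users
    alice = User("alice", frozenset({"finance"}), "ou=paris")
    bob = User("bob", frozenset({"finance", "it"}), "ou=lyon")
    policy = DelegationPolicy(max_days=7, same_group=True)
    print(policy.may_delegate(alice, bob))                  # True: shared group
    print(policy.delegation_end(date(2009, 6, 1), 30))      # 2009-06-08
```

The check boxes are additive: with none of them selected, no delegation is possible, and each selected box only widens the set of possible delegates. The duration limit is applied independently of who the delegate is.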


5.5.4 Displaying Application Security Profile Event Logs

Subject

The Events tab allows you to display all the events that are directly or indirectly linked to the selected object, for a defined period (the last two days by default). This report contains both User action and administration log entries.

Restriction

The Events tab only appears if you have the following administration role:

• In classic administration mode: "Auditor".

• In advanced administration mode, your role must contain the following right: "Audit: Visualization".

For more details on administration roles, see Section 4, Managing Administrators.

Procedure

1. In the tree structure of the Directory panel, select the wanted Application Security profile.

2. Click the Events tab.

• The Events tab appears.

3. In the Filter area, define a period of time to filter the log entries and click Apply (for more information on event logs see Section 13.2.1, Filtering Audit Records).

5.5.5 Renaming Application Security Profiles

Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".

• In advanced administration mode, your role must contain the following right: "Application profile: Creation/Modification".

Procedure

• In the tree structure of the Directory panel, right-click the Application Security Profile to rename and select Rename.

• Type the new name of the object and press Enter.


5.5.6 Deleting Application Security Profiles

Subject

If you delete an Application Security Profile used by Application objects, these Applications will use the default Application Security Profile.

Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".

• In advanced administration mode, your role must contain the following right: "Application profile: Deletion".

Procedure

In the Directory panel, right-click the Application Security Profile to delete and select Delete.

• The Application Security Profile is deleted from the directory tree structure.

5.6 Defining Security Profiles Default Values

Subject

The Security objects (Timeslice, Password Format Control Policy, Password Generation Policy, User Security Profile, Access Point Security Profile and Application Security Profile) can be applied to various target objects.

Upon their creation, these target objects are automatically associated with the default Security objects. If necessary, you can change this default Security object. To prevent you from changing systematically the default Security object applied to the created target objects, you can configure the Security Profiles default values.

Before Starting

Check that you meet the following requirements:

• To perform the task described in this section, you must have at least the following administration role:

a) In classic administration mode: "Security object administrator".

b) In advanced administration mode, your role must contain the following rights:

• "Directory: Browsing".

• "Access point security profile: Creation/Modification".

• "Application profile: Creation/Modification".

• "Password format control policy: Creation/Modification".

• "Password generation policy: Creation/Modification".


• "Schedule: Creation/Modification".

• "User security profile: Creation/Modification".

• The Security objects that you want to define as default Security objects must be created.

Procedure

1. In the File menu, select Configuration.

2. In the displayed window, click the Default Values tab.

3. In the Default Values tab, define the Security objects applied by default during the creation of target objects as follows:

• Click the Select button.

• Browse the directory tree structure or use the Search tab to find your Security object.

• Click OK.

4. Click OK.


5.7 Managing User and Access Point Security Profiles Priorities

Subject

Depending on your organization, a user or a workstation can belong to different groups. Consider that a user belongs to two groups. If a User Security Profile is applied to each group, then it is necessary to define priorities for the two User Security Profiles, to avoid conflict during the resolution of the User Security Profile used by the user, as shown in the following illustration.

[Illustration: a User who is a member of two Groups, each associated with its own User Security Profile]

Before Starting

Check that you meet the following requirements:

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".

• In advanced administration mode, your role must contain the following right: "User security profile: Creation/Modification" or "Access point security profile: Creation/Modification".

• The Security objects that you want to define as default Security objects must be created.

• If you are working in "no-access-point-management" mode, you cannot manage Access Point security profiles priorities.

Procedure

1. In the File menu, select either Manage User Security Profile Priority or Manage Access Point Security Profile Priority.

The Manage Access Point Security Profile Priority functionality is only available if Enterprise SSO manages Access Points.

• The User Profile priority window appears.


The User Security Profile priority management window and the Access Point Security Profile management priority window are exactly the same.

2. Select a User Security Profile/Access Point Security Profile and use the Increase and Decrease buttons to define its priority. You can also use the Default button to define the default priority value. This value is used if a user/workstation is not associated with a User/Access Point Security Profile. The Reset button allows you to re-order the User/Access Point Security Profiles in a random way.

The lowest level profile has the highest priority.

3. Click Close when finished.
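The following Python example is added for illustration and is not part of the product or of this guide. It models the priority window described above: an ordered list of Security Profile names on which the Increase and Decrease buttons act, a default value used when the user or workstation is associated with no profile, and the resolution rule for an object that belongs to several groups. It assumes that "lowest level" means the top position in the list; the profile, group and user names are constructed for the example.

```python
# Added example (not Quest/Evidian code) of the priority rule stated above:
# the profile lowest in the list wins, and the default applies when the user
# or workstation is associated with no profile. All names are constructed.
from typing import Dict, Iterable, List


class ProfilePriorityList:
    """Ordered list of Security Profile names; index 0 has the highest priority."""

    def __init__(self, ordered: Iterable[str], default: str):
        self.order: List[str] = list(ordered)
        self.default = default          # value set with the Default button

    def increase(self, name: str) -> None:
        """Move a profile one position up, like the Increase button."""
        i = self.order.index(name)
        if i > 0:
            self.order[i - 1], self.order[i] = self.order[i], self.order[i - 1]

    def decrease(self, name: str) -> None:
        """Move a profile one position down, like the Decrease button."""
        i = self.order.index(name)
        if i < len(self.order) - 1:
            self.order[i], self.order[i + 1] = self.order[i + 1], self.order[i]

    def resolve(self, member_of: Iterable[str], group_profiles: Dict[str, str]) -> str:
        """Pick the applicable profile for an object that belongs to several groups.

        member_of: the groups the user or workstation belongs to.
        group_profiles: which Security Profile is applied to each group.
        """
        candidates = {group_profiles[g] for g in member_of if g in group_profiles}
        candidates &= set(self.order)      # ignore profiles not in the priority list
        if not candidates:
            return self.default            # no profile applies: use the default
        return min(candidates, key=self.order.index)


if __name__ == "__main__":
    # Constructed sample: three profiles, three groups
    priorities = ProfilePriorityList(["Strict", "Standard", "Kiosk"], default="Standard")
    group_profiles = {"finance": "Strict", "staff": "Standard", "lobby": "Kiosk"}
    print(priorities.resolve(["staff", "finance"], group_profiles))   # Strict
    print(priorities.resolve(["guest"], group_profiles))              # Standard
```

Because resolution depends only on the relative order, moving one profile with Increase or Decrease can change the outcome for every user whose groups carry both that profile and its neighbour, which is why the order should be reviewed as a whole after any change.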


6 Managing Directory Objects

Subject

This section describes how to manage the Users, Access Points and Applications, which must be declared, configured and linked to each other, as described in Section 1.1, Enterprise SSO Concepts.

It also explains how to manage representative objects and clusters of access points, and how to select a domain controller.

Before Starting

• To perform the tasks described in this section, you must have at least one of the following administration roles:

• In classic administration mode: "Security object administrator" or "Access administrator" or "Rights administrator".

• In advanced administration mode: "Directory: Browsing" and the rights listed in the following task sections.

For more information on administration roles, see Section 4, Managing Administrators.

• To optimize network traffic, you can use the update management feature. By default, the Enterprise SSO workstations retrieve the whole SSO configuration periodically. The update management feature allows you to post an update, which generates a unique identifier. The workstations retrieve the application data and this identifier. As long as the identifier is unchanged between the directory and the cache of the workstations, the workstations do not update their SSO configurations.

To enable or disable the update management feature, in the File menu of Enterprise SSO Console, select Manage updates. When a workstation runs an update, it retrieves the entire configuration (not only the part corresponding to the last posted update). Consequently, if the data on a workstation is older than the last posted update, the workstation also retrieves the applications that administrators configured after that update was posted.
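The following Python example is added for illustration and is not part of the product or of this guide. It models the update management behaviour described above: the directory carries an identifier for the last posted update, a workstation compares it with the identifier in its cache, and it re-reads the whole configuration only when they differ. It also reproduces the caveat in the last paragraph: a workstation whose data is older than the last post retrieves everything, including applications configured after that post. The class names, the way the identifier is derived and the sample application names are assumptions.

```python
# Added model (not Quest/Evidian code) of the update management feature
# described above: the directory carries an identifier for the last posted
# update and a workstation re-reads the whole configuration only when that
# identifier differs from the one in its cache. Structure and names are assumed.
import hashlib
import json
from typing import Dict, Optional


class ConfigurationDirectory:
    """Directory side: the SSO configuration plus the last posted update id."""

    def __init__(self, applications: Dict[str, dict]):
        self.applications = dict(applications)
        self.update_id: Optional[str] = None   # None: no update posted yet

    def post_update(self) -> str:
        """Manage updates: derive a fresh identifier from the current data."""
        payload = json.dumps(self.applications, sort_keys=True).encode()
        self.update_id = hashlib.sha256(payload).hexdigest()[:16]
        return self.update_id


class Workstation:
    """Workstation side: cached configuration and the identifier it was read with."""

    def __init__(self):
        self.cached_id: Optional[str] = None
        self.config: Dict[str, dict] = {}
        self.fetches = 0                     # how many full retrievals happened

    def refresh(self, directory: ConfigurationDirectory) -> bool:
        """Periodic check; return True if the whole configuration was retrieved."""
        posted = directory.update_id
        if posted is not None and posted == self.cached_id:
            return False                     # identifiers match: nothing to do
        # Always the entire configuration, not just the last posted change
        self.config = dict(directory.applications)
        self.cached_id = posted
        self.fetches += 1
        return True


if __name__ == "__main__":
    # Constructed sample: one application posted, a second one added but not posted
    directory = ConfigurationDirectory({"sap": {"version": 1}})
    directory.post_update()
    ws = Workstation()
    print(ws.refresh(directory))                 # True: first retrieval
    print(ws.refresh(directory))                 # False: identifier unchanged
    directory.applications["mail"] = {"version": 1}
    print(ws.refresh(directory))                 # False: not posted, so not seen
    print(Workstation().refresh(directory))      # True: a stale cache gets "mail" too
```

Without a posted update the identifier is absent, so every periodic check retrieves the configuration, which is the default behaviour the paragraph describes. Once an identifier has been posted, only a change of identifier (or a workstation whose cache carries a different one) triggers a retrieval.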


6.1 Managing Applications

Subject

This section describes how to define existing applications (corporate applications) and configure them to implement network strategies and user single sign-on data.

If your directory infrastructure is composed of several domains, the definitions of your corporate applications are saved only in the domain where they are defined.

Before Starting

Before reading the following sub-sections, check that the following steps are carried out:

1. Make the inventory of the applications for which you want to control the access using Enterprise SSO Console.

2. For each application, list all the authentication windows (login, new password, incorrect password, etc.).

3. For each application, create the corresponding technical reference using SSOStudio Enterprise.

• The technical reference is a technical description of an application. This allows

you to configure the accesses to this application, and particularly to enable the single sign-on. The creation of technical references is described in Enterprise SSO - SSOWatch Administrator Guide.

• To manage technical references, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".

• In advanced administration mode, your role must contain the following rights: "Technical reference: Creation/Modification" and "Technical reference: Deletion".

6.1.1 Creating an Application

Creating an application consists in adding an Application object in the directory tree structure. You can create an Application through one of the following methods:

• Creating an Application without using any template: see Section 6.1.1.1, Creating an Application without Using a Template.

• Using templates to create SAP and Windows application objects: see Section 6.1.1.2, Creating an Application Using Templates.

6.1.1.1 Creating an Application without Using a Template

Subject

The following procedure explains how to create a new Application object without using existing templates.


Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".

• In advanced administration mode, your role must contain the following right: "Application: Creation/Modification".

Procedure

1. In the tree structure of the Directory panel, right-click the Organizational Unit that must contain your Application and select New | Application.

• The Information tab appears.

2. Fill in at least the Name field and press Enter.

• The Application object is created. You must now configure it, as described in the following sections.

6.1.1.2 Creating an Application Using Templates

Subject

Enterprise SSO Console allows you to use templates to create SAP and Windows application objects. The Template Application item allows you to create an Application object with a number of pre-defined parameters. They should be used for specific authentication scenarios. The predefined template applications are:

• SAP, for SAP R/3 application authentication.

• Windows, for authentication to an external LDAP directory.

Template applications are managed in the same way as Application objects. They enable the SSO function for specific authentication procedures. A template application has a number of predefined parameters.

The following procedure explains how to create a new Windows or SAP Application object using existing templates.

Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".

• In advanced administration mode, your role must contain the following right: "Application: Creation/Modification".


Procedures

Creating a Windows Application

1. In the tree structure of the Directory panel, right-click the Organizational Unit that must contain your Application and select New | Template-based Application | Windows.

• The Windows Application window appears.

2. Fill in the window with the Application and Application domain names.

3. Click OK.

• The Application object is created with pre-defined parameters for a Windows Application. You can configure or modify it, as described in the following sections.

Creating an SAP Application

1. In the tree structure of the Directory panel, right-click the Organizational Unit that must contain your Application and select New | Template-based Application | SAP.

• The SAP Application window appears.

2. Fill in the window to create the SAP Application.

3. Click OK.

• The Application object is created with pre-defined parameters for an SAP Application. You can configure or modify it, as described in the following sections.


6.1.2 Defining the General Properties of an Application ("Configuration"/"General" Tab)

Subject

The application's general properties allow you to define:

• The Application access Timeslice.

• The authentication type authorized.

Before Starting

Check that you meet the following requirements:

• The Application access Timeslice object must be created. For more details, see Section 5.1, Managing Timeslices.

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".

• In advanced administration mode, your role must contain the following right: "Application: Creation/Modification".

Procedure

1. In the tree structure of the Directory panel, select the wanted Application.

2. In the Configuration tab, click the General tab.

• The General tab appears.

3. Fill in this tab with the following guidelines:

• Timeslice area: click the first button to change the Timeslice used by the Application, and the second button to display the parameters of the selected Timeslice (both buttons appear as icons next to the Timeslice field).


• Properties area: You cannot change the authentication type authorized (only the password method is supported for the time being).

• Audit area: You can assign an audit filter to the application to generate only relevant audit events: see Section 13.2.2, Assigning an Audit Filter to Specific Objects.

4. Click Apply.

6.1.3 Creating the Account Properties of an Application

Subject

The account properties of an Application allow you to define login/password requirements, the list of parameters supported by the application, and whether several Applications share the same Account Base. You define the Account properties through the Account Base and Account Properties tabs located in the Configuration tab of an Application object.

Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator" and you must be manager of the application.

• In advanced administration mode, your role must contain the following rights: "Application: Creation/Modification", "Parameter: Creation/Modification", "Parameter: Deletion", and you must be manager of the application or possess the "Application: Manage all applications" right.

• For more information on administration roles, see Section 4, Managing Administrators.

• For more information on application management rights, see Section 6.1.7, Sharing the Administration of an Application.

6.1.3.1 Defining Account Base Parameters ("Configuration"/"Account Base" Tab)

Subject

The Account Base tab allows you to define common bases of Accounts for several applications.

Procedure

1. In the tree structure of the Directory panel, select the wanted Application.

2. In the Configuration tab, click the Account Base tab.


• The Account Base tab appears.

3. Read carefully the information note and the following section to fill in this tab.

4. Click Apply.

Account Base Tab Description

• The application uses primary accounts check box

a) Check box cleared: The application standard account is used to perform SSO on the selected application.

b) Check box selected: The primary account (the user name and password that the user types to open his Windows session) is used to perform SSO on the selected application. The Windows username can be used in the following formats:

• Short name: username only.

• Windows 2000 (and later): username including the Windows DNS domain, in user principal name form (username@domain).

• NT 4: username preceded by the NETBIOS domain, for instance: QUEST\jsmith.

• Share Account Base with Another Application button This button allows you to share the account base of the selected application (application A) with another application (application B). Application B will then only use the accounts of application A.

If users have already collected accounts for application B, these accounts will not be visible anymore; the only visible accounts will be those of application A.

Once you have shared the account base of the selected application, the accounts are displayed from both applications (in the Accounts tab, see Displaying Accounts Associated With the Application ("Accounts" Tab)), but you can only stop the sharing from application A (see below).

If you try to stop the sharing from application B, the operation will not be taken into account.


• Stop Sharing Account Base with Another Application button This button allows you to stop sharing the account base of the selected application (application A) with another application (application B).

Application B recovers the accounts that had been collected for it.
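When "The application uses primary accounts" is selected, the account used for SSO is the Windows identity the user logged in with, and that identity can be written in any of the three forms listed above. The Python below is an added example written for this page, not Quest/Evidian code: it parses the short, user principal name and NT 4 forms into a common (user, DNS domain) shape and compares a stored account name with the current session identity, treating user and domain names as case-insensitive, as Windows does. The NetBIOS-to-DNS domain table, the default domain for short names and the sample names are constructed for the example; only QUEST\jsmith comes from the guide.

```python
"""Normaliser for the three Windows user name forms: short, UPN and NT 4.

Added illustration, not Quest/Evidian code. The NetBIOS -> DNS table and the
sample names are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Optional

_UPN = re.compile(r"^([^@\\/\s]+)@([^@\\/\s]+)$")     # Windows 2000+: user@dns.domain
_NT4 = re.compile(r"^([^@\\/\s]+)\\([^@\\/\s]+)$")    # NT 4: NETBIOS\user
_SHORT = re.compile(r"^[^@\\/\s]+$")                  # short name: user only


@dataclass(frozen=True)
class PrimaryAccount:
    user: str
    dns_domain: Optional[str]   # None when the name carried no domain at all
    form: str                   # "short", "upn" or "nt4"


def parse_windows_name(name: str, netbios_to_dns: dict) -> PrimaryAccount:
    """Split a Windows user name into (user, DNS domain), whichever form it uses."""
    m = _UPN.match(name)
    if m:
        return PrimaryAccount(m.group(1).lower(), m.group(2).lower(), "upn")
    m = _NT4.match(name)
    if m:
        netbios = m.group(1).upper()
        if netbios not in netbios_to_dns:
            # Fail closed: an unknown NetBIOS domain must not be silently accepted
            raise ValueError(f"unknown NetBIOS domain {netbios!r}")
        return PrimaryAccount(m.group(2).lower(), netbios_to_dns[netbios], "nt4")
    if _SHORT.match(name):
        return PrimaryAccount(name.lower(), None, "short")
    raise ValueError(f"unrecognised Windows user name {name!r}")


def same_primary_account(stored: str, session: str, netbios_to_dns: dict, default_dns_domain: str) -> bool:
    """True if a stored SSO account name designates the logged-in Windows identity.

    A short name is assumed (example assumption) to belong to the default domain,
    so a short name never matches an identity from a different domain by accident.
    """
    a = parse_windows_name(stored, netbios_to_dns)
    b = parse_windows_name(session, netbios_to_dns)
    return a.user == b.user and (a.dns_domain or default_dns_domain) == (b.dns_domain or default_dns_domain)


# Constructed mapping of NetBIOS domain names to DNS domain names.
NETBIOS_TO_DNS = {"QUEST": "quest.example", "LAB": "lab.quest.example"}

if __name__ == "__main__":
    for stored in ("jsmith", "JSmith@Quest.Example", "QUEST\\jsmith", "LAB\\jsmith"):
        match = same_primary_account(stored, "QUEST\\jsmith", NETBIOS_TO_DNS, "quest.example")
        print(f"{stored:24} -> {match}")
```

The domain is the discriminating part: a LAB\jsmith account must never be accepted as the QUEST\jsmith session, which is why the comparison refuses to fall back to a bare user-name match.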

6.1.3.2 Defining Account Properties ("Configuration"/"Account Properties" Tab)

Subject

The Account Properties tab allows you to define the login and password requirements for the selected Application, and the list of parameters supported by the application. The end user will have to follow these rules at Application login/password collection time.

Procedure

1. In the tree structure of the Directory panel, select the wanted Application.

2. In the Configuration tab, click the Account Properties tab.

• The Account Properties tab appears.

3. Fill in the Login, Password and Parameters tabs with the instructions given in the following "Account Properties" Tabs description.

4. Click Apply.


"Account Properties" Tabs—Description

Login Tab

• Login creation rule area This area allows you to define the rule for the application login value, on the basis of the information read from the user object.

a) Rule field: Between parentheses, type the exact name of the user LDAP attribute(s) that you want to be displayed to the user in the Application Login field. Example: (mail) indicates that the login is the user's mail address. If you want to add several LDAP attributes, they must be separated by a comma inside the parentheses. Example: (mail,dn)

To get the exact LDAP attribute name, use an LDAP browser.

You can be more specific about the login value by using the following rules:

• To keep only the first n characters of the LDAP value, use the syntax (attLDAP,n).

• Three functions are used to handle LDAP values: UPPER, LOWER and CAPITALIZED. Example: UPPER(mail,10) will return the first 10 characters of the user's mail address in upper case.

b) User can modify login check box:

• Clear this check box to indicate that the login creation rule is mandatory, which means that the user cannot modify the application login.

• Select this check box to indicate that the login creation rule defined is only for information and that the user can modify the application login.

• Login constraints area

The settings defined in this section must be coherent with the rule defined in the Login creation rule area.


a) Length area: set the minimum and maximum number of characters of the login by using the up and down arrows.

b) Forbidden characters area: type, one after another, the characters that the user is not allowed to use in the login.

Password Tab

The password is checked using a PFCP object, which must be created. For more details, see Section 5.2, Managing Password Format Control Policies.

• Click the first button to choose the PFCP used by the Application; click the second button to display the parameters of the selected PFCP (both buttons appear as icons next to the PFCP field).

Parameters Tab


The Parameters tab allows you to add a list of additional authentication parameters (as Windows Domains or Languages for example). These parameters will enable you to define other fields than the user name/password fields of the target application authentication window.

If you are defining a Linux application, you must add in this tab the Unix Host Identifier parameter (Default type), which holds the name of the Linux machine on which the user authenticates.

Do not forget to check the consistency between the list of authentication parameters for the application and the parameters defined at the technical reference level, which is done using SSOStudio Enterprise. For details, see Enterprise SSO - SSOWatch Administrator Guide.

• Add button: click this button to add a parameter. The Add Parameter window appears.

• To add an existing parameter, select it and click OK.

• To create a new parameter, type its name in the Name field and click New.

• To delete or rename an existing parameter, select it and click Delete or Rename.

• To define an External Name for a parameter, select the wanted parameter, click External Name and fill in the displayed window.

External names for parameters allow you to define a mapping between the parameter that you are configuring within Enterprise SSO Console and the name of an external parameter (created using another SSO tool).

This option is particularly useful to integrate User Provisioning or Web Access Manager with the Enterprise SSO module. For more details, see Section 6.1.5, Defining External Names ("Configuration"/"External Names" Tab).

• Delete button: select a parameter and click Delete.


• Properties button: Select a parameter then click this button to define the properties of the selected parameter.

a) Parameter type:

• Default: The value of the parameter is collected for each SSO account and can be modified by the user.

• Global: The parameter is the same for all SSO accounts and is not proposed to the user.

• Rule: The value is dynamically defined as a user data function, and cannot be changed.

b) Value: This is the default value assigned to the parameter. If nothing is entered here, it will be requested at first authentication (data collection), depending on the parameter type defined previously. If you have selected Rule in the Parameter type area, type the exact LDAP attribute name between parentheses in the Value field (use an LDAP browser to get the exact name). For example, type (mail) to indicate that the parameter value is the user's mail address.

• If you want to add several LDAP attributes, they must be separated by a comma inside the parentheses. Example: (mail,dn).

• You can be more specific about the parameter value by using the following rules:

- To keep only the first n characters of the LDAP value, use the syntax (attLDAP,n).

- Three functions are used to handle LDAP values: UPPER, LOWER and CAPITALIZED. Example: UPPER(mail,10) will return the first 10 characters of the user's mail address in upper case.
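The rule syntax used by the Login creation rule area (Login tab) and by a Rule-type parameter value (Parameters tab) is small enough to evaluate offline against real directory entries before you commit it, which is also how you verify the guide's requirement that the Login constraints area be coherent with the rule. The Python below is an added example written for this page, not Quest/Evidian code: the console's own parser is not documented here, so its semantics are assumptions inferred from the guide's examples (several attributes are concatenated with no separator, a trailing integer limits the length, CAPITALIZED upper-cases the first character and lower-cases the rest), and the user entries are constructed. It evaluates a rule for each user and reports every user whose generated login would violate the length or forbidden-character constraints.

```python
"""Evaluator for the login creation rule syntax: (attr), (attr1,attr2), (attr,n),
optionally wrapped in UPPER(...), LOWER(...) or CAPITALIZED(...).

Added illustration, not Quest/Evidian code; the semantics below are assumptions
inferred from the examples in the guide, and the sample users are constructed.
"""
import re
from dataclasses import dataclass

# One rule: optional function name, then a parenthesised, comma-separated
# list of attribute names with an optional trailing integer length limit.
_RULE = re.compile(r"^\s*(UPPER|LOWER|CAPITALIZED)?\s*\(([^()]*)\)\s*$")


def evaluate_rule(rule: str, user: dict) -> str:
    """Compute the login (or Rule-type parameter value) for one directory entry."""
    match = _RULE.match(rule)
    if not match:
        raise ValueError(f"malformed rule: {rule!r}")
    func, body = match.group(1), match.group(2)
    tokens = [t.strip() for t in body.split(",") if t.strip()]
    limit = None
    if tokens and tokens[-1].isdigit():        # trailing n: keep the first n characters
        limit = int(tokens.pop())
    if not tokens:
        raise ValueError(f"rule names no attribute: {rule!r}")
    parts = []
    for attr in tokens:
        if attr not in user:
            # Fail closed: a missing attribute must not silently become ""
            raise KeyError(f"user entry has no attribute {attr!r}")
        parts.append(str(user[attr]))
    value = "".join(parts)                     # assumption: plain concatenation
    if limit is not None:
        value = value[:limit]
    if func == "UPPER":
        value = value.upper()
    elif func == "LOWER":
        value = value.lower()
    elif func == "CAPITALIZED":                # assumption: first letter upper, rest lower
        value = value[:1].upper() + value[1:].lower()
    return value


@dataclass(frozen=True)
class LoginConstraints:
    """The Login constraints area: length bounds and forbidden characters."""
    min_length: int
    max_length: int
    forbidden: str = ""


def check_login(login: str, constraints: LoginConstraints) -> list:
    """Return the list of violations for a login ([] when it is acceptable)."""
    problems = []
    if len(login) < constraints.min_length:
        problems.append(f"shorter than {constraints.min_length}")
    if len(login) > constraints.max_length:
        problems.append(f"longer than {constraints.max_length}")
    bad = sorted({c for c in login if c in constraints.forbidden})
    if bad:
        problems.append("forbidden characters: " + "".join(bad))
    return problems


def audit_rule(rule: str, users: list, constraints: LoginConstraints) -> dict:
    """Check that a rule is coherent with the constraints over a user population.

    Returns {dn: problems} for every user whose generated login would be rejected.
    """
    report = {}
    for user in users:
        problems = check_login(evaluate_rule(rule, user), constraints)
        if problems:
            report[user["dn"]] = problems
    return report


# Constructed sample directory entries (not real accounts).
SAMPLE_USERS = [
    {"dn": "CN=John Smith,OU=Users,DC=quest,DC=example", "cn": "John Smith",
     "sAMAccountName": "jsmith", "mail": "john.smith@quest.example"},
    {"dn": "CN=Maria de la Cruz,OU=Users,DC=quest,DC=example", "cn": "Maria de la Cruz",
     "sAMAccountName": "mdelacruz", "mail": "maria.delacruz@quest.example"},
]

if __name__ == "__main__":
    constraints = LoginConstraints(min_length=3, max_length=8, forbidden="@ ")
    for rule in ("(sAMAccountName)", "UPPER(mail,10)", "(cn)"):
        print(f"{rule:20} -> {audit_rule(rule, SAMPLE_USERS, constraints)}")
```

Running the audit over the whole population before the rule goes live is the practical check: a rule such as (cn) that reads well on one test user fails as soon as a common name contains a space or exceeds the maximum length, and if "User can modify login" is cleared, those users cannot work around it.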

6.1.4 Defining the Single Sign-On Properties of an Application ("Configuration"/"SSO" Tab)

Subject

The single sign-on properties of an application allow you to define:

• The application's authentication method.

• The Application Security Profiles (access strategies) defined for the application.


Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator" and you must be manager of the application.

• In advanced administration mode, your role must contain the following right: "Application: Creation/Modification", and you must be manager of the application or possess the "Application: Manage all applications" right.

• For more information on administration roles, see Section 4, Managing Administrators.

• For more information on application management rights, see Section 6.1.7, Sharing the Administration of an Application.

Procedure

1. In the tree structure of the Directory panel, select the wanted Application.

2. In the Configuration tab, click the SSO tab.

• The SSO tab appears.

3. Fill in the Methods, Access Strategies and OLE/Automation tabs with the following guidelines:

a) Methods tab: The following authentication methods are available:

• SSO: this authentication method stipulates that authentication will be done through a technical reference. The technical reference is stipulated during the authorization of the application on an access point. At the Application level, the default technical reference to be used can be defined (not mandatory).

For information on how to create technical references, see Enterprise SSO - SSOWatch Administrator Guide.


• Windows authentication: this authentication method defines the SSO accounts that can be used by the GINA. This allows several Windows accounts to be used. If you are defining a Linux application, you must select this propagation method.

• OLE/Automation: this method stipulates that the application is accessed through OLE Automation. The secret code allowing the connection to be established must be defined in the OLE/Automation tab.

b) Access Strategies tab: The Access strategies tab defines the list of Application Security profiles that the application can use. The profile to be used is selected at the time the application is assigned to the user. If only one profile is available, it is automatically selected.

c) OLE/Automation tab: this tab allows you to define the secret code used to access the application if the OLE/Automation method is selected in the Methods tab.

4. Click Apply.

6.1.5 Defining External Names ("Configuration"/"External Names" Tab)

This tab allows you to define a mapping between an application that you are configuring using Enterprise SSO Console and the name of an external application (created using another SSO tool) for which you want to configure an access.

This option is particularly useful to integrate User Provisioning or Web Access Manager with Enterprise SSO. For example, if you are defining an application called MyHTMLApplication that already uses Web Access Manager Account Bases, enter the names of the Web Access Manager Account Bases defined for this application. In this way, the Enterprise SSO controller will be able to use these Web Access Manager Account Bases to perform SSO with this application.


6.1.6 Assigning Users to an Application

You can authorize a User to run an Application through the User Access tab, either from the Application object or from the User object. Whatever the selected object type, the tab is exactly the same. For details on how to fill in this tab, please refer to Section 6.2.9, Assigning Applications to a User ("Application Access" Tab).

6.1.7 Sharing the Administration of an Application ("Administrators" Tab)

Subject

When you create an Application, you are the only manager of the Application. This gives you administration rights over this Application. If wanted, you can define other administrators to manage this Application, with different control levels.

If you use the Enterprise SSO Console in advanced administration mode, the "Application: Manage all applications" administration right can be delegated to administrators so that they can manage all applications even if they have not created them. For more details on administration rights, see Section 4, Managing Administrators.

Procedure

1. In the tree structure of the Directory panel, select the wanted Application.

2. Click the Administrators tab.

• The Administrators tab appears.

3. From this tab, you can:

• Modify the main administrator of the Application, using the Select button.

• Define other administrators allowed to manage the Application, using the Add and Remove buttons.


• For each added administrator, you can define his/her administration level on the Application using the Modify button. You can define the following levels:

CONTROL LEVEL DESCRIPTION

None Administration rights are removed.

Password control The administrator can change the SSO data of users.

Total control The administrator can change the application access strategies.

6.1.8 Generating/Importing Accounts for an Application ("Account Generation" Tab)

Subject

This section describes how to generate or import Accounts for an application to allow a User to run the selected Application.

Before Starting

• You must authorize the User to run the Application, as described in Section 6.2.9, Assigning Applications to a User ("Application Access" Tab).

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator" or "Access administrator" and you must be manager of the application.

• In advanced administration mode, your role must contain the following rights: "Account: Creation/Modification", "Account: Manage parameters" and you must be manager of the application or possess the "Application: Manage all applications" right.

• For more information on administration roles, see Section 4, Managing Administrators.

• For more information on application management rights, see Section 6.1.7, Sharing the Administration of an Application.

Procedure

1. In the tree structure of the Directory panel, select the wanted Application.

2. Click the Account Generation tab.

• The account generation tab appears.


3. Fill in this tab as follows:

a) Fill in the Credentials area. This area allows you to define the Account creation rules. Enter the following information:

• In the Login field, enter a login creation rule. For example, type (cn) to define the Common Name as the name used as the Account login.

For more details on the login creation rule syntax, see Section 6.1.3.2, Defining Account Properties ("Configuration"/"Account Properties" Tab), Login Tab.

• Then do one of the following:

- Select Random password generation to define a random password for each Account. This password is generated according to the defined PFCP (for more details, see Section 5.2, Managing Password Format Control Policies).

- If you want a single password for all the Accounts, clear Random password generation and enter a password in the Password field. Note that with a single shared password, the disclosure of one Account's password exposes every Account generated in this batch, so prefer random generation wherever the target application allows it.

b) The Parameters area is optional. It allows you to add additional authentication parameters if needed (as Windows Domains or Languages for example).

c) Fill in the Generate accounts for only these users area. This area allows you to select the users who must have Accounts. Depending on your needs, do one of the following:

• If you want to create Accounts for all the users who have access to the Application (that is who are listed in the User Access tab), but who do not have any Account created, check that Do not modify existing accounts is selected.

• If you want to create Accounts for all the users who have access to the Application, including the users who have already an Account (that is, if you want to renew their Accounts), clear Do not modify existing accounts.


• If you want to create Accounts for some users who have access to the Application, use the Add and Remove buttons to select the wanted users and select or clear Do not modify existing accounts.

d) Use the Select button to:

• Either define the name and the location of the .csv file that will be used to import Accounts.

• Or select an existing .csv file.

e) Click Import to build the file.

• The Account import window appears.

f) Click Start to generate/import the Accounts.
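The steps above amount to three decisions: which authorized users receive an Account (governed by "Do not modify existing accounts" and the optional Add/Remove subset), how each login is derived, and whether passwords are random per Account or a single shared value. The Python below is an added example written for this page, not Quest/Evidian code: the console's .csv column layout and its PFCP-driven generator are not documented here, so the layout (dn, login, password, domain), the simplified password policy standing in for a PFCP and the sample users are assumptions constructed for the example. Random passwords are drawn from the secrets module (a CSPRNG), which is the minimum a practitioner should accept for generated credentials.

```python
"""Account generation helper modelled on the Account Generation tab.

Added illustration, not Quest/Evidian code. The .csv layout, the simplified
policy and the sample users are assumptions constructed for the example.
"""
import csv
import io
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Stand-in for a Password Format Control Policy: length plus one of each class."""
    length: int = 16
    symbols: str = "!$%&*+-=?_"

    def satisfied_by(self, password: str) -> bool:
        return (len(password) >= self.length
                and any(c.islower() for c in password)
                and any(c.isupper() for c in password)
                and any(c.isdigit() for c in password)
                and any(c in self.symbols for c in password))


def generate_password(policy: PasswordPolicy) -> str:
    """Random password that satisfies the policy by construction (CSPRNG only)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, policy.symbols)
    chars = [secrets.choice(cls) for cls in classes]          # one char from each class
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(policy.length - len(chars))]
    secrets.SystemRandom().shuffle(chars)                     # do not leak class positions
    return "".join(chars)


def select_users(authorized, existing_accounts, keep_existing=True, only=None):
    """Apply the 'Generate accounts for only these users' area.

    authorized        users listed in the application's User Access tab
    existing_accounts users who already have a collected Account
    keep_existing     the 'Do not modify existing accounts' check box
    only              optional subset chosen with the Add/Remove buttons
    """
    targets = [u for u in authorized if only is None or u in only]
    if keep_existing:
        targets = [u for u in targets if u not in existing_accounts]
    return targets


def build_import_csv(users, login_rule, policy=None, shared_password=None):
    """Build the import file (assumed layout: dn, login, password, domain).

    Exactly one of policy (random password per Account) or shared_password (one
    password for every Account, i.e. 'Random password generation' cleared) is given.
    """
    if (policy is None) == (shared_password is None):
        raise ValueError("give exactly one of policy or shared_password")
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["dn", "login", "password", "domain"])
    for user in users:
        password = shared_password if shared_password is not None else generate_password(policy)
        writer.writerow([user["dn"], login_rule(user), password, user.get("domain", "")])
    return out.getvalue()


def parse_import_csv(text: str) -> list:
    """Read the file back as a list of row dicts (used to check what was produced)."""
    return list(csv.DictReader(io.StringIO(text)))


# Constructed sample population (not real accounts).
USERS = {
    "CN=John Smith,OU=Users,DC=quest,DC=example":
        {"dn": "CN=John Smith,OU=Users,DC=quest,DC=example", "cn": "John Smith", "domain": "QUEST"},
    "CN=Maria de la Cruz,OU=Users,DC=quest,DC=example":
        {"dn": "CN=Maria de la Cruz,OU=Users,DC=quest,DC=example", "cn": "Maria de la Cruz", "domain": "QUEST"},
    "CN=Li Wei,OU=Users,DC=quest,DC=example":
        {"dn": "CN=Li Wei,OU=Users,DC=quest,DC=example", "cn": "Li Wei", "domain": "QUEST"},
}
AUTHORIZED = list(USERS)                                    # all three are in the User Access tab
HAVE_ACCOUNT = {"CN=Li Wei,OU=Users,DC=quest,DC=example"}   # Li Wei already collected an Account


def generate_for_application(keep_existing=True, only=None, shared_password=None):
    """Run the whole tab: pick users, apply the (cn) login rule, build the file."""
    targets = select_users(AUTHORIZED, HAVE_ACCOUNT, keep_existing, only)
    rows = [USERS[dn] for dn in targets]
    policy = None if shared_password is not None else PasswordPolicy()
    return build_import_csv(rows, lambda u: u["cn"], policy=policy, shared_password=shared_password)


if __name__ == "__main__":
    print(generate_for_application())
```

With the default settings only the two users without an Account appear in the file; clearing "Do not modify existing accounts" renews Li Wei's Account as well, which is the behaviour to be careful with, since it overwrites a credential the user may have set on the target application.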

6.1.9 Assigning Access Points to an Application ("Access Points" Tab)

Subject

To configure single sign-on for a User, you must define the following links:

• Authorize the User on an Access Point.

• Authorize an Application to run on an Access Point.

• Authorize the User to access an Application.

This section describes how to authorize an Application to run on an Access Point.

Before Starting

• The software corresponding to the Application object must be installed on the Access Point.


• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator" or "Access administrator".

• In advanced administration mode, your role must contain the following rights: "Authorization for application on access point: Creation/Modification" and "Authorization for application on access point: Deletion".

• If you are working in "no-access-point-management" mode, the Access Point tab is not displayed.

Procedure

1. In the tree structure of the Directory panel, select the wanted Application.

2. Click the Access Points tab.

• The access point tab appears.

3. Read carefully the Information area to fill in this tab.

If you select Allow access from all access points declared in the local directory, the selected Application will be available on all the computers registered in the same domain as the Application. To set the Application available for computers registered in different domains, use the Representative objects, as described in Section 6.4, Managing Representative Objects.

If you do not select Allow access from all access points declared in the local directory, do the following:

a) Click the Add/Remove buttons to select the Access Points that you want to be accessible to the selected Application.


b) To be more specific about the list of accessible Access Points, use the following buttons:

• Allow/Forbid: if you have added a group of Access Points and you want to forbid one or more Access Points of this group, use the Allow and Forbid buttons.

• Propagation method: if your Application uses the SSO propagation method, you can indicate the technical reference to use on a specific Access Point. By default, the technical reference specified on the Application is used, as described in Section 6.1.4, Defining the Single Sign-On Properties of an Application ("Configuration"/"SSO" Tab).
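Single sign-on for a given user on a given computer therefore requires three independent authorizations (User on Access Point, Application on Access Point, User on Application), and the Application-on-Access-Point link itself is either "all access points declared in the local directory" or an explicit list of access points and groups with individual Forbid overrides. The Python below is an added example written for this page, not Quest/Evidian code: the console's own evaluation order is not documented here, so the resolver simply checks all three links and fails closed, returning a reason suitable for an audit record. Access point, group, user and application names are constructed for the example.

```python
"""Resolver for the three authorisations required before single sign-on is allowed.

Added illustration, not Quest/Evidian code. All names below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class AccessPointPolicy:
    """The Access Points tab of one Application."""
    allow_all: bool = False                        # 'Allow access from all access points declared in the local directory'
    allowed: set = field(default_factory=set)      # Access Points or groups added with Add
    forbidden: set = field(default_factory=set)    # members of an allowed group excluded with Forbid


def application_allowed_on(policy: AccessPointPolicy, access_point: str, groups: dict) -> bool:
    """Is the Application authorised to run on this Access Point?"""
    if access_point in policy.forbidden:           # an explicit Forbid wins over any Allow
        return False
    if policy.allow_all or access_point in policy.allowed:
        return True
    return any(access_point in groups.get(g, ()) for g in policy.allowed)


def sso_decision(user, application, access_point, *, user_access_points,
                 user_applications, app_policies, groups):
    """Return (allowed, reason). Every link is checked; any missing link denies."""
    if access_point not in user_access_points.get(user, ()):
        return False, f"{user} is not authorised on access point {access_point}"
    policy = app_policies.get(application)
    if policy is None or not application_allowed_on(policy, access_point, groups):
        return False, f"{application} is not authorised on access point {access_point}"
    if application not in user_applications.get(user, ()):
        return False, f"{user} is not authorised to access {application}"
    return True, "user/access point, application/access point and user/application links all present"


# Constructed directory content.
GROUPS = {"FINANCE-WS": {"ws-fin-01", "ws-fin-02", "ws-fin-03"}}
APP_POLICIES = {
    "SAP-FI": AccessPointPolicy(allowed={"FINANCE-WS"}, forbidden={"ws-fin-03"}),   # whole group minus one
    "Intranet": AccessPointPolicy(allow_all=True),
}
USER_ACCESS_POINTS = {"jsmith": {"ws-fin-01", "ws-fin-03"}, "mdelacruz": {"ws-fin-02"}}
USER_APPLICATIONS = {"jsmith": {"SAP-FI", "Intranet"}, "mdelacruz": {"Intranet"}}


def decide(user, application, access_point):
    """Convenience wrapper over the constructed directory content."""
    return sso_decision(user, application, access_point,
                        user_access_points=USER_ACCESS_POINTS, user_applications=USER_APPLICATIONS,
                        app_policies=APP_POLICIES, groups=GROUPS)


if __name__ == "__main__":
    for case in (("jsmith", "SAP-FI", "ws-fin-01"), ("jsmith", "SAP-FI", "ws-fin-03"),
                 ("jsmith", "SAP-FI", "ws-fin-02"), ("mdelacruz", "SAP-FI", "ws-fin-02"),
                 ("mdelacruz", "Intranet", "ws-fin-02")):
        print(case, "->", decide(*case))
```

The ws-fin-03 case is the one worth keeping in mind when you use group authorizations: the user is allowed on that access point and allowed on the application, yet SSO is still denied because the Application was forbidden on that one member of the group.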

6.1.10 Displaying Accounts Associated With the Application ("Accounts" Tab)

Subject

The Accounts tab allows you to filter and display the accounts associated with the selected application, and to export them as a .csv file.

Procedure

1. In the tree structure of the Directory panel, select the wanted Application.

2. Click the Accounts tab.

• The Accounts tab appears.

3. In the Filter list, select the filter you want to apply to the Accounts associated with the selected application and click Apply.

• Display all accounts without access: shows all Accounts that have been collected from users for the selected Application, but that are not associated with the Application anymore.


• Display all unregistered accounts: shows all Users that are authorized to access the selected Application but that have not registered their Account for this Application (the Account is not collected).

• Display all registered accounts: shows all Users that are authorized to access the selected Application and that have registered their Account for this Application (the Account is collected).

• Display all accounts: shows all Users that are authorized to access the selected Application (unregistered and registered accounts).

• The area displays the list of selected Accounts.

4. In the Export area, select the element of the displayed list you want to export as a .csv file and click Export.

6.1.11 Displaying Application Event Logs ("Events" Tab)

Subject

The Events tab allows you to display all the events that are directly or indirectly linked to the selected object, for a defined period (the last two days by default). This report contains both User action and administration log entries.

Restriction

The Events tab appears only if you have the following administration role:

• In classic administration mode: "Auditor".

• In advanced administration mode, your role must contain the following right: "Audit: Visualization".

For more details on administration roles, see Section 4, Managing Administrators.

Procedure

1. In the tree structure of the Directory panel, select the wanted Application.

2. Click the Events tab.

• The Events tab appears.

3. In the Filter area, define a period of time to filter the log entries and click Apply (for more information on event logs, see Section 13.2.1, Filtering Audit Records).


6.1.12 Displaying/Modifying Application Information ("Information" Tab)

Subject

You can at any time update or modify the Application information entered upon the creation of an Application, as described in the following procedure:

Procedure

1. In the tree structure of the Directory panel, select the wanted Application.

2. Click the Information tab.

3. Check and if necessary modify the wanted fields and press Enter.

6.1.13 Renaming Applications

Subject

This section describes how to rename Applications.

Procedure

1. In the tree structure of the Directory panel, right-click the Application and select Rename.

2. In the Information tab, type the new name of the object and press Enter.

6.1.14 Deleting Applications

Subject

This section describes how to delete Applications.

Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".

• In advanced administration mode, your role must contain the following right: "Application: Deletion".

Procedure

In the tree structure of the Directory panel, right-click the Application to delete and select Delete.

The Application and all its related objects are deleted.


6.2 Managing Users

Subject

This section describes the operations specific to user management. They are specific to the User object and related to his/her primary authentication.

If your directory infrastructure is composed of several LDAP domains, the operations related to Users are saved only in the domain where they are done.

Before Starting

Before reading the following sub-sections, check that the following steps are carried out:

1. Your LDAP directory perimeter contains all the users that you will manage using Enterprise SSO Console.

2. Organizational Units, groups and users are sorted according to the organizations in which they are to be placed.

All these tasks must be carried out with the appropriate LDAP tools, for example Active Directory Users and Computers for Active Directory.

6.2.1 Displaying User General Information ("Information" Tab)

Subject

You can display User general information. This data is retrieved from the LDAP directory.

Procedure

1. In the tree structure of the Directory panel, select the wanted User.

2. Click the Information tab.

• The tab appears.


If you have defined specific data to add in this tab, you can click the Other button to display it. For more details, see Section 14.2, Adding User Attribute Information.

6.2.2 Defining User Connection Parameters ("Connection" Tab)

Subject

This section describes how to set the User's authentication parameters to your created applications.

Before Starting

To perform the tasks described in this section, you must have the following administration role:

• In classic administration mode: "Security object administrator".

• In advanced administration mode, your role must contain the following right: "User: Modification".

For more details on administration roles, see Section 4, Managing Administrators.

6.2.2.1 Suspending or Limiting Temporarily a User Access ("General" Tab)

Subject

You can suspend a User access. When the User is suspended, he/she is informed of this during the authentication phase.

Procedure

1. In the tree structure of the Directory panel, select the wanted User.

2. In the Connection tab, click the General tab.

• The tab appears.


3. From this panel, you can lock/unlock the User and set an Acceptance date and an Expiry date to limit temporarily the User access.

4. Click Apply to validate your modifications.

6.2.2.2 Displaying User Authentication Information and Administering Roaming Sessions ("Authentication" Tab)

Subject

The User Authentication tab allows you to:

• Check if a User's account is still being used.

• Manage roaming sessions by displaying their duration, and delete them if necessary.

Before Starting

To be able to delete roaming sessions, you must work in advanced administration mode, and your role must contain the following right: "Roaming: Delete user's sessions".

For more information on administration modes, see Section 4, Managing Administrators.

Procedure

1. In the tree structure of the Directory panel, select the wanted User.

2. In the Connection tab, click Authentication.

• The Authentication tab appears.


This tab displays:

• The last successful and unsuccessful authentication dates.
• The roaming session duration.

The Delete roaming session button allows you to delete the current roaming session to force the user to authenticate again at next session opening. It also allows you to disable the roaming session in case the user has lost his/her physical token.

6.2.2.3 Forcing a New User's Primary Password ("Password" Tab)

Subject

The Password tab allows you to preset the user's primary password without the user losing his/her recoverable SSO data.

• The User's private accounts are lost in this process.
• Performing this action automatically unlocks the user account (if the unlocking operation fails, you are not warned).

Moreover, this tab allows you to authorize a user to temporarily use the password authentication method. This feature can be useful if you want to force the use of tokens within the company: in this case, you disable the password authentication for all users, and activate temporary password access (TPA) in the Password tab for users who do not have their smart card.

Before Starting

To carry out this task, you must have recovery rights, that is:

• In classic administration mode:
  • The "SSO Data Recoverer" administration role.
  • The SSO data recoverer right on your administration smart card.
• In advanced administration mode, your administration role must contain the following rights: "User: Password modification", "Temporary password access: Creation" and "Temporary password access: Deletion".

Procedure

1. In the tree structure of the Directory panel, right-click the wanted User and select Force Password.

• The Password tab appears.


2. To modify the user's primary password, do one of the following:
   • In the New password and Confirmation fields, type the new User primary password and click Apply.
   • Click the Generate button to automatically generate the user's password and click Apply.
3. To activate temporary password access for the user, do the following:

a) Fill-in the New password and Confirmation fields.

b) Select the User can connect using password authentication check box and click Apply.

The TPA duration cannot be modified from this tab: the value is read from the User Security Profile associated with the user (see Section 5.3.2, Configuring User Security Profiles).

The tab shows the TPA expiration date. If the user connects with a token, the TPA is automatically deleted.

c) To extend the TPA duration, clear the User can connect using password authentication check box and create a new one.

4. To avoid site replication problems if you use Active Directory: in the User is logged on computer field, type the name of the user's computer so that the password reset operation is done on a domain controller located on the same site as the computer (and not on the domain controller to which you are connected), and click Apply.

For more information on domain controller selection, see Section 6.6, Selecting a Domain Controller.

The whole password reset operation will be done on this server. The administration connection will switch back to the previous domain controller once the password reset operation is performed.


6.2.2.4 Managing User Emergency Access ("Emergency Access" Tab)

Subject

The Emergency Access tab allows you to display and manage the password and PIN reset feature information for a user. You can perform the following operations:

• Displaying the user Emergency Access information.
• Resetting the password attempts for the user if he or she has reached the maximum number of attempts.
• Generating challenges (unlock codes) to allow the user to reset his password or his PIN.

Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator" or "Rights administrator" or "SSO Data Recoverer".

• In advanced administration mode, your role must contain the following rights: "Emergency access: Answer deletion" and "Emergency access: Challenge generation" and "Emergency access: Reset attempt counter".

Procedure

1. In the tree structure of the Directory panel, select the wanted User.
2. In the Connection tab, click Emergency Access.
   • The Emergency Access tab appears.

This tab displays the dates on which the user last used the Emergency Access feature.


3. Do one of the following, depending on the action you want to perform:
   • To reset to 0 the password attempts for the user, click the Reset button (works only in connected mode).
   • To delete the answers given by the user so that he/she has to provide them again, click the Reset answers button.
   • To generate a challenge, click the Generate Unblocking Code button.

The Unlock code window appears.

a) Follow the instructions displayed on screen and in User challenge, type the challenge the user gave you.

If a temporary password access (TPA) has been given to the user, the Temporary password access duration field displays the number of days left during which the user will be able to use a password to connect (for more information, see Forcing a New User's Primary Password ("Password" Tab)).

b) Click the Generate button.

• The result appears; you can then give it to the user so that he or she resets his/her password or PIN.

The user password reset attempts are automatically reset to 0 once the password has been reset (if the operation fails, you are not warned).

6.2.2.5 Defining an Audit Identifier

Subject

By default, an Audit identifier is automatically generated for each administered user. If wanted, you can modify this identifier. In this case, it is strongly recommended to modify it just one time, upon the first definition of the user, to avoid the situation where you will have several audit identifiers for one user.


Procedure

1. In the tree structure of the Directory panel, select the wanted User.
2. Click the Connection tab.
3. In the Audit identifier area, modify the identifier.
4. Click Apply when done.

6.2.2.6 Creating a Welcome Message

Subject

You can create an individual welcome message. This message appears to the user as a balloon help when he/she starts SSOWatch.

Procedure

1. In the tree structure of the Directory panel, select the wanted User.
2. Click the Connection tab.
3. In the User message area, type the User welcome message.
4. Click Apply when done.

6.2.3 Assigning a User Security Profile to a User ("Security Profile" Tab)

Subject

The assignment of a User Security Profile to a User is an important step in the management of User objects. Globally, User Security Profile objects define:

• The authentication methods authorized for the Users.
• Parameters associated with the use of SSOWatch.

Before Starting

• The User Security Profile to assign must be created, as described in Section 5.3, "Managing User Security Profiles".

• To perform the task described in this section, you must have at least the following administration role:

  • In classic administration mode: "Security object administrator".
  • In advanced administration mode, your role must contain the following right: "User security profile: Assignment".

Procedure

1. In the tree structure of the Directory panel, select the wanted User.

You can also select a group of users by selecting a folder containing the wanted users. Note that this is not possible if the Enterprise SSO data is separate from other data (Fedora Directory server in cooperative mode, or Active Directory + ADAM infrastructure for example).


2. Click the Security Profiles tab.
   • The Security Profiles tab appears.

• By default, the default User Security Profile is selected (for details on how to configure the default security profiles objects, see Section 5.6, Defining Security Profiles Default Values).

3. To assign another User Security Profile, click the button.

Click the button to display and if necessary modify the selected User Security Profile.

4. Click Apply.

6.2.4 Declaring a User as an Administrator ("Administration" Tab)

Any User declared in the directory can become an administrator. To declare a User as an administrator, you must:

1. Assign administration rights to the User, through the Administration tab, as described in Section 4, Managing Administrators.

2. If the access to Enterprise SSO Console calls for a strong authentication facility, you must assign a smart card to the User, through the Smart Card tab, as described in Section 7, Managing Smart Cards.

6.2.5 Assigning/Forbidding Access Points to a User ("Access Points" Tab)

Subject

To configure single sign-on for a User, you must define the following links:

• Authorize the User on an Access Point.
• Authorize an Application to run on an Access Point.
• Authorize the User to access an Application.


This section describes how to authorize a User to log on to an Access Point, from the User object. This access is checked by Advanced Login or by the GINA of the workstation client. An unauthorized User attempting to log on to a workstation will obtain the following message: "You are not authorized to log in on this access point".

You can also authorize a User to log on to an Access Point from the Access Point object, as described in Section 6.3.3, Assigning/Forbidding Users to Access Points ("Authorized Users" Tab).

Before Starting

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator" or "Access administrator".

• In advanced administration mode, your role must contain the following right: "Authorization for user on access point: Creation/Modification" and "Authorization for user on access point: Deletion".

• If you are working in "no-access-point-management" mode, it is not possible to configure user access to individual Access Points or to objects representing sets of Access Points (groups, organizations and so on). A User is authorized to connect to an Access Point of his/her domain only if his/her User Security Profile indicates "Allow on all Access Points".

Procedure

1. In the tree structure of the Directory panel, select the wanted User.
2. Click the Access Points tab.
   • The Access Points tab appears.

3. If the Allow on all Access Points parameter of the User Security Profile associated with this user is selected (for details see Section 5.3.2, Configuring User Security Profiles), you can leave this tab blank to authorize all the Access Points of the directory domain for the selected Users. If you want to define authorized/forbidden Access Points, do the following:

a) Click the Add/Remove buttons to select the Access Points that you want to be accessible to the selected Application.


b) To be more specific about the list of accessible Access Points, use the following buttons:

• Allow/Forbid: If you have added a group of Access Points and you want to forbid one or more Access Point(s) of this group, use the Allow and Forbid buttons.

• Modules: To prevent the User from accessing some of the software modules installed on the Access Point (Advanced Login, E-SSO Console, SSOWatch or SSOStudio), use the Modules button.

The Enterprise SSO controller uses the following algorithm to assign or forbid Access Points to Users:

1. Checks whether the user is authorized or denied.
2. Checks whether a user primary group is authorized or denied.
3. Checks whether a user group is authorized or denied.
4. Checks whether a parent organizational unit grants or denies access.

6.2.6 Managing User's Accounts ("Accounts" Tab)

Subject

The Accounts tab allows you to manage User's accounts.

Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator" or "Access administrator" and you must be manager of the application.

• In advanced administration mode, your role must contain the following rights: "Account: Creation/Modification", "Account: Deletion", "Account: Manage parameters", "User role: Creation/Modification", "User role: Deletion" and you must be manager of the application or possess the "Application: Manage all applications" right.

• For more information on administration roles, see Section 4, Managing Administrators.
• For more information on application management rights, see Section 6.1.7, Sharing the Administration of an Application.

Procedure

1. In the tree structure of the Directory panel, select the wanted User.
2. Click the Accounts tab.
   • The Accounts tab appears.
3. Select the account you want to manage and perform the wanted action using the available buttons, as explained in the following Accounts Tab Description section.


"Accounts" Tab Description

• Show unregistered account check box
  • Check box selected: the tab displays all the accounts that are not collected.
  • Check box cleared: the tab only displays the accounts that have been collected.
• Export button: Exports the User's account list in a .csv file.
• Lock/Unlock button: Locks/Unlocks the account. If the account is locked, the user is not able to connect to the application anymore.
• Properties button: Displays the account properties window, which allows you to manage the selected account's SSO Data and delegation properties.


  a) SSO Data Tab
     • Login field: Account login.
     • Password field: Account password. You can manually type it or automatically generate it by clicking the Generate button.
     • Password must change at next logon check box: If this check box is selected, the user will be prompted to change his/her password at first application logon with this account.
     • Clear password history check box: If this check box is selected, all previous passwords are deleted, which means that previously used passwords can be used again.
     • Parameters area: If any, displays additional parameters for the account, and allows you to define them.
  b) Delegation Tab: This tab displays the list of user(s) to whom the user has delegated his/her account, using SSOWatch.
• New button: Displays the personal account creation window, which allows you to create another user account for the same application.
• Delete button: Deletes the selected account.
• Clear all accounts button: Deletes all the user accounts.

6.2.7 Managing User's Smart Cards ("Smart Card" Tab)

You can manage Users' smart cards from the Directory panel, through the Smart Card tab. But you can also manage smart cards from the Smart Card panel. For practical reasons, all administration tasks related to smart cards are described in a dedicated section. Thus, for more information on how to manage smart cards, see Section 7, Managing Smart Cards.

The Smart Card tab only appears if you have the "Smart card administrator" role.


6.2.8 Displaying User’s Biometric Data ("Biometrics" Tab)

Subject

The Biometrics tab displays information about the user's biometric data enrolment, and allows you to remove enrolled biometric data from the controller.

Before Starting

To perform the task described in this section, you must work in advanced administration mode, and your role must contain the following right: "Bio: Is enable to allow biometrics pattern enrolment".

For more information on administration modes, see Section 4, Managing Administrators.

Window Description

• Provider field: Name of the biometric reader provider that you want to be used.
• Clear all Patterns button: Removes enrolled biometric data from the controller.
• Enrolled patterns: Displays the enrolment pattern quality for each finger.
• Last enrolment field: Last user enrolment date and time.
• Enrolment approved by field: Name of the user or administrator who has authenticated at enrolment time to validate the user enrolment.


6.2.9 Assigning Applications to a User ("Application Access" Tab)

Subject

To configure single sign-on for a User, you must define the following links:

• Authorize the User on an Access Point.
• Authorize an Application to run on an Access Point.
• Authorize the User to access an Application.

This section describes how to authorize a User to run an Application, from the User object.

Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator" or "Access administrator".
• In advanced administration mode, your role must contain the following right: "Authorization to use application: Creation/Modification" and "Authorization to use application: Deletion".

Procedure

1. In the tree structure of the Directory panel, select the wanted User.
2. Click the Application Access tab.
   • The Application Access tab appears.
3. Fill in this tab with the following guidelines:
   • Select Show inherited access to display all the applications inherited from the parent groups and organizational units.


• Click Add to select Applications to assign to the selected User, then fill in the Access properties area and click Apply.

• The Application appears in the Access list.

For more details on the Access properties area, see the sub-section just below.

At any time, you can click the Edit and Remove buttons to modify or delete entries of the Access list.

The Access Properties Area

• The Access properties area allows you to define how Users access the application using the following parameters:

• Account Type: this drop-down list allows you to select between the following entries the Account type used by the User:

• Shared: account shared between several users who belong to the same group of users.

• Primary: account allowing the user's connection data to be used to produce an SSO. This account is only available if the user password is authenticated.

• Standard: account type that is automatically associated with the application when it is added to the user.

• Specified on the Application: account type defined in the account base of the application (Primary account or Standard account).

• Format: If you select the primary account type, select in this drop-down list the format of the Windows user name (user name preceded by NETBIOS domain or including Windows domain for example).

• Application profile: if you have defined several Application Security profiles at application level, you can specify the profile to be used for this access.

To enable the Mobile E-SSO feature, you must select an Application Profile that allows external accesses.

• Role: if the User has access to various accounts for the selected Application, you must assign different roles to these accounts using the Manage button.

• Users can create additional accounts: select this option to authorize the User to create as many accounts as he/she wants.

6.2.10 Managing User's RFID Tokens ("RFID" Tab)

The RFID tab allows you to assign, lock or unlock, send into a blacklist and delete, or display information on the RFID tokens of a user. For details on how to manage tokens through this tab, see Section 9, Managing RFID Tokens.

6.2.11 Managing Data Privacy ("DP" Tab)

The DP tab allows you to generate and update the encryption key associated with a user. For details on how to use the Data Privacy feature, see Section 11, Managing Data Privacy.


6.2.12 Displaying User Event Logs ("Event" Tab)

Subject

The Events tab allows you to display all the events that are directly or indirectly linked to the selected object, for a defined period (the last two days by default). This report contains both User action and administration log entries.

Restriction

The Events tab appears only if you have at least the following administration role:

• In classic administration mode: "Auditor".
• In advanced administration mode, your role must contain the following right: "Audit: Visualization".

For more details on administration roles, see Section 4, Managing Administrators.

Procedure

1. In the tree structure of the Directory panel, select the wanted User.
2. Click the Events tab.
   • The Events tab appears.
3. In the Filter area, define a period of time to filter the log entries and click Apply (for more information on event logs, see Section 13, Managing Audit Events).

6.3 Managing Access Points

Subject

This section describes the operations specific to the Access Points management. The definition of the Access Point object and its relationship with the User and Application objects is provided in Section 1.1, Enterprise SSO Concepts.

If your directory infrastructure is composed of several domains, the operations on Access Points are saved only in the domain where they are done.

Before Starting

• Access Points are only included in the Enterprise SSO administration domain if the following conditions are met:

• The workstation is included in the Enterprise SSO operating environment in the reference LDAP directory domain.

• If you want to assign different Access Point profiles, sort your workstations according to the organizations (Organization unit) in which they are to be placed. If necessary, use the tree structure to define specific parameters for them in the security policy.

These tasks must be carried out directly in your LDAP directory, with the appropriate tools.


• The Enterprise SSO client must be installed on the workstations included in the Enterprise SSO administration domain.

Only the workstations on which the Enterprise SSO client is deployed appear in the tree structure (Directory panel).

• If you are working in "no-access-point-management" mode, client Access Points do not appear in the directory tree.

If you are using Active Directory, Access Points appear in the tree but cannot be modified.

6.3.1 Displaying Access Point General Information ("Information" Tab)

Subject

You can display Access Point general information. This data is retrieved from the installation of the Enterprise SSO client and from the LDAP directory.

Procedure

1. In the tree structure of the Directory panel, select the wanted Access Point.
2. Click the Information tab.
   • The Information tab appears.


6.3.2 Defining Access Point Configuration Parameters ("Configuration" Tab)

6.3.2.1 Assigning an Access Point Security Profile to an Access Point

Subject

The assignment of an Access Point Security Profile to an Access Point is an important step in the management of Access Point objects. Among other things, Access Point Security Profile objects define:

• The authentication methods enabled for the workstations associated with the Access Point Security Profile.

• The software modules (SSOWatch, Advanced Login...) enabled for these workstations.

An Access Point Security Profile should be used on TSE type Access Points to indicate that, on these workstations, the SSO Engine must not display the splash screen or the engine management icon in the notification bar.

Before Starting

• The Access Point Security Profile to assign must be created, as described in Section 5.4, Managing Access Point Security Profiles.

• To perform the task described in this section, you must have at least the following administration role:

  • In classic administration mode: "Security object administrator".
  • In advanced administration mode, your role must contain the following right: "Access point security profile: Assignment".
• If you are working in "no-access-point-management" mode, Access Point security profiles cannot be applied on Access Points.

Procedure

1. In the tree structure of the Directory panel, select the wanted Access Point.
2. Click the Configuration tab.
   • The Configuration tab appears.


• By default, the default Access Point Security Profile is selected (for details on how to configure the default security profiles objects, see Section 5.6, Defining Security Profiles Default Values).

3. To assign another Access Point Security Profile, click the button.

Click the button to search, display and if necessary modify the selected Access Point Security Profile.

6.3.2.2 Managing the Access Point Available Services

Subject

If an Enterprise SSO controller is installed on the selected Access Point, you can manage the list of services that this controller should provide: when a workstation needs to connect to an Enterprise SSO controller, the Enterprise SSO security services connect to an Enterprise SSO controller that explicitly provides the required Service.

For more information on Enterprise SSO controllers and service management, see Section 1.2, Enterprise SSO Controller.

Procedure

1. In the tree structure of the Directory panel, select the wanted Access Point.
2. Click the Configuration tab.
   • The Configuration tab appears.
   • The Available E-SSO services area displays the port number used by the Enterprise SSO controller (for information) and the list of available services.
3. Select the check boxes corresponding to the Services you want to be provided by the Enterprise SSO controller installed on this computer. Changing the list of available Services has no impact on the Enterprise SSO controller itself.

• Any change is taken into account by workstations at cache refresh time.


6.3.3 Assigning/Forbidding Users to Access Points ("Authorized Users" Tab)

Subject

To configure single sign-on for a User, you must define the following links:

• Authorize the User on an Access Point.
• Authorize an Application to run on an Access Point.
• Authorize the User to access an Application.

This section describes how to authorize a User to log on to an Access Point, from the Access Point object. This access is checked by Advanced Login or by the GINA of the workstation client. An unauthorized User attempting to log on to a workstation will obtain the following message: "You are not authorized to log in on this access point".

You can also authorize a User to log on to an Access Point from the User object, as described in section 6.5.2, Assigning/Forbidding Access Points to a User ("Access Points" Tab).

Before Starting

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator" or "Access administrator".

• In advanced administration mode, your role must contain the following right: "Authorization for user on access point: Creation/Modification" and "Authorization for user on access point: Deletion".

• If you are working in "no-access-point-management" mode, it is not possible to configure user access to individual Access Points or to objects representing sets of Access Points (groups, organizations and so on). The User Access tab is not displayed. A User is authorized to connect to an Access Point of his/her domain only if his/her User Security Profile indicates "Allow on all Access Points".

Procedure

1. In the tree structure of the Directory panel, select the wanted Access Point.
2. Click the Authorized Users tab.
   • The Authorized Users tab appears.


3. If the Allow on all Access Points parameter of the User Security Profile associated with the user is selected (for details see Section 5.3.2, Configuring User Security Profiles), you can leave this tab blank to authorize all the Access Points of the directory domain for the selected Users. If you want to define authorized/forbidden Users, do the following:

• Allow/Forbid: If you have added a group of Users and you want to forbid one or more User(s) of this group, use the Allow and Forbid buttons.

• Modules: To prevent Users from accessing some of the software modules installed on the Access Point (Advanced Login, E-SSO Console, SSOWatch or SSOStudio), use the Modules button.

The Enterprise SSO controller uses the following algorithm to assign or forbid Access Points to Users:

1. Check whether the user is authorized or denied.
2. Check whether a user primary group is authorized or denied.
3. Check whether a user group is authorized or denied.
4. Check whether a parent organizational unit grants or denies access.
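The precedence above (and the identical one in 6.2.5) written out as a resolver, as an added illustration that is not Quest/Evidian code: the first scope in the chain that carries an explicit allow or deny decides, and only when no scope says anything does the "Allow on all Access Points" flag of the User Security Profile grant access. All user, group, OU and workstation names are constructed, and the tie-break for conflicting group rules is an assumption, not something the guide states; the same scope order also applies to the application-on-access-point check in 6.3.4 with the Access Point as the subject.

```python
"""Precedence resolver for user access to Access Points, as described in the
guide: the user's own rule, then the primary group, then other groups, then
parent organizational units, nearest first.  Added illustration only, not
Quest/Evidian code; all object names below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ALLOW = "allow"
DENY = "deny"

# scope object name (user, group or OU) -> {Access Point or AP-group name -> decision}
Rules = Dict[str, Dict[str, str]]


@dataclass
class User:
    name: str
    primary_group: Optional[str] = None
    groups: List[str] = field(default_factory=list)     # non-primary groups
    org_units: List[str] = field(default_factory=list)  # nearest parent OU first
    allow_on_all_access_points: bool = False  # flag from the User Security Profile


@dataclass
class AccessPoint:
    name: str
    groups: List[str] = field(default_factory=list)  # Access Point groups it belongs to


def rule_at_scope(scope: str, ap: AccessPoint, rules: Rules) -> Optional[str]:
    """Decision recorded on one scope object for this Access Point, or None.
    A rule naming the Access Point itself beats a rule naming one of its groups
    (the Allow/Forbid buttons applied to members of an added group)."""
    scoped = rules.get(scope, {})
    if ap.name in scoped:
        return scoped[ap.name]
    group_decisions = [scoped[g] for g in ap.groups if g in scoped]
    if DENY in group_decisions:  # assumption: a forbidden group wins over an allowed one
        return DENY
    return ALLOW if group_decisions else None


def resolve(user: User, ap: AccessPoint, rules: Rules) -> Tuple[bool, str]:
    """Return (authorized, scope that decided) following the guide's order.
    The first scope carrying an explicit allow or deny decides; nothing further
    down the chain is consulted."""
    # 1. the user object itself
    decision = rule_at_scope(user.name, ap, rules)
    if decision:
        return decision == ALLOW, f"user:{user.name}"
    # 2. the user's primary group
    if user.primary_group:
        decision = rule_at_scope(user.primary_group, ap, rules)
        if decision:
            return decision == ALLOW, f"primary-group:{user.primary_group}"
    # 3. the user's other groups (assumption: an explicit deny in any group wins)
    found = {g: rule_at_scope(g, ap, rules) for g in user.groups}
    found = {g: d for g, d in found.items() if d}
    if found:
        denied = [g for g, d in found.items() if d == DENY]
        if denied:
            return False, f"group:{denied[0]}"
        return True, f"group:{next(iter(found))}"
    # 4. parent organizational units, nearest first
    for ou in user.org_units:
        decision = rule_at_scope(ou, ap, rules)
        if decision:
            return decision == ALLOW, f"ou:{ou}"
    # 5. no explicit rule anywhere: only "Allow on all Access Points" in the
    #    User Security Profile grants access (the blank-tab case in the guide)
    return user.allow_on_all_access_points, "security-profile:allow-on-all"


# Constructed sample directory: an OU that allows its Access Point group but
# forbids one member, a contractors group that forbids the whole group, and a
# user explicitly allowed on the forbidden workstation.
RULES: Rules = {
    "OU=Sales": {"APG-Sales": ALLOW, "WS-0002": DENY},
    "G-Contractors": {"APG-Sales": DENY},
    "alice": {"WS-0002": ALLOW},
}
WS_0001 = AccessPoint("WS-0001", groups=["APG-Sales"])
WS_0002 = AccessPoint("WS-0002", groups=["APG-Sales"])
WS_0003 = AccessPoint("WS-0003")  # in no group and named in no rule

ALICE = User("alice", primary_group="G-Staff", groups=["G-Contractors"],
             org_units=["OU=Sales", "OU=Corp"])
BOB = User("bob", primary_group="G-Staff", org_units=["OU=Sales", "OU=Corp"])
DAVE = User("dave", org_units=["OU=Corp"], allow_on_all_access_points=True)

if __name__ == "__main__":
    for user in (ALICE, BOB, DAVE):
        for ap in (WS_0001, WS_0002, WS_0003):
            ok, why = resolve(user, ap, RULES)
            print(f"{user.name:6} {ap.name}: {'ALLOW' if ok else 'DENY':5} ({why})")
```

Note how alice's group-level deny on APG-Sales beats the OU-level allow for WS-0001, while her own user-level allow on WS-0002 beats everything below it: a denial recorded on a group is invisible from the user's tab unless you walk the chain in this order.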

6.3.4 Assigning/Forbidding Applications to Access Points ("Available Applications" Tab)

Subject

To configure single sign-on for a User, you must define the following links:

• Authorize the User on an Access Point.
• Authorize an Application to run on an Access Point.
• Authorize the User to access an Application.

This section describes how to authorize an Application to run on an Access Point.


Before Starting

• The software corresponding to the Application object must be installed on the Access Point.

The Enterprise SSO controller uses the following algorithm to assign or forbid Applications to Access Points:

  • Check whether the Access Point authorizes the application.
  • Check whether an Access Point primary group authorizes or prohibits the Application.
  • Check whether an Access Point group authorizes or prohibits the application.
  • Check whether an Access Point parent Organizational Unit grants or denies access.

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator" or "Access administrator".

• In advanced administration mode, your role must contain the following right: "Authorization for application on access point: Creation/Modification" and "Authorization for application on access point: Deletion".

• If you are working in "no-access-point-management" mode, it is not possible to make applications available on individual Access Points or on objects representing sets of Access Points (groups, organizations and so on) other than "outbound representatives". The Application Available tab is not displayed.

Procedure

1. In the tree structure of the Directory panel, select the wanted Access Point.
2. Click the Available Applications tab.
   • The Available Applications tab appears.

3. Click the Add/Remove buttons to select the Applications that you want to be accessible to the selected Access Point.


4. To be more specific about the list of accessible Applications, use the following buttons:

• Allow/Forbid: If you have added a group of Applications and you want to forbid one or more Application(s) of this group, use the Allow and Forbid buttons.

• Propagation method: If you add a specific Application, and this Application uses the SSO propagation method, you must indicate a technical reference. By default, the technical reference specified on the Application is used, as described in Section 6.1.4, Defining the Single Sign-On Properties of an Application ("Configuration"/"SSO" Tab).

6.3.5 Displaying Access Point Event Logs ("Events" Tab)

Subject

The Events tab allows you to display all the events that are directly or indirectly linked to the selected object, for a defined period (the last two days by default). This report contains both User action and administration log entries.

Restriction

The Events tab appears only if you have at least the following administration role:

• In classic administration mode: "Auditor".
• In advanced administration mode, your role must contain the following right: "Audit: Visualization".

For more details on administration roles, see Section 4, Managing Administrators.

Procedure

1. In the tree structure of the Directory panel, select the wanted Access Point.

2. Click the Events tab.

• The Events tab appears.

3. In the Filter area, define a period of time to filter the log entries and click Apply (for more information on event logs, see Section 13, Managing Audit Events).

6.4 Managing Representative Objects

Subject

A representative object is an LDAP object representing a set of target objects (Users or Access Points) that are not part of the domain the representative object belongs to. Thus, a represented User can log on to an access point that is not part of his/her domain, and access his/her local domain applications.

This section explains how to create, modify and delete representative objects.


Object Definition

A representative object represents objects (Users or Access points) that are not part of its local domain.

These objects are of two types:

• Inbound type: the object represents a set of external users.
• Outbound type: the object represents a set of external access points.

By default, two Representative objects are created: they represent all external domains.

In "no-access-point-management" mode,

• The inbound representative object must have a security profile allowing it to authenticate on all access points.

• The outbound representative object represents a domain of computers.

6.4.1 Managing Inbound Representative Objects

Subject

An Inbound Representative object represents a set of Users that are not part of the domain the Representative belongs to.

You assign a security profile to this representative and, in "access-point-management" mode, choose which access points of the local domain must be accessible to the represented users. Thus, these users will be able to log on to access points that are not part of their domain.

Before Starting

Before starting, check that you meet the following requirements:

• You must be authorized to access the external domains in which the Users to be represented reside (see Section 4, Managing Administrators).

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".
• In advanced administration mode, your role must contain the following right: "Representative: Creation/Modification".

• The User Security Profile that you want to assign to the external users must be created, as described in Section 5.3, Managing User Security Profiles.

• In "no-access-point-management" mode, a user can open an Enterprise SSO session on an access point of a foreign domain only if the representative of the user is authorized to authenticate on all access points. In the security profile of the representative, the Allow on all Access Points field must be selected, as described in Section 5.3.2.1, Authentication Parameters Configuration ("Authentication" Tab).


6.4.1.1 Creating/Modifying an Inbound Representative Object

Procedures

Creating an Inbound Object

1. In the tree structure of the Directory panel, right-click the Organizational Unit that must contain your Inbound object and select New | Representative.

• The selection window appears.

2. Click Inbound access and click OK.

• The Inbound Object configuration tabs appear.

3. In the Configuration tab, in the Representative area, type the name of the Representative you are creating.

4. Configure the Representative object, as described in the following sections:

• Define the set of Users to represent: see Section 6.4.1.2, Defining the Set of Users to Represent ("Configuration" Tab).

• Assign a User Security Profile to the Representative: see Section 6.4.1.3, Assigning a User Security Profile to the Inbound Representative Object ("Security Profile" Tab).

• Choose the Access Points that the Representative will be authorized to access: see Section 6.4.1.4, Selecting the Access Points Available to the Representative ("Access Points" Tab).

5. Click Apply.

• The Inbound Object appears in the directory tree structure.

Modifying an Inbound Object

1. In the tree structure of the Directory panel, select the Inbound Object to modify.

• The Inbound Object configuration tab appears.

2. Modify the configuration of the Representative object, as described in the following sections:

• To modify the set of Users to represent: see Section 6.4.1.2, Defining the Set of Users to Represent ("Configuration" Tab).

• To modify the User Security Profile assigned to the Representative: see Section 6.4.1.3, Assigning a User Security Profile to the Inbound Representative Object ("Security Profile" Tab).


• To modify the selection of Access Points that the Representative is authorized to access: see Section 6.4.1.4, Selecting the Access Points Available to the Representative ("Access Points" Tab).

3. Click Apply.

• The Inbound Object is modified.

6.4.1.2 Defining the Set of Users to Represent ("Configuration" Tab)

Subject

You must select the external Users that you want the Representative object to represent.

Procedure

In the Configuration tab, in the Represented population area, use the Add and Remove buttons to choose the Users of external domains that you want to be represented by the Representative.


6.4.1.3 Assigning a User Security Profile to the Inbound Representative Object ("Security Profile" Tab)

Subject

You must assign a User Security Profile to the Representative object. When a represented user authenticates on an access point that is not part of his/her domain, his/her profile is composed of two parts: one from his/her own domain and one from the domain to which the access point belongs.

• The Security and Emergency Access tabs are used to compose the part of the profile belonging to the domain of the user.

• The Authentication and Unlocking tabs are used to compose the part of the profile belonging to the domain welcoming the user.

Before Starting

The User Security Profile to assign must be created, as described in Section 5.3, Managing User Security Profiles.

Procedure

1. Click the Security Profiles tab.

• The security profile tab appears.

• By default, the default User Security Profile is selected (for details on how to configure the default security profile objects, see Section 5.6, Defining Security Profiles Default Values).

2. To assign another User Security Profile, click the button.

Click the button to display and if necessary modify the selected User Security Profile.

3. Click Apply.

6.4.1.4 Selecting the Access Points Available to the Representative ("Access Points" Tab)

Subject

The Access Points tab is only available if Enterprise SSO manages Access Points.

This section describes how to authorize the represented Users to log on to Access Points that are not part of their domain.


Procedure

1. Click the Access Points tab.

• The access point tab appears.

2. Click the Add/Remove buttons to select the Access Points that you want to be accessible to the selected Representative.

The Allow on all Access Points parameter of the User Security Profile associated with the Representative has no effect on the accessibility of Access Points to the selected Representative.

3. To be more specific about the list of accessible Access Points, use the following buttons:

• Allow/Forbid: If you have added a group of Access Points and you want to forbid one or more Access Point(s) of this group, use the Authorize and Forbid buttons.

• Modules: To prevent the Representative from accessing some of the software modules installed on the Access Point (Advanced Login, E-SSO Console, SSOWatch or SSOStudio), use the Restriction button.

6.4.2 Managing Outbound Representative Objects

Subject

A Representative Outbound object represents a set of access points that are not part of the domain the Representative belongs to.

You decide what applications of the local domain must be available on these access points. Thus, users will be able to access applications of their local domain from access points that are not part of their domain.


Before Starting

Before starting, check that you meet the following requirements:

• You must be allowed to access the external domains in which the Access Points to be represented reside (see Section 4, Managing Administrators).

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".
• In advanced administration mode, your role must contain the following right: "Representative: Creation/Modification".

6.4.2.1 Creating/Modifying an Outbound Object

Procedures

Creating an Outbound Object

1. In the tree structure of the Directory panel, right-click the Organizational Unit that must contain your Outbound object and select New | Representative.

• The selection window appears.

2. Click Outbound access and click OK.

• The Outbound Object configuration tabs appear.

3. In the Configuration tab, in the Representative area, type the name of the Representative you are creating.

4. Configure the Representative object, as described in the following sections:

• Define the set of Access Points to represent: see Section 6.4.2.2, Defining the Set of Access Points to Represent ("Configuration" Tab).

• Choose the Applications that the Representative will be authorized to access: see Section 6.4.2.3, Selecting the Applications Available to the Representative ("Available Applications" Tab).

5. Click Apply.

• The Outbound Object appears in the directory tree structure.


Modifying an Outbound Object

1. In the tree structure of the Directory panel, select the Outbound Object to modify.

• The Outbound Object configuration tab appears.

2. Modify the configuration of the Representative object, as described in the following sections:

• To modify the set of Access Points to represent: see Section 6.4.1.2, Defining the Set of Users to Represent ("Configuration" Tab).

• To modify the selection of Applications that the Representative is authorized to access: see Section 6.4.1.4, Selecting the Access Points Available to the Representative ("Access Points" Tab).

• The Outbound Object is modified.

6.4.2.2 Defining the Set of Access Points to Represent ("Configuration" Tab)

Subject

You must select the external Access Points that you want the Representative object to represent.

Procedure

In the Configuration tab, in the Represented population area, use the Add and Remove buttons to choose the Access Points of external domains that you want to be represented by the Representative.

In "no-access-point-management" mode, the represented population is everyone or a specific domain. It is not possible to browse the sub-tree of domain-level objects.


6.4.2.3 Selecting the Applications Available to the Representative ("Available Applications" Tab)

Subject

This section describes how to authorize the represented Access Points to access Applications that are not part of their domain.

Before Starting

The software corresponding to the Application object must be installed on the Access Point.

Procedure

1. Click the Available Applications tab.

• The Available Applications tab appears.

2. Click the Add/Remove buttons to select the Application that you want to be accessible from external Access Points.

3. To be more specific about the list of accessible Applications, use the following buttons:

• Allow/Forbid: If you have added a group of Applications and you want to forbid one or more Application(s) of this group, use the Authorize and Forbid buttons.

• Propagation method: If you add an Application that uses the SSO propagation method, you must indicate a technical reference. By default, the technical reference specified on the Application is used, as described in Section 6.1.4, Defining the Single Sign-On Properties of an Application ("Configuration"/"SSO" Tab).


6.4.3 Displaying Representative Event Logs

Subject

The Events tab allows you to display all the events that are directly or indirectly linked to the selected object, for a defined period (the last two days by default). This report contains both User action and administration log entries.

Restriction

The Events tab only appears if you have the following administration role:

• In classic administration mode: "Auditor".
• In advanced administration mode, your role must contain the following right: "Audit: Visualization".

For more details on administration roles, see Section 4, Managing Administrators.

Procedure

1. In the tree structure of the Directory panel, select the wanted Representative.

2. Click the Events tab.

• The Events tab appears.

3. In the Filter area, define a period of time to filter the log entries and click Apply (for more information on event logs see Section 13.2.1, Filtering Audit Records).

6.4.4 Renaming Representative Objects

Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".
• In advanced administration mode, your role must contain the following right: "Representative: Creation/Modification".


Procedure

1. In the tree structure of the Directory panel, right-click the Representative object to rename and select Rename.

2. Type the new name of the object and press Enter.

6.4.5 Deleting Representative Objects

Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".
• In advanced administration mode, your role must contain the following right: "Representative: Deletion".

Procedure

In the Directory panel, right-click the Representative Object to delete and select Delete.

The Representative Object is deleted from the directory tree structure.

6.5 Managing Clusters of Access Points

Definition

A Cluster of access points is a set of computers on which the Windows sessions are synchronized by Enterprise SSO. Operations that a user performs on the Windows session (opening, closing, locking, unlocking) of a computer that belongs to the cluster are automatically and simultaneously performed on all the other computers that form the cluster.

The number of workstations you can include in a cluster is not limited.

In a cluster of access points, the computer on which the user performs an action is called the master computer. The same action is simultaneously performed on the other computers of the cluster, called slaves.

An Enterprise SSO Controller does not work in Cluster mode.


Mechanism Description

When a user performs an operation (opening, closing, locking, unlocking) on a computer, this computer becomes the master computer and periodically informs the slave computers of the operation performed. This allows the management of slave computer behaviors.

• Session Opening: When a user opens a session on a computer of the cluster, all the sessions of other computers of the cluster open with the same user account.

• If a slave computer is not reachable at session opening on the master computer, the session opening operation on this slave computer will be performed as soon as the network is restored.

• If a slave computer restarts, and if the last operation performed on the master computer is a session opening, a session will be opened on this slave computer as soon as it is available.

• If the session of a slave computer is locked by another user, the session is unlocked only if the Fast User Switching (FUS) option is activated for this computer (see Section 5.3.2.3, Fast User Switching Parameters Configuration ("Unlocking" Tab)).

• If a user performs a FUS on a computer, all the other computers of the cluster perform the FUS.

• If an "Excluded Account" opens a session on a computer that is part of the cluster, this computer is automatically excluded from the cluster.

• For more information on excluded accounts, see the Excluded accounts button in Section 5.4.2.2, Advanced Login Parameters Configuration ("Advanced Login" Tab).

• Session Locking:

• When a computer is locked, all the other computers are locked according to their defined lock mode (see Section 6.5.1, Creating and Configuring a Cluster of Access Points).

• If a slave computer with an open session does not receive any information from the master for a period of 30 seconds, it is automatically locked according to its defined lock mode (see Section 6.5.1, Creating and Configuring a Cluster of Access Points).

• Session Closing: When the user closes a computer, all the other computers of the cluster are closed.

A slave computer can only accept orders from the master computer if they are compatible with its current session. For example, if a user locks a computer session while all the other cluster computer sessions are closed, these sessions will remain closed.

• Screensaver: When a computer screensaver is activated, the computer is not locked. It becomes locked at the end of the screensaver period: it then becomes the master and locks all computers of the cluster.

You must configure the screensaver according to the wanted computer behavior.


6.5.1 Creating and Configuring a Cluster of Access Points

Subject

The following procedure explains how to create a new cluster of access points, and configure it:

• You can authorize users to temporarily remove a computer from the cluster.
• You can define a locking behavior for each computer of the cluster.

Before Starting

• To perform the task described in this section, you must work in advanced administration mode, and your role must contain the following right: "Cluster: Creation/Modification".

For more information on administration modes, see Section 4, Managing Administrators.

• Make sure that none of the computers you want to place in the cluster is an Enterprise SSO Controller.

• Make sure all the computers you want to gather in a cluster are connected to each other, and configured according to your needs (automatic screen-saver launching, locking).

• DNS resolution must work properly so that orders sent from the master can be easily transmitted to slaves.

• Port 3644 must be open on all computers you want to gather in a cluster.
• Enterprise SSO must be configured in "manage-access-point" mode.
• The following license keys must be installed on the Enterprise SSO Controller and Clients: "Cluster mode" and "Audit and advanced security".

Procedure

1. In the tree structure of the Directory panel, right-click the Organizational Unit that must contain your Cluster of access points and select New | Cluster of access points.

• The Configuration tab appears.


2. Fill in the Name field.

3. Click the Add button to select the access points you want to add to the cluster.

Use the Browse tab to browse the directory tree structure or use the Search tab to find the access point by typing its name.

4. Define the cluster properties as explained in the following "Configuration" Tab Description section.

5. Click Apply.

• The Cluster object is created and configured.

"Configuration" Tab Description


• Allow users to temporarily withdraw a computer from the cluster check box: If this check box is selected, users allowed to access one of the cluster computers will be able to temporarily exclude a computer from the cluster, from the SSOWatch application module.

• Option button: Gives access to the Cluster Lock Mode window.

For each computer of the cluster, this window allows you to define its behavior as a slave in the following cases:

• When it receives a locking order from the master computer.
• When it does not receive any order from the master for more than 30 seconds.

The behavior selected here only applies when the computer is a slave.

• Do nothing: The selected computer is not locked.

• Lock keyboard and mouse: The selected computer is not locked, but keyboard and mouse are disabled. Pressing Ctrl+Alt+Del on this computer unlocks it.

• Lock session (default value): The selected computer is locked.

• Remove button: Removes the selected computer from the cluster.

• Add button: Allows you to select the access points you want to add to the cluster.

The Browse tab allows you to browse the directory tree structure and the Search tab allows you to find the access point by typing its name.
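The slave-side rules from the Mechanism Description above (order compatibility, the 30 second master silence timeout, FUS, excluded accounts, deferred session opening) together with the three lock modes of the Cluster Lock Mode window, modelled as an added example that is not code from the Quest product: the class, the order names and the in-memory clock are assumptions made for illustration, useful for reasoning about what a slave does when it loses contact with the master under each lock mode.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

HEARTBEAT_TIMEOUT_S = 30  # a slave locks itself after 30 s without news from the master


class Session(Enum):
    CLOSED = "closed"
    OPEN = "open"
    LOCKED = "locked"              # result of the "Lock session" mode
    INPUT_LOCKED = "input_locked"  # result of the "Lock keyboard and mouse" mode


class LockMode(Enum):
    DO_NOTHING = "do_nothing"
    LOCK_INPUT = "lock_keyboard_and_mouse"
    LOCK_SESSION = "lock_session"  # default value in the console


@dataclass
class Slave:
    """One cluster computer seen as a slave (hypothetical model, not product code)."""
    name: str
    lock_mode: LockMode = LockMode.LOCK_SESSION
    fus_enabled: bool = False                 # Fast User Switching option of its profile
    excluded_accounts: frozenset = frozenset()
    session: Session = Session.CLOSED
    user: Optional[str] = None
    in_cluster: bool = True
    reachable: bool = True
    last_heartbeat: float = 0.0
    missed_order: Optional[tuple] = None      # last (order, user) sent while unreachable

    def _apply_lock_mode(self) -> None:
        if self.session is not Session.OPEN:
            return
        if self.lock_mode is LockMode.LOCK_SESSION:
            self.session = Session.LOCKED
        elif self.lock_mode is LockMode.LOCK_INPUT:
            self.session = Session.INPUT_LOCKED
        # LockMode.DO_NOTHING: the session stays open and usable

    def local_logon(self, user: str) -> None:
        """A user opens a session directly on this computer."""
        self.session, self.user = Session.OPEN, user
        if user in self.excluded_accounts:
            self.in_cluster = False  # an "Excluded Account" drops the computer from the cluster

    def tick(self, now: float) -> None:
        """Periodic local check: enforce the 30 s master silence timeout."""
        if (self.in_cluster and self.session is Session.OPEN
                and now - self.last_heartbeat > HEARTBEAT_TIMEOUT_S):
            self._apply_lock_mode()

    def restore_network(self, now: float) -> str:
        """Network is back: replay the order missed while the slave was unreachable."""
        self.reachable = True
        if self.missed_order is None:
            return "nothing pending"
        order, user = self.missed_order
        self.missed_order = None
        return self.receive(order, user, now)

    def receive(self, order: str, user: str, now: float) -> str:
        """Handle an order from the master; returns what the slave did and why."""
        if not self.in_cluster:
            return "ignored: not in cluster"
        if not self.reachable:
            self.missed_order = (order, user)
            return "deferred: unreachable"
        self.last_heartbeat = now  # any message from the master counts as news
        if order == "open":
            if self.session is Session.CLOSED:
                self.session, self.user = Session.OPEN, user
                return "opened"
            return "ignored: a session is already in progress"
        if order == "close":
            self.session, self.user = Session.CLOSED, None
            return "closed"
        if order == "lock":  # incompatible with a closed session: it stays closed
            if self.session is not Session.OPEN:
                return "ignored: no open session"
            self._apply_lock_mode()
            return f"lock mode applied: {self.session.value}"
        if order == "unlock":
            if self.session not in (Session.LOCKED, Session.INPUT_LOCKED):
                return "ignored: not locked"
            if self.user != user and not self.fus_enabled:
                return "ignored: locked by another user and FUS disabled"
            self.session, self.user = Session.OPEN, user
            return "unlocked"
        if order == "fus":
            if not self.fus_enabled:
                return "ignored: FUS disabled"
            self.session, self.user = Session.OPEN, user
            return "switched user"
        return "ignored: unknown order"
```

Note that a slave configured with "Do nothing" keeps an open, usable session indefinitely once the master goes silent, which is the case to weigh before choosing that mode.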


6.5.2 Displaying Cluster Event Logs ("Events" Tab)

Subject

The Events tab allows you to display all the events that are directly or indirectly linked to the selected object, for a defined period (the last two days by default). This report contains both User action and administration log entries.

Restriction

The Events tab appears only if you have at least the following administration role:

• In classic administration mode: "Auditor".
• In advanced administration mode, your role must contain the following right: "Audit: Visualization".

For more details on administration roles, see Section 4, Managing Administrators.

Procedure

1. In the tree structure of the Directory panel, select the wanted Cluster.

2. Click the Events tab.

• The Events tab appears.

3. In the Filter area, define a period of time to filter the log entries and click Apply (for more information on event logs, see Section 13, Managing Audit Events).

6.5.3 Renaming Clusters

Subject

This section describes how to rename a Cluster.

Before Starting

To perform the task described in this section, you must work in advanced administration mode, and your role must contain the following right: "Cluster: Creation/Modification".

For more details on administration roles, see Section 4, Managing Administrators.

Procedure

1. In the tree structure of the Directory panel, right-click the Cluster and select Rename.

2. In the Configuration tab, type the new name of the object and press Enter.


6.5.4 Deleting Clusters

Subject

This section describes how to delete Clusters.

Before Starting

To perform the task described in this section, you must work in advanced administration mode, and your role must contain the following right: "Cluster: Deletion".

For more information on administration modes, see Section 4, Managing Administrators.

Procedure

In the tree structure of the Directory panel, right-click the Cluster to delete and select Delete.

The Cluster is deleted.

6.6 Selecting a Domain Controller

Subject

When you modify an object in the directory, if the modification is made on a domain controller other than the one used by the user's workstation, the user has to wait until replication between all the domain controllers is complete (for more information on domain controllers, see Section 1, Overview).

In Enterprise SSO, this occurs for example when an administrator sets a new password on a user account. The new password itself is replicated immediately (a special feature of the Active Directory replication process). But for Enterprise SSO, the new password implies a new key for this user (computed from the password), which is used to encrypt the user's SSO data. The replication of the modified SSO data follows the normal process, which can take hours to reach the user's site.

The following procedure explains how to select a specific domain controller to work on.


Procedure

1. Click File | Select another LDAP server.

• The domain controller selection window appears.

By default, this window proposes the list of the domain controllers from the site on which the Enterprise SSO administration controller is located.

2. To add another domain controller, read the displayed instructions and click the Search button.

• If you have entered a computer or server name in the Server or computer name text box, all the domain controllers matching the search criteria are listed.

• If a computer name matches the search, all the domain controllers of the computer's site are listed.

3. Select the domain controller you want to work on and click the Select button.

• The new domain controller will then be used for all the administration tasks, until you close the Enterprise SSO Console, or select another controller.


7. Managing Smart Cards

Subject

This section describes all the administration tasks related to smart card management. It focuses for the most part on how to use the smart card administration module, which can be displayed using the Smart Card button of the navigation bar. This module allows you to assign smart cards to users, format smart cards, display information on a specific smart card and much more.

As "Smart card administrator", you will assign smart cards and frequently change their states, as shown in the following diagram:

[Diagram: smart card life cycle. States: Blank Smart Card, Assigned Smart Card, Smart Card Locked, Smart Card Blacklisted. Transitions: Assignment (blank to assigned), Locking and Unlocking (between assigned and locked), Blacklisting (from assigned or locked to blacklisted), Formatting (back to blank).]

Before Starting

If you use a smart card to perform your administration tasks, all tasks described in this section require you to be a "Smart card manager" (this right is granted at card assignment time, in the Administration tab).


Interface Design

Depending on your administration profile, you can manage smart cards through the following panels of Enterprise SSO Console interface:

For more information on administration modes, see Section 4, Managing Administrators.

• In classic administration mode:

• If you only have the "Smart card administrator" role, then you have access only to the Smart Card panel.

• If you have the "Smart card administrator" role and at least one of the following roles: "Security object administrator", "Access administrator" or "Rights administrator", then you have access to the Directory panel and can also use it to manage smart cards.

• In advanced administration mode:

• If you only have the "Token: <right name>" administration right, then you have access only to the Smart Card panel.

• If you have the "Token: <corresponding right>" and "Directory: Browsing" administration rights, then you have access to the Directory panel and can also use it to manage smart cards.

Depending on the panel used to manage smart cards, procedures are different. Moreover, some tasks can be carried out from only one of these two panels, as described in the following table:

IF YOU WANT TO…                                    USE THE…
Assign a smart card to a specific user             Directory panel
Assign smart cards to many users                   Smart Card panel
Format smart cards                                 Smart Card panel
Unlock smart cards                                 Directory or Smart Card panel
Disable/Enable smart cards of a user               Directory or Smart Card panel
Send smart cards to a blacklist                    Directory or Smart Card panel
Force a new PIN                                    Smart Card panel
Extend the validity of a smart card                Smart Card panel
Lend a smart card                                  Directory panel
Return a lent smart card                           Smart Card or Directory panel
Find the owner of a smart card                     Smart Card panel
Display the list of supported smart cards          Smart Card panel
Manage smart card configuration profiles           Smart Card panel
Manage a smart card's authentication parameters    Directory panel
Manage smart card batches                          Directory panel


7.1 Assigning Smart Cards to Users

You can assign smart cards in two ways: user by user or by batch.

• To know how to assign smart cards by batch, see Section 7.1.1, Assigning Smart Cards to Many Users.

• To know how to assign smart cards user by user, see Section 7.1.2, Assigning a Smart Card to a User.

7.1.1 Assigning Smart Cards to Many Users

Subject

This section describes how to assign smart cards by batch. For information on how to assign smart cards user by user, see Section 7.1.2, Assigning a Smart Card to a User.

Before Starting

Check that you meet the following requirements:

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Smart card administrator".
• In advanced administration mode, your role must contain the following right: "Token: Assignment".

• If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignment time, in the Administration tab) to perform the task described in this section.

• You must have as many blank smart cards as there are users requiring smart cards, and at least two smart card readers.

Procedure

1. In the Smart Card panel, click the button located in the toolbar.

• The user selection window appears.


2. Click the Add button and in the displayed window, select the wanted users.

You can select an Organizational Unit to add all the users registered in this OU.

• The users are listed in the Selected users area.

3. Click Assign.

• The smart card assignment window appears.

4. Insert the smart card of the corresponding user in a smart card reader, fill in this window as follows, and then click OK:

a) In the Smart card area, select the smart card to assign.

b) In the Configuration area, select a card model:

• Advanced Login and Advanced Login—Smart card Storage: these models generate a card which can be used with the Enterprise SSO software modules.

• It is mandatory to select this card model if you want to store the user's authentication data on the token. For more information, see Section 7.1.3, Assigning a new Smart Card Allowing a User to log on a Workstation which is Disconnected from the Directory.

• It is recommended to select this card model if the card is only used with Enterprise SSO software modules, and if certificates are not used.

• Windows Smartlogon Compatible: (you cannot apply this model using Windows Remote Desktop). This model generates a card which can be used with standard Windows authentication. It manages a single certificate, which is the smart card authentication certificate. It is not compatible with the two Advanced Login models.

• Cryptoflex IK Compatible: (you cannot apply this model using Windows Remote Desktop). This configuration generates a card which can be used with standard Windows authentication, in conjunction with IK software from Schlumberger/Axalto. This configuration loads the authentication certificate and allows two further certificates to be imported from PFX/PKCS#12 files.

Cards generated using this model cannot be used on workstations which do not have the IK software.

• It is also possible to create customized smart card models if you have specific requirements. Contact your Quest representative for further information.


c) The smart card assignment properties window appears.

5. Fill in this window and click OK.

• The smart card is assigned to the user, and then the smart card allocation window appears again.

6. Repeat Steps 4 and 5 for each selected user.

7.1.2 Assigning a Smart Card to a User

Subject

This section describes how to assign smart cards to a single user. For information on how to assign smart cards by batch, see Section 7.1.1, Assigning Smart Cards to Many Users.

Before Starting

Check that you meet the following requirements:

• To perform the task described in this section, you must have at least the following administration roles:

• In classic administration mode: "Smart card administrator" and at least, one of the following roles: "Security object administrator" or "Access administrator" or "Rights administrator".

• In advanced administration mode, your role must contain the following rights: "Token: Assignment" and "Directory: Browsing".

• If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

• You must have at least one blank smart card and two smart card readers.


Procedure

1. In the tree structure of the Directory panel, click the user for which you want to assign a smart card.

2. In the Smart Card tab, click the Assign button.

• The smart card assignment window appears.

3. Insert the smart card of the corresponding user in a smart card reader, fill in this window as follows then click OK.

a) In the Smart card area, select the smart card to assign.

b) In the Configuration area, select a card model:

• Advanced Login and Advanced Login—Smart card Storage: these models generate a card that can be used with the Enterprise SSO software modules.

• It is mandatory to select this card model if you want to store user's authentication data on token. For more information, see Section 7.1.3, Assigning a new Smart Card Allowing a User to log on a Workstation which is Disconnected from the Directory.

• It is recommended to select this card model if the card is only used with Enterprise SSO software modules, and if certificates are not used.

• Windows Smartlogon Compatible: (you cannot apply this model using Windows Remote Desktop). This model generates a card which can be used with standard Windows authentication. It manages a single certificate, which is the smart card authentication certificate. It is not compatible with the two Advanced Login models.

• Cryptoflex IK Compatible: (you cannot apply this model using Windows Remote Desktop). This configuration generates a card which can be used with standard Windows authentication, in conjunction with IK software from Schlumberger/Axalto. This configuration loads the authentication certificate and allows two further certificates to be imported from PFX/PKCS#12 files.

Cards generated using this model cannot be used on workstations which do not have the IK software.

• It is also possible to create customized smart card models if you have specific requirements. Contact your Quest representative for further information.


c) The smart card assignment properties window appears.

4. Fill in this window and click OK.

• The smart card is assigned to the user.

7.1.3 Assigning a new Smart Card Allowing a User to log on a Workstation which is Disconnected from the Directory

Subject

The following procedure describes how to allow a user who uses his/her smart card for the first time to log on a workstation that is disconnected from the LDAP directory.

Procedure

1. You must apply the Advanced Login—Smart Card Storage model when you assign the smart card.

2. (Optional) Depending on your security policy, check that Application Security Profiles associated with applications used by this user have the option Credential storage: on Token selected.


7.2 Formatting Smart Cards

Subject

Formatting a smart card reinitializes it. When a card is assigned to a user, its data is customized for the directory in which the user is registered, so the card can only be used with that directory. To use the card with another directory, you must reformat it.

Likewise, any reset of the smart card base in the security module requires all cards to be reformatted first; otherwise the cards are lost.

Restriction

If you want to format a blacklisted smart card, you can only do it with Cryptoflex cards. It is impossible to format a blacklisted card used in PKCS#11.

Before Starting

Check that you meet the following requirements:

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Smart card administrator".

• In advanced administration mode, your role must contain the following right: "Token: Formatting".

• If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

• You must have at least two smart card readers.

Procedure

1. In the Smart Card panel, click the button located in the toolbar.

• The smart card formatting window appears.

2. If necessary, insert the smart card to format in the smart card reader and click Format.

• A confirmation window appears.

3. Validate.

• The smart card is formatted.


7.3 Forcing a New PIN

Subject

You can force a new PIN to unlock the smart card of a user who has forgotten his/her PIN or exceeded the maximum number of login attempts. The forced PIN is a credential: hand it to the user through a channel that verifies his/her identity and, if your security policy requires it, set the card to require a PIN change on the next login (see Section 7.12, Managing Smart Card's Authentication Parameters).

Before Starting

Check that you meet the following requirements:

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Smart card administrator".

• In advanced administration mode, your role must contain the following right: "Token: Force PIN".

• If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

• You must have at least two smart card readers.

Procedure

1. In the Smart Card panel, click the button located in the toolbar.

• The Force PIN window appears.

2. If necessary, insert the wanted smart card in the smart card reader.

3. Either click Generate to create a random new PIN, or enter it manually in the New PIN Code field.

4. Click Force.

• The PIN is changed.


7.4 Disabling Temporarily Smart Cards

When you need to deactivate a smart card for a limited time (for example, when a user has mislaid his/her smart card), disable the smart card. This function deactivates the smart card but does not delete its assignment.

7.4.1 Disabling Temporarily Smart Cards from the Smart Card Panel

Subject

This section describes how to enable/disable smart cards from the Smart Card panel. For information on how to enable/disable smart cards from the Directory panel, see Section 7.4.2, Disabling Smart Cards of a User from the Directory Panel.

Before Starting

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Smart card administrator".

• In advanced administration mode, your role must contain the following right: "Token: Modification".

• If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

Procedure

1. In the Smart Card panel, click the Reports tab.

2. In the displayed window, filter if needed the smart cards to display and click Apply.

3. Select the wanted smart card and click Disable.

• The smart card is disabled.

7.4.2 Disabling Smart Cards of a User from the Directory Panel

Subject

This section describes how to enable/disable smart cards from the Directory panel. For information on how to enable/disable smart cards from the Smart Card panel, see Section 7.4.1, Disabling Temporarily Smart Cards from the Smart Card Panel.

Before Starting

• To perform the task described in this section, you must have at least the following administration roles:

• In classic administration mode: "Smart card administrator" and at least, one of the following roles: "Security object administrator" or "Access administrator" or "Rights administrator".

• In advanced administration mode, your role must contain the following rights: "Token: Modification" and "Directory: Browsing".


• If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

Procedure

1. In the tree structure of the Directory panel, click the user whose smart card you want to disable.

2. In the Smart Card tab, click the Disable button.

• The smart card is disabled.

7.5 Unlocking Smart Cards

If the user exceeds the maximum number of attempts authorized to enter his/her PIN, his/her smart card is locked. You must then unlock the smart card by using an unlocking secret code that you give to the user, so that he/she can use the smart card again without changing the PIN:

[Figure: Management of the Smart Card PIN Status. The diagram shows the following states and transitions.]

1. The user exceeds the maximum number of attempts authorized for PIN code entry.

2. The card PIN code is marked as locked in the directory.

3. The administrator enters an unlocking code on the console (state: the administrator has entered a card unlocking secret code).

4. The user uses the unlocking secret code.

5. The smart card operates correctly.

The following sections describe the two ways to unlock smart cards: from the Directory panel and from the Smart Card panel.

7.5.1 Unlocking Smart Cards from the Smart Card Panel

Subject

This section describes how to unlock smart cards from the Smart Card panel. For information on how to unlock smart cards from the Directory panel, see Section 7.5.2, Unlocking Smart Cards from the Directory Panel.


Before Starting

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Smart card administrator".

• In advanced administration mode, your role must contain the following right: "Token: Modification".

• If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

Procedure

1. In the Smart Card panel, click the Manage tab.

• The smart card management tab appears.

2. In the Management of locked smart cards area, to check that the number of locked smart cards is up to date, click Refresh.

3. Click Manage.

• The blocked smart card management window appears.


4. Select the wanted smart card and click Unblock.

5. In the displayed window, enter the secret code that you will give to the user and validate.

• The secret code appears in the Unblocking Secret column.

6. You can now give this secret code to the user so that he/she can use it to unlock his/her smart card. Hand it over through a channel that verifies the user's identity: anyone holding the card and this secret can unlock it.

7.5.2 Unlocking Smart Cards from the Directory Panel

Subject

This section describes how to unlock smart cards from the Directory panel. For information on how to unlock smart cards from the Smart Card panel, see Section 7.5.1, Unlocking Smart Cards from the Smart Card Panel.

Before Starting

• To perform the task described in this section, you must have at least the following administration roles:

• In classic administration mode: "Smart card administrator" and at least, one of the following roles: "Security object administrator" or "Access administrator" or "Rights administrator".

• In advanced administration mode, your role must contain the following rights: "Token: Modification" and "Directory: Browsing".

• If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

Procedure

1. In the tree structure of the Directory panel, click the user for which you want to unlock a smart card.

2. In the Smart Card tab, click the Unblock button.

3. In the displayed window, enter the secret code that you will give to the user and validate.

4. You can now give this secret code to the user so that he/she can use it to unlock his/her smart card.

7.5.3 Defining Contact Information

Subject

By default, when the end user locks his/her smart card, an information message appears telling him/her to contact the administrator. You can complete this message with more details on the contact, as described in the following procedure:


Procedure

1. In the File menu, click Configuration.

• The configuration window appears.

2. Fill in the General tab with any contact information useful to the end user (such as the name, phone number or e-mail address of the administrator).

3. Click OK.

• The information message is completed with the following line: "Your contact is <information you entered in the General tab>".

7.6 Sending Smart Cards to a Blacklist

The blacklisting of a smart card is an irreversible step which indicates that the smart card is permanently lost.

A blacklisted smart card cannot be reactivated and must be reformatted before it can be used again (smart cards used in PKCS#11 cannot be reformatted after having been blacklisted; you can only reformat Cryptoflex blacklisted cards).

7.6.1 Sending Smart Cards to a Blacklist from the Smart Card Panel

Subject

This section describes how to blacklist smart cards from the Smart Card panel. For information on how to blacklist smart cards from the Directory panel, see Section 7.6.2, Sending Smart Cards to a Blacklist from the Directory Panel.

Before Starting

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Smart card administrator".

• In advanced administration mode, your role must contain the following right: "Token: Blacklist".

• If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

Procedure

1. In the Smart Card panel, click the Reports tab.

2. In the displayed window, filter if needed the smart cards to display and click Apply.

3. Select the wanted smart card and click Blacklist.

• A confirmation window appears.

4. Validate.

• The smart card is blacklisted.


7.6.2 Sending Smart Cards to a Blacklist from the Directory Panel

Subject

This section describes how to blacklist smart cards from the Directory panel. For information on how to blacklist smart cards from the Smart Card panel, see Section 7.6.1, Sending Smart Cards to a Blacklist from the Smart Card Panel.

Before Starting

• To perform the task described in this section, you must have at least the following administration roles:

• In classic administration mode: "Smart card administrator" and at least, one of the following roles: "Security object administrator" or "Access administrator" or "Rights administrator".

• In advanced administration mode, your role must contain the following rights: "Token: Blacklist" and "Directory: Browsing".

• If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

Procedure

1. In the tree structure of the Directory panel, click the user for which you want to blacklist a smart card.

2. Select the smart card to blacklist and click the Blacklist button.

• A confirmation window appears.

3. Validate.

• The smart card is revoked.

You can click the Revocation tab to display more information on the date and the administrator who performed this operation.

7.7 Extending the Validity of a Smart Card

Subject

Once the expiry date of a smart card has passed, the card can no longer be used. This section describes how to extend the validity of smart cards.

If you cannot extend the validity of a smart card, it must be sent to a blacklist, as described in Section 7.6, Sending Smart Cards to a Blacklist.

Before Starting

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Smart card administrator".

• In advanced administration mode, your role must contain the following right: "Token: Modification".

• If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.


Procedure

1. In the Smart Card panel, click the Manage tab.

• The smart card management window appears.

2. In the Management of expired smart cards area, to check that the number of expired smart cards is up to date, click Refresh.

3. Click Manage.

• The expired smart card management window appears.

4. Select the wanted smart card and click Change.

5. In the displayed window, select the new validity date of the smart card and validate.

• The new expiry date appears in the Expiry Date column.

6. Contact the smart card owner to inform him/her that his/her smart card is active again.


7.8 Displaying Smart Card Properties

Subject

The Smart Card panel allows you to identify a smart card and retrieve the following information:

• Owner.
• Token type (principal or temporary).
• Card status.
• Card PIN status.
• Token class.
• Token serial number.
• The configuration used to customize the token.

Before Starting

Check that you meet the following requirements:

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Smart card administrator".

• In advanced administration mode, your role must at least contain the following right: "Token: Modification".

• If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

• You must have the smart card to identify and at least two smart card readers.

Procedure

1. In the Smart Card panel, click the button located in the toolbar.

• The smart card properties window appears.

2. If necessary, insert the smart card in the smart card reader, and select the corresponding smart card reader in the list box.

• The properties of the smart card appear.


If you have sufficient administration rights, you can click the button to display the Smart Card tab of the corresponding user in the Directory panel.

7.9 Displaying the List of Supported Smart Cards

Subject

The different smart card types that can be supported by the solution are defined upon the installation of the Enterprise SSO controller. This information is stored in an XML configuration file.

This module is for information only.

You can display the XML configuration file used to extract this information. For more details, see Section 14, Customizing Configuration Files.

Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Smart card administrator".

• In advanced administration mode, if you use a smart card to perform your administration tasks, you only need to be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab).


Procedure

In the Smart Card panel, click the Information tab.

The smart card information tab appears.

7.10 Managing Smart Card Configuration Profiles

You can use smart card configuration profiles to define the default values proposed upon the allocation of smart cards to users.

7.10.1 Creating / Modifying Configuration Profiles

Before Starting

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Smart card administrator".

• In advanced administration mode, your role must contain the following right: "Token configuration: Creation/Modification".

• If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

Procedures

Creating Configuration Profiles

1. In the Smart Card panel, click the Configuration tab.

2. In the Smart card type drop-down list box, select a type of smart card.

• The existing smart card configuration profiles appear in the Configurations area.


3. Click New.

• A new entry appears in the Configurations area.

4. Type a name for this new profile, and fill in the Global, Personalization, Temporary Card and PIN Format tabs.

These tabs allow you to set:

• The PIN renewal period (default value: 300 days): once this time has elapsed, the user must enter a new PIN to authenticate.

• The default PIN: this value is used when assigning the token.

• PIN change on next login: this value is the default used when the token is assigned with this profile.

• The number of attempts to enter the correct PIN before the card is locked: this value is written to the card when it is customized and cannot be changed subsequently without reformatting the token.

• An expiry date (number of days after the assignment) for the token: this expiry date can be changed after customization.

• The default values used when assigning a loan card (number of days before the loan card expires, and the behavior of the principal card if it is presented while the user has a loan card).

• A PIN format policy, which defines the requirements a PIN must meet. The default PIN must comply with these requirements.

5. Click Apply.

• The new configuration profile is created.

Modifying Configuration Profiles

1. In the Smart Card panel, click the Configuration tab.

2. In the Smart card type drop-down list box, select a type of smart card.

• The existing smart card configuration profiles appear in the Configurations area.

3. Select a configuration profile, and fill in the Global, Personalization, Temporary Card and PIN Format tabs.

4. Click Apply.

• The default values proposed upon the allocation of a smart card using this configuration profile are modified.
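The profile settings above (PIN renewal period, default PIN, attempt counter, PIN format policy) and the Generate button of Section 7.3 describe checks the console performs for you. The following Python code is an added example written for this edited page, not code from the Quest Enterprise SSO product or guide: it models a PIN format policy, checks a default PIN against it, generates a random compliant PIN with a CSPRNG, computes the renewal date and tracks the attempt counter that locks the card. The guide does not document which rules a PIN format policy can contain, so the rules used here (length bounds, digits only, no repeated or sequential digits), the value of three attempts and all class and function names are assumptions.

```python
"""Added example (not from the Quest Enterprise SSO guide or product): a model of
the PIN settings of Sections 7.3 and 7.10.1. Policy rules, the attempt count and
all names below are assumptions made for the example."""
import secrets
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List


@dataclass(frozen=True)
class PinPolicy:
    min_length: int = 4
    max_length: int = 8
    digits_only: bool = True
    forbid_repeated: bool = True     # e.g. 1111 (assumed rule)
    forbid_sequential: bool = True   # e.g. 1234 or 4321 (assumed rule)
    renewal_days: int = 300          # guide's default PIN renewal period
    max_attempts: int = 3            # assumed value; fixed at card customization


def pin_violations(pin: str, policy: PinPolicy) -> List[str]:
    """Return the policy rules the PIN breaks (empty list if compliant)."""
    problems = []
    if not policy.min_length <= len(pin) <= policy.max_length:
        problems.append("length")
    if policy.digits_only and not pin.isdigit():
        problems.append("digits_only")
    if policy.forbid_repeated and len(set(pin)) == 1:
        problems.append("repeated")
    if policy.forbid_sequential and pin.isdigit() and len(pin) >= 2:
        steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
        if steps in ({1}, {-1}):
            problems.append("sequential")
    return problems


def generate_pin(policy: PinPolicy, length: int = 0) -> str:
    """Random PIN satisfying the policy (what 'Generate' does in Section 7.3).

    Uses the secrets module (CSPRNG), not random. Rejection sampling keeps the
    result uniform over compliant PINs instead of biasing individual digits.
    """
    n = length or policy.min_length
    while True:
        candidate = "".join(secrets.choice("0123456789") for _ in range(n))
        if not pin_violations(candidate, policy):
            return candidate


def pin_renewal_due(assigned_on: date, policy: PinPolicy) -> date:
    """Date after which the user must choose a new PIN (renewal period)."""
    return assigned_on + timedelta(days=policy.renewal_days)


class PinCounter:
    """Attempt counter: after max_attempts wrong PINs the card is locked and
    only an administrator unlock (Section 7.5) makes it usable again."""

    def __init__(self, pin: str, policy: PinPolicy):
        if pin_violations(pin, policy):
            raise ValueError("default PIN does not comply with the PIN format policy")
        self._pin = pin
        self._max = policy.max_attempts
        self.remaining = policy.max_attempts
        self.locked = False

    def verify(self, attempt: str) -> bool:
        """True on a correct PIN; a locked card rejects every attempt."""
        if self.locked:
            return False
        if secrets.compare_digest(attempt, self._pin):
            self.remaining = self._max
            return True
        self.remaining -= 1
        if self.remaining == 0:
            self.locked = True
        return False

    def admin_unlock(self) -> None:
        """Administrator action (Section 7.5): clear the lock, PIN unchanged."""
        self.locked = False
        self.remaining = self._max


if __name__ == "__main__":
    policy = PinPolicy()
    print("1234 ->", pin_violations("1234", policy))   # ['sequential']
    pin = generate_pin(policy, 6)
    print("generated compliant PIN of length", len(pin))
    print("renewal due:", pin_renewal_due(date(2009, 1, 1), policy))
```

The generator runs its candidates through the same validator that checks the default PIN, so a forced PIN can never violate the policy it will later be checked against. The constant-time comparison matters only in this host-side model; on a real card the PIN check runs on the chip, which is why the guide says the attempt limit cannot be changed without reformatting the token.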

7.10.2 Renaming Configuration Profiles

Before Starting

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Smart card administrator".

• In advanced administration mode, your role must contain the following right: "Token configuration: Creation/Modification".

• If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.


Procedure

1. In the Smart Card panel, click the Configuration tab.

2. In the Smart card type drop-down list box, select a type of smart card.

• The existing smart card configuration profiles appear in the Configurations area.

3. Select a configuration profile and click Rename.

4. Type the new name of the object and press Enter.

7.10.3 Deleting Configuration Profiles

Before Starting

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Smart card administrator".

• In advanced administration mode, your role must contain the following right: "Token configuration: Deletion".

• If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

Procedure

1. In the Smart Card panel, click the Configuration tab.

2. In the Smart card type drop-down list box, select a type of smart card.

• The existing smart card configuration profiles appear in the Configurations area.

3. Select a configuration profile and click Remove.

7.11 Managing Loan Cards

7.11.1 Assigning a Loan Card to a User

Subject

When a user has forgotten his/her authentication smart card, you can assign him/her a loan card. In this case, the principal card of the user is deactivated: a user can only have one token active at the same time.

If the principal smart card has just been reformatted or blacklisted, the loan card becomes the principal card.

Before Starting

Check that you meet the following requirements:

• To perform the task described in this section, you must have at least the following administration roles:

• In classic administration mode: "Smart card administrator" and at least, one of the following roles: "Security object administrator" or "Access administrator" or "Rights administrator".


• In advanced administration mode, your role must contain the following rights: "Token: Lending" and "Directory: Browsing".

• If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

• You must have at least one blank smart card and two smart card readers.

Procedure

1. In the tree structure of the Directory panel, click the user for which you want to loan a smart card.

2. In the Smart Card tab, click Lend.

• The smart card allocation window appears.

3. Fill in this window as described in Section 7.1.2, Assigning a Smart Card to a User.

• The loan card appears as Enabled and the principal card state changes to Temporary replaced.

7.11.2 Returning Loan Cards

When a user recovers his/her principal smart card, you must return the loan card and re-enable the principal smart card, as described in the following procedure.

7.11.2.1 Returning Loan Cards from the Directory Panel

Before Starting

• To perform the task described in this section, you must have at least the following administration roles:

• In classic administration mode: "Smart card administrator" and at least, one of the following roles: "Security object administrator" or "Access administrator" or "Rights administrator".

• In advanced administration mode, your role must contain the following rights: "Token: Lending" and "Directory: Browsing".

• If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

Procedure

1. In the tree structure of the Directory panel, click the user for which you want to return a loan card.

2. In the Smart Card tab, select the loan card to return and click Return.

• The Format window appears.

3. Fill in the format window as described in Section 7.2, Formatting Smart Cards.

• Once the smart card is formatted, the loan card state switches to Old card and the principal card becomes Enabled. The user can authenticate using his/her principal card again.


7.11.2.2 Returning a Loan Card from the Smart Card Panel

Before Starting

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Smart card administrator".

• In advanced administration mode, your role must contain the following right: "Token: Lending".

• If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

Procedure

1. In the Smart Card panel, click the Reports tab.

• The Reports tab appears.

2. Set the Filter Type to temporary and click Apply.

• The list of temporary smart card owners appears.

3. Select the smart card to return and click Return.

• The Format window appears.

4. Fill in the format window as described in Section 7.2, Formatting Smart Cards.

• Once the smart card is formatted, the loan card state switches to Old card and the principal card becomes Enabled. The user can authenticate using his/her principal card again.
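The card states introduced in this chapter (Enabled, Disabled, Temporary replaced, Old card, Blacklisted, expired, PIN locked) interact: a user may hold only one active token, blacklisting cannot be undone, a returned loan card is formatted and the principal card re-enabled, and only a blacklisted Cryptoflex card can be reformatted. The following Python code is an added example written for this edited page, not code from the Quest Enterprise SSO product or guide: it models the lifecycle of Sections 7.2, 7.4 to 7.7 and 7.11 so that those rules can be checked as invariants before a runbook relies on them. The guide exposes no such API; the class and method names, the use of a serial number as card identity, the "Blank" state for a formatted card and the "cryptoflex"/"pkcs11" family labels are assumptions.

```python
"""Added example (not from the Quest Enterprise SSO guide or product): a model of the smart
card lifecycle of Sections 7.2, 7.4-7.7 and 7.11. State names follow the guide; class and
method names, the "Blank" state and the card family labels are assumptions."""
from dataclasses import dataclass, field
from datetime import date
from hmac import compare_digest
from typing import List, Optional


class CardLifecycleError(Exception): pass


@dataclass
class Card:
    serial: str
    family: str                    # assumed labels: "cryptoflex" or "pkcs11"
    token_type: str = "principal"  # or "temporary" for a loan card (7.11)
    status: str = "Blank"          # Enabled, Disabled, Temporary replaced, Old card, Blacklisted
    pin_locked: bool = False       # PIN status is tracked apart from card status (7.8)
    expiry: Optional[date] = None
    unlock_secret: Optional[str] = None

    def usable(self, today: date) -> bool:  # enabled, PIN not locked, not expired (7.5, 7.7)
        return (self.status == "Enabled" and not self.pin_locked
                and self.expiry is not None and today <= self.expiry)

    def lock_pin(self) -> None:  # 7.5: too many wrong PINs, marked locked in the directory
        self.pin_locked = True

    def admin_unlock(self, secret: str) -> None:  # 7.5: administrator enters the secret
        if not self.pin_locked:
            raise CardLifecycleError("card PIN is not locked")
        self.unlock_secret = secret

    def user_unlock(self, secret: str) -> bool:  # 7.5: user presents it; PIN unchanged
        if self.unlock_secret is None or not compare_digest(self.unlock_secret, secret):
            return False
        self.pin_locked, self.unlock_secret = False, None  # single use
        return True


def format_card(card: Card) -> None:  # 7.2: only a blacklisted Cryptoflex card can be reformatted
    if card.status == "Blacklisted" and card.family != "cryptoflex":
        raise CardLifecycleError("blacklisted PKCS#11 cards cannot be reformatted")
    card.status, card.pin_locked, card.expiry, card.unlock_secret = "Blank", False, None, None


@dataclass
class User:
    name: str
    cards: List[Card] = field(default_factory=list)

    def active(self) -> List[Card]:
        return [c for c in self.cards if c.status == "Enabled"]

    def principal(self) -> Optional[Card]:
        live = [c for c in self.cards if c.token_type == "principal"
                and c.status not in ("Blacklisted", "Old card", "Blank")]
        return live[0] if live else None

    def assign(self, card: Card, expiry: date) -> None:  # 7.1: one active token per user
        if card.status != "Blank" or self.active():
            raise CardLifecycleError("card not blank, or user already has an active token")
        card.token_type, card.status, card.expiry = "principal", "Enabled", expiry
        self.cards.append(card)

    def lend(self, loan: Card, expiry: date) -> None:
        """7.11.1: principal becomes 'Temporary replaced'; if it was formatted or blacklisted,
        the loan card becomes the principal card instead."""
        if any(c.token_type == "temporary" for c in self.active()):
            raise CardLifecycleError("a loan card is already active")
        main = self.principal()
        loan.token_type, loan.status, loan.expiry = "temporary", "Enabled", expiry
        if main is None:
            loan.token_type = "principal"
        elif main.status == "Enabled":
            main.status = "Temporary replaced"
        self.cards.append(loan)

    def return_loan(self, loan: Card) -> None:  # 7.11.2: format, 'Old card', re-enable principal
        if loan.token_type != "temporary" or loan.status != "Enabled":
            raise CardLifecycleError("not an active loan card")
        format_card(loan)
        loan.status = "Old card"
        main = self.principal()
        if main is not None and main.status == "Temporary replaced":
            main.status = "Enabled"

    def disable(self, card: Card) -> None:  # 7.4: deactivates, keeps the assignment
        card.status = "Disabled"

    def enable(self, card: Card) -> None:
        if card.status != "Disabled" or self.active():
            raise CardLifecycleError("not temporarily disabled, or another token is active")
        card.status = "Enabled"

    def blacklist(self, card: Card) -> None:  # 7.6: irreversible for the assignment
        card.status = "Blacklisted"

    def extend_validity(self, card: Card, new_expiry: date, today: date) -> None:  # 7.7
        if card.status == "Blacklisted" or new_expiry < today:
            raise CardLifecycleError("cannot extend validity; blacklist the card instead")
        card.expiry = new_expiry
```

Keeping PIN status separate from card status mirrors the properties window of Section 7.8, where both are listed. It also makes the unlock path explicit in the model: the administrator's secret is accepted only while the PIN is locked and is cleared once used, so a secret that was written down or intercepted cannot be replayed against the same card later.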


7.12 Managing Smart Card's Authentication Parameters

Subject

You can change the authentication parameters of a smart card. Through the Directory panel, you can configure dynamically:

• Whether the smart card PIN must be changed on the next login.

• The smart card expiry date.

• The principal smart card behavior, if a loan card is in use.

Before Starting

• To perform the task described in this section, you must have at least the following administration roles:

• In classic administration mode: "Smart card administrator" and at least, one of the following roles: "Security object administrator" or "Access administrator" or "Rights administrator".

• In advanced administration mode, your role must contain the following rights: "Token: Modification" and "Directory: Browsing".

• If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

Procedure

1. In the tree structure of the Directory panel, click the user for which you want to change smart cards authentication parameters.

2. In the Smart Card tab, select the wanted smart card.

3. In the Management area of the Information tab, select or clear the check boxes depending on your requirements: to require a PIN change on the next connection, to change the smart card expiry date, and to enable or disable the automatic unlocking of the principal smart card when the user authenticates using a loan card.


The Automatically re-enable main card when next presented check box is available only if you have selected a loan card.

7.13 Managing Batches of Smart Cards

The smart card batch feature allows you to perform the following operations:

• Entering stocks of blank smart cards (smart cards that are not assigned).

• Limiting smart card assignment to those which are declared in stock.

• Displaying the following information:

• Number of smart cards kept available in stock and not assigned yet.

• Number of smart cards that are assigned or lent to users.

• Number of blacklisted smart cards.

7.13.1 Defining a Stock of Tokens

Subject

This section explains how to register a stock of blank smart cards. Once you have registered a stock, you can compare it with the tokens of that stock that are actually assigned, lent, blacklisted or unused, which gives you the state of the stock: see Section 7.13.2, Displaying Information on Stocks.


Before Starting

• To be able to define a stock of tokens, you must have at least the following administration role:

• In classic administration mode: "Security object administrator" role.

• In advanced administration mode, your role must contain the following rights: "Batch of cards: Creation/Modification", "Batch of cards: Deletion" and "Directory: Browsing".

• If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

• A smart card can be assigned to one stock only.

Procedure

1. In the directory tree, select the tree or the container for which you want to define a stock, and click the Batches of cards tab.

• The Batches of cards tab appears.

2. Do one of the following, depending on the action you want to perform:

• To add a stock of tokens, click the Add button.

• To modify an existing stock of smart cards, click the smart card stock and click Edit.

• The detail window appears.

3. Fill in the window with the following instructions:

• Name: the label you want to use for the stock.

• Class: the type of tokens that make up the stock.

• Number of tokens: the quantity of tokens in the stock.


• First/Last serial number: the identification of the smart card stock. If you do not know the serial numbers, type 0000000000000000 for the first number and FFFFFFFFFFFFFFFF for the last number: in this case, there is one token stock per token type.

• Administrators allowed to assign tokens from this batch area: an empty list means that all the administrators are allowed to assign tokens from the batch.

7.13.2 Displaying Information on Stocks

Subject

The following procedure explains how to display the list of smart card stocks that have already been defined, and how to display the following information about a stock:

• Name of the stock.

• Number of tokens in the stock.

• Number of assigned tokens.

• Number of lent tokens.

• Number of blacklisted tokens.

• Number of unused tokens.

Procedure

1. In the directory tree, select the tree or the container for which you want to define a stock, and click the Batches of Cards tab:

• The Batches of Cards tab appears.

This window lists the stocks of smart cards that have already been defined.


2. If you are authorized to administer several domains: in the Domain list, select the domain for which you want to display the defined stocks.

• The list of stocks for the selected domain is displayed.

3. Click the smart card stock(s) for which you want to see the state and click State.

• The state window appears and displays information about the selected stock(s).

7.13.3 Forcing the Use of Smart Cards Defined in the Batch

Subject

If you force the use of the tokens that are defined in the batch, the Enterprise SSO controller checks at assignation time whether the token is present in the batch. If it is not, the token cannot be assigned.

Before Starting

To perform the task described in this section, you must be a super administrator.

Procedure

1. In the File menu, click Configuration.

2. In the displayed window, click the Batches of Cards tab.

• The Batches of Cards tab appears.

3. Select the Administrator can assign tokens only from authorized batches check box to force the use of smart cards defined in the batch.
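The stock definition (Section 7.13.1), the counts shown by the State window (Section 7.13.2) and the "assign only from authorized batches" check (Section 7.13.3) described above, modelled as an added Python example; this is not Enterprise SSO code. The serial-range semantics, the overlap rule derived from "a smart card can be assigned to one stock only" and the way the unused count is derived are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

SERIAL_WIDTH = 16  # First/Last serial numbers are 16 hexadecimal digits


def parse_serial(serial: str) -> int:
    """Validate a 16-hex-digit serial number and return it as an integer."""
    s = serial.strip().upper()
    if len(s) != SERIAL_WIDTH or any(c not in "0123456789ABCDEF" for c in s):
        raise ValueError(f"invalid serial number: {serial!r}")
    return int(s, 16)


@dataclass(frozen=True)
class Batch:
    """One stock of tokens, as entered in the Batches of Cards detail window."""
    name: str                       # Name
    token_class: str                # Class: the type of tokens in the stock
    count: int                      # Number of tokens
    first: int                      # First serial number (parsed)
    last: int                       # Last serial number (parsed)
    allowed_admins: FrozenSet[str]  # empty set = every administrator may assign

    @classmethod
    def create(cls, name: str, token_class: str, count: int, first: str,
               last: str, allowed_admins: Iterable[str] = ()) -> "Batch":
        lo, hi = parse_serial(first), parse_serial(last)
        if lo > hi:
            raise ValueError(f"{name}: first serial number is above the last one")
        if count < 1:
            raise ValueError(f"{name}: number of tokens must be positive")
        return cls(name, token_class, count, lo, hi, frozenset(allowed_admins))

    def contains(self, token_class: str, serial: str) -> bool:
        return (token_class == self.token_class
                and self.first <= parse_serial(serial) <= self.last)

    def overlaps(self, other: "Batch") -> bool:
        return (self.token_class == other.token_class
                and self.first <= other.last and other.first <= self.last)


class BatchRegistry:
    """Stocks defined for one container, plus the check the controller makes
    at assignment time (assumed semantics)."""

    def __init__(self, force_authorized_batches: bool = False) -> None:
        # File > Configuration > Batches of Cards >
        # "Administrator can assign tokens only from authorized batches"
        self.force = force_authorized_batches
        self.batches: Dict[str, Batch] = {}

    def add(self, batch: Batch) -> None:
        # "A smart card can be assigned to one stock only": refuse a range that
        # overlaps an existing stock of the same class.
        for existing in self.batches.values():
            if existing.overlaps(batch):
                raise ValueError(f"{batch.name} overlaps stock {existing.name}")
        self.batches[batch.name] = batch

    def find(self, token_class: str, serial: str) -> Optional[Batch]:
        return next((b for b in self.batches.values()
                     if b.contains(token_class, serial)), None)

    def can_assign(self, admin: str, token_class: str, serial: str) -> Tuple[bool, str]:
        """Decide whether `admin` may assign this token, and say why."""
        batch = self.find(token_class, serial)
        if batch is None:
            if self.force:
                return False, "token is not declared in any batch"
            return True, "token not in stock, allowed because batches are not enforced"
        if batch.allowed_admins and admin not in batch.allowed_admins:
            return False, f"{admin} is not allowed to assign tokens from {batch.name}"
        return True, f"token assigned from {batch.name}"

    def state(self, batch_name: str,
              tokens: Iterable[Tuple[str, str, str]]) -> Dict[str, int]:
        """Counts shown by the State window. `tokens` yields
        (token_class, serial, state) with state in assigned/lent/blacklisted.
        Assumption: 'unused' is the declared number of tokens minus every
        token already accounted for."""
        batch = self.batches[batch_name]
        counts = {"tokens": batch.count, "assigned": 0, "lent": 0, "blacklisted": 0}
        for token_class, serial, st in tokens:
            if st not in ("assigned", "lent", "blacklisted"):
                raise ValueError(f"unknown token state {st!r}")
            if batch.contains(token_class, serial):
                counts[st] += 1
        counts["unused"] = (batch.count - counts["assigned"]
                            - counts["lent"] - counts["blacklisted"])
        return counts
```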


8. Managing SA Server Devices

Subject

Enterprise SSO Console allows you to manage the Gemalto Strong Authentication Server as follows:

• SA Server user management: user creation and update.

• OATH device management: update.

• User-device linking management.

Enterprise SSO does not manage SA Server policies, keys and roles.

Authentication Mechanism

Gemalto Strong Authentication requires two independent ways to establish identity:

• A static password, which is associated with a user ID.

• An OTP (One-Time Password), which is obtained from the OATH device.

In SA Server, the user ID and the device are linked together for a specified user, and both are required to authenticate.

This link between user ID and device is managed from Enterprise SSO Console, without using the SA Server administration portal.

Each Enterprise SSO user corresponds to one User ID, and only one device may be assigned to that user.

The SA Server can be accessed over HTTPS as a security measure.

8.1 Configuring Enterprise SSO for SA Server Management

Subject

This section explains how to set the SA Server connection and configuration parameters.

Before Starting

• The SA Server must be installed on a machine (to install SA Server, refer to the Gemalto documentation).

• You must have the Enterprise SSO SA Server license (SASRV).


8.1.1 Configuring SA Server Connection

Procedure

1. In Enterprise SSO Console, click File/Configuration and select the SA Server Hosts tab.

2. Fill in the Host description area with the instructions given in the following "SA Server Hosts" Tab Description section.

3. Click the Add to Host List button to add the server to the list of SA Servers managed by Enterprise SSO.

4. Repeat steps 2 and 3 for each server you want to connect to Enterprise SSO.

5. Manage the host connection order by clicking the Up and Down buttons in the Hosts area.

6. Click OK.

• The SA Server(s) are connected to Enterprise SSO.

"SA Server Hosts" Tab Description

• Hosts area: this area displays the SA Server hosts that are connected to Enterprise SSO.

• Up/Down buttons: these buttons allow you to define the host connection order. If the first host does not respond, Enterprise SSO connects to the following one.

• Edit button: loads the selected host into the Host description area for modification.

• Remove button: removes the selected host.


• Host description area

• Server URL/Port fields: SA Server URL and port used. The SA Server URL must be entered with the following syntax: <SA Server host name>/<SA Server base folder>. Example: 123.456.78.912/saserver. If you do not enter a port number, the default one is used.

• Proxy URL/Port fields: proxy URL and port, if necessary.

• Connect to the server using SSL check box: enables the HTTPS connection (this option depends on the SA Server installation).

• Check Host Validity button: checks the connection to the entered host and displays a confirmation message if the connection succeeds.

• Add to Host List button: adds the entered host URL to the host list in the Hosts area.

8.1.2 Configuring the SA Server Device Management

Subject

Configuration parameters are available for all SA Servers declared in the SA Server Hosts tab.

Procedure

1. In Enterprise SSO Console, click File/Configuration and select the SA Server Configuration tab.

2. Fill in the tab with the instructions given in the following "SA Server Configuration" Tab Description section.

3. Click OK.

• The SA Server is configured.


"SA Server Configuration" Tab Description

• Administrator parameters area: User ID and password of an SA Server administrator who is allowed to manage devices and users.

This user must be created in SA Server (at installation time, for example).

This user must have an "admin" role.

• Security questions to answer in case of loss of device area: the two questions required here are asked if a user loses his device. Correct answers provide a list of OTPs.

• SA Server mode area: the mode in which SA Server has been installed (see the Gemalto SA Server documentation for more details).

• Action on device formatting area: action to perform on SA Server devices when they are formatted from Enterprise SSO Console:

• Initialize: the device can be used again.

• Revoke: the device cannot be used anymore (irreversible).


• User ID rule field: each user to whom an SA Server device is assigned has his own user ID in SA Server. This rule allows you to choose the User ID syntax, according to the chosen LDAP parameters.

Example: if the User ID rule is (givenName).(sn), the user whose givenName is "John" and whose sn is "Smith" will get "John.Smith" as associated User ID.

The default rule is "displayName". It is applied even if no rule is set.
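The User ID rule described above, as an added Python example that is not Enterprise SSO code: it applies a rule such as (givenName).(sn) to constructed sample directory entries and flags generated IDs that would collide, since SA Server keys the device-user link on the User ID. The rule grammar (parenthesised attribute names, literal text in between, a bare name accepted for the default) and the case-insensitive comparison are assumptions.

```python
import re
from typing import Dict, List, Mapping

DEFAULT_RULE = "displayName"  # applied when no User ID rule is set
_ATTR_REF = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)\)")


def build_user_id(rule: str, attrs: Mapping[str, str]) -> str:
    """Apply a User ID rule such as "(givenName).(sn)" to one user's LDAP
    attributes. Each parenthesised name is replaced by that attribute's value;
    everything else in the rule is literal. A bare attribute name, as in the
    default "displayName", is taken as shorthand for "(displayName)"
    (assumption about the console's syntax)."""
    rule = rule.strip() or DEFAULT_RULE
    if "(" not in rule:
        rule = f"({rule})"

    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        value = attrs.get(name, "")
        if not value:
            raise KeyError(f"attribute {name!r} missing or empty for this user")
        return value

    return _ATTR_REF.sub(substitute, rule)


def find_collisions(rule: str,
                    users: Mapping[str, Mapping[str, str]]) -> Dict[str, List[str]]:
    """Return generated User IDs that more than one directory entry maps to.
    SA Server keys the device-user link on the User ID, so a colliding rule
    would attach two people to one SA Server identity. Comparison is
    case-insensitive, the conservative choice (assumption: SA Server may
    fold case when matching IDs)."""
    seen: Dict[str, List[str]] = {}
    for dn, attrs in users.items():
        seen.setdefault(build_user_id(rule, attrs).casefold(), []).append(dn)
    return {uid: dns for uid, dns in seen.items() if len(dns) > 1}


# Constructed sample directory entries (not taken from any real directory).
SAMPLE_USERS = {
    "cn=John Smith,ou=HR,dc=example,dc=com":
        {"givenName": "John", "sn": "Smith", "displayName": "John Smith (HR)",
         "sAMAccountName": "jsmith"},
    "cn=John Smith,ou=IT,dc=example,dc=com":
        {"givenName": "John", "sn": "Smith", "displayName": "John Smith (IT)",
         "sAMAccountName": "jsmith2"},
    "cn=Ana Lima,ou=IT,dc=example,dc=com":
        {"givenName": "Ana", "sn": "Lima", "displayName": "Ana Lima",
         "sAMAccountName": "alima"},
}
```

Run the collision check against the chosen rule before enabling SA Server management on a container, and prefer a rule built from an attribute the directory already keeps unique.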

• Action on device blacklisting area: action to perform on SA Server devices when they are blacklisted from Enterprise SSO Console:

• Initialize: the device can be used again.

• Revoke: the device cannot be used anymore (irreversible).

8.2 Managing SA Server Devices

Subject

In Enterprise SSO Console, you can manage SA Server devices as smart cards.

The device ID associated with each SA Server device is saved in the directory, and allows Enterprise SSO Console to detect whether the device is a device registered in SA Server.

Before Starting

• SA Server must be configured in Enterprise SSO, as explained in Section 8.1, Configuring Enterprise SSO for SA Server Management.

• All devices must be provisioned in SA Server by the SA Server administrator.

8.2.1 Assigning an SA Server Device to a User

Subject

This section describes how to assign an SA Server OATH device to a single user.

The assignment procedure is the same as the classical smart card assignment procedure, except that for SA Server devices you must fill in the SA Server tab, as explained in this section.

Before Starting

Check that you meet the following requirements:

• To perform the task described in this section, you must have at least the following administration roles:

• In classic administration mode: "Smart card administrator" and at least one of the following roles: "Security object administrator", "Access administrator" or "Rights administrator".


• In advanced administration mode, your role must contain the following rights: "Token: Assignment" and "Directory: Browsing".

• If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

• The device you want to assign must have a device ID, and have previously been provisioned in SA Server. Its state must be "Initialized" in SA Server.

Procedure

1. Follow the smart card assignation procedure explained in Section 7.1.2, Assigning a Smart Card to a User.

2. Fill in the SA Server tab with the instructions given in the following "SA Server" Tab Description section. This tab allows you to register the device as an SA Server device and to link the selected user to this device.

3. Click OK.

• A window asks you to enter the PIN.

4. Type the device PIN and click OK.

• Once assigned, the device ID and the user ID are linked together. The device and the user have the state "Active".

"SA Server" Tab Description

• Associated user area: the User ID field is automatically filled in according to the User ID rule defined while configuring the SA Server device management (see Section 8.1.2, Configuring the SA Server Device Management).

• If the SA Server is configured in "Full DB", you must fill in the Password and Confirm password fields for the selected user.

• If the SA Server is configured in "Mixed mode", the Password field is not available.


• Answer to security questions area: the questions displayed here are the ones chosen while configuring the SA Server device management (see Section 8.1.2, Configuring the SA Server Device Management).

You must answer these questions with the user, so that he can get OTPs if he loses his device.

If the User ID already exists in SA Server and the answers are already recorded, the fields are displayed empty:

• If you fill in these fields again, the corresponding answers are updated in SA Server.

• If you leave these fields empty, the answers are not updated in SA Server.

• Device ID field: the device ID is read from the device.

• Validate check box:

• Check box selected: the SA Server is updated with the information entered in the tab when you click the OK button, and the link between the device and the user is established in SA Server.

• Check box cleared: the SA Server is not updated with the information entered in the tab when you click the OK button, and no link is established between the device and the user in SA Server. You can do the assignation later on: see the Link User/Remove User button in Section 8.2.4, Managing the Link between User and SA Server Device.

8.2.2 Formatting an SA Server Device

The formatting procedure is detailed in Section 7.2, "Formatting Smart Cards".

When an SA Server device is formatted, the action performed on the device depends on the configuration set while configuring the SA Server device management, in the Action on device formatting area (see Section 8.1.2, Configuring the SA Server Device Management):

• If the Revoke option is set, the device state becomes "Revoked" and cannot be used anymore.

• If the Initialize option is set: the device state becomes "Initialized". If a user was linked to this device, the link is removed.

8.2.3 Blacklisting an SA Server Device

The blacklisting procedure is detailed in Section 7.6, Sending Smart Cards to a Blacklist.


When an SA Server device is blacklisted, the action performed on the device depends on the configuration set while configuring the SA Server device management, in the Action on device blacklisting area (see Section 8.1.2, Configuring the SA Server Device Management):

• If the Revoke option is set, the device state becomes "Revoked" and cannot be used anymore.

• If the Initialize option is set: the device state becomes "Initialized". If a user was linked to this device, the link is removed.

8.2.4 Managing the Link between User and SA Server Device

In the Directory panel of Enterprise SSO Console, in the Smart Card tab, the SA Server tab allows you to manage the SA Server device of a user.

User Information area

• User ID/User State: information fields.

• Block/Unblock button:

• The Block button allows you to prevent the user from authenticating. The user cannot authenticate while his state is "Block". In this case, the button becomes Unblock.

• The Unblock button allows you to authorize a blocked user to authenticate again.


• Revoke button: This button allows you to revoke the user by definitively cancelling his user ID. This action is irreversible.

• Unlock button: This button is only available if the user is locked, which means he has reached the maximum number of allowed password attempts (this number is defined in Gemalto SA Server user settings).

This button allows you to unlock the user by resetting the user password attempts.

Associated device area

• Device ID/Device state: information fields retrieved from the device.

• Device expiration check box: this check box makes the device expiration field available and allows you to update the device expiration date.

• OTP attempts field: this field displays the OTP attempts counter as follows: <number of OTP attempts>/<maximum attempts before lock>. The maximum number of OTP attempts is defined in the Gemalto SA Server OATH policy.

• Reset OTP attempts button: this button allows you to unlock the device if it has reached the maximum number of OTP attempts.

• Block/Unblock button:

• The Block button allows you to prevent the device from being used. The device cannot be used to authenticate while its state is "Block". In this case, the button becomes Unblock.

• The Unblock button allows a blocked device to authenticate again.

• Revoke button: this button allows you to revoke the device by definitively cancelling it. This action is irreversible; the device cannot be used again.

• Link User/Remove User button

The Link User button is displayed in the following cases:

• If the device-user link is not established in SA Server. In this case, this button allows you to link the device to the user in SA Server with the following window.


This window allows you to update in the SA Server the information entered while assigning the device to the user.

The information already entered at assignment time (see Section 8.2.1, Assigning an SA Server Device to a User) is not displayed in the window:

• If you fill in these fields again, the corresponding answers are replaced in SA Server.

• If you leave these fields empty, the SA Server is not updated.

• If the user does not exist in SA Server yet. In this case, this button allows you to create the user and link the device to the user in SA Server, with the following window:

This window allows you to enter the necessary information to link the device to the user, as described in Section 8.2.1, Assigning an SA Server Device to a User.

The Remove User button allows you to remove the device-user link. If you remove a device-user link, you can link them again later on with the Link User button, without having to re-enter the necessary information.


9. Managing RFID Tokens

• To enable the management of RFID tokens, the RFID option must have been selected upon the installation of Enterprise SSO Console. For more details, see Enterprise SSO Advanced Installation and Configuration Guide.

• Workstations using RFID tokens must be equipped with a compliant RFID hardware system. For details on the supported RFID products, see Quest Enterprise SSO Release Notes.

RFID Definition

RFID (Radio Frequency IDentification) is a technology used wherever a unique identification system is needed. In information systems, RFID can be used to secure equipped workstations. An RFID system consists of an antenna and a transceiver (short for transmitter-receiver), which read the radio frequency and transfer the information to an RFID token, which contains the information to be transmitted.

Enterprise SSO can handle active and passive RFID tokens. For more information on supported RFID technologies, see Quest Enterprise SSO Release Notes.

Possible States of an RFID Token

[Figure: state diagram of an RFID token. States: Available RFID Token, Assigned RFID Token, Locked RFID Token, Blacklisted RFID Token. Transitions: Assignment, Locking/Unlocking, Blacklisting, Deletion.]


Interface Design

To manage RFID tokens, you will use the following administration panels:

• The RFID panel, which gives you an overview of the RFID tokens used in the company. You can use the intuitive filter area, which is useful when managing a large number of tokens.

• The Directory panel, which allows you to manage the RFID tokens of a specific User and to configure RFID parameters:


9.1 Assigning an RFID Token

Before Starting

• To be able to assign an RFID token, you must have either the RFID token itself or its serial number.

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Smart card administrator" and at least one of the following profiles: "Security object administrator", "Access administrator" or "Rights administrator".

• In advanced administration mode, your role must contain the following rights: "Token: Assignment" and "Directory: Browsing".

• If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

Procedure

1. Make sure that the following security profiles have one of the RFID authentication methods selected:

• The Access Point Security Profile associated with the Access Point equipped with an RFID hardware system (for details, see Section 5.4.2, Configuring Access Point Security Profiles).

• The User Security Profile associated with the User for whom you want to assign the token (for details, see Section 5.3.2, Configuring User Security Profiles).

2. In the directory tree (Directory panel), select the User for whom you want to assign an RFID token and click the RFID tab.

• The RFID tab appears.


3. Click Assign.

• The RFID token selection window appears.

If your workstation is not equipped with RFID hardware, the Select a present RFID option is disabled.

4. Define the RFID token to assign using one of the following methods:

• If you have the RFID token to assign, select it in the drop-down list.

• Otherwise, enter its serial number.

5. (Optional): select Expiry date to define the day and hour of the RFID token expiration.

You can change this option at any time through the RFID tab of the selected user.

6. Click OK.

9.2 Locking and Unlocking an RFID Token

There are two ways to lock and unlock an RFID token, as detailed in the following subsections.

9.2.1 Locking and Unlocking an RFID Token from the Directory Panel

Subject

This section explains how to lock and unlock an RFID token from the Directory panel.

Before Starting

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Smart card administrator".

• In advanced administration mode, your role must contain the following rights: "Token: Modification" and "Directory: Browsing".


• If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

Procedure

1. Browse the directory tree to select the wanted user and click the RFID tab.

• The list of RFID tokens assigned to this user appears.

2. Select the RFID token to lock and click the Lock button.

• The state of the token changes to Locked.

3. To unlock it, select it and click the Unlock button.

• The state of the token changes to Active.

9.2.2 Locking and Unlocking an RFID Token from the RFID Panel

Subject

This section explains how to lock and unlock an RFID token from the RFID panel.

Before Starting

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Smart card administrator".

• In advanced administration mode, your role must contain the following right: "Token: Modification".

• If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.


Procedure

1. Modify the RFID filter (optional) and click the Apply button.

• A list of RFID tokens appears.

2. Select in the list the token to lock and click the Lock button.

• The state of the token changes to Locked.

3. To unlock it, select it and click the Unlock button.

• The state of the token changes to Active.

9.3 Blacklisting and Deleting an RFID Token

There are two ways to blacklist and delete an RFID token, as detailed in the following subsections.

9.3.1 Blacklisting and Deleting an RFID Token From the Directory Panel

Subject

This section explains how to blacklist and delete an RFID token from the Directory panel.


Before Starting

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Smart card administrator".

• In advanced administration mode, your role must contain the following rights: "Token: Blacklist" and "Directory: Browsing".

• If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

Procedure

1. Browse the directory tree to select the wanted user and click the RFID tab.

• The list of RFID tokens assigned to this user appears.

2. Select the RFID token to blacklist and click the Blacklist button.

• The state of the token changes to History.

3. To delete it, select it and click the Delete button.

• The token disappears from the list.


9.3.2 Blacklisting and Deleting an RFID Token from the RFID Panel

Subject

This section explains how to blacklist and delete an RFID token from the RFID panel.

Before Starting

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Smart card administrator".

• In advanced administration mode, your role must contain the following right: "Token: Blacklist".

• If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

Procedure

1. Modify the RFID filter (optional) and click the Apply button.

• A list of RFID tokens appears.

2. Select in the list the token to blacklist and click the Blacklist button.

• The state of the token changes to Blacklisted.

3. To delete it, select it and click the Delete button.

• The token disappears from the list.


9.4 Modifying the Detection Areas and the Grace Period

Definitions

The Detection Areas

The RFID tokens and the antenna/transceiver are in constant encrypted two-way wireless communication with each other. As an authorized user approaches the workstation, the token unlocks the workstation when the user enters a pre-set detection zone (the unlock area) and allows the user to enter his/her password to log on.

The area starting from the sensor antenna through the limit of the lock range is called the visibility area. In this area, the Enterprise SSO controller is able to identify owners of RFID tokens.

When the authorized user moves out of this area, the workstation is automatically secured (the lock area).

[Figure: detection areas around the sensor/antenna. Unlock Area (within the unlock range): able to open/unlock the session. Visibility Area (up to the lock range): session kept alive. Lock Area (beyond the lock range): session locked/closed.]

The Grace Period

For convenience, you can define a Grace Period during which the RFID token alone unlocks the workstation. After this period, the user must provide his/her password in addition to the RFID token to log on.

Before Starting

• To perform the tasks described in this section, you must have at least the following administration role:

• In classic administration mode: "Smart card administrator".

• In advanced administration mode, your role must contain the following rights: "Token: Modification" and "Directory: Browsing".

• If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.


Procedures

Modifying the Detection Areas

1. In the Directory panel, select the Access Point Security Profile associated with the Access Points for which you want to modify the detection areas, and click the RFID tab.

• The RFID tab appears.

2. Move the sliders to modify the values depending on your needs and click Apply.

The upper slider allows you to define the unlock range; the lower slider defines the lock range. The lock range cannot be set lower than the unlock range: this is normal behavior.

Modifying the Grace Period

1. In the Directory panel, select the User Security Profile associated with the users for whom you want to modify the grace period, and click the Security tab.

• The Security tab appears.


2. Modify the Grace period option.

Setting the Grace period to 0 minutes is equivalent to clearing the Grace period check box.

3. Click Apply.
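The detection areas and the grace period defined above, as an added Python model that is not Enterprise SSO code: it applies an unlock range, a lock range and a grace period to a sequence of token detections and enforces the two constraints the console imposes (lock range not below unlock range, 0 minutes meaning no grace period). Assumptions: ranges are in slider units, and the grace period is counted from the moment the session locked.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class RfidProfile:
    """Unlock/lock ranges come from the Access Point Security Profile (RFID tab),
    the grace period from the User Security Profile (Security tab).
    Ranges are in arbitrary slider units (assumption)."""
    unlock_range: float
    lock_range: float
    grace_period_minutes: float = 0.0  # 0 minutes = Grace period check box cleared

    def __post_init__(self) -> None:
        if min(self.unlock_range, self.lock_range, self.grace_period_minutes) < 0:
            raise ValueError("ranges and grace period must not be negative")
        # The console refuses a lock range lower than the unlock range.
        if self.lock_range < self.unlock_range:
            raise ValueError("lock range cannot be lower than unlock range")

    def area(self, distance: float) -> str:
        """Unlock area, visibility area (up to the lock range) or lock area."""
        if distance <= self.unlock_range:
            return "unlock"
        if distance <= self.lock_range:
            return "visibility"
        return "lock"


@dataclass
class Workstation:
    profile: RfidProfile
    session_open: bool = False
    locked_at: Optional[float] = None  # minutes, same clock as token_seen()

    def token_seen(self, distance: float, now_minutes: float,
                   password_ok: bool = False) -> str:
        """Process one detection of the assigned user's token.
        `password_ok` says whether a valid password accompanied this event
        (password verification itself is out of scope). Returns the session
        state after the event: 'open', 'locked' or 'password_required'."""
        area = self.profile.area(distance)
        if area == "lock":
            if self.session_open:            # user walked away: secure the workstation
                self.session_open = False
                self.locked_at = now_minutes
            return "locked"
        if self.session_open:
            return "open"                    # visibility area keeps the session alive
        if area == "visibility":
            return "locked"                  # too far to open a session
        # Unlock area with a closed session: inside the grace period the token
        # alone is enough, otherwise the password is required as well.
        grace = self.profile.grace_period_minutes
        in_grace = (grace > 0 and self.locked_at is not None
                    and now_minutes - self.locked_at <= grace)
        if in_grace or password_ok:
            self.session_open = True
            return "open"
        return "password_required"
```

A long grace period turns the token into a single factor for re-unlocking, so keep it short enough that a token left on a desk cannot reopen the session long after its owner walked away.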

9.5 Exporting a List of RFID Tokens

Subject

You can export a list of the RFID tokens used in your company at any time, for example to create reports. The generated files are in Comma Separated Value (CSV) format, which is particularly useful for exchanging data between databases and spreadsheet or reporting software such as Microsoft Excel or Business Objects Crystal Reports.

Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Smart card administrator".

• In advanced administration mode, if you use a smart card to perform your administration tasks, you only need to be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab).

Procedure

1. In the RFID panel, filter the entries that you want to export and click Apply.

• The list of tokens appears.

2. Click the Export button, and select in the displayed window the save location of the file.


10. Managing Biometric Enrolment

Workstations using biometrics must be equipped with a compliant biometric scanner system. For details on the supported biometric products, see Quest Enterprise SSO Release Notes.

Subject

Enterprise SSO Console allows you to manage biometric enrolment of users.

Biometric Modes

Enterprise SSO can work in three modes to authenticate users with their biometric data.

You select the biometric mode from the following two directory objects:

• In the Access Point security profile: see Section 5.4.2.1, Security Services Configuration ("Security Services" Tab).

• In the User security profile configuration: see Section 5.3.2.1, Authentication Parameters Configuration ("Authentication" Tab).

Store On PC mode

User biometric data and LDAP password are stored in their workstation local cache, and are protected by the Enterprise SSO Client and the administration rights set on the workstation.

Users must enrol their biometric data on every workstation they use.

Store On Card mode

User biometric data and smart card PIN are stored on their smart card (public area), and are protected by the Enterprise SSO Client.

Users enrol their biometric data once and this data is stored in their smart card.


Store On Server mode

User biometric data enrolment is centralized by the Enterprise SSO Controller and stored in the directory. In this mode, an Enterprise SSO Controller must be available for authentication.

Users enrol their biometric data once by typing their name and password before placing their finger on the biometric scanner. Then they can connect to every workstation of the Enterprise SSO forest without having to enrol their biometric data on each workstation they use.

On every workstation on which the user authenticates, a local cache is created, as in the "Store on PC" mode, and the Enterprise SSO Controller retrieves biometric data from the directory to store it in this cache.

Interface Design

To manage biometric enrolment, you will use the following administration panels:

• The Biometrics panel, which displays the list of users having enrolled biometric patterns, and allows you to export it.


• The Directory panel, which allows you to manage biometric enrolment in the user security profile and for a specific user; you can also configure the biometric parameters of computers in the access point security profile.

10.1 Defining the Biometric Enrolment Policy

You define the biometric enrolment policy in the User security profile, as explained in Section 5.3.2.5, Biometrics Parameters Configuration ("Biometrics" Tab).

10.2 Defining the Biometric Workstation Parameters

You define the biometric workstation parameters in the Access Point security profile, as explained in Section 5.4.2.4, Biometrics Parameters ("Biometrics" Tab).

10.3 Managing the User Enrolment

You can manage the user biometric data enrolment from the User object, as explained in Section 6.2.8, Displaying User’s Biometric Data ("Biometrics" Tab).


10.4 Displaying and Exporting the Biometric Enrolment Report

Subject

The Biometrics panel allows you to display and export the list of users who have enrolled biometric patterns, as explained in the following procedure.

Before Starting

To perform the task described in this section, you must work in advanced administration mode, and your role must contain the following right: "Bio: Is enable to allow biometrics pattern enrolment".

For more information on administration modes, see Section 4, Managing Administrators.

Procedure

1. In the Biometrics panel, click the View button.

• The panel displays the list of users who have enrolled their biometric data, the enrolment date and the name of the user who approved the enrolment.

2. To export the list to a .csv file, click the Export button and fill in the Save As window.

• The list displayed is saved in a .csv file.


11. Managing Data Privacy

Subject

With Data Privacy, Enterprise SSO end users can encrypt files on their workstations and share these files with selected users. This section describes how to enable and administer this feature.

Before Starting

• The Data Privacy component must have been selected upon the installation of Enterprise SSO Console.

• The File Encryption software module must have been installed on the related workstations.

For details, see Enterprise SSO Advanced Installation and Configuration Guide.

Interface

To manage the Data Privacy feature, you will use the following administration panels:

• The Data Privacy panel, which gives you an overview of the encryption keys used in the company. You may use the intuitive filter area, useful when managing many keys.


• The Directory panel, which allows you to manage the key of a specific User and to configure Data Privacy parameters:

• Key States: key icons have different appearances depending on the key state (the icon images themselves are not reproduced here). The possible states are:

• Key active.

• Key in the warning period.

• Key expired.

• The key will be active upon the user's logon.

• Waiting for the user's logon: key in the warning period.

• Waiting for the user's logon: key will expire.


11.1 Generating Keys

The encryption of files is performed using strong encryption algorithms (AES and Triple-DES). These algorithms change data into a form that can be read only by the intended receiver using the proper decryption key.

There are several ways of generating File Encryption keys: directly on the user object, on a User Security Profile, or on LDAP containers for bulk key generation.

11.1.1 Generating Keys for a Single User or a Group of Users

Before Starting

To be allowed to generate keys, you must have at least the following administration role:

• In classic administration mode: the "File Encryption administrator" role.

• In advanced administration mode, your role must contain the following rights: "File Encryption Key: Generation" and "Directory: Browsing".

For more details on administration roles, see Section 4, Managing Administrators.

Procedure

1. Check the following:

• The User Security Profile associated with the user or the group for whom you want to enable Data Privacy must have the option User has access to the File Encryption module selected (for details, see Section 5.3.2, Configuring User Security Profiles).

• The Access Point Security Profile associated with the Access Point of the wanted user/group must have the option File Encryption is authorized on this workstation selected (for details, see Section 5.4.2, Configuring Access Point Security Profiles).

2. In the directory tree (Directory panel), select the wanted user or group and click the Data Privacy tab.

• The Data Privacy tab appears.


3. Click Generate: the key generation window appears.

4. Fill in this window and click OK.

You can modify the name of the key, the validity date and the warning date after the generation of the key.

The generated key appears in the list.

11.1.2 Massive Key Generation (Batch Mode)

Before Starting

To be allowed to generate keys, you must have at least the following administration role:

• In classic administration mode: the "File Encryption administrator" role.

• In advanced administration mode, your role must contain the following rights: "File Encryption Key: Generation" and "Directory: Browsing".

For more details on administration roles, see Section 4, Managing Administrators.

Procedure

1. Check the following:

• The User Security Profile associated with the user or the group for whom you want to enable Data Privacy must have the option User has access to the File Encryption module selected (for details, see Section 5.3.2, Configuring User Security Profiles).

• The Access Point Security Profile associated with the Access Point of the wanted user/group must have the option File Encryption is authorized on this workstation selected (for details, see Section 5.4.2, Configuring Access Point Security Profiles).


2. In the Data Privacy panel, click Data Privacy | Generate keys for multiple users (menu bar).

• The File Encryption key generation window appears.

3. Use the Add and Remove buttons to select the wanted users and, if necessary, modify the File Encryption key properties area. Then click Next.

4. A window displaying all the selected users appears. Click Start.

11.1.3 Configuring the Automatic Generation of a Key upon User's Logon

Before Starting

To be allowed to generate keys, you must have at least the following administration role:

• In classic administration mode: the "File Encryption administrator" role.

• In advanced administration mode, your role must contain the following rights: "File Encryption Key: Generation" and "Directory: Browsing".

For more details on administration roles, see Section 4, Managing Administrators.

Procedure

1. Make sure that the Access Point Security Profile associated with the Access Point of the wanted user has the option File Encryption is authorized on this workstation selected (for details, see Section 5.4.2, Configuring Access Point Security Profiles).

2. In the User Security Profile associated with the user for whom you want to enable Key automatic generation, click the Data Privacy tab.


3. Select the following options:

• User has access to the File Encryption module.

• Generate user's personal key automatically, and modify the File Encryption key properties area if necessary.

Note that this option applies to all the users associated with this security profile.

4. Click Apply.

11.2 Renewing Keys

You can manually renew a key or you can configure an automatic update of the key, on the user's logon, when the key is about to expire. This update can be the prolongation of the current key or the generation of a new one.

11.2.1 Renewing a Key Manually

11.2.1.1 Renewing a Key Manually from the Directory Panel

Subject

This section explains how to renew a key manually from the Directory panel.


Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: the "File Encryption administrator" role.

• In advanced administration mode, your role must contain the following rights: "File Encryption Key: Generation" and "Directory: Browsing".

For more details on administration roles, see Section 4, Managing Administrators.

Procedure

1. In the directory tree (Directory panel), select the wanted user or group and click the Data Privacy tab.

• The Data Privacy tab appears.

2. Select the displayed key and click either Edit or Renew.

• If you want to update the expiration date, the name of the key and the warning time, use the Edit button.

• If you want, in addition, to modify the encryption algorithm, use the Renew button.

3. Fill in the displayed window and click OK.

For details on the meaning of the different key icons, see Interface in Section 11, Managing Data Privacy.


11.2.1.2 Renewing a Key Manually from the Data Privacy Panel

Subject

This section explains how to renew a key manually from the Data Privacy panel.

Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: the "File Encryption administrator" role.

• In advanced administration mode, your role must contain the following right: "File Encryption Key: Generation".

For more details on administration roles, see Section 4, Managing Administrators.

Procedure

1. Modify the Data Privacy filter (optional), and click the Apply button.

• A list of keys appears.

2. Select in the list the key to renew and click either the Edit or the Renew button.

• If you want to update the expiration date, the name of the key and the warning time, use the Edit button.

• If you want, in addition, to modify the encryption algorithm, use the Renew button.

3. Fill in the displayed window and click OK.

For details on the meaning of the different key icons, see Interface in Section 11, Managing Data Privacy.

11.2.2 Configuring Automatic Updates of Keys

Before Starting

To be allowed to generate keys, you must have at least the following administration role:

• In classic administration mode: the "File Encryption administrator" role.

• In advanced administration mode, your role must contain the following rights: "File Encryption Key: Generation" and "Directory: Browsing".

For more details on administration roles, see Section 4, Managing Administrators.


Procedure

1. In the User Security Profile associated with the user for whom you want to enable Key automatic generation, click the Data Privacy tab.

• The Data Privacy tab appears.

2. Select the following options:

• User has access to the File Encryption module.

• Automatically update key in warning period, and modify the File Encryption key properties area if necessary.

Note that this option applies to all the users associated with this security profile.

3. Click Apply.

11.3 Allowing Users to Refresh their Keys from the Directory

Subject

To limit LDAP traffic, the keys are stored in the user's cache (like the Enterprise SSO data), directly on the user's workstation. If the cache and the LDAP directory are not synchronized, the File Encryption software module installed on the workstation may not work. To solve this problem, the user must refresh the cache of his/her workstation.

The File Encryption cache can become unsynchronized in the following cases:

• The key associated with a group of users is renewed (which means that all the users of the group need to retrieve the new key).

• The user switches from a workstation where the key is automatically renewed to a workstation where the key is not renewed (which means that all the files encrypted with the new key are not readable until the new key is retrieved from the directory).

The following procedure describes how to allow users to refresh their keys.


Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: the "File Encryption administrator" role.

• In advanced administration mode, your role must contain the following rights: "File Encryption Key: Generation", "Directory: Browsing" and "User security profile: Creation/Modification".

For more details on administration roles, see Section 4, Managing Administrators.

Procedure

1. Make sure that the Access Point Security Profile associated with the Access Point of the wanted user has the option File Encryption is authorized on this workstation selected (for details, see Section 5.4.2, Configuring Access Point Security Profiles).

2. In the User Security Profile associated with the user for whom you want to enable Key automatic generation, click the Data Privacy tab.

• The Data Privacy tab appears.

3. Select the following options:

• The user has access to the File Encryption module.

• The user can ask for a refresh of the keys from his desktop.

Note that this option relates to all the users associated with this security profile.

4. Click Apply.


11.4 Exporting a List of Generated Keys

Subject

You can export a list of the keys used in your company at any time, for example to create reports. The generated files are in Comma Separated Value (CSV) format, which is convenient for exchanging data between databases and spreadsheet or reporting software such as Microsoft Excel or Business Objects Crystal Reports.

Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: the "File Encryption administrator" role.

• In advanced administration mode, your role must contain the following right: "File Encryption Key: Generation".

For more details on administration roles, see Section 4, Managing Administrators.

Procedure

1. In the Data Privacy panel, filter the entries that you want to export and click Apply.

• The list of keys appears.

2. Click the Export button, and select in the displayed window the save location of the file.


12. Enabling the Public Key Authentication Method

The PKA Authentication Method

Quest Enterprise SSO provides smart card authentication. This authentication method is used to store the user’s directory credentials, which are necessary to access the user’s SSO data. In addition, Enterprise SSO supports Microsoft smart card logon authentication, but this method is limited to Microsoft-compliant Public Key Infrastructures.

Public Key Authentication (PKA) is another authentication method supported by Enterprise SSO that can be used to grant SSO to users. The goal of Enterprise SSO PKA is to provide user authentication and SSO based on X.509 certificates: authentication and access to SSO are granted only if the user’s certificate is valid and the user can prove ownership of that certificate. Enterprise SSO PKA supports smart card driven certificates, the most widespread method of deploying certificates.

PKA Authentication Process

Once the PKA authentication method is enabled, the Enterprise SSO PKA authentication process is as follows:

1. Identification of the inserted smart card (this implies the use of a smart card XML description file that is properly configured).

2. If the smart card is PKA compliant, the Enterprise SSO client reads the certificate and retrieves the user’s name using the attribute mapping rules (contents of the certificate on one side and user’s attributes in the LDAP directory on the other side).

3. Once the user has been identified, the Enterprise SSO client prompts the user for his/her smart card PIN.

4. Verification of the user’s public key certificate.

5. Certificate enrollment: if this is the first time the user logs on to his/her workstation using the PKA authentication method, the Enterprise SSO controller automatically creates in the Enterprise SSO directory an object that contains the user’s LDAP credentials (login name and password). To create the LDAP object, the Enterprise SSO controller does the following:

• It verifies the user’s certificate (validity period, authorized usage, trusted certification authority, proper revocation status).

• If the certificate is valid, Enterprise SSO prompts the user for his LDAP credentials (login name and password).


• If these credentials grant access to the LDAP directory, Enterprise SSO encrypts them using the user’s public key certificate.

• Enterprise SSO then creates an LDAP object where the user’s encrypted LDAP credentials are stored. Access to this LDAP object is restricted to that user; moreover, that user must authenticate using that certificate to gain access to his LDAP credentials.

6. Retrieving the encrypted LDAP credentials from the Enterprise SSO directory.

7. Decrypting the LDAP credentials using the user’s private key stored on the smart card.

8. Using the decrypted LDAP credentials to retrieve Enterprise SSO data from the LDAP directory.

Revocation

The Enterprise SSO PKA authentication process relies on a public key certificate to identify the incoming user. It is therefore necessary to ensure that any public key certificate used to authenticate a user is valid and properly trusted.

This requires external PKI material: the public key certificate of each Certification Authority, and access to an Online Certificate Status Protocol (OCSP) responder or to a set of Certificate Revocation Lists (CRL).

During the certificate enrollment, the user’s public key certificate is validated as follows:

• Its issuing Certification Authority must be identified as a trusted authority for the purpose of Enterprise SSO PKA.

• If a CRL or OCSP responder is defined for that issuing Certification Authority (or defined in the certificate itself), the revocation status is checked.

The revocation engine is included in the Enterprise SSO controller. Its job is to maintain the accuracy of the revocation status of all public key certificates used for Enterprise SSO PKA. For each CRL distribution point or OCSP responder defined, the revocation engine:

• Computes the time of the next revocation update.

• Collects the revocation information.

• Checks the revocation status of all enrolled public key certificates.

• Checks the revocation status of the public key certificate of every trusted Certification Authority.

Anytime a user’s public key certificate is revoked, its status is updated in the Enterprise SSO directory and the user’s smart card is automatically blacklisted.
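The certificate checks of steps 4 and 5 and the revocation engine's job, shown as an added Go example (not code from the guide or from Quest/Evidian): it builds a constructed CA, two user certificates and a CRL, verifies a card certificate against the authorised CA set, its validity period, its client-authentication usage and the CRL (refusing a stale CRL), then wraps the LDAP credentials under the user's certificate so that only the card's private key can recover them, as in steps 6 and 7. The type and function names, RSA-OAEP, the NUL-separated credential layout and the sample PKI are this example's assumptions, not the product's formats.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// pkaVerifier models the controller-side checks; every name here is this example's own, not a product API.
type pkaVerifier struct {
	roots  *x509.CertPool       // authorised Certification Authorities
	caCert *x509.Certificate    // issuer whose CRL is collected (a single issuer is assumed)
	crl    *x509.RevocationList // latest CRL from the distribution point, nil if none is configured
}

// verify applies the enrolment checks: trusted issuer, validity period, authorised usage
// (client authentication) and, when a CRL is configured, revocation status.
func (v *pkaVerifier) verify(cert *x509.Certificate, now time.Time) error {
	opts := x509.VerifyOptions{Roots: v.roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain, validity or usage check failed: %w", err)
	}
	if v.crl == nil { // the guide allows skipping revocation checks but strongly discourages it
		return nil
	}
	if err := v.crl.CheckSignatureFrom(v.caCert); err != nil || now.After(v.crl.NextUpdate) {
		return fmt.Errorf("CRL unusable (bad signature or past NextUpdate; refresh it first): %v", err)
	}
	for _, rc := range v.crl.RevokedCertificates { // RevokedCertificateEntries is the Go 1.21+ equivalent
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate revoked: the smart card must be blacklisted")
		}
	}
	return nil
}

// enrolCredentials encrypts the LDAP login and password under the public key of the user's
// certificate (RSA-OAEP is assumed here; the product's actual wrapping format is not documented).
func enrolCredentials(cert *x509.Certificate, login, password string) ([]byte, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate does not carry an RSA public key")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(login+"\x00"+password), nil)
}

// openCredentials is the client side: only the holder of the private key (kept on the smart
// card in a real deployment) can recover the stored credentials; on error both strings are empty.
func openCredentials(priv *rsa.PrivateKey, blob []byte) (login, password string, err error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob, nil)
	login, password, _ = strings.Cut(string(plain), "\x00")
	return login, password, err
}

func must[T any](v T, err error) T { // aborts on error; used only to build the sample PKI
	if err != nil {
		panic(err)
	}
	return v
}

// buildDemoPKI constructs sample material: a CA with its CRL, a valid user certificate with
// its (card) private key, and a second certificate that the CRL lists as revoked.
func buildDemoPKI(now time.Time) (v *pkaVerifier, user *x509.Certificate, userKey *rsa.PrivateKey, revoked *x509.Certificate) {
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		SubjectKeyId: []byte{1, 2, 3, 4}, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	issue := func(serial int64, cn string) (*x509.Certificate, *rsa.PrivateKey) {
		key := must(rsa.GenerateKey(rand.Reader, 2048))
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
		der := must(x509.CreateCertificate(rand.Reader, tmpl, caCert, &key.PublicKey, caKey))
		return must(x509.ParseCertificate(der)), key
	}
	user, userKey = issue(1001, "alice")
	revoked, _ = issue(1002, "mallory")
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute),
		NextUpdate: now.Add(time.Hour), RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now}}}, caCert, caKey))
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &pkaVerifier{roots: roots, caCert: caCert, crl: must(x509.ParseRevocationList(crlDER))}, user, userKey, revoked
}

func main() {
	v, user, userKey, revoked := buildDemoPKI(time.Now())
	fmt.Println("alice:", v.verify(user, time.Now()), "| mallory:", v.verify(revoked, time.Now()))
	login, pw, err := openCredentials(userKey, must(enrolCredentials(user, "alice", "S3cret!")))
	fmt.Println("recovered:", login, pw, err)
}
```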


12.1 Configuring User and Access Point Security Profiles to Support the PKA Authentication Method

Before Starting

• A smart card XML description file must exist and it must contain the description of the specific type(s) of smart card that will be used for PKA authentication. Several reserved keywords are used in the XML file to specify to Enterprise SSO that this smart card will be used for that purpose.

• To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: Security Object administrator.

• In advanced administration mode, your role must contain the following rights: "User security profile: Creation/Modification", "Access point security profile: Creation/Modification".

Procedure

1. Import a properly configured smart card XML description file (see Section 14, Customizing Configuration Files).

2. Create (or modify) a User Security Profile with the following mandatory requirements:

• The authentication method which is PKA compliant must be selected.

• The Password authentication method must also be selected.

For more details, see Section 5.3.2, Configuring User Security Profiles.

3. Create (or modify) an Access Point Security Profile with exactly the same mandatory requirements. For more details, see Section 5.4.2, Configuring Access Point Security Profiles.

12.2 Activating the PKA Authentication Method and Defining the Set of Authorized Certification Authorities

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".

• In advanced administration mode, your role must contain the following rights: "PKA authority: Creation/Modification", "PKA authority: Deletion".


12.2.1 Activating the PKA Authentication Method

Procedure

1. In the Enterprise SSO Console File menu, click Configuration, and in the displayed window select the Public Key Authentication tab.

The Public Key Authentication tab only appears upon a successful extension of the Enterprise SSO directory and a successful creation of the default objects. For more information, see Enterprise SSO Advanced Installation and Configuration Guide.

2. Select the first check box: Users can authenticate using a public key Certificate. Any valid certificate (…) to authenticate users.

• This check box enables all the other options of the tab.

3. Select the second check box: Users can enroll their public key Certificate. Any valid certificate (…) may be enrolled.

It is mandatory to select this check box with this version of Enterprise SSO.

4. You must then configure the set of authorized certification authorities by filling in the Certification Authorities area, as described below.


12.2.2 Configuring the Set of Authorized Certification Authorities

Only public key certificates issued by explicitly identified certification authorities can be used for Enterprise SSO PKA. It is therefore necessary to configure the set of authorized certification authorities.

You can import Certification Authorities using different methods, as described in the following sub-sections. You can combine these methods.

12.2.2.1 Importing Certification Authorities from PEM or DER Encoded Files

Procedure

1. In the Certification Authorities area, click the Import button, and use the displayed window to select a CA certificate from a DER-encoded (*.cer or *.crt) or a PEM-encoded (*.pem) file.

• A summary window appears.

2. To view the detailed contents of the certificate, click Details.


3. To confirm the activation of the Certification Authority as a permitted issuer of users’ public key certificates for Enterprise SSO PKA, click the Import button.

• The imported Certification Authority appears.

If the imported CA certificate contains the URL of a point of distribution of certification revocation information (available in the form of a CRL or an OCSP responder), the creation of the Certification Authority in the E-SSO directory also creates an object corresponding to each point of distribution (this is the case in our example).

12.2.2.2 Importing Certification Authorities from Windows System Storage

Procedure

1. In the Certification Authorities area, select the Import Certification Authorities from Windows system storage check box and click the Import button.

• The certificate selection window appears.


2. Select the certificate from the list. To display the detailed contents of the certificate, click the View Certificate button. Then click the OK button to resume the import of the certificate.

12.2.2.3 Deleting a Certification Authority

Procedure

In the Certification Authorities area, select the Certification Authorities to remove and click the Delete button.

The Certification Authority is removed from the list of trusted CAs.

If the removed CA certificate contains a revocation information distribution point, the associated CRL or OCSP responder is NOT removed from Enterprise SSO PKA: the revocation status of users’ certificates will still be updated by the Enterprise SSO PKA revocation engine. However, the enrolment of a user’s certificate issued by the removed Certification Authority will be denied.

12.3 Configuring the Automatic Update of the Revocation Information

You may use Enterprise SSO PKA without checking the revocation status of users’ certificates. However, for obvious security reasons, this is strongly discouraged.

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Security object administrator".

• In advanced administration mode, your role must contain the following rights: "PKA authority: Creation/Modification", "PKA authority: Deletion".


12.3.1 Importing a CRL Point of Distribution

Subject

In most cases, the URL of a revocation information point of distribution is included in a public key certificate. When importing the public key certificate of a Certification Authority, Enterprise SSO Console automatically imports the associated revocation information point of distribution.

However, in some cases, CA certificates do not use the same CRL as users’ certificates. It is then necessary to manually import the URLs of the CRLs that publish the revocation status of these users’ certificates.

Procedure

1. In the Revocation Information area, select the Supports CRL check box and click the Import button.

• The CRL importation window appears.

2. Fill in the URL or filename field and click OK.

This version of Enterprise SSO PKA supports HTTP (http://...) and FTP (ftp://...), in addition to local files (file://...), as valid protocols for collecting CRLs. Future versions may support alternative protocols such as LDAP.

• If the provided URL is valid, the CRL is downloaded from the Internet through the configured HTTP proxy server if required (Use this HTTP proxy field).

3. Once a CRL has been taken into account, you may perform its explicit update. For that purpose, select the CRL in the available list and click the Update button. The CRL is then immediately downloaded and verified.

12.3.2 Importing an OCSP Responder

Subject

In most cases, the URL of a revocation information point of distribution is included in a public key certificate. When importing the public key certificate of a Certification Authority, the Enterprise SSO Console automatically imports the associated revocation information point of distribution.

However, in some cases, CA certificates do not use the same OCSP responder as users’ certificates. It is then necessary to manually import the OCSP responders that publish the revocation status of these users’ certificates.


Procedure

1. In the Revocation Information area, select the Supports OCSP check box and click the Import button.

• The OCSP importation window appears.

2. Enter in the URL or filename field the URL of the OCSP responder and select the Import URL as an OCSP responder check box.

• The Certificate file field becomes available.

3. Enter the path name of a valid public key certificate used by the OCSP responder server and click OK.

4. Once an OCSP responder has been taken into account, you may need to update its public key certificate. For that purpose, select the OCSP responder in the list, click the Certificate button and select the DER-encoded or PEM-encoded file that contains the public key certificate used by the OCSP responder to sign its responses.

12.3.3 Deleting a CRL Point of Distribution or an OCSP Responder

Procedure

To remove a CRL distribution point or an OCSP responder, select it from the list and click the Delete button.

The removed CRL or OCSP responder is removed from the Enterprise SSO PKA configuration in the domain directory and disappears from the list.


13. Managing Audit Events

Overview

The following picture shows the streams of audit events within Enterprise SSO (figure not reproduced; it shows the audit cache on the user workstation and the E-SSO Security Services, the E-SSO Audit Server with its E-SSO Audit Service, local audit database and audit cache, the E-SSO Administration Server with its E-SSO Administration Service, the central audit database, and the administrator workstation running the E-SSO Manager console, linked by the audit collection, audit consolidation and audit analysis streams).

Audit events are created on users’ workstations and stored locally in audit cache files. Events are then collected (on a regular basis) by an Enterprise SSO controller that provides the Enterprise SSO Audit Services. The controller stores the collected audit events in a local audit database.

The Enterprise SSO Audit Services servers should then be configured to upload collected events into a consolidation central audit SQL database.

Administrators using the Enterprise SSO Console retrieve the audit events stored in the central audit database.

Audit Cache Mechanism

All the audit events are registered in a centralized SQL database, managed by the Enterprise SSO controllers.


An audit cache mechanism is located on:

• The client workstations enabling the storage of the audit events if the workstation is disconnected from the network.

• The Enterprise SSO controllers enabling the storage of the audit events if the server is disconnected from the SQL database.

The Enterprise SSO controller compiles all the events associated with user authentication and administration actions in all LDAP domains, and it provides a consistent overview of the history of the accesses to all your applications.

By administration actions, we mean any operation that modifies the directory content: creation, modification, deletion and renaming of any directory object.

If the audit cache file is deleted, Enterprise SSO sends an audit event to the Enterprise SSO controller. The event indicates the name of the workstation and when the file deletion was detected.

Enterprise SSO Audit Servers

The Enterprise SSO audit servers:

• Ensure the stream of audit events by detecting audit cache file deletion.

• Make sure an Enterprise SSO controller is always available to Enterprise SSO Administrators.

• Do not generate audit events that are not relevant to the customer’s security policy. The administrator can apply an audit filter to an application, a computer, a user or an administration profile.

13.1 Displaying Audit Events

Subject

Depending on your needs, you can display audit events in the following ways:

• Globally, using the Audit panel, to display the whole Enterprise SSO audit events.

• Contextually, using the Directory panel (Events tab of a selected object), to display only the audit events associated directly or indirectly with the selected object. For example, let us consider an Application object. The Events tab of this object displays any administration action directly associated with this object (as the modification of an option or of the administrator's list for example), but also any event linked to the creation of accounts associated with this Application.

The following procedure focuses on how to display globally audit events. For details on how to display the audit records of a specific object, see Section 5.5.1.3, Displaying Password Generation Policy Event Logs and Section 6, Managing Directory Objects.


Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Auditor".

• In advanced administration mode, your role must contain the following right: "Audit: Visualization".

For more information on administration role, see Section 4, Managing Administrators.

Procedure

1. In the Audit panel, select the time range corresponding to the events you want to display, and click Apply.

By default, the audit report displays all the audit events of the last two days.

• All the audit events corresponding to the selected time range are displayed.

2. To filter the displayed list, click the Advanced Filter button.

• The Audit base filter window appears (for details on how to build a filter, see Section 13.2.1, Filtering Audit Records).

3. To display more details about an event, double-click the corresponding line.

• The Event detail window appears.

13.2 Managing Audit Filters

The audit filters allow you to filter the events:

• At the time of their visualization.

• At the time of the event creation for specific objects (administration role, user security profile, access point security profile, application). All defined audit filters are applied before the Enterprise SSO Security Services decide whether the operation should be audited. If at least one filter indicates that the operation should be audited, then the associated audit event is created.

13.2.1 Filtering Audit Records

Subject

To adapt the list of audit events in the report to your needs, you can apply a filter.

Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: Security Object administrator.

• In advanced administration mode, your role must contain the following rights: "Audit filter: Creation/Modification" and "Audit filter: Deletion".

For more information on administration role, see Section 4, Managing Administrators.


Procedure

1. In the Audit panel, click Advanced Filter.

• The audit database search filter window appears.

This window allows you to select the category of event to display.

CRITERION / DESCRIPTION

• Access point: filters the events concerning certain Access Points.

• Application: filters the events concerning one or more applications.

• Audit ID: selects the audit events concerning certain audit identifiers.

• Category: selects the family of audit events required: SSO audit events, Authentication audit events, Access point audit events or Administration audit events.

• Event code: the event code defines the audit events that must be included in the audit report.

The OR logic operator applies to the conditions of a given criterion and the AND logic operator applies between criteria.

2. To add a condition on the category to display, click Add a Condition.

• Depending on the category chosen, an audit filter selection window appears.

3. Follow the guidelines given in the window to choose the condition you want to apply, and click OK.

4. In the Audit Database Search Filter window, click Apply.

• The filter is instantly taken into account.

5. Click Close to display in the Audit panel the event records corresponding to the selected filter. To interpret audit events, see Section 13.3, Interpreting Audit Events.


13.2.2 Assigning an Audit Filter to Specific Objects

Subject

You can apply an audit filter to the following objects:

• Administration role

• User Security Profile

• Access Point Security Profile

• Application

Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: "Auditor".

• In advanced administration mode, your role must contain the following rights: "Application: Audit filter assignment" and/or "Access Point security profile: Audit filter assignment" and/or "User security profile: Audit filter assignment" and/or "Administration profile: Audit filter assignment".

For more information on administration roles, see Section 4, Managing Administrators.

Procedure

1. Select the object from the tree view of the Directory panel.

2. Access the Audit area as explained in the appropriate section of the present guide.

3. Assign an audit filter as explained in the following Audit Filtering Area Description section.

Audit Filtering Area Description

• All events: to log all the events related to the object.

• No events: to log no events related to the object.


• Events matching filter: to log only the events that match an audit filter.

The Select button allows you to select an existing audit filter or to create a new one.

FIELD / DESCRIPTION

• Audit Filter: list of available audit filters.

• Delete button: deletes an audit filter.

• Edit button: edits the audit filter selected in the list.

• New button: adds a new audit filter (see the following Filter Creation Window section).


Filter Creation Window

The filter creation window displays the following information:

INTERFACE ELEMENT / DESCRIPTION

• Name: filter name.

• Description: filter description. Free text item that allows the administrator to have more information about the content of the audit filter.

• Category: category of the event, which can be: File Encryption (encryption events), Admin (administration events), SSO (events concerning User accounts), Authentication (events concerning User authentication on Access Points and Applications) or System (actions performed automatically by the system).

• Audit successes: select this option to audit only successful events.

• Audit failures: select this option to audit only failed events.

• Events not audited: list of the events that are not audited.

• Audited events: list of audited events.

• Add button: adds the selected event to the list of audited events.

• Remove button: removes the selected event from the list of audited events.
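As an added illustration of the two filter rules described in Section 13.2 (example code, not code from the product or this guide), the following Python model applies a search filter the way Section 13.2.1 states it, with OR between the conditions of one criterion and AND between criteria, and evaluates creation-time filters the way Section 13.2.2 and the filter creation window describe them: category, audited event list and the Audit successes / Audit failures options, with the event created as soon as one assigned filter audits it. The event records, the filters, the audit identifiers and the Authentication event code "Logon" are constructed for the example; only the Admin event codes follow the object type and operation form given in Section 13.3.3.

```python
"""Model of the two Enterprise SSO audit filter decisions (added example, not product code).

1. Search filter of the Audit panel (Section 13.2.1): the conditions of one criterion
   are ORed, and the criteria are ANDed together.
2. Creation-time filter assigned to an object (Section 13.2.2, filter creation window):
   a filter audits an event when the event's category is the filter's category, the
   event code is in the filter's audited list and the success/failure option matches;
   the event is created when at least one assigned filter audits it.
All records, filters and the "Logon" event code below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str
    category: str        # Admin, SSO, Authentication, System or File Encryption
    event_code: str      # e.g. "Account—Modification" (object type, operation)
    audit_id: str        # audit identifier of the user who performed the action
    application: str = ""
    access_point: str = ""
    success: bool = True


# Criteria of the audit database search filter window, mapped to the event field they inspect.
CRITERIA = {
    "Access point": lambda e: e.access_point,
    "Application": lambda e: e.application,
    "Audit ID": lambda e: e.audit_id,
    "Category": lambda e: e.category,
    "Event code": lambda e: e.event_code,
}


def matches_search_filter(event, search_filter):
    """search_filter maps a criterion name to the set of accepted values.

    Inside one criterion the accepted values are alternatives (OR); every criterion
    present in the filter must be satisfied (AND). An empty filter accepts everything.
    """
    for criterion, accepted in search_filter.items():
        value = CRITERIA[criterion](event)
        if not any(value == cond for cond in accepted):  # OR within the criterion
            return False                                  # AND between criteria
    return True


def search(events, search_filter):
    """Events the Audit panel would display for the given filter."""
    return [e for e in events if matches_search_filter(e, search_filter)]


@dataclass(frozen=True)
class CreationFilter:
    """An audit filter as built in the filter creation window."""
    name: str
    category: str
    audited_events: frozenset      # event codes moved to the "Audited events" list
    audit_successes: bool = True
    audit_failures: bool = True

    def audits(self, event):
        if event.category != self.category:
            return False
        if event.event_code not in self.audited_events:
            return False
        return self.audit_successes if event.success else self.audit_failures


def should_create_event(event, assigned_filters):
    """Creation-time decision: one matching filter is enough for the event to be created."""
    return any(f.audits(event) for f in assigned_filters)


# Constructed sample events (the Admin event codes follow the page's object—operation form).
SAMPLE_EVENTS = [
    AuditEvent("2009-03-02 08:00:01", "Admin", "Account—Creation", "A1", application="acmeApp"),
    AuditEvent("2009-03-02 08:05:12", "Admin", "Account—Modification", "A1", application="acmeApp"),
    AuditEvent("2009-03-02 08:07:40", "Admin", "PFCP—Creation", "A2"),
    AuditEvent("2009-03-02 09:11:03", "Authentication", "Logon", "U7", access_point="WS01", success=False),
    AuditEvent("2009-03-02 09:11:30", "Authentication", "Logon", "U7", access_point="WS01"),
]

# Constructed creation-time filters: only failed logons, and every account change.
FAILED_LOGONS = CreationFilter("Failed logons", "Authentication", frozenset({"Logon"}),
                               audit_successes=False, audit_failures=True)
ACCOUNT_CHANGES = CreationFilter("Account changes", "Admin",
                                 frozenset({"Account—Creation", "Account—Modification", "Account—Deletion"}))

if __name__ == "__main__":
    admin_on_acme = {"Category": {"Admin"}, "Application": {"acmeApp"}}
    for e in search(SAMPLE_EVENTS, admin_on_acme):
        print("displayed:", e.timestamp, e.event_code)
    for e in SAMPLE_EVENTS:
        print(e.event_code, "created" if should_create_event(e, [FAILED_LOGONS, ACCOUNT_CHANGES]) else "dropped")
```

The search with both Category and Application set returns only the two acmeApp administration events, and adding an Event code condition for PFCP—Creation to the same filter returns nothing, because the criteria are ANDed. On the creation side, the failed-logon filter audits the failed Logon but not the successful one, and the PFCP creation is not created at all because no assigned filter lists its event code.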


13.3 Interpreting Audit Events

This section covers the description of the audit main window and of the Event detail window.

13.3.1 The Audit Main Window

Window Example

• The Advanced Filter button allows you to filter audit records (see Section 13.2.1, Filtering Audit Records).

• The Export button allows you to export audit events to a formatted file (see Section 13.4, Exporting Audit Events).

Description

The audit main window displays the following information:

COLUMN TITLE / DESCRIPTION

• Timestamp: date and time of the event. The color of the icon indicates the event type: a green icon for a normal event, a red icon for an error event.


• Category: category of the event, which can be: Admin (administration events), SSO (events concerning User accounts), Authentication (events concerning User authentication on Access Points and Applications) or System (actions performed automatically by the system).

• Event Code: the event code is built using the type of the audited object and the operation performed on this object. For a complete description of how the Event code of administration audits is generated, see Section 13.3.3, Detailed Information on Administration Audit Events.

• Audit ID: ID of the user who has performed the event.

• Application: name of the Application object associated with the event (blank if no Application is concerned).

• Access Point: name of the Access Point associated with the event.

• Distinguished Name of object (Administration events only): Distinguished Name of the object associated with the Admin event. For modification, renaming and deletion operations, the DN displayed is the DN of the object; for creation operations, the DN displayed is the DN of the object's parent.


13.3.2 The "Event Details" Window

Window Example

The following example shows the detailed information on an administration event related to the creation of a time slice.

Description

The Event Details window gives you more information on a selected event. Compared with the audit main window, it contains two pieces of additional information:

• The error code (Error code field).

• The description of the event (Description field).

The other fields display the same information as the main audit window:

• The User's audit ID field corresponds to the Audit ID column of the audit main window.

• The Event type field corresponds to the Event code column of the audit main window.

FIELD / DESCRIPTION

• Error code: this field informs you of the cause of the error.

• Description: this area gives more information on the event (for a detailed description of this field for Admin events, see Section 13.3.3, Detailed Information on Administration Audit Events).


13.3.3 Detailed Information on Administration Audit Events

Subject

This section focuses on the information displayed by two specific fields of the audit windows:

• The Event Type field of the Event Details window (which corresponds to the Event Code column in the main audit window).

• The Description field of the Event Details window.

The Event Type Field

The Event Type field (or Event Code in the main audit window) is built using the type of the audited object and the administration action on this object. Just combine one entry of the Object Type column with one entry of the Administration Operation column below to get the list of possible values that can appear in the Event type field of an Admin event:

The aim of the following table is to show you as many combinations as possible, but it does not pretend to be exhaustive.

Examples:

• The creation of a PFCP object has the following value: PFCP—Creation.

• Account modifications have the following value: Account—Modification.

The Description Field

The Description field of administration audit events displays two groups of information:

• An optional description giving you detailed information on the audited object, as shown in the following example:

This description is available with the following objects:

• Token.

• User—Application access.

• Application—Access Point access.

• Account's parameter.

• Account.

• Application administration profile.

• Access Point—User access.

For a detailed description, per object, of the displayed information, see the table below.


• The values of the implied LDAP attributes, as shown in the following example:

Detailed Description per Object

OBJECT / DESCRIPTION

• Token: token class; token serial number; token state; owner (owner name and DN).

• User—Application access: application (name and DN); user (list of the authorized users).

• Application—Access Point access: application (name and DN); Access Point (name and DN).

• Account's parameter: name (name and DN of the account's parameter); user (name and DN); login; AccountBaseID; application (name and DN).

• Account: user (name and DN); login; AccountBaseID; application (name and DN).

• Application administration profile: user (name and DN); application (name and DN).

• Access Point—User access: user (name and DN); Access Point (name and DN).
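An added Python example (not the product's own code) that applies the two rules above to exported records: it splits an Admin Event Code into its object type and operation as described in Section 13.3.3, and applies the DN rule of the audit main window table (Section 13.3.1), where Creation events carry the parent's DN and all other operations carry the object's own DN. The column layout Timestamp#Category#Event Code#Audit ID#Application#Access Point#DN and the # separator are assumptions modelled on the audit main window columns and the default separator of the Errors and Events tool, not a documented export format; all records, DNs and audit identifiers are constructed.

```python
"""Decompose Enterprise SSO administration audit records (added example, not product code).

The Event Code of an Admin event is "<object type>—<operation>" (Section 13.3.3), and the
DN column means the object's DN for Modification, Renaming and Deletion but the parent's DN
for Creation (Section 13.3.1). The '#'-separated column layout used below
(Timestamp#Category#Event Code#Audit ID#Application#Access Point#DN) is an assumption
modelled on the audit main window columns and the Errors and Events tool's default
separator; it is not a documented export format. All records are constructed.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass

EVENT_CODE_SEP = "—"                     # as in "Account—Modification"
OPERATIONS = {"Creation", "Modification", "Renaming", "Deletion"}
COLUMNS = ["timestamp", "category", "event_code", "audit_id", "application", "access_point", "dn"]


@dataclass(frozen=True)
class AdminRecord:
    timestamp: str
    category: str
    event_code: str
    audit_id: str
    application: str
    access_point: str
    dn: str


def parse_event_code(code):
    """Split "Account—Modification" into ("Account", "Modification")."""
    obj_type, sep, operation = code.partition(EVENT_CODE_SEP)
    if not sep or operation not in OPERATIONS:
        raise ValueError(f"not an administration event code: {code!r}")
    return obj_type, operation


def parent_dn(dn):
    """Drop the first RDN, honouring backslash-escaped commas inside attribute values."""
    escaped = False
    for i, ch in enumerate(dn):
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            return dn[i + 1:].lstrip()
    return ""                             # single-RDN DN: the parent is the directory root


def resolve_dns(record):
    """Return (object_dn, parent_dn) according to the operation's DN rule.

    For a Creation the DN column already holds the parent, and the new object's own DN
    is not in the record (it is only in the Description field), so object_dn is None.
    """
    _, operation = parse_event_code(record.event_code)
    if operation == "Creation":
        return None, record.dn
    return record.dn, parent_dn(record.dn)


def parse_records(text, separator="#"):
    """Read separator-delimited export lines into AdminRecord objects, keeping Admin rows only."""
    records = []
    for row in csv.reader(io.StringIO(text), delimiter=separator):
        if len(row) != len(COLUMNS):
            continue                      # blank or malformed line
        rec = AdminRecord(**dict(zip(COLUMNS, row)))
        if rec.category == "Admin":
            records.append(rec)
    return records


def deletions_by_audit_id(records):
    """Count Deletion operations per Audit ID, a quick review list for an auditor."""
    counts = Counter()
    for rec in records:
        if parse_event_code(rec.event_code)[1] == "Deletion":
            counts[rec.audit_id] += 1
    return dict(counts)


# Constructed sample export; the escaped comma in the last Admin DN is deliberate.
SAMPLE_EXPORT = r"""2009-03-02 08:00:01#Admin#Account—Creation#A1#acmeApp##CN=jSmith,OU=Sales,DC=example,DC=com
2009-03-02 08:05:12#Admin#Account—Modification#A1#acmeApp##CN=acmeApp,CN=jSmith,OU=Sales,DC=example,DC=com
2009-03-02 08:07:40#Admin#PFCP—Creation#A2###OU=Policies,DC=example,DC=com
2009-03-02 08:09:00#Admin#Account—Deletion#A2#acmeApp##CN=old\, account,CN=jDoe,OU=Sales,DC=example,DC=com
2009-03-02 09:11:03#Authentication#Logon#U7##WS01#
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE_EXPORT):
        obj_type, operation = parse_event_code(rec.event_code)
        print(rec.timestamp, obj_type, operation, resolve_dns(rec))
    print(deletions_by_audit_id(parse_records(SAMPLE_EXPORT)))
```

The parent DN is derived by dropping the first RDN rather than by splitting on every comma, because an attribute value may contain an escaped comma, as the deleted account in the sample does. The Authentication row is ignored by parse_records since its event code has no object type and operation part; use the Audit ID column with Section 13.6 to map an identifier such as A2 back to a user name.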


13.4 Exporting Audit Events

Subject

Displayed audit events can be exported to a formatted file (CSV or XML file).

Audit events export is available from the Audit module of the Enterprise SSO Console or while browsing the directory.

Procedure

1. From the Audit module of the Enterprise SSO Console, in the Audit panel, or from the tree structure of the Directory panel, in the Events tab of the selected object, select the audit events you want to export. If no events are selected, all retrieved events will be exported.

2. Click the Export button.

• The export window appears.

3. Select the format and the path name of the export file.

4. Click Export.

• A message confirms the completion of the export operation.

Exported audit events remain in the audit database.

13.5 Archiving Audit Records

Subject

The archiving functionality allows you to back up a selection of audit records in a CSV file and delete these records from the audit database.

Before Starting

To perform the task described in this section, you must have at least the following administration role:

• In classic administration mode: Security Object administrator.

• In advanced administration mode, your role must contain the following right: "Audit database: Management".

For more information on administration roles, see Section 4, Managing Administrators.

Procedure

1. In the Audit menu, click Archive.

• The Audit database export tool appears.

2. Follow the instructions displayed by the wizard to perform the following operations:

• Step 1: select the time range of the audit records to export.

• Step 2: select the file that will receive the audit records.


• Step 3: delete the exported records from the Audit database.

If you do not want to delete the exported audit records from the Audit database, click Cancel at Step 3.

13.6 Retrieving User ID from Audit ID

Subject

The following procedure explains how to get a User identifier from an Audit identifier.

Procedure

1. In the Audit menu, click Solve Audit ID.

• The Solve Audit ID window appears.

2. Type the Audit ID to solve in the field and click the Add button.

• The Audit ID is added to the Audit ID list.

3. Select the Audit ID line in the Audit ID list and click Solve.

If you click Solve without selecting an Audit ID, the entire list of Audit IDs is solved.

• The corresponding User name appears in the User Name column.

4. Click the Close button to close the window.

13.7 Retrieving Event Codes

To retrieve event codes, execute the Enterprise SSO Errors program (ESSOERRORS.exe) to list the audit events encountered (for more information, see Appendix B, "Listing Audit Events and Error Codes").


14. Customizing Configuration Files

Subject

Enterprise SSO Console uses configuration files that can be customized if the default configuration parameters do not meet your requirements. You can customize the list of supported authentication tokens and User information retrieved from the LDAP directory.

Before Starting

To perform the tasks described in this section, you must be a super-administrator.

14.1 Importing a List of Supported Authentication Tokens

Procedure

1. In the File menu, select Configuration.

• The configuration window appears.

2. Click the Authentication tab.

• The tab appears.


3. Click the Select button, and in the displayed window, browse to the new XML configuration file.

4. Click OK.

5. Restart Enterprise SSO controllers and workstations to take the new XML file into account.

14.2 Adding User Attribute Information

Subject

As described in Section 6.2.1, Displaying User General Information ("Information" Tab), you can display Extended User information using the Other button of the User Information tab. This section describes how to configure the information displayed by this button.

Procedure

1. In the File menu, select Configuration.

• The configuration window appears.

2. Click the Other User Attributes tab.

• The tab appears.


3. Fill in this window as follows:

• In the Attribute description field, type a name for the User attribute that you want to add.

• In the Attribute type drop-down list, select either Integer or String depending on the type of the attribute.

• In the LDAP field, type the name of the corresponding LDAP attribute.

• Click Add. The new attribute appears in the Attributes list.

At any time, you can click the Delete button to delete an entry of the attributes list.

4. Click OK.


15. Creating Scripts

Enterprise SSO Console allows you to write scripts. This may help you to batch process accesses to applications and to automate account creation.

15.1 Using the Script Editor

Procedure

1. In the File menu, click Scripting.

• The script editor interface appears.

2. If you are working with several domains, select in the Domain drop-down list the domain where the script will be applied.

3. Type the script (for details, see Section 15.2, Script Commands), or import a script file (for details, see Section 15.3, Importing Script Files).

4. Click Apply to run the script.


15.2 Script Commands

15.2.1 CREATE_ROLE

Definition

This command creates a role.

Syntax

CREATE_ROLE(Role), where Role is the name of the role.

If the Role name already exists, a warning message appears upon the execution of the script.

Example

CREATE_ROLE(Vendor)

15.2.2 CREATE_ACCESS

Definition

This command creates an access, which allows a user to access an application.

Syntax

CREATE_ACCESS(appName,userName,userType,accountType,appProfile_Name,roleName,dynamicAccount)

Where:

ARGUMENT NAME / DESCRIPTION

• appName: application name as it is declared in E-SSO Console.

• userName: user name as it appears in E-SSO Console. The term User refers to the user himself, a group of users or an Organization Unit.

• userType: user type. This argument takes one of the following values (in uppercase letters): ALL (all the users of the directory; in this case, the userName argument is not taken into account), USER (userName refers to a single user), GROUP (userName refers to a group of users) or UO (userName refers to an Organization Unit).


• accountType: account type. This argument takes one of the following values (in uppercase letters): UNDEFINED (enter this value if the account is defined in the account base of the application), STANDARD (standard account), SHARED (account shared with several users who belong to the same group of users), PRIMARY_SHORT (primary account using a short naming format, for example jSmith), PRIMARY_NT (primary account using an NT naming format, for example DOMAIN\Smith) or PRIMARY_ADSI (primary account using an ADSI naming format, for example [email protected]).

• appProfile_Name: name of the Application Profile associated with the application. Enter DEFAULT (in uppercase letters) to use the default Application Profile of the application.

• roleName: if the user may use several accounts to log on to the application, enter the name of the Role associated with the wanted account. If the user has only one account, enter NOROLE.

• dynamicAccount: enter TRUE to authorize the user to create as many accounts as he/she wants for the application; otherwise, enter FALSE.

Examples

• In a simple configuration, you may type the following command to allow the user jSmith to access the acmeApp application:

CREATE_ACCESS(acmeApp,jSmith,USER,STANDARD,DEFAULT,NOROLE,FALSE)

• If you want to allow jSmith to access acmeApp with the Vendor role, type:

CREATE_ACCESS(acmeApp,jSmith,USER,STANDARD,DEFAULT,Vendor,FALSE)

• The following command allows the group of users tinyGroup, which uses a shared account, to access acmeApp:

CREATE_ACCESS(acmeApp,tinyGroup,USER,SHARED,DEFAULT,NOROLE,FALSE)

15.2.3 CREATE_ACCOUNT

Definition

This command allows you to create an account, which enables a user to log on an application.

Syntax

CREATE_ACCOUNT(accountType,userName,appName,roleName,accountOwner,loginName,Password)


Where:

ARGUMENT NAME / DESCRIPTION

• accountType: account type. This argument takes one of the following values (in uppercase letters): STANDARD (standard account) or SHARED (account shared with several users who belong to the same group of users).

• userName: depending on the accountType value, userName does not refer to the same kind of object. If accountType = STANDARD, enter the name of a user as it appears in E-SSO Console. If accountType = SHARED, enter the name of a group of users.

• appName: application name as it is declared in E-SSO Console.

• roleName: if the user may use several accounts to log on to the application, enter the name of the Role associated with the wanted account. If the user has only one account, enter NOROLE.

• accountOwner: if accountType = SHARED, enter the name of the account owner. If accountType = STANDARD, enter NOVALUE.

• loginName: login name value.

• Password: password value.

Examples

• To create a standard account for jSmith and the acmeApp application, use the following command:

CREATE_ACCOUNT(STANDARD,jSmith,acmeApp,NOROLE,NOVALUE,LoginName,Password)

• To create a shared account for the group of users tinyGroup (which is owned by user admin) and the acmeApp application, enter the following:

CREATE_ACCOUNT(SHARED,tinyGroup,acmeApp,NOROLE,admin,LoginName,Password)
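The following Python linter is an added example, not part of Enterprise SSO Console: it checks a script text against the argument tables of Sections 15.2.1 to 15.2.3 (argument count, the uppercase enumerated values and the accountOwner rule of CREATE_ACCOUNT) before the script is typed or imported into the editor, and flags every CREATE_ACCOUNT line because its Password argument is stored in cleartext in the script file. The sample script, the Finding record and the severity names are constructed for the example; the guide documents no quoting rule, so arguments are split on commas.

```python
"""Linter for Enterprise SSO Console script (.wgs) files (added example, not product code).

It checks the three commands of Section 15.2 for argument count and for the enumerated
values the guide lists, applies the accountOwner rule of CREATE_ACCOUNT, and flags every
CREATE_ACCOUNT line because its Password argument is cleartext: such a script file should
be protected while it exists and deleted once the console has run it. The sample script
is constructed; line 3 uses a misspelt user type, line 5 a wrong accountOwner and line 6 an
unknown command.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line severity message")

# Argument names in the order documented for each command.
COMMAND_ARGS = {
    "CREATE_ROLE": ["Role"],
    "CREATE_ACCESS": ["appName", "userName", "userType", "accountType",
                      "appProfile_Name", "roleName", "dynamicAccount"],
    "CREATE_ACCOUNT": ["accountType", "userName", "appName", "roleName",
                       "accountOwner", "loginName", "Password"],
}

# Enumerated argument values (uppercase) from the argument tables.
ENUMS = {
    ("CREATE_ACCESS", "userType"): {"ALL", "USER", "GROUP", "UO"},
    ("CREATE_ACCESS", "accountType"): {"UNDEFINED", "STANDARD", "SHARED",
                                       "PRIMARY_SHORT", "PRIMARY_NT", "PRIMARY_ADSI"},
    ("CREATE_ACCESS", "dynamicAccount"): {"TRUE", "FALSE"},
    ("CREATE_ACCOUNT", "accountType"): {"STANDARD", "SHARED"},
}

COMMAND_RE = re.compile(r"^([A-Z_]+)\((.*)\)$")


def parse_command(line):
    """Return (command, [args]) or None when the line is not of the form NAME(a,b,c).

    Arguments are split on commas, so a password containing a comma would be
    mis-counted; the guide does not document any quoting for that case.
    """
    m = COMMAND_RE.match(line.strip())
    if not m:
        return None
    args = [a.strip() for a in m.group(2).split(",")] if m.group(2).strip() else []
    return m.group(1), args


def lint_script(text):
    """Return a list of Finding(line, 'error'|'warning', message) for the script text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        parsed = parse_command(raw)
        if parsed is None:
            findings.append(Finding(no, "error", "line is not a COMMAND(arg,...) call"))
            continue
        command, args = parsed
        spec = COMMAND_ARGS.get(command)
        if spec is None:
            findings.append(Finding(no, "error", f"unknown command {command}"))
            continue
        if len(args) != len(spec):
            findings.append(Finding(no, "error",
                            f"{command} expects {len(spec)} arguments, got {len(args)}"))
            continue
        named = dict(zip(spec, args))
        for (cmd, arg), allowed in ENUMS.items():
            if cmd == command and named[arg] not in allowed:
                findings.append(Finding(no, "error",
                                f"{arg}={named[arg]!r} is not one of {sorted(allowed)}"))
        if command == "CREATE_ACCOUNT":
            owner, kind = named["accountOwner"], named["accountType"]
            if kind == "STANDARD" and owner != "NOVALUE":
                findings.append(Finding(no, "error", "STANDARD account: accountOwner must be NOVALUE"))
            elif kind == "SHARED" and owner == "NOVALUE":
                findings.append(Finding(no, "error", "SHARED account: accountOwner must name the owner"))
            findings.append(Finding(no, "warning",
                            "cleartext password in Password argument; protect and purge this file"))
    return findings


# Constructed sample script.
SAMPLE_SCRIPT = """CREATE_ROLE(Vendor)
CREATE_ACCESS(acmeApp,jSmith,USER,STANDARD,DEFAULT,Vendor,FALSE)
CREATE_ACCESS(acmeApp,tinyGroup,GRP,SHARED,DEFAULT,NOROLE,FALSE)
CREATE_ACCOUNT(STANDARD,jSmith,acmeApp,NOROLE,NOVALUE,jsmith,Ex4mple-Pw)
CREATE_ACCOUNT(SHARED,tinyGroup,acmeApp,NOROLE,NOVALUE,shared01,Ex4mple-Pw)
DELETE_ROLE(Vendor)
"""

if __name__ == "__main__":
    for f in lint_script(SAMPLE_SCRIPT):
        print(f"line {f.line}: {f.severity}: {f.message}")
```

Run it over a script file before importing it: a finding of severity error points at a value the argument tables do not allow, and the warnings list the lines whose password has to be handled as a secret (restrict the file's permissions while it exists and delete it after the import).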


15.3 Importing Script Files

Before Starting

A text file containing the script commands must be created and saved as a wgs file.

Procedure

1. In the script editor window, click Import.

2. Select in the displayed window the wanted wgs file and click Open.

• The content of the file appears in the script editor window, as in the following example:


A. Regular Expressions–Basic Syntax

Subject

This section lists special characters you can use to create regular expressions to configure the Emergency Access feature. For details on how to enable and configure Emergency Access, see Section 5.3.2.4, Emergency Access Parameters Configuration ("Emergency Access" Tab).

Basic Syntax

CHARACTER / DESCRIPTION

• "." Matches any single character.

• "[ ]" Indicates a character class. Matches any character inside the brackets (for example, [abc] matches "a", "b" or "c").

• "^" If this metacharacter occurs at the start of a character class, it negates the character class. A negated character class matches any character except those inside the brackets (for example, [^abc] matches all characters except "a", "b", and "c"). If ^ is at the beginning of the regular expression, it matches the beginning of the input (for example, ^[abc] will only match input that begins with "a", "b", or "c").

• "-" In a character class, indicates a range of characters (for example, [0-9] matches any of the digits "0" through "9").

• "?" Indicates that the preceding expression is optional: it matches once or not at all (for example, [0-9][0-9]? matches "2" and "12").

• "+" Indicates that the preceding expression matches one or more times (for example, [0-9]+ matches "1", "13", "666", and so on).

• "*" Indicates that the preceding expression matches zero or more times.

• "??", "+?", "*?" Non-greedy versions of ?, +, and *. These match as little as possible, unlike the greedy versions which match as much as possible. Example: given the input "<abc><def>", <.*?> matches "<abc>" while <.*> matches "<abc><def>".

• "( )" Grouping operator. Example: (\d+,)*\d+ matches a list of numbers separated by commas (such as "1" or "1,23,456").

• "{ }" Indicates a match group (for example, abc{2.} matches "ab" followed by two or more "c").


• "\" Escape character: interpret the next character literally (for example, [0-9]+ matches one or more digits, but [0-9]\+ matches a digit followed by a plus character). Also used for abbreviations (such as \a for any alphanumeric character). If \ is followed by a number n, it matches the nth match group (starting from 0). Example: <{.*?}>.*?</\0> matches "<head>Contents</head>". Note that in C++ string literals, two backslashes must be used: "\\+", "\\a", "<{.*?}>.*?</\\0>".

• "$" At the end of a regular expression, this character matches the end of the input. Example: [0-9]$ matches a digit at the end of the input.

• "|" Alternation operator: separates two expressions, exactly one of which matches (for example, T|the matches "The" or "the").

• "!" Negation operator: the expression following ! does not match the input. Example: a!b matches "a" not followed by "b".


B. Listing Audit Events and Error Codes

Subject

Quest Enterprise SSO provides the Errors and Events tool to list the audit events and the error codes encountered.

Using the Enterprise SSO Errors program, you can:

• Get the list of all supported audit events.

• Get the description associated with a given code.

• Get the list of all supported error messages.

The list of audit events and error messages can be exported in a CSV or XML file. You can export the entire list or some selected lines of the list.

B.1 Listing Audit Events

Procedure

1. To open the Errors and Events tool, click Start | Programs | Quest Software | Enterprise SSO | Errors and Events.

On users’ workstations, this program is usually available from the following path:

%CommonProgramFiles%\Evidian\WGSS\EssoErrors.exe

2. Click Audit Events.

• The audit event list appears.


Window Description

The Audit Events window displays the following information:

INTERFACE ELEMENT / DESCRIPTION

• Cat.: category code.

• Category: category of the event, which can be: Admin (administration event), SSO (event related to User accounts), Authentication (event related to User authentication on Access Points and Applications), System (action performed automatically by the system) or File Encryption (action performed by the File Encryption software module).

• Event: event code.

• Description: event description.

• CSV: format of the file in which audit events will be exported (Comma Separated Values).

• Separator: field separator for the CSV file. Default: #

• XML: format of the file in which audit events will be exported.


• Syntax: syntax of the generated XML file. You cannot modify the XML syntax.

• File path: output file path name. The button allows you to select in a directory an existing file or a default file (ESSO-AuditEvents-en.csv or ESSO-AuditEvents-en.xml).

• Export button: exports the whole list or only the selected lines of the list to the chosen formatted file.

B.2 Listing Error Codes

Procedure

1. To open the Errors and Events tool, click Start | Programs | Quest Software | Enterprise SSO | Errors and Events.

On users’ workstations, this program is usually available from the following path:

%CommonProgramFiles%\Evidian\WGSS\EssoErrors.exe

2. Click Error Codes.

• The error code list appears.


Window Description

The Error Codes window displays the following information:

INTERFACE ELEMENT / DESCRIPTION

• Error: error code.

• Description: error description.

• CSV: format of the file in which error codes will be exported (Comma Separated Values).

• Separator: field separator for the CSV file. Default: #

• XML: format of the file in which error codes will be exported.

• Syntax: syntax of the generated XML file. You cannot modify the XML syntax.

• File path: output file path name. The button allows you to select in a directory an existing file or a default file (ESSO-Errors-en.csv or ESSO-Errors-en.xml).

• Export button: exports the whole list or only the selected lines of the list to the chosen formatted file.

• E-SSO Error Code: specific error code you want to find.

• Display as a Windows error: retrieves the error message from the Windows operating system.


C. List of Administration Rights

The following table lists all the predefined administration profiles (in classic administration mode) and their corresponding administration rights in advanced administration mode.

CLASSIC ADMINISTRATION MODE PROFILE NAME (table columns): Security Object Administrator; Access Administrator; Rights Administrator; Smart Card Administrator; File Encryption Administrator; Auditor; SSO Data Recoverer; Authorize Propagation of Administration Rights.

ADVANCED ADMINISTRATION MODE: RIGHT NAME (table rows). Each X after a right name marks one of the columns above that holds the right; the column position of each X is not preserved in this text rendering.

Access point security profile: Assignment X

Access Point security profile: Audit filter assignment X

Access point security profile: Creation/Modification X

Access point security profile: Deletion X

Account: Creation/Modification X X

Account: Deletion X X

Account: Manage parameters X

Administration profile: Audit filter assignment X

Administration profile: Creation/Modification

Administration profile: Deletion

Application profile: Creation/Modification X


Application profile: Deletion X

Application: Audit filter assignment X

Application: Creation/Modification X

Application: Deletion X

Application: Manage all applications

Audit database: Management X

Audit filter: Creation/Modification X

Audit filter: Deletion X

Audit: Visualization X

Authorization for application on access point: Creation/Modification X X

Authorization for application on access point: Deletion X X

Authorization for user on access point: Creation/Modification X X

Authorization for user on access point: Deletion X X

Authorization to use application: Creation/Modification X X

Authorization to use application: Deletion X X

Batch of cards: Creation/Modification X

Batch of cards: Deletion X

Bio: Is enable to allow biometrics pattern enrolment

Cluster: Creation/Modification

Cluster: Deletion


Directory: Browsing X X X X X

Emergency access: Answer deletion X X X X X X X

Emergency access: Challenge generation X X X X X X X

Emergency access: Reset attempt counter X X X X

File Encryption Key: Generation X

Parameter: Creation/Modification X X

Parameter: Deletion X X

Password format control policy: Creation/Modification X

Password format control policy: Deletion X

Password generation policy: Creation/Modification X

Password generation policy: Deletion X

PKA authority: Creation/Modification X

PKA authority: Deletion X

Representative: Creation/Modification X

Representative: Deletion X

Roaming: Delete user’s sessions

Schedule: Creation/Modification X

Schedule: Deletion X

Technical reference: Creation/Modification X

Technical reference: Deletion X


Temporary password access: Change duration

Temporary password access: Creation X

Temporary password access: Deletion X

Token configuration: Creation/Modification X

Token configuration: Deletion X

Token: Assignment X

Token: Blacklist X

Token: Force PIN X

Token: Formatting X

Token: Lending X

Token: Modification X

User administration profile: Delegation X

User administration profile: Administration rights manager

User role: Creation/Modification X X

User role: Deletion X X

User security profile: Assignment X

User security profile: Audit filter assignment X

User security profile: Creation/Modification X

User security profile: Deletion X

User: Modification X

User: Password modification X


About Quest Software, Inc. Now more than ever, organizations need to work smart and improve efficiency. Quest Software creates and supports smart systems management products—helping our customers solve everyday IT challenges faster and easier. Visit www.quest.com for more information.

Contacting Quest Software

Phone: 949.754.8000 (United States and Canada)

Email: [email protected]

Mail: Quest Software, Inc., World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656, USA

Web site: www.quest.com

Please refer to our Web site for regional and international office information.

Contacting Quest Support

Quest Support is available to customers who have a trial version of a Quest product or who have purchased a Quest product and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to SupportLink, our self-service portal. Visit SupportLink at http://support.quest.com/

From SupportLink, you can do the following:

• Retrieve thousands of solutions from our online Knowledgebase

• Download the latest releases and service packs

• Create, update and review Support cases

View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at: http://support.quest.com.