
Enterprise Single Sign-On 8.0.3
Administrator Guide
Enterprise SSO Console

Copyright 1998-2009 Quest Software and/or its Licensors ALL RIGHTS RESERVED.
This publication contains proprietary information protected by copyright. The software described in this publication is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical or otherwise without the prior written permission of the publisher.

DISCLAIMER
The information in this publication is provided in connection with Quest branded products from Evidian. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this publication. EXCEPT AS OTHERWISE SPECIFIED IN THE END USER LICENSE AGREEMENT FOR THIS PRODUCT, EVIDIAN AND QUEST ASSUME NO LIABILITY WHATSOEVER AND DISCLAIM ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO THIS PRODUCT, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL EVIDIAN OR QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS PUBLICATION, EVEN IF EVIDIAN OR QUEST HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Evidian and Quest make no representations or warranties with respect to the accuracy or completeness of the contents of this publication and reserve the right to make changes to specifications and product descriptions at any time without notice. Evidian and Quest do not make any commitment to update the information contained in this publication. The information and specifications in this publication are subject to change without notice.

Trademarks
Quest, Quest Software, the Quest Software logo, Aelita, AppAssure, Benchmark Factory, Big Brother, DataFactory, DeployDirector, ERDisk, Foglight, Funnel Web, I/Watch, Imceda, InLook, IntelliProfile, InTrust, IT Dad, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, NBSpool, NetBase, Npulse, PerformaSure, PL/Vision, Quest Central, RAPS, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL LiteSpeed, SQL Navigator, SQL Watch, SQLab, Stat, Stat!, StealthCollect, Tag and Follow, Toad, T.O.A.D., Toad World, Vintela, Virtual DBA, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. The terms Evidian, AccessMaster, SafeKit, OpenMaster, SSOWatch, WiseGuard, Enatel and CertiPass are trademarks registered by Evidian. All other trademarks mentioned in this document are the property of their respective owners.
World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656
Website: www.quest.com
Please refer to our website for regional and international office information.
Quest Enterprise SSO
Updated January 2010
Software version 8.0.3

CONTENTS
About This Guide ..... 7
Access Management ..... 7
Conventions ..... 8

1. Overview ..... 9
1.1 Enterprise SSO Concepts ..... 9
1.2 Enterprise SSO Controllers ..... 10
1.2.1 Enterprise SSO Services ..... 10
1.2.2 Domain Controller Selection ..... 12
1.3 A Multi-Domain Architecture ..... 12
1.4 General Ergonomic Design ..... 15
1.4.1 Home Window ..... 15
1.4.2 Directory Panel Overview ..... 17

2. Authenticating to E-SSO Console and Managing Protection Modes ..... 19
2.1 Starting/Stopping the Enterprise SSO Console ..... 19
2.1.1 Starting the Enterprise SSO Console ..... 19
2.1.2 Stopping the Enterprise SSO Console ..... 21
2.2 Managing Protection Modes ..... 21
2.2.1 Displaying the Current Protection Mode ..... 21
2.2.2 Migrating from Software Mode to Hardware Mode ..... 22
2.2.3 Managing Administrators whose Administration Keys are Protected by Software Encryption ..... 23

3. Searching the Directory Tree ..... 25
3.1 Searching for Directory Objects ..... 25
3.2 Deleting Search Requests ..... 27

4. Managing Administrators ..... 28
4.1 Administration Modes - Presentation ..... 28
4.1.1 The Classic Administration Mode ..... 28
4.1.2 The Advanced Administration Mode ..... 30
4.1.3 Administration Role Inheritance ..... 30
4.2 Delegating Administration Profiles ..... 31
4.3 Managing Administration Profiles ..... 33
4.3.1 Creating/Editing an Administration Profile ..... 33
4.3.2 Deleting an Administration Profile ..... 36
4.4 Transferring an Administration Role ..... 36
4.5 Deleting Administration Role ..... 37
4.6 Displaying your Administration Role ..... 37
4.7 Modifying the Parent Administrator ..... 38
4.8 Defining Multiple Primary Administrators ..... 39

5. Managing Security Profiles ..... 40
5.1 Managing Timeslices ..... 40
5.1.1 Creating/Modifying Timeslices ..... 41
5.1.2 Configuring Timeslices ..... 41
5.1.3 Displaying Timeslice Event Logs ..... 42
5.1.4 Renaming Timeslices ..... 43
5.1.5 Deleting Timeslices ..... 43
5.2 Managing Password Format Control Policies ..... 44
5.2.1 Creating/Modifying Password Format Control Policies ..... 44
5.2.2 Configuring Password Format Control Policy ..... 45
5.2.3 Displaying Password Format Control Policy Event Logs ..... 46
5.2.4 Renaming Password Format Control Policies ..... 47
5.2.5 Deleting Password Format Control Policies ..... 47
5.3 Managing User Security Profiles ..... 47
5.3.1 Creating/Modifying User Security Profiles ..... 48
5.3.2 Configuring User Security Profiles ..... 49
5.3.3 Displaying User Security Profile Event Logs ..... 66
5.3.4 Renaming User Security Profiles ..... 66
5.3.5 Deleting User Security Profiles ..... 67
5.4 Managing Access Point Security Profiles ..... 67
5.4.1 Creating/Modifying Access Point Security Profiles ..... 68
5.4.2 Configuring Access Point Security Profiles ..... 68
5.4.3 Displaying Access Point Security Profile Event Logs ..... 81
5.4.4 Renaming Access Point Security Profiles ..... 82
5.4.5 Deleting Access Point Security Profiles ..... 82
5.5 Managing Application Security Profiles ..... 83
5.5.1 Managing Password Generation Policies ..... 83
5.5.2 Creating/Modifying Application Security Profiles ..... 87
5.5.3 Configuring Application Security Profiles ..... 88
5.5.4 Displaying Application Security Profile Event Logs ..... 94
5.5.5 Renaming Application Security Profiles ..... 94
5.5.6 Deleting Application Security Profiles ..... 95
5.6 Defining Security Profiles Default Values ..... 95
5.7 Managing User and Access Point Security Profiles Priorities ..... 97

6. Managing Directory Objects ..... 99
6.1 Managing Applications ..... 100
6.1.1 Creating an Application ..... 100
6.1.2 Defining the General Properties of an Application ("Configuration"/"General" Tab) ..... 103
6.1.3 Creating the Account Properties of an Application ..... 104
6.1.4 Defining the Single Sign-On Properties of an Application ("Configuration"/"SSO" Tab) ..... 110
6.1.5 Defining External Names ("Configuration"/"External Names" Tab) ..... 112
6.1.6 Assigning Users to an Application ..... 113
6.1.7 Sharing the Administration of an Application ("Administrators" Tab) ..... 113
6.1.8 Generating/Importing Accounts for an Application ("Account Generation" Tab) ..... 114
6.1.9 Assigning Access Points to an Application ("Access Points" Tab) ..... 116
6.1.10 Displaying Accounts Associated With the Application ("Accounts" Tab) ..... 118
6.1.11 Displaying Application Event Logs ("Events" Tab) ..... 119
6.1.12 Displaying/Modifying Application Information ("Information" Tab) ..... 120
6.1.13 Renaming Applications ..... 120
6.1.14 Deleting Applications ..... 120
6.2 Managing Users ..... 121
6.2.1 Displaying User General Information ("Information" Tab) ..... 121
6.2.2 Defining User Connection Parameters ("Connection" Tab) ..... 122
6.2.3 Assigning a User Security Profile to a User ("Security Profile" Tab) ..... 128
6.2.4 Declaring a User as an Administrator ("Administration" Tab) ..... 129
6.2.5 Assigning/Forbidding Access Points to a User ("Access Points" Tab) ..... 129
6.2.6 Managing User's Accounts ("Accounts" Tab) ..... 131
6.2.7 Managing User's Smart Cards ("Smart Card" Tab) ..... 133
6.2.8 Displaying Users Biometric Data ("Biometrics" Tab) ..... 134
6.2.9 Assigning Applications to a User ("Application Access" Tab) ..... 135
6.2.10 Managing User's RFID Tokens ("RFID" Tab) ..... 136
6.2.11 Managing Data Privacy ("DP" Tab) ..... 136
6.2.12 Displaying User Event Logs ("Event" Tab) ..... 137
6.3 Managing Access Points ..... 137
6.3.1 Displaying Access Point General Information ("Information" Tab) ..... 138
6.3.2 Defining Access Point Configuration Parameters ("Configuration" Tab) ..... 139
6.3.3 Assigning/Forbidding Users to Access Points ("Authorized Users" Tab) ..... 141
6.3.4 Assigning/Forbidding Applications to Access Points ("Available Applications" Tab) ..... 142
6.3.5 Displaying Access Point Event Logs ("Events" Tab) ..... 144
6.4 Managing Representative Objects ..... 144
6.4.1 Managing Inbound Representative Objects ..... 145
6.4.2 Managing Outbound Representative Objects ..... 149
6.4.3 Displaying Representative Event Logs ..... 153
6.4.4 Renaming Representative Objects ..... 153
6.4.5 Deleting Representative Objects ..... 154
6.5 Managing Clusters of Access Points ..... 154
6.5.1 Creating and Configuring a Cluster of Access Points ..... 156
6.5.2 Displaying Cluster Event Logs ("Events" Tab) ..... 159
6.5.3 Renaming Clusters ..... 159
6.5.4 Deleting Clusters ..... 160
6.6 Selecting a Domain Controller ..... 160

7. Managing Smart Cards ..... 162
7.1 Assigning Smart Cards to Users ..... 164
7.1.1 Assigning Smart Cards to Many Users ..... 164
7.1.2 Assigning a Smart Card to a User ..... 166
7.1.3 Assigning a new Smart Card Allowing a User to log on a Workstation which is Disconnected from the Directory ..... 168
7.2 Formatting Smart Cards ..... 169
7.3 Forcing a New PIN ..... 170
7.4 Disabling Temporarily Smart Cards ..... 171
7.4.1 Disabling Temporarily Smart Cards from the Smart Card Panel ..... 171
7.4.2 Disabling Smart Cards of a User from the Directory Panel ..... 171
7.5 Unlocking Smart Cards ..... 172
7.5.1 Unlocking Smart Cards from the Smart Card Pane ..... 172
7.5.2 Unlocking Smart Cards from the Directory Panel ..... 174
7.5.3 Defining Contact Information ..... 174
7.6 Sending Smart Cards to a Blacklist ..... 175
7.6.1 Sending Smart Cards to a Blacklist from the Smart Card Panel ..... 175
7.6.2 Sending Smart Cards to a Blacklist from the Directory Panel ..... 176
7.7 Extending the Validity of a Smart Card ..... 176
7.8 Displaying Smart Card Properties ..... 178
7.9 Displaying the List of Supported Smart Cards ..... 179
7.10 Managing Smart Card Configuration Profiles ..... 180
7.10.1 Creating / Modifying Configuration Profiles ..... 180
7.10.2 Renaming Configuration Profiles ..... 181
7.10.3 Deleting Configuration Profiles ..... 182
7.11 Managing Loan Cards ..... 182
7.11.1 Assigning a Loan Card to a User ..... 182
7.11.2 Returning Loan Cards ..... 183
7.12 Managing Smart Card's Authentication Parameters ..... 185
7.13 Managing Batches of Smart Cards ..... 186
7.13.1 Defining a Stock of Tokens ..... 186
7.13.2 Displaying Information on Stocks ..... 188
7.13.3 Forcing the Use of Smart Cards Defined in the Batch ..... 189

8. Managing SA Server Devices ..... 190
8.1 Configuring Enterprise SSO for SA Server Management ..... 190
8.1.1 Configuring SA Server Connection ..... 191
8.1.2 Configuring the SA Server Device Management ..... 192
8.2 Managing SA Server Devices ..... 194
8.2.1 Assigning an SA Server Device to a User ..... 194
8.2.2 Formatting an SA Server Device ..... 196
8.2.3 Blacklisting an SA Server Device ..... 196
8.2.4 Managing the Link between User and SA Server Device ..... 197

9. Managing RFID Tokens ..... 200
9.1 Assigning an RFID Token ..... 202
9.2 Locking and Unlocking an RFID Token ..... 203
9.2.1 Locking and Unlocking an RFID Token from the Directory Panel ..... 203
9.2.2 Locking and Unlocking an RFID Token from the RFID Panel ..... 204
9.3 Blacklisting and Deleting an RFID Token ..... 205
9.3.1 Blacklisting and Deleting an RFID Token From the Directory Panel ..... 205
9.3.2 Blacklisting and Deleting an RFID Token from the RFID Panel ..... 207
9.4 Modifying the Detection Areas and the Grace Period ..... 208
9.5 Exporting a List of RFID Tokens ..... 210

10. Managing Biometric Enrolment ..... 211
10.1 Defining the Biometric Enrolment Policy ..... 213
10.2 Defining the Biometric Workstation Parameters ..... 213
10.3 Managing the User Enrolment ..... 213
10.4 Displaying and Exporting the Biometric Enrolment Report ..... 214

11. Managing Data Privacy ..... 215
11.1 Generating Keys ..... 217
11.1.1 Generating Keys for a Single User or a Group of Users ..... 217
11.1.2 Massive Keys Generation (Batch Mode) ..... 218
11.1.3 Configuring the Automatic Generation of a Key upon User's Logon ..... 219
11.2 Renewing Keys ..... 220
11.2.1 Renewing Manually a Key ..... 220
11.2.2 Configuring Automatic Updates of Keys ..... 222
11.3 Allowing Users to Refresh their Keys from the Directory ..... 223
11.4 Exporting a List of Generated Keys ..... 225

12. Enabling the Public Key Authentication Method ..... 226
12.1 Configuring User and Access Point Security Profiles to Support the PKA Authentication Method ..... 228
12.2 Activating the PKA Authentication Method and Defining the Set of Authorized Certification Authorities ..... 228
12.2.1 Activating the PKA Authentication Method ..... 229
12.2.2 Configuring the Set of Authorized Certification Authorities ..... 230
12.3 Configuring the Automatic Update of the Revocation Information ..... 232
12.3.1 Importing a CRL Point of Distribution ..... 233
12.3.2 Importing an OCSP Responder ..... 233
12.3.3 Deleting a CRL Point of Distribution or an OCSP Responder ..... 234

13. Managing Audit Events ..... 235
13.1 Displaying Audit Events ..... 236
13.2 Managing Audit Filters ..... 237
13.2.1 Filtering Audit Records ..... 237
13.2.2 Assigning an Audit Filter to Specific Objects ..... 239
13.3 Interpreting Audit Events ..... 242
13.3.1 The Audit Main Window ..... 242
13.3.2 The "Event Details" Window ..... 244
13.3.3 Detailed Information on Administration Audit Events ..... 245
13.4 Exporting Audit Events ..... 247
13.5 Archiving Audit Records ..... 247
13.6 Retrieving User ID from Audit ID ..... 248
13.7 Retrieving Event Codes ..... 248

14. Customizing Configuration Files ..... 249
14.1 Importing a List of Supported Authentication Tokens ..... 249
14.2 Adding User Attribute Information ..... 250

15. Creating Scripts ..... 252
15.1 Using the Script Editor ..... 252
15.2 Script Commands ..... 253
15.2.1 CREATE_ROLE ..... 253
15.2.2 CREATE_ACCESS ..... 253
15.2.3 CREATE_ACCOUNT ..... 254
15.3 Importing Script Files ..... 256

A. Regular Expressions - Basic Syntax ..... 257
B. Listing Audit Events and Error Codes ..... 259
B.1 Listing Audit Events ..... 259
B.2 Listing Error Codes ..... 261
C. List of Administration Rights ..... 263
About Quest Software, Inc. ..... 267
Contacting Quest Software ..... 267
Contacting Quest Support ..... 267


About This Guide

Access Management

Subject: This guide describes how to administer a Quest Enterprise SSO solution using Enterprise SSO Console, the centralized administration and audit consultation tool.
Intended Reader: System integrators. Administrators.
Software/Hardware Required: Enterprise SSO Console 8.0 evolution 3 and later versions. For more information about the versions of the required operating systems and software solutions quoted in this guide, please refer to Quest Enterprise SSO Release Notes.
Supported Operating Systems: Enterprise SSO Console runs only on Windows systems.

Quest Enterprise SSO 8.0.3 - Enterprise SSO Console

Conventions
In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references.

ELEMENT: CONVENTION
Select: This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.
Bolded text: Interface elements that appear in Quest products, such as menus and commands.
Italic text: Used for comments.
Bold Italic text: Introduces a series of procedures.
Blue text: Indicates a cross-reference. When viewed in Adobe Acrobat, this format can be used as a hyperlink.
(Note icon): Used to highlight additional information pertinent to the process being described.
(Best practice icon): Used to provide Best Practice information. A best practice details the recommended course of action for the best result.
(Caution icon): Used to highlight processes that should be performed with care.
+ : A plus sign between two keystrokes means that you must press them at the same time.
| : A pipe sign between elements means that you must select the elements in that particular sequence.


1. Overview
This guide describes how to use Enterprise SSO (or E-SSO) Console, the administration tool that allows you to define your company's Access Management configuration, from the setting up of the basic security objects to the definition of access rights for users, workstations and applications.

1.1 Enterprise SSO Concepts


Enterprise SSO is the module of the Access Management solution that provides centralized management of application and network access strategies and security data. For this purpose it is based on the management of three types of objects:
The company's users.
The company's applications for which you will enable the single sign-on functionality.
The client workstations (Access Points) on which users log on to access their applications.

Quest Enterprise SSO offers two Access Point functional modes. The desired mode is selected at installation time (see Enterprise SSO Advanced Installation and Configuration Guide):
In "manage-access-point" mode, you can define security policies for individual workstations and groups of workstations.
In "no-access-point-management" mode, no objects representing client workstations are created or used in the directory, and one security policy is applied to all access points. In this mode, Enterprise SSO controllers do not "authenticate" client workstations.

Your main administration task consists in implementing the relations between these three types of objects, as shown in the following diagram:


[Diagram: the relations between the User, Application and Access Point objects, labelled Access, Connection and Availability, together with the Password Format Policy and the Password Generation Policy.]

The term User refers to the user himself, a group of users or an organizational unit that contains users. Likewise, the term Access Point refers to the access point itself (which is a computer), a group of computers or an organizational unit that contains computers.

1.2 Enterprise SSO Controllers


1.2.1 Enterprise SSO Services
Enterprise SSO Services Overview
When an Enterprise SSO controller is installed, several services dedicated to specific features are installed at the same time. The set of functions provided by Enterprise SSO is gathered in the following services:
Administration.
Audit collection.
Access point registration.
User enrolment.

Each Enterprise SSO controller may offer the full set of services or only a subset of them.

Administrator Guide

Enterprise SSO Services Management

At installation time, Enterprise SSO controllers are not specialized: all the above services are available. The Enterprise SSO Console allows you to dedicate an Enterprise SSO controller to a subset of services. Once specialized, each controller continues to run all the services, but only a part of them is used by the workstations. At any time, you can change the Enterprise SSO controller configuration from the Enterprise SSO Console (as explained in Section 6.3.2.2, Managing the Access Point Available Services) without having to install anything on the controller.

Workstation Connection to Enterprise SSO Controllers

All the controllers and their services are registered in the directory. The first time a workstation needs to connect to an Enterprise SSO controller, it obtains the list of existing controllers from the directory and builds in a cache the list of the available services, classified by site. The workstation then tries to connect to an Enterprise SSO controller that explicitly provides the required service in its site. If no such controller is available, the workstation tries to connect to an Enterprise SSO controller that provides all services in its site. If no such controller is available, it tries the other sites. This list is rebuilt only when the cache expires, so when you change the services configuration from the Enterprise SSO Console, it takes time before all the workstations use the new configuration. For this reason, and for backward compatibility with the previous version of Enterprise SSO, an Enterprise SSO controller keeps providing all services.

Example

To ensure high availability and good performance, it is worthwhile to install Enterprise SSO on several servers and to dedicate each one to specific services. The following figure shows an example of service distribution: one server is dedicated to the audit and another to the administration.
[Figure: example of service distribution. An E-SSO Controller running the Audit Service (Audit Server) performs audit collection into the Audit Master Database; an E-SSO Controller running the Administration Service (Administration Server) handles administration and audit analysis against the Corporate LDAP Directory. The User Workstation runs E-SSO Middleware, Advanced Login and SSO Watch; the Administrator Workstation runs E-SSO Middleware, SSO Studio and the Administration Console.]
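The site-aware connection order and the cache expiry described above, as an added Python example that is not part of this guide or of the Quest product. The service identifiers, controller names and site names are constructed, and the directory query is stood in for by a plain callable so that the example runs offline.

```python
"""Site-aware controller selection with a per-workstation service cache.

Added example, not Quest code: it models the selection order described in
the guide (dedicated controller in the workstation's site, then a controller
providing all services in that site, then the other sites) and the cache
that is rebuilt only when it expires. Controller names, sites and the
service identifiers below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional

# The four services the guide lists; a non-specialized controller offers all of them.
ALL_SERVICES: FrozenSet[str] = frozenset(
    {"administration", "audit", "access_point_registration", "user_enrolment"}
)


@dataclass(frozen=True)
class Controller:
    name: str
    site: str
    services: FrozenSet[str]  # subset of ALL_SERVICES; == ALL_SERVICES when not specialized

    def provides_all(self) -> bool:
        return self.services == ALL_SERVICES

    def dedicated_to(self, service: str) -> bool:
        """True when the controller is specialized and its subset includes `service`."""
        return service in self.services and not self.provides_all()


def _rank(ctl: Controller, site: str, service: str) -> Optional[int]:
    """Lower is tried first; None means the controller cannot serve the request."""
    same_site = ctl.site == site
    if ctl.dedicated_to(service):
        return 0 if same_site else 2
    if ctl.provides_all():
        return 1 if same_site else 3
    return None  # specialized to other services: never used for this one


def connection_order(controllers: List[Controller], site: str, service: str) -> List[str]:
    """Names of the controllers in the order a workstation in `site` tries them."""
    ranked = [(_rank(c, site, service), c.name) for c in controllers]
    return [name for _, name in sorted(r for r in ranked if r[0] is not None)]


class ServiceCache:
    """Caches the directory's controller list and rebuilds it only at expiry.

    `lookup` stands in for the directory query (an assumption of this example);
    `clock` is injectable so the expiry can be exercised without waiting.
    """

    def __init__(self, lookup: Callable[[], List[Controller]], ttl_seconds: float,
                 clock: Callable[[], float]):
        self._lookup = lookup
        self._ttl = ttl_seconds
        self._clock = clock
        self._controllers: List[Controller] = []
        self._expires_at: Optional[float] = None
        self.rebuilds = 0  # how many times the directory was queried

    def controllers(self) -> List[Controller]:
        now = self._clock()
        if self._expires_at is None or now >= self._expires_at:
            self._controllers = list(self._lookup())
            self._expires_at = now + self._ttl
            self.rebuilds += 1
        return self._controllers

    def pick(self, site: str, service: str) -> Optional[str]:
        """First controller to try, or None if no controller can serve the request."""
        order = connection_order(self.controllers(), site, service)
        return order[0] if order else None


# Constructed directory content: two sites, dedicated servers plus one generic server each.
DIRECTORY_CONTROLLERS = [
    Controller("ctl-audit-paris", "paris", frozenset({"audit"})),
    Controller("ctl-admin-paris", "paris", frozenset({"administration"})),
    Controller("ctl-all-paris", "paris", ALL_SERVICES),
    Controller("ctl-audit-lyon", "lyon", frozenset({"audit"})),
    Controller("ctl-all-lyon", "lyon", ALL_SERVICES),
]

if __name__ == "__main__":
    for svc in ("audit", "administration", "user_enrolment"):
        print(svc, "->", connection_order(DIRECTORY_CONTROLLERS, "paris", svc))
```

Running the module prints the order a Paris workstation tries for each service. The ServiceCache class shows why a change made in the console is only picked up once the cache has expired: until then the workstation keeps using the controller list it built earlier.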


1.2.2 Domain Controller Selection


Windows Reminders

In Active Directory (AD), a Site is a physical group of computers represented by one or more IP subnets. On Windows server systems, a Domain Controller (DC) is a server that manages all security-related aspects of the interactions between users and the domain (authentication, permissions and so on) within the Windows server domain. Each domain controller has a copy of the Active Directory (synchronized by multimaster replication) and is associated with a site. Within the same site, replication is fast (with appropriate data transmission), but it can take a long time between different sites, depending on the data type and the configuration of the replication.

Enterprise SSO Functionality

Enterprise SSO introduces a way to select a specific domain controller to work on. There are two situations where the current domain controller can be changed:
- Persistent change: see Section 6.6, Selecting a Domain Controller.
- Password reset operation: see Section 6.2.2.3, Forcing a New User's Primary Password ("Password" Tab).

1.3 A Multi-Domain Architecture


Active Directory Case

In a multi-domain forest, the Active Directory database becomes partitioned: each domain maintains a list of only those objects that belong to that domain. So, for example, a user created in Domain A is listed only in Domain A's domain controllers. With this architecture, the Enterprise SSO data can be stored in two ways:
- Enterprise SSO data is stored in the AD directories and is thus distributed in the forest: see the following figure showing a multi-domain architecture with Enterprise SSO data stored in Active Directory.


[Figure: Corporate Active Directory with a multi-domain forest extended for the Quest ESSO module. Each domain (DOMAIN 1, DOMAIN 2) holds User, Computer and OU objects plus the E-SSO classes and attributes and has its own E-SSO Controller; both controllers share the Audit Master Database. The E-SSO workstation clients running applications in each domain (E-SSO Security Services: Advanced Login, SSO Watch, E-SSO Console) exchange administration/audit data (1) with their controller and read/write data (2) with the directory.]
When the Enterprise SSO data is stored in the multi-domain forest AD, the propagation of the data to the other directories of the forest is done by AD, but you have to declare the Enterprise SSO administrators in the other domains if they have to manage data stored in these other domains, and you have to declare representatives of users and access points if the users have to connect on the workstations of the other domains.


- Enterprise SSO data is stored in only one place, an ADAM directory, and the administration console makes it possible to see at the same time the data in AD and in ADAM: see the following figure showing a multi-domain architecture with Enterprise SSO data stored in ADAM.

[Figure: Corporate Active Directory with a multi-domain forest (AD DOMAIN 1 and AD DOMAIN 2, each holding User, Computer and OU objects) with the E-SSO data stored in a single ADAM directory. An E-SSO Controller in each domain shares the Audit Master Database. The E-SSO workstation clients running applications in each domain (E-SSO Security Services: Advanced Login, SSO Watch, E-SSO Console) exchange administration/audit data and read/write data.]

When the Enterprise SSO data is stored in ADAM, the Enterprise SSO administration is greatly simplified and identical to the single-domain administration.

Architecture Components

The above illustration shows an Enterprise SSO software architecture that allows administrators to manage users that reside in different LDAP domains. The software architecture depends on the way the Enterprise SSO module is installed. For details on the possible architectures depending on the LDAP directory infrastructures, see Enterprise SSO Advanced Installation and Configuration Guide.


It consists of the following modules:
- The corporate LDAP directory, which was the baseline of users of the company before the implementation of the Enterprise SSO architecture. During the installation of the software suite, the schema of this directory is extended with Enterprise SSO specific classes and attributes.
- The Enterprise SSO controllers (primary controller, secondary controllers, associated controllers), which provide administration and audit communications between client stations and the LDAP directory.
- A centralized audit base (called the Master database), which contains all the log entries of every individual Enterprise SSO controller. This concerns both user action log entries and administration action log entries. In that case, the local SQL Server databases of individual servers are only used to store the audit events temporarily, before sending them to the Master base. This audit base can be hosted on databases other than SQL Server. For details on the supported databases, see Quest Enterprise SSO Release Notes.
- The Enterprise SSO client workstations, which communicate directly with the corporate LDAP directory and the Enterprise SSO controllers (for administration and audit data). They are the user's Access Points to applications.
- The applications of the Enterprise SSO module, which are based on the Enterprise SSO Security Services:
  - Enterprise SSO Console: centralized administration and audit consultation tool. This administration console can be installed on any client workstation and allows you to manage users that reside in different LDAP domains.
  - SSOWatch and SSOStudio: the Single Sign-On (SSO) tools.
  - Advanced Login: tool for user authentication by password, smart card, RFID or biometrics, and for workstation security protection.

1.4 General Ergonomic Design


1.4.1 Home Window
The Enterprise SSO Console home window gives access to all available Enterprise SSO modules. Some module icons may not be available for the following reasons:
- The module is not installed.
- You do not have enough administration rights to access the module.

The status bar displays the name of the Enterprise SSO Controller that the Enterprise SSO Console uses.


ICON: DESCRIPTION
- Directory: Gives access to the Directory panel, which allows you to manage all directory objects. This panel is explained in the following sections of this guide: Section 3, Searching the Directory Tree; Section 4, Managing Administrators; Section 5, Managing Security Profiles; Section 6, Managing Directory Objects.
- Smart Card: Gives access to the Smart Card panel, which allows you to manage smart cards. This panel is explained in the following sections of this guide: Section 7, Managing Smart Cards; Section 8, Managing SA Server Devices.
- Biometrics: Gives access to the Biometrics panel, which allows you to display and export the list of users who have enrolled their biometric data. This panel is explained in Section 10, Managing Biometric Enrolment of this guide.
- RFID: Gives access to the RFID panel, which allows you to manage RFID badges. This panel is explained in Section 9, Managing RFID Tokens of this guide.
- Data Privacy: Gives access to the Data Privacy panel, which allows you to manage file encryption. This panel is explained in Section 11, Managing Data Privacy of this guide.
- Audit: Gives access to the Audit panel, which allows you to audit events. This panel is explained in Section 13, Managing Audit Events of this guide.


1.4.2 Directory Panel Overview


The graphical user interface (GUI) of the Enterprise SSO administration console Directory panel is divided in different areas, as shown in the following illustration:

AREA / NAME: DESCRIPTION
1. Menu bar: The menu bar contains 2 types of menus: static menus (File, View and Help), which are always available and always display the same commands, and a dynamic menu (Directory in the above illustration), which displays specific commands depending on the administration panel selected in area 5.
2. Tool bar: The tool bar is dynamic. It displays buttons that are shortcuts to the menu bar items.
3. Tabbed panel: Depending on your administration role and on the selected administration panel, this area displays tabbed panels that allow you to manage and store access rights and user accounts in the LDAP directory (Directory panel), manage a base of corporate smart cards (Smart Card panel), manage a base of RFID tokens (RFID panel), configure file encryption for some users (Data Privacy panel), display biometric data (Biometrics panel) and display audit information (Audit panel).
4. Directory tree: This area appears in the Directory panel only. It displays your LDAP directory administration perimeter.
5. Navigation bar: This area allows you to switch rapidly between the different administration panels. The active panel is shown in a gray circle. Depending on your administration rights, some buttons may be deactivated.


2. Authenticating to E-SSO Console and Managing Protection Modes


Quest provides the two following protection modes for the Enterprise SSO security database:
- Hardware protection mode: Enterprise SSO operating mode in which administration encryption keys are protected by cryptographic smart cards. In this mode, smart cards are required to perform Enterprise SSO administration tasks.
- Software protection mode: Enterprise SSO operating mode in which administration keys are protected by passwords and, if wanted, by smart cards. In this mode, smart cards are not required to perform Enterprise SSO administration tasks.

The protection mode is chosen at installation time, during the primary controller initialization (for more information on installation, see Enterprise SSO Advanced Installation and Configuration Guide).

2.1 Starting/Stopping the Enterprise SSO Console


This section explains how to start and stop the Enterprise SSO Console.

2.1.1 Starting the Enterprise SSO Console


Subject

As the Enterprise SSO Console is an administration console, the way to start it depends on the protection mode used:
- In hardware protection mode, see Section 2.1.1.1, Starting the Enterprise SSO Console in Hardware Protection Mode.
- In software protection mode, see Section 2.1.1.2, Starting the Enterprise SSO Console in Software Protection Mode.

Upon the first start of Enterprise SSO Console, you authenticate from the Security Module or pass phrase as the super-administrator. Then, depending on your needs, you can define as many administrators as you want, and assign for each one an administration role, with specific administration profiles and for specific organizations of the directory (see Section 4, Managing Administrators).

2.1.1.1 Starting the Enterprise SSO Console in Hardware Protection Mode


Before Starting

To start the Enterprise SSO Console in hardware protection mode, make sure you have the Security Module or an administration smart card.

Procedure

1. In the Windows task bar, click Start | Programs | Quest Software | Enterprise SSO | Enterprise SSO Console.
   The Enterprise SSO Console authentication window appears.
2. Insert the Security Module or an administration smart card and type your PIN.
   The Enterprise SSO Console appears.

2.1.1.2 Starting the Enterprise SSO Console in Software Protection Mode


Before Starting

If you start the Enterprise SSO Console in software protection mode for the first time, you must be a primary administrator. If you are not a primary administrator, you must have an administration profile to start the console.

Procedure

First Start

1. In the Windows task bar, click Start | Programs | Quest Software | Enterprise SSO | Enterprise SSO Console.
   The Enterprise SSO Console authentication window appears.
2. As a super-administrator, type your identifier and password.
   The administration pass-phrase window appears.
3. Type the pass-phrase that has been entered at installation time, during the primary controller initialization (see Enterprise SSO Advanced Installation and Configuration Guide) and click OK.
   The Enterprise SSO Console appears.


Everyday Start

1. In the Windows task bar, click Start | Programs | Quest Software | Enterprise SSO | Enterprise SSO Console.
   The Enterprise SSO Console authentication window appears.
2. Type your PIN (smart card) or identifier and password.
   The Enterprise SSO Console appears.

2.1.2 Stopping the Enterprise SSO Console


Subject

The following procedure explains how to normally quit the Enterprise SSO Console.

Procedure

1. To stop the Enterprise SSO Console, click File | Exit.
   A confirmation window appears.
2. Click Yes.
   The Enterprise SSO Console is closed.

2.2 Managing Protection Modes


2.2.1 Displaying the Current Protection Mode
Procedure

The Enterprise SSO Console allows you to display the current protection mode. In Enterprise SSO Console, click File | Protection Mode. The protection mode administration window appears, displaying the current protection mode and information about it. The following window shows an example of software protection mode.


2.2.2 Migrating from Software Mode to Hardware Mode


Subject

If you migrate from software to hardware protection mode, the administration keys will be protected by smart cards only; you will no longer be able to log on to Enterprise SSO without a smart card. In hardware mode:
- The administration keys are protected by the Security Module.
- The Security Module or a smart card is required to start Enterprise SSO Console.
- The Password Reset server is configured to use smart card authentication.

Before Starting

- You must be a primary administrator to perform this task.
- Make sure all administrators possess smart cards that grant administration rights.
- Make sure you have an Enterprise SSO Security Module smart card and the administration pass-phrase that is currently protecting the security database.
- If you use the Enterprise SSO Password Reset server, make sure it is configured to use smart card authentication (see Enterprise SSO Advanced Installation and Configuration Guide).


Procedure

1. Display the protection mode as explained in Section 2.2.1, Displaying the Current Protection Mode.
2. In the Migration tab, click the Migrate to hardware mode button.
   The change protection mode window appears, asking you to insert the Security Module, its associated PIN and the administration pass-phrase.
3. Enter the information required and click OK.
   A confirmation window appears.
4. Click OK.
   You are now working in hardware protection mode.

2.2.3 Managing Administrators whose Administration Keys are Protected by Software Encryption
Subject

The migration from software to hardware protection mode does not delete all copies of the administration keys from the directory: the directory still contains an encrypted copy of one or both of the following administration keys:
- SSO Recovery: key pair that protects the copy of the owner's recoverable SSO key in the directory.
- Token Administration: key pair that protects smart card administration data in the directory.

This section explains how to display and manage the administrators who have copies of one or both of these administration keys.

Before Starting

You must be a primary administrator to delete copies of an administration key.


Procedure

1. Display the protection mode as explained in Section 2.2.1, Displaying the Current Protection Mode.
2. Click the Software Mode Keys tab.
   The tab lists the names of the administrators who have copies (stored in the directory) of one or both administrative encryption keys.
3. To delete the copies of the administration keys, select the wanted line and click Delete Keys.
   The copies of the administration keys encrypted by the recoverable keys of the selected users are deleted from the directory.


3. Searching the Directory Tree


Subject

The search functionality is available from the Directory panel. The search results appear as a tree under the Search request node. If you execute several search requests, they all appear as nodes in the tree.

For performance reasons, you cannot search for a directory container in the directory. Objects designated with a CN are the only ones that can be found.

Before Starting

To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: "Security object administrator" or "Access administrator" or "Rights administrator" or "Smart card administrator" or "File Encryption administrator".
- In advanced administration mode, your role must contain the following right: "Directory: Browsing".

3.1 Searching for Directory Objects


Subject

This section explains how to use the search function in Enterprise SSO Console. You can only find objects that you are allowed to access, according to your administration rights.

Procedure

1. In the Directory panel, click the Search request node, or press CTRL+F.
   The search configuration tab appears. For a full description of the tab, see the following Search Configuration Tab - Description section.
2. In the Search root field, click the Select button to select the organization in which you want to search for an object: use the Browse tab to browse the directory tree structure, or use the Search tab to find the organization according to its name.
3. In the Object type list, select the type of object you want to search for.
4. In the Filter field, type the wanted search request, as explained in the tab instructions, and click Search.
   The search result appears in a new node in the Directory panel, under the Search request node. The following example window shows the result of two search requests.

Search Configuration Tab - Description

- Search root field: The container in which the search is performed. If you leave this field empty, the search is performed in all the directory organizations that you are authorized to access.
- Select button: Opens the organization selection window, which allows you to browse the directory tree structure (Browse tab) or filter the directory tree (Search tab) to find the organization.
- Remove button: Removes the organization from the field. An empty field means all organizations.
- Object type list: List of directory objects you can search for in the directory. For performance reasons, you cannot search for an organization in the directory. Objects designated with a CN are the only ones that can be found.
- Filter field: Name of the object (or part of the name, using the * character) you want to search for.
- Search button: Performs the search.
- Clear all button: Deletes all search requests from the directory tree.
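The Search root, Object type and Filter fields described above map naturally onto an LDAP base DN, an objectClass and a CN filter. The following Python example is added here and is not part of this guide or of the Quest product: it builds that filter while escaping every special character except the user's * wildcard, and it refuses a search root that lies outside the organizations the administrator is authorized to access (an empty root meaning all of them). The object class names, DNs and helper names are assumptions, and the DN comparison splits on commas, which is enough for the sample DNs here but not for DNs containing escaped commas.

```python
"""Building the LDAP search that the Search Configuration tab describes.

Added example, not Quest code. It turns the tab's three inputs (search root,
object type, CN filter with "*" wildcards) into (base DN, filter) pairs,
escaping filter values per RFC 4515 and checking the chosen root against the
administrator's perimeter. Object classes and DNs are constructed placeholders.
"""
from typing import Dict, List, Tuple

# RFC 4515 escapes for the characters that are special inside a filter value.
_FILTER_ESCAPES: Dict[str, str] = {
    "\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00",
}


def escape_filter_value(value: str, keep_wildcard: bool = False) -> str:
    """Escape `value` for use inside an LDAP filter.

    With keep_wildcard=True the user's "*" survives as a wildcard; everything
    else that could alter the filter's structure is escaped.
    """
    out = []
    for ch in value:
        if ch == "*" and keep_wildcard:
            out.append("*")
        else:
            out.append(_FILTER_ESCAPES.get(ch, ch))
    return "".join(out)


def build_cn_filter(object_class: str, pattern: str) -> str:
    """Filter for objects of `object_class` whose CN matches `pattern`."""
    if not pattern:
        raise ValueError("the Filter field must not be empty")
    return "(&(objectClass=%s)(cn=%s))" % (
        escape_filter_value(object_class),
        escape_filter_value(pattern, keep_wildcard=True),
    )


def _rdns(dn: str) -> List[str]:
    """Case-folded RDN list, most specific first (simplified DN parsing)."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def is_within_perimeter(root_dn: str, authorized_dns: List[str]) -> bool:
    """True when `root_dn` is one of, or lies under, the authorized organizations."""
    root = _rdns(root_dn)
    for auth_dn in authorized_dns:
        auth = _rdns(auth_dn)
        if len(auth) <= len(root) and root[len(root) - len(auth):] == auth:
            return True
    return False


def plan_search(object_class: str, pattern: str,
                authorized_dns: List[str], root_dn: str = "") -> List[Tuple[str, str]]:
    """(base DN, filter) pairs to run: one per authorized organization when the
    root is empty, otherwise a single search under the chosen root."""
    ldap_filter = build_cn_filter(object_class, pattern)
    if root_dn == "":
        return [(dn, ldap_filter) for dn in authorized_dns]
    if not is_within_perimeter(root_dn, authorized_dns):
        raise PermissionError("search root %r is outside the administration perimeter" % root_dn)
    return [(root_dn, ldap_filter)]


# Constructed perimeter: this administrator may see two organizations.
PERIMETER = ["OU=Sales,DC=corp,DC=example", "OU=Support,DC=corp,DC=example"]

if __name__ == "__main__":
    for base, flt in plan_search("user", "jo*", PERIMETER):
        print(base, flt)
```

The escaping step is what keeps the Filter field a name pattern and nothing more: a value such as a)(cn=* is searched for literally (apart from the trailing wildcard) instead of changing the shape of the filter.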


3.2 Deleting Search Requests


Subject

You can delete search requests one by one or all requests simultaneously.

Procedures

Deleting a Search Request

1. In the directory tree, select the search request you want to delete.
   The Information tab appears.
2. Click the Delete button.
   The search request node disappears from the tree.

Deleting All Search Requests

1. In the directory tree, select the Search request node.
   The search configuration tab appears.
2. Click the Clear all button.
   All search request nodes disappear from the tree.


4. Managing Administrators
Subject

This section describes how to delegate, transfer and delete administration profiles in order to manage the users declared in your LDAP directory who are allowed to administer the Quest Enterprise SSO solution through the Enterprise SSO Console. An administration role is made up of the following elements:
- The administration role scope: the objects of the directory on which the administration role applies.
- One or several administration profile(s): the administration rights allocated to the administration role.
- A parent administrator (optional).
- An audit filter that indicates which administrator actions should be audited.

Enterprise SSO Console allows you to assign administration profiles to users so that they can perform the corresponding administration tasks.

4.1 Administration Modes Presentation


Quest provides the two following administration modes:
- The classic administration mode: see Section 4.1.1, The Classic Administration Mode.
- The advanced administration mode: see Section 4.1.2, The Advanced Administration Mode.

The administration mode is selected at installation time.

4.1.1 The Classic Administration Mode


Definition In classic administration mode, administration rights are classified into eight predefined administration profiles that you apply to users so that they can perform their administration tasks in the Enterprise SSO Console. These administration profiles cannot be modified.


To migrate from the classic administration mode to the advanced administration mode, see Enterprise SSO Advanced Installation and Configuration Guide.

The list of existing administration profiles and their corresponding administration rights (available in advanced administration mode) is given in Appendix C, List of Administration Rights.

Delivered Administration Profiles

Quest delivers the following administration profiles:

ADMINISTRATION PROFILE NAME: DESCRIPTION
- "Security object administrator": This role allows the administrator to manage the tokens' inventory and to change the following security objects: time slices, Password Format Control Policies (PFCP), Password Generation Policies (PGP), User Security Profiles, Access Point Security Profiles and Application Security Profiles.
- "Access administrator": This role allows the administrator to authorize applications and users on access points.
- "Rights administrator": This role allows the administrator to authorize a user to use an application. This right also requires administration rights on the application.
- "Smart card administrator": This role allows the administrator to manage smart cards.
- "File Encryption administrator": This role allows the administrator to manage the Data Privacy feature.
- "Auditor": This role allows the administrator to manage the audit.
- "SSO Data Recoverer": This role allows the administrator to reassign recoverable accounts to the user and to change the user's means of authentication without the user losing his SSO data.
- "Authorize propagation of administration rights": This option allows the administrator to delegate his/her administration rights. This delegation is restricted to the administrator's rights and visibility.


4.1.2 The Advanced Administration Mode


Definition

In advanced administration mode, the administration profiles are not limited to eight categories: you can create your own administration profiles by selecting the wanted administration rights.

Possible Administration Rights

The list of administration rights available in advanced administration mode (and their corresponding administration profiles in classic administration mode) is given in Appendix C, List of Administration Rights.

4.1.3 Administration Role Inheritance


The administration role inheritance principle can be represented by the following tree structure:

[Figure: Administration Role Inheritance. At the root of the tree: IT Security Manager (Security Module or Pass phrase), the Super Administrator; below it, the delegated administrators Admin 1, Admin 2, Admin 3, Admin 4 and Admin 5.]

The tree structure root is the IT Security Manager (or primary administrator), which corresponds to a specific user created in the LDAP directory during the installation of the solution. The IT Security Manager administration keys are encrypted with a Security Module or a pass phrase (for more information on the protection modes, see Section 2, Authenticating to E-SSO Console and Managing Protection Modes). Upon the first start of Enterprise SSO Console, you authenticate from the Security Module or pass phrase as the super-administrator. Then, depending on your needs, you can define as many administrators as you want, and assign to each one an administration profile, with specific administration roles and for specific organizations of the directory.


An administration role is inherited in the following ways:
- Delegate: the current administrator copies his/her administration role to the selected user.
- Transfer: the administration role of the selected user is transferred to another user (who must not have administration rights yet). This new user replaces the previous administrator.
- Delete: the administration role of the selected user is deleted. The child items of the deleted administrator in the administration tree structure are now attached to the deleted administrator's parent.

In advanced administration mode, the "User administration profile: administration rights manager" administration right allows an administrator to delegate his administration rights to, or delete rights from, an administrator for whom he/she is not the parent administrator.

4.2 Delegating Administration Profiles


Subject Delegating administration profiles consists in copying to a user all or a part of your administration role.
For more details on the administration profiles inheritance mechanisms, see Section 4.1.3, Administration Role Inheritance.

Before Starting

Check that you meet the following requirements:
- The user to whom you want to delegate administration profiles must be created in the directory.
- You must have at least the following administration role:
  - In classic administration mode: "Authorize propagation of administration rights" and one of the following profiles: "Security object administrator", "Access administrator" or "Rights administrator".
  - In advanced administration mode, your role must contain the following rights: "User administration profile: Delegation" and "Directory: Browsing".
- In software protection mode, the user to whom you want to delegate administration profiles must have authenticated to the Enterprise SSO Console at least once.

Restriction You cannot delegate Organizational Units that are outside your administration perimeter.
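The delegate, transfer and delete operations of Section 4.1.3 together with the delegation requirements and the perimeter restriction above, modelled as an added Python example that is not part of this guide or of the Quest product. The profile names are the classic-mode names from this guide; the user identifiers, organization names and error messages are constructed, and the rule that the root administrator cannot be deleted is an assumption of the model.

```python
"""Administration role inheritance: delegate, transfer, delete.

Added example, not Quest code: a small model of the administration tree and
of the classic-mode delegation checks described in the guide. Profile names
are the guide's classic-mode names; user identifiers, organization names and
error messages are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

PROPAGATION = "Authorize propagation of administration rights"
DELEGATING_PROFILES = {"Security object administrator", "Access administrator",
                       "Rights administrator"}


@dataclass
class AdminRole:
    profiles: Set[str]
    organizations: Set[str]   # administration perimeter (OUs)
    parent: Optional[str]     # parent administrator; None for the root


class AdminTree:
    def __init__(self, root: str, root_profiles: Set[str], root_organizations: Set[str]):
        # The root is the IT Security Manager created at installation time.
        self.roles: Dict[str, AdminRole] = {
            root: AdminRole(set(root_profiles), set(root_organizations), None)
        }

    def children(self, admin: str) -> List[str]:
        return sorted(u for u, r in self.roles.items() if r.parent == admin)

    def delegate(self, delegator: str, user: str,
                 profiles: Optional[Set[str]] = None,
                 organizations: Optional[Set[str]] = None) -> AdminRole:
        """Copy all or part of `delegator`'s role to `user` (classic-mode checks)."""
        src = self.roles[delegator]
        # The delegator needs the propagation profile plus one delegating profile.
        if PROPAGATION not in src.profiles or not (src.profiles & DELEGATING_PROFILES):
            raise PermissionError("%s may not delegate administration rights" % delegator)
        profiles = set(src.profiles) if profiles is None else set(profiles)
        organizations = set(src.organizations) if organizations is None else set(organizations)
        if not profiles <= src.profiles:
            raise PermissionError("cannot delegate profiles the delegator does not hold")
        if not organizations <= src.organizations:
            raise PermissionError("cannot delegate organizations outside the perimeter")
        role = AdminRole(profiles, organizations, parent=delegator)
        self.roles[user] = role
        return role

    def transfer(self, old: str, new: str) -> AdminRole:
        """Move `old`'s role to `new`, who must not be an administrator yet."""
        if new in self.roles:
            raise ValueError("%s already has an administration role" % new)
        role = self.roles.pop(old)
        self.roles[new] = role
        for child in self.children(old):
            self.roles[child].parent = new   # the new user replaces the previous one
        return role

    def delete(self, user: str) -> None:
        """Remove `user`'s role; its children are re-attached to `user`'s parent."""
        role = self.roles[user]
        if role.parent is None:
            # Assumption of this model: the root administrator is never deleted.
            raise ValueError("the root administrator cannot be deleted")
        for child in self.children(user):
            self.roles[child].parent = role.parent
        del self.roles[user]


if __name__ == "__main__":
    tree = AdminTree("it-security-manager",
                     DELEGATING_PROFILES | {PROPAGATION, "Auditor"},
                     {"OU=Corp", "OU=Sales", "OU=Support"})
    tree.delegate("it-security-manager", "admin1")
    tree.delegate("admin1", "admin2", {"Access administrator"}, {"OU=Sales"})
    tree.delete("admin1")
    print(tree.children("it-security-manager"), tree.roles["admin2"])
```

The two PermissionError branches in delegate are the model's version of the requirements listed above: a delegated role is always a subset of the delegator's profiles and perimeter.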


Procedure

1. In the Directory panel, select the user to whom you want to delegate your administration profile.
2. In the Administration tab, click Delegate.
   The tab is automatically filled in with your administration profile attributes and the selected user now has an administration profile.

   Classic Administration Mode

   Advanced Administration Mode

3. If you want to modify the delegated administration profile, modify this tab as follows:
   a) Advanced organization(s) area: in this area, modify the administration perimeter by adding or removing Organizational Units (OU) using the Add and Remove buttons. For complete visibility, select the directory root. You can add as many organizations as required.
   b) Managed users area: by default, this area is empty, which means the administrator can manage all the people registered in the administered organizations. To restrict the number of users to administer, define in this area the groups and organizational units of the administration perimeter containing the users to administer.
   c) Administration role area:
      - In classic administration mode: select the check boxes corresponding to the administration profiles you want to delegate to the user (for more details on existing administration profiles, see Section 4.1.1, The Classic Administration Mode).
      - In advanced administration mode: select the administration profiles you want to assign to the user by using the Add and Remove buttons. To create a new administration profile, see Section 4.3, Managing Administration Profiles.
   d) Set Parent Administrator button: by default, the parent administrator is the administrator who delegates his administration rights. If you want to set another parent administrator, click Set Parent Administrator. For more details, see Section 4.7, Modifying the Parent Administrator.
   e) Audit area (advanced administration mode only): assign an audit filter to the selected administrator, as explained in Section 13.2.2, Assigning an Audit Filter to Specific Objects.
4. Click Apply.
5. Assign an authentication token with administrator rights to the user. For more details, see Section 7.1.2, Assigning a Smart Card to a User.

4.3 Managing Administration Profiles


Subject

An administration profile is a set of administration rights. Enterprise SSO Console used in advanced administration mode allows you to define your own administration profiles by selecting a number of administration rights.

This functionality is only available if you use Enterprise SSO Console in advanced administration mode.

4.3.1 Creating/Editing an Administration Profile


Subject

This section explains how to create or modify an administration profile.

Before Starting

To add an administration right to the administration profile, you must either possess this right or possess the "User administration profile: administration rights manager" right. Make sure you have all the administration rights you want to add to the profile, or the "User administration profile: administration rights manager" right. To be able to perform the tasks described in this section, your role must contain the following administration rights: "User administration profile: Delegation", "Administration profile: Creation/Modification", "Directory: Browsing".

33

Quest Enterprise SSO 8.0.3 - Enterprise SSO Console

Procedure
1. In the Administration profile tab, in the Administration role area, click the Add button.
   The administration profile selection window appears.
2. Do one of the following, depending on the operation you want to perform:
   To create a new profile, click the Add button.
   To modify an existing profile, select the wanted profile and click Edit.
   The Administration profile edition window appears.
3. In the Administration profile name field, type a name for the administration profile you are creating or modifying.
4. Set the scope of the administration profile (optional) and use the Add and Remove buttons to select the administration rights you want to be contained in the profile, as explained in the following Administration Profile Window Description section.


Administration Profile Window Description
This section describes the administration profile edition window.

INTERFACE ELEMENT: DESCRIPTION

Profile name: Name of the administration profile you are creating or modifying.

Additional organization (optional): Scope of the administration profile, that is, all the objects on which the administration profile applies. This field allows you to define the organizations that must be assigned to the administrator at the same time as the administration profile. The button allows you to select the perimeter of the administration profile in the directory, by browsing the directory or by executing a search request. The Clear button removes the organization from the field.

Administration rights: List of all available Enterprise SSO administration rights that you can add to the administration profile. All rights are written in the following format: <object or authorization name>:<right name>

Administration rights granted by this profile: List of administration rights that will be assigned to the administrator. You cannot add to the profile an administration right that you do not already own.

Add button: Adds the selected administration rights to the administration profile.

Remove button: Removes the selected administration rights from the administration profile.


4.3.2 Deleting an Administration Profile


Subject
This section explains how to delete an administration profile. You can delete an administration profile even if you have not created it.

Before Starting
To be able to perform the task described in this section, you must have at least the following administration right: "Administration profile: Deletion".

Procedure
1. In the Administration profile tab, in the Administration role area, click the Add button.
   The administration role selection window appears.
2. Select the profile you want to delete and click Delete.

4.4 Transferring an Administration Role


Subject
Transferring an administration role consists of transferring an administration role to another user. The user who transfers his administration role is no longer an administrator.
For more details on the administration profile inheritance mechanisms, see Section 4.1.3, Administration Role Inheritance.

Before Starting
Check that you meet the following requirements:
The user to whom you want to transfer the administration role must already exist in the directory.
Make sure you have at least the following administration role:
In classic administration mode: "Authorize propagation of administration rights" and one of the following profiles: "Security object administrator", "Access administrator" or "Rights administrator".
In advanced administration mode: your role must contain the following administration right: "User administration profile: Delegation".

Procedure
1. In the Directory panel, select the administrator whose administration role you want to transfer.
2. In the Administration tab, click Transfer.
   The User selection window appears.
3. Select the user to whom you want to transfer the administration role of the selected administrator and click OK.
   The administration role of the administrator is deleted and transferred to the selected user.


4.5 Deleting Administration Role


Subject
Deleting an administration role consists of removing the administration role of a user.
If the deleted administration role was itself a parent administration role, the administrators it was the parent of get the parent administrator of the deleted administrator as their new parent administrator.

Before Starting
To perform this task, you must be a parent administrator.

Procedure
1. In the Directory panel, select the user whose administration profile you want to delete.
2. In the Administration Profile tab, click Delete.
   The administration profile of the user is deleted.

4.6 Displaying your Administration Role


Subject
At any time, you can display your administration role to get more information on your administration profiles (and rights, if working in advanced administration mode), your administration perimeter and your parent administrator.

Procedure
1. In the File menu, click Administration Profile | Current profile.
   The current profile tab appears.
   Window examples: Classic administration mode; Advanced administration mode.
2. From this window, click the wanted tab to display the following information:
   The Current profile tab displays:
   Your parent administrator (not defined if this involves the security module or pass-phrase).
   Your LDAP directory administration perimeter.
   Your administration profiles. In advanced administration mode, the Show rights button allows you to display the administration rights corresponding to the displayed profiles.
   The Profile propagation tree tab displays the administration rights propagation tree, which shows all the administrators of the LDAP directory and their links (parent/child/no link).
   The Administered applications tab displays the list of applications for which you have administration rights.
   The Administered users tab displays the list of users for which you have administration rights.

4.7 Modifying the Parent Administrator


Subject
By default, the administrator who creates an administration profile is the parent administrator of this profile. If needed, you can modify the parent administrator.

Before Starting
To perform this task, you must be a parent administrator.

Procedure
1. In the Directory panel, select the user for which you want to modify the parent administrator.
2. In the Administration Profile tab, click Set Parent Administrator.
   The User selection window appears.
3. Select the new parent administrator and click OK.


4.8 Defining Multiple Primary Administrators


Subject
This option allows the definition of multiple super administrators. A super administrator is allowed to manage:
All the LDAP directories.
All the Applications.

Procedure
1. In the File menu, click Configuration and select the Primary administrators tab.
   The Primary Administrator tab appears.
2. Use the Add and Remove buttons to define auxiliary primary administrators.
   All Policy Manager administrators are Enterprise SSO super administrators. Do not remove them.


5. Managing Security Profiles


Subject
Upon the installation of the Enterprise SSO controller, default security profiles are created. These objects are required to manage the target objects, which are Users, Access Points and Applications. Depending on your administration perimeter, you can use the default Security Profiles, or create, modify and delete your own ones, as described in this section.

Before Starting
To optimize network traffic, you can use the update management feature. By default, the Enterprise SSO workstations retrieve the whole SSO configuration periodically. The update management feature allows you to post an update, which generates a unique identifier. The workstations retrieve the application data together with this identifier. As long as the identifier is unchanged between the directory and the cache of the workstations, the workstations do not update their SSO configurations.
To enable or disable the update management feature, in the File menu of Enterprise SSO Console, select Manage updates.
When a workstation runs an update, it retrieves the entire configuration (and not only the configuration corresponding to the last posted update). So this feature does not prevent workstations from retrieving applications configured by administrators after the last posted update, if the data on the workstation is older than the last posted update.
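To make the caveat concrete, here is an added Python model of the update management cycle described above. It is illustrative code written for this section, not Enterprise SSO code: the Directory and Workstation classes, the post_update and periodic_refresh names, the counter used as the update identifier and the example.test URLs are all assumptions of the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Directory:
    """SSO configuration held in the directory, plus the last posted update identifier."""
    applications: dict[str, dict] = field(default_factory=dict)
    update_id: int = 0          # identifier of the last posted update; 0 means none posted yet

    def configure_application(self, name: str, settings: dict) -> None:
        """An administrator creates or modifies an application (this alone posts nothing)."""
        self.applications[name] = dict(settings)

    def post_update(self) -> int:
        """The 'post an update' action: generate a new identifier (a plain counter here)."""
        self.update_id += 1
        return self.update_id


@dataclass
class Workstation:
    """A workstation's cache of the SSO configuration."""
    name: str
    cached_id: int | None = None                       # identifier seen at the last download
    cached_config: dict[str, dict] = field(default_factory=dict)

    def periodic_refresh(self, directory: Directory, manage_updates: bool) -> bool:
        """One periodic refresh cycle. Returns True when the whole configuration was downloaded.

        With the feature disabled, every cycle downloads everything (the default behaviour).
        With it enabled, the workstation compares its cached identifier with the directory's
        and downloads only when they differ; the download is then still the entire
        configuration, never just the part posted since the last update.
        """
        if manage_updates and self.cached_id == directory.update_id:
            return False                                # unchanged identifier: keep the cache
        self.cached_config = {k: dict(v) for k, v in directory.applications.items()}
        self.cached_id = directory.update_id
        return True


def scenario() -> dict:
    """Walk through the caveat in the text with two workstations (constructed sample data)."""
    d = Directory()
    d.configure_application("mail", {"url": "https://mail.example.test"})   # constructed URL
    d.post_update()                                 # update 1 posted
    fresh, stale = Workstation("fresh"), Workstation("stale")
    fresh.periodic_refresh(d, manage_updates=True)  # fresh is now up to date with update 1
    # An administrator then configures another application without posting an update.
    d.configure_application("erp", {"url": "https://erp.example.test"})    # constructed URL
    return {
        "fresh_downloaded": fresh.periodic_refresh(d, manage_updates=True),  # False: id unchanged
        "stale_downloaded": stale.periodic_refresh(d, manage_updates=True),  # True: no cached id
        "fresh_apps": sorted(fresh.cached_config),   # ['mail'] only
        "stale_apps": sorted(stale.cached_config),   # ['erp', 'mail']: the unposted app came along
        "without_feature": fresh.periodic_refresh(d, manage_updates=False),  # True: always downloads
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The "stale" workstation shows the point made in the text: because a download is always the entire configuration, a workstation whose cache is older than the last posted update also receives the applications that were configured after that update.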

5.1 Managing Timeslices


Subject
Managing Timeslices consists of creating, modifying and deleting Timeslices.

Object Definition
Timeslices are Security objects that define the periods during which the target objects can be accessed or are inhibited.

Target Objects
Timeslices are required to define the following target objects:
User Security Profiles.
Access Point Security Profiles.
Applications.


5.1.1 Creating/Modifying Timeslices


Before Starting
To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Security object administrator".
In advanced administration mode: your role must contain the following right: "Schedule: Creation/Modification".

Procedures
Creating Timeslices
1. In the tree structure of the Directory panel, right-click the Organizational Unit that must contain your Timeslice and select New | Timeslice.
   The Timeslice configuration tab appears.
2. Fill in this window as described in Section 5.1.2, Configuring Timeslices, and click Apply.
   The Timeslice appears in the directory tree structure.

Modifying Timeslices
If you modify a Timeslice already used by target objects, your modifications apply to all the target objects associated with this security object.
1. In the tree structure of the Directory panel, select the Timeslice to modify.
   The Timeslice configuration tab appears.
2. Fill in this window as described in Section 5.1.2, Configuring Timeslices, and click Apply.
   The Timeslice is modified.

5.1.2 Configuring Timeslices


Before Starting
For general information on the Timeslice Security objects, see Section 5.1, Managing Timeslices.
To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Security object administrator".
In advanced administration mode: your role must contain the following right: "Schedule: Creation/Modification".

Window Example

Procedure
1. Type the Timeslice name.
2. Define the time slot periods for each day of the week, hour by hour, by clicking each hour cell to make it valid or not valid.
   Red: time slot not valid.
   Blue: time slot valid.
3. Define a validity period by selecting start and/or end dates. If no date is selected, the object validity is permanent.
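The following added Python example, which is not part of the original guide and not Enterprise SSO code, models a Timeslice as exactly the three things entered in the steps above (a name, a seven-day by 24-hour grid of valid and invalid slots, and optional start and end dates) and evaluates whether an access at a given date and time falls inside it. The Timeslice class, its methods and the sample business_hours schedule are assumptions of this example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, datetime


@dataclass
class Timeslice:
    """A Timeslice as entered in the configuration tab: name, hourly grid, validity dates."""
    name: str
    # grid[weekday][hour] is True when the hour is valid ("blue"), False when not ("red").
    # weekday 0 is Monday, as returned by datetime.weekday().
    grid: list[list[bool]] = field(default_factory=lambda: [[False] * 24 for _ in range(7)])
    valid_from: date | None = None   # start date; None means no start date
    valid_to: date | None = None     # end date; None means no end date

    def allow(self, weekdays, start_hour: int, end_hour: int) -> Timeslice:
        """Mark hours start_hour .. end_hour-1 on the given weekdays as valid (click them blue)."""
        for d in weekdays:
            for h in range(start_hour, end_hour):
                self.grid[d][h] = True
        return self

    def is_active(self, when: datetime) -> bool:
        """True when access is allowed at `when`.

        The validity period is checked first: outside it the Timeslice is inactive
        whatever the grid says. Then the cell for the weekday and hour is consulted;
        a whole hour is one cell, so 17:59 belongs to the 17:00 slot.
        """
        day = when.date()
        if self.valid_from is not None and day < self.valid_from:
            return False
        if self.valid_to is not None and day > self.valid_to:
            return False
        return self.grid[when.weekday()][when.hour]


def business_hours() -> Timeslice:
    """Constructed sample: Monday to Friday, 08:00 to 18:00, valid during 2009 only."""
    ts = Timeslice("Office hours", valid_from=date(2009, 1, 1), valid_to=date(2009, 12, 31))
    return ts.allow(range(0, 5), 8, 18)


def check(ts: Timeslice, when: str) -> bool:
    """Evaluate the Timeslice at an ISO 8601 timestamp such as "2009-03-02T09:30"."""
    return ts.is_active(datetime.fromisoformat(when))


def demo() -> dict[str, bool]:
    """Constructed moments that exercise each rule of the sample Timeslice."""
    ts = business_hours()
    moments = {
        "2009-03-02T09:30": "Monday inside the slot",
        "2009-03-02T18:00": "Monday, first hour after the slot",
        "2009-03-07T10:00": "Saturday",
        "2008-12-31T10:00": "Wednesday, before the start date",
        "2010-03-01T10:00": "Monday, after the end date",
    }
    return {f"{when} ({why})": check(ts, when) for when, why in moments.items()}


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label}: {'allowed' if allowed else 'refused'}")
```

The order of the two checks matters: a Timeslice whose end date has passed refuses access even on a weekday and hour that are marked valid, which is the behaviour to expect when a temporary Timeslice is left assigned to a profile after its period.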

5.1.3 Displaying Timeslice Event Logs


Subject
The Events tab allows you to display all the events that are directly or indirectly linked to the selected object, for a defined period (the last two days by default). This report contains both User action and administration log entries.

Restriction
The Events tab only appears if you have the following administration role:
In classic administration mode: "Auditor".
In advanced administration mode: your role must contain the following right: "Audit: Visualization".
For more details on administration roles, see Section 4, Managing Administrators.

Procedure
1. In the tree structure of the Directory panel, select the wanted Timeslice.
2. Click the Events tab.
   The Events tab appears.
3. In the Filter area, define a period of time to filter the log entries and click Apply (for more information on event logs, see Section 13.2.1, Filtering Audit Records).

5.1.4 Renaming Timeslices


Before Starting
To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Security object administrator".
In advanced administration mode: your role must contain the following right: "Schedule: Creation/Modification".

Procedure
1. In the tree structure of the Directory panel, right-click the Timeslice to rename and select Rename.
2. Type the new name of the object and press Enter.

5.1.5 Deleting Timeslices


Subject
If you delete a Timeslice used by target objects, these target objects will use the default Timeslice.

Before Starting
To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Security object administrator".
In advanced administration mode: your role must contain the following right: "Schedule: Deletion".

Procedure
In the tree structure of the Directory panel, right-click the Timeslice to delete and select Delete.
The Timeslice is deleted from the directory tree structure.


5.2 Managing Password Format Control Policies


Subject
This section describes how to create, modify and delete Password Format Control Policies (PFCP).

Object Definition
A password format control policy defines the number of characters (minimum and maximum lengths) and the types of characters required for a password to be accepted during an application authentication phase.

Target Objects
PFCP are required to define Applications.

5.2.1 Creating/Modifying Password Format Control Policies


Before Starting
To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Security object administrator".
In advanced administration mode: your role must contain the following right: "Password format control policy: Creation/Modification".

Procedures
Creating Password Format Control Policies
1. In the tree structure of the Directory panel, right-click the Organizational Unit that must contain your PFCP and select New | Password Control Policy.
   The PFCP configuration tab appears.
2. Fill in this window as described in Section 5.2.2, Configuring Password Format Control Policy, and click Apply.
   The PFCP appears in the directory tree structure.

Modifying Password Format Control Policies
If you modify a PFCP already used by target objects, your modifications apply to all the target objects associated with this security object.
1. In the tree structure of the Directory panel, select the PFCP to modify.
   The PFCP configuration tab appears.
2. Fill in this window as described in Section 5.2.2, Configuring Password Format Control Policy, and click Apply.
   The PFCP is modified.


5.2.2 Configuring Password Format Control Policy


Before Starting
For general information on the PFCP objects, see Section 5.2, Managing Password Format Control Policies.
To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Security object administrator".
In advanced administration mode: your role must contain the following right: "Password format control policy: Creation/Modification".

Window Example

Procedure
1. Type the PFCP name.
2. In the Password Format area, define the minimum and maximum number of characters, the maximum number of occurrences of the same character allowed in passwords, and whether to prevent successive occurrences of the same character.
3. In the Allowed characters area, define the number of lower case, upper case, digit and special characters allowed in passwords, and their position.
   The following special characters are permissible:
   ~ , | ] ? " ` = ; # + . ' _ } : { \ $ / ( @ % ! [ ) *
   Accented characters are not permissible.
   For each type of character, the check boxes located on the right-hand side of the dialog box allow you to define the position of the character as follows:
   The first check box corresponds to the first character.
   The second check box corresponds to the middle characters.
   The third check box corresponds to the final character.
4. Define a list of forbidden characters (Forbidden characters area).
5. Click the Test password generation button to check that the generated passwords match your requirements.
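As an added example that is not Enterprise SSO code, the following Python checker applies the settings described in the steps above to candidate passwords and reports every rule a password breaks, and it includes a rejection-sampling generator in the spirit of the Test password generation button. The PFCP and CharClassRule names, the reading of each character-class count as a required minimum, and the sample policy are assumptions of this example; the permissible special character set is the one listed above.

```python
from __future__ import annotations
import secrets
import string
from collections import Counter
from dataclasses import dataclass, field

# Special characters listed as permissible above (accented characters are not).
SPECIALS = set('~,|]?"`=;#+.\'_}:{\\$/(@%![)*')

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": SPECIALS,
}


@dataclass
class CharClassRule:
    """One row of the Allowed characters area (assumed meaning: minimum count + positions)."""
    minimum: int = 0          # minimum number of characters of this class
    first: bool = True        # first check box: allowed as the first character
    middle: bool = True       # second check box: allowed in the middle positions
    final: bool = True        # third check box: allowed as the final character


@dataclass
class PFCP:
    name: str
    min_length: int = 8
    max_length: int = 16
    max_same_char: int = 2                 # maximum occurrences of any one character
    no_successive_repeat: bool = True      # forbid "aa", "11", "##", ...
    rules: dict[str, CharClassRule] = field(default_factory=dict)
    forbidden: set[str] = field(default_factory=set)   # Forbidden characters area

    def violations(self, pwd: str) -> list[str]:
        """Return every rule the password breaks; an empty list means it is compliant."""
        problems = []
        if not self.min_length <= len(pwd) <= self.max_length:
            problems.append(f"length {len(pwd)} not in [{self.min_length}, {self.max_length}]")
        if pwd and max(Counter(pwd).values()) > self.max_same_char:
            problems.append(f"a character occurs more than {self.max_same_char} times")
        if self.no_successive_repeat and any(a == b for a, b in zip(pwd, pwd[1:])):
            problems.append("successive identical characters")
        if set(pwd) & self.forbidden:
            problems.append("forbidden character used")
        if set(pwd) - set().union(*CLASSES.values()):
            problems.append("character outside the permissible set (accented characters etc.)")
        for name, rule in self.rules.items():
            members = CLASSES[name]
            count = sum(c in members for c in pwd)
            if count < rule.minimum:
                problems.append(f"needs at least {rule.minimum} {name} character(s), found {count}")
            for pos, c in enumerate(pwd):
                if c not in members:
                    continue
                where = "first" if pos == 0 else "final" if pos == len(pwd) - 1 else "middle"
                if not getattr(rule, where):
                    problems.append(f"{name} character not allowed in {where} position")
                    break
        return problems

    def is_valid(self, pwd: str) -> bool:
        return not self.violations(pwd)

    def generate(self, length: int | None = None, attempts: int = 10000) -> str:
        """Draw random candidates until one satisfies the policy (or give up), which is the
        kind of self-check a test-generation button lets an administrator run."""
        length = length or self.min_length
        alphabet = sorted(set().union(*CLASSES.values()) - self.forbidden)
        for _ in range(attempts):
            candidate = "".join(secrets.choice(alphabet) for _ in range(length))
            if self.is_valid(candidate):
                return candidate
        raise ValueError(f"no compliant password in {attempts} attempts; policy may be unsatisfiable")


def sample_policy() -> PFCP:
    """Constructed sample policy used by the checks below."""
    return PFCP(
        name="Corporate apps",
        min_length=8, max_length=12, max_same_char=2, no_successive_repeat=True,
        rules={
            "lower": CharClassRule(minimum=2),
            "upper": CharClassRule(minimum=1),
            "digit": CharClassRule(minimum=1, first=False),                   # no leading digit
            "special": CharClassRule(minimum=1, first=False, final=False),    # middle only
        },
        forbidden=set("\\`"),
    )


if __name__ == "__main__":
    policy = sample_policy()
    for candidate in ("Secur3#paw1", "#Secur3paw1", "Secur3paw1", "Sécur3#paw1"):
        print(candidate, policy.violations(candidate) or "compliant")
    print("generated:", policy.generate(10))
```

Reporting every violation rather than stopping at the first one is what makes a policy debuggable: an administrator can see at once that a candidate fails both a position rule and a class minimum, and the generator failing with "policy may be unsatisfiable" is the signal that the minimum counts, positions and forbidden characters contradict each other.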

5.2.3 Displaying Password Format Control Policy Event Logs


Subject
The Events tab allows you to display all the events that are directly or indirectly linked to the selected object, for a defined period (the last two days by default). This report contains both User action and administration log entries.

Restriction
The Events tab only appears if you have the following administration role:
In classic administration mode: "Auditor".
In advanced administration mode: your role must contain the following right: "Audit: Visualization".
For more details on administration roles, see Section 4, Managing Administrators.

Procedure
1. In the tree structure of the Directory panel, select the wanted PFCP.
2. Click the Events tab.
   The Events tab appears.
3. In the Filter area, define a period of time to filter the log entries and click Apply (for more information on event logs, see Section 13.2.1, Filtering Audit Records).


5.2.4 Renaming Password Format Control Policies


Before Starting
To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Security object administrator".
In advanced administration mode: your role must contain the following right: "Password format control policy: Creation/Modification".

Procedure
1. In the tree structure of the Directory panel, right-click the PFCP to rename and select Rename.
2. Type the new name of the object and press Enter.

5.2.5 Deleting Password Format Control Policies


Subject
If you delete a Password Format Control Policy used by target objects, these target objects will use the default PFCP.

Before Starting
To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Security object administrator".
In advanced administration mode: your role must contain the following right: "Password format control policy: Deletion".

Procedure
In the Directory panel, right-click the PFCP to delete and select Delete.
The PFCP is deleted from the directory tree structure.

5.3 Managing User Security Profiles


Subject
Managing User Security Profiles consists of creating, modifying and deleting User Security Profiles.

Object Definition
User Security Profiles are security objects that define a set of rights and properties that are applied generically to one or more users.

Target Objects
User Security Profiles apply to Users.
As mentioned in Section 1, Overview, the User object refers to the user himself, a group of users or an organizational unit that contains users. Thus, User Security Profiles can be applied to the following LDAP directory objects, listed from highest to lowest order of priority:
User.
User group.
Group of groups.
Organizational Units.

5.3.1 Creating/Modifying User Security Profiles


Before Starting
Check that you meet the following requirements:
To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Security object administrator".
In advanced administration mode: your role must contain the following right: "User security profile: Creation/Modification".
The Timeslice that will be used by the User Security Profile must be created.

Procedures
Creating User Security Profiles
1. In the tree structure of the Directory panel, right-click the Organizational Unit that must contain your User Security Profile and select New | User Security Profile.
   The User Security Profile configuration tab appears.
2. Fill in this window as described in Section 5.3.2, Configuring User Security Profiles, and click Apply.
   The User Security Profile appears in the directory tree structure.

Modifying User Security Profiles
If you modify a User Security Profile already used by Users, your modifications apply to all Users associated with this Security Profile.
1. In the tree structure of the Directory panel, select the User Security Profile to modify.
   The User Security Profile configuration tab appears.
2. Fill in this window as described in Section 5.3.2, Configuring User Security Profiles, and click Apply.
   The User Security Profile is modified.


5.3.2 Configuring User Security Profiles


Before Starting
For general information on the User Security Profile objects, see Section 5.3, Managing User Security Profiles.
To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Security object administrator".
In advanced administration mode: your role must contain the following rights: "User security profile: Creation/Modification" and "Temporary password access: Change duration".

Window Example

Procedure
1. Type the User security profile name.
2. In the Authentication tab, select the authentication methods available for the Users that will be associated with the User Security Profile, and define the authentication parameters of the User Security Profile, as described in Section 5.3.2.1, Authentication Parameters Configuration ("Authentication" Tab).
3. In the Security tab, define the single sign-on parameters of the User Security Profile, as described in Section 5.3.2.2, Security Parameters Configuration ("Security" Tab).
4. In the Unlocking tab, activate the Fast User Switching feature and define the unlocking parameters of the User Security Profile, as described in Section 5.3.2.3, Fast User Switching Parameters Configuration ("Unlocking" Tab).
5. In the Emergency Access tab, activate the Emergency Access feature and define the password and PIN reset parameters of the User Security Profile, as described in Section 5.3.2.4, Emergency Access Parameters Configuration ("Emergency Access" Tab).
6. In the Biometrics tab, define the biometrics policy, as described in Section 5.3.2.5, Biometrics Parameters Configuration ("Biometrics" Tab).
7. In the Data Privacy tab, configure the Data Privacy feature, as described in Section 5.3.2.6, Data Privacy Parameters Configuration ("Data Privacy" Tab).
8. In the Audit tab, assign an audit filter to the user security profile so that only relevant audit events are generated, as described in Section 5.3.2.7, Audit Parameters Configuration ("Audit" Tab).

5.3.2.1 Authentication Parameters Configuration (Authentication Tab)


User authentication methods area
The selected authentication methods must be consistent with the authentication methods defined in the Access Point Security Profiles associated with the Users (for more details, see Section 5.4.2.1, Security Services Configuration ("Security Services" Tab)).
Authentication methods can only be used if they are activated on the Users' workstations through the Access Point Security Profile, as described in Section 5.4.2, Configuring Access Point Security Profiles.
The Session authentication method works only with Active Directory.
For smart card authentication methods (such as Cryptoflex smart card, CyberFlex PKCS#11 or Rainbow iKey3000), you can assign a specific configuration using the Select Configuration button. These configurations are defined in the Smart Card panel. For more details, see Section 7.10, Managing Smart Card Configuration Profiles.
The "Store-On-Server" and "Store-On-PC" biometric methods cannot be used simultaneously: select only one of them. For more information on available biometric methods, see Section 10, Managing Biometric Enrolment.

Connection parameters area

TAB ELEMENT: DESCRIPTION

Timeslice: The default Timeslice is selected by default. Click the button to select another existing Timeslice. Click the button to display and, if necessary, modify the selected Timeslice, as described in Section 5.1.1, Creating/Modifying Timeslices.

Use cache and Cache data validity: Select Use Cache to use a cache upon session activation. This ensures user service continuity by supporting network interruptions, and allows you to manage Nomad users. It is recommended to set a greater time value than the Session Duration, so that the cache is refreshed during authentication and is thus automatically valid again for the specified time. The "0" value means infinite time: the cache data validity will not refresh. The cache can only be used if it is active on the workstation. This option is set upon the definition of Access Point Security Profiles, as described in Section 5.4.2, Configuring Access Point Security Profiles.

Session duration (h): Session activation time before re-authentication is required. The "0" value means infinite time: re-authentication will never be required.

Allow temporary password access for: Duration of the validity of the temporary password, when granted to a user (for more information on TPA, see Section 6.2.2.3, Forcing a New User's Primary Password ("Password" Tab)). When the duration is over, the user cannot log on anymore.

Can unlock a workstation: Authorizes the Users associated with this security profile to unlock a workstation locked by another user.

Allow on all access points: In "access-point-management" mode, authorizes the Users associated with this security profile to authenticate on all Access Points of their domain (default). In "no-access-point-management" mode, a user can open an Enterprise SSO session on an access point of his/her domain only if the Allow on all access points field is selected. To authorize the Users to log on Access Points registered in external domains, see Section 6.4, Managing Representative Objects. This option is taken into account when you assign or forbid Access Points to a User: see Section 6.2.5, Assigning/Forbidding Access Points to a User ("Access Points" Tab).

Primary password is stored as an SSO account, encrypt by...: This function is only available if the "Session" authentication method is selected. It stores the user primary password as an SSO account: each time the user authenticates, his/her primary password is saved or updated if necessary. SSOWatch accesses this stored account for each SSO that uses the primary account. If the user authenticates with smart card logon, a registry key must be set so that SSOWatch can run in Session mode (see the Enterprise SSO Advanced Installation and Configuration Guide for details on the registry key). The drop-down list allows you to select how the primary account is ciphered and deciphered:
User: only the user can decipher his/her primary account. This is the most secure option. If the user forgets his/her primary password or loses his/her smart card, it is impossible to recover his/her account.
User and administrators: administrators can also decipher the user's accounts. Thus, if you force a new primary password or assign a new smart card using Token Manager, the user's primary account is also recovered.
User, administrators and external key: allows an external application to decipher the user's account using a public key. For example, you must select this entry if you want to use Enterprise SSO with Web Access Manager (WAM). By selecting this entry, you allow WAM to decipher the Enterprise SSO primary account of the user so that it can perform SSO with this account.


5.3.2.2 Security Parameters Configuration ("Security" Tab)

User authentication area

TAB ELEMENT: DESCRIPTION

Change password every <n> days: Allows the user to manually change his/her primary password (whatever the authentication method used) every "n" days, using the default password format control policy (PFCP) displayed in the "User PFCP" field. If the manual password change policy detects that the password has expired while the user authenticates offline, the user is not asked to change his/her password. In this case, you can force the user to authenticate when the directory is available again, so that he/she can manually change his/her directory password, by setting the following registry value to 1: "ManualPwdChangeMandatory" (DWORD), located in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Enatel\WiseGuard\Framework\Authentication. If you also select the "Change password on token every <n> days" check box, the present option is disabled for users whose authentication method does not require the primary password to be provided (smart cards, biometrics).

User PFCP: The default password format control policy (PFCP) is selected by default. This PFCP applies when the user types his/her password. Click the button to select another existing PFCP. Click the button to display and, if necessary, modify the selected PFCP, as described in Section 5.2.1, Creating/Modifying Password Format Control Policies.

Change password on token every <n> days: This option is available only if the directory used is an AD or AD/ADAM and the user smart card stores the password. Select this check box to enable the automatic change of the smart card or USB token password every "n" days. This operation has no consequence on the user authentication tasks (the user still uses his/her PIN to authenticate).

Automatic PFCP: The default password format control policy (PFCP) is selected by default. This PFCP applies when the password change is performed automatically, without user intervention (for example, the password is stored on a smart card and changes every x days). Click the button to select another existing PFCP. Click the button to display and, if necessary, modify the selected PFCP, as described in Section 5.2.1, Creating/Modifying Password Format Control Policies.

Allow external access: Select this check box to specify that the Users associated with this security profile can share their accounts with external applications. You must select this check box to enable the Mobile E-SSO feature. For more information, see the Mobile E-SSO Installation and Configuration Guide.

SSO data protected by token is also available on password authentication: Select this check box to specify that the SSO data protected by token can be used even if the User authenticates by password (RFID and PKA authentication methods only).

Grace period: The grace period is the period of time during which the workstation automatically unlocks when the user re-enters the unlocking area with the RFID token. After this period, the user must provide his/her password in addition to the RFID token to log on.

User must provide emergency access answers: Forces the user to provide emergency access answers when he/she wants to reset his/her password.

Roaming session duration (hours): A roaming session allows users to open a session on a computer with their physical authentication token, without having to type a secret. Select this check box to authorize the roaming session mode for users associated with the user profile, for a period of time. The roaming session is created as soon as the user authenticates on an authorized access point, and the session duration starts from that moment. If you change the duration in the Roaming session duration field once the roaming session has started, the new value is only taken into account once the session in progress has expired. To authorize roaming sessions on an Advanced Login computer, see Section 5.4.2.2, Advanced Login Parameters Configuration ("Advanced Login" Tab).

Single Sign-On (SSO) area

TAB ELEMENT: DESCRIPTION

Inactivation duration: Defines the time of inactivity of the SSOWatch Engine before its state switches to locked. The "0" value means infinite time: the SSOWatch engine never locks.

Allow SSOEngine control (pause/restart), Allow SSOEngine refresh, Allow SSOEngine stop: Allow you to define whether the Users associated with this User Security Profile can pause, refresh, stop and restart SSOEngine.

Show SSOEngine-launcher in foreground: When SSOWatch is started, this check box allows you to define whether the SSOEngine desktop can be opened on the application launcher.

Allow personal SSOStudio, Allow enterprise SSOStudio: Allow you to define whether the Users associated with this User Security Profile can use SSOStudio Personal and SSOStudio Enterprise.

Allow role selection: Allows you to define whether the Users associated with this User Security Profile can select different roles in SSOEngine.

Require strong authentication for SSO: Select this check box to specify that a token is necessary to start the SSO.

Authentication on next access/Authenticate immediately: SSO behavior on next card insertion.


Quest Enterprise SSO 8.0.3 - Enterprise SSO Console

5.3.2.3 Fast User Switching Parameters Configuration ("Unlocking" Tab)


The Unlocking tab allows you to activate and use the Fast User Switching feature.

User level: Enter a User hierarchy level (0 is the lowest level, and 50000 is the highest).

User can unlock sessions of users below level: Select this check box to allow a User to unlock a session locked by another User whose level is below the specified level.

User can close sessions of users below level: Select this check box to allow a User to close a session opened by another User whose level is below the specified level.

Example
Consider the following situation: you want User 1, who is associated with User Security Profile 1, to be able to unlock or close the sessions of other Users associated with User Security Profile 1. To do so, configure the Unlocking tab as follows:
User level: X (5 for example).
User can unlock sessions of users below level: a value greater than X (7 for example).
User can close sessions of users below level: a value greater than X (7 for example).


To check that this example works:
1. Use Advanced Login to log on as User 1.
2. Lock the session.
3. Unlock the session with another user associated with User Security Profile 1 (User 2 for example). SSOWatch is restarted with the SSO data of User 2, and the Session Information window of Advanced Login displays the following:
E-SSO User: User 2.
Windows User: User 1.

5.3.2.4 Emergency Access Parameters Configuration ("Emergency Access" Tab)


The Emergency Access tab allows you to activate and configure the password and PIN reset features: the user can reset his/her password and PIN on his/her own from the Advanced Login authentication window.
The PIN Reset feature is only available in disconnected mode.

Configuration Parameters


Availability: Select one of the following options.

With Password Reset server only (connected mode): enables the Emergency Access feature only when the Password Reset server, which is a component of the Enterprise SSO controller, is available. In this case, you must define the list of Password Reset servers: see the Emergency Access tab in Section 5.4.2, Configuring Access Point Security Profiles. When a user accesses the Emergency Access feature, his/her account is automatically unlocked by the Password Reset server.

Always available (disconnected mode): enables the Emergency Access features even if the Password Reset server is unavailable. For the Password Reset feature, a cache is used (see the "Activate cache and Cache properties button" parameter in Section 5.4.2, Configuring Access Point Security Profiles). If the directory is not available, the new password given by the user is temporary: the directory is never updated with this password. When the directory is available again, the user is prompted to re-authenticate and to change his/her password (which is then changed in the directory). If the directory is available, the password is changed in the directory. If a user can access the disconnected mode, this automatically implies that he/she can access the connected mode. Selecting this option enables the User must contact the helpdesk to gain password access check box, which allows you to define whether the user must call the help desk to reset his/her password. For PIN reset, this check box is ignored because the help desk call is mandatory.
Check box cleared: the user answers the Emergency Access questions (set with SSOWatch) and is then automatically prompted to reset his/her password on his/her own (correct answers to the questions are sufficient to decrypt the password stored in the cache).
Check box selected: the user answers the Emergency Access questions (set with SSOWatch), which allows him/her to obtain a challenge (unlock code). He/she is then prompted to give this challenge to the Help Desk, which gives him/her a code in exchange (see Section 6.2.2.4, Managing User Emergency Access ("Emergency Access" Tab)) that allows him/her to reset his/her password or PIN.

Not available: select this option if you do not want to activate the Emergency Access feature.


Questions area: This area allows you to define the number of questions to ask the end user and to manage the list of available questions. These questions are displayed by the Emergency Access wizard (through the SSOWatch engine) to your end users. For details, see Question List Management Procedure, below.

Security area: This area allows you to define your Emergency Access security policy, by defining the number of questions the end user must answer and the minimum number of correct answers the end user must give to reset his/her password. The Advanced button allows you to define the following additional security parameters:
- Force the user to populate his/her questions and answers before being able to use SSOWatch on his/her workstation.
- Force the user to change his/her answers to the questions at a defined frequency.
- Prevent the user from giving the same answer to different questions.
- Prevent the user from using the words of a question in his/her answer.
- Set the maximum number of attempts to answer the questions.
- Make the answers to the questions case-insensitive.
- Allow the user to connect by password (if he/she is only allowed to connect by smart card) during a defined period of time.
- Allow the help desk to set the validity period of the temporary password when it provides a challenge to a user (only available if you have selected the "disconnected mode").
- Force the user to use his/her own password, and not the temporary password, when he/she reconnects to the network (only available if you have selected the "disconnected mode").
- Set the maximum number of attempts to use the Emergency Access feature in disconnected mode (only available if you have selected the "disconnected mode").
- Try to use the Password Reset server before falling back to the disconnected mode.

Question List Management Procedure
To manage the list of available questions, do the following:
1. In the Questions area, click the Select button, and in the displayed window, click Manage questions.
The Emergency Access question management window appears.
2. To add a question, do the following:
a) Click the New button. The Question Properties area is activated.
b) Fill in this area with the following guidelines: set the Question Type (select either Predefined Question to specify a question that cannot be modified by the end user, or User-supplied question to allow the end user to define his/her own question), then set the Question text.
c) Translate the question into a foreign language (optional): click Translations, select the language in the drop-down list, fill in the translation and click Add. The translation appears in the available translations area.
d) Click OK. The Emergency access questions window appears.
e) Set the Answer constraints: set the minimal and maximal character length of the answer, and fill in Must match regular expression to restrict the string the end user may enter as an answer. For details on the syntax of regular expressions, see Appendix A, Regular Expressions - Basic Syntax.
f) Click Apply. The question appears in the Existing Questions area.
3. Repeat Step 2 as many times as necessary and click Close to finish.
The Emergency access: list of questions window appears.
4. Assign a question number to an available question, to define the list of available questions for each Question field of the Emergency Access wizard (SSOWatch engine):
a) In the list of questions drop-down list, select the Question number and click the Add button. The question selection window appears.
b) Select a question in the Select a Question window and click OK. The selected question appears in the available question area.
c) Click OK.
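The answer constraints of step 2 e) and the Security area policy (number of questions asked, minimum number of correct answers, maximum number of attempts, no identical answers to different questions, no question words in answers, case-insensitive answers) can be checked together, as in the following added Python example. It is not the product's code: the data structures, the salted SHA-256 digests used here to store the enrolled answers, and the sample questions are assumptions made for illustration; the product uses the answers to unlock the password stored in the cache, as described above, and how it stores them is not documented on this page.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Question:
    text: str
    min_len: int = 3              # minimal character length of the answer
    max_len: int = 64             # maximal character length of the answer
    regex: Optional[str] = None   # "Must match regular expression" constraint


@dataclass
class AnswerPolicy:
    questions_asked: int          # number of questions the wizard asks
    min_correct: int              # minimum number of correct answers to reset
    max_attempts: int             # maximum number of attempts before lock-out
    case_insensitive: bool = True
    forbid_duplicate_answers: bool = True
    forbid_question_words: bool = True


_WORD = re.compile(r"[a-z0-9]+")


def normalize(answer: str, policy: AnswerPolicy) -> str:
    """Collapse whitespace and, if the policy says so, ignore case."""
    a = " ".join(answer.split())
    return a.lower() if policy.case_insensitive else a


def validate_enrolment(questions: List[Question], answers: List[str],
                       policy: AnswerPolicy) -> List[str]:
    """Check the answers a user proposes at enrolment time.
    Returns the list of violations; an empty list means they are accepted."""
    if len(answers) != len(questions):
        return [f"expected {len(questions)} answers, got {len(answers)}"]
    errors = []
    seen = {}                                  # normalized answer -> question number
    flags = re.IGNORECASE if policy.case_insensitive else 0
    for i, (q, raw) in enumerate(zip(questions, answers), start=1):
        a = " ".join(raw.split())
        n = normalize(raw, policy)
        if not q.min_len <= len(a) <= q.max_len:
            errors.append(f"Q{i}: answer length must be {q.min_len}-{q.max_len}")
        if q.regex and not re.fullmatch(q.regex, a, flags):
            errors.append(f"Q{i}: answer does not match /{q.regex}/")
        if policy.forbid_question_words:
            reused = sorted(set(_WORD.findall(a.lower()))
                            & set(_WORD.findall(q.text.lower())))
            if reused:
                errors.append(f"Q{i}: answer reuses question word(s) {reused}")
        if policy.forbid_duplicate_answers and n in seen:
            errors.append(f"Q{i}: same answer as Q{seen[n]}")
        seen.setdefault(n, i)
    return errors


class EmergencyAccessVerifier:
    """Keeps salted digests of the enrolled answers (an assumption for this
    example) and enforces the min-correct threshold and the attempt counter."""

    def __init__(self, questions, answers, policy):
        violations = validate_enrolment(questions, answers, policy)
        if violations:
            raise ValueError("; ".join(violations))
        self.policy = policy
        self._salt = os.urandom(16)
        self._digests = [self._digest(normalize(a, policy)) for a in answers]
        self.failed_attempts = 0

    def _digest(self, text: str) -> bytes:
        return hashlib.sha256(self._salt + text.encode("utf-8")).digest()

    @property
    def locked(self) -> bool:
        return self.failed_attempts >= self.policy.max_attempts

    def verify(self, answers: List[str]) -> bool:
        """True when at least min_correct of the questions_asked answers match.
        Every answer is compared (no early exit) so the response time does not
        reveal which one failed; each failed attempt counts toward max_attempts."""
        if self.locked:
            return False
        correct = 0
        for stored, given in zip(self._digests[: self.policy.questions_asked],
                                 answers[: self.policy.questions_asked]):
            if hmac.compare_digest(stored, self._digest(normalize(given, self.policy))):
                correct += 1
        if correct >= self.policy.min_correct:
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        return False


# Constructed sample questions and policy (not taken from the product).
QUESTIONS = [
    Question("What was the name of your first pet?"),
    Question("In which city were you born?", regex=r"[A-Za-z .'-]+"),
    Question("What was your first car's registration number?", min_len=4,
             regex=r"[A-Za-z0-9 -]+"),
]
POLICY = AnswerPolicy(questions_asked=3, min_correct=2, max_attempts=3)
```

With this policy, answering "REX", "lyon" and a wrong third answer still unlocks (two of three correct, case ignored), while "my first pet" is rejected at enrolment because it reuses the words "first" and "pet" from the question, and giving "Lyon" twice is rejected as a duplicate answer. Three wrong attempts lock the verifier, after which even the correct answers are refused.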


5.3.2.5 Biometrics Parameters Configuration ("Biometrics" Tab)


Subject
The Biometrics tab allows you to define the biometric enrolment policy.

Before Starting
To configure the parameters described in this section, you must work in advanced administration mode, and your role must contain the following right: "Bio: Is enable to allow biometrics pattern enrolment".
For more information on administration modes, see Section 4, Managing Administrators.

Biometrics Tab Description

Enrolment procedure area: This area allows you to require that the enrolment of a user's biometric data be supervised by an administrator or by another user.
Approval not required: the enrolment of the user's biometric data does not require anyone's authentication.
An E-SSO administrator: the enrolment of the user's biometric data requires the authentication of an administrator who has at least the following administration right: "Bio: Is enable to allow biometrics pattern enrolment" (advanced administration mode only).
Another E-SSO user: the enrolment of the user's biometric data requires the authentication of another user of the directory.

Policy area
User must enrol between x and x finger(s): the number of fingers you want the user to enrol.
Allow user to abort the enrolment process: if this check box is selected, the user is allowed to cancel the enrolment process by closing the enrolment window.

5.3.2.6 Data Privacy Parameters Configuration ("Data Privacy" Tab)


The Data Privacy tab allows you to configure some aspects of the Data Privacy feature. For a complete description of how to administer Data Privacy, see Section 11, Managing Data Privacy.

User has access to the File Encryption module: Select this check box to allow the users associated with the Security Profile to use the File Encryption software module. By default, File Encryption ignores files with specific extensions (.exe and .dll, for example). You can modify these values using the Configuration button.

User can refresh his keys from his desktop: Select this check box to enable the Refresh command of the File Encryption software module.

Generate user's personal keys automatically: Select this check box to enable the automatic generation of a key upon the user's logon.

Automatically update key in warning period: Select this check box to enable the automatic update of the user's key.

File Encryption key properties area: This area allows you to define the properties of the keys that will be generated.

5.3.2.7 Audit Parameters Configuration (Audit Tab)


The Audit tab allows you to assign an audit filter to User Security Profile.

To assign an audit filter, see Section 13.2.2, Assigning an Audit Filter to Specific Objects.


5.3.3 Displaying User Security Profile Event Logs


Subject The Events tab allows you to display all the events that are directly or indirectly linked to the selected object, for a defined period (the last two days by default). This report contains both User action and administration log entries. Restriction The Events tab only appears if you have the following administration role: In classic administration mode: "Auditor". In advanced administration mode, your role must contain the following right: "Audit: Visualization".
For more details on administration roles, see Section 4, Managing Administrators.

Procedure
1. In the tree structure of the Directory panel, select the wanted User Security Profile.
2. Click the Events tab.
The Events tab appears.
3. In the Filter area, define a period of time to filter the log entries and click Apply (for more information on event logs, see Section 13.2.1, Filtering Audit Records).

5.3.4 Renaming User Security Profiles


Before Starting To perform the task described in this section, you must have at least the following administration role: In classic administration mode: "Security object administrator". In advanced administration mode, your role must contain the following right: "User security profile: Creation/Modification".

Procedure
1. In the tree structure of the Directory panel, right-click the User Security Profile to rename and select Rename.
2. Type the new name of the object and press Enter.


5.3.5 Deleting User Security Profiles


Subject
If you delete a User Security Profile used by Users, these Users will use the default User Security Profile.

Before Starting To perform the task described in this section, you must have at least the following administration role: In classic administration mode: "Security object administrator". In advanced administration mode, your role must contain the following right: "User security profile: Deletion".

Procedure In the tree structure of the Directory panel, right-click the User Security Profile to delete and select Delete. The User Security Profile is deleted from the directory tree structure.

5.4 Managing Access Point Security Profiles


Subject
Managing Access Point Security Profiles consists of creating, modifying and deleting Access Point Security Profiles. If you are working in "no-access-point-management" mode, you cannot create Access Point security profiles, nor manage their priority: the default access point security profile is used for all Access Points.

Object Definition
Access Point Security Profiles are security objects that define a set of rights and properties that are applied generically to one or more workstations.

Target Objects
Access Point Security Profiles apply to Access Points. As mentioned in Section 1, Overview, the Access Point object refers to a specific computer, a group of computers or an organizational unit that contains computers. Thus, Access Point Security Profiles can be applied to the following LDAP directory objects, listed from highest to lowest priority:
Computer.
Groups that contain computers.
Organizational Units that contain computers.


5.4.1 Creating/Modifying Access Point Security Profiles


Before Starting Before starting, check that you meet the following requirements: To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Security object administrator". In advanced administration mode, your role must contain the following right: "Access point security profile: Creation/Modification".

The Timeslice that will be used by the Access Point Security Profile must be created. If you are working in "no-access-point-management" mode, you cannot create Access Point security profiles.

Procedures Creating Access Point Security Profiles 1. In the tree structure of the Directory panel, right-click the Organizational Unit that must contain your Access Point Security Profile and select New | Access Point Security Profile.
The Access Point Security Profile configuration tab appears.

2.

Fill in this window as described in Section 5.4.2, Configuring Access Point Security Profiles and click Apply.
The Access Point Security Profile appears in the directory tree structure.

Modifying Access Point Security Profiles


If you modify an Access Point Security Profile already used by Access Points, your modification applies on all the Access Points using this Security Profile.

1.

In the tree structure of the Directory panel, select the Access Point Security Profile to modify.
The Access Point Security Profile configuration tab appears.

2.

Fill in this window as described in Section 5.4.2, Configuring Access Point Security Profiles and click Apply.
The Access Point Security Profile is modified.

5.4.2 Configuring Access Point Security Profiles


Before Starting For general information on the Access Point Security Profile objects, see Section 5.4, Managing Access Point Security Profiles. To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Security object administrator". In advanced administration mode, your role must contain the following right: "Access point security profile: Creation/Modification".

Window Example

Procedure
1. Type the Access Point security profile name.
2. If you want to select another existing Timeslice, click the button. Click the button to display and, if necessary, modify the selected Timeslice configuration, as described in Section 1.1.1, "Creating/Modifying Timeslices".
3. Configure the parameters of the Access Point Security Profile, according to your needs:
To configure Security Services parameters, see Section 5.4.2.1, Security Services Configuration ("Security Services" Tab).
To configure Advanced Login parameters, see Section 5.4.2.2, Advanced Login Parameters Configuration ("Advanced Login" Tab).
To configure Unlocking parameters, see Section 5.4.2.3, SSOWatch, SSOStudio, E-SSO Console, and Data Privacy Parameters Configuration.
To configure SSOWatch parameters, see Section 5.4.2.3, SSOWatch, SSOStudio, E-SSO Console, and Data Privacy Parameters Configuration.
To configure SSOStudio parameters, see Section 5.4.2.3, SSOWatch, SSOStudio, E-SSO Console, and Data Privacy Parameters Configuration.
To configure E-SSO Console parameters, see Section 5.4.2.3, SSOWatch, SSOStudio, E-SSO Console, and Data Privacy Parameters Configuration.
To configure Data Privacy parameters, see Section 5.4.2.3, SSOWatch, SSOStudio, E-SSO Console, and Data Privacy Parameters Configuration.
To configure Biometrics parameters, see Section 5.4.2.4, Biometrics Parameters ("Biometrics" Tab).
To configure Emergency Access parameters, see Section 5.4.2.5, Password Reset Servers Declaration ("Emergency Access" Tab).
To configure RFID parameters, see Section 5.4.2.6, RFID Detection Area Configuration ("RFID" Tab).
To configure Audit parameters, see Section 5.4.2.7, Audit Parameters Configuration ("Audit" Tab).

5.4.2.1 Security Services Configuration ("Security Services" Tab)

Time between two software inventories: Frequency at which the Access Points are checked to retrieve the list of the installed software clients (SSOWatch, Advanced Login). The starting time point is the start of the Enterprise SSO controller.

Activate cache and Cache properties button: If this check box is not selected, the User cannot authenticate to the workstation when it is not connected to the LDAP directory. This check box can only be used if the User can use a cache, as described in Section 5.3.2, Configuring User Security Profiles. The Cache properties button allows you to configure the cache of the workstations associated with this security profile. For details, see "Cache properties" Window Description, below.

Time between two directory connection tests: Frequency at which the Enterprise SSO controller checks that the connection to the LDAP directory works. Set 0 if you do not want to test the connection to the directory (not recommended, because the time needed to recover the connection increases).

Network time-out: TCP/IP connection parameters. This parameter must not be changed.

Authorized authentication methods: Select the Authentication methods available for the Access Points that will be associated with this Security Profile. The selected Authentication methods must be consistent with the authentication methods defined in the User Security Profiles. For more details, see Section 5.3.2.1, Authentication Parameters Configuration ("Authentication" Tab).

"Cache properties" Window Description

The Cache properties window is divided into the following areas:
User Data: allows you to configure the validity period of the cache containing the authentication data of the user.
Application data (Primary domain) and Application data (External domains): these areas allow you to configure:
- The validity period of the cache containing application data.
- The asynchronous update of the cache containing application data, which avoids updating the cache when the end user logs on to his/her workstation. Thus the network and the directory are not massively loaded at critical hours (9 in the morning, for instance), and the authentication time decreases.
The Application data (External domains) area is functional only with Active Directory repositories, as it concerns only inter-domain and multi-domain infrastructures.

To configure the cache of the workstations associated with this security profile, fill in this window as follows:
Performance cache validity period: this parameter allows you to configure the period of time during which the data in the cache is valid. When this period is over, the data in the cache expires. This means that at the next user logon, the workstation sends a request to the LDAP directory to refresh the cache.
The validity period of the user data cache is expressed in seconds, whereas the validity period of the application data cache is expressed in hours.
Refresh automatically on expiration (Application data areas only): select this check box to enable the automatic refresh of the cache containing application data when the validity period expires. This option allows you to configure the frequency, in hours, of the asynchronous update of the cache.
Synchronize data every <days> between <hour1> and <hour2> (Application data areas only): this check box also allows you to configure the asynchronous update of the cache, but in days, using a time slice. In this case, the workstations schedule the update at a random time in the interval.
You can configure only the day, and enter null values for hour1 and hour2. In this case, the update is scheduled at a random time in the day. The workstations must be switched on to perform the update. If a workstation is switched off, the asynchronous update may have been bypassed by the time the workstation is switched on again. In this case, if the cache data is not up to date: if time slices are defined and the current time is in the defined interval, the update is done; if the current time is not in the interval, the update is performed in the next period defined by the time slice. If there is no time slice, the update is done immediately.
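The refresh rules above (expiry after the validity period, refresh at next logon by default, asynchronous refresh on expiration, time slices with a random instant inside the slice, null hours meaning the whole day, and the catch-up decision a workstation makes when it is switched on again) can be modelled as a small decision function. The following Python block is an added example, not the product's client code: the policy and state names, the four decision strings, the treatment of a slice whose end hour is earlier than its start hour as crossing midnight, and the sample scenarios are assumptions made to keep it self-contained.

```python
import random
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional


@dataclass
class AppCachePolicy:
    validity_hours: int                    # "Performance cache validity period"
    refresh_on_expiration: bool = False    # "Refresh automatically on expiration"
    sync_every_days: Optional[int] = None  # "Synchronize data every <days>"; None = no time slice
    hour1: Optional[int] = None            # "between <hour1> ..."; None = whole day
    hour2: Optional[int] = None            # "... and <hour2>"


def is_expired(policy: AppCachePolicy, last_refresh: datetime, now: datetime) -> bool:
    return now >= last_refresh + timedelta(hours=policy.validity_hours)


def slice_bounds(policy: AppCachePolicy, day):
    """Start and end instants of the time slice that begins on `day`."""
    if policy.hour1 is None or policy.hour2 is None:   # null hours: the whole day
        start = datetime.combine(day, time(0))
        return start, start + timedelta(days=1)
    start = datetime.combine(day, time(policy.hour1))
    end = datetime.combine(day, time(policy.hour2))
    if end <= start:                                    # assumed: slice crosses midnight (22 -> 6)
        end += timedelta(days=1)
    return start, end


def in_slice(policy: AppCachePolicy, now: datetime) -> bool:
    """True when `now` is inside today's slice, or yesterday's slice if it crossed midnight."""
    for day in (now.date() - timedelta(days=1), now.date()):
        start, end = slice_bounds(policy, day)
        if start <= now < end:
            return True
    return False


def next_sync_time(policy: AppCachePolicy, now: datetime, rng: random.Random) -> datetime:
    """A random instant in the slice that starts <sync_every_days> days from now."""
    start, end = slice_bounds(policy, now.date() + timedelta(days=policy.sync_every_days))
    return start + timedelta(seconds=rng.randrange(int((end - start).total_seconds())))


def decide(policy: AppCachePolicy, last_refresh: datetime, now: datetime) -> str:
    """Action the workstation takes for its application-data cache at `now`
    (for instance when it is switched on again after a missed update)."""
    if not is_expired(policy, last_refresh, now):
        return "use-cache"
    if policy.sync_every_days is not None:           # a time slice is defined
        return "refresh-now" if in_slice(policy, now) else "wait-for-next-slice"
    if policy.refresh_on_expiration:
        return "refresh-now"
    return "refresh-at-next-logon"


def run_scenarios():
    """Constructed scenarios (not product data); returns the decisions by name."""
    now = datetime(2024, 3, 4, 9, 0)                  # Monday 09:00, a peak logon hour
    fresh, stale = now - timedelta(hours=1), now - timedelta(hours=30)
    default = AppCachePolicy(validity_hours=24)
    auto = AppCachePolicy(validity_hours=24, refresh_on_expiration=True)
    night = AppCachePolicy(validity_hours=24, sync_every_days=1, hour1=1, hour2=5)
    wrap = AppCachePolicy(validity_hours=24, sync_every_days=1, hour1=22, hour2=6)
    whole_day = AppCachePolicy(validity_hours=24, sync_every_days=2)
    return {
        "default-fresh": decide(default, fresh, now),
        "default-stale": decide(default, stale, now),
        "auto-stale": decide(auto, stale, now),
        "night-stale-09h": decide(night, stale, now),
        "night-stale-03h": decide(night, stale, datetime(2024, 3, 4, 3, 0)),
        "wrap-23h30": in_slice(wrap, datetime(2024, 3, 4, 23, 30)),
        "wrap-02h": in_slice(wrap, datetime(2024, 3, 5, 2, 0)),
        "wrap-07h": in_slice(wrap, datetime(2024, 3, 5, 7, 0)),
        "night-next": next_sync_time(night, now, random.Random(7)),
        "whole-day-next": next_sync_time(whole_day, now, random.Random(1)),
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name:16} {value}")
```

The scenarios show the load-spreading effect the page describes: with a 01:00 to 05:00 slice, a workstation that comes back at 09:00 with a stale cache waits for the next slice instead of hitting the directory at the peak hour, while one that comes back at 03:00 refreshes at once; without any slice, the refresh is either immediate (refresh on expiration) or deferred to the next user logon.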


5.4.2.2 Advanced Login Parameters Configuration ("Advanced Login" Tab)

The following table details only the drop-down lists and check boxes that require additional description.

For more details about the Advanced Login application, see the Enterprise SSO Advanced Login for Windows User Guide.

Configuration Parameters

Default action when token removed: Workstation behavior when the authentication token is removed.

Delay before action: Time elapsed before Advanced Login applies the action defined in the Default action when token removed drop-down list.

Delay before automatic locking: Time interval before automatic locking of the Windows session.

Allow local connection: Select this check box to allow the user connecting to the access point to use the local computer account, which is not part of the Enterprise SSO architecture.

Allow remote unblocking of tokens: Select this check box to allow Users associated with this Access Point to unlock their smart cards directly on the workstation, using the unlocking secret code given by the "Smart card administrator".

Remember authentication role: Select this check box to allow SSOEngine to use the last selected Role upon restart of the workstations associated with this Security Profile.

Only allow unlocking with the same windows credential: If you select this check box, the workstations that use this Security Profile can only be unlocked by the users who locked their sessions.

Allow password change, Allow PIN change: These check boxes allow you to show or hide the password change and PIN change buttons of the Advanced Login Session Information window.

Enable smart card detection on Ctrl-Alt-Del: Select this check box to prompt the user for his/her PIN if a smart card is detected when he/she presses Ctrl+Alt+Del. Clear this check box to prompt the user for his/her password even if a smart card is detected when he/she presses Ctrl+Alt+Del.

Allow windows domain connection (only for non Active Directory configurations): When the architecture is not based on an Active Directory environment, Advanced Login allows authentication on the security directory and, if allowed, locally. Select this check box to also allow authentication on the Windows domain to which the computer belongs, in case the dedicated directory is not available or has problems (cache corruption, for instance). The Windows domain to which the computer belongs is then added to the domain list displayed to the user.

Allow roaming session: A roaming session allows users to open a session on a computer with their physical authentication token, without having to type a secret. When a user authorized to use roaming sessions (see Section 5.3.2.2, Security Parameters Configuration ("Security" Tab)) authenticates on the computer, a roaming session is automatically created for the user. Select this check box to authorize the roaming session mode on the computer. For performance reasons, we recommend allowing the roaming session mode only on access points that will actually use it.

Grace period for administrator authentication: Specifies the administrator grace period, that is, the maximum time between the withdrawal of the user's smart card while the SHIFT key is pressed and the completion of another user's authentication. The default value is 60 seconds.

Excluded accounts button: Allows you to exclude accounts from the Enterprise SSO solution: the authentication of an excluded account is performed by Windows, not by Enterprise SSO. An excluded account can only be used with the password authentication method, not with tokens. For details, see Setting Excluded Account List below.

Setting Excluded Account List
1. To set an excluded account list, click Excluded accounts.
The excluded account window appears.
2. To exclude an account, do one of the following:
Click the Add button to choose a group to be excluded.
Select the first check box to exclude local administrators.
Select the second check box to exclude accounts that are not able to perform an Enterprise SSO authentication.


5.4.2.3 SSOWatch, SSOStudio, E-SSO Console, and Data Privacy Parameters Configuration

The SSOWatch Tab

The SSOStudio Tab

The E-SSO Console Tab

The Data Privacy Tab

The following table details only the drop-down lists and check boxes that require additional description.

SSOWatch tab
SSOWatch module is authorized on this workstation: All the Access Points associated with this Security Profile can run the SSOWatch software module if it is installed.
Show splash screen: no additional description.
Show SSOWatch icon in the task bar: no additional description.
Time between two window detection sequences: This combo box allows you to define the frequency (in ms) at which SSOWatch scans the Windows desktop of the workstation to detect the presence of authentication windows.
Do not lock SSOWatch on smart card withdrawal: no additional description.

SSOStudio tab
SSOStudio module is authorized on this workstation: All the Access Points associated with this Security Profile can run the SSOStudio software module if it is installed.

E-SSO Console tab
E-SSO Console is authorized on this workstation: All the Access Points associated with this Security Profile can run the E-SSO Console software module if it is installed.

Data Privacy tab
File Encryption is authorized on this workstation: All the Access Points associated with this Security Profile can run the File Encryption software module if it is installed.


5.4.2.4 Biometrics Parameters ("Biometrics" Tab)


Subject
This tab allows you to configure biometric parameters on the computers on which biometrics is used. This tab is only available if you have selected the "Store-On-Server" authentication method in the Authentication tab (see Section 5.3.2.1, Authentication Parameters Configuration ("Authentication" Tab)).

Before Starting
To configure the parameters described in this section, you must work in advanced administration mode, and your role must contain the following right: "Bio: Is enable to allow biometrics pattern enrolment".
For more information on administration modes, see Section 4, Managing Administrators.

"Biometrics" Tab Description

Sensitivity area
False accepted rate: read the instructions displayed in the area.

Policy area
a) Remove unused cached patterns on the workstation after x days check box
Check box selected: locally cached biometric data is deleted if it has not been used for the defined number of days.
Check box cleared: locally cached biometric data is never deleted.
b) Users must confirm biometric scan to log on check box
Check box selected: to log on to the computer, users must place their finger on the scanner and then click OK in the Advanced Login welcome screen.
Check box cleared: to log on to the computer, users only have to place their finger on the scanner. The validation is automatic.

5.4.2.5 Password Reset Servers Declaration ("Emergency Access" Tab)

Reset password servers: This area displays the list of Password Reset servers you want to use. The position of the servers in the list corresponds to the order in which they are tried (if the first server does not respond, the second one is tested, and so on).
Remove button: Removes the selected server from the list.
Add button: Type a server address in the field and click this button to add it to the server list.


5.4.2.6 RFID Detection Area Configuration ("RFID" Tab)

This tab allows you to modify the detection areas of RFID tokens. For details, see Section 9.4, Modifying the Detection Areas and the Grace Period.


5.4.2.7 Audit Parameters Configuration ("Audit" Tab)


The Audit tab allows you to assign an audit filter to Access Point Security Profile to generate only relevant audit events.

To assign an audit filter, see Section 13.2.2, Assigning an Audit Filter to Specific Objects.

5.4.3 Displaying Access Point Security Profile Event Logs


Subject
The Events tab allows you to display all the events that are directly or indirectly linked to the selected object, for a defined period (the last two days by default). This report contains both User action and administration log entries.

Restriction
The Events tab only appears if you have the following administration role:
In classic administration mode: "Auditor".
In advanced administration mode, your role must contain the following right: "Audit: Visualization".
For more details on administration roles, see Section 4, Managing Administrators.


Procedure
1. In the tree structure of the Directory panel, select the wanted Access Point Security Profile.
2. Click the Events tab.
The Events tab appears.
3. In the Filter area, define a period of time to filter the log entries and click Apply (for more information on event logs, see Section 13.2.1, Filtering Audit Records).

5.4.4 Renaming Access Point Security Profiles


Before Starting
To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Security object administrator".
In advanced administration mode, your role must contain the following right: "Access point security profile: Creation/Modification".

Procedure
1. In the tree structure of the Directory panel, right-click the Access Point Security Profile to rename and select Rename.
2. Type the new name of the object and press Enter.

5.4.5 Deleting Access Point Security Profiles


Subject
If you delete an Access Point Security Profile used by Access Points, these Access Points will use the default Access Point Security Profile.

Before Starting
To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Security object administrator".
In advanced administration mode, your role must contain the following right: "Access point security profile: Deletion".

Procedure
In the Directory panel, right-click the Access Point Security Profile to delete and select Delete.
The Access Point Security Profile is deleted from the directory tree structure.


5.5 Managing Application Security Profiles


Subject
Managing Application Security Profiles consists of creating, modifying and deleting Application Security Profiles.
As Password Generation Policies (PGP) are only used to define Application Security Profiles, they are also described in this section.

Object Definition
Application Security Profiles are security objects that define a set of rights and properties applied generically to one or more applications.

Target Objects
Application Security Profiles apply to Applications.

5.5.1 Managing Password Generation Policies


Subject
This section describes how to create, modify and delete Password Generation Policies (PGP).

Object Definition
A Password Generation Policy defines the way an Application must generate a password.

Target Objects
A PGP is required to define an Application Security Profile.

5.5.1.1 Creating/Modifying Password Generation Policies


Before Starting
To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Security object administrator".
In advanced administration mode, your role must contain the following right: "Password generation policy: Creation/Modification".


Procedures
Creating Password Generation Policies
1. In the tree structure of the Directory panel, right-click the Organizational Unit that must contain your PGP and select New | Password Generation Policy.
The PGP configuration tab appears.
2. Fill in this window as described in Section 5.5.1.2, Configuring the Password Generation Policy and click Apply.
The PGP appears in the directory tree structure.

Modifying Password Generation Policies
If you modify a PGP already used by target objects, your modifications apply to all the target objects associated with this Security Object.
1. In the tree structure of the Directory panel, select the PGP to modify.
The PGP configuration tab appears.
2. Fill in this window as described in Section 5.5.1.2, Configuring the Password Generation Policy and click Apply.
The PGP is modified.

5.5.1.2 Configuring the Password Generation Policy


Before Starting
For general information on PGP objects, see Section 5.5.1, Managing Password Generation Policies.
To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Security object administrator".
In advanced administration mode, your role must contain the following right: "Password generation policy: Creation/Modification".


Window Example

Procedure
1. Type the PGP name.
2. Define the behavior of the Applications associated with this PGP during a password change request: either the User is asked to provide a password compatible with the PFCP, or a new password is generated automatically.
3. Define the frequency with which the Application can force the modification of the authentication password upon a session start, and the number of old passwords that cannot be reused, to prevent users from replacing their password with one that is too recent.
4. Define a list of forbidden passwords, using the Add and Remove buttons.
The Add button is activated when you type a forbidden password in the field located on the left-hand side of the button.
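The rules configured in this procedure (a user-proposed password versus an automatically generated one, a reuse window over the last n passwords, and an explicit forbidden list) are shown below as an added Go example. This is not code from Enterprise SSO: the PGP type, its field names, the character set and the 16-character length are this example's assumptions, and because the page does not say whether the forbidden list is matched case-sensitively, the example ignores case.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// PGP models the Password Generation Policy settings of Section 5.5.1.2.
// Field names are this example's own, not the product's.
type PGP struct {
	Length      int      // length of generated passwords (assumed; the page gives no value)
	HistorySize int      // "number of old passwords that cannot be reused"
	Forbidden   []string // "list of forbidden passwords"
}

var (
	ErrForbidden = errors.New("password is on the forbidden list")
	ErrReused    = errors.New("password was used too recently")
)

// charset drawn from by Generate; a generated password must in addition
// satisfy the application's PFCP, which is out of scope here.
const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&*+-=?@"

// Accept is the "user provides a password" branch: the candidate is checked
// against the forbidden list (ignoring case, an assumption) and against the
// last HistorySize entries of history (oldest first, most recent last).
func (p PGP) Accept(candidate string, history []string) error {
	for _, f := range p.Forbidden {
		if strings.EqualFold(candidate, f) {
			return ErrForbidden
		}
	}
	start := len(history) - p.HistorySize
	if start < 0 {
		start = 0
	}
	for _, old := range history[start:] {
		if old == candidate {
			return ErrReused
		}
	}
	return nil
}

// Generate is the "automatic generation" branch: draw Length characters with
// crypto/rand and retry until the result passes the same checks as Accept.
func (p PGP) Generate(history []string) (string, error) {
	for attempt := 0; attempt < 100; attempt++ {
		b := make([]byte, p.Length)
		for i := range b {
			n, err := rand.Int(rand.Reader, big.NewInt(int64(len(charset))))
			if err != nil {
				return "", err
			}
			b[i] = charset[n.Int64()]
		}
		if pw := string(b); p.Accept(pw, history) == nil {
			return pw, nil
		}
	}
	return "", errors.New("could not generate an acceptable password")
}

func main() {
	policy := PGP{Length: 16, HistorySize: 3, Forbidden: []string{"Password1", "Welcome2024"}}
	history := []string{"old-1", "old-2", "old-3", "old-4"} // constructed sample history
	fmt.Println(policy.Accept("old-1", history))            // <nil>: older than the last 3
	fmt.Println(policy.Accept("old-4", history))            // password was used too recently
	fmt.Println(policy.Accept("password1", history))        // password is on the forbidden list
	pw, err := policy.Generate(history)
	fmt.Println(len(pw), err)
}
```

Generate reads from crypto/rand rather than math/rand on purpose: a password generated from a predictable source is as weak as a reused one, whatever the history or forbidden-list settings say.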


5.5.1.3 Displaying Password Generation Policy Event Logs


Subject
The Events tab allows you to display all the events that are directly or indirectly linked to the selected object, for a defined period (the last two days by default). This report contains both User action and administration log entries.

Restriction
The Events tab only appears if you have the following administration role:
In classic administration mode: "Auditor".
In advanced administration mode, your role must contain the following right: "Audit: Visualization".
For more details on administration roles, see Section 4, Managing Administrators.

Procedure
1. In the tree structure of the Directory panel, select the wanted Password Generation Policy.
2. Click the Events tab.
The Events tab appears.
3. In the Filter area, define a period of time to filter the log entries and click Apply (for more information on event logs, see Section 13.2.1, Filtering Audit Records).

5.5.1.4 Renaming Password Generation Policies


Before Starting
To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Security object administrator".
In advanced administration mode, your role must contain the following right: "Password generation policy: Creation/Modification".

Procedure
1. In the tree structure of the Directory panel, right-click the PGP to rename and select Rename.
2. Type the new name of the object and press Enter.


5.5.1.5 Deleting Password Generation Policies


Subject
If you delete a PGP used by Application objects, these Applications will use the default PGP.

Before Starting
To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Security object administrator".
In advanced administration mode, your role must contain the following right: "Password generation policy: Deletion".

Procedure
In the Directory panel, right-click the PGP to delete and select Delete.
The PGP is deleted from the directory tree structure.

5.5.2 Creating/Modifying Application Security Profiles


Before Starting
Check that you meet the following requirements:
To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Security object administrator".
In advanced administration mode, your role must contain the following right: "Application profile: Creation/Modification".
The Password Generation Policy that will be used by the Application Security Profile must be created.

Procedures
Creating Application Security Profiles
1. In the tree structure of the Directory panel, right-click the Organizational Unit that must contain your Application Security Profile and select New | Application Profile.
The Application Security Profile configuration tab appears.
2. Fill in this window as described in Section 5.5.3, Configuring Application Security Profiles and click Apply.
The Application Security Profile appears in the directory tree structure.


Modifying Application Security Profiles
If you modify an Application Security Profile already used by Applications, your modifications apply to all the Applications associated with this Security Profile.
1. In the tree structure of the Directory panel, select the Application Security Profile to modify.
The Application Security Profile configuration tab appears.
2. Fill in this window as described in Section 5.5.3, Configuring Application Security Profiles and click Apply.
The Application Security Profile is modified.

5.5.3 Configuring Application Security Profiles


Before Starting
For general information on Application Security Profile objects, see Section 5.5, Managing Application Security Profiles.
To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Security object administrator".
In advanced administration mode, your role must contain the following right: "Application profile: Creation/Modification".

Window Example


Procedure
1. Type the Application Profile name.
2. Define the rules for accessing SSO accounts using the following tabs:
General tab: see Section 5.5.3.1, General Parameters Configuration ("General" Tab).
Account tab: see Section 5.5.3.2, Account Parameters Configuration ("Account" Tab).
Authentication method tab: see Section 5.5.3.3, Authentication Method Definition ("Authentication method" Tab).
Delegation tab: see Section 5.5.3.4, Delegation Parameters Configuration ("Delegation" Tab).

5.5.3.1 General Parameters Configuration ("General" Tab)

FIELD NAME

DESCRIPTION

Use password control policy specified here

Select this check box to select a PFCP for the security profile. If you do not select any PFCP, the application PFCP is used. Click the button to display and if necessary modify the selected PFCP, as described in Section 5.2, Managing Password Format Control Policies.

Password generation policy

The default PGP is selected by default. Click the button to select another existing PGP. Click the button to display and if necessary modify the selected PGP, as described in Section 5.5.1.1, Creating/Modifying Password Generation Policies.

User must reauthenticate to perform SSO

Select this option if the Applications associated with the Security Profile systematically require the User's primary authentication in order to start.

Launch application at start-up of SSOWatch

Select this check box to start the Application associated with the Security Profile when SSOWatch starts. In this case, the Application starting parameters must be defined at the SSOStudio level.

Show application on user's SSOWatch desktop

Select this check box to display the SSO data of the Applications associated with the Security Profile on the SSOEngine desktop.

When application is used, set user's 'unlocking level' to

If you want to use a different user level than the one specified in the User Security Profile, as described in Section 5.3.2, Configuring User Security Profiles, select this check box and define the new level of the user for the Applications associated with this Security Profile.

5.5.3.2 Account Parameters Configuration ("Account" Tab)

FIELD NAME

DESCRIPTION

Credential storage

Storage location of the user accounts used by Applications associated with the Security Profile.

Password change at first connection

Select this check box to make the password expire just after it has been collected. The password is then changed according to the password policy (see Section 5.5.1.2, Configuring the Password Generation Policy).

User can modify account

Select this check box to allow users to modify their passwords with SSOWatch. Clearing it ensures that SSO data is only managed centrally.

User can display password

Select this check box to allow users to display their passwords with SSOWatch.

Encrypt by

This drop-down list allows you to select the way the Accounts are ciphered and deciphered. Select one of the following entries:
User: only the user can decipher his or her accounts. This is the most secure option, but if the user forgets the primary password or loses the smart card, it is impossible to recover the secondary accounts.
User and administrators: administrators can also decipher the user's accounts. Thus, if you force a new primary password or assign a new smart card using Token Manager, the user's secondary accounts are also recovered.
User, administrators and external key: select this entry to allow an external application to decipher the user's secondary accounts using a public key. For example, you must select this entry to use E-SSO with Web Access Manager: it allows Web Access Manager to decipher the user's E-SSO secondary accounts so that Web Access Manager can perform SSO with these accounts.

User can cancel Single Sign-On

Select this check box to allow users to cancel the SSO authentication process with the Applications associated with the Security Profile:
For the current session only: the user can cancel the SSO authentication process for the whole current session.
For the application (until reset): the user can cancel the SSO authentication process for the current application.
For the current window only: the user can cancel SSO for the current window, but SSOWatch continues to detect windows associated with the application.
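The Encrypt by entries decide who holds a key able to unwrap a user's secondary accounts. The Go program below is an added example, not code from Enterprise SSO: the envelope layout, the function names and the AES-256-GCM key-wrapping construction are this example's own assumptions. It models the first two entries: the account password is sealed under a random data key, and that data key is wrapped under the user's key and, for "User and administrators", also under an administrator recovery key. It shows why the "User" entry makes the accounts unrecoverable after a forced primary-password change, and how the administrator wrap lets them be re-wrapped for the new credential without the administrator ever seeing the password. The third entry adds one more wrap of the same data key under the external party's public key; that path is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is one stored secondary-account password: the password is sealed
// under a random data key, and the data key is wrapped once per party allowed
// to open it. Layout and names are this example's own, not the product's.
type Envelope struct {
	UserWrap  []byte // data key sealed under the user's key
	AdminWrap []byte // data key sealed under the admin recovery key; nil in "User" mode
	Sealed    []byte // nonce||AES-256-GCM ciphertext of the account password
}

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy is fatal for a credential store
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // every key in this example is 32 bytes
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block)
	return g
}

// seal returns nonce||ciphertext; open reverses it and fails on a wrong key or
// on any modification of the box.
func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

func open(key, box []byte) ([]byte, error) {
	g := gcm(key)
	if len(box) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, box[:g.NonceSize()], box[g.NonceSize():], nil)
}

// Store encrypts an account password. userKey stands for whatever the primary
// authentication yields (a key derived from the primary password, or a key on
// the smart card); that derivation is out of scope. adminKey == nil selects the
// "User" entry; a non-nil adminKey selects "User and administrators".
func Store(userKey, adminKey []byte, account string) *Envelope {
	dataKey := random(32)
	env := &Envelope{Sealed: seal(dataKey, []byte(account))}
	env.UserWrap = seal(userKey, dataKey)
	if adminKey != nil {
		env.AdminWrap = seal(adminKey, dataKey)
	}
	return env
}

// OpenAsUser is the normal SSO path: the user's key unwraps the data key.
func OpenAsUser(env *Envelope, userKey []byte) (string, error) {
	dataKey, err := open(userKey, env.UserWrap)
	if err != nil {
		return "", err
	}
	pw, err := open(dataKey, env.Sealed)
	return string(pw), err
}

// AdminRewrap is the recovery path after a forced primary-password change or a
// replacement smart card: the administrator unwraps the data key with the
// recovery key and re-wraps it for the user's new key, without ever seeing the
// account password. In "User" mode there is no AdminWrap, so the secondary
// accounts are lost together with the old primary credential.
func AdminRewrap(env *Envelope, adminKey, newUserKey []byte) error {
	if env.AdminWrap == nil {
		return errors.New("encrypted by User only: secondary accounts cannot be recovered")
	}
	dataKey, err := open(adminKey, env.AdminWrap)
	if err != nil {
		return err
	}
	env.UserWrap = seal(newUserKey, dataKey)
	return nil
}

func main() {
	oldUserKey, newUserKey, adminKey := random(32), random(32), random(32) // constructed sample keys
	env := Store(oldUserKey, adminKey, "sap-secret")
	fmt.Println(AdminRewrap(env, adminKey, newUserKey)) // <nil>
	fmt.Println(OpenAsUser(env, newUserKey))            // sap-secret <nil>
	fmt.Println(OpenAsUser(env, oldUserKey))            // error: the old key no longer opens the envelope
}
```

The trade-off the table describes is visible in the code: the administrator wrap is what makes recovery possible, and it is also a second key that opens every account it protects, so whoever holds the recovery key must be treated as able to read all users' secondary passwords.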


5.5.3.3 Authentication Method Definition ("Authentication method" Tab)

This tab allows you to:
Select the authentication methods required to perform SSO.
Authorize access to the application (SSO) when the roaming session mode is activated (see the roaming session activation parameters in Section 5.4.2.2, Advanced Login Parameters Configuration ("Advanced Login" Tab) and Section 5.3.2.2, Security Parameters Configuration ("Security" Tab)).


5.5.3.4 Delegation Parameters Configuration ("Delegation" Tab)

The Delegation tab allows you to define delegation permissions, which authorize users to delegate their SSO account so that it can be used by other users.
Limit delegation duration to x days check box: allows you to set the maximum number of days of application delegation.
Authorize delegation to all users check box: authorizes delegation to all users of the application.
Authorize delegation to members of the same group check box: authorizes delegation to all users of the same group.
Authorize delegation to members of the same organization entity check box: authorizes delegation to all users of the same organization entity.
Advanced mode, list users/groups/organizational entities authorized for delegation check box: authorizes delegation to a selection of users, groups and organizational units.
Authorize delegated user to generate new password check box: authorizes the delegated user(s) to modify the delegated SSO account password.
A user can delegate his or her SSO account from the SSOWatch Engine (for details, see Enterprise SSO - SSOWatch Administrator Guide).


5.5.4 Displaying Application Security Profile Event Logs


Subject
The Events tab allows you to display all the events that are directly or indirectly linked to the selected object, for a defined period (the last two days by default). This report contains both User action and administration log entries.

Restriction
The Events tab only appears if you have the following administration role:
In classic administration mode: "Auditor".
In advanced administration mode, your role must contain the following right: "Audit: Visualization".
For more details on administration roles, see Section 4, Managing Administrators.

Procedure
1. In the tree structure of the Directory panel, select the wanted Application Security Profile.
2. Click the Events tab.
The Events tab appears.
3. In the Filter area, define a period of time to filter the log entries and click Apply (for more information on event logs, see Section 13.2.1, Filtering Audit Records).

5.5.5 Renaming Application Security Profiles


Before Starting
To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Security object administrator".
In advanced administration mode, your role must contain the following right: "Application profile: Creation/Modification".

Procedure
1. In the tree structure of the Directory panel, right-click the Application Security Profile to rename and select Rename.
2. Type the new name of the object and press Enter.


5.5.6 Deleting Application Security Profiles


Subject
If you delete an Application Security Profile used by Application objects, these Applications will use the default Application Security Profile.

Before Starting
To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Security object administrator".
In advanced administration mode, your role must contain the following right: "Application profile: Deletion".

Procedure
In the Directory panel, right-click the Application Security Profile to delete and select Delete.
The Application Security Profile is deleted from the directory tree structure.

5.6 Defining Security Profiles Default Values


Subject
The Security objects (Timeslice, Password Format Control Policy, Password Generation Policy, User Security Profile, Access Point Security Profile and Application Security Profile) can be applied to various target objects. Upon their creation, these target objects are automatically associated with the default Security objects. If necessary, you can change this default Security object. So that you do not have to change the default Security object applied to each created target object, you can configure the Security Profiles default values.

Before Starting
Check that you meet the following requirements:
To perform the task described in this section, you must have at least the following administration role:
a) In classic administration mode: "Security object administrator".
b) In advanced administration mode, your role must contain the following rights:
"Directory: Browsing".
"Access point security profile: Creation/Modification".
"Application profile: Creation/Modification".
"Password format control policy: Creation/Modification".
"Password generation policy: Creation/Modification".
"Schedule: Creation/Modification".
"User security profile: Creation/Modification".

The Security objects that you want to define as default Security objects must be created.

Procedure
1. In the File menu, select Configuration.
2. In the displayed window, click the Default Values tab.
3. In the Default Values tab, define the Security objects applied by default during the creation of target objects as follows:
Click the Select button.
Browse the directory tree structure or use the Search tab to find your Security object.
Click OK.
4. Click OK.


5.7 Managing User and Access Point Security Profiles Priorities


Subject
Depending on your organization, a user or a workstation can belong to different groups. Consider a user who belongs to two groups. If a User Security Profile is applied to each group, you must define priorities for the two User Security Profiles, to avoid a conflict when resolving the User Security Profile used by the user, as shown in the following illustration.

Illustration: a User who is a member of two Groups, each Group carrying its own User Security Profile.

Before Starting
Check that you meet the following requirements:
To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Security object administrator".
In advanced administration mode, your role must contain the following right: "User security profile: Creation/Modification" or "Access point security profile: Creation/Modification".
The User Security Profiles or Access Point Security Profiles whose priorities you want to manage must be created.
If you are working in "no-access-point-management" mode, you cannot manage Access Point Security Profile priorities.

Procedure
1. In the File menu, select either Manage User Security Profile Priority or Manage Access Point Security Profile Priority.
The Manage Access Point Security Profile Priority functionality is only available if Enterprise SSO manages Access Points.
The User Profile priority window appears. The User Security Profile priority management window and the Access Point Security Profile priority management window are exactly the same.
2. Select a User Security Profile/Access Point Security Profile and use the Increase and Decrease buttons to define its priority. You can also use the Default button to define the default priority value. This value is used if a user/workstation is not associated with a User/Access Point Security Profile. The Reset button allows you to re-order the User/Access Point Security Profiles in a random way.
The lowest level profile has the highest priority.
3. Click Close when finished.


6 Managing Directory Objects


Subject
This section describes how to manage the Users, Access Points and Applications, which must be declared, configured and linked to each other, as described in Section 1.1, Enterprise SSO Concepts. It also explains how to manage representative objects and clusters of access points, and how to select a domain controller.

Before Starting
To perform the tasks described in this section, you must have at least one of the following administration roles:
In classic administration mode: "Security object administrator" or "Access administrator" or "Rights administrator".
In advanced administration mode: "Directory: Browsing" and the rights listed in the following task sections.
For more information on administration roles, see Section 4, Managing Administrators.

To optimize network traffic, you can use the update management feature. By default, the Enterprise SSO workstations retrieve the whole SSO configuration periodically. The update management feature allows you to post an update, which generates a unique identifier. The workstations retrieve the application data together with this identifier. As long as the identifier is the same in the directory and in the workstation cache, the workstations do not refresh their SSO configuration.
To enable or disable the update management feature, in the File menu of Enterprise SSO Console select Manage updates. When a workstation runs an update, it retrieves the entire configuration (not only the part corresponding to the last posted update). So this feature does not prevent workstations from retrieving applications configured by administrators after the last posted update, whenever the data on the workstation is older than the last posted update.


6.1 Managing Applications


Subject
This section describes how to define existing applications (corporate applications) and configure them to implement network strategies and user single sign-on data.
If your directory infrastructure is composed of several domains, the definitions of your corporate applications are saved only in the domain where they are defined.

Before Starting
Before reading the following sub-sections, check that the following steps are carried out:
1. Make the inventory of the applications for which you want to control access using Enterprise SSO Console.
2. For each application, list all the authentication windows (login, new password, incorrect password, etc.).
3. For each application, create the corresponding technical reference using SSOStudio Enterprise.
The technical reference is a technical description of an application. It allows you to configure access to this application, and in particular to enable single sign-on. The creation of technical references is described in Enterprise SSO - SSOWatch Administrator Guide. To manage technical references, you must have at least the following administration role:
In classic administration mode: "Security object administrator".
In advanced administration mode, your role must contain the following rights: "Technical reference: Creation/Modification" and "Technical reference: Deletion".

6.1.1 Creating an Application


Creating an application consists of adding an Application object in the directory tree structure. You can create an Application through one of the following methods:
Creating an Application without using any template: see Section 6.1.1.1, Creating an Application without Using a Template.
Using templates to create SAP and Windows application objects: see Section 6.1.1.2, Creating an Application Using Templates.

6.1.1.1 Creating an Application without Using a Template


Subject The following procedure explains how to create a new Application object without using existing templates.


Before Starting
To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Security object administrator".
In advanced administration mode, your role must contain the following right: "Application: Creation/Modification".

Procedure
1. In the tree structure of the Directory panel, right-click the Organizational Unit that must contain your Application and select New | Application.
The Information tab appears.
2. Fill in at least the Name field and press Enter.
The Application object is created. You must now configure it, as described in the following sections.

6.1.1.2 Creating an Application Using Templates


Subject
Enterprise SSO Console allows you to use templates to create SAP and Windows application objects. The Template Application item allows you to create an Application object with a number of pre-defined parameters, for specific authentication scenarios. The predefined template applications are:
SAP, for SAP R/3 application authentication.
Windows, for authentication to an external LDAP directory.
Template applications are managed in the same way as Application objects. They enable the SSO function for specific authentication procedures. The following procedure explains how to create a new Windows or SAP Application object using existing templates.

Before Starting
To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Security object administrator".
In advanced administration mode, your role must contain the following right: "Application: Creation/Modification".


Procedures
Creating a Windows Application
1. In the tree structure of the Directory panel, right-click the Organizational Unit that must contain your Application and select New | Template-based Application | Windows.
The Windows Application window appears.
2. Fill in the window with the Application and Application domain names.
3. Click OK.
The Application object is created with pre-defined parameters for a Windows Application. You can configure or modify it, as described in the following sections.

Creating an SAP Application
1. In the tree structure of the Directory panel, right-click the Organizational Unit that must contain your Application and select New | Template-based Application | SAP.
The SAP Application window appears.
2. Fill in the window to create the SAP Application.
3. Click OK.
The Application object is created with pre-defined parameters for an SAP Application. You can configure or modify it, as described in the following sections.


6.1.2 Defining the General Properties of an Application ("Configuration"/"General" Tab)


Subject
The application's general properties allow you to define:
The Application access Timeslice.
The authentication type authorized.

Before Starting
Check that you meet the following requirements:
The Application access Timeslice object must be created. For more details, see Section 5.1, Managing Timeslices.
To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Security object administrator".
In advanced administration mode, your role must contain the following right: "Application: Creation/Modification".

Procedure
1. In the tree structure of the Directory panel, select the wanted Application.
2. In the Configuration tab, click the General tab.
The General tab appears.
3. Fill in this tab with the following guidelines:
Timeslice area: click the button to change the Timeslice used by the Application; to display the parameters of the selected Timeslice, click the display button.
Properties area: you cannot change the authentication type authorized (only the password method is supported for the time being).
Audit area: you can assign an audit filter to the application to generate only relevant audit events: see Section 13.2.2, Assigning an Audit Filter to Specific Objects.
4. Click Apply.

6.1.3 Creating the Account Properties of an Application


Subject
The account properties of an Application allow you to define login/password requirements, the list of parameters supported by the application, and whether several Applications share the same Account Base. You define the Account properties through the Account Base and Account Properties tabs located in the Configuration tab of an Application object.

Before Starting
To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Security object administrator", and you must be manager of the application.
In advanced administration mode, your role must contain the following rights: "Application: Creation/Modification", "Parameter: Creation/Modification" and "Parameter: Deletion", and you must be manager of the application or possess the "Application: Manage all applications" right.
For more information on administration roles, see Section 4, Managing Administrators. For more information on application management rights, see Section 6.1.7, Sharing the Administration of an Application.

6.1.3.1 Defining Account Base Parameters ("Configuration"/"Account Base" Tab)


Subject
The Account Base tab allows you to define a common base of Accounts shared by several applications.

Procedure
1. In the tree structure of the Directory panel, select the wanted Application.
2. In the Configuration tab, click the Account Base tab.
   The Account Base tab appears.
3. Read carefully the information note and the following "Account Base Tab Description" section to fill in this tab.
4. Click Apply.

Account Base Tab Description
a) The application uses primary accounts check box
   Check box cleared: the application's standard account is used to perform SSO on the selected application.
   Check box selected: the primary account (the user name and password that the user types to open his Windows session) is used to perform SSO on the selected application. In this case the user's Windows password is the credential submitted to the application, so the application must be trusted with it. The Windows user name can be used in the following formats:
   - Short name: user name only.
   - Windows 2000 (and later): user name including the Windows domain, for instance: jsmith@quest.com.
   - NT 4: user name preceded by the NETBIOS domain, for instance: QUEST\jsmith.
b) Share Account Base with Another Application button
   This button allows you to share the account base of the selected application (application A) with another application (application B). Application B then uses only the accounts of application A. If users have already collected accounts for application B, these accounts are no longer visible; the only visible accounts are those of application A.
   Once you have shared the account base of the selected application, the accounts of both applications are displayed (in the Accounts tab, see Displaying Accounts Associated With the Application ("Accounts" Tab)), but you can only stop the sharing from application A (see below). If you try to stop the sharing from application B, the operation is not taken into account.
   Stop Sharing Account Base with Another Application button
   This button allows you to stop sharing the account base of the selected application (application A) with another application (application B). Application B recovers the accounts that had been collected for it.
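The three Windows user-name formats accepted for primary accounts (short name, Windows 2000 UPN, NT 4 NETBIOS) describe the same account in different spellings. The following script is an added example and not code from the Quest/Evidian product: it parses each format and reduces it to one canonical form so that a primary account collected in one spelling can be matched against a logon presented in another. The NETBIOS-to-DNS domain table and the default domain used for short names are constructed assumptions; in a real forest they come from your domain configuration.

```python
"""Parsing and comparing the three Windows user-name formats listed above.

Added example, not product code. It recognises the short, Windows 2000 UPN
(user@domain) and NT 4 NETBIOS (DOMAIN\\user) forms and reduces them to one
canonical form so that a primary account collected in one format can be
matched against a logon presented in another.
"""

# Characters Windows does not allow in a logon name; used to reject garbage early.
_ILLEGAL = set('"/[]:;|=,+*?<>')

# ASSUMPTION: mapping of NETBIOS domain names to DNS domain names for this forest.
NETBIOS_TO_DNS = {"quest": "quest.com"}


def parse_windows_name(name):
    """Return (fmt, domain, user) where fmt is 'short', 'upn' or 'netbios'.

    domain is None for the short form. Raises ValueError on malformed input.
    """
    if "\\" in name:                       # NT 4: QUEST\jsmith
        domain, user = name.split("\\", 1)
        fmt = "netbios"
    elif "@" in name:                      # Windows 2000 and later: jsmith@quest.com
        user, domain = name.rsplit("@", 1)
        fmt = "upn"
    else:                                  # short name: jsmith
        user, domain, fmt = name, None, "short"
    if not user or domain == "" or (_ILLEGAL & set(user)):
        raise ValueError(f"not a valid Windows user name: {name!r}")
    if fmt == "netbios" and ("." in domain or "@" in domain):
        raise ValueError(f"NETBIOS domain must be a flat name: {name!r}")
    return fmt, domain, user


def canonical_upn(name, default_domain="quest.com"):
    """Reduce any of the three formats to lower-case user@dns-domain.

    Windows compares user and domain names case-insensitively, so the
    canonical form is lower-cased before being used as a comparison key.
    The default domain for short names is an assumption of this example.
    """
    fmt, domain, user = parse_windows_name(name)
    if fmt == "short":
        domain = default_domain
    elif fmt == "netbios":
        domain = NETBIOS_TO_DNS.get(domain.lower(), domain.lower())
    return f"{user.lower()}@{domain.lower()}"


def same_primary_account(a, b, default_domain="quest.com"):
    """True when two user names designate the same Windows account."""
    return canonical_upn(a, default_domain) == canonical_upn(b, default_domain)


if __name__ == "__main__":
    for n in ["jsmith", "jsmith@quest.com", "QUEST\\jsmith", "Quest\\JSmith"]:
        print(f"{n:20} {parse_windows_name(n)} -> {canonical_upn(n)}")
```

Unknown NETBIOS domains are kept as-is (lower-cased) rather than silently mapped to the default domain, so an account from another domain never compares equal to a local one by accident.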

6.1.3.2 Defining Account Properties ("Configuration"/"Account Properties" Tab)


Subject
The Account Properties tab allows you to define the login and password requirements for the selected Application, and the list of parameters supported by the application. The end user has to follow these rules when the Application login/password is collected.

Procedure
1. In the tree structure of the Directory panel, select the wanted Application.
2. In the Configuration tab, click the Account Properties tab.
   The Account Properties tab appears.
3. Fill in the Login, Password and Parameters tabs with the instructions given in the following "Account Properties" Tabs Description section.
4. Click Apply.

"Account Properties" Tabs Description

Login Tab

Login creation rule area
This area allows you to define the rule for the application login value, on the basis of the information read from the user object.
a) Rule field: between parentheses, type the exact name of the user LDAP attribute(s) that you want to be displayed to the user in the Application Login field. Example: (mail) indicates that the login is the user's mail address. If you want to add several LDAP attributes, they must be separated by a comma inside the parentheses. Example: (mail,dn).
   To get the exact LDAP attribute name, use an LDAP browser.
   You can be more specific about the login value by using the following rules:
   - To keep only the first n characters of the LDAP value, use the syntax (attLDAP,n).
   - Three functions are available to transform LDAP values: UPPER, LOWER and CAPITALIZED. Example: UPPER(mail,10) returns the first 10 characters of the user's mail address in upper case.
b) User can modify login check box:
   - Clear this check box to indicate that the login creation rule is mandatory, which means that the user cannot modify the application login.
   - Select this check box to indicate that the login creation rule is only for information and that the user can modify the application login.

Login constraints area
The settings defined in this area must be coherent with the rule defined in the Login creation rule area.
a) Length area: set the minimum and maximum number of characters of the login by using the up and down arrows.
b) Forbidden characters area: one after another, type the character(s) that the user is not allowed to use in the login.

Password Tab

The password is checked using a PFCP object, which must be created beforehand. For more details, see Section 5.2, Managing Password Format Control Policies.
Click the first button to choose the PFCP used by the Application, and the second button to display the parameters of the selected PFCP.

Parameters Tab
The Parameters tab allows you to add a list of additional authentication parameters (such as Windows domains or languages). These parameters let you define fields other than the user name/password fields of the target application's authentication window. If you are defining a Linux application, you must add in this tab the Unix Host Identifier parameter (Default type), which holds the name of the Linux machine on which the user's authentication is performed.
Do not forget to check the consistency between the list of authentication parameters for the application and the parameters defined at the technical reference level, which is done using SSOStudio Enterprise. For details, see Enterprise SSO - SSOWatch Administrator Guide.

Add button: click this button to add a parameter. The Add Parameter window appears.
- To add an existing parameter, select it and click OK.
- To create a new parameter, type its name in the Name field and click New.
- To delete or rename an existing parameter, select it and click Delete or Rename.
- To define an External Name for a parameter, select the wanted parameter, click External Name and fill in the displayed window. External names for parameters allow you to define a mapping between the parameter that you are configuring within Enterprise SSO Console and the name of an external parameter (created using another SSO tool). This option is particularly useful to integrate User Provisioning or Web Access Manager with the Enterprise SSO module. For more details, see Section 6.1.5, Defining External Names ("Configuration"/"External Names" Tab).

Delete button: select a parameter and click Delete.

Properties button: select a parameter, then click this button to define the properties of the selected parameter.
a) Parameter type:
   - Default: the value of the parameter is collected for each SSO account and can be modified by the user.
   - Global: the parameter is the same for all SSO accounts and is not proposed to the user.
   - Rule: the value is dynamically computed from user data and cannot be changed.
b) Value: this is the default value assigned to the parameter. If nothing is entered here, the value is requested at first authentication (data collection), according to the parameter type defined above.
   If you have selected Rule in the Parameter type area, get the exact LDAP attribute name (using an LDAP browser) and type it between parentheses in the Value field. For example, type (mail) to indicate that the parameter value is the user's mail address.
   If you want to add several LDAP attributes, they must be separated by a comma inside the parentheses. Example: (mail,dn). You can be more specific about the parameter value by using the following rules:
   - To keep only the first n characters of the LDAP value, use the syntax (attLDAP,n).
   - Three functions are available to transform LDAP values: UPPER, LOWER and CAPITALIZED. Example: UPPER(mail,10) returns the first 10 characters of the user's mail address in upper case.
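The same rule syntax drives both the Login creation rule area of the Login tab and the Value field of a Rule-type parameter. The following evaluator is an added example, not code from the Quest/Evidian product: it applies a rule of the documented forms, (attr), (attr1,attr2), (attr,n) and UPPER(...)/LOWER(...)/CAPITALIZED(...), to a constructed user record, and then checks the result against the Login constraints area so that an incoherent rule/constraint pair is caught before accounts are generated. Two points the guide leaves implicit are assumptions here: several attributes are concatenated in order, and a numeric item truncates the value built so far; CAPITALIZED is assumed to mean first letter upper case, the rest lower case.

```python
"""Evaluator for the creation-rule syntax used in the Login and Parameters tabs.

Added example; this is not code from the Quest/Evidian product. ASSUMPTIONS:
several attributes are concatenated in order, a numeric item truncates the
value built so far, and CAPITALIZED upper-cases the first letter only.
"""
import re

# Constructed sample user entry standing in for the LDAP user object.
SAMPLE_USER = {
    "cn": "John Smith",
    "mail": "John.Smith@quest.com",
    "sAMAccountName": "jsmith",
    "dn": "CN=John Smith,OU=Users,DC=quest,DC=com",
}

# Optional function name, then a parenthesised, comma-separated item list.
_RULE_RE = re.compile(r"^\s*(?:(UPPER|LOWER|CAPITALIZED)\s*)?\(\s*([^()]*?)\s*\)\s*$")


def evaluate_rule(rule, user):
    """Return the value produced by `rule` for `user`.

    Raises ValueError on a malformed rule or an unknown attribute so that an
    account generation run fails loudly instead of producing empty logins.
    """
    match = _RULE_RE.match(rule)
    if not match:
        raise ValueError(f"malformed rule: {rule!r}")
    func, body = match.group(1), match.group(2)
    items = [item.strip() for item in body.split(",") if item.strip()]
    if not items:
        raise ValueError(f"rule names no attribute: {rule!r}")

    value = ""
    for item in items:
        if item.isdigit():
            # (attLDAP,n): keep only the first n characters of the value so far.
            if not value:
                raise ValueError(f"length {item} precedes any attribute in {rule!r}")
            value = value[: int(item)]
        else:
            if item not in user:
                raise ValueError(f"unknown LDAP attribute {item!r}")
            value += user[item]  # ASSUMPTION: several attributes are concatenated

    if func == "UPPER":
        return value.upper()
    if func == "LOWER":
        return value.lower()
    if func == "CAPITALIZED":
        return value[:1].upper() + value[1:].lower()  # ASSUMPTION, see above
    return value


def check_login_constraints(login, min_len, max_len, forbidden=""):
    """Apply the Login constraints area: length bounds and forbidden characters.

    Returns a list of violations (empty when the login is acceptable); run it
    over your user population to confirm that a rule and its constraints are
    coherent before generating accounts.
    """
    problems = []
    if len(login) < min_len:
        problems.append(f"shorter than {min_len}")
    if len(login) > max_len:
        problems.append(f"longer than {max_len}")
    bad = sorted({c for c in login if c in forbidden})
    if bad:
        problems.append("forbidden characters: " + "".join(bad))
    return problems


if __name__ == "__main__":
    for rule in ["(mail)", "UPPER(mail,10)", "LOWER(sAMAccountName)", "(cn,dn)"]:
        login = evaluate_rule(rule, SAMPLE_USER)
        print(f"{rule:24} -> {login!r} {check_login_constraints(login, 3, 12, '@ ')}")
```

Note that (mail) with a forbidden "@" can never satisfy the constraints: the check reports it immediately, which is exactly the coherence the guide asks you to verify by hand.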

6.1.4 Defining the Single Sign-On Properties of an Application ("Configuration"/"SSO" Tab)


Subject
The single sign-on properties of an application allow you to define:
- The application's authentication method.
- The Application Security Profiles (access strategies) defined for the application.

Before Starting
To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: "Security object administrator", and you must be manager of the application.
- In advanced administration mode, your role must contain the following right: "Application: Creation/Modification", and you must be manager of the application or possess the "Application: Manage all applications" right.
For more information on administration roles, see Section 4, Managing Administrators. For more information on application management rights, see Section 6.1.7, Sharing the Administration of an Application ("Administrators" Tab).

Procedure
1. In the tree structure of the Directory panel, select the wanted Application.
2. In the Configuration tab, click the SSO tab.
   The SSO tab appears.
3. Fill in the Methods, Access Strategies and OLE/Automation tabs with the following guidelines:
   a) Methods tab: the following authentication methods are available:
      - SSO: authentication is done through a technical reference. The technical reference is specified when the application is authorized on an access point. At the Application level, a default technical reference can be defined (not mandatory). For information on how to create technical references, see Enterprise SSO - SSOWatch Administrator Guide.
      - Windows authentication: this method defines the SSO accounts that can be used by the GINA, which allows several Windows accounts to be used. If you are defining a Linux application, you must select this propagation method.
      - OLE/Automation: the application is accessed through OLE. The secret code that allows the connection to be established must be defined in the OLE/Automation tab.
   b) Access Strategies tab: this tab defines the list of Application Security Profiles that the application can use. The profile to be used is selected at the time the application is assigned to the user. If only one profile is available, it is automatically selected.
   c) OLE/Automation tab: this tab allows you to define the secret code used to access the application if the OLE/Automation method is selected in the Methods tab.
4. Click Apply.

6.1.5 Defining External Names ("Configuration"/"External Names" Tab)

This tab allows you to define a mapping between an application that you are configuring using Enterprise SSO Console and the name of an external application (created using another SSO tool) for which you want to configure an access. This option is particularly useful to integrate User Provisioning or Web Access Manager with Enterprise SSO. For example, if you are defining an application called MyHTMLApplication that already uses Web Access Manager Account Bases, enter the names of the Web Access Manager Account Bases defined for this application. In this way, the Enterprise SSO controller is able to use these Web Access Manager Account Bases to perform SSO with this application.

6.1.6 Assigning Users to an Application


You can authorize a User to run an Application through the User Access tab, either from the Application object or from the User object. Whatever the selected object type, the tab is exactly the same. For details on how to fill in this tab, please refer to Section 6.2.9, Assigning Applications to a User ("Application Access" Tab).

6.1.7 Sharing the Administration of an Application ("Administrators" Tab)


Subject
When you create an Application, you are its only manager, which gives you administration rights over it. If wanted, you can define other administrators to manage this Application, with different control levels.
If you use the Enterprise SSO Console in advanced administration mode, the "Application: Manage all applications" administration right can be delegated to administrators so that they can manage all applications even if they have not created them. For more details on administration rights, see Section 4, Managing Administrators.

Procedure
1. In the tree structure of the Directory panel, select the wanted Application.
2. Click the Administrators tab.
   The Administrators tab appears.
3. From this tab, you can:
   - Modify the main administrator of the Application, using the Select button.
   - Define other administrators allowed to manage the Application, using the Add and Remove buttons.
   For each added administrator, you can define his/her administration level on the Application using the Modify button. You can define the following levels:

   CONTROL LEVEL      DESCRIPTION
   None               Administration rights are removed.
   Password control   The administrator can change the SSO data of users.
   Total control      The administrator can change the application access strategies.

6.1.8 Generating/Importing Accounts for an Application ("Account Generation" Tab)


Subject
This section describes how to generate or import Accounts for an application, to allow a User to run the selected Application.

Before Starting
You must authorize the User to run the Application, as described in Section 6.2.9, Assigning Applications to a User ("Application Access" Tab).
To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: "Security object administrator" or "Access administrator", and you must be manager of the application.
- In advanced administration mode, your role must contain the following rights: "Account: Creation/Modification" and "Account: Manage parameters", and you must be manager of the application or possess the "Application: Manage all applications" right.
For more information on administration roles, see Section 4, Managing Administrators. For more information on application management rights, see Section 6.1.7, Sharing the Administration of an Application.

Procedure
1. In the tree structure of the Directory panel, select the wanted Application.
2. Click the Account Generation tab.
   The Account Generation tab appears.
3. Fill in this tab as follows:
   a) Fill in the Credentials area. This area allows you to define the Account creation rules. Enter the following information:
      - In the Login field, enter a login creation rule. For example, type (cn) to use the Common Name as the Account login. For more details on the login creation rule syntax, see Section 6.1.3.2, Defining Account Properties ("Configuration"/"Account Properties" Tab), Login Tab.
      - Then either select Random password generation to define a random password for each Account (the password is generated according to the defined PFCP; for more details, see Section 5.2, Managing Password Format Control Policies), or, if you want a single password for all the Accounts, clear Random password generation and enter a password in the Password field. Keep in mind that with the second choice every generated Account shares the same secret.
   b) The Parameters area is optional. It allows you to add additional authentication parameters if needed (such as Windows domains or languages).
   c) Fill in the Generate accounts for only these users area. This area allows you to select the users who must have Accounts. Depending on your needs, do one of the following:
      - If you want to create Accounts for all the users who have access to the Application (that is, who are listed in the User Access tab) but who do not have any Account yet, check that Do not modify existing accounts is selected.
      - If you want to create Accounts for all the users who have access to the Application, including the users who already have an Account (that is, if you want to renew their Accounts), clear Do not modify existing accounts.
      - If you want to create Accounts for only some of the users who have access to the Application, use the Add and Remove buttons to select the wanted users, and select or clear Do not modify existing accounts.
   d) Use the Select button to either define the name and the location of the .csv file that will be used to import Accounts, or select an existing .csv file.
   e) Click Import to build the file.
      The Account import window appears.
   f) Click Start to generate/import the Accounts.

6.1.9 Assigning Access Points to an Application ("Access Points" Tab)


Subject
To configure single sign-on for a User, you must define the following links:
- Authorize the User on an Access Point.
- Authorize an Application to run on an Access Point.
- Authorize the User to access an Application.
This section describes how to authorize an Application to run on an Access Point.

Before Starting
The software corresponding to the Application object must be installed on the Access Point.
To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: "Security object administrator" or "Access administrator".
- In advanced administration mode, your role must contain the following rights: "Authorization for application on access point: Creation/Modification" and "Authorization for application on access point: Deletion".
If you are working in "no-access-point-management" mode, the Access Points tab is not displayed.

Procedure
1. In the tree structure of the Directory panel, select the wanted Application.
2. Click the Access Points tab.
   The Access Points tab appears.
3. Read carefully the Information area to fill in this tab.
   - If you select Allow access from all access points declared in the local directory, the selected Application is available on all the computers registered in the same domain as the Application. To make the Application available to computers registered in different domains, use Representative objects, as described in Section 6.4, Managing Representative Objects.
   - If you do not select Allow access from all access points declared in the local directory, do the following:
     a) Click the Add/Remove buttons to select the Access Points on which the selected Application must be accessible.
     b) To be more specific about the list of accessible Access Points, use the following buttons:
        - Allow/Forbid: if you have added a group of Access Points and you want to forbid one or more Access Point(s) of this group, use the Allow and Forbid buttons.
        - Propagation method: if you want to specify a specific Access Point, and if your Application uses the SSO propagation method, you must indicate a technical reference. By default, the technical reference specified on the Application is used, as described in Section 6.1.4, Defining the Single Sign-On Properties of an Application ("Configuration"/"SSO" Tab).

6.1.10 Displaying Accounts Associated With the Application ("Accounts" Tab)


Subject
The Accounts tab allows you to filter and display the accounts associated with the selected application, and to export them as a .csv file.

Procedure
1. In the tree structure of the Directory panel, select the wanted Application.
2. Click the Accounts tab.
   The Accounts tab appears.
3. In the Filter list, select the filter you want to apply to the Accounts associated with the selected application and click Apply:
   - Display all accounts without access: shows all Accounts that have been collected from users for the selected Application, but that are no longer associated with the Application.
   - Display all unregistered accounts: shows all Users that are authorized to access the selected Application but that have not registered their Account for this Application (the Account is not collected).
   - Display all registered accounts: shows all Users that are authorized to access the selected Application and that have registered their Account for this Application (the Account is collected).
   - Display all accounts: shows all Users that are authorized to access the selected Application (unregistered and registered accounts).
   The area displays the list of selected Accounts.
4. In the Export area, select the element of the displayed list you want to export as a .csv file and click Export.
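The four filters are set relations between the users authorized on the application (User Access tab) and the accounts collected for it. The following script is an added example, not code from the Quest/Evidian product: it derives the same four views from constructed sample data and serializes one of them as .csv, which is useful when you want to review "accounts without access" (collected credentials whose user is no longer authorized) outside the console. The column layout of the export is an assumption; the guide does not document the .csv format the console produces.

```python
"""Reproducing the four Accounts-tab filters and the .csv export.

Added example, not product code. The sample data is constructed, and the
export columns are an assumption (the guide does not document the layout).
"""
import csv
import io

# Constructed sample data: users authorized on the application, and the
# application logins that users have collected (user -> application login).
AUTHORIZED_USERS = {"jsmith", "mdoe", "rlee"}
COLLECTED_ACCOUNTS = {"jsmith": "john.smith", "rlee": "r.lee", "tbrown": "legacy01"}

VIEWS = (
    "Display all accounts without access",
    "Display all unregistered accounts",
    "Display all registered accounts",
    "Display all accounts",
)


def filter_accounts(view, authorized, collected):
    """Return the (user, login, status) rows for one Filter-list entry.

    'without access' is the view to review after removing users from an
    application: those accounts still hold a credential although the user
    is no longer authorized on the application.
    """
    if view == VIEWS[0]:
        return [(u, collected[u], "without access")
                for u in sorted(collected) if u not in authorized]
    if view == VIEWS[1]:
        return [(u, "", "unregistered")
                for u in sorted(authorized) if u not in collected]
    if view == VIEWS[2]:
        return [(u, collected[u], "registered")
                for u in sorted(authorized) if u in collected]
    if view == VIEWS[3]:
        return [(u, collected.get(u, ""), "registered" if u in collected else "unregistered")
                for u in sorted(authorized)]
    raise ValueError(f"unknown filter: {view!r}")


def export_csv(view, authorized, collected):
    """Serialize one view as .csv text (column layout is an assumption)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["user", "application_login", "status"])
    writer.writerows(filter_accounts(view, authorized, collected))
    return buf.getvalue()


if __name__ == "__main__":
    for view in VIEWS:
        print(view)
        print(export_csv(view, AUTHORIZED_USERS, COLLECTED_ACCOUNTS))
```

The export deliberately contains logins only, never passwords; the console's Accounts tab does not expose SSO secrets either.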

6.1.11 Displaying Application Event Logs ("Events" Tab)


Subject
The Events tab allows you to display all the events that are directly or indirectly linked to the selected object, for a defined period (the last two days by default). This report contains both User action and administration log entries.

Restriction
The Events tab appears only if you have the following administration role:
- In classic administration mode: "Auditor".
- In advanced administration mode, your role must contain the following right: "Audit: Visualization".
For more details on administration roles, see Section 4, Managing Administrators.

Procedure
1. In the tree structure of the Directory panel, select the wanted Application.
2. Click the Events tab.
   The Events tab appears.
3. In the Filter area, define a period of time to filter the log entries and click Apply (for more information on event logs, see Section 13.2.1, Filtering Audit Records).


6.1.12 Displaying/Modifying Application Information ("Information" Tab)


Subject
You can at any time update or modify the Application information entered upon the creation of an Application, as described in the following procedure.

Procedure
1. In the tree structure of the Directory panel, select the wanted Application.
2. Click the Information tab.
3. Check and, if necessary, modify the wanted fields and press Enter.

6.1.13 Renaming Applications


Subject
This section describes how to rename Applications.

Procedure
1. In the tree structure of the Directory panel, right-click the Application and select Rename.
2. In the Information tab, type the new name of the object and press Enter.

6.1.14 Deleting Applications


Subject
This section describes how to delete Applications.

Before Starting
To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: "Security object administrator".
- In advanced administration mode, your role must contain the following right: "Application: Deletion".

Procedure
In the tree structure of the Directory panel, right-click the Application to delete and select Delete. The Application and all its related objects are deleted.

6.2 Managing Users


Subject
This section describes the operations specific to user management. They are specific to the User object and related to his/her primary authentication.
If your directory infrastructure is composed of several LDAP domains, the operations related to Users are saved only in the domain where they are done.

Before Starting
Before reading the following sub-sections, check that the following steps have been carried out:
1. Your LDAP directory perimeter contains all the users that you will manage using Enterprise SSO Console.
2. Organizational Units, groups and users are sorted according to the organizations in which they are to be placed.
All these tasks must be carried out with the appropriate LDAP tools, for example Active Directory Users and Computers for Active Directory.

6.2.1 Displaying User General Information ("Information" Tab)


Subject
You can display User general information. This data is retrieved from the LDAP directory.

Procedure
1. In the tree structure of the Directory panel, select the wanted User.
2. Click the Information tab.
   The tab appears.

If you have defined specific data to add in this tab, you can click the Other button to display it. For more details, see Section 14.2, Adding User Attribute Information.

6.2.2 Defining User Connection Parameters ("Connection" Tab)


Subject
This section describes how to set the User's authentication parameters for the applications you have created.

Before Starting
To perform the tasks described in this section, you must have the following administration role:
- In classic administration mode: "Security object administrator".
- In advanced administration mode, your role must contain the following right: "User: Modification".
For more details on administration roles, see Section 4, Managing Administrators.

6.2.2.1 Suspending or Limiting Temporarily a User Access ("General" Tab)


Subject
You can suspend a User's access. When the User is suspended, he/she is informed of this during the authentication phase.

Procedure
1. In the tree structure of the Directory panel, select the wanted User.
2. In the Connection tab, click the General tab.
   The tab appears.
3. From this panel, you can lock/unlock the User and set an Acceptance date and an Expiry date to limit the User's access temporarily.
4. Click Apply to validate your modifications.

6.2.2.2 Displaying User Authentication Information and Administering Roaming Sessions ("Authentication" Tab)
Subject
The User Authentication tab allows you to:
- Check if a User's account is still being used.
- Manage roaming sessions by displaying their duration, and delete them if necessary.

Before Starting
To be able to delete a roaming session, you must work in advanced administration mode, and your role must contain the following right: "Roaming: Delete users sessions".
For more information on administration modes, see Section 4, Managing Administrators.

Procedure
1. In the tree structure of the Directory panel, select the wanted User.
2. In the Connection tab, click Authentication.
   The Authentication tab appears. It displays:
   - The last successful and unsuccessful authentication dates.
   - The roaming session duration.
   The Delete roaming session button allows you to delete the current roaming session, to force the user to authenticate again at next session opening. It also allows you to disable the roaming session in case the user has lost his/her physical token.

6.2.2.3 Forcing a New User's Primary Password ("Password" Tab)


Subject
The Password tab allows you to preset the user's primary password without the user losing his/her recoverable SSO data.
The User's private accounts are lost in this process. Performing this action automatically unlocks the user account (if the unlocking operation fails, you are not warned).
Moreover, this tab allows you to authorize a user to temporarily use the password authentication method. This feature can be useful if you want to force the use of tokens within the company: in this case, you disable password authentication for all users, and activate temporary password access (TPA) in the Password tab for users who do not have their smart card.

Before Starting
To carry out this task, you must have recovery rights, that is:
- In classic administration mode: the "SSO Data Recoverer" administration role, and the SSO data recoverer right on your administration smart card.
- In advanced administration mode, your administration role must contain the following rights: "User: Password modification", "Temporary password access: Creation" and "Temporary password access: Deletion".

Procedure
1. In the tree structure of the Directory panel, right-click the wanted User and select Force Password.
   The Password tab appears.
2. To modify the user's primary password, do one of the following:
   - In the New password and Confirmation fields, type the new User primary password and click Apply.
   - Click the Generate button to automatically generate the user's password and click Apply.
3. To activate temporary password access for the user, do the following:
   a) Fill in the New password and Confirmation fields.
   b) Select the User can connect using password authentication check box and click Apply.
      The TPA duration cannot be modified from this tab: the value is read from the User Security Profile associated with the user (see Section 5.3.2, Configuring User Security Profiles).
      The tab shows the TPA expiration date. If the user connects with a token, the TPA is automatically deleted.
   c) To extend the TPA duration, clear the User can connect using password authentication check box and create a new TPA.
4. To avoid site replication problems if you use Active Directory: in the User is logged on computer field, type the name of the user's computer so that the password reset operation is done on a domain controller located on the same site as the computer (and not on the domain controller to which you are connected), and click Apply.
   For more information on domain controller selection, see Section 6.6, Selecting a Domain Controller.
   The whole password reset operation is done on this server. The administration connection switches back to the previous domain controller once the password reset operation is performed.


6.2.2.4 Managing User Emergency Access ("Emergency Access" Tab)


Subject
The Emergency Access tab allows you to display and manage the password and PIN reset feature information for a user. You can perform the following operations:
- Display the user's Emergency Access information.
- Reset the password attempts for the user if he or she has reached the maximum number of attempts.
- Generate challenges (unlock codes) to allow the user to reset his/her password or PIN.

Before Starting
To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: "Security object administrator" or "Rights administrator" or "SSO Data Recoverer".
- In advanced administration mode, your role must contain the following rights: "Emergency access: Answer deletion", "Emergency access: Challenge generation" and "Emergency access: Reset attempt counter".

Procedure
1. In the tree structure of the Directory panel, select the wanted User.
2. In the Connection tab, click Emergency Access.
   The Emergency Access tab appears. It displays the dates on which the user last used the Emergency Access feature.
3. Do one of the following, depending on the action you want to perform:
   - To reset the user's password attempts to 0, click the Reset button (works only in connected mode).
   - To delete the answers given by the user so that he/she has to provide them again, click the Reset answers button.
   - To generate a challenge, click the Generate Unblocking Code button.
     The Unlock code window appears.
     a) Follow the instructions displayed on screen and, in User challenge, type the challenge the user gave you.
        If a temporary password access (TPA) has been given to the user, the Temporary password access duration field displays the number of days left during which the user can use a password to connect (for more information, see Section 6.2.2.3, Forcing a New User's Primary Password ("Password" Tab)).
     b) Click the Generate button.
        The result appears; give it to the user so that he or she resets his/her password or PIN. Since the code you hand over bypasses the user's normal authentication, make sure you have verified the identity of the person asking for it. The user's password reset attempts are automatically reset to 0 once the password has been reset (if the operation fails, you are not warned).

6.2.2.5 Defining an Audit Identifier


Subject
By default, an Audit identifier is automatically generated for each administered user. If wanted, you can modify this identifier. In this case, it is strongly recommended to modify it only once, upon the first definition of the user, to avoid ending up with several audit identifiers for one user.

Procedure
1. In the tree structure of the Directory panel, select the wanted User.
2. Click the Connection tab.
3. In the Audit identifier area, modify the identifier.
4. Click Apply when done.

6.2.2.6 Creating a Welcome Message


Subject
You can create an individual welcome message. This message appears to the user as a balloon help when he/she starts SSOWatch.

Procedure
1. In the tree structure of the Directory panel, select the wanted User.
2. Click the Connection tab.
3. In the User message area, type the User welcome message.
4. Click Apply when done.

6.2.3 Assigning a User Security Profile to a User ("Security Profile" Tab)


Subject
The assignment of a User Security Profile to a User is an important step in the management of User objects. Globally, User Security Profile objects define:
- The authentication methods authorized for the Users.
- Parameters associated with the use of SSOWatch.
The User Security Profile to assign must already be created, as described in Section 5.3, Managing User Security Profiles.

Before Starting
To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: "Security object administrator".
- In advanced administration mode, your role must contain the following right: "User security profile: Assignment".

Procedure
1. In the tree structure of the Directory panel, select the wanted User.
   You can also select a group of users by selecting a folder containing the wanted users. Note that this is not possible if the Enterprise SSO data is separate from the other data (Fedora Directory Server in cooperative mode, or Active Directory + ADAM infrastructure, for example).
2. Click the Security Profiles tab.
   The Security Profiles tab appears.
   By default, the default User Security Profile is selected (for details on how to configure the default security profile objects, see Section 5.6, Defining Security Profiles Default Values).
3. To assign another User Security Profile, click the selection button. Click the display button to show and, if necessary, modify the selected User Security Profile.
4. Click Apply.

6.2.4 Declaring a User as an Administrator ("Administration" Tab)


Any User declared in the directory can become an administrator. To declare a User as an administrator, you must:
1. Assign administration rights to the User, through the Administration tab, as described in Section 4, Managing Administrators.
2. If access to Enterprise SSO Console calls for a strong authentication facility, assign a smart card to the User, through the Smart Card tab, as described in Section 7, Managing Smart Cards.

6.2.5 Assigning/Forbidding Access Points to a User ("Access Points" Tab)


Subject
To configure single sign-on for a User, you must define the following links:
- Authorize the User on an Access Point.
- Authorize an Application to run on an Access Point.
- Authorize the User to access an Application.


This section describes how to authorize a User to log on to an Access Point, from the User object. This access is checked by Advanced Login or by the GINA of the workstation client. A User who is not authorized and attempts to log on to a workstation obtains the following message: "You are not authorized to log in on this access point".
You can also authorize a User to log on to an Access Point from the Access Point object, as described in Section 6.3.3, Assigning/Forbidding Users to Access Points ("Authorized Users" Tab).

Before Starting
To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: "Security object administrator" or "Access administrator".
- In advanced administration mode, your role must contain the following rights: "Authorization for user on access point: Creation/Modification" and "Authorization for user on access point: Deletion".

If you are working in "no-access-point-management" mode, it is not possible to configure user access to individual Access Points or to objects representing sets of Access Points (groups, organizations and so on). A User is authorized to connect to an Access Point of his/her domain only if his/her User Security Profile indicates "Allow on all Access Points".

Procedure
1. In the tree structure of the Directory panel, select the wanted User.
2. Click the Access Points tab.
   The Access Points tab appears.
3. If the Allow on all Access Points parameter of the User Security Profile associated with this user is selected (for details see Section 5.3.2, "Configuring User Security Profiles"), you can leave this tab blank to authorize all the Access Points of the directory domain for the selected Users. If you want to define authorized/forbidden Access Points, do the following:
   a) Click the Add/Remove buttons to select the Access Points that you want to be accessible to the selected User.

   b) To be more specific about the list of accessible Access Points, use the following buttons:
      - Allow/Forbid: if you have added a group of Access Points and you want to forbid one or more Access Point(s) of this group, use the Allow and Forbid buttons.
      - Modules: to prevent the User from accessing some of the software modules installed on the Access Point (Advanced Login, E-SSO Console, SSOWatch or SSOStudio), use the Modules button.
   The Enterprise SSO controller uses the following algorithm to assign or forbid Access Points to Users:
   1. Checks whether the user is authorized or denied.
   2. Checks whether a user primary group is authorized or denied.
   3. Checks whether a user group is authorized or denied.
   4. Checks whether a parent organizational unit grants or denies access.

6.2.6 Managing User's Accounts ("Accounts" Tab)


Subject
The Accounts tab allows you to manage User's accounts.

Before Starting
To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: "Security object administrator" or "Access administrator", and you must be manager of the application.
- In advanced administration mode, your role must contain the following rights: "Account: Creation/Modification", "Account: Deletion", "Account: Manage parameters", "User role: Creation/Modification", "User role: Deletion", and you must be manager of the application or possess the "Application: Manage all applications" right.
For more information on administration roles, see Section 4, Managing Administrators. For more information on application management rights, see Section 6.1.7, Sharing the Administration of an Application.

Procedure
1. In the tree structure of the Directory panel, select the wanted User.
2. Click the Accounts tab.
   The Accounts tab appears.
3. Select the account you want to manage and perform the wanted action using the available buttons, as explained in the following "Accounts" Tab Description section.


"Accounts" Tab Description
- Show unregistered account check box:
  - Check box selected: the tab displays all the accounts that are not collected.
  - Check box cleared: the tab only displays the accounts that have been collected.
- Export button: exports the User's account list in a .csv file.
- Lock/Unlock button: locks/unlocks the account. If the account is locked, the user is not able to connect to the application anymore.
- Properties button: displays the account properties window, which allows you to manage the selected account's SSO Data and Delegation properties.


  a) SSO Data Tab
     - Login field: account login.
     - Password field: account password. You can manually type it or automatically generate it by clicking the Generate button.
     - Password must change at next logon check box: if this check box is selected, the user will be prompted to change his/her password at first application logon with this account.
     - Clear password history check box: if this check box is selected, all previous passwords are deleted, which means that previously existing passwords can be used again.
     - Parameters area: if any, displays additional parameters for the account, and allows you to define them.
  b) Delegation Tab
     This tab displays the list of user(s) to whom the user has delegated his/her account, using SSOWatch.
- New button: displays the personal account creation window, which allows you to create another user account for the same application.
- Delete button: deletes the selected account.
- Clear all accounts button: deletes all the user accounts.

6.2.7 Managing User's Smart Cards ("Smart Card" Tab)


You can manage User's smart cards from the Directory panel, through the Smart Cards tab. But you can also manage smart cards from the Smart Card panel. For practical reasons, all administration tasks related to smart cards are described in a dedicated section. Thus, for more information on how to manage smart cards, see Section 7, Managing Smart Cards.
The Smart Card tab only appears if you have the "Smart card administrator" role.


6.2.8 Displaying Users Biometric Data ("Biometrics" Tab)


Subject
The Biometrics tab displays information about the user biometric data enrolment, and allows you to remove enrolled biometric data from the controller.

Before Starting
To perform the task described in this section, you must work in advanced administration mode, and your role must contain the following right: "Bio: Is enable to allow biometrics pattern enrolment".
For more information on administration modes, see Section 4, Managing Administrators.

Window Description
- Provider field: name of the biometric reader provider that you want to be used.
- Clear all Patterns button: removes enrolled biometric data from the controller.
- Enrolled patterns: displays the enrolment pattern quality for each finger.
- Last enrolment field: last user enrolment date and time.
- Enrolment approved by field: name of the user or administrator who has authenticated at enrolment time to validate the user enrolment.


6.2.9 Assigning Applications to a User ("Application Access" Tab)


Subject
To configure single sign-on for a User, you must define the following links:
- Authorize the User on an Access Point.
- Authorize an Application to run on an Access Point.
- Authorize the User to access an Application.
This section describes how to authorize a User to run an Application, from the User object.

Before Starting
To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: "Security object administrator" or "Access administrator".
- In advanced administration mode, your role must contain the following rights: "Authorization to use application: Creation/Modification" and "Authorization to use application: Deletion".

Procedure
1. In the tree structure of the Directory panel, select the wanted User.
2. Click the Application Access tab.
   The Application Access tab appears.

3. Fill in this tab with the following guidelines:
   - Select Show inherited access to display all the applications inherited from the parent groups and organizational units.
   - Click Add to select Applications to assign to the selected User, then fill in the Access properties area and click Apply. The Application appears in the Access list. For more details on the Access properties area, see the sub-section just below. At any time, you can click the Edit and Remove buttons to modify or delete entries of the Access list.

The Access Properties Area
The Access properties area allows you to define how Users access the application using the following parameters:
- Account Type: this drop-down list allows you to select, among the following entries, the Account type used by the User:
  - Shared: account shared between several users who belong to the same group of users.
  - Primary: account allowing the user's connection data to be used to produce an SSO. This account is only available if the user password is authenticated.
  - Standard: account type that is automatically associated with the application when it is added to the user.
  - Specified on the Application: account type defined in the account base of the application (Primary account or Standard account).
- Format: if you select the primary account type, select in this drop-down list the format of the Windows user name (user name preceded by the NETBIOS domain or including the Windows domain, for example).
- Application profile: if you have defined several Application Security Profiles at application level, you can specify the profile to be used for this access.
  To enable the Mobile E-SSO feature, you must select an Application Profile that allows external accesses.
- Role: if the User has access to various accounts for the selected Application, you must assign different roles to these accounts using the Manage button.
- Users can create additional accounts: select this option to authorize the User to create as many accounts as he/she wants.

6.2.10 Managing User's RFID Tokens ("RFID" Tab)


The RFID tab allows you to assign, lock or unlock, send into a blacklist and delete, or display information on the RFID tokens of a user. For details on how to manage tokens through this tab, see Section 9, Managing RFID Tokens.

6.2.11 Managing Data Privacy ("DP" Tab)


The DP tab allows you to generate and update the encryption key associated with a user. For details on how to use the Data Privacy feature, see Section 11, Managing Data Privacy.


6.2.12 Displaying User Event Logs ("Event" Tab)


Subject
The Events tab allows you to display all the events that are directly or indirectly linked to the selected object, for a defined period (the last two days by default). This report contains both User action and administration log entries.

Restriction
The Events tab appears only if you have at least the following administration role:
- In classic administration mode: "Auditor".
- In advanced administration mode, your role must contain the following right: "Audit: Visualization".
For more details on administration roles, see Section 4, Managing Administrators.

Procedure
1. In the tree structure of the Directory panel, select the wanted User.
2. Click the Events tab.
   The Events tab appears.
3. In the Filter area, define a period of time to filter the log entries and click Apply (for more information on event logs, see Section 13, Managing Audit Events).

6.3 Managing Access Points


Subject This section describes the operations specific to the Access Points management. The definition of the Access Point object and its relationship with the User and Application objects is provided in Section 1.1, Enterprise SSO Concepts.
If your directory infrastructure is composed of several domains, the operations on Access Points are saved only in the domain where they are done.

Before Starting
Access Points are only included in the Enterprise SSO administration domain if the following conditions are met:
- The workstation is included in the Enterprise SSO operating environment in the reference LDAP directory domain. If you want to assign different Access Point profiles, sort your workstations according to the organizations (Organization unit) in which they are to be placed. If necessary, use the tree structure to define specific parameters for them in the security policy. These tasks must be carried out directly in your LDAP directory, with the appropriate tools.
- The Enterprise SSO client must be installed on the workstations included in the Enterprise SSO administration domain. Only the workstations on which the Enterprise SSO client is deployed appear in the tree structure (Directory panel).

If you are working in "no-access-point-management" mode, client Access Points do not appear in the directory tree.
If you are using Active Directory, Access Points appear in the tree but cannot be modified.

6.3.1 Displaying Access Point General Information ("Information" Tab)


Subject
You can display Access Point general information. This data is retrieved from the installation of the Enterprise SSO client and from the LDAP directory.

Procedure
1. In the tree structure of the Directory panel, select the wanted Access Point.
2. Click the Information tab.
   The Information tab appears.


6.3.2 Defining Access Point Configuration Parameters ("Configuration" Tab)


6.3.2.1 Assigning an Access Point Security Profile to an Access Point
Subject
The assignment of an Access Point Security Profile to an Access Point is an important step in the management of Access Point objects. Among other things, Access Point Security Profile objects define:
- The authentication methods enabled for the workstations associated with the Access Point Security Profile.
- The software modules (SSOWatch, Advanced Login...) enabled for these workstations.
An Access Point Security Profile should be used on TSE type Access Points to indicate that on these workstations, the SSO Engine must not display the splash screen or the engine management icon in the notification bar.

Before Starting
The Access Point Security Profile to assign must be created, as described in Section 5.4, Managing Access Point Security Profiles.
To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: "Security object administrator".
- In advanced administration mode, your role must contain the following right: "Access point security profile: Assignment".

If you are working in "no-access-point-management" mode, Access Point Security Profiles cannot be applied to Access Points.

Procedure
1. In the tree structure of the Directory panel, select the wanted Access Point.
2. Click the Configuration tab.
   The Configuration tab appears.
   By default, the default Access Point Security Profile is selected (for details on how to configure the default security profile objects, see Section 5.6, Defining Security Profiles Default Values).
3. To assign another Access Point Security Profile, click the selection button. Click the display button to search, display and, if necessary, modify the selected Access Point Security Profile.

6.3.2.2 Managing the Access Point Available Services


Subject
If an Enterprise SSO controller is installed on the selected Access Point, you can manage the list of services that this controller should provide: when a workstation needs to connect to an Enterprise SSO controller, the Enterprise SSO security services connect to an Enterprise SSO controller that explicitly provides the required Service.
For more information on Enterprise SSO controllers and service management, see Section 1.2, Enterprise SSO Controller.

Procedure
1. In the tree structure of the Directory panel, select the wanted Access Point.
2. Click the Configuration tab.
   The Configuration tab appears.
   The Available E-SSO services area displays the port number used by the Enterprise SSO controller (for information) and the list of available services.
3. Select the check boxes corresponding to the Services you want to be provided by the Enterprise SSO controller installed on this computer. Changing the list of available Services has no impact on the Enterprise SSO controller itself.
   Any change is taken into account by workstations at cache refresh time.


6.3.3 Assigning/Forbidding Users to Access Points ("Authorized Users" Tab)


Subject
To configure single sign-on for a User, you must define the following links:
- Authorize the User on an Access Point.
- Authorize an Application to run on an Access Point.
- Authorize the User to access an Application.
This section describes how to authorize a User to log on to an Access Point, from the Access Point object. This access is checked by Advanced Login or by the GINA of the workstation client. A User who is not authorized and attempts to log on to a workstation obtains the following message: "You are not authorized to log in on this access point".
You can also authorize a User to log on to an Access Point from the User object, as described in Section 6.2.5, Assigning/Forbidding Access Points to a User ("Access Points" Tab).

Before Starting
To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: "Security object administrator" or "Access administrator".
- In advanced administration mode, your role must contain the following rights: "Authorization for user on access point: Creation/Modification" and "Authorization for user on access point: Deletion".

If you are working in "no-access-point-management" mode, it is not possible to configure user access to individual Access Points or to objects representing sets of Access Points (groups, organizations and so on). The User Access tab is not displayed. A User is authorized to connect to an Access Point of his/her domain only if his/her User Security Profile indicates "Allow on all Access Points".

Procedure
1. In the tree structure of the Directory panel, select the wanted Access Point.
2. Click the Authorized Users tab.
   The Authorized Users tab appears.
3. If the Allow on all Access Points parameter of the User Security Profile associated with a user is selected (for details see Section 5.3.2, Configuring User Security Profiles), you can leave this tab blank to authorize all the Access Points of the directory domain for the selected Users. If you want to define authorized/forbidden Users, do the following:
   - Allow/Forbid: if you have added a group of Users and you want to forbid one or more User(s) of this group, use the Allow and Forbid buttons.
   - Modules: to prevent Users from accessing some of the software modules installed on the Access Point (Advanced Login, E-SSO Console, SSOWatch or SSOStudio), use the Modules button.
   The Enterprise SSO controller uses the following algorithm to assign or forbid Access Points to Users:
   1. Check whether the user is authorized or denied.
   2. Check whether a user primary group is authorized or denied.
   3. Check whether a user group is authorized or denied.
   4. Check whether a parent organizational unit grants or denies access.

6.3.4 Assigning/Forbidding Applications to Access Points ("Available Applications" Tab)


Subject
To configure single sign-on for a User, you must define the following links:
- Authorize the User on an Access Point.
- Authorize an Application to run on an Access Point.
- Authorize the User to access an Application.
This section describes how to authorize an Application to run on an Access Point.


Before Starting
The software corresponding to the Application object must be installed on the Access Point.
The Enterprise SSO controller uses the following algorithm to assign or forbid Applications to Access Points:
1. Check whether the Access Point authorizes the Application.
2. Check whether an Access Point primary group authorizes or prohibits the Application.
3. Check whether an Access Point group authorizes or prohibits the Application.
4. Check whether an Access Point parent Organizational Unit grants or denies access.
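The four-step check above, and the identical one given for Users on Access Points in Sections 6.2.5 and 6.3.3, is a precedence walk from the most specific directory object (the User or Application itself) to the least specific (a parent Organizational Unit). The following Python model is an added illustration of that walk and is not Quest/Evidian code. It assumes that the first entry found decides, that a blank table means "forbidden" unless the User Security Profile says Allow on all Access Points, and that a Modules restriction is attached to the entry that granted access; the DNs, rule table and principal names are constructed sample data.

```python
# Illustrative model (added for this guide; not Quest/Evidian code) of the
# four-step precedence check described for "User on Access Point" and
# "Application on Access Point" authorizations. The data structures, the
# "first match wins, most specific scope first" rule and the "no entry means
# forbidden" default are assumptions made for this example.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ALLOW = "allow"
FORBID = "forbid"

# Software modules that the Modules button can withhold on an Access Point.
MODULES = {"Advanced Login", "E-SSO Console", "SSOWatch", "SSOStudio"}


@dataclass
class Principal:
    """A User (or an Application, for the Available Applications tab),
    described by its position in the LDAP directory."""
    dn: str
    primary_group: Optional[str] = None
    groups: List[str] = field(default_factory=list)
    ou_chain: List[str] = field(default_factory=list)   # nearest OU first


@dataclass
class Rule:
    decision: str                                        # ALLOW or FORBID
    forbidden_modules: Set[str] = field(default_factory=set)


# Authorization table of one Access Point: object DN -> rule the
# administrator set with the Add/Remove, Allow/Forbid and Modules buttons.
Table = Dict[str, Rule]


def resolve(principal: Principal, table: Table,
            allow_all_from_profile: bool = False) -> Tuple[str, str, Optional[str]]:
    """Walk the guide's four checks in order; return (decision, scope, matched DN).

    1. the principal itself, 2. its primary group, 3. its other groups,
    4. its parent organizational units, nearest first. The first entry found
    decides (assumption). With no entry at all, the "Allow on all Access
    Points" setting of the User Security Profile decides.
    """
    checks = [
        ("user", [principal.dn]),
        ("primary group", [principal.primary_group] if principal.primary_group else []),
        ("group", principal.groups),
        ("organizational unit", principal.ou_chain),
    ]
    for scope, candidates in checks:
        for dn in candidates:
            rule = table.get(dn)
            if rule is not None:
                return rule.decision, scope, dn
    if allow_all_from_profile:
        return ALLOW, "security profile", None
    return FORBID, "none", None


def module_allowed(principal: Principal, table: Table, module: str,
                   allow_all_from_profile: bool = False) -> bool:
    """True if the principal may use `module` on the Access Point, honouring
    the Modules restriction attached to the entry that granted access."""
    if module not in MODULES:
        raise ValueError(f"unknown module: {module}")
    decision, _scope, dn = resolve(principal, table, allow_all_from_profile)
    if decision != ALLOW:
        return False
    if dn is None:                     # granted by the security profile only
        return True
    return module not in table[dn].forbidden_modules


# Constructed sample: the Authorized Users table of one Access Point.
SAMPLE_TABLE: Table = {
    "ou=Finance,dc=example,dc=com": Rule(ALLOW, forbidden_modules={"SSOStudio"}),
    "cn=Contractors,ou=Groups,dc=example,dc=com": Rule(FORBID),
    "cn=bob,ou=Finance,dc=example,dc=com": Rule(ALLOW),
}
FINANCE_OUS = ["ou=Finance,dc=example,dc=com", "dc=example,dc=com"]

# Constructed sample users.
ALICE = Principal("cn=alice,ou=Finance,dc=example,dc=com",
                  primary_group="cn=Staff,ou=Groups,dc=example,dc=com",
                  groups=["cn=Contractors,ou=Groups,dc=example,dc=com"],
                  ou_chain=FINANCE_OUS)
BOB = Principal("cn=bob,ou=Finance,dc=example,dc=com",
                groups=["cn=Contractors,ou=Groups,dc=example,dc=com"],
                ou_chain=FINANCE_OUS)
CAROL = Principal("cn=carol,ou=Finance,dc=example,dc=com", ou_chain=FINANCE_OUS)
DAVE = Principal("cn=dave,ou=Sales,dc=example,dc=com",
                 ou_chain=["ou=Sales,dc=example,dc=com", "dc=example,dc=com"])

if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL, DAVE):
        decision, scope, dn = resolve(who, SAMPLE_TABLE)
        print(f"{who.dn}: {decision} (decided at {scope}: {dn}); "
              f"SSOStudio={module_allowed(who, SAMPLE_TABLE, 'SSOStudio')}")
```

The sample shows why the order matters: alice is forbidden because a Forbid on one of her groups is reached before the Allow on her Organizational Unit, whereas bob, who is in the same group, is allowed because an entry on the User itself is checked first. carol is allowed through the OU entry and therefore inherits its Modules restriction on SSOStudio; dave matches nothing and is only admitted when the profile-level Allow on all Access Points flag is set.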

To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: "Security object administrator" or "Access administrator".
- In advanced administration mode, your role must contain the following rights: "Authorization for application on access point: Creation/Modification" and "Authorization for application on access point: Deletion".

If you are working in "no-access-point-management" mode, it is not possible to make applications available on individual Access Points or on objects representing sets of Access Points (groups, organizations and so on) other than "outbound representatives". The Available Applications tab is not displayed.

Procedure
1. In the tree structure of the Directory panel, select the wanted Access Point.
2. Click the Available Applications tab.
   The Available Applications tab appears.
3. Click the Add/Remove buttons to select the Applications that you want to be accessible to the selected Access Point.
4. To be more specific about the list of accessible Applications, use the following buttons:
   - Allow/Forbid: if you have added a group of Applications and you want to forbid one or more Application(s) of this group, use the Allow and Forbid buttons.
   - Propagation method: if you want to specify a specific Application, and if your Application uses the SSO propagation method, you must indicate a technical reference. By default, the technical reference specified on the Application is used, as described in Section 6.1.4, Defining the Single Sign-On Properties of an Application ("Configuration"/"SSO" Tab).

6.3.5 Displaying Access Point Event Logs ("Events" Tab)


Subject
The Events tab allows you to display all the events that are directly or indirectly linked to the selected object, for a defined period (the last two days by default). This report contains both User action and administration log entries.

Restriction
The Events tab appears only if you have at least the following administration role:
- In classic administration mode: "Auditor".
- In advanced administration mode, your role must contain the following right: "Audit: Visualization".
For more details on administration roles, see Section 4, Managing Administrators.

Procedure
1. In the tree structure of the Directory panel, select the wanted Access Point.
2. Click the Events tab.
   The Events tab appears.
3. In the Filter area, define a period of time to filter the log entries and click Apply (for more information on event logs, see Section 13, Managing Audit Events).

6.4 Managing Representative Objects


Subject
A representative object is an LDAP object representing a set of target objects (Users or Access Points) that are not part of the domain the representative object belongs to. Thus, a represented User can log on to an access point which is not part of his/her domain, and access his/her local domain applications. This section explains how to create, modify and delete representative objects.


Object Definition
A representative object represents objects (Users or Access Points) that are not part of its local domain. These objects are of two types:
- Inbound type: the object represents a set of external users.
- Outbound type: the object represents a set of external access points.

By default, two Representative objects are created: they represent all external domains. In "no-access-point-management" mode, the inbound representative object must have a security profile allowing it to authenticate on all access points. The outbound representative object represents a domain of computers.

6.4.1 Managing Inbound Representative Objects


Subject
An Inbound Representative object represents a set of Users that are not part of the domain the Representative belongs to. You assign a security profile to this representative, and choose which access points of the local domain must be accessible to the represented users in "access-point-management" mode. Thus, these users will be able to log on to access points that are not part of their domain.

Before Starting
Before starting, check that you meet the following requirements:
- You must be authorized to access the external domains in which the Users to be represented reside (see Section 4, Managing Administrators).
- To perform the task described in this section, you must have at least the following administration role:
  - In classic administration mode: "Security object administrator".
  - In advanced administration mode, your role must contain the following right: "Representative: Creation/Modification".
- The User Security Profile that you want to assign to the external users must be created, as described in Section 5.3, Managing User Security Profiles.
- In "no-access-point-management" mode, a user can open an Enterprise SSO session on an access point of a foreign domain only if the representative of the user is authorized to authenticate on all access points. In the security profile of the representative, the Allow on all Access Points field must be selected, as described in Section 5.3.2.1, Authentication Parameters Configuration ("Authentication" Tab).


6.4.1.1 Creating/Modifying an Inbound Representative Object


Procedures
Creating an Inbound Object
1. In the tree structure of the Directory panel, right-click the Organizational Unit that must contain your Inbound object and select New | Representative.
   The selection window appears.
2. Click Inbound access and click OK.
   The Inbound Object configuration tabs appear.
3. In the Configuration tab, in the Representative area, type the name of the Representative you are creating.
4. Configure the Representative object, as described in the following sections:
   - Define the set of Users to represent: see Section 6.4.1.2, Defining the Set of Users to Represent ("Configuration" Tab).
   - Assign a User Security Profile to the Representative: see Section 6.4.1.3, Assigning a User Security Profile to the Inbound Representative Object ("Security Profile" Tab).
   - Choose the Access Points that the Representative will be authorized to access: see Section 6.4.1.4, Selecting the Access Points Available to the Representative ("Access Points" Tab).
5. Click Apply.
   The Inbound Object appears in the directory tree structure.

Modifying an Inbound Object
1. In the tree structure of the Directory panel, select the Inbound Object to modify.
   The Inbound Object configuration tab appears.
2. Modify the configuration of the Representative object, as described in the following sections:
   - To modify the set of Users to represent: see Section 6.4.1.2, Defining the Set of Users to Represent ("Configuration" Tab).
   - To modify the User Security Profile assigned to the Representative: see Section 6.4.1.3, Assigning a User Security Profile to the Inbound Representative Object ("Security Profile" Tab).
   - To modify the selection of Access Points that the Representative is authorized to access: see Section 6.4.1.4, Selecting the Access Points Available to the Representative ("Access Points" Tab).
3. Click Apply.
   The Inbound Object is modified.

6.4.1.2 Defining the Set of Users to Represent ("Configuration" Tab)


Subject
You must select the external Users that you want the Representative object to represent.

Procedure
In the Configuration tab, in the Represented population area, use the Add and Remove buttons to choose the Users of external domains that you want to be represented by the Representative.


6.4.1.3 Assigning a User Security Profile to the Inbound Representative Object ("Security Profile" Tab)
Subject
You must assign a User Security Profile to the Representative object. When a represented user authenticates on an access point which is not part of his/her domain, his/her profile is composed of two parts: one belonging to his/her own domain and one belonging to the domain of the access point. The Security and Emergency Access tabs are used to compose the part of the profile belonging to the domain of the user. The Authentication and Unlocking tabs are used to compose the part of the profile belonging to the domain welcoming the user.

Before Starting
The User Security Profile to assign must be created, as described in Section 5.3, Managing User Security Profiles.

Procedure
1. Click the Security Profiles tab.
   The Security Profiles tab appears.
   By default, the default User Security Profile is selected (for details on how to configure the default security profile objects, see Section 5.6, Defining Security Profiles Default Values).
2. To assign another User Security Profile, click the selection button. Click the display button to display and, if necessary, modify the selected User Security Profile.
3. Click Apply.

6.4.1.4 Selecting the Access Points Available to the Representative ("Access Points" Tab)
Subject
The Access Points tab is only available if Enterprise SSO manages Access Points.
This section describes how to authorize the represented Users to log on to Access Points which are not part of their domain.

Procedure
1. Click the Access Points tab.
   The Access Points tab appears.
2. Click the Add/Remove buttons to select the Access Points that you want to be accessible to the selected Representative.
   The Allow on all Access Points parameter of the User Security Profile associated with the Representative has no effect on the accessibility of Access Points to the selected Representative.
3. To be more specific about the list of accessible Access Points, use the following buttons:
   - Allow/Forbid: if you have added a group of Access Points and you want to forbid one or more Access Point(s) of this group, use the Authorize and Forbid buttons.
   - Modules: to prevent the Representative from accessing some of the software modules installed on the Access Point (Advanced Login, E-SSO Console, SSOWatch or SSOStudio), use the Restriction button.

6.4.2 Managing Outbound Representative Objects


Subject A Representative Outbound object represents a set of access points that are not part of the domain the Representative belongs to. You decide what applications of the local domain must be available on these access points. Thus, users will be able to access applications of their local domain from access points that are not part of their domain.


Before Starting
Before starting, check that you meet the following requirements:
- You must be allowed to access the external domains in which the Access Points to be represented reside (see Section 4, Managing Administrators).
- To perform the task described in this section, you must have at least the following administration role:
  - In classic administration mode: "Security object administrator".
  - In advanced administration mode, your role must contain the following right: "Representative: Creation/Modification".

6.4.2.1 Creating/Modifying an Outbound Object


Procedures
Creating an Outbound Object
1. In the tree structure of the Directory panel, right-click the Organizational Unit that must contain your Outbound object and select New | Representative.
The selection window appears.
2. Click Outbound access and click OK.
The Outbound Object configuration tabs appear.
3. In the Configuration tab, in the Representative area, type the name of the Representative you are creating.
4. Configure the Representative object, as described in the following sections:
- Define the set of Access Points to represent: see Section 6.4.2.2, Defining the Set of Access Points to Represent ("Configuration" Tab).
- Choose the Applications that the Representative will be authorized to access: see Section 6.4.2.3, Selecting the Applications Available to the Representative ("Available Applications" Tab).
5. Click Apply.
The Outbound Object appears in the directory tree structure.


Modifying an Outbound Object
1. In the tree structure of the Directory panel, select the Outbound Object to modify.
The Outbound Object configuration tab appears. Modify the configuration of the Representative object, as described in the following sections:
- To modify the set of Access Points to represent: see Section 6.4.1.2, Defining the Set of Users to Represent ("Configuration" Tab).
- To modify the selection of Applications that the Representative is authorized to access: see Section 6.4.1.4, Selecting the Access Points Available to the Representative ("Access Points" Tab).
2. Click Apply.
The Outbound Object is modified.

6.4.2.2 Defining the Set of Access Points to Represent ("Configuration" Tab)


Subject
You must select the external Access Points that you want the Representative object to represent.
Procedure
In the Configuration tab, in the Represented population area, use the Add and Remove buttons to choose the Access Points of external domains that you want to be represented by the Representative.
In "no-access-point-management" mode, the represented population is everyone or a specific domain. It is not possible to browse the sub-tree of domain-level objects.


6.4.2.3 Selecting the Applications Available to the Representative ("Available Applications" Tab)
Subject
This section describes how to authorize the represented Access Points to access Applications that are not part of their domain.
Before Starting
The software corresponding to the Application object must be installed on the Access Point.
Procedure
1. Click the Available Applications tab.
The Available Applications tab appears.
2. Click the Add/Remove buttons to select the Applications that you want to be accessible from external Access Points.
3. To be more specific about the list of accessible Applications, use the following buttons:
- Allow/Forbid: if you have added a group of Applications and you want to forbid one or more Applications of this group, use the Authorize and Forbid buttons.
- Propagation method: if you want to specify an Application that uses the SSO propagation method, you must indicate a technical reference. The technical reference specified on the Application is used by default, as described in Section 6.1.4, Defining the Single Sign-On Properties of an Application ("Configuration"/"SSO.


6.4.3 Displaying Representative Event Logs


Subject
The Events tab allows you to display all the events that are directly or indirectly linked to the selected object, for a defined period (the last two days by default). This report contains both User action and administration log entries.
Restriction
The Events tab only appears if you have the following administration role:
- In classic administration mode: "Auditor".
- In advanced administration mode, your role must contain the following right: "Audit: Visualization".
For more details on administration roles, see Section 4, Managing Administrators.

Procedure
1. In the tree structure of the Directory panel, select the wanted Representative.
2. Click the Events tab.
The Events tab appears.
3. In the Filter area, define a period of time to filter the log entries and click Apply (for more information on event logs, see Section 13.2.1, Filtering Audit Records).

6.4.4 Renaming Representative Objects


Before Starting
To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: "Security object administrator".
- In advanced administration mode, your role must contain the following right: "Representative: Creation/Modification".

Procedure
1. In the tree structure of the Directory panel, right-click the Representative object to rename and select Rename.
2. Type the new name of the object and press Enter.

6.4.5 Deleting Representative Objects


Before Starting
To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: "Security object administrator".
- In advanced administration mode, your role must contain the following right: "Representative: Deletion".

Procedure
In the Directory panel, right-click the Representative Object to delete and select Delete.
The Representative Object is deleted from the directory tree structure.

6.5 Managing Clusters of Access Points


Definition
A Cluster of access points is a set of computers on which the Windows sessions are synchronized by Enterprise SSO. Operations that a user performs on the Windows session (opening, closing, locking, unlocking) of a computer that belongs to the cluster are automatically and simultaneously performed on all the other computers that form the cluster. The number of workstations you can include in a cluster is not limited.
In a cluster of access points, the computer on which the user performs an action is called the master computer. The same action is simultaneously performed on the other computers of the cluster, called slaves.
An Enterprise SSO Controller does not work in Cluster mode.


Mechanism Description
When a user performs an operation (opening, closing, locking, unlocking) on a computer, this computer becomes the master computer and periodically informs the slave computers of the operation performed. This is how the behavior of the slave computers is managed.

Session Opening
When a user opens a session on a computer of the cluster, all the sessions of the other computers of the cluster open with the same user account.
- If a slave computer is not reachable at session opening on the master computer, the session opening operation on this slave computer is performed as soon as the network is restored.
- If a slave computer restarts, and if the last operation performed on the master computer is a session opening, a session is opened on this slave computer as soon as it is available.
- If the session of a slave computer is locked by another user, the session is unlocked only if the Fast User Switching (FUS) option is activated for this computer (see Section 5.3.2.3, Fast User Switching Parameters Configuration ("Unlocking" Tab)).
- If a user performs a FUS on a computer, all the other computers of the cluster perform the FUS.
- If an "Excluded Account" opens a session on a computer that is part of the cluster, this computer is automatically excluded from the cluster. For more information on excluded accounts, see the Excluded accounts button in Section 5.4.2.2, Advanced Login Parameters Configuration ("Advanced Login" Tab).

Session Locking
When a computer is locked, all the other computers are locked according to their defined lock mode (see Section 6.5.1, Creating and Configuring a Cluster of Access Points). If a slave computer with an open session does not receive any information from the master for a period of 30 seconds, it is automatically locked according to its defined lock mode (see Section 6.5.1, Creating and Configuring a Cluster of Access Points).

Session Closing
When the user closes a computer, all the other computers of the cluster are closed.
A slave computer can only accept orders from the master computer if they are compatible with its current session. For example, if a user locks a computer session while all the other cluster computer sessions are closed, these sessions remain closed.

Screensaver
When a computer screensaver is activated, the computer is not locked. It becomes locked at the end of the screensaver period: it then becomes the master and locks all computers of the cluster. You must configure the screensaver according to the wanted computer behavior.


6.5.1 Creating and Configuring a Cluster of Access Points


Subject
The following procedure explains how to create a new cluster of access points and configure it:
- You can authorize users to temporarily remove a computer from the cluster.
- You can define a locking behavior for each computer of the cluster.
To perform the task described in this section, you must work in advanced administration mode, and your role must contain the following right: "Cluster: Creation/Modification".
For more information on administration modes, see Section 4, Managing Administrators.

Before Starting
- Make sure that none of the computers you want to place in the cluster is an Enterprise SSO Controller.
- Make sure all the computers you want to gather in a cluster are connected to each other, and configured according to your needs (automatic screen-saver launching, locking).
- DNS resolution must work properly so that orders sent from the master can be transmitted to the slaves.
- Port 3644 must be open on all computers you want to gather in a cluster.
- Enterprise SSO must be configured in "manage-access-point" mode.
- The following license keys must be installed on the Enterprise SSO Controller and Clients: "Cluster mode" and "Audit and advanced security".

Procedure
1. In the tree structure of the Directory panel, right-click the Organizational Unit that must contain your Cluster of access points and select New | Cluster of access points.
The Configuration tab appears.
2. Fill in the Name field.
3. Click the Add button to select the access points you want to add to the cluster. Use the Browse tab to browse the directory tree structure or use the Search tab to find the access point by typing its name.
4. Define the cluster properties as explained in the following "Configuration" Tab Description section.
5. Click Apply.
The Cluster object is created and configured.

"Configuration" Tab Description


Allow users to temporarily withdraw a computer from the cluster check box
If this check box is selected, users allowed to access one of the cluster computers are able to temporarily exclude a computer from the cluster, from the SSOWatch application module.

Option button
Gives access to the Cluster Lock Mode window. For each computer of the cluster, this window allows you to define its behavior as a slave in the following cases:
- When it receives a locking order from the master computer.
- When it does not receive any order from the master for more than 30 seconds.
The behavior selected here only applies when the computer is a slave.
- Do nothing: the selected computer is not locked.
- Lock keyboard and mouse: the selected computer is not locked, but keyboard and mouse are disabled. Pressing Ctrl+Alt+Del on this computer unlocks it.
- Lock session (default value): the selected computer is locked.

Remove button
Removes the selected computer from the cluster.

Add button
Allows you to select the access points you want to add to the cluster. The Browse tab allows you to browse the directory tree structure and the Search tab allows you to find the access point by typing its name.
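As an added illustration of the cluster mechanism described in Section 6.5 and of the Cluster Lock Mode settings above (example code, not part of the Quest guide or of the product), the following Python model shows a master propagating session operations to the slaves, each slave applying its own lock mode, the 30-second master timeout and the rule that a slave ignores orders incompatible with its current session. The Computer and Cluster classes, the order names and the pc-a to pc-e computers are this example's own.

```python
"""Model of the access-point cluster behaviour of Section 6.5 (added example, not
Quest/Evidian code): the master propagates session operations to the slaves, each
slave applies its own Cluster Lock Mode, locks itself after 30 s without news from
the master and ignores orders that are incompatible with its current session."""
from dataclasses import dataclass
from enum import Enum

MASTER_TIMEOUT_S = 30  # guide: a slave locks after 30 s without news from the master

class LockMode(Enum):
    DO_NOTHING = "Do nothing"
    LOCK_INPUT = "Lock keyboard and mouse"
    LOCK_SESSION = "Lock session"  # default value in the console

class Session(Enum):
    CLOSED = "closed"
    OPEN = "open"
    LOCKED = "locked"
    INPUT_LOCKED = "input locked"  # session still open, keyboard and mouse disabled

@dataclass
class Computer:
    name: str
    lock_mode: LockMode = LockMode.LOCK_SESSION
    fus_enabled: bool = False  # Fast User Switching option of this access point
    session: Session = Session.CLOSED
    user: str = None
    last_master_msg: float = 0.0

    def _lock_as_slave(self):
        """Slave-side locking: the configured lock mode decides what happens."""
        if self.session is not Session.OPEN:
            return  # closed or already locked: nothing to do
        if self.lock_mode is LockMode.LOCK_SESSION:
            self.session = Session.LOCKED
        elif self.lock_mode is LockMode.LOCK_INPUT:
            self.session = Session.INPUT_LOCKED  # DO_NOTHING keeps the session open

    def receive(self, order, user, now, as_master=False):
        """Apply an operation; orders incompatible with the current session are ignored."""
        self.last_master_msg = now
        locked = self.session in (Session.LOCKED, Session.INPUT_LOCKED)
        if order == "open":
            if self.session is Session.CLOSED:
                self.session, self.user = Session.OPEN, user
            elif locked and self.user != user and self.fus_enabled:
                self.session, self.user = Session.OPEN, user  # FUS takes over the session
        elif order == "lock":
            if as_master and self.session is Session.OPEN:
                self.session = Session.LOCKED  # the master always locks its own session
            elif not as_master:
                self._lock_as_slave()
        elif order == "unlock":
            if locked and self.user == user:
                self.session = Session.OPEN
        elif order == "close":
            self.session, self.user = Session.CLOSED, None

    def tick(self, now):
        """Periodic check on a slave: 30 s of silence from the master triggers the lock mode."""
        if self.session is Session.OPEN and now - self.last_master_msg > MASTER_TIMEOUT_S:
            self._lock_as_slave()

class Cluster:
    def __init__(self, computers):
        self.computers = {c.name: c for c in computers}

    def perform(self, on, order, user=None, now=0.0):
        """The computer `on` becomes master and the same order is sent to every slave."""
        self.computers[on].receive(order, user, now, as_master=True)
        for name, slave in self.computers.items():
            if name != on:
                slave.receive(order, user, now)

def demo():
    """Constructed scenario: four computers with different lock modes."""
    a, b = Computer("pc-a"), Computer("pc-b", lock_mode=LockMode.LOCK_INPUT)
    c, d = Computer("pc-c", lock_mode=LockMode.DO_NOTHING), Computer("pc-d", fus_enabled=True)
    cl, out = Cluster([a, b, c, d]), {}
    cl.perform("pc-a", "open", user="alice", now=0)
    out["open_propagated"] = (b.session, c.session, d.session)
    cl.perform("pc-a", "lock", user="alice", now=10)  # each slave applies its lock mode
    out["lock_modes"] = (a.session, b.session, c.session, d.session)
    cl.perform("pc-c", "open", user="bob", now=11)  # only the FUS-enabled slave switches user
    out["fus_takeover"] = (a.user, d.user)
    c.tick(now=42)  # 31 s of silence, but pc-c is set to "Do nothing"
    out["timeout_do_nothing"] = c.session
    cl.perform("pc-a", "unlock", user="alice", now=43)
    cl.perform("pc-a", "close", user="alice", now=44)
    out["all_closed"] = all(x.session is Session.CLOSED for x in (a, b, c, d))
    cl.perform("pc-b", "lock", user="alice", now=45)  # incompatible order: nothing locks
    out["lock_when_closed"] = b.session
    e = Computer("pc-e", lock_mode=LockMode.LOCK_INPUT)
    e.receive("open", "bob", now=100)
    e.tick(now=131)  # silent master: keyboard and mouse locked, session kept open
    out["timeout_lock_input"] = e.session
    return out
```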


6.5.2 Displaying Cluster Event Logs ("Events" Tab)


Subject
The Events tab allows you to display all the events that are directly or indirectly linked to the selected object, for a defined period (the last two days by default). This report contains both User action and administration log entries.
Restriction
The Events tab appears only if you have at least the following administration role:
- In classic administration mode: "Auditor".
- In advanced administration mode, your role must contain the following right: "Audit: Visualization".
For more details on administration roles, see Section 4, Managing Administrators.

Procedure
1. In the tree structure of the Directory panel, select the wanted Cluster.
2. Click the Events tab.
The Events tab appears.
3. In the Filter area, define a period of time to filter the log entries and click Apply (for more information on event logs, see Section 13, Managing Audit Events).

6.5.3 Renaming Clusters


Subject
This section describes how to rename a Cluster.
Before Starting
To perform the task described in this section, you must work in advanced administration mode, and your role must contain the following right: "Cluster: Creation/Modification".
For more details on administration roles, see Section 4, Managing Administrators.

Procedure
1. In the tree structure of the Directory panel, right-click the Cluster and select Rename.
2. In the Configuration tab, type the new name of the object and press Enter.


6.5.4 Deleting Clusters


Subject
This section describes how to delete Clusters.
Before Starting
To perform the task described in this section, you must work in advanced administration mode, and your role must contain the following right: "Cluster: Deletion".
For more information on administration modes, see Section 4, Managing Administrators.

Procedure
In the tree structure of the Directory panel, right-click the Cluster to delete and select Delete.
The Cluster is deleted.

6.6 Selecting a Domain Controller


Subject
When you modify an object in the directory, if the domain controller on which the modification is made is not the domain controller used by the user's workstation, the user has to wait for the replication to complete between all the domain controllers (for more information on domain controllers, see Section 1, Overview). In Enterprise SSO, this occurs for example when an administrator sets a new password on a user account. The new password itself is replicated immediately (a special feature of the Active Directory replication process). But for Enterprise SSO, the new password implies a new key for this user (computed from the password), which is used to cipher the SSO data of this user, and the replication of the modified SSO data follows the normal process, which can take hours to reach the user's site. The following procedure explains how to select a specific domain controller to work on.


Procedure
1. Click File | Select another LDAP server.
The domain controller selection window appears. By default, this window proposes the list of the domain controllers of the site on which the Enterprise SSO administration controller is located.
2. To add another domain controller, read the displayed instructions and click the Search button.
If you have entered a computer or server name in the Server or computer name text box, all the domain controllers matching the search criteria are listed. If a computer name matches the search, all the domain controllers of the computer's site are listed.
3. Select the domain controller you want to work on and click the Select button.
The new domain controller is then used for all the administration tasks, until you close the Enterprise SSO Console or select another controller.


7. Managing Smart Cards


Subject
This section describes all the administration tasks related to smart card management. It focuses for the most part on how to use the smart card administration module, which can be displayed using the Smart Card button of the navigation bar. This module allows you to assign smart cards to users, format smart cards, display information on a specific smart card and much more. As "Smart card administrator", you will assign smart cards and frequently change their states, as shown in the following diagram:

[Diagram: smart card states and transitions. States: Blank Smart Card, Assigned Smart Card, Smart Card Locked, Smart Card Blacklisted. Transitions: Assignment (Blank Smart Card to Assigned Smart Card); Locking and Unlocking (between Assigned Smart Card and Smart Card Locked); Blacklisting (from Assigned Smart Card or Smart Card Locked to Smart Card Blacklisted); Formatting (from any of the three other states back to Blank Smart Card).]

Before Starting
If you use a smart card to perform your administration tasks, all tasks described in this section require you to be "Smart card manager" (this right is granted at card assignation time, in the Administration tab).


Interface Design
Depending on your administration profile, you can manage smart cards through the following panels of the Enterprise SSO Console interface. For more information on administration modes, see Section 4, Managing Administrators.

In classic administration mode:
- If you just have the "Smart card administrator" role, then you only have access to the Smart Card panel.
- If you have the "Smart card administrator" role and at least one of the following roles: "Security object administrator" or "Access administrator" or "Rights administrator", then you have access to the Directory panel and can also use it to manage smart cards.

In advanced administration mode:
- If you just have the "Token: <right name>" administration right, then you only have access to the Smart Card panel.
- If you have the "Token: <corresponding right>" and "Directory: Browsing" administration rights, then you have access to the Directory panel and can also use it to manage smart cards.

Depending on the panel used to manage smart cards, procedures are different. Moreover, you can carry out some tasks from either of these two panels, as described in the following table:

IF YOU WANT TO ... | USE THE ...
Assign a smart card to a specific user | Directory panel
Assign smart cards to many users | Smart Card panel
Format smart cards | Smart Card panel
Unlock smart cards | Directory or Smart Card panel
Disable/Enable smart cards of a user | Directory or Smart Card panel
Send smart cards to a blacklist | Directory or Smart Card panel
Force a new PIN | Smart Card panel
Extend the validity of a smart card | Smart Card panel
Lend a smart card | Directory panel
Return a lent card | Smart Card or Directory panel
Find the owner of a smart card | Smart Card panel
Display the list of supported smart cards | Smart Card panel
Manage smart card configuration profiles | Smart Card panel
Manage smart card authentication parameters | Directory panel
Manage smart card batches | Directory panel

7.1 Assigning Smart Cards to Users


You can assign smart cards in two ways: user by user or by batch. To know how to assign smart cards by batch, see Section 7.1.1, Assigning Smart Cards to Many Users. To know how to assign smart cards user by user, see Section 7.1.2, Assigning a Smart Card to a User.

7.1.1 Assigning Smart Cards to Many Users


Subject
This section describes how to assign smart cards by batch. For information on how to assign smart cards user by user, see Section 7.1.2, Assigning a Smart Card to a User.
Before Starting
Check that you meet the following requirements:
- To perform the task described in this section, you must have at least the following administration role:
  - In classic administration mode: "Smart card administrator".
  - In advanced administration mode, your role must contain the following right: "Token: Assignment".
- If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.
- You must have as many blank smart cards as the number of users requiring smart cards, and at least two smart card readers.

Procedure
1. In the Smart Card panel, click the button located in the toolbar.
The user selection window appears.
2. Click the Add button and, in the displayed window, select the wanted users.
You can select an Organizational Unit to add all the users registered in this OU. The users are listed in the Selected users area.
3. Click Assign.
The smart card assignment window appears.
4. Insert the smart card of the corresponding user in a smart card reader, fill in this window as follows, and then click OK:
a) In the Smart card area, select the smart card to assign.
b) In the Configuration area, select a card model:
- Advanced Login and Advanced Login Smart Card Storage: these models generate a card that can be used with the Enterprise SSO software modules. It is mandatory to select this card model if you want to store the user's authentication data on the token. For more information, see Section 7.1.3, Assigning a new Smart Card Allowing a User to log on a Workstation which is Disconnected from the Directory. It is recommended to select this card model if the card is only used with Enterprise SSO software modules, and if certificates are not used.
- Windows Smartlogon Compatible (you cannot apply this model using Windows Remote Desktop): this model generates a card that can be used with standard Windows authentication. It manages a single certificate, which is the smart card authentication certificate. It is not compatible with the two Advanced Login models.
- Cryptoflex IK Compatible (you cannot apply this model using Windows Remote Desktop): this configuration generates a card that can be used with standard Windows authentication, in conjunction with IK software from Schlumberger/Axalto. This configuration loads the authentication certificate and allows two further certificates to be imported from PFX/PKCS#12 files. Cards generated using this model cannot be used on workstations that do not have the IK software.
It is also possible to create customized smart card models if you have specific requirements. Contact your Quest representative for further information.

c)
The smart card assignment properties window appears.
5. Fill in this window and click OK.
The smart card is assigned to the user, and then the smart card allocation window appears again.
6. Repeat Steps 4 and 5 for each selected user.

7.1.2 Assigning a Smart Card to a User


Subject
This section describes how to assign a smart card to a single user. For information on how to assign smart cards by batch, see Section 7.1.1, Assigning Smart Cards to Many Users.
Before Starting
Check that you meet the following requirements:
- To perform the task described in this section, you must have at least the following administration roles:
  - In classic administration mode: "Smart card administrator" and at least one of the following roles: "Security object administrator" or "Access administrator" or "Rights administrator".
  - In advanced administration mode, your role must contain the following rights: "Token: Assignment" and "Directory: Browsing".
- If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.
- You must have at least one blank smart card and two smart card readers.

Procedure
1. In the tree structure of the Directory panel, click the user to whom you want to assign a smart card.
2. In the Smart Card tab, click the Assign button.
The smart card assignment window appears.
3. Insert the smart card of the corresponding user in a smart card reader, fill in this window as follows, and then click OK:
a) In the Smart card area, select the smart card to assign.
b) In the Configuration area, select a card model:
- Advanced Login and Advanced Login Smart Card Storage: these models generate a card that can be used with the Enterprise SSO software modules. It is mandatory to select this card model if you want to store the user's authentication data on the token. For more information, see Section 7.1.3, Assigning a new Smart Card Allowing a User to log on a Workstation which is Disconnected from the Directory. It is recommended to select this card model if the card is only used with Enterprise SSO software modules, and if certificates are not used.
- Windows Smartlogon Compatible (you cannot apply this model using Windows Remote Desktop): this model generates a card that can be used with standard Windows authentication. It manages a single certificate, which is the smart card authentication certificate. It is not compatible with the two Advanced Login models.
- Cryptoflex IK Compatible (you cannot apply this model using Windows Remote Desktop): this configuration generates a card that can be used with standard Windows authentication, in conjunction with IK software from Schlumberger/Axalto. This configuration loads the authentication certificate and allows two further certificates to be imported from PFX/PKCS#12 files. Cards generated using this model cannot be used on workstations that do not have the IK software.
It is also possible to create customized smart card models if you have specific requirements. Contact your Quest representative for further information.

c)
The smart card assignment properties window appears.
4. Fill in this window and click OK.
The smart card is assigned to the user.

7.1.3 Assigning a new Smart Card Allowing a User to log on a Workstation which is Disconnected from the Directory
Subject
The following procedure describes how to allow a user who uses his/her smart card for the first time to log on to a workstation that is disconnected from the LDAP directory.
Procedure
1. You must apply the Advanced Login Smart Card Storage model when you assign the smart card.
2. (Optional) Depending on your security policy, check that the Application Security Profiles associated with the applications used by this user have the option Credential storage: on Token selected.


7.2 Formatting Smart Cards


Subject
Formatting smart cards allows you to reinitialize them. Indeed, when a card is assigned to a user, its data is customized depending on the directory where the user is registered. Thus, it can only be used on this directory. If you want to use the card on another directory, it must be reformatted.
Likewise, any reset of the smart card base from the security module calls for all the cards to be reformatted first, otherwise they will be lost.

Restriction
If you want to format a blacklisted smart card, you can only do it with Cryptoflex cards. It is impossible to format a blacklisted card used in PKCS#11.
Before Starting
Check that you meet the following requirements:
- To perform the task described in this section, you must have at least the following administration role:
  - In classic administration mode: "Smart card administrator".
  - In advanced administration mode, your role must contain the following right: "Token: Formatting".
- If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.
- You must have at least two smart card readers.

Procedure
1. In the Smart Card panel, click the button located in the toolbar.
The smart card formatting window appears.
2. If necessary, insert the smart card to format in the smart card reader and click Format.
A confirmation window appears.
3. Validate.
The smart card is formatted.


7.3 Forcing a New PIN


Subject
You can force a new PIN to unlock the smart card of a user who has lost his/her code or exceeded the maximum number of login attempts.
Before Starting
Check that you meet the following requirements:
- To perform the task described in this section, you must have at least the following administration role:
  - In classic administration mode: "Smart card administrator".
  - In advanced administration mode, your role must contain the following right: "Token: Force PIN".
- If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.
- You must have at least two smart card readers.

Procedure
1. In the Smart Card panel, click the button located in the toolbar.
The Force PIN window appears.
2. If necessary, insert the wanted smart card in the smart card reader.
3. Either click Generate to create a random new PIN, or enter it manually in the New PIN Code field.
4. Click Force.
The PIN is changed.


7.4 Disabling Temporarily Smart Cards


When you need to momentarily deactivate a smart card (for example when a user loses his/her smart card), you must disable the smart card. This function deactivates a smart card but does not delete its assignment.

7.4.1 Disabling Temporarily Smart Cards from the Smart Card Panel
Subject
This section describes how to enable/disable smart cards from the Smart Card panel. For information on how to enable/disable smart cards from the Directory panel, see Section 7.4.2, Disabling Smart Cards of a User from the Directory Panel.
Before Starting
To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: "Smart card administrator".
- In advanced administration mode, your role must contain the following right: "Token: Modification".
If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

Procedure
1. In the Smart Card panel, click the Reports tab.
2. In the displayed window, filter if needed the smart cards to display and click Apply.
3. Select the wanted smart card and click Disable.
The smart card is disabled.

7.4.2 Disabling Smart Cards of a User from the Directory Panel


Subject
This section describes how to enable/disable smart cards from the Directory panel. For information on how to enable/disable smart cards from the Smart Card panel, see Section 7.4.1, Disabling Temporarily Smart Cards from the Smart Card Panel.
Before Starting
To perform the task described in this section, you must have at least the following administration roles:
- In classic administration mode: "Smart card administrator" and at least one of the following roles: "Security object administrator" or "Access administrator" or "Rights administrator".
- In advanced administration mode, your role must contain the following rights: "Token: Modification" and "Directory: Browsing".
If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

Procedure
1. In the tree structure of the Directory panel, click the user whose smart card you want to disable.
2. In the Smart Card tab, click the Disable button.
The smart card is disabled.

7.5 Unlocking Smart Cards


If the user exceeds the maximum number of attempts authorized to enter his/her PIN, then his/her smart card is locked. You must then unlock the smart card by using an unlocking secret code that you give to the user, so that he/she can use the smart card again without changing the PIN:

[Diagram: Management of the Smart Card PIN Status. The cycle is: the smart card operates correctly; the user exceeds the maximum number of attempts authorized for PIN code entry; the card PIN code is marked as locked in the directory; the administrator enters an unlocking code on the console; the administrator has entered a card unlocking secret code; the user uses the unlocking secret code; the smart card operates correctly again.]

The following sections describe the two ways to unlock smart cards: from the Directory panel and from the Smart Card panel.

7.5.1 Unlocking Smart Cards from the Smart Card Panel


Subject This section describes how to unlock smart cards from the Smart Card panel. For information on how to unlock smart cards from the Directory panel, see Section 7.5.2, Unlocking Smart Cards from the Directory Panel.

Administrator Guide

Before Starting To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Smart card administrator". In advanced administration mode, your role must contain the following right: "Token: Modification".

If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

Procedure
1. In the Smart Card panel, click the Manage tab.
   The smart card management tab appears.
2. In the Management of locked smart cards area, to check that the number of locked smart cards is up to date, click Refresh.
3. Click Manage.
   The blocked smart card management window appears.
4. Select the wanted smart card and click Unblock.
5. In the displayed window, enter the secret code that you will give to the user and validate.
   The secret code appears in the Unblocking Secret column.
6. You can now give this secret code to the user so that he/she can use it to unlock his/her smart card.

7.5.2 Unlocking Smart Cards from the Directory Panel


Subject This section describes how to unlock smart cards from the Directory panel. For information on how to unlock smart cards from the Smart Card panel, see Section 7.5.1, Unlocking Smart Cards from the Smart Card Panel. Before Starting To perform the task described in this section, you must have at least the following administration roles:
In classic administration mode: "Smart card administrator" and at least, one of the following roles: "Security object administrator" or "Access administrator" or "Rights administrator". In advanced administration mode, your role must contain the following rights: "Token: Modification" and "Directory: Browsing".

If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

Procedure
1. In the tree structure of the Directory panel, click the user for which you want to unlock a smart card.
2. In the Smart Card tab, click the Unblock button.
3. In the displayed window, enter the secret code that you will give to the user and validate.
4. You can now give this secret code to the user so that he/she can use it to unlock his/her smart card.

7.5.3 Defining Contact Information


Subject By default, when the end user locks his/her smart card, an information message appears telling him/her to contact the administrator. You can complete this message with more details on the contact, as described in the following procedure:


Procedure
1. In the File menu, click Configuration.
   The configuration window appears.
2. Fill in the General tab with any contact information useful to the end user (such as the name, phone number or e-mail address of the administrator).
3. Click OK.
The information message is completed with the following line: "Your contact is <information you entered in the General tab>".

7.6 Sending Smart Cards to a Blacklist


The blacklisting of a smart card is an irreversible step which indicates that the smart card is permanently lost.
A blacklisted smart card cannot be reactivated and must be reformatted before it can be used again (smart cards used in PKCS#11 cannot be reformatted after having been blacklisted; you can only reformat Cryptoflex blacklisted cards).

7.6.1 Sending Smart Cards to a Blacklist from the Smart Card Panel
Subject This section describes how to blacklist smart cards from the Smart Card panel. For information on how to blacklist smart cards from the Directory panel, see Section 7.6.2, Sending Smart Cards to a Blacklist from the Directory Panel. Before Starting To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Smart card administrator". In advanced administration mode, your role must contain the following right: "Token: Blacklist".

If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

Procedure
1. In the Smart Card panel, click the Reports tab.
2. In the displayed window, filter the smart cards to display if needed and click Apply.
3. Select the wanted smart card and click Blacklist.
   A confirmation window appears.
4. Validate.
The smart card is blacklisted.


7.6.2 Sending Smart Cards to a Blacklist from the Directory Panel


Subject This section describes how to blacklist smart cards from the Directory panel. For information on how to blacklist smart cards from the Smart Card panel, see Section 7.6.1, Sending Smart Cards to a Blacklist from the Smart Card Panel. Before Starting To perform the task described in this section, you must have at least the following administration roles:
In classic administration mode: "Smart card administrator" and at least, one of the following roles: "Security object administrator" or "Access administrator" or "Rights administrator". In advanced administration mode, your role must contain the following rights: "Token: Blacklist" and "Directory: Browsing".

If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

Procedure
1. In the tree structure of the Directory panel, click the user for which you want to blacklist a smart card.
2. Select the smart card to blacklist and click the Blacklist button.
   A confirmation window appears.
3. Validate.
The smart card is revoked. You can click the Revocation tab to display more information on the date and the administrator who performed this operation.

7.7 Extending the Validity of a Smart Card


Subject Once the expiry date of a smart card has passed, the card can no longer be used. This section describes how to extend the validity of smart cards.
If you cannot extend the validity of a smart card, it must be sent to a blacklist, as described in Section 7.6, Sending Smart Cards to a Blacklist.

Before Starting To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Smart card administrator". In advanced administration mode, your role must contain the following right: "Token: Modification".

If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.


Procedure
1. In the Smart Card panel, click the Manage tab.
   The smart card management window appears.
2. In the Management of expired smart cards area, to check that the displayed number of smart cards is up to date, click Refresh.
3. Click Manage.
   The expired smart card management window appears.
4. Select the wanted smart card and click Change.
5. In the displayed window, select the new validity date of the smart card and validate.
   The new expiry date appears in the Expiry Date column.
6. Contact the smart card owner to inform him/her that his/her smart card is active again.


7.8 Displaying Smart Card Properties


Subject
The Smart Card panel allows you to identify a smart card and retrieve the following information:
- Owner.
- Token type (principal or temporary).
- Card status.
- Card PIN status.
- Token class.
- Token serial number.
- The configuration used to customize the token.

Before Starting Check that you meet the following requirements: To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Smart card administrator". In advanced administration mode, your role must at least contain the following right: "Token: Modification".

If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section. You must have the smart card to identify and at least two smart card readers.

Procedure
1. In the Smart Card panel, click the button located in the toolbar.
   The smart card properties window appears.
2. If necessary, insert the smart card in the smart card reader, and select the corresponding smart card reader in the list box.
   The properties of the smart card appear, as in the following example:


If you have sufficient administration rights, you can click the button to display the Smart Card tab of the corresponding user in the Directory panel.

7.9 Displaying the List of Supported Smart Cards


Subject The different smart card types that can be supported by the solution are defined upon the installation of the Enterprise SSO controller. This information is stored in an XML configuration file.
This module is for information only. You can display the XML configuration file used to extract this information. For more details, see Section 14, Customizing Configuration Files.

Before Starting To perform the task described in this section, you must have at least the following administration role: In classic administration mode: "Smart card administrator". In advanced administration mode, if you use a smart card to perform your administration tasks you only need to be "Smart card manager" (this right is granted at card assignation time, in the Administration tab).


Procedure In the Smart Card panel, click the Information tab. The smart card information tab appears.

7.10 Managing Smart Card Configuration Profiles


You can use smart card configuration profiles to define the default values proposed upon the allocation of smart cards to users.

7.10.1 Creating / Modifying Configuration Profiles


Before Starting To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Smart card administrator". In advanced administration mode, your role must contain the following right: "Token configuration: Creation/Modification".

If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

Procedures

Creating Configuration Profiles
1. In the Smart Card panel, click the Configuration tab.
2. In the Smart card type drop-down list box, select a type of smart card.
   The existing smart card configuration profiles appear in the Configurations area.
3. Click New.
   A new entry appears in the Configurations area.
4. Type a name for this new profile, and fill in the Global, Personalization, Temporary Card and PIN Format tabs.
   These tabs allow you to set:
   - The PIN renewal period (default value 300 days): once this time has elapsed, the user must enter a new PIN number for authentication purposes.
   - Default PIN number: this value will be used when assigning the token.
   - PIN number change on next login: this value is the default value used when the token is assigned with this profile.
   - The number of attempts to enter the correct PIN before the card is locked: this value is used during the customizing of the card. It cannot be changed subsequently without reformatting the token.
   - An expiry date (number of days after the assignment) for the token: this expiry date can be changed after customization.
   - The default values used during the assignment of a loan card (number of days before the loan card expires, behavior of the main card if it is handed over when the user has a loan card).
   - A PIN format policy, which defines the PIN requirements. The default PIN number must comply with these requirements.
5. Click Apply.
   The new configuration profile is created.

Modifying Configuration Profiles
1. In the Smart Card panel, click the Configuration tab.
2. In the Smart card type drop-down list box, select a type of smart card.
   The existing smart card configuration profiles appear in the Configurations area.
3. Select a configuration profile, and fill in the Global, Personalization, Temporary Card and PIN Format tabs.
4. Click Apply.
   The default values proposed upon the allocation of a smart card using this configuration profile are modified.

7.10.2 Renaming Configuration Profiles


Before Starting To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Smart card administrator". In advanced administration mode, your role must contain the following right: "Token configuration: Creation/Modification".

If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.


Procedure
1. In the Smart Card panel, click the Configuration tab.
2. In the Smart card type drop-down list box, select a type of smart card.
   The existing smart card configuration profiles appear in the Configurations area.
3. Select a configuration profile and click Rename.
4. Type the new name of the object and press Enter.

7.10.3 Deleting Configuration Profiles


Before Starting To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Smart card administrator". In advanced administration mode, your role must contain the following right: "Token configuration: Deletion".

If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

Procedure
1. In the Smart Card panel, click the Configuration tab.
2. In the Smart card type drop-down list box, select a type of smart card.
   The existing smart card configuration profiles appear in the Configurations area.
3. Select a configuration profile and click Remove.

7.11 Managing Loan Cards


7.11.1 Assigning a Loan Card to a User
Subject When a user has forgotten his authentication smart card, you can assign him/her a loan card. In this case, the principal card of the user is deactivated: a user can only have one token active at the same time.
If the principal smart card has just been reformatted or blacklisted, the loan card becomes the principal card.

Before Starting Check that you meet the following requirements: To perform the task described in this section, you must have at least the following administration roles:
In classic administration mode: "Smart card administrator" and at least, one of the following roles: "Security object administrator" or "Access administrator" or "Rights administrator".
In advanced administration mode, your role must contain the following rights: "Token: Lending" and "Directory: Browsing".

If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section. You must have at least one blank smart card and two smart card readers.

Procedure
1. In the tree structure of the Directory panel, click the user for which you want to loan a smart card.
2. In the Smart Card tab, click Lend.
   The smart card allocation window appears.
3. Fill in this window as described in Section 7.1.2, Assigning a Smart Card to a User.
   The loan card appears as Enabled and the principal card state changes to Temporary replaced.

7.11.2 Returning Loan Cards


When a user retrieves his/her principal smart card, you must return the loan card and unlock the principal smart card, as described in the following procedure.

7.11.2.1 Returning Loan Cards from the Directory Panel


Before Starting To perform the task described in this section, you must have at least the following administration roles:
In classic administration mode: "Smart card administrator" and at least one of the following roles: "Security object administrator", "Access administrator" or "Rights administrator". In advanced administration mode, your role must contain the following rights: "Token: Lending" and "Directory: Browsing".

If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

Procedure
1. In the tree structure of the Directory panel, click the user for which you want to return a loan card.
2. In the Smart Card tab, select the loan card to return and click Return.
   The Format window appears.
3. Fill in the format window as described in Section 7.2, Formatting Smart Cards.
   Once the smart card is formatted, the loan card state switches to Old card and the principal card becomes Enabled. The user can authenticate using his/her principal card again.


7.11.2.2 Returning a Loan Card from the Smart Card Panel


Before Starting To perform the task described in this section, you must have at least the following administration role:
In classic administration mode: "Smart card administrator". In advanced administration mode, your role must contain the following right: "Token: Lending".

If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

Procedure
1. In the Smart Card panel, click the Reports tab.
   The Reports tab appears.
2. Set the Filter Type to temporary and click Apply.
   The list of temporary smart card owners appears.
3. Select the smart card to return and click Return.
   The Format window appears.
4. Fill in the format window as described in Section 7.2, Formatting Smart Cards.
   Once the smart card is formatted, the loan card state switches to Old card and the principal card becomes Enabled. The user can authenticate using his/her principal card again.


7.12 Managing Smart Card's Authentication Parameters


Subject
You can change the authentication parameters of a smart card. Through the Directory panel, you can configure dynamically:
- Whether the smart card PIN number must be changed on the next login.
- The smart card expiry date.
- The principal smart card behavior, if a loan card is in use.

Before Starting
To perform the task described in this section, you must have at least the following administration roles:
In classic administration mode: "Smart card administrator" and at least one of the following roles: "Security object administrator", "Access administrator" or "Rights administrator".
In advanced administration mode, your role must contain the following rights: "Token: Modification" and "Directory: Browsing".

If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

Procedure
1. In the tree structure of the Directory panel, click the user for which you want to change the smart card authentication parameters.
2. In the Smart Card tab, select the wanted smart card.
3. In the Management area of the Information tab, select/clear the check boxes depending on your requirements, to change the PIN on next connection, to change the smart card expiry date, and to enable/disable the automatic unlocking of principal smart cards when the user authenticates using a loan card, as in the following example:


The Automatically re-enable main card when next presented check box is available only if you have selected a loan card.

7.13 Managing Batches of Smart Cards


The smart card batch feature allows you to perform the following operations:
- Entering stocks of blank smart cards (smart cards which are not assigned).
- Limiting smart card assignment to those which are declared in stock.
- Displaying the following information:
  - Number of smart cards kept available in stock and not assigned yet.
  - Number of smart cards that are assigned or lent to users.
  - Number of blacklisted smart cards.

7.13.1 Defining a Stock of Tokens


Subject This section explains how to register a stock of blank smart cards. Once you have registered a stock, you can compare it with the actual assigned/lent/blacklisted or unused tokens corresponding to the entered stock, so that it gives you the state of the stock: see Section 7.13.2, Displaying Information on Stocks.


Before Starting To be able to define a stock of tokens, you must have at least the following administration role:
In classic administration mode: "Security object administrator" role. In advanced administration mode, your role must contain the following rights: "Batch of cards: Creation/Modification", "Batch of cards: Deletion" and "Directory: Browsing".

If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section. A smart card can be assigned to one stock only.

Procedure
1. In the directory tree, select the tree or the container for which you want to define a stock, and click the Batches of cards tab.
   The Batches of cards tab appears.
2. Do one of the following, depending on the action you want to perform:
   - To add a stock of tokens, click the Add button.
   - To modify an existing stock of smart cards, click the smart card stock and click Edit.
   The detail window appears.
3. Fill in the window with the following instructions:
   - Name: the label you want to use for the stock.
   - Class: the type of tokens that make up the stock.
   - Number of tokens: the quantity of tokens in the stock.
   - First/Last serial number: the identification of the smart card stock. If you do not know the serial numbers, type 0000000000000000 for the first number and FFFFFFFFFFFFFFFF for the last number: in this case, there is one token stock per token type.
   - Administrators allowed to assign tokens from this batch area: an empty list means that all the administrators are allowed to assign tokens from the batch.

7.13.2 Displaying Information on Stocks


Subject
The following procedure explains how to display the list of smart card stocks that have already been defined, and how to display the following information about a stock:
- Name of the stock.
- Number of tokens in the stock.
- Number of assigned tokens.
- Number of lent tokens.
- Number of blacklisted tokens.
- Number of unused tokens.

Procedure
1. In the directory tree, select the tree or the container for which you want to define a stock, and click the Batches of Cards tab.
   The Batches of Cards tab appears. This window lists the stocks of smart cards that have already been defined.
2. If you are authorized to administer several domains: in the Domain list, select the domain for which you want to display the defined stocks.
   The list of stocks for the selected domain is displayed.
3. Click the smart card stock(s) for which you want to see the state and click State.
   The state window appears and displays information about the selected stock(s).

7.13.3 Forcing the Use of Smart Cards Defined in the Batch


Subject
If you force the use of the tokens that are defined in the batch, the Enterprise SSO controller checks at assignation time whether the token is present in the batch. If it is not, the token cannot be assigned.

Before Starting
To perform the task described in this section, you must be a super administrator.

Procedure
1. In the File menu, click Configuration.
2. In the displayed window, click the Batches of Cards tab.
   The Batches of Cards tab appears.
3. Select the Administrator can assign tokens only from authorized batches check box to force the use of smart cards defined in the batch.
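The stock rules of Sections 7.13.1 to 7.13.3 (serial-number range, the wildcard range giving one stock per token type, the empty administrator list, the "only from authorized batches" setting, and the assigned/lent/blacklisted/unused counts of the State window) as an added Python example; this is not code from the Enterprise SSO product, and the serial comparison, token states and sample stocks are assumptions constructed for the example.

```python
"""Added example modelling the Batches of cards rules of Section 7.13.
Not Enterprise SSO product code: serial comparison, token states and the
sample stocks below are assumptions made for this illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Wildcard range from the guide: used when the serial numbers of a stock
# are unknown, in which case there is one stock per token type.
WILDCARD_FIRST = "0000000000000000"
WILDCARD_LAST = "FFFFFFFFFFFFFFFF"


@dataclass
class Batch:
    """One stock of tokens as entered in the Batches of cards tab."""
    name: str
    token_class: str
    number_of_tokens: int
    first_serial: str
    last_serial: str
    # Empty list: all administrators may assign tokens from this batch.
    allowed_admins: List[str] = field(default_factory=list)

    def contains(self, token_class: str, serial: str) -> bool:
        """True if the token's class matches and its serial lies within
        [first, last]. Assumption: serials are 16 hex digits compared as
        unsigned integers, so the wildcard range matches every serial."""
        if token_class != self.token_class:
            return False
        value = int(serial, 16)
        return int(self.first_serial, 16) <= value <= int(self.last_serial, 16)

    def admin_allowed(self, admin: str) -> bool:
        return not self.allowed_admins or admin in self.allowed_admins


@dataclass
class Token:
    token_class: str
    serial: str
    state: str  # constructed states: "assigned", "lent" or "blacklisted"


def find_batch(batches: List[Batch], token_class: str, serial: str) -> Optional[Batch]:
    """Return the batch a token belongs to. The guide states that a card
    can be assigned to one stock only, so the first match is taken."""
    for batch in batches:
        if batch.contains(token_class, serial):
            return batch
    return None


def can_assign(batches: List[Batch], force_batches: bool, admin: str,
               token_class: str, serial: str) -> Tuple[bool, str]:
    """Decide whether an administrator may assign the token.

    force_batches mirrors the "Administrator can assign tokens only from
    authorized batches" check box of Section 7.13.3: when set, a token that
    is not declared in any batch cannot be assigned."""
    batch = find_batch(batches, token_class, serial)
    if batch is None:
        if force_batches:
            return False, "token is not declared in any batch"
        return True, "no batch check: the setting is cleared"
    if not batch.admin_allowed(admin):
        return False, f"{admin} is not allowed to assign tokens from batch {batch.name}"
    return True, f"token assigned from batch {batch.name}"


def stock_state(batch: Batch, tokens: List[Token]) -> Dict[str, int]:
    """Counts shown by the State window of Section 7.13.2: tokens that are
    assigned, lent or blacklisted, and the remaining unused tokens."""
    counts = {"assigned": 0, "lent": 0, "blacklisted": 0}
    for token in tokens:
        if batch.contains(token.token_class, token.serial) and token.state in counts:
            counts[token.state] += 1
    used = sum(counts.values())
    counts["unused"] = max(batch.number_of_tokens - used, 0)
    return counts


# Constructed sample data (not real stocks or serial numbers).
BATCHES = [
    Batch("HR-cards", "Cryptoflex", 50, "0000000000001000", "00000000000010FF", ["alice"]),
    Batch("All-PKCS11", "PKCS#11", 200, WILDCARD_FIRST, WILDCARD_LAST),
]
TOKENS = [
    Token("Cryptoflex", "0000000000001001", "assigned"),
    Token("Cryptoflex", "0000000000001002", "lent"),
    Token("Cryptoflex", "0000000000001003", "blacklisted"),
    Token("PKCS#11", "0000000000ABCDEF", "assigned"),
]

if __name__ == "__main__":
    for admin, cls, serial in [("alice", "Cryptoflex", "0000000000001010"),
                               ("bob", "Cryptoflex", "0000000000001010"),
                               ("bob", "Cryptoflex", "0000000000002000")]:
        print(admin, cls, serial, can_assign(BATCHES, True, admin, cls, serial))
    print(stock_state(BATCHES[0], TOKENS))
```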


8. Managing SA Server Devices


Subject
Enterprise SSO Console allows you to manage the Gemalto Strong Authentication Server as follows:
- SA Server user management: user creation and update.
- OATH device management: update.
- User-device linking management.
Enterprise SSO does not manage SA Server policies, keys and roles.

Authentication Mechanism
The Gemalto Strong Authentication requires two independent ways to establish identity:
- A static password, which is associated with a user ID.
- An OTP (One-Time Password), which is obtained from the OATH device.

In SA Server, the user ID and the device are linked together for a specified user, and both are required to authenticate. This link between User ID and device is managed from Enterprise SSO Console and does not require the SA Server administration portal. Each Enterprise SSO user corresponds to a specified User ID, and only one device may be assigned to this user. The SA Server can be accessed over HTTPS as a security measure.

8.1 Configuring Enterprise SSO for SA Server Management


Subject
This section explains how to set the SA Server connection and configuration parameters.

Before Starting
- The SA Server must be installed on a machine (to know how to install SA Server, refer to the Gemalto documentation).
- You must have the Enterprise SSO SA Server license (SASRV).

8.1.1 Configuring SA Server Connection


Procedure
1. In Enterprise SSO Console, click File/Configuration and select the SA Server Hosts tab.
2. Fill in the Host description area with the instructions given in the following "SA Server Hosts" Tab Description section.
3. Click the Add to Host List button to add the server to the list of SA Servers managed by Enterprise SSO.
4. Perform steps 2 and 3 again for each server you want to connect to Enterprise SSO.
5. Manage the host connection order by clicking the Up and Down buttons in the Hosts area.
6. Click OK.
The SA Server(s) are connected to Enterprise SSO.

"SA Server Hosts" Tab Description

Hosts area
This area displays the SA Server hosts that are connected to Enterprise SSO.
- Up/Down buttons: these buttons allow you to define the host connection order. If the first host does not respond, Enterprise SSO connects to the following one.
- Edit button: edits the selected host for modification in the Host description area.
- Remove button: removes the selected host.

Host description area
- Server URL/Port fields: SA Server URL and used port. The SA Server URL must be entered with the following syntax: <SA Server host name>/<SA Server base folder>. Example: 123.456.78.912/saserver. If you do not enter a port number, the default one will be used.
- Proxy URL/Port fields: proxy URL and port, if necessary.
- Connect to the server using SSL check box: enables the HTTPS connection (this option depends on the SA Server installation).
- Check Host Validity button: checks the connection to the entered host and displays a confirmation message if the connection succeeds.
- Add to Host List button: adds the entered host URL to the host list in the Hosts area.

8.1.2 Configuring the SA Server Device Management


Subject
Configuration parameters are available for all SA Servers declared in the SA Server Hosts tab.

Procedure
1. In Enterprise SSO Console, click File/Configuration and select the SA Server Configuration tab.
2. Fill in the tab with the instructions given in the following "SA Server Configuration" Tab Description section.
3. Click OK.
The SA Server is configured.


"SA Server Configuration" Tab Description

Administrator parameters area
User ID and password of an SA Server administrator who is allowed to manage devices and users. This user must be created in SA Server (at installation time, for example) and must have an "admin" role.

Security questions to answer in case of loss of device area
The two questions required here are asked when a user loses his device. Correct answers provide a list of OTPs.

SA Server mode area
The mode in which SA Server has been installed (see the Gemalto SA Server documentation for more details).

Action on device formatting area
Action to perform on SA Server devices when they are formatted from Enterprise SSO Console:
- Initialize: the device can be used again.
- Revoke: the device cannot be used anymore (irreversible).


User ID rule field
Each user to whom an SA Server device is assigned has his own user ID in SA Server. This rule allows you to choose the User ID syntax, built from the LDAP attributes you choose. Example: if the User ID rule is (givenName).(sn), the user whose givenName is "John" and whose sn is "Smith" gets "John.Smith" as associated User ID. The default rule is "displayName"; it is applied even if no rule is set.
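How a User ID rule such as (givenName).(sn) is applied to a user's LDAP attributes, as an added Python example rather than the console's own implementation; it assumes that an attribute name in parentheses is replaced by the user's value, that other characters are copied literally, and that a bare attribute name (the default "displayName") is a valid rule.

```python
"""Added example, not Enterprise SSO product code: applies an SA Server
User ID rule to a user's LDAP attributes. Rule syntax is an assumption:
"(attr)" is replaced by the attribute value, anything else is literal."""
import re
from typing import Dict

# Default rule stated in the guide; applied when no rule is set.
DEFAULT_RULE = "displayName"

# An LDAP attribute name in parentheses, e.g. "(givenName)".
_ATTR_REF = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)\)")


def _attribute(attributes: Dict[str, str], name: str, rule: str) -> str:
    """Look up one attribute; LDAP attribute names are case-insensitive."""
    for key, value in attributes.items():
        if key.lower() == name.lower():
            return value
    # A user missing an attribute named by the rule cannot get a User ID.
    raise KeyError(f"user has no attribute {name!r} required by rule {rule!r}")


def build_user_id(rule: str, attributes: Dict[str, str]) -> str:
    """Return the SA Server User ID produced by applying `rule` to the
    user's LDAP attributes (e.g. "(givenName).(sn)" -> "John.Smith")."""
    if not rule or not rule.strip():
        rule = DEFAULT_RULE
    if "(" not in rule:
        # A bare attribute name such as the default "displayName".
        return _attribute(attributes, rule.strip(), rule)
    return _ATTR_REF.sub(lambda m: _attribute(attributes, m.group(1), rule), rule)


# Constructed sample user, following the guide's "John"/"Smith" example.
JOHN = {"givenName": "John", "sn": "Smith", "displayName": "John Smith"}

if __name__ == "__main__":
    print(build_user_id("(givenName).(sn)", JOHN))  # John.Smith
    print(build_user_id("", JOHN))                  # John Smith
```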

Action on device blacklisting area Action to perform on SA Server devices when they are blacklisted from Enterprise SSO Console:
Initialize: the device can be used again. Revoke: the device cannot be used anymore (irreversible).

8.2 Managing SA Server Devices


Subject In Enterprise SSO Console, you can manage SA Server devices as smart cards. The device ID associated with each SA Server device is saved in the directory, and allows Enterprise SSO Console to detect whether the device is a device registered in SA Server. Before Starting SA Server must be configured in Enterprise SSO, as explained in Section 8.1, Configuring Enterprise SSO for SA Server Management. All devices must be provisioned in SA Server by the SA Server administrator.

8.2.1 Assigning an SA Server Device to a User


Subject This section describes how to assign an SA Server OATH device to a single user. The assignment procedure is the same as the classical smart card assignment procedure, except that for SA Server devices, you must fill-in the SA Server tab, as explained in this section. Before Starting Check that you meet the following requirements: To perform the task described in this section, you must have at least the following administration roles:
In classic administration mode: "Smart card administrator" and at least, one of the following roles: "Security object administrator" or "Access administrator" or "Rights administrator".

In advanced administration mode, your role must contain the following rights: "Token: Assignment" and "Directory: Browsing".

If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section. The device you want to assign must have a device ID, and have previously been provisioned in SA Server. Its state must be "Initialized" in SA Server.

Procedure
1. Follow the smart card assignation procedure explained in Section 7.1.2, Assigning a Smart Card to a User.
2. Fill in the SA Server tab following the instructions given in the "SA Server" Tab Description section below. This tab allows you to register the device as an SA Server device and to link the selected user to this device.
3. Click OK.
A window asks you to enter the PIN.
4. Type the device PIN and click OK.
Once assigned, the device ID and the user ID are linked together. The device and the user have the state "Active".

"SA Server" Tab Description

Associated user area
The User ID field is automatically filled in according to the User ID rule defined while configuring the SA Server device management (see Section 8.1.2, Configuring the SA Server Device Management).
If the SA Server is configured in "Full DB" mode, you must fill in the Password and Confirm password fields for the selected user. If the SA Server is configured in "Mixed mode", the Password field is not available.
Answer to security questions area
The questions displayed here are the ones chosen while configuring the SA Server device management (see Section 8.1.2, Configuring the SA Server Device Management). You must answer these questions together with the user, so that he can obtain an OTP if he loses his device.
If the User ID already exists in SA Server and the answers are already recorded, the fields are empty. If you fill in these fields again, the corresponding answers are updated in SA Server. If you leave these fields empty, the answers are not updated in SA Server.

Device ID field
The device ID is read from the device.

Validate check box
- Check box selected: when you click the OK button, SA Server is updated with the information entered in the tab and the link between the device and the user is established in SA Server.
- Check box cleared: when you click the OK button, SA Server is not updated with the information entered in the tab and no link is established between the device and the user in SA Server. You can do the assignation later on: see the Link User/Remove User button in Section 8.2.4, Managing the Link between User and SA Server Device.

8.2.2 Formatting an SA Server Device


The formatting procedure is detailed in Section 7.2, Formatting Smart Cards. When an SA Server device is formatted, the action performed on the device depends on the configuration set while configuring the SA Server device management, in the Action on device formatting area (see Section 8.1.2, Configuring the SA Server Device Management):
- If the Revoke option is set, the device state becomes "Revoked" and the device cannot be used anymore.
- If the Initialize option is set, the device state becomes "Initialized". If a user was linked to this device, the link is removed.

8.2.3 Blacklisting an SA Server Device


The blacklisting procedure is detailed in Section 7.6, Sending Smart Cards to a Blacklist.

When an SA Server device is blacklisted, the action performed on the device depends on the configuration set while configuring the SA Server device management, in the Action on device blacklisting area (see Section 8.1.2, Configuring the SA Server Device Management):
- If the Revoke option is set, the device state becomes "Revoked" and the device cannot be used anymore.
- If the Initialize option is set, the device state becomes "Initialized". If a user was linked to this device, the link is removed.

8.2.4 Managing the Link between User and SA Server Device


In the Directory panel of Enterprise SSO Console, in the Smart Card tab, the SA Server tab allows you to manage the SA Server device of a user.

User Information area
User ID/User State: information fields.
Block/Unblock button: the Block button allows you to prevent the user from authenticating. The user cannot authenticate when his state is "Block". In this case, the button becomes Unblock. The Unblock button allows you to authorize a blocked user to authenticate again.

Revoke button: this button allows you to revoke the user by definitively cancelling his user ID. This action is irreversible.
Unlock button: this button is only available if the user is locked, which means he has reached the maximum number of allowed password attempts (this number is defined in the Gemalto SA Server user settings). This button allows you to unlock the user by resetting the user password attempts counter.

Associated device area
Device ID/Device state: information fields retrieved from the device.
Device expiration check box: this check box makes the device expiration field available and allows you to update the device expiration date.
OTP attempts field: this field displays the OTP attempts counter as follows: <number of OTP attempts>/<maximum attempts before lock>. The maximum number of OTP attempts is defined in the Gemalto SA Server OATH policy.
Reset OTP attempts button: this button allows you to unlock the device when it has reached the maximum number of OTP attempts.
Block/Unblock button: the Block button allows you to prevent the device from being used. The device cannot be used to authenticate when its state is "Block". In this case, the button becomes Unblock. The Unblock button allows a blocked device to be used for authentication again.
Revoke button: this button allows you to revoke the device by definitively cancelling it. This action is irreversible: the device cannot be used again.
Link User/Remove User button
a) The Link User button is displayed in the following cases:
b) If the device-user link is not established in SA Server. In this case, this button allows you to link the device to the user in SA Server with the following window.

This window allows you to update in SA Server the information entered while assigning the device to the user. The information already entered at assignment time (see Section 8.2.1, Assigning an SA Server Device to a User) is not displayed in the window: if you fill in these fields again, the corresponding answers are replaced in SA Server; if you leave these fields empty, SA Server is not updated.
c) If the user does not exist in SA Server yet. In this case, this button allows you to create the user and link the device to the user in SA Server, with the following window. This window allows you to enter the necessary information to link the device to the user, as described in Section 8.2.1, Assigning an SA Server Device to a User.
d) The Remove User button allows you to remove the device-user link. If you remove a device-user link, you can link them again later on with the Link User button, without having to re-enter the necessary information.
9. Managing RFID Tokens


To enable the management of RFID tokens, the RFID option must have been selected upon the installation of Enterprise SSO Console. For more details, see Enterprise SSO Advanced Installation and Configuration Guide. Workstations using RFID tokens must be equipped with a compliant RFID hardware system. For details on the supported RFID products, see Quest Enterprise SSO Release Notes.

RFID Definition
RFID, the acronym of Radio Frequency IDentification, is a technology used anywhere a unique identification system is needed. In information systems, RFID can be used to secure equipped workstations. An RFID system consists of an antenna and a transceiver (short for transmitter-receiver), which read the radio frequency and exchange information with an RFID token, which contains the information to be transmitted. Enterprise SSO can handle active and passive RFID tokens. For more information on supported RFID technologies, see Quest Enterprise SSO Release Notes.

Possible States of an RFID Token

[Figure: state diagram of an RFID token. States: Available RFID Token, Assigned RFID Token, Locked RFID Token, RFID Token Blacklisted. Transitions: Assignment, Locking, Unlocking, Blacklisting, Deletion.]

Interface Design
To manage RFID tokens, you will use the following administration panels:
- The RFID panel, which gives you an overview of the RFID tokens used in the company. You may use the intuitive filter area, which is useful when managing many tokens.
- The Directory panel, which allows you to manage the RFID tokens of a specific User and to configure RFID parameters.

9.1 Assigning an RFID Token


Before Starting
To be able to assign an RFID token, you must have either the RFID token itself or its serial number. To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: "Smart card administrator" and at least one of the following profiles: "Security object administrator", "Access administrator" or "Rights administrator".
- In advanced administration mode, your role must contain the following rights: "Token: Assignment" and "Directory: Browsing".

If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

Procedure
1. Make sure that the following security profiles have one of the RFID authentication methods selected:
- The Access Point Security Profile associated with the Access Point equipped with an RFID hardware system (for details, see Section 5.4.2, Configuring Access Point Security Profiles).
- The User Security Profile associated with the User for whom you want to assign the token (for details, see Section 5.3.2, Configuring User Security Profiles).
2. In the directory tree (Directory panel), select the User for whom you want to assign an RFID token and click the RFID tab.
The RFID tab appears.

3. Click Assign.
The RFID token selection window appears. If your workstation is not equipped with RFID hardware, the Select a present RFID option is disabled.
4. Define the RFID token to assign using one of the following methods: if you have the RFID token to assign, select it in the drop-down list; otherwise, enter its serial number.
5. (Optional) Select Expiry date to define the day and hour of the RFID token expiration. You can change this option at any time through the RFID tab of the selected user.
6. Click OK.

9.2 Locking and Unlocking an RFID Token


There are two ways to lock and unlock an RFID token, as detailed in the following subsections.

9.2.1 Locking and Unlocking an RFID Token from the Directory Panel

Subject
This section explains how to lock and unlock an RFID token from the Directory panel.

Before Starting
To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: "Smart card administrator".
- In advanced administration mode, your role must contain the following rights: "Token: Modification" and "Directory: Browsing".

If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

Procedure
1. Browse the directory tree to select the wanted user and click the RFID tab.
The list of RFID tokens assigned to this user appears.
2. Select the RFID token to lock and click the Lock button.
The state of the token changes to Locked.
3. To unlock it, select it and click the Unlock button.
The state of the token changes to Active.

9.2.2 Locking and Unlocking an RFID Token from the RFID Panel

Subject
This section explains how to lock and unlock an RFID token from the RFID panel.

Before Starting
To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: "Smart card administrator".
- In advanced administration mode, your role must contain the following right: "Token: Modification".

If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

Procedure
1. Modify the RFID filter (optional) and click the Apply button.
A list of RFID tokens appears.
2. Select in the list the token to lock and click the Lock button.
The state of the token changes to Locked.
3. To unlock it, select it and click the Unlock button.
The state of the token changes to Active.

9.3 Blacklisting and Deleting an RFID Token


There are two ways to blacklist and delete an RFID token, as detailed in the following subsections.

9.3.1 Blacklisting and Deleting an RFID Token From the Directory Panel

Subject
This section explains how to blacklist and delete an RFID token from the Directory panel.

Before Starting
To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: "Smart card administrator".
- In advanced administration mode, your role must contain the following rights: "Token: Blacklist" and "Directory: Browsing".

If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

Procedure
1. Browse the directory tree to select the wanted user and click the RFID tab.
The list of RFID tokens assigned to this user appears.
2. Select the RFID token to blacklist and click the Blacklist button.
The state of the token changes to History.
3. To delete it, select it and click the Delete button.
The token disappears from the list.

9.3.2 Blacklisting and Deleting an RFID Token from the RFID Panel

Subject
This section explains how to blacklist and delete an RFID token from the RFID panel.

Before Starting
To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: "Smart card administrator".
- In advanced administration mode, your role must contain the following right: "Token: Blacklist".

If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

Procedure
1. Modify the RFID filter (optional) and click the Apply button.
A list of RFID tokens appears.
2. Select in the list the token to blacklist and click the Blacklist button.
The state of the token changes to Blacklisted.
3. To delete it, select it and click the Delete button.
The token disappears from the list.

9.4 Modifying the Detection Areas and the Grace Period


Definitions

The Detection Areas
The RFID tokens and the antenna/transceiver are in constant encrypted two-way wireless communication with each other. As an authorized user approaches the workstation, the token unlocks the workstation when the user enters a pre-set detection zone (the unlock area) and allows the user to enter his/her password to log on. The area starting from the sensor antenna through the limit of the lock range is called the visibility area. In this area, the Enterprise SSO controller is able to identify owners of RFID tokens. When the authorized user moves out of this area, the workstation is automatically secured (the lock area).

[Figure: detection areas around the Sensor/Antenna. Unlock Area (within the unlock range): able to open/unlock the session. Visibility Area (within the lock range): session kept alive. Lock Area (beyond the lock range): session locked/closed.]
The Grace Period
For convenience purposes, you can define a Grace Period, during which the workstation unlocks with the RFID token only. After this period, the user must provide his/her password in addition to the RFID token to log on.

Before Starting
To perform the tasks described in this section, you must have at least the following administration role:
- In classic administration mode: "Smart card administrator".
- In advanced administration mode, your role must contain the following rights: "Token: Modification" and "Directory: Browsing".

If you have authenticated with a smart card, you must be a "Smart card manager" (this right is granted at card assignation time, in the Administration tab) to perform the task described in this section.

Procedures

Modifying the Detection Areas
1. In the Directory panel, select the Access Point Security Profile associated with the Access Points for which you want to modify the detection areas, and click the RFID tab.
The RFID tab appears.
2. Move the sliders to modify the values depending on your needs and click Apply.
The upper slider defines the unlock range; the lower slider defines the lock range. It is not possible to set the lock range lower than the unlock range: this is normal behavior.

Modifying the Grace Period
1. In the Directory panel, select the User Security Profile associated with the users for whom you want to modify the grace period, and click the Security tab.
The Security tab appears.

2. Modify the Grace period option.
Setting the Grace period to 0 minutes is equivalent to clearing the Grace period check box.
3. Click Apply.
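The detection areas and grace period described in this section, modelled as an added Python example (this is not the product's code): the profile holds the two slider ranges with the same invariant the console enforces, and a workstation decides what each token reading does to the session. Distance units, user names, timestamps and the rule that the grace period only benefits the user whose session was locked are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class Decision(Enum):
    """What a single token reading did to the workstation session."""
    UNLOCKED = "session unlocked"
    PASSWORD_REQUIRED = "token seen in unlock area, password needed"
    KEPT_ALIVE = "open session kept alive"
    LOCKED = "session locked or still locked"


@dataclass
class RfidProfile:
    """RFID tab of the Access Point Security Profile (two sliders) plus the
    Grace period option of the User Security Profile. Distances are in
    constructed units; the product exposes them only as slider positions."""
    unlock_range: float                     # upper slider: limit of the unlock area
    lock_range: float                       # lower slider: limit of the visibility area
    grace_period: timedelta = timedelta(0)  # 0 minutes = check box cleared

    def __post_init__(self) -> None:
        # The console refuses a lock range lower than the unlock range;
        # keeping the same invariant guarantees the areas nest correctly.
        if self.lock_range < self.unlock_range:
            raise ValueError("lock range must not be lower than unlock range")

    def area(self, distance: float) -> str:
        if distance <= self.unlock_range:
            return "unlock"
        if distance <= self.lock_range:
            return "visibility"
        return "lock"


@dataclass
class Workstation:
    profile: RfidProfile
    unlocked: bool = False
    session_user: Optional[str] = None    # owner of the current or last session
    locked_at: Optional[datetime] = None  # when that session was last locked

    def _in_grace_period(self, user: str, now: datetime) -> bool:
        # Assumption: the grace period only benefits the user whose session
        # was just locked; another user's token always needs a password.
        if self.profile.grace_period <= timedelta(0):
            return False
        if self.locked_at is None or user != self.session_user:
            return False
        return now - self.locked_at <= self.profile.grace_period

    def token_seen(self, user: str, distance: float, now: datetime,
                   password_ok: bool = False) -> Decision:
        """Process one reading of `user`'s token at `distance` from the antenna.
        `password_ok` is True when the user has just typed a valid password
        (password verification itself is outside this example)."""
        area = self.profile.area(distance)
        if area == "lock":
            # Token left the visibility area: secure the workstation.
            if self.unlocked:
                self.unlocked = False
                self.locked_at = now
            return Decision.LOCKED
        if self.unlocked:
            # Unlock and visibility areas both keep an open session alive.
            return Decision.KEPT_ALIVE
        if area == "visibility":
            # Owner identified, but too far away to unlock.
            return Decision.LOCKED
        # Token in the unlock area while the session is locked.
        if self._in_grace_period(user, now) or password_ok:
            self.unlocked = True
            self.session_user = user
            self.locked_at = None
            return Decision.UNLOCKED
        return Decision.PASSWORD_REQUIRED
```

A real controller also locks when no reading arrives at all for a while; that timeout is not modelled here.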

9.5 Exporting a List of RFID Tokens


Subject
You can export at any time a list of RFID tokens used in your company. This feature allows you to create reports, for example. The generated files are created in the Comma Separated Value (CSV) format, which is particularly useful to exchange data between databases and spreadsheet software such as Microsoft Excel or Business Objects Crystal Reports.

Before Starting
To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: "Smart card administrator".
- In advanced administration mode, if you use a smart card to perform your administration tasks you only need to be "Smart card manager" (this right is granted at card assignation time, in the Administration tab).

Procedure
1. In the RFID panel, filter the entries that you want to export and click Apply.
The list of tokens appears.
2. Click the Export button, and select in the displayed window the save location of the file.

10. Managing Biometric Enrolment


Workstations using biometrics must be equipped with a compliant biometric scanner system. For details on the supported biometric products, see Quest Enterprise SSO Release Notes.

Subject
Enterprise SSO Console allows you to manage the biometric enrolment of users.

Biometric Modes
Enterprise SSO can work in three modes to authenticate users with their biometric data. You select the biometric mode from the two following directory objects:
- In the Access Point security profile: see Section 5.4.2.1, Security Services Configuration ("Security Services" Tab).
- In the User security profile configuration: see Section 5.3.2.1, Authentication Parameters Configuration ("Authentication" Tab).

Store On PC mode
User biometric data and LDAP password are stored in the workstation local cache, and are protected by the Enterprise SSO Client and the administration rights set on the workstation. Users must enrol their biometric data on every workstation they use.

Store On Card mode
User biometric data and smart card PIN are stored on the user's smart card (public area), and are protected by the Enterprise SSO Client. Users enrol their biometric data once and this data is stored in their smart card.

Store On Server mode
User biometric data enrolment is centralized by the Enterprise SSO Controller and stored in the directory. In this mode, an Enterprise SSO Controller must be available for authentication. Users enrol their biometric data once by typing their name and password before placing their finger on the biometric scanner. Then they can connect to every workstation of the Enterprise SSO forest without having to enrol their biometric data on each workstation they use. On every workstation on which the user authenticates, a local cache is created, as in the "Store on PC" mode, and the Enterprise SSO Controller retrieves biometric data from the directory to store it in this cache.

Interface Design
To manage biometric enrolment, you will use the following administration panels:
- The Biometrics panel, which displays the list of users having enrolled biometric patterns, and allows you to export it.

- The Directory panel, which allows you to manage biometric enrolment in the user security profile and for a specific user; you can also configure biometric parameters on computers in the access point security profile.

10.1 Defining the Biometric Enrolment Policy


You define the biometric enrolment policy in the User security profile, as explained in Section 5.3.2.5, Biometrics Parameters Configuration ("Biometrics" Tab).

10.2 Defining the Biometric Workstation Parameters


You define the biometric workstation parameters in the Access Point security profile, as explained in Section 5.4.2.4, Biometrics Parameters ("Biometrics" Tab).

10.3 Managing the User Enrolment


You can manage the user biometric data enrolment from the User object, as explained in Section 6.2.8, Displaying Users Biometric Data ("Biometrics" Tab).

10.4 Displaying and Exporting the Biometric Enrolment Report


Subject
The Biometrics panel allows you to display and export the list of users who have enrolled biometric patterns, as explained in the following procedure.

Before Starting
To perform the task described in this section, you must work in advanced administration mode, and your role must contain the following right: "Bio: Is enable to allow biometrics pattern enrolment".
For more information on administration modes, see Section 4, Managing Administrators.

Procedure
1. In the Biometrics panel, click the View button.
The panel displays the list of users who have enrolled their biometric data, with the enrolment date and the name of the user who approved the enrolment.
2. To export the list to a .csv file, click the Export button and fill in the Save As window.
The displayed list is saved in a .csv file.

11. Managing Data Privacy


Subject
With Data Privacy, Enterprise SSO end users can encrypt files on their workstations and share these files with selected users. This section describes how to enable and administer this feature.

Before Starting
The Data Privacy component must have been selected upon the installation of Enterprise SSO Console. The File Encryption software module must have been installed on the related workstations.
For details, see Enterprise SSO Advanced Installation and Configuration Guide.

Interface
To manage the Data Privacy feature, you will use the following administration panels:
- The Data Privacy panel, which gives you an overview of the encryption keys used in the company. You may use the intuitive filter area, which is useful when managing many keys.

- The Directory panel, which allows you to manage the key of a specific User and to configure Data Privacy parameters.

Key States: key icons have different aspects depending on their states, as described in the following list (the icon images are not reproduced here):
- Key active.
- Key in the warning period.
- Key expired.
- The key will be active upon the user's logon.
- Waiting for the user's logon: key in the warning period.
- Waiting for the user's logon: key will expire.

11.1 Generating Keys


The encryption of files is performed using strong encryption algorithms (AES and TripleDES). These algorithms transform data into a form that can be read only by the intended recipient holding the proper decryption key. There are several ways of generating File Encryption keys: this operation can be done directly on the user object, on a User Security Profile, or on LDAP containers for massive key generation.

11.1.1 Generating Keys for a Single User or a Group of Users


Before Starting
To be allowed to generate keys, you must have at least the following administration role:
- In classic administration mode: the "File Encryption administrator" role.
- In advanced administration mode, your role must contain the following rights: "File Encryption Key: Generation" and "Directory: Browsing".
For more details on administration roles, see Section 4, Managing Administrators.

Procedure
1. Check the following:
- The User Security Profile associated with the user or the group for whom you want to enable Data Privacy must have the option User has access to the File Encryption module selected (for details, see Section 5.3.2, Configuring User Security Profiles).
- The Access Point Security Profile associated with the Access Point of the wanted user/group must have the option File Encryption is authorized on this workstation selected (for details, see Section 5.4.2, Configuring Access Point Security Profiles).
2. In the directory tree (Directory panel), select the wanted user or group and click the Data Privacy tab.
The Data Privacy tab appears.

3. Click Generate.
4. Fill in this window and click OK.
You can modify the name of the key, the validity date and the warning date after the generation of the key.
The generated key appears in the list.

11.1.2 Massive Keys Generation (Batch Mode)


Before Starting
To be allowed to generate keys, you must have at least the following administration role:
- In classic administration mode: the "File Encryption administrator" role.
- In advanced administration mode, your role must contain the following rights: "File Encryption Key: Generation" and "Directory: Browsing".
For more details on administration roles, see Section 4, Managing Administrators.

Procedure
1. Check the following:
- The User Security Profile associated with the user or the group for whom you want to enable Data Privacy must have the option User has access to the File Encryption module selected (for details, see Section 5.3.2, Configuring User Security Profiles).
- The Access Point Security Profile associated with the Access Point of the wanted user/group must have the option File Encryption is authorized on this workstation selected (for details, see Section 5.4.2, Configuring Access Point Security Profiles).
2. In the Data Privacy panel, click Data Privacy | Generate keys for multiple users (menu bar).
The File Encryption key generation window appears.
3. Use the Add and Remove buttons to select the wanted users and, if necessary, modify the File Encryption key properties area. Then click Next.
A window displaying all the selected users appears.
4. Click Start.

11.1.3 Configuring the Automatic Generation of a Key upon User's Logon


Before Starting
To be allowed to generate keys, you must have at least the following administration role:
- In classic administration mode: the "File Encryption administrator" role.
- In advanced administration mode, your role must contain the following rights: "File Encryption Key: Generation" and "Directory: Browsing".
For more details on administration roles, see Section 4, Managing Administrators.

Procedure
1. Make sure that the Access Point Security Profile associated with the Access Point of the wanted user has the option File Encryption is authorized on this workstation selected (for details, see Section 5.4.2, Configuring Access Point Security Profiles).
2. In the User Security Profile associated with the user for whom you want to enable Key automatic generation, click the Data Privacy tab.
3. Select the following options:
- User has access to the File Encryption module.
- Generate user's personal key automatically, and modify if necessary the File Encryption key properties area. Note that this option applies to all the users associated with this security profile.
4. Click Apply.

11.2 Renewing Keys


You can manually renew a key or you can configure an automatic update of the key, on the user's logon, when the key is about to expire. This update can be the prolongation of the current key or the generation of a new one.

11.2.1 Renewing Manually a Key


11.2.1.1 Renewing Manually a Key from the Directory Panel

Subject
This section explains how to renew a key manually from the Directory panel.

Before Starting
To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: the "File Encryption administrator" role.
- In advanced administration mode, your role must contain the following rights: "File Encryption Key: Generation" and "Directory: Browsing".
For more details on administration roles, see Section 4, Managing Administrators.

Procedure
1. In the directory tree (Directory panel), select the wanted user or group and click the Data Privacy tab.
The Data Privacy tab appears.
2. Select the displayed key and click either Edit or Renew.
If you want to update the expiration date, the name of the key and the warning time, use the Edit button. If you want in addition to modify the encryption algorithm, use the Renew button.
3. Fill in the displayed window and click OK.
For details on the significance of the different key icons, see Interface in Section 11, Managing Data Privacy.

11.2.1.2 Renewing Manually a Key from the Data Privacy Panel


Subject
This section explains how to renew a key manually from the Data Privacy panel.

Before Starting
To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: the "File Encryption administrator" role.
- In advanced administration mode, your role must contain the following right: "File Encryption Key: Generation".
For more details on administration roles, see Section 4, Managing Administrators.

Procedure
1. Modify the Data Privacy filter (optional), and click the Apply button.
A list of keys appears.
2. Select in the list the key to renew and click either the Edit or the Renew button.
If you want to update the expiration date, the name of the key and the warning time, use the Edit button. If you want in addition to modify the encryption algorithm, use the Renew button.
3. Fill in the displayed window and click OK.
For details on the significance of the different key icons, see Interface in Section 11, Managing Data Privacy.

11.2.2 Configuring Automatic Updates of Keys


Before Starting
To be allowed to generate keys, you must have at least the following administration role:
- In classic administration mode: the "File Encryption administrator" role.
- In advanced administration mode, your role must contain the following rights: "File Encryption Key: Generation" and "Directory: Browsing".
For more details on administration roles, see Section 4, Managing Administrators.

Procedure
1. In the User Security Profile associated with the user for whom you want to enable Key automatic generation, click the Data Privacy tab.
The Data Privacy tab appears.
2. Select the following options:
- User has access to the File Encryption module.
- Automatically update key in warning period, and modify if necessary the File Encryption key properties area. Note that this option applies to all the users associated with this security profile.
3. Click Apply.
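The key lifecycle described by the key icons in the Interface description of Section 11 and by the automatic update option of this section, as an added Python example (this is not the product's code): a key's state is derived from its validity and warning dates, the Edit and Renew buttons are modelled as functions, and the logon-time update either prolongs the key or regenerates it. The version field, key names, dates and the cache comparison used for Section 11.3 are assumptions of the example.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

ALGORITHMS = ("AES", "TripleDES")  # the two algorithms named in Section 11.1


class KeyState(Enum):
    ACTIVE = "Key active"
    WARNING = "Key in the warning period"
    EXPIRED = "Key expired"


@dataclass(frozen=True)
class FileEncryptionKey:
    name: str
    algorithm: str
    validity_date: datetime   # the key expires at this date
    warning_date: datetime    # start of the warning period, before validity_date
    version: int = 1          # constructed: bumped whenever key material is regenerated

    def __post_init__(self) -> None:
        if self.algorithm not in ALGORITHMS:
            raise ValueError(f"unsupported algorithm {self.algorithm!r}")
        if self.warning_date >= self.validity_date:
            raise ValueError("warning date must precede validity date")

    def state(self, now: datetime) -> KeyState:
        """State shown by the key icon in the Data Privacy panel."""
        if now >= self.validity_date:
            return KeyState.EXPIRED
        if now >= self.warning_date:
            return KeyState.WARNING
        return KeyState.ACTIVE


@dataclass(frozen=True)
class AutoUpdatePolicy:
    """'Automatically update key in warning period' option of a User Security
    Profile together with its File Encryption key properties area."""
    enabled: bool
    regenerate: bool      # True: generate a new key; False: prolong the current one
    validity: timedelta   # lifetime granted to the updated key
    warning: timedelta    # length of the warning period before the new expiry


def edit_key(key: FileEncryptionKey, *, validity_date: datetime,
             warning_date: datetime, name: Optional[str] = None) -> FileEncryptionKey:
    """Edit button: name and dates change, algorithm and key material stay."""
    return replace(key, name=name or key.name,
                   validity_date=validity_date, warning_date=warning_date)


def renew_key(key: FileEncryptionKey, *, algorithm: str, validity_date: datetime,
              warning_date: datetime, name: Optional[str] = None) -> FileEncryptionKey:
    """Renew button: like Edit, but the algorithm may change, so fresh key
    material is produced (modelled by bumping the version)."""
    return replace(key, name=name or key.name, algorithm=algorithm,
                   validity_date=validity_date, warning_date=warning_date,
                   version=key.version + 1)


def on_logon(key: FileEncryptionKey, policy: AutoUpdatePolicy,
             now: datetime) -> FileEncryptionKey:
    """Automatic update at the user's logon. Only a key in its warning period
    is touched: an active key is left alone and an expired key stays expired,
    so an administrator has to renew it manually."""
    if not policy.enabled or key.state(now) is not KeyState.WARNING:
        return key
    new_validity = now + policy.validity
    new_warning = new_validity - policy.warning
    if policy.regenerate:
        return renew_key(key, algorithm=key.algorithm,
                         validity_date=new_validity, warning_date=new_warning)
    return edit_key(key, validity_date=new_validity, warning_date=new_warning)


def cache_needs_refresh(directory_key: FileEncryptionKey,
                        cached_key: Optional[FileEncryptionKey]) -> bool:
    """Section 11.3: the workstation cache is stale when the directory holds a
    renewed group key or a key updated from another workstation."""
    return cached_key != directory_key
```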

11.3 Allowing Users to Refresh their Keys from the Directory


Subject
To limit LDAP traffic, the keys are stored in the user's cache (like the Enterprise SSO data), directly on the user's workstation. If the data in the cache and in the LDAP directory are not synchronized, the File Encryption software module installed on the workstation may not work. To solve this problem, the user must refresh the cache of his/her workstation.
The File Encryption cache can become unsynchronized in the following cases:
- The key associated with a group of users is renewed (which means that all the users of the group need to retrieve the new key).
- The user switches from a workstation where the key is automatically renewed to a workstation where the key is not renewed (which means that all the files encrypted with the new key are not readable until the new key is retrieved from the directory).

The following procedure describes how to allow users to refresh their keys.

Before Starting
To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: the "File Encryption administrator" role.
- In advanced administration mode, your role must contain the following rights: "File Encryption Key: Generation", "Directory: Browsing" and "User security profile: Creation/Modification".
For more details on administration roles, see Section 4, Managing Administrators.

Procedure
1. Make sure that the Access Point Security Profile associated with the Access Point of the wanted user has the File Encryption is authorized on this workstation option selected (for details, see Section 5.4.2, Configuring Access Point Security Profiles).
2. In the User Security Profile associated with this user, click the Data Privacy tab.
The Data Privacy tab appears.
3. Select the following options:
- The user has access to the File Encryption module.
- The user can ask for a refresh of the keys from his desktop.
Note that this option relates to all the users associated with this security profile.
4. Click Apply.


11.4 Exporting a List of Generated Keys


Subject
You can export at any time a list of the keys used in your company, for example to create reports. The generated files are created in the Comma Separated Value (CSV) format, which is particularly useful to exchange data between databases and spreadsheet software such as Microsoft Excel or Business Objects Crystal Reports.

Before Starting
To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: the "File Encryption administrator" role.
- In advanced administration mode, your role must contain the following right: "File Encryption Key: Generation".
For more details on administration roles, see Section 4, Managing Administrators.

Procedure
1. In the Data Privacy panel, filter the entries that you want to export and click Apply.
The list of keys appears.
2. Click the Export button, and select in the displayed window the save location of the file.


12. Enabling the Public Key Authentication Method


The PKA Authentication Method
Quest Enterprise SSO provides smart card authentication. This authentication method is used to store the user's directory credentials necessary to access the user's SSO data. In addition, Enterprise SSO supports Microsoft smart card logon authentication, but this authentication method is limited to Microsoft compliant Public Key Infrastructures. The Public Key Authentication (PKA) is another authentication method supported by Enterprise SSO that can be used to grant SSO to users. The goal of Enterprise SSO PKA is to provide user authentication and SSO based on X.509 certificates: authentication and access to SSO are provided only if the user's certificate is valid and if the user can prove ownership of the certificate. Enterprise SSO PKA supports smart card driven certificates, the most widespread method of deploying certificates.

PKA Authentication Process
Once the PKA authentication method is enabled, the Enterprise SSO PKA authentication process is as follows:
1. Identification of the inserted smart card (this implies the use of a smart card XML description file that is properly configured).
2. If the smart card is PKA compliant, the Enterprise SSO client reads the certificate and retrieves the user's name using the attribute mapping rules (contents of the certificate on one side and user attributes in the LDAP directory on the other side).
3. Once the user has been identified, the Enterprise SSO client prompts the user for his/her smart card PIN.
4. Verification of the user's public key certificate.
5. Certificate enrollment: if this is the first time the user logs on to his/her workstation using the PKA authentication method, the Enterprise SSO controller automatically creates in the Enterprise SSO directory an object that contains the user's LDAP credentials (login name and password). To create the LDAP object, the Enterprise SSO controller does the following:
- It verifies the user's certificate (validity period, authorized usage, trusted certification authority, proper revocation status).
- If the certificate is valid, Enterprise SSO prompts the user for his/her LDAP credentials (login name and password).
- If these credentials grant access to the LDAP directory, Enterprise SSO encrypts them using the user's public key certificate.
- Enterprise SSO then creates an LDAP object where the user's encrypted LDAP credentials are stored. Access to this LDAP object is restricted to that user; moreover, that user must authenticate using that certificate to gain access to his/her LDAP credentials.
6. Retrieving encrypted LDAP credentials from the Enterprise SSO directory.
7. Decrypting the LDAP credentials using the user's private key stored on the smart card.
8. Using the decrypted LDAP credentials to retrieve Enterprise SSO data from the LDAP directory.

Revocation
The Enterprise SSO PKA authentication process relies on a public key certificate to identify the incoming user. It is therefore necessary to ensure that any public key certificate used to authenticate a user is valid and properly trusted. This requires external PKI material such as a set of public key certificates for each Certification Authority and access to an On-line Certificate Status Protocol (OCSP) responder or to a set of Certificate Revocation Lists (CRL). During the certificate enrollment, the user's public key certificate is validated as follows:
- Its issuing Certification Authority must be identified as a trusted authority for the purpose of Enterprise SSO PKA.
- If a CRL or OCSP responder is defined for that issuing Certification Authority (or defined in the certificate itself), the revocation status is checked.

The revocation engine is included in the Enterprise SSO controller. Its job is to maintain the accuracy of the revocation status of all public key certificates used for Enterprise SSO PKA. For each CRL distribution point or OCSP responder defined, the revocation engine:
- Computes the time of the next revocation update.
- Collects the revocation information.
- Checks the revocation status of all enrolled public key certificates.
- Checks the revocation status of the public key certificate of every trusted Certification Authority.
Whenever a user's public key certificate is revoked, its status is updated in the Enterprise SSO directory and the user's smart card is automatically blacklisted.
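The enrollment and logon steps of the PKA process above, together with the certificate validation and CRL revocation check just described, as an added Go example that is not code from Enterprise SSO or Quest: it builds a constructed CA, user certificate and CRL, validates the user certificate the way the guide lists (trusted issuer, validity period, authorized usage, revocation status), encrypts constructed LDAP credentials to the certificate's public key and recovers them with the matching private key. The LDAPCredentials type, the function names and the in-memory map standing in for the per-user directory object are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// LDAPCredentials is the secret the controller keeps for the user (hypothetical type).
type LDAPCredentials struct {
	Login    string `json:"login"`
	Password string `json:"password"`
}

// ValidateUserCert applies the enrollment checks the guide lists: trusted issuing CA and validity
// period (cert.Verify), authorized usage, then revocation status from a CRL that must itself be
// signed by the issuer and not past its NextUpdate before it is believed.
func ValidateUserCert(cert, issuer *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(issuer)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain or validity check failed: %w", err)
	}
	if cert.KeyUsage&x509.KeyUsageKeyEncipherment == 0 {
		return errors.New("certificate not authorized for key encipherment")
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil || crl.NextUpdate.Before(now) {
		return fmt.Errorf("CRL not usable (bad signature or stale): %v", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate is revoked")
		}
	}
	return nil
}

// Enroll encrypts the credentials to the certificate's public key (RSA-OAEP), so only the private
// key on the user's smart card can recover them. The map stands in for the per-user directory object.
func Enroll(store map[string][]byte, cert *x509.Certificate, creds LDAPCredentials) error {
	pub := cert.PublicKey.(*rsa.PublicKey) // the example handles RSA certificates only
	plain, _ := json.Marshal(creds)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, nil)
	if err != nil {
		return err
	}
	store[cert.Subject.String()] = ct
	return nil
}

// Retrieve is the logon side: fetch the user's ciphertext and decrypt it with the private key.
func Retrieve(store map[string][]byte, cert *x509.Certificate, priv *rsa.PrivateKey) (creds LDAPCredentials, err error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, store[cert.Subject.String()], nil)
	if err != nil {
		return creds, err
	}
	return creds, json.Unmarshal(plain, &creds)
}

// RunScenario builds a constructed CA, user certificate and CRL (fixture errors ignored for
// brevity), then enrolls and retrieves. With revoked=true the user's serial is on the CRL.
func RunScenario(revoked bool) (LDAPCredentials, error) {
	now := time.Now()
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	userKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	userTmpl := &x509.Certificate{SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "jdoe"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageKeyEncipherment, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	userDER, _ := x509.CreateCertificate(rand.Reader, userTmpl, ca, &userKey.PublicKey, caKey)
	user, _ := x509.ParseCertificate(userDER)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour)}
	if revoked {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: user.SerialNumber, RevocationTime: now}}
	}
	crlDER, _ := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	crl, _ := x509.ParseRevocationList(crlDER)
	if err := ValidateUserCert(user, ca, crl, now); err != nil {
		return LDAPCredentials{}, err
	}
	store := map[string][]byte{}
	if err := Enroll(store, user, LDAPCredentials{Login: "jdoe", Password: "constructed-secret"}); err != nil {
		return LDAPCredentials{}, err
	}
	return Retrieve(store, user, userKey)
}
```

RunScenario(false) returns the decrypted credentials; RunScenario(true) stops at the revocation check, which is the case the revocation engine exists to catch.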


12.1 Configuring User and Access Point Security Profiles to Support the PKA Authentication Method
Before Starting
A smart card XML description file must exist and it must contain the description of the specific type(s) of smart card that will be used for PKA authentication. Several reserved keywords are used in the XML file to specify to Enterprise SSO that this smart card will be used for that purpose.
To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: Security Object administrator.
- In advanced administration mode, your role must contain the following rights: "User security profile: Creation/Modification", "Access point security profile: Creation/Modification".

Procedure
1. Import a smart card XML description file, which is properly configured, see Section 14, Customizing Configuration Files.
2. Create (or modify) a User Security Profile with the following mandatory requirements:
- The authentication method which is PKA compliant must be selected.
- The Password authentication method must also be selected.
For more details, see Section 5.3.2, Configuring User Security Profiles.
3. Create (or modify) an Access Point Security Profile with exactly the same mandatory requirements. For more details, see Section 5.4.2, Configuring Access Point Security Profiles.

12.2 Activating the PKA Authentication Method and Defining the Set of Authorized Certification Authorities
To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: "Security object administrator".
- In advanced administration mode, your role must contain the following rights: "PKA authority: Creation/Modification", "PKA authority: Deletion".


12.2.1 Activating the PKA Authentication Method


Procedure
1. In the Enterprise SSO Console File menu, click Configuration, and in the displayed window select the Public Key Authentication tab.
The Public Key Authentication tab only appears upon a successful extension of the Enterprise SSO directory and a successful creation of the default objects. For more information, see Enterprise SSO Advanced Installation and Configuration Guide.
2. Select the first check box: Users can authenticate using a public key Certificate. Any valid certificate () to authenticate users.
This check box enables all the other options of the tab.
3. Select the second check box: Users can enroll their public key Certificate. Any valid certificate () may be enrolled.
It is mandatory to select this check box with this version of Enterprise SSO.
4. Configure the set of authorized certification authorities by filling in the Certification Authorities area, as described below.


12.2.2 Configuring the Set of Authorized Certification Authorities


Only public key certificates issued by explicitly identified certification authorities can be used for Enterprise SSO PKA. It is therefore necessary to configure the set of authorized certification authorities. You can import Certification Authorities using different methods, as described in the following sub-sections. You can combine these methods.

12.2.2.1 Importing Certification Authorities from PEM or DER Encoded Files


Procedure
1. In the Certification Authorities area, click the Import button, and use the displayed window to select a CA certificate from a DER-encoded (*.cer or *.crt) or a PEM-encoded (*.pem) file.
A summary window appears.
2. To view the detailed contents of the certificate, click Details.
3. To confirm the activation of the Certification Authority as a permitted issuer of users' public key certificates for Enterprise SSO PKA, click the Import button.
The imported Certification Authority appears.
If the imported CA certificate contains the URL of a point of distribution of certificate revocation information (available in the form of a CRL or an OCSP responder), the creation of the Certification Authority in the E-SSO directory also creates an object corresponding to each point of distribution (this is the case in our example).

12.2.2.2 Importing Certification Authorities from Windows System Storage


Procedure
1. In the Certification Authorities area, select the Import Certification Authorities from Windows system storage check box and click the Import button.
The certificate selection window appears.
2. Select the certificate from the list. To display the detailed contents of the certificate, click the View Certificate button. Then, click the OK button to resume the import of the certificate.

12.2.2.3 Deleting a Certification Authority


Procedure
In the Certification Authorities area, select the Certification Authorities to remove and click the Delete button. The Certification Authority is removed from the list of trusted CAs.
If the removed public key certificate contains a revocation information point of distribution, the associated CRL or OCSP responder is NOT removed from Enterprise SSO PKA: the revocation status of users' certificates will still be updated by the Enterprise SSO PKA revocation engine. However, the enrollment of a user's certificate issued by the removed Certification Authority will be denied.

12.3 Configuring the Automatic Update of the Revocation Information


You may use Enterprise SSO PKA without checking the revocation status of users certificates. However, for obvious security reasons, this is strongly discouraged.

To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: "Security object administrator".
- In advanced administration mode, your role must contain the following rights: "PKA authority: Creation/Modification", "PKA authority: Deletion".


12.3.1 Importing a CRL Point of Distribution


Subject
In most cases, the URL of a revocation information point of distribution is included in a public key certificate. When importing the public key certificate of a Certification Authority, Enterprise SSO Console automatically imports the associated revocation information point of distribution. However, in some cases, CA certificates do not use the same CRL as users' certificates. It is then necessary to manually import the URL of the CRLs that publish the revocation status of these users' certificates.

Procedure
1. In the Revocation Information area, select the Supports CRL check box and click the Import button.
The CRL importation window appears.
2. Fill in the URL or filename field and click OK.
This version of Enterprise SSO PKA supports HTTP (http://...) and FTP (ftp://...) in addition to local files (file://...) as valid protocols to collect CRLs. Future versions may support alternative protocols such as LDAP. If the provided URL is valid, the CRL is downloaded from the Internet, through the configured HTTP proxy server if required (Use this HTTP proxy field).
3. Once a CRL has been taken into account, you can update it explicitly. For that purpose, select the CRL in the available list and click the Update button. The CRL is then immediately downloaded and verified.

12.3.2 Importing an OCSP Responder


Subject
In most cases, the URL of a revocation information point of distribution is included in a public key certificate. When importing the public key certificate of a Certification Authority, the Enterprise SSO Console automatically imports the associated revocation information point of distribution. However, in some cases, CA certificates do not use the same OCSP responder as users' certificates. It is then necessary to manually import the OCSP responders that publish the revocation status of these users' certificates.


Procedure
1. In the Revocation Information area, select the Supports OCSP check box and click the Import button.
The OCSP importation window appears.
2. Enter in the URL or filename field the URL of the OCSP responder and select the Import URL as an OCSP responder check box.
The Certificate file field becomes available.
3. Enter the path name of a valid public key certificate used by the OCSP responder server and click OK.
4. Once an OCSP responder has been taken into account, you may need to update its public key certificate. For that purpose, select the OCSP responder in the list, click the Certificate button and select the DER-encoded or PEM-encoded file that contains the public key certificate used by the OCSP responder to sign its responses.

12.3.3 Deleting a CRL Point of Distribution or an OCSP Responder


Procedure
To remove a CRL distribution point or an OCSP responder, select it from the list and click the Delete button. The removed CRL or OCSP responder is removed from the Enterprise SSO PKA configuration in the domain directory and disappears from the list.


13. Managing Audit Events


Overview The following picture shows the streams of audit events within Enterprise SSO.

[Figure: streams of audit events within Enterprise SSO. Labels: Audit Collection (E-SSO Security Services), Audit Consolidation (E-SSO Audit Service), Audit Analysis (E-SSO Administration Service, E-SSO Security Services), Central Audit Database, Local Audit Database, Audit Cache, User Workstation, E-SSO Audit Server, E-SSO Administration Server, Administrator Workstation, E-SSO Manager console.]

Audit events are created on users' workstations and stored locally in audit cache files. Events are then collected (on a regular basis) by an Enterprise SSO controller that provides the Enterprise SSO Audit Services. The controller stores the collected audit events in a local audit database. The Enterprise SSO Audit Services servers should then be configured to upload collected events into a central consolidation audit SQL database. Administrators using the Enterprise SSO Console retrieve the audit events stored in the central audit database.

Audit Cache Mechanism
All the audit events are registered in a centralized SQL database, managed by the Enterprise SSO controllers.


An audit cache mechanism is located on:
- The client workstations, enabling the storage of the audit events if the workstation is disconnected from the network.
- The Enterprise SSO controllers, enabling the storage of the audit events if the server is disconnected from the SQL database.

The Enterprise SSO controller compiles all the events associated with user authentication and administration actions in all LDAP domains, and it provides a consistent overview of the history of the accesses to all your applications.
By administration actions, we mean any operation that modifies the directory content: creation, modification, deletion and renaming of any directory object.

If the audit cache file is deleted, Enterprise SSO sends an audit event to the Enterprise SSO controller. The event indicates the name of the workstation and when the file deletion was detected.

Enterprise SSO Audit Servers
The Enterprise SSO audit servers:
- Ensure the stream of audit events by detecting audit cache file deletion.
- Make sure an Enterprise SSO controller is always available to Enterprise SSO Administrators.
- Do not generate audit events that are not relevant to the customer's security policy. The administrator can apply an audit filter to an application, a computer, a user or an administration profile.

13.1 Displaying Audit Events


Subject
Depending on your needs, you can display audit events in the following ways:
- Globally, using the Audit panel, to display all the Enterprise SSO audit events.
- Contextually, using the Directory panel (Events tab of a selected object), to display only the audit events associated directly or indirectly with the selected object. For example, let us consider an Application object. The Events tab of this object displays any administration action directly associated with this object (such as the modification of an option or of the administrator's list), but also any event linked to the creation of accounts associated with this Application.

The following procedure focuses on how to display globally audit events. For details on how to display the audit records of a specific object, see Section 5.5.1.3, Displaying Password Generation Policy Event Logs and Section 6, Managing Directory Objects.


Before Starting
To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: "Auditor".
- In advanced administration mode, your role must contain the following right: "Audit: Visualization".
For more information on administration roles, see Section 4, Managing Administrators.

Procedure
1. In the Audit panel, select the time range corresponding to the events you want to display, and click Apply.
By default, the audit report displays all the audit events of the last two days. All the audit events corresponding to the selected time range are displayed.
2. To filter the displayed list, click the Advanced Filter button.
The Audit base filter window appears (for details on how to build a filter, see Section 13.2.1, Filtering Audit Records).
3. To display more details about an event, double-click the corresponding line.
The Event detail window appears.

13.2 Managing Audit Filters


The audit filters allow you to filter the events:
- At the time of their visualization.
- At the time of the event creation, for specific objects (administration role, user security profile, access point security profile, application). All defined audit filters are applied before the Enterprise SSO Security Services decide whether the operation should be audited. If at least one filter indicates that the operation should be audited, then the associated audit event is created.

13.2.1 Filtering Audit Records


Subject
To adapt the list of audit events in the report to your needs, you can apply a filter.

Before Starting
To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: Security Object administrator.
- In advanced administration mode, your role must contain the following rights: "Audit filter: Creation/Modification" and "Audit filter: Deletion".
For more information on administration roles, see Section 4, Managing Administrators.



Procedure
1. In the Audit panel, click Advanced Filter.
The audit database search filter window appears. This window allows you to select the category of event to display.

CRITERION - DESCRIPTION
Access point: This criterion is used to filter certain Access Points.
Application: This criterion filters the events concerning only one or more applications.
Audit ID: This criterion can be used to select audit events concerning only certain audit identifiers.
Category: This criterion can be used to choose the family of audit events required:
- SSO audit events.
- Authentication audit events.
- Access point audit events.
- Administration audit events.
Event code: The event code defines the audit events that must be included in the audit report.

The OR logic operator applies to the conditions of a given category and the AND logic operator applies between categories.

2. To add a condition on the category to display, click Add a Condition.
Depending on the category chosen, an audit filter selection window appears.
3. Follow the guidelines given in the window to choose the condition you want to apply, and click OK.
4. In the Audit Database Search Filter window, click Apply.
The filter is instantly taken into account.
5. Click Close to display in the Audit panel the event records corresponding to the selected filter. To interpret audit events, see Section 13.3, Interpreting Audit Events.
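The two evaluation rules this guide states for filters, the OR between the conditions of one criterion with the AND between criteria (the note above), and the rule from the start of Section 13.2 that an operation is audited if at least one assigned filter says so, as an added Go example that is not code from Enterprise SSO or this guide. The event and filter structs, the filter names and the sample values are assumptions; only the event code form (object type followed by operation, e.g. AccountModification) and the success/failure options come from the guide.

```go
package main

import "strings"

// AuditEvent carries the fields the search filter criteria refer to (hypothetical
// struct; the product's real record layout is not documented here).
type AuditEvent struct {
	AccessPoint, Application, AuditID, Category, EventCode string
	Failed                                                 bool
}

// AuditFilter holds the conditions added under each criterion. An empty list means no
// condition on that criterion. Outcome is "" (both), "success" or "failure", mirroring the
// "Audit successes" / "Audit failures" options of the filter creation window.
type AuditFilter struct {
	Name                                                         string
	AccessPoints, Applications, AuditIDs, Categories, EventCodes []string
	Outcome                                                      string
}

// EventCode builds the Event code the way the guide describes: object type + operation,
// e.g. EventCode("Account", "Modification") == "AccountModification".
func EventCode(objectType, operation string) string {
	return objectType + operation
}

// anyOf is the OR between the conditions of one criterion; no conditions means "match all".
func anyOf(value string, conds []string) bool {
	if len(conds) == 0 {
		return true
	}
	for _, c := range conds {
		if strings.EqualFold(c, value) {
			return true
		}
	}
	return false
}

// Matches is the AND between criteria: every criterion with conditions must accept the event.
func (f AuditFilter) Matches(e AuditEvent) bool {
	if (f.Outcome == "success" && e.Failed) || (f.Outcome == "failure" && !e.Failed) {
		return false
	}
	return anyOf(e.AccessPoint, f.AccessPoints) && anyOf(e.Application, f.Applications) &&
		anyOf(e.AuditID, f.AuditIDs) && anyOf(e.Category, f.Categories) &&
		anyOf(e.EventCode, f.EventCodes)
}

// ShouldAudit applies all filters assigned to the objects involved in an operation:
// the event is created if at least one of them matches. It also reports which filter decided.
func ShouldAudit(e AuditEvent, filters []AuditFilter) (bool, string) {
	for _, f := range filters {
		if f.Matches(e) {
			return true, f.Name
		}
	}
	return false, ""
}

// SampleFilters are constructed examples of filters that could be assigned to a User
// Security Profile and an Access Point Security Profile (names and values are made up).
var SampleFilters = []AuditFilter{
	{Name: "account-changes", Categories: []string{"Admin"},
		EventCodes: []string{EventCode("Account", "Creation"), EventCode("Account", "Modification")}},
	{Name: "kiosk-failures", AccessPoints: []string{"KIOSK01", "KIOSK02"}, Outcome: "failure"},
}
```

With SampleFilters, an AccountModification event from any access point is audited by "account-changes", a PFCPCreation event from an ordinary workstation is not audited at all, and a failed authentication on KIOSK02 is audited by "kiosk-failures" while a successful one is not.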


13.2.2 Assigning an Audit Filter to Specific Objects


Subject
You can apply an audit filter to the following objects:
- Administration role
- User Security Profile
- Access Point Security Profile
- Application

Before Starting
To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: "Auditor".
- In advanced administration mode, your role must contain the following rights: "Application: Audit filter assignment" and/or "Access Point security profile: Audit filter assignment" and/or "User security profile: Audit filter assignment" and/or "Administration profile: Audit filter assignment".
For more information on administration roles, see Section 4, Managing Administrators.

Procedure
1. Select the object from the tree view of the Directory panel.
2. Access the Audit area as explained in the appropriate section of the present guide.
3. Assign an audit filter as explained in the following Audit Filtering Area Description section.

Audit Filtering Area Description
- All events: to log all the events related to the object.
- No events: to log no events related to the object.


- Events matching filter: to only log events that match an audit filter. The Select button allows you to select an existing audit filter or to create a new one.

FIELD - DESCRIPTION
Audit Filter: List of available audit filters.
Delete button: To delete an audit filter.
Edit button: To edit the audit filter selected in the list.
New button: To add a new audit filter: see the following Filter Creation Window section.


Filter Creation Window

The filter creation window displays the following information:

INTERFACE ELEMENT - DESCRIPTION
Name: Filter name.
Description: Filter description. Free text item that allows the administrator to have more information about the content of the audit filter.
Category: Category of the event, which can be:
- File Encryption: encryption events.
- Admin: administration events.
- SSO: events concerning User accounts.
- Authentication: events concerning User authentication on Access Points and Applications.
- System: actions performed automatically by the system.
Audit successes: Select this option to audit only successful events.
Audit failures: Select this option to audit only failed events.
Events not audited: List of not audited events.
Audited events: List of audited events.
Add button: To add the selected event to the list of audited events.
Remove button: To remove the selected event from the list of audited events.

13.3 Interpreting Audit Events


This section covers the description of the audit main window, and of the Event detail window.

13.3.1 The Audit Main Window


Window Example

The Advanced Filter button allows you to filter audit records (see Section 13.2.1, Filtering Audit Records). The Export button allows you to export audit events to a formatted file (see Section 13.4, Exporting Audit Events).

Description The audit main window displays the following information:


COLUMN TITLE - DESCRIPTION
Timestamp: Date and time of the event. The color of the icon indicates the event type: green icon: normal event; red icon: error event.
Category: Category of the event, which can be:
- Admin: administration events.
- SSO: events concerning User accounts.
- Authentication: events concerning User authentication on Access Points and Applications.
- System: actions performed automatically by the system.
Event Code: The event code is built using the following values: the type of the audited object, and the operation performed on this object. For a complete description of how the Event code of administration audits is generated, see Section 13.3.3, Detailed Information on Administration Audit Events.
Audit ID: ID of the user who has performed the event.
Application: Name of the Application object associated with the event (blank if the Application is not concerned).
Access Point: Name of the Access Point associated with the event.
Distinguished Name of object: (Administration events only.) Distinguished Name of the object associated with the Admin event:
- For modification, renaming and deletion operations, the DN displayed is the DN of the object.
- For creation operations, the DN displayed is the object parent DN.


13.3.2 The "Event Details" Window


Window Example The following example shows the detailed information on an administration event related to the creation of a time slice.

Description
The Event Details window gives you more information on a selected event. Compared with the audit main window, it contains two pieces of additional information:
- The error code (Error code field).
- The description of the event (Description field).

The other fields display the same information as the main audit window.
The User's audit ID field corresponds to the Audit ID column of the audit main window. The Event type field corresponds to the Event code column of the audit main window.

FIELD - DESCRIPTION
Error code: This field informs you of the cause of the error.
Description: This area gives more information on the event (for a detailed description of this field for Admin events, see Section 13.3.3, Detailed Information on Administration Audit Events).


13.3.3 Detailed Information on Administration Audit Events


Subject
This section focuses on the information displayed by two specific fields of the audit windows:
- The Event Type field of the Event Details window (which corresponds to the Event Code column in the main audit window).
- The Description field of the Event Details window.

The Event Type Field
The Event Type field (or Event Code in the main audit window) is built using the type of the audited object and the administration action on this object. Combine one entry of the Object Type column with one entry of the Administration Operation column below to get the list of possible values that can appear in the Event type field of an Admin event.
The aim of the following table is to show you as many combinations as possible, but it does not claim to be exhaustive.

Examples: The creation of a PFCP object has the following value: PFCPCreation. Account modifications have the following value: AccountModification.

The Description Field
The Description field of administration audit events displays two groups of information:
- An optional description giving you detailed information on the audited object, as shown in the following example:
This description is available with the following objects:
  - Token.
  - UserApplication access.
  - ApplicationAccess Point access.
  - Account's parameter.
  - Account.
  - Application administration profile.
  - Access PointUser access.
For a detailed description, per object, of the displayed information, see the table below.
- The values of the implied LDAP attributes, as shown in the following example:

Detailed Description per Object

OBJECT - DESCRIPTION
Token: Token class. Token serial number. Token state. Owner (owner name and DN).
UserApplication access: Application (name and DN). User (list of the authorized users).
ApplicationAccess Point access: Application (name and DN). Access Point (name and DN).
Account's parameter: Name (name and DN of the account's parameter). User (name and DN). Login. AccountBaseID. Application (name and DN).
Account: User (name and DN). Login. AccountBaseID. Application (name and DN).
Application administration profile: User (name and DN). Application (name and DN).
Access PointUser access: User (name and DN). Access Point (name and DN).


13.4 Exporting Audit Events


Subject
Displayed audit events can be exported to a formatted file (CSV or XML file). Audit events export is available from the Audit module of the Enterprise SSO Console or while browsing the directory.

Procedure
1. From the Audit module of the Enterprise SSO Console, in the Audit panel, or from the tree structure of the Directory panel, in the Events tab of the selected object, select the audit events you want to export. If no events are selected, all retrieved events will be exported.
2. Click the Export button.
The export window appears.
3. Select the format and the path name of the export file.
4. Click Export.
A message confirms the completion of the export operation. Exported audit events remain in the audit database.

13.5 Archiving Audit Records

Subject
The archiving functionality allows you to back up a selection of audit records in a CSV file, and delete these records from the audit database.

Before Starting
To perform the task described in this section, you must have at least the following administration role:
- In classic administration mode: Security Object administrator.
- In advanced administration mode, your role must contain the following right: "Audit database: Management".
For more information on administration roles, see Section 4, Managing Administrators.

Procedure
1. In the Audit menu, click Archive.
   The Audit database export tool appears.
2. Follow the instructions displayed by the wizard to perform the following operations:
   Step 1: select the time range of the audit records to export.
   Step 2: select the file that will receive the audit records.

Quest Enterprise SSO 8.0.3 - Enterprise SSO Console

   Step 3: delete the exported records from the Audit database.
   If you do not want to delete the exported audit records from the Audit database, click Cancel at Step 3.

13.6 Retrieving User ID from Audit ID

Subject
The following procedure explains how to get a User identifier from an Audit identifier.

Procedure
1. In the Audit menu, click Solve Audit ID.
   The Solve Audit ID window appears.
2. Type the Audit ID to solve in the field and click the Add button.
   The Audit ID is added to the Audit ID list.
3. Select the Audit ID line in the Audit ID list and click Solve.
   If you click Solve without selecting an Audit ID, the entire list of Audit IDs is solved. The corresponding User name appears in the User Name column.
4. Click the Close button to close the window.

13.7 Retrieving Event Codes


To retrieve event codes, execute the Enterprise SSO Errors program (ESSOERRORS.exe) to list the audit events encountered (for more information, see Appendix B, "Listing Audit Events and Error Codes").


14. Customizing Configuration Files

Subject
Enterprise SSO Console uses configuration files that can be customized if the default configuration parameters do not meet your requirements. You can customize the list of supported authentication tokens and the User information retrieved from the LDAP directory.

Before Starting
To perform the tasks described in this section, you must be a super-administrator.

14.1 Importing a List of Supported Authentication Tokens

Procedure
1. In the File menu, select Configuration.
   The configuration window appears.
2. Click the Authentication tab.
   The tab appears.
3. Click the Select button, and in the displayed window, browse to the new XML configuration file.
4. Click OK.
5. Restart the Enterprise SSO controllers and workstations so that the new XML file is taken into account.

14.2 Adding User Attribute Information

Subject
As described in Section 6.2.1, Displaying User General Information ("Information" Tab), you can display Extended User information using the Other button of the User Information tab. This section describes how to configure the information displayed by this button.

Procedure
1. In the File menu, select Configuration.
   The configuration window appears.
2. Click the Other User Attributes tab.
   The tab appears.
3. Fill in this window as follows:
   - In the Attribute description field, type a name for the User attribute that you want to add.
   - In the Attribute type drop-down list, select either Integer or String depending on the type of the attribute.
   - In the LDAP field, type the name of the corresponding LDAP attribute.
   - Click Add. The new attribute appears in the Attributes list.
   At any time, you can click the Delete button to delete an entry of the attributes list.
4. Click OK.

15. Creating Scripts

Enterprise SSO Console allows you to write scripts. This may help you to batch process accesses to applications and to automate account creation.

15.1 Using the Script Editor

Procedure
1. In the File menu, click Scripting.
   The script editor interface appears.
2. If you are working with several domains, select in the Domain drop-down list the domain where the script will be applied.
3. Type the script (for details, see Section 15.2, Script Commands), or import a script file (for details, see Section 15.3, Importing Script Files).
4. Click Apply to run the script.

15.2 Script Commands


15.2.1 CREATE_ROLE

Definition
This command creates a role.

Syntax
CREATE_ROLE(Role), where Role is the name of the role.
If the Role name already exists, a warning message appears upon the execution of the script.

Example
CREATE_ROLE(Vendor)

15.2.2 CREATE_ACCESS

Definition
This command creates an access, which allows a user to access an application.

Syntax
CREATE_ACCESS(appName,userName,userType,accountType,appProfile_Name,roleName,dynamicAccount)

Where:

appName: Application name as it is declared in E-SSO Console.

userName: User name as it appears in E-SSO Console. The term User refers to the user himself, a group of users or an Organization Unit.

userType: User type. This argument takes one of the following values (in uppercase letters):
- ALL: all the users of the directory. In this case, the argument userName is not taken into account.
- USER: userName refers to a single user.
- GROUP: userName refers to a group of users.
- UO: userName refers to an Organization Unit.

accountType: Account type. This argument takes one of the following values (in uppercase letters):
- UNDEFINED: enter this value if the account is defined in the account base of the application.
- STANDARD: standard account.
- SHARED: account shared with several users who belong to the same group of users.
- PRIMARY_SHORT: primary account using a short naming format (example: jSmith).
- PRIMARY_NT: primary account using an NT naming format (example: DOMAIN\Smith).
- PRIMARY_ADSI: primary account using an ADSI naming format (example: John.Smith@acme.fr).

appProfile_Name: Name of the Application Profile associated with the application. Enter DEFAULT (in uppercase letters) to use the default Application Profile of the application.

roleName: If the user may use several accounts to log on to the application, enter the name of the Role associated with the wanted account. If the user has only one account, enter NOROLE.

dynamicAccount: Enter TRUE to authorize the user to create as many accounts as he/she wants for the application. Otherwise, enter FALSE.

Examples
In a simple configuration, you may type the following command to allow the user jSmith to access the acmeApp application:
CREATE_ACCESS(acmeApp,jSmith,USER,STANDARD,DEFAULT,NOROLE,FALSE)

If you want to allow jSmith to access acmeApp with the Vendor role, type:
CREATE_ACCESS(acmeApp,jSmith,USER,STANDARD,DEFAULT,Vendor,FALSE)

The following command allows the group of users tinyGroup, which uses a shared account, to access acmeApp:
CREATE_ACCESS(acmeApp,tinyGroup,USER,SHARED,DEFAULT,NOROLE,FALSE)

15.2.3 CREATE_ACCOUNT

Definition
This command allows you to create an account, which enables a user to log on to an application.

Syntax
CREATE_ACCOUNT(accountType,userName,appName,roleName,accountOwner,loginName,Password)

Where:

accountType: Account type. This argument takes one of the following values (in uppercase letters):
- STANDARD: standard account.
- SHARED: account shared with several users who belong to the same group of users.

userName: The object that userName refers to depends on the accountType value:
- If accountType = STANDARD, enter the name of a user as it appears in E-SSO Console.
- If accountType = SHARED, enter the name of a group of users.

appName: Application name as it is declared in E-SSO Console.

roleName: If the user may use several accounts to log on to the application, enter the name of the Role associated with the wanted account. If the user has only one account, enter NOROLE.

accountOwner: If accountType = SHARED, enter the name of the account owner. If accountType = STANDARD, enter NOVALUE.

loginName: Login name value.

Password: Password value.

Examples
To create a standard account for jSmith and the acmeApp application, use the following command:
CREATE_ACCOUNT(STANDARD,jSmith,acmeApp,NOROLE,NOVALUE,LoginName,Password)

To create a shared account for the group of users tinyGroup (which is owned by user admin) and the acmeApp application, enter the following:
CREATE_ACCOUNT(SHARED,tinyGroup,acmeApp,NOROLE,admin,LoginName,Password)
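When accesses and accounts are created in batch, a malformed argument (a wrong userType, an accountOwner that contradicts the accountType, a value containing a comma) is easier to catch before the script is applied than after it has touched the directory. The following Python module is an added example, not part of the product: it builds CREATE_ROLE, CREATE_ACCESS and CREATE_ACCOUNT commands from the argument tables in Sections 15.2.1 to 15.2.3 and rejects values the tables do not allow; that the script syntax has no quoting mechanism for commas and parentheses is an assumption.

```python
"""Builds and validates Enterprise SSO Console script commands (CREATE_ROLE,
CREATE_ACCESS, CREATE_ACCOUNT) from the argument tables in Section 15.2.
Added example, not product code; a rejected command never reaches the console."""
import re
from typing import Iterable

USER_TYPES = {"ALL", "USER", "GROUP", "UO"}
ACCESS_ACCOUNT_TYPES = {"UNDEFINED", "STANDARD", "SHARED",
                        "PRIMARY_SHORT", "PRIMARY_NT", "PRIMARY_ADSI"}
ACCOUNT_ACCOUNT_TYPES = {"STANDARD", "SHARED"}
# Arguments are unquoted and comma separated in the documented syntax, so a
# value holding a comma, parenthesis or line break would alter the command
# (assumption: the script language has no quoting mechanism).
_SAFE_ARG = re.compile(r"^[^,()\r\n]+$")


class ScriptError(ValueError):
    """A command would violate the documented argument rules."""


def _arg(name: str, value: str) -> str:
    if not _SAFE_ARG.match(value):
        raise ScriptError(f"{name}: {value!r} is empty or contains , ( ) or a newline")
    return value


def create_role(role: str) -> str:
    """15.2.1: CREATE_ROLE(Role)."""
    return f"CREATE_ROLE({_arg('Role', role)})"


def create_access(app: str, user: str, user_type: str, account_type: str,
                  app_profile: str = "DEFAULT", role: str = "NOROLE",
                  dynamic_account: bool = False) -> str:
    """15.2.2: CREATE_ACCESS(appName,userName,userType,accountType,
    appProfile_Name,roleName,dynamicAccount)."""
    if user_type not in USER_TYPES:
        raise ScriptError(f"userType must be one of {sorted(USER_TYPES)}")
    if account_type not in ACCESS_ACCOUNT_TYPES:
        raise ScriptError(f"accountType must be one of {sorted(ACCESS_ACCOUNT_TYPES)}")
    args = [_arg("appName", app), _arg("userName", user), user_type, account_type,
            _arg("appProfile_Name", app_profile), _arg("roleName", role),
            "TRUE" if dynamic_account else "FALSE"]
    return f"CREATE_ACCESS({','.join(args)})"


def create_account(account_type: str, user: str, app: str, login: str,
                   password: str, role: str = "NOROLE", owner: str = "NOVALUE") -> str:
    """15.2.3: CREATE_ACCOUNT(accountType,userName,appName,roleName,
    accountOwner,loginName,Password)."""
    if account_type not in ACCOUNT_ACCOUNT_TYPES:
        raise ScriptError(f"accountType must be one of {sorted(ACCOUNT_ACCOUNT_TYPES)}")
    # accountOwner is NOVALUE for STANDARD and the owning user for SHARED.
    if (account_type == "STANDARD") != (owner == "NOVALUE"):
        raise ScriptError(f"accountOwner {owner!r} does not fit a {account_type} account")
    args = [account_type, _arg("userName", user), _arg("appName", app),
            _arg("roleName", role), _arg("accountOwner", owner),
            _arg("loginName", login), _arg("Password", password)]
    return f"CREATE_ACCOUNT({','.join(args)})"


def build_script(commands: Iterable[str]) -> str:
    """One command per line; duplicates are dropped so a re-run repeats nothing."""
    return "".join(f"{c}\n" for c in dict.fromkeys(commands))
```

The text returned by build_script is what you save as the wgs file that the Import button of Section 15.3 expects.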


15.3 Importing Script Files

Before Starting
A text file containing the script commands must be created and saved as a wgs file.

Procedure
1. In the script editor window, click Import.
2. Select in the displayed window the wanted wgs file and click Open.
   The content of the file appears in the script editor window, as in the following example:


A. Regular Expressions: Basic Syntax

Subject
This section lists special characters you can use to create regular expressions to configure the Emergency Access feature. For details on how to enable and configure Emergency Access, see Section 5.3.2.4, Emergency Access Parameters Configuration ("Emergency Access" Tab).

Basic Syntax

CHARACTER: DESCRIPTION

. : Matches any single character.

[] : Indicates a character class. Matches any character inside the brackets (for example, [abc] matches "a", "b" or "c").

^ : If this metacharacter occurs at the start of a character class, it negates the character class. A negated character class matches any character except those inside the brackets (for example, [^abc] matches all characters except "a", "b", and "c"). If ^ is at the beginning of the regular expression, it matches the beginning of the input (for example, ^[abc] will only match input that begins with "a", "b", or "c").

- : In a character class, indicates a range of characters (for example, [0-9] matches any of the digits "0" through "9").

? : Indicates that the preceding expression is optional: it matches once or not at all (for example, [0-9][0-9]? matches "2" and "12").

+ : Indicates that the preceding expression matches one or more times (for example, [0-9]+ matches "1", "13", "666", and so on).

* : Indicates that the preceding expression matches zero or more times.

??, +?, *? : Non-greedy versions of ?, +, and *. These match as little as possible, unlike the greedy versions which match as much as possible. Example: given the input "<abc><def>", <.*?> matches "<abc>" while <.*> matches "<abc><def>".

() : Grouping operator. Example: (\d+,)*\d+ matches a list of numbers separated by commas (such as "1" or "1,23,456").

{} : Indicates a match group (for example, abc{2.} matches "ab" followed by two or more "c").

\ : Escape character: interpret the next character literally (for example, [0-9]+ matches one or more digits, but [0-9]\+ matches a digit followed by a plus character). Also used for abbreviations (such as \a for any alphanumeric character). If \ is followed by a number n, it matches the nth match group (starting from 0). Example: <{.*?}>.*?</\0> matches "<head>Contents</head>". Note that in C++ string literals, two backslashes must be used: "\\+", "\\a", "<{.*?}>.*?</\\0>".

$ : At the end of a regular expression, this character matches the end of the input. Example: [0-9]$ matches a digit at the end of the input.

| : Alternation operator: separates two expressions, exactly one of which matches (for example, T|the matches "The" or "the").

! : Negation operator: the expression following ! does not match the input. Example: a!b matches "a" not followed by "b".


B. Listing Audit Events and Error Codes

Subject
Quest Enterprise SSO provides the Errors and Events tool to list the audit events and the error codes encountered. Using the Enterprise SSO Errors program, you can:
- Get the list of all supported audit events.
- Get the description associated with a given code.
- Get the list of all supported error messages.

The list of audit events and error messages can be exported to a CSV or XML file. You can export the entire list or some selected lines of the list.

B.1 Listing Audit Events

Procedure
1. To open the Errors and Events tool, click Start | Programs | Quest Software | Enterprise SSO | Errors and Events.
   On user workstations, this program is usually available from the following path: %CommonProgramFiles%\Evidian\WGSS\EssoErrors.exe
2. Click Audit Events.
   The audit event list appears.

Window Description
The Audit Events window displays the following information:

INTERFACE ELEMENT: DESCRIPTION

Cat.: Category code.

Category: Category of the event, which can be:
- Admin: administration event.
- SSO: event related to User accounts.
- Authentication: event related to User authentication on Access Points and Applications.
- System: action performed automatically by the system.
- File Encryption: action performed by the File Encryption software module.

Event: Event code.

Description: Event description.

CSV: Format of the file in which audit events will be exported (Comma Separated Values).

Separator: Field separator for the CSV file. Default: #

XML: Format of the file in which audit events will be exported.

Syntax: Syntax of the generated XML file. You cannot modify the XML syntax.

File path: Output file path name. The button allows you to select, in a directory, an existing file or the default file (ESSO-AuditEvents-en.csv or ESSO-AuditEvents-en.xml).

Export button: To export the whole list or only selected lines of the list to the chosen formatted file.

B.2 Listing Error Codes

Procedure
1. To open the Errors and Events tool, click Start | Programs | Quest Software | Enterprise SSO | Errors and Events.
   On user workstations, this program is usually available from the following path: %CommonProgramFiles%\Evidian\WGSS\EssoErrors.exe
2. Click Error Codes.
   The error code list appears.

Window Description
The Error Codes window displays the following information:

INTERFACE ELEMENT: DESCRIPTION

Error: Error code.

Description: Error description.

CSV: Format of the file in which error codes will be exported (Comma Separated Values).

Separator: Field separator for the CSV file. Default: #

XML: Format of the file in which error codes will be exported.

Syntax: Syntax of the generated XML file. You cannot modify the XML syntax.

File path: Output file path name. The button allows you to select, in a directory, an existing file or the default file (ESSO-Errors-en.csv or ESSO-Errors-en.xml).

Export button: To export the whole list or only selected lines of the list to the chosen formatted file.

E-SSO Error Code: Specific error code you want to find.

Display as a Windows error: To retrieve the error message from the Windows operating system.


C. List of Administration Rights


The following table lists all the predefined administration profiles (in classic administration mode) and their corresponding administration rights in advanced administration mode.

Classic administration mode: profile names (table columns)
- Access Administrator
- Rights Administrator
- Smart Card Administrator
- Authorize Propagation of Administration Rights
- SSO Data Recoverer
- Security Object Administrator
- File Encryption Administrator
- Auditor

Advanced administration mode: right names (table rows)
- Access point security profile: Assignment
- Access Point security profile: Audit filter assignment
- Access point security profile: Creation/Modification
- Access point security profile: Deletion
- Account: Creation/Modification
- Account: Deletion
- Account: Manage parameters
- Administration profile: Audit filter assignment
- Administration profile: Creation/Modification
- Administration profile: Deletion
- Application profile: Creation/Modification
- Application profile: Deletion
- Application: Audit filter assignment
- Application: Creation/Modification
- Application: Deletion
- Application: Manage all applications
- Audit database: Management
- Audit filter: Creation/Modification
- Audit filter: Deletion
- Audit: Visualization
- Authorization for application on access point: Creation/Modification
- Authorization for application on access point: Deletion
- Authorization for user on access point: Creation/Modification
- Authorization for user on access point: Deletion
- Authorization to use application: Creation/Modification
- Authorization to use application: Deletion
- Batch of cards: Creation/Modification
- Batch of cards: Deletion
- Bio: Is enable to allow biometrics pattern enrolment
- Cluster: Creation/Modification
- Cluster: Deletion
- Directory: Browsing
- Emergency access: Answer deletion
- Emergency access: Challenge generation
- Emergency access: Reset attempt counter
- File Encryption Key: Generation
- Parameter: Creation/Modification
- Parameter: Deletion
- Password format control policy: Creation/Modification
- Password format control policy: Deletion
- Password generation policy: Creation/Modification
- Password generation policy: Deletion
- PKA authority: Creation/Modification
- PKA authority: Deletion
- Representative: Creation/Modification
- Representative: Deletion
- Roaming: Delete users sessions
- Schedule: Creation/Modification
- Schedule: Deletion
- Technical reference: Creation/Modification
- Technical reference: Deletion
- Temporary password access: Change duration
- Temporary password access: Creation
- Temporary password access: Deletion
- Token configuration: Creation/Modification
- Token configuration: Deletion
- Token: Assignment
- Token: Blacklist
- Token: Force PIN
- Token: Formatting
- Token: Lending
- Token: Modification
- User administration profile: Delegation
- User administration profile: administration rights manager
- User role: Creation/Modification
- User role: Deletion
- User security profile: Assignment
- User security profile: Audit filter assignment
- User security profile: Creation/Modification
- User security profile: Deletion
- User: Modification
- User: Password modification


About Quest Software, Inc.


Now more than ever, organizations need to work smart and improve efficiency. Quest Software creates and supports smart systems management products, helping our customers solve everyday IT challenges faster and easier. Visit www.quest.com for more information.

Contacting Quest Software


Phone: 949.754.8000 (United States and Canada)
Email: info@quest.com
Mail: Quest Software, Inc., World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656, USA
Web site: www.quest.com

Please refer to our Web site for regional and international office information.

Contacting Quest Support


Quest Support is available to customers who have a trial version of a Quest product or who have purchased a Quest product and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to SupportLink, our self-service portal. Visit SupportLink at http://support.quest.com/

From SupportLink, you can do the following:
- Retrieve thousands of solutions from our online Knowledgebase
- Download the latest releases and service packs
- Create, update and review Support cases

View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at: http://support.quest.com.
