3.5 Defining PFCP and Application Profiles

3.5.2 Defining the Application Profiles

Subject

Application profiles are security objects that define a set of rights and properties that are applied generically for one or more applications.

This section explains how to configure the application profiles for the applications for which you want to activate the SSO.

A default Application profile configuration exists in Enterprise SSO Studio: you can modify it or create a new one.

Restriction

The Application profile configuration is only available if you use Enterprise SSO Studio without Controller or Personal SSO Studio. With Controller, the Application profile configuration must be done with the administration console (see Quest ESSO Console Administrator Guide).

Procedure

1. In the Enterprise SSO Studio main window, do one of the following, depending on the action you want to perform:

• To create a new Application profile, right-click the Configuration objects node and click New Application Profile.

• To modify an existing Application profile, right-click the Application profile you want to modify and click Properties.

The application profile properties window appears.

2. Fill in the window as described in the following sections:

• For the Access Strategy tab, see 3.5.2.2 Access Strategy Tab of an Application Profile.

• For the Delegation tab (only if you use Enterprise SSO Studio without Controller and in LDAP storage mode), see 3.5.2.3 Delegation Tab of an Application Profile.

3. Click OK to save the configuration and close the window.

3.5.2.1 Properties Tab of an Application Profile

The Properties tab allows you to configure the following parameters:

• Application Profile name.

• Password Policy associated with the Application Profile. For details on how to create a Password Policy, see Defining Password Format Control Policies (PFCP).

• SSOWatch Desktop options:

a) Display the applications associated with this profile in the user's SSOWatch Account panel.

b) Automatically launch the applications associated with this profile when SSOWatch starts.

c) Test the applications associated with this profile to check if the SSO configuration works. For details on how to use the test mode, see Section 2.9, "Testing the SSO Configuration of an Application".

This option is available with Personal SSO Studio. It is also available with Enterprise SSO Studio in the Application Profile in Quest ESSO Console.

3.5.2.2 Access Strategy Tab of an Application Profile

The Access Strategy tab allows you to configure the following parameters:

Credential storage

Storage location of the SSO accounts used by the applications associated with the Application Profile.

If you select Store on token, ensure that the proper authentication method is supported. For more information, contact your security administrator.

Single Sign-On Policy

a) Users must re-authenticate

Before each SSO, the user must confirm the primary password, PIN or biometric identity.

b) Users can modify account

This option is selected by default.

If unchecked, the user is not allowed to change the password through the user account management screen.

c) Users can display password

The user may ask for the password to be displayed. If this is the case, the user is asked to re-authenticate.

d) Users can cancel Single Sign-On

If this option is cleared, the user cannot cancel the SSO execution when he/she starts an application associated with the Application Profile:

• If the user starts an application for the first time, he/she must complete the authentication data collection dialog box.

• If the user has several accounts for an application, he/she must select an account in the account selection dialog box (the Cancel button is

If a problem occurs (for example, if the authentication data cannot be saved due to network issues), the Cancel button is available again to allow the user to log on manually or to quit the application.

Select this option to allow users to temporarily cancel the SSO execution for applications associated with the Application Profile, then select in the drop-down list the scope of this option:

• For the current session only: if the user cancels the SSO execution, he/she can then start as many application instances as required; the SSO execution remains disabled. The SSO is enabled again when the user quits all the application instances and restarts the application (or resets the SSO configuration or restarts SSOWatch).

• For the application (until reset): the user can disable the SSO execution either for the current SSO session (see above) or until further notice. In the latter case, to enable the SSO execution again for the suspended applications, the user must use the appropriate contextual command from the SSOWatch Account panel (or reset the SSO configuration, or restart SSOWatch).

• For the current window only: if the user cancels the SSO execution for an application, the SSO is disabled for this application instance only.

For more details on the commands and controls that are modified by this option, see the following sections:

Section 2.6.1, "Providing SSO Data When Launching an SSO Enabled Application for the First Time".

Section 2.6.6, "Creating a New Account for an Application".

Section 2.7, "Disabling/Enabling SSO for Applications".

Account Security Options

This area only appears if you use Enterprise SSO Studio without Controller and in LDAP storage mode. It allows you to select the way the secondary accounts used by the applications associated with the Application Profile are ciphered. In the drop-down list, select one of the following entries:

a) User: only the user can decipher his/her secondary accounts. This is the most secure option.

If the user forgets his/her primary password or loses his/her smart card, it is impossible to recover his/her secondary accounts.

b) User, administrators: the user and you can decipher his/her secondary accounts. Thus, if you force a new primary password or assign a new smart card using Quest ESSO Console, the user's secondary accounts are also recovered.

c) User, administrators and an external key: select this entry to allow an external application to decipher the user's secondary accounts using a public key. For example, you must select this entry if you want to use Quest ESSO with Web Access Manager (WAM). By selecting this entry, you allow WAM to decipher the Quest ESSO secondary accounts of the user so that WAM can perform SSO with these accounts.
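The recovery trade-off between the three entries above can be modelled as a data key wrapped once per party allowed to decipher it. The following is an added, constructed example, not Quest ESSO's actual cryptography: the XOR keystream wrap stands in for a real authenticated cipher and public-key wrap, and the mode names, key sizes and function names are assumptions.

```python
import os
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed model of the "Account Security Options" entries; not the product's scheme.
MODES = ("user", "user_admins", "user_admins_external")   # entries a), b), c)


def _toy_wrap(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter keystream (symmetric, so it also unwraps)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def derive_user_key(primary_password: str, salt: bytes) -> bytes:
    """The user's wrapping key exists only while the primary password is known."""
    return hashlib.pbkdf2_hmac("sha256", primary_password.encode(), salt, 50_000)


@dataclass
class Vault:
    salt: bytes
    ciphertext: bytes
    tag: bytes                                  # HMAC under the data key: detects a wrong key
    wrapped: dict = field(default_factory=dict)  # one wrapped copy of the data key per party


def cipher_secondary_account(secret: bytes, primary_password: str, mode: str,
                             admin_key: bytes = b"", external_key: bytes = b"") -> Vault:
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    salt, data_key = os.urandom(16), os.urandom(32)
    ct = _toy_wrap(data_key, secret)
    v = Vault(salt, ct, hmac.new(data_key, ct, "sha256").digest())
    v.wrapped["user"] = _toy_wrap(derive_user_key(primary_password, salt), data_key)
    if mode in ("user_admins", "user_admins_external"):    # entries b) and c)
        v.wrapped["admin"] = _toy_wrap(admin_key, data_key)
    if mode == "user_admins_external":                      # entry c) only
        v.wrapped["external"] = _toy_wrap(external_key, data_key)
    return v


def decipher_as(v: Vault, party: str, primary_password: str = "", key: bytes = b""):
    """Return the secondary account for `party`, or None if that party cannot decipher it."""
    if party not in v.wrapped:
        return None                             # not granted by the selected entry
    if party == "user":
        key = derive_user_key(primary_password, v.salt)
    data_key = _toy_wrap(key, v.wrapped[party])
    if not hmac.compare_digest(hmac.new(data_key, v.ciphertext, "sha256").digest(), v.tag):
        return None                             # wrong primary password or wrong key
    return _toy_wrap(data_key, v.ciphertext)
```

With entry a) a forgotten primary password leaves no party able to unwrap the data key, which is exactly why the page calls it the most secure and the least recoverable option.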

3.5.2.3 Delegation Tab of an Application Profile

The Delegation tab is only available if you use Enterprise SSO Studio without Controller and in LDAP storage mode.

The Delegation tab allows you to define the methods for delegating accounts to users:

• Authorize delegation to everybody.

• Authorize delegation to a member of the same user group.

• Authorize delegation to a member of the same organizational entity.

• Advanced mode: person/group/organizational entity.

• Authorize the delegated user to change passwords: the delegated user is authorized to modify the password for the delegated account.

You can ask the person delegating the account(s) to reauthenticate on the workstation where the Studio is installed by setting the following registry key:

SOFTWARE\Enatel\SSOWatch\CommonConfig\ReauthOnDelegate (DWORD) = 1
