
Filling-in the Application Properties Window

3.6 Defining Application and Technical Definition Objects

3.6.2 Filling-in the Application Properties Window

The Properties tab described in this section only appears if you use Enterprise SSO Studio without Controller, or Personal SSO Studio.

The Properties tab of an Application Object allows you to define the basic parameters of an Application.

Application Name

This field will be shown in the objects tree of Enterprise SSO Studio and in the data collection and account management dialog boxes of SSOWatch.

Session management (advanced)

Indicates whether all the application’s windows depend on the same application instance.

OLE/Automation

Grants OLE/Automation access to this application (and all the associated security objects). For further security, you can enter a password that OLE clients will be prompted for. For more information, see Section 10, "OLE/Automation Interface".

Options

a) Enable this application (this option is selected by default)

If this option is cleared, SSOWatch will ignore this application. This is used to temporarily disable an application without deleting it from the configuration file.

b) Try previous password when "bad password" windows detected

If this option is selected, the fields are filled with the last valid password at "bad password" detection (this can be useful if the password change is not immediately taken into account by the application).

c) User must provide credentials

This check box only appears in Access Collector mode.

If this check box is cleared, the user will be able to cancel the collect (or the bad password) window that appears when he/she launches an application.

3.6.2.2 "Properties" Tab of a Technical Definition Object

The Properties tab described in this section only appears if you use Enterprise SSO Studio with Controller.

The Properties tab of a Technical Definition object allows you to define the basic parameters of a Technical definition.

Identification

The Technical reference name. This field will be shown in the objects tree of Enterprise SSO Studio.

Session management

Indicates whether all the application’s windows depend on the same application instance.

Try previous password when "bad password" windows detected

If this option is selected, the fields are filled with the last valid password at "bad password" detection (this can be useful if the password change is not immediately taken into account by the application).

3.6.2.3 "Account Base" tab of an Application Object

The Account Base tab only appears if you use Enterprise SSO Studio without Controller or Personal SSO Studio.

The Account Base tab allows you to define the Account Base associated with an application. An Account is a username/password pair that allows connection to an application. There is also an account parameter that can store complementary authentication data; for instance, a Windows Domain name is a complementary parameter of a Windows account.

The account name is internal to SSOWatch: it is used to store and retrieve security data and to give a user-friendly name to this data. A user-friendly name is particularly useful when using multiple accounts: you can give names like "Notes Admin" or "Notes User" if a Notes user is also the administrator.

Accounts are global: they are shared by applications and by SSOWatch configurations, because they refer to objects stored in the security system storage and which are bound to the user.

• In most cases, one single account is associated with an application. It is called a Standard account.

• In some cases, it is possible to use the Windows username and password to perform SSO to an application. An example is the Windows Terminal Server login. To use this security credential in SSO, you must associate the Primary Authentication Identifier with the application (check the corresponding option). The Windows username can be used in different formats:

  • Short name: username only.

  • Windows 2000 (and later): Username including the Windows domain, for instance: [email protected].

  • NT 4: Username preceded by NETBIOS domain, for instance: QUEST\jsmith.

• Share Account Base with Another Application: in the application that you consider the account reference, indicate the applications authorized to use this reference base.

• You can also share an account base between two Applications using command line arguments. This feature lets you create batch files to automate this task.

• You can combine this feature with the possibility of importing objects using command lines, which is described in 3.9.2 Importing Objects using Command Line Arguments (without Controller).

Before Starting

• The Applications must be created.

• Close the Enterprise SSO Studio graphical interface.

Procedure

• To share an Account base, at the Windows prompt, type the following command:

<SSOWatch installation folder> [/login <name>] [/password <password>] /share <MasterApplication> <SlaveApplication>

Arguments in square brackets [ ] are optional.

Where:

| Argument name | Value |
| --- | --- |
| <SSOWatch installation folder> | "C:\Program Files\Quest Software\QESSO Client\SSOBuilder.exe" by default. |
| /login <name> and /password <password> | Login name and password of the Quest ESSO administrator. Note: Use the format DOMAIN\login. If the login name and password of the administrator are not specified, the Enterprise SSO Studio authentication window will appear. The administrator account used to run the import must have |
| /share <MasterApplication> <SlaveApplication> | <MasterApplication>: name of the Application owning the Account base to share. <SlaveApplication>: name of the Application that will use the Account base. Note: This parameter works only with Application objects. |

Example

The following command allows you to share the Account Base AB1 owned by APP1 with APP2:

"C:\Program Files\Quest Software\QESSO Client\SSOBuilder.exe" /login DOMAIN\WGAdmin /password AdminPWD /share APP1 APP2

External Names: this button only appears if you use Enterprise SSO Studio without Controller and LDAP storage mode. It allows you to define a mapping between the Quest ESSO application that you are configuring and the name of an external application that must be identified by Quest ESSO. This option is particularly useful to integrate Web Access Manager with Quest ESSO. For example, if you are defining an application called MyHTMLApplication that already uses Web Access Manager Account Bases, click this button and in the displayed window, enter the names of the Web Access Manager Account Bases defined for this application. This way, Quest ESSO will be able to use these Web Access Manager Account Bases to perform SSO with this application.

Each external application name must be unique in the directory.
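The batch automation mentioned for the /share argument, as an added PowerShell example (not taken from the Quest ESSO documentation): it shares the Account Base of APP1 with several Applications and leaves out /login and /password, so no administrator password sits in the script or on the process command line. The names APP3 and APP4, and the assumption that the Studio graphical interface runs as a process named SSOBuilder, are illustrative.

```powershell
# Added example: share one Account Base with several Applications in a loop.
# Default path from the argument table; adjust if SSOWatch is installed elsewhere.
$Builder = 'C:\Program Files\Quest Software\QESSO Client\SSOBuilder.exe'
$Master  = 'APP1'
$Slaves  = @('APP2', 'APP3', 'APP4')   # APP3 and APP4 are constructed sample names

if (-not (Test-Path -LiteralPath $Builder -PathType Leaf)) {
    throw "SSOBuilder.exe not found at '$Builder'"
}

# "Before Starting": the Enterprise SSO Studio graphical interface must be closed.
# Assumption: the GUI runs under the same executable name as the command line tool.
if (Get-Process -Name 'SSOBuilder' -ErrorAction SilentlyContinue) {
    throw 'Close Enterprise SSO Studio before sharing an Account Base.'
}

$results = foreach ($slave in $Slaves) {
    # /login and /password are optional. Without them the Enterprise SSO Studio
    # authentication window appears, and the password never shows up in this
    # file, in shell history, or in process-creation audit records.
    # Names are quoted so that application names containing spaces stay one argument.
    $argList = @('/share', ('"{0}"' -f $Master), ('"{0}"' -f $slave))

    $proc = Start-Process -FilePath $Builder -ArgumentList $argList -Wait -PassThru

    [pscustomobject]@{
        Master   = $Master
        Slave    = $slave
        ExitCode = $proc.ExitCode   # recorded only; its meaning is not documented on this page
    }
}

$results | Format-Table -AutoSize
```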

3.6.2.4 "Launcher" Tab

The Launcher tab is used to define how SSOWatch may start an application.

This window allows you to define the following parameters:

Change Icon button

The icon associated with the application, which will be displayed in SSOWatch.

Application description for user

The application description, which will be displayed in SSOWatch.

Target

The command line or URL (for web applications), which opens the application.

Start in folder

The directory where the command line should start.

Command line parameters

The SSO parameters to be sent to the command line, if necessary. The Insert button inserts the item selected in the list (identifier/password) into the command line.

Authentication methods required if automatic start is used check box and drop down list

Since SSOWatch can launch applications during session opening, this option enables you to control which applications are launched depending on the authentication method used to log on.

Select the check box and in the drop down list, select the authentication methods required to launch the applications.

3.6.2.5 "Parameters" Tab

Parameters Tab of an Application Object (without Controller)

Subject

The Parameters tab allows you to add a list of additional authentication parameters (such as Windows Domains or Languages). These parameters enable you to define more fields than just the user name/password pair of the target application authentication window.

Window Description

a) To add an existing parameter, select it and click OK.

The parameter Windows Domain must be used only with Applications that may use Advanced Login.

b) To create a new parameter, type its name in the Name field and click Add.

c) To delete or rename an existing parameter, select it and click Delete or Rename.

• To define an External Name for a parameter, select the desired parameter and click External Name. For more information, see "Managing External Names" below.

Delete button: select a parameter and click Delete.

Properties button:

Select a parameter then click this button to define the properties of the selected parameter.

a) Description: mandatory description of the parameter for a better understanding.

b) Parameter type:

Default: the value of the parameter is collected for each SSO account and can be modified by the user.

Global: the value of the parameter is the same for all SSO accounts and is not proposed to the user.

c) Value: this is the default value assigned to the parameter. If nothing is entered here, it will be requested at first authentication (data collection) as a function of the parameter type defined previously.

If you have selected Rule in the Parameter type area, get the exact LDAP attribute name (using an LDAP browser) and type it, between parentheses, in the Value field. For example, type (mail) to indicate that the parameter value is the user's mail address.

If you want to add several LDAP attributes, type them one after another, without a comma. Example: (mail)(dn).

You can be more specific about the parameter value by using the following rules:

• To keep only the first n characters of the LDAP value, use the syntax (attLDAP,n).

Three functions are used to handle LDAP values: UPPER, LOWER and CAPITALIZED. Example: UPPER(mail,10) will return the first 10 characters of the user's mail address in upper case.
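To preview what a Rule value produces before typing it into the Value field, the syntax described above can be evaluated against a sample directory entry. This is an added PowerShell example, not Quest ESSO code; the function name Resolve-EssoRule, the sample entry, and the reading of CAPITALIZED as "first letter upper case, the rest lower case" are assumptions.

```powershell
# Added example: evaluate the documented Rule syntax against a sample entry.
# Supported forms: (attr)  (attr,n)  UPPER(attr,n)  LOWER(...)  CAPITALIZED(...)
# and several of them written one after another, e.g. (mail)(dn).
function Resolve-EssoRule {
    param(
        [Parameter(Mandatory)][string]$Rule,
        [Parameter(Mandatory)][hashtable]$Entry
    )
    # \G anchors each match at the current position, so stray text is rejected.
    $re  = [regex]::new('\G(?<fn>UPPER|LOWER|CAPITALIZED)?\((?<attr>[^(),]+)(?:,(?<n>\d+))?\)')
    $pos = 0
    $sb  = [System.Text.StringBuilder]::new()

    while ($pos -lt $Rule.Length) {
        $m = $re.Match($Rule, $pos)
        if (-not $m.Success) { throw "Invalid rule syntax at position $pos in '$Rule'" }

        $attr = $m.Groups['attr'].Value.Trim()
        if (-not $Entry.ContainsKey($attr)) { throw "Attribute '$attr' is not in the entry" }
        $value = [string]$Entry[$attr]

        # (attLDAP,n): keep only the first n characters; shorter values are kept whole.
        if ($m.Groups['n'].Success) {
            $n     = [int]$m.Groups['n'].Value
            $value = $value.Substring(0, [Math]::Min($n, $value.Length))
        }

        switch ($m.Groups['fn'].Value) {
            'UPPER' { $value = $value.ToUpperInvariant() }
            'LOWER' { $value = $value.ToLowerInvariant() }
            'CAPITALIZED' {   # assumed meaning, the page does not define it
                if ($value.Length -gt 0) {
                    $value = $value.Substring(0, 1).ToUpperInvariant() +
                             $value.Substring(1).ToLowerInvariant()
                }
            }
        }
        [void]$sb.Append($value)
        $pos += $m.Length
    }
    $sb.ToString()
}

# Constructed sample entry; attribute names as an LDAP browser would show them.
$entry = @{ mail = 'jsmith@example.com'; dn = 'cn=jsmith,ou=people,dc=example,dc=com' }
foreach ($rule in '(mail)', '(mail)(dn)', '(mail,6)', 'UPPER(mail,10)') {
    '{0,-16} => {1}' -f $rule, (Resolve-EssoRule -Rule $rule -Entry $entry)
}
```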

Managing External Names

This window appears when you click the External Name button. It allows you to define a mapping between the parameter that you are configuring within Quest ESSO and the name of an external parameter (created using another SSO tool) that must be identified by Quest ESSO.

This option is particularly useful to integrate User Provisioning or Web Access Manager with Quest ESSO.

"Parameters" Tab of a Technical Definition Object (With Controller)

The Parameters tab allows you to add a list of additional authentication parameters (such as Windows Domains or Languages). These parameters enable you to define more fields than just the name/password pair of the target application authentication window.

• The list of authentication parameters for the technical reference must be coherent with the parameters defined at the application level.

• The creation of an application is described in Quest ESSO Console Administrator Guide.

Window Description

Add button: click this button to add a parameter:

a) To add an existing parameter, select it and click OK.

The parameter called Windows Domain (which is created upon the installation of Quest ESSO), must be used only without Controller.

• To create a new parameter, type its name in the Name field and click Add.

• To delete or rename an existing parameter, select it and click Delete or Rename.

b) To define an External Name for a parameter, select the desired parameter and click External Name. For more information, see "Managing External Names" below.

3.6.2.6 "Application Profile" Tab

By default, every user is authorized to access the application. The Application Profile tab allows you to define the application profile, with an access right granted to all the users by default.

In LDAP storage mode and Personal mode, only one profile may be assigned per application.

To allow the user to dynamically create new accounts from SSOWatch, select User can create additional accounts.
