In Chapter 10, OneSign in Action, watch as your OneSign Agent proxies your credentials to log you into the application you profiled in Chapter 9.
Use this Getting Started Guide to set up Imprivata OneSign for your network.
After it is set up, use the Administrator’s Guide, the APG Guide, and the Appliance Guide for reference.
Contacting Imprivata
Email: [email protected]
Phone: Support (781) 674-2782 / Sales (877) OneSign (663-7446)
Office address: 10 Maguire Road, Building 2, Lexington, MA 02421-3120
Website: http://www.imprivata.com/support
This product is distributed under licenses restricting its use, copying, distribution and decompilation.
OneSign, Imprivata, and the Imprivata logo are registered trademarks of Imprivata, Inc. and Imprivata APG is a trademark of Imprivata, Inc. in the United States and in other countries.
Adobe and Acrobat are trademarks of Adobe Systems Incorporated.
ACE/Server, RSA, RSA Security, the RSA logo & SecurID are registered trademarks of RSA Security Inc.
Secure Computing and SafeWord are registered trademarks of Secure Computing Corporation.
Citrix and MetaFrame are registered trademarks and NFuse is a trademark of Citrix Systems, Inc. in the United States and other countries.
InstallShield is a trademark of InstallShield Software Corporation.
Java, JavaScript, JavaServer Pages, JSP, and Sun ONE are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.
Microsoft, Windows, Windows NT, Active Directory, Outlook, Hotmail, and/or other Microsoft products referenced herein are either trademarks or registered trademarks of Microsoft in the United States and/or other countries.
Novell and NetWare are registered trademarks of Novell, Inc. in the United States and other countries.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates.
UNIX is a registered trademark in the U.S. and in other countries, exclusively licensed through X/Open Company, Ltd.
XML is a trademark of the World Wide Web Consortium, registered and held by its host institutions (Massachusetts Institute of Technology, Institut National de Recherche en Informatique et en Automatique, and Keio University).
DIGIPASS and VACMAN are registered trademarks of VASCO Data Security International Inc.
Other product names used herein have been used for identification purposes only and may be trademarks or registered trademarks of their respective owners.
Imprivata OneSign includes software copyrighted by MySQL AB. MySQL is a trademark of MySQL AB in the United States and other countries.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
This product includes software developed by the Apache Software Foundation (http://www.apache.org).
STLport sources Copyright 1999,2000 Boris Fomitchev.
The source code, object code, and documentation in the com.oreilly.servlet package is copyright and owned by Jason Hunter.
Portions of this product include notices and other information provided by third-party vendors. The following copyright notices are retained when present, and conditions provided in accompanying permission notices are met:
© 1994 Hewlett-Packard Company. Hewlett-Packard Company makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.
© 1996,97 Silicon Graphics Computer Systems, Inc. Silicon Graphics makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.
© 1997 Moscow Center for SPARC Technology. Moscow Center for SPARC Technology makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.
© 2004 Intrinsyc Software, Inc. and its licensors. All rights reserved.
Under international copyright laws, neither the documentation nor software may be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form, in whole or in part without the prior written consent of Imprivata, Inc., except as described in the license agreement.
The names of companies, products, people, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted.
DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.
© 2005 Imprivata, Inc., 10 Maguire Rd, Lexington, MA, 02421
All rights reserved. Printed in the United States.
Table of Contents
Contacting Imprivata ... ii
Chapter 1 - Overview of Imprivata OneSign ... 1
  What is OneSign? ... 2
  Imprivata OneSign Architecture ... 3
  OneSign Terminology ... 3
Chapter 2 - Logging In to the OneSign Administrator ... 5
  Enrolling the Initial Administrator ... 6
Chapter 3 - Setting OneSign Properties ... 9
  System Settings ... 10
  Server Connections ... 11
  OneSign Extensions ... 12
Chapter 4 - Setting OneSign Policies ... 13
Chapter 5 - Creating User Accounts ... 15
  Notifying Users ... 21
Chapter 6 - Deploying an Application ... 23
Chapter 7 - Generating Reports and Notifications ... 25
  Setting an Event Notification ... 28
Chapter 8 - Installing the Imprivata OneSign Agent ... 31
  Installing the OneSign Agent ... 32
  Authenticating to Imprivata OneSign ... 34
Chapter 9 - Generating an Application Profile ... 37
  Learning Screen Attributes ... 38
  Recognizing the Screen ... 43
  Capturing Credentials ... 45
  Proxying Credentials ... 46
  Deploying the Application ... 47
Chapter 10 - OneSign in Action ... 49
  Where Do I Go From Here? ... 50
Imprivata OneSign Getting Started Guide

Chapter 1 - Overview of Imprivata OneSign
Before you start importing users and deploying application profiles, please read this overview chapter.
It will only take a few minutes to become familiar with OneSign. After reading this chapter, continue to the next nine brief chapters. Each one shows you an important step in administering OneSign for your enterprise. You can read all the text and follow all the procedures in under 90 minutes.
Here’s what you will do:
1. Read this Overview chapter to become familiar with the OneSign secure single sign-on system, its features, and its terminology.
2. Log into OneSign as an administrator.
3. Set the properties for the OneSign appliance.
4. Review the default security policy and its features.
5. Import users and notify yourself as a user.
6. Deploy a sample application profile.
7. Create a simple OneSign report and set a notification.
8. Install the OneSign Agent on your own workstation.
9. Use the Application Profile Generator (APG) to profile a web application.
10. See the OneSign Agent record your credentials for the application, and then test how OneSign handles your authentication to the application.
After you have performed these steps, you can discard this book - everything else you need to know is in the Imprivata OneSign Administrator’s Guide, the Imprivata APG Guide, and the Imprivata Appliance Guide.
What is OneSign?
The Imprivata OneSign enterprise single sign-on system is made up of the OneSign Agent and the OneSign Server.
The OneSign Agent
The OneSign Agent resides on the user’s computer. It is represented in the system tray by an Imprivata icon.
The Agent handles authentication of users locally through passwords, finger biometrics, or ID tokens with or without robust password policies. Once a user authenticates to the OneSign system, the user is automatically signed onto deployed applications as they are launched.
The OneSign Agent handles the local transaction of proxying users’ credentials to applications and domains. The OneSign Agent downloads credential and application information from the OneSign Server at login and queries the server for changes at an interval you set on the OneSign Administrator Properties page.
The OneSign Server
The OneSign Server keeps track of application profiles, users and credentials, password policies, and security policies that you set. It can generate reports as needed and you can program it to notify you in the event of certain conditions. You control OneSign settings through the intuitive OneSign Administrator.
The OneSign Server is actually a pair of rack-mountable redundant network appliances. Each appliance is connected to the network. They are connected to each other by an isolated failover connection. The appliance that handles the daily OneSign traffic is the Primary Appliance. The backup appliance is the Failover Appliance.
The primary and the failover appliances are physically identical, but only one of them handles OneSign traffic at a time. The Primary Appliance keeps the Failover Appliance constantly updated through the secure failover connection. If the Primary Appliance fails, then the Failover Appliance immediately takes over and notifies all administrators by email that the Primary Appliance has failed. Since the Failover Appliance is an exact mirror of the Primary Appliance, users do not notice the change.
Imprivata OneSign Architecture
A fully-deployed OneSign system integrates:
• The OneSign Appliance
• The OneSign Agent
• Your applications and domains
OneSign System Overview
OneSign Terminology
OneSign automatically and securely connects users to applications that require authentication. Users can be enabled, imported, and locked out.
Throughout this Getting Started Guide, these terms have specific meanings:
Applications - Applications can be any resource that requires authentication.
This includes legacy, client/server and web applications, terminal emulators, Windows NT Domain, and even web sites that require authentication.
Application Credentials - Credentials used to access an application (rather than a domain). Applications that require authentication have rules to govern acceptable credentials, their use, and how to change them.
Application Profile Generator (APG) - OneSign needs information about how each application handles authentication and password changes. The APG is a web-based interface to automate the learning process.
Authentication - Users are authenticated when they log into OneSign. When the user authenticates, OneSign launches a secure user session. Logins to OneSign-deployed applications in that session are handled by OneSign.
Domain Credentials - Credentials used to access a domain (rather than an application). Some applications can be set to use domain credentials, or to share OneSign credentials with other applications.
Domain Synchronization - You do not create users in OneSign; you synchronize the OneSign directory with the selected user directories on your domains. When you synchronize OneSign with a directory, user accounts are both added to and deleted from OneSign. Their domain accounts are unaffected.
Enabled/Disabled - An enabled, imported user enjoys secure single sign-on.
Even when a user account exists, user access to OneSign secure single sign-on is not necessarily automatic. There may be times when you want to disable a number of user accounts, or to delay enabling them.
Failover - If the Primary Appliance goes offline for any reason, the OneSign system goes into Failover Mode. As long as the network is up and the appliance is physically intact, the Failover Appliance immediately takes over.
Locked Out - A user is locked out after attempting to access a OneSign account in violation of the rules set in the user’s security policy. Locked-out users lose access to their OneSign accounts for a period set in that policy.
Notifications - OneSign can notify administrators of system events. OneSign can track a number of specific system events. OneSign sends an email with the information or posts it to a predetermined URL. See also: Reports.
Reports - Reports are a quick way to learn about OneSign activity that occurred during a time window that you define when you run the report.
Users - Users are network users whom you can include in the OneSign system. Any user known to your network can become a OneSign user.
This Getting Started Guide is a quick tour through OneSign.
For complete information on OneSign, please refer to the Administrator’s Guide. For complete information on the OneSign appliance, please refer to the Appliance Guide.
Chapter 2 - Logging In to the OneSign Administrator
The rest of this Getting Started Guide uses specific OneSign terminology. If you have not read Overview of Imprivata OneSign on page 1, please do so before continuing.
Once you have installed the appliance, you must create a user account with OneSign administrator privileges. The rest of the setup procedures in the Getting Started Guide will be performed from the account that you create in this chapter.
The account that you create in this chapter requires a login to the network.
The first-time connection may be established quickly over an unsecured connection, or you can secure the connection before submitting the credentials from the Initial Administrator page.
You can:
• Make the login in clear text and establish a secure connection later.
• Log in using a guest account.
• Log in using an administrator account and change the password after you are finished.
• Upload the certificate before submitting the credentials.
Note: The OneSign Administrator requires a networked computer running Microsoft Internet Explorer 6.0 sp1 or later on Microsoft Windows 2000 or XP Professional.
Note: If you resolve hostnames, it is a good idea to be sure this OneSign server hostname is included in your DNS or WINS before continuing.
Enrolling the Initial Administrator
This procedure creates the initial administrator account and the first domain and enrolls the initial administrator’s credentials.
To create the Initial Administrator account:
1. From the browser, go to:
https://<OneSign Virtual IP Address>/sso/login.html
Note: You must use the virtual IP address (VIP) or fully-qualified host name that you assigned in the installation procedure.
The Administrator Initial Setup screen appears:
OneSign Initial Administrator Screen, Showing Optional Helper Text
2. Fill in the fields on the Initial Administrator Screen. For assistance, see the helper text in the sidebar.
3. Click Submit. The Imprivata OneSign Administrator Home page appears:
OneSign Administrator Home Page
Note that there is no active session and one enrolled user. You have created the initial user account with Super Administrator privileges. This was a one-time procedure, necessary only the first time you start a new OneSign appliance. This user account is like any other user account with Super Administrator privileges.
Now that you have created the initial administrator account, logging in to the OneSign Administrator will be simpler. OneSign already knows your directory server type, host name, and name. From now on, administrators log in at:
https://<OneSign Virtual IP Address>/sso/login.html
where they will be asked only for:
• Username
• Type of user directory
• Domain of their network user account
• Authentication
In the next chapter you will set security parameters for OneSign.
Chapter 3 - Setting OneSign Properties
The OneSign properties include:
• System Settings
• Server Connections
• OneSign Extensions
In this chapter you will go through these sections in turn. Some properties must be set now; but most can be safely ignored until later. All are detailed in the OneSign Administrator’s Guide.
To set the system properties:
1. Click on the Properties page. The Properties window appears, showing the System Settings tab:
OneSign Administrator Properties Page
System Settings
Use the System Settings tab to monitor system status (including audit logging and system lockdown status), manage your OneSign license and options, define administrator privileges, and set properties of users’ OneSign Agents, including the Refresh Interval at which users’ OneSign Agents refresh their profiles and upload audit log information.
Explore the different parts of this section, but do not change any yet.
System Status and Audit Log
The Lock button locks the Imprivata OneSign system for security reasons.
This is a toggle button; clicking Lock replaces it with an Unlock button, and clicking Unlock replaces it with a Lock button. Ignore the Lock button for now.
This is where you can set the system logging level, and where you can see an overview of your audit logs, and archive and delete old audit logs. The OneSign Server can also post a heartbeat and current system status to a URL for monitoring.
License Info
During the installation procedure, you uploaded the OneSign license file. The License section shows how many total user accounts you have in this appliance pair, and how many are assigned to enabled users.
Administrator Privileges
OneSign permits two levels of administration; this is where you define the various administrator privileges that are available to the Administrator level (Super Administrators automatically have all privileges).
Agent Settings
In the Agent Settings section you select settings for installing user OneSign Agents and different properties of the Agents. The user’s OneSign Agent checks the server for updates at the Refresh Interval set in this section.
Password Self-Service Questions
OneSign supplies questions in three languages. You can require users to answer a subset of these questions in order to access the password self-services. You can add more questions, or delete any unwanted questions.
Note: All of the options that you ignore in this tutorial are fully detailed in the Administrator’s Guide and in the APG Guide.
Server Connections
Use the Server Connections tab for setting the mail server that will handle emails from the OneSign Server to administrators and users, and setting the connection parameters for an ID token system server if you are using one.
Setting the Mail Server and Editing the Standard Messages
OneSign notifies users when they can download the OneSign Agent and sends password reminders and event notifications by email from this server.
1. In the SMTP Server section, click View/Edit to open an SMTP Server form.
2. Enter the server to be used to send password reminders and event notifications and notify users for self-enrollment.
3. Click the Test button to be sure the connection is valid.
4. If credentials are required in order to send OneSign email notifications to email addresses outside of the local network, then enter a valid SMTP server account username and password combination.
5. OneSign uses a standard Notification Message to notify new users that their OneSign accounts have been created. Click the View/Edit link to customize the text of the Notification Message for your users.
Depending upon your OneSign license, you also see an option to edit either the Password Reminder or the Password Self-Services Enrollment message. You do not need to edit either of them at this time.
Setting ID Token System Server Properties
The ID Token Server is only used if users will authenticate to OneSign via ID token. If you are supporting ID token authentication, then click View/Edit to enter the server host name, port, and encryption key before continuing.
If you are not using ID token authentication, ignore this section and continue.
Saving Changes
There is a context-sensitive Save button at the bottom of the page that only appears when you have changed something on the Properties page. If you made any changes and you want to save them, click the Save button.
OneSign Extensions
Extension objects permit OneSign to extend beyond its base capabilities to support external software tools. OneSign supports two extension objects:
The Carefx Extension Object is used to synchronize user identity with the Carefx Application Context Manager.
Use the OneSign Procedure Code Extension Object to manage the