Enterprise Single Sign-On SSOWatch Administrator Guide


SSOWatch Administrator Guide

8.0.6

Enterprise Single Sign-On


ALL RIGHTS RESERVED.

This publication contains proprietary information protected by copyright. The software described in this publication is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical or otherwise without the prior written permission of the publisher.

DISCLAIMER

The information in this publication is provided in connection with Quest branded products from Evidian. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this publication. EXCEPT AS OTHERWISE SPECIFIED IN THE END USER LICENSE AGREEMENT FOR THIS PRODUCT, EVIDIAN AND QUEST ASSUME NO LIABILITY WHATSOEVER AND DISCLAIM ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO THIS PRODUCT, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL EVIDIAN OR QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS PUBLICATION, EVEN IF EVIDIAN OR QUEST HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Evidian and Quest make no representations or warranties with respect to the accuracy or completeness of the contents of this publication and reserve the right to make changes to specifications and product descriptions at any time without notice. Evidian and Quest do not make any commitment to update the information contained in this publication. The information and specifications in this publication are subject to change without notice.

Trademarks

Quest, Quest Software, the Quest Software logo, Aelita, AppAssure, Benchmark Factory, Big Brother, DataFactory, DeployDirector, ERDisk, Foglight, Funnel Web, I/Watch, Imceda, InLook, IntelliProfile, InTrust, IT Dad, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, NBSpool, NetBase, Npulse, PerformaSure, PL/Vision, Quest Central, RAPS, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL LiteSpeed, SQL Navigator, SQL Watch, SQLab, Stat, Stat!, StealthCollect, Tag and Follow, Toad, T.O.A.D., Toad World, Vintela, Virtual DBA, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. The terms Evidian, AccessMaster, SafeKit, OpenMaster, SSOWatch, WiseGuard, Enatel and CertiPass are trademarks registered by Evidian. All other trademarks mentioned in this document are the property of their respective owners.

World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656 Website: www.quest.com

Please refer to our website for regional and international office information.

This documentation is also available online at http://documents.quest.com. This site provides robust search capabilities that allow you to search across all related documents.

Quest Enterprise SSO Version 8.0.6


About This Guide ... 7

Overview ... 7

Conventions ... 7

1 Overview ... 8

1.1 SSOWatch module of Quest ESSO: Basic Principles ... 8

1.1.1 Application Modeling ... 8

1.1.2 Application Access Profiles ... 8

1.1.3 Password Format Control Policies (PFCP) ... 9

1.1.4 Application Behavior ... 9

1.1.5 Window Types ... 10

1.1.6 LDAP Directories ... 10

1.2 The Access Collector Mode ... 10

1.3 SSOWatch Components ... 11

1.3.1 Enterprise SSO Studio ... 11

1.3.2 Quest Enterprise SSO Plug-ins ... 12

2 SSOWatch ... 13

2.1 Overview ... 13

2.2 The SSOWatch Interface... 13

2.2.1 QESSO SSOWatch icon ... 13

2.2.2 SSOWatch Pop-up Menu ... 14

2.2.3 The SSOWatch window ... 16

2.3 Starting/Quitting SSOWatch ... 17

2.3.1 Starting SSOWatch... 17

2.3.2 Quitting SSOWatch... 18

2.4 Suspending/Activating SSOWatch ... 18

2.5 Resetting SSOWatch Configuration ... 19

2.6 Managing User Accounts ... 19

2.6.1 Providing SSO Data When Launching an SSO Enabled Application for the First Time ... 20

2.6.2 Displaying your SSOWatch User Accounts ... 21

2.6.3 Displaying the Properties of a User Account ... 21

2.6.4 Changing the Login Name and/or Password of a User Account ... 22

2.6.5 Changing an Expired Primary Password ... 23

2.6.6 Creating a New Account for an Application ... 24

2.6.7 Deleting a User Account ... 26

2.6.8 Displaying User Account Password ... 26

2.6.9 Delegating a User Account ... 27

2.7 Disabling/Enabling SSO for Applications ... 30

2.8 Requesting an Access to an Application Through the Request Manager Portal ... 31

2.9 Testing the SSO Configuration of an Application ... 32

2.10 Starting Personal SSO Studio ... 33

2.11 Starting an Application... 33

2.12 Creating a Shortcut for an Application ... 34


3.1 Interface Overview ... 36

3.2 Starting and Stopping Enterprise SSO Studio ... 39

3.2.1 Starting Enterprise SSO Studio ... 39

3.2.2 Stopping Enterprise SSO Studio ... 40

3.3 Creating or Opening a Configuration ... 40

3.4 Configuring General SSO Parameters ... 40

3.5 Defining PFCP and Application Profiles ... 41

3.5.1 Defining Password Format Control Policies (PFCP) ... 41

3.5.2 Defining the Application Profiles ... 44

3.6 Defining Application and Technical Definition Objects ... 48

3.6.1 Creating/Modifying Application Objects and Technical Definitions ... 49

3.6.2 Filling-in the Application Properties Window ... 50

3.6.3 Defining Advanced Access Rights ... 60

3.7 Defining Window Objects ... 61

3.7.1 "General" Tab ... 62

3.7.2 "Options" Tab ... 64

3.7.3 "Detection" and "Actions" Tabs ... 69

3.8 Testing the SSO ... 69

3.9 Exporting or Importing Objects ... 70

3.9.1 Exporting/Importing Objects using the Graphical Interface ... 70

3.9.2 Importing Objects using Command Line Arguments (without Controller) ... 70

3.10 Managing Objects in the Tree ... 72

3.10.1 Copying/Cutting/Pasting Objects ... 72

3.10.2 Renaming an Object ... 73

3.10.3 Deleting an Object from the Tree ... 73

3.11 Saving Object Configurations ... 73

3.11.1 Saving Object Configurations in LDAP Storage Mode (with Controller) ... 74

3.11.2 Saving Object Configurations in Local Storage Mode ... 74

3.12 Managing Configuration Updates ... 75

3.13 Refreshing the Tree ... 75

4 The Generic Plug-in ... 76

4.1 Window Detection ... 77

4.1.1 Simple Detection ... 78

4.1.2 Advanced Detection ... 81

4.1.3 Restrictions ... 84

4.2 User Interface ... 85

4.2.1 Target ... 85

4.2.2 Validation Actions ... 86

4.3 Generic Plug-in Actions ... 86

4.3.1 StandardLogin – Connection ... 86

4.3.2 BadPassword ... 89

4.3.3 NewPassword ... 91

4.3.4 ConfirmPassword ... 92

4.3.5 BadNewPassword ... 93

4.4 Special Cases ... 94

4.4.1 NotesLogin (Lotus Notes Plug-in) ... 94


5 The Microsoft Internet Explorer Plugin... 99

5.1 HTML/Internet Explorer Detection ... 99

5.1.1 Variable URLs ... 101

5.1.2 Advanced Detection ... 101

5.2 User Interface ... 102

5.2.1 Selecting a Field in an HTML Form ... 102

5.2.2 Custom SSO Parameters ... 103

5.2.3 Submitting an HTML Form ... 103

5.3 HTML/Internet Explorer Actions ... 105

5.3.1 HTMLLogin – Connection ... 105

5.3.2 HTMLBadPassword ... 106

5.3.3 HTMLNewPassword ... 107

5.3.4 HTMLBadNewPassword – New Password Refused ... 108

6 The SAP R/3 Plug-in ... 110

6.1 SAPLogin and SAPExpired Window Types ... 110

6.1.1 SAPLogin (SAP R/3 Login) ... 110

6.1.2 SAPExpired (SAP R/3 Password Expiry) ... 111

6.2 Basic Principles of the SAP R/3 Plug-in ... 111

6.3 Configuration Guide ... 111

6.3.1 Configuring an SAP R/3 Application... 111

6.3.2 Configuring the SAPGUI Scripting Window ... 111

7 Terminal Type Applications ... 115

7.1 Terminal ... 115

7.2 Microsoft Telnet ... 116

7.3 Banners ... 117

8 The HLLAPI Plug-in ... 119

8.1 Configuring the HLLAPI Plug-in ... 119

8.1.1 Configuring the HLLAPI Plug-in for a Single Application ... 119

8.1.2 Configuring the HLLAPI Plug-in for Different Types of Applications ... 120

8.1.3 HLLAPI Plug-in Registry Keys ... 120

8.2 Enabling SSO for HLLAPI Applications ... 123

8.2.1 The Detection Tab ... 124

8.2.2 The Actions Tab ... 126

8.3 HLLAPI Applications Keys ... 127

9 Advanced Configuration ... 134

9.1 Custom Scripts Plug-ins ... 134

9.1.1 Basic Concepts ... 135

9.1.2 The Actions Tab ... 136

9.1.3 Script Editor ... 137

Extension DLL ... 149

Function Prototyping ... 149

SSOWatchSSOData Structure ... 149

Return Code ... 150

10 OLE/Automation Interface ... 152

10.1 Definition of SSOWatch OLE/Automation Interface ... 152


10.2.2 GetSSOEngineState ... 154

10.3 The ISSOApplication Interface ... 154

Properties ... 155

Methods ... 156

Code Example ... 158

Return Codes ... 159

Appendix A: Cache Tuning and Asynchronous Update of the Application Data ... 160

A.1 Cache and Application Update Mechanism ... 160

A.1.1 Cache Mechanism... 160

A.1.2 Asynchronous Update Mechanism ... 161

A.2 Cache and Update Timing Parameters ... 162

Appendix B: Integrating Care-FX with SSOWatch ... 165

B.1 Authentication Description ... 165

B.1.1 Logging On ... 165

B.1.2 Logging Out ... 166

B.2 Configuring the Implementation ... 166

B.2.1 Activating the FCC Notification ... 166

Integrating the COM Interface ... 166

About Quest Software, Inc. ... 168

Contacting Quest Software... 168


About This Guide

Overview

This document explains how to use the Quest Enterprise SSO Configuration Editor to describe the applications for which the SSOWatch module of Quest ESSO (QESSO SSOWatch) will implement Single Sign-On. It is intended for system integrators, administrators, consultants, analysts, and any other IT professionals using the product.

Conventions

In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references.

ELEMENT: CONVENTION

Select: This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.

Bolded text: Interface elements that appear in Quest products, such as menus and commands.

Italic text: Used for comments.

Bold Italic text: Introduces a series of procedures.

Blue text: Indicates a cross-reference. When viewed in Adobe® Acrobat®, this format can be used as a hyperlink.

(icon): Used to highlight additional information pertinent to the process being described.

(icon): Used to provide Best Practice information. A best practice details the recommended course of action for the best result.

(icon): Used to highlight processes that should be performed with care.

+: A plus sign between two keystrokes means that you must press them at the same time.

|: A pipe sign between elements means that you must select the elements in that particular sequence.


1 Overview

1.1 SSOWatch module of Quest ESSO: Basic Principles

This section presents Quest ESSO SSOWatch basic concepts.

1.1.1 Application Modeling

Enterprise SSO Studio, the Enterprise SSO configuration editor is used to describe the applications for which SSOWatch will enable Single Sign-On.

An application is defined by:

• A set of associated user accounts (referred to as the link to the security system).

• A set of Windows or HTML pages.

The application Windows or HTML pages that refer to the authentication management tool must be described in SSOWatch using the configuration editor.

This description allows SSOWatch to recognize the windows or HTML pages whenever they are displayed to the user. SSOWatch intercepts these pages and implements SSO. In addition to the elements that allow window/page detection, the description contains the actions that the SSO engine has to perform.

Each window is defined by a type that characterizes the target application technology and the actions that SSOWatch will perform. The events that refer to the user’s authentication in an application can be of different kinds: authentication, password update request, etc. SSOWatch manages the different events relating to the specific characteristics and behavior of each application (application behavior).

1.1.2 Application Access Profiles

Application profiles define the parameters of one or more applications that can then be defined differently, depending on the users that access them.

Application profiles are used to assign applications to users. The parameters they define include:

• The password format managed by the application.

• The SSOWatch options.

• The SSO policy. Such options are: requirement for re-authentication, the user’s ability to modify SSO data, hide/show password, etc.

• Delegation parameters.

1.1.3 Password Format Control Policies (PFCP)

A PFCP defines:

• The format of the passwords managed by an application: characters that are allowed or forbidden, length, authorized/unauthorized repetitions of a same character.

• Whether a password is to be randomly generated (following the format required), or requested from the user.
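The following Python model is an added illustration, not code from this guide or from the SSOWatch product: it shows how the constraints a PFCP lists above (allowed and forbidden characters, length, repetition of a same character, random generation versus user entry) can be expressed as one policy object that both checks a candidate password and generates a compliant one. The class name, its fields and the sample policy are assumptions chosen for the example.

```python
"""Illustrative model of a Password Format Control Policy (PFCP).

Added example: the class, field names and the sample policy below are
assumptions that mirror the elements the guide lists, not SSOWatch's own
implementation.
"""
import secrets
import string
from dataclasses import dataclass
from typing import List


def longest_run(s: str) -> int:
    """Length of the longest run of one identical consecutive character."""
    best = cur = 0
    prev = None
    for c in s:
        cur = cur + 1 if c == prev else 1
        prev = c
        best = max(best, cur)
    return best


@dataclass(frozen=True)
class PasswordFormatPolicy:
    """The constraints a PFCP places on the passwords of one application."""
    min_length: int
    max_length: int
    allowed_chars: str              # every character must come from this set
    forbidden_chars: str = ""       # and none of these may appear
    max_repeat: int = 2             # longest permitted run of one character
    generate_randomly: bool = False  # generate instead of asking the user

    def violations(self, password: str) -> List[str]:
        """Return the reasons a password is rejected; empty means compliant."""
        problems = []
        if not (self.min_length <= len(password) <= self.max_length):
            problems.append(
                f"length {len(password)} outside {self.min_length}-{self.max_length}")
        bad = sorted({c for c in password if c not in self.allowed_chars})
        if bad:
            problems.append(f"characters not allowed: {''.join(bad)!r}")
        forb = sorted({c for c in password if c in self.forbidden_chars})
        if forb:
            problems.append(f"forbidden characters: {''.join(forb)!r}")
        run = longest_run(password)
        if run > self.max_repeat:
            problems.append(
                f"a character repeats {run} times in a row (max {self.max_repeat})")
        return problems

    def is_compliant(self, password: str) -> bool:
        return not self.violations(password)

    def generate(self) -> str:
        """Draw a random password that satisfies this policy.

        Uses the `secrets` CSPRNG; candidates that break the repetition rule
        are simply re-drawn, which is rare with a realistic alphabet.
        """
        alphabet = [c for c in self.allowed_chars if c not in self.forbidden_chars]
        if not alphabet:
            raise ValueError("policy leaves no usable characters")
        length = self.min_length + secrets.randbelow(
            self.max_length - self.min_length + 1)
        for _ in range(1000):
            candidate = "".join(secrets.choice(alphabet) for _ in range(length))
            if self.is_compliant(candidate):
                return candidate
        raise RuntimeError("could not satisfy policy; check max_repeat vs alphabet")


# Constructed sample policy (an assumption, not taken from the guide): the kind
# of rule set a legacy application might impose on its passwords.
LEGACY_APP_POLICY = PasswordFormatPolicy(
    min_length=8,
    max_length=12,
    allowed_chars=string.ascii_letters + string.digits + "#$@",
    forbidden_chars="@",            # e.g. reserved by the application's parser
    max_repeat=2,
    generate_randomly=True,
)

if __name__ == "__main__":
    for pw in ("Winter2024", "aaaBBB99", "short1", "pass word", "ok@pass1"):
        print(pw, "->", LEGACY_APP_POLICY.violations(pw) or "compliant")
    if LEGACY_APP_POLICY.generate_randomly:
        print("generated:", LEGACY_APP_POLICY.generate())
```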

1.1.4 Application Behavior

A user authenticates to a secure application as follows:

• The user tries to log on to the application.

• If the security data provided are correct, the user is authenticated by the application and can work normally.

• If the data are incorrect, the application will display a message or re-display the authentication window, informing the user that he or she made a mistake during the authentication process. The user is prompted to try again.

Once connected, the user can change the password, either at will or at the application’s request:

• The user enters a new password and (sometimes) confirms it.

• If the new password is accepted by the application, the user will continue working normally. If not, the application will inform the user that the new password has been rejected.

SSOWatch manages the application behavior with regard to the user authentication we have just described. This behavior is configured by choosing a type for the defined windows.


1.1.5 Window Types

A window type indicates the SSO engine behavior and the technology of the managed application.

An application’s behavior includes:

• Detecting the connection step (Login).

• Detecting a wrong password/username (BadPassword).

• Detecting a new password request (NewPassword).

• Detecting an incorrect new password (BadNewPassword).

• Confirming this new password (ConfirmPassword).

The technologies managed by SSOWatch are:

• Microsoft Win32 standard windows.

• HTML pages in Internet Explorer.

• Windows of type "Terminal in text mode".

• Some particular cases or optimizations of standard types.

1.1.6 LDAP Directories

Several types of LDAP directories are supported for user security data storage.

You can refer to the following guides:

• For more information on the supported LDAP directory versions, see the Release Notes.

• For a description of the procedures for modifying an LDAP directory, see the Quest ESSO Installation Guide.

1.2 The Access Collector Mode

The Access Collector mode is an option of SSOWatch which automatically collects all user accounts and stores them in the users' directory.

This mode only works if the workstations are configured as "without Controller". The goal of this feature is to report to the administrators all the accounts used for the applications of the enterprise, so that they can create an appropriate access policy. Only one account can be collected for one application (multi-account is not supported).

Mechanism

When an end-user launches an application that is detected by SSOWatch, SSOWatch starts the account collection.

• If the account was already collected, nothing happens and the SSO is not performed.

• If a BadPassword window is detected in the collection context, the collected account is deleted or a new account is collected. The account is not deleted if the BadPassword window occurs at any other moment.

Once the account is collected, the SSO is deactivated for the application.

SSOWatch Behavior

The SSO is only performed if there is no collected account for the detected application login screen.

The passwords entered by users are never sent to the directory: they are only kept temporarily in memory for SSO purposes.

Users are not allowed to stop or suspend SSOWatch; they have no access to Personal SSO Studio and cannot manage their accounts through the Account panel.

Configuration Update

Only the Application, Technical Definition and Parameter objects are retrieved from the directory. They are retrieved asynchronously so that the update does not take place during user authentication. All users can access all the applications downloaded by the workstation.

1.3 SSOWatch Components

SSOWatch provides the link between the security system and the applications by recovering security information (login/password) and sending it to the applications. It also manages the collection of this security data and the password format control policies.

The collection (or self-learning) mode consists of asking the user to enter any security information that does not yet exist in the Quest ESSO security base, and saving it. SSOWatch is made up of the components described in this section.

1.3.1 Enterprise SSO Studio

Enterprise SSO Studio is the Quest Enterprise SSO configuration editor. It allows the creation of Quest Enterprise SSO configuration files, and the management of the Quest Enterprise SSO LDAP objects.

This program is designed to be used by people who define and setup SSO.

Quest Enterprise SSO Studio can be used in Enterprise or Personal mode, so as to modify the corresponding configuration files:

• The Enterprise configuration file is common to a group of users, and is usually saved in an LDAP directory in object format. When a simple file is used, the configuration may be stored in a central location for ease of deployment and use.

SSO configuration is easily performed through "drag and drop"-oriented configuration procedures.

1.3.2 Quest Enterprise SSO Plug-ins

Quest Enterprise SSO plug-ins are extensions of the SSOWatch and of the Enterprise SSO configuration editor. They add SSO management methods for specific kinds of applications.

Besides the management of standard Windows applications, the following plug-ins are available as standard in SSOWatch:

• Internet Explorer, enabling SSO in HTTP/HTML applications running under Internet Explorer 4 or later.

• Lotus Notes.

• Microsoft Telnet.

• SAP R/3.

• HLLAPI.

• Custom Scripts, to enable SSO in Windows/HTML applications not managed by the standard window types.

2 SSOWatch

This section describes the SSOWatch interface and how to use it.

2.1 Overview

SSOWatch Definition

SSOWatch is in charge of the following SSO functionalities:

• It retrieves SSO data from the IAM middleware, which runs on the workstation, and provides this information to the application login windows.

• It offers self-administration functions that allow you, for example, to register yourself to applications or change your passwords.

• In Access Collector mode, it starts the account collection when the user launches an application and deactivates the SSO once the account is collected.

The SSOWatch Configuration

The SSOWatch configuration stores the SSO data. It can be defined by two kinds of users:

• Quest ESSO security administrators, through Enterprise SSO Studio. This tool allows administrators to create and modify the SSOWatch configuration common to many end-users.

• End-users, through Personal SSO Studio if the component is installed on the workstation. This tool allows you to define the personal SSO data used to log on to your personal applications.

2.2 The SSOWatch Interface

This section gives an overview of the SSOWatch interface.

2.2.1 QESSO SSOWatch icon

The QESSO SSOWatch icon is displayed in the Windows notification area, as shown in the following illustration:


ICON DESCRIPTION

SSOWatch is activated: the SSO feature is enabled (whenever it detects a configured application login window, SSOWatch automatically provides the required SSO data)

SSOWatch is suspended: the SSO feature is disabled.

SSOWatch is locked: when SSOWatch detects a configured application login window, or when you want to display the user accounts associated with applications (see 2.6.2 Displaying your SSOWatch User Accounts), SSOWatch may ask you to re-authenticate. Upon a successful authentication, the SSOWatch state switches to activated.

2.2.2 SSOWatch Pop-up Menu

The SSOWatch Pop-up Menu appears when you right-click the QESSO SSOWatch icon. It provides the means to control SSOWatch:

Depending on your SSOWatch configuration, some menu commands may not appear, as detailed in the following table.


MENU COMMAND

DESCRIPTION

About QESSO SSOWatch

Displays the QESSO SSOWatch version and the storage mode of the SSOWatch configuration file:

LDAP: centralized configuration is defined in the LDAP directory for which SSO access is either authorized or denied for a given user or group of users.

File: the configuration is saved in a file in the Windows registry.

Self Registration: indicates that SSOWatch is used in Access Collector mode: centralized configuration is defined in the LDAP directory, to collect all the accounts used for the applications of the enterprise (for more information, see Section 1.2, "The Access Collector Mode").

Account delegation

Enables you to delegate one or several of your accounts to specific users of your choice during a specific length of time.

Open QESSO Studio

Opens the SSO Account panel, which allows you to manage your user accounts.

This menu command is bold, which means that this is the default command: double-click the QESSO SSOWatch icon to run it.

Add application

Starts Enterprise SSO Wizard, which is the easiest way to set up your personal SSOWatch configuration.

This menu command does not appear if Personal SSO Studio is not installed on the workstation, or if SSOWatch is used in Access Collector mode.

Open QESSO Studio

Starts Personal SSO Studio, the editor tool of your personal SSOWatch configuration. For details on how to use Enterprise SSO Studio, see Section 3, "Configuration Editor: Enterprise SSO Studio".

This menu command does not appear if Personal SSO Studio is not installed on the workstation, or if SSOWatch is used in Access Collector mode.

Suspend, Activate

Manages the states of SSOWatch.

Depending on your configuration, this menu command may not appear (unavailable in Access Collector mode).

Reset Configuration

Stops and restarts SSOWatch to take into account modifications of the SSOWatch configuration.

In Access Collector mode, this command only synchronizes SSO Account data.

Exit QESSO SSOWatch

Quits SSOWatch.

Depending on your configuration, this menu command may not appear (unavailable in Access Collector mode).

2.2.3 The SSOWatch window

The SSOWatch window appears when you click Open in the pop-up menu, or just by double-clicking the QESSO SSOWatch icon. It is composed of the following panels:

• The Account panel.

• The Home panel.

2.2.3.1 The "Account" Panel

When you open the SSOWatch window, the Account panel appears. It lists your user accounts managed by SSOWatch. From this panel, you can modify several user account parameters, as described in 2.6 Managing User Accounts.

2.2.3.2 The "Home" Panel

• Manage the states of SSOWatch (Area 1), as described in the following sections:

2.4 Suspending/Activating SSOWatch.

2.5 Resetting SSOWatch Configuration.

2.3 Starting/Quitting SSOWatch.

• If you are using several user accounts for a same application, select the current Role (Area 2; for details, see Section 2.6.6, "Creating a New Account for an Application").

2.3 Starting/Quitting SSOWatch

This section explains how to start and quit SSOWatch.

2.3.1 Starting SSOWatch

Subject

Usually, SSOWatch starts automatically when you log on.

You may need to start SSOWatch manually in the following cases:

• If SSOWatch has not been configured to start automatically.

• If you manually quit SSOWatch and want to restart it.

Procedure

1. To manually start SSOWatch, do one of the following:

c) Use the command line: the following list gives the command line arguments that you may use to start the SSOWatch engine (ssoengine.exe):

• /notrayicon: starts SSOWatch but does not display the icon located in the Windows system tray.

• /nosplashscreen: starts SSOWatch but does not display the splash screen.

• The configuration file to be used can be added as a parameter of the SSOEngine.exe program (no option).

Example:

SSOEngine.exe "C:\Configs SSOWatch\SSOConfig2.sso"

An authentication window appears.

2. Fill in the ID and Password fields to authenticate yourself. The SSOWatch window appears.

A welcome message appears in a balloon help on the bottom right-hand side of your screen.

This message is configurable in the Quest ESSO Console by creating one message per user.

If you are using a roaming session, a balloon help appears telling you when your session expires. You can display it at all times by passing the cursor over the QESSO SSOWatch icon.

2.3.2 Quitting SSOWatch

Procedure

• To exit SSOWatch, right-click the QESSO SSOWatch icon and select Exit QESSO SSOWatch.

The QESSO SSOWatch icon disappears. The SSO feature is disabled.

Depending on your configuration, this menu command may not be available (unavailable in Access Collector mode).

2.4 Suspending/Activating SSOWatch

Subject

By default, SSOWatch is automatically activated when you log on. You may need to suspend it manually, as described in the following procedure.

In Access Collector mode, this functionality is deactivated.

Procedure

• To suspend SSOWatch, right-click the QESSO SSOWatch icon and select Suspend.

The QESSO SSOWatch icon state changes, as described in 2.2.1 QESSO SSOWatch icon. While suspended, no automatic sign-on is made.

• Depending on your configuration, this menu command may not be available.

• SSOWatch automatically suspends itself when the smartcard or USB key used for authentication is removed.

• To resume SSOWatch, right-click the QESSO SSOWatch icon and select Activate.

The QESSO SSOWatch icon state changes, as described in 2.2.1 QESSO SSOWatch icon. The SSO feature is enabled.

2.5 Resetting SSOWatch Configuration

Subject

By default, if the SSOWatch configuration changes, a notification message automatically appears asking you if you want to take the modifications into account, as shown in the following illustration:

You can manually apply the modifications of the SSOWatch configuration file using the Reset Configuration command, as described in the following procedure.

In Access Collector mode, this command only synchronizes SSO Account data.

In Access Collector mode, SSOWatch automatically reloads the SSO configuration every 6 hours: this allows taking into account changes in the SSO data made by the asynchronous update. You can change this value (in hours) in the following registry key/GPO:

HKLM\Software\Enatel\SSOWatch\CommonConfig\AutomaticRefresh

Procedure

• In the Windows notification area, right-click the QESSO SSOWatch icon and select Reset Configuration.

2.6 Managing User Accounts

This section describes how to manage your SSOWatch user accounts from the SSOWatch Account panel.


2.6.1 Providing SSO Data When Launching an SSO Enabled Application for the First Time

At the first launch of an SSO enabled application, when the application requests the user’s authentication, the SSOWatch collect window appears in the foreground (the application is temporarily unavailable) and requests the user name and password for the application:

Simply provide your usual user name for this application and your password (and confirm it to avoid typing errors), then validate by clicking the OK button.

This data is stored securely by SSOWatch so that it can be reused afterwards without requesting any new data. Single Sign-On is now enabled for this application.

Depending on your configuration, the following controls can be available:

• The Cancel button: if available, click this button to cancel the authentication data collection. You can then log on manually or quit the application. Note that depending on your configuration, the dialog box may not appear if you start another application instance (without quitting the first one). In this case, quit all the application instances and restart the application.

• The Disable SSO for this application check box. If you select this option and click OK, the authentication data collection is cancelled until further notice for the application. To enable the collection again, see 2.7 Disabling/Enabling SSO for Applications.

For more information on how to enable/disable these controls, see Section 3.5.2.2, "Access Strategy Tab of an Application Profile", or the Quest ESSO Console Administrator Guide.

• The link I don’t have any account for this application may appear. Click this link to request access to the application through the Request Manager portal. For more information on how to enable/disable this link, see the Quest ESSO Console Administrator Guide.


2.6.2 Displaying your SSOWatch User Accounts

Subject

This section describes how to display the user accounts that are defined in your SSOWatch configuration.

Procedure

• To display the list of your SSOWatch user accounts, double-click the QESSO SSOWatch icon located in the Windows notification area.

The SSOWatch window appears.

Window Description

The Account panel displays one line per user account. For each account, the following information is available:

COLUMN NAME: DESCRIPTION

Application: Name of the application, as defined in Enterprise SSO Studio. For accounts that are not associated with an application, <None> is displayed.

Login Name: Login name of the user account. If you have not yet used this application, <not registered> is displayed (the login name and password of the account have never been collected). You can hide applications for which the user is not registered. To do so, right-click any application and select Hide applications without credential.

Account: By default, Standard Account is displayed. If you are using several user accounts for a same application, this column displays the name of the account. For more information, see 2.6.6 Creating a New Account for an Application.

2.6.3 Displaying the Properties of a User Account

Before Starting

In Access Collector mode, this functionality is deactivated.

Procedure

• In the Account panel, select the wanted user account and click the Properties button, or right-click the wanted user account and click Properties.

Window Description

The Information Tab

Depending on your user account properties, you may be allowed to modify your user account security data. For more details, see 2.6.4 Changing the Login Name and/or Password of a User Account.

The Properties Tab

Read-only tab, which displays the account properties and application properties available for the selected user account.

The Delegation Tab

Depending on your Quest ESSO configuration, the Delegation tab may not appear. It allows you to delegate your user account to other users.

2.6.4 Changing the Login Name and/or Password of a User Account

Restriction

Depending on your SSOWatch configuration, this command may be disabled for some or all the listed user accounts (unavailable in Access Collector mode).

For information on how to enable/disable this command, see Section 3.5.2.2, "Access Strategy Tab of an Application Profile".

Procedure

1. From the Account panel, select a user account and click the button, or right-click the wanted user account and click Change Password.

The following window appears:

2. Modify the wanted fields and click OK.

The modification takes effect immediately.

You can also modify the login name and/or password of a user account from the Account details window, which is described in 2.6.3 Displaying the Properties of a User Account.

2.6.5 Changing an Expired Primary Password

Subject

If you are using an authentication method that does not require the provision of the Primary Password, such as smart cards or biometric devices, you can choose your new Primary Password.

Procedure

1. When your Primary Password is expired, the Security Data Collection window appears.


2. To change your Primary Password, do one of the following:

• To use your own password, type your chosen password in the Password and Confirmation fields.

• To generate a random password, select the Generate my password check box.

3. Click the OK button.

Your Primary Password has been changed.

If you are offline when your Primary Password is about to expire, you will be asked to change it the next time you log on.

2.6.6 Creating a New Account for an Application

Restriction

Depending on your SSOWatch configuration, this command may be disabled for some or all the listed applications (unavailable in Access Collector mode).

For information on how to enable/disable this command, see Section 3.6.2.6, "Application Profile" Tab.

Procedure

1. From the Account panel, select an application and click the button, or right-click the wanted user account and click New account.

2. Fill in the window. In the Account field, either type the name of a new account or, if you want to use an additional account that you have already created, select it in the drop-down list.

3. Click OK.

The new account appears in the Account panel.

Going Further

If you have several accounts for an application, the following window appears by default when SSOWatch detects the authentication window of the application:

If you select Set current role, SSOWatch will always use the selected account, and this window will no longer appear. To display this window again, in the Home panel, select No selected role in the Current role drop-down list.

You can also log on to the application with one of the accounts by double-clicking the desired account in the SSOWatch window.

2.6.7 Deleting a User Account

Subject

This section describes how to delete one or more accounts associated with an application.

In Access Collector mode, this functionality is deactivated.

Procedure

1. From the Account panel, select an application and click the button, or right-click the wanted user account and click Delete.

A warning message appears.

2. Read this message carefully. If you agree, click YES. The account is deleted.

If several accounts are associated with an application, the account line is deleted. If you delete the last account, <not registered> is displayed in place of the login name.

2.6.8 Displaying User Account Password

Restriction

Depending on your SSOWatch configuration, this command may be disabled for some or all the listed user accounts (unavailable in Access Collector mode).

For information on how to enable/disable this command, see Section 3.5.2.2, "Access Strategy Tab of an Application Profile".

Procedure

1. From the Account panel, select a user account and click the button, or right-click the wanted user account and click Show password.

The re-authentication window appears.

2. Log on using your Windows user account.

3. Click Close.

2.6.9 Delegating a User Account

Subject

You can delegate one or several user accounts by using the Wizard, the Self Service Admin Portal (see Self Service Admin Portal User Guide) or by doing it manually.

Restriction

Depending on your SSOWatch configuration, this command may be disabled for some or all the listed user accounts (unavailable in Access Collector mode).

For information on how to enable/disable this command, see Section 3.5.2.3, "Delegation Tab of an Application Profile".

2.6.9.1 Delegating a User Account With the Wizard

Use the Account Delegation Wizard to delegate one or several user accounts quickly and simply. To do so, follow this procedure:

Procedure

1. Right-click the QESSO SSOWatch icon. The SSOWatch Pop-up Menu appears.

2. Select Account delegation.

3. Reauthenticate yourself if needed.

4. Click the Next button.

The Account delegation window appears.

5. Select the account(s) you want to delegate by ticking the corresponding check box(es), or click the Select all button to select all the accounts.

6. Select a start and an expiration date and click the Next button. The Account Delegation window appears.

7. Select the user(s) to whom you want to delegate the account and click the Next button.

Your selected account(s) has/have been delegated to the selected user(s).

2.6.9.2 Delegating a User Account Manually

Procedure

1. From the Account panel, select one or several user accounts and click the button, or right-click the wanted user account and click Delegate.

2. Reauthenticate yourself if needed.

3. In the User name field, type the name or a part of the user name and click Search.

The list of users that have been found in the directory appears.

4. Select the user to whom you want to delegate the account.

5. Select a start and an expiration date and click Delegate.

The account is delegated to the selected user from the start date until the expiration date.

2.6.9.3 Removing a User Account Delegation

Procedure

1. Right-click the QESSO SSOWatch icon. The SSOWatch Pop-up Menu appears.

2. Select Account delegation.

The Account Delegation wizard appears.

3. Select Manage existing account delegations and click the Next button. The Account delegation list window appears.

4. Select an account delegation and click the Remove button. The account is not delegated anymore.

2.7 Disabling/Enabling SSO for Applications

Subject

By default, SSO is enabled for all the applications listed in the SSOWatch Account panel. You can disable SSO for an application in a permanent way, or only for the current SSO session, as explained in the following procedure.


In Access Collector mode, the SSO is automatically disabled for the applications for which the account has been collected.

Depending on your configuration, the commands of the following procedure may be disabled. For more information, see Section 3.5.2.2, "Access Strategy Tab of an Application Profile", or the Quest ESSO Console Administrator Guide.

Procedures

Disabling SSO for an Application

• To disable SSO for an application during the SSO session:

In the Account panel, right-click the wanted application and select Disable the application.

SSO is disabled for the application for the duration of the SSO session. When the SSOWatch engine restarts, SSO is enabled again.

• To permanently disable SSO for an application:

a) Set the following registry value to DWORD 1:

Software\Enatel\SSOWatch\CommonConfig\StoreIfApplicationIsDisabled

b) In the Account panel, right-click the wanted application and select Disable the application.

SSO is permanently disabled for the application: the application stays disabled even if the SSOWatch engine is restarted.

Enabling SSO for an Application

• In the Account panel, right-click the wanted application and select Enable the application. If you have several disabled applications and want to enable all of them at the same time, select Enable all applications.

2.8 Requesting an Access to an Application Through the Request Manager Portal

Subject

When SSOWatch is integrated with Identity & Access Manager, you can request an access to an SSO enabled application in the following cases:

• Upon the first start of this application (that is, when SSOWatch has not registered any credentials for this application), as detailed in 2.6.1 Providing SSO Data When Launching an SSO Enabled Application for the First Time.

• At any time from the SSOWatch Account panel, as detailed in the following procedure.

Restrictions

• The administrator has enabled the Request Access command for the selected application.

Procedure

1. In the Account panel, right-click the wanted application and select Request Access.

The Request Manager portal appears.

2. Log on to the portal and send a request to access the application.

2.9 Testing the SSO Configuration of an Application

Subject

The SSOWatch engine includes a test tool, which allows you to check if an application is correctly configured. It tests the following:

• Main window or Web page detection.

• URL detection, if applicable.

• Advanced detection parameters (variable URLs, Look for text option, list of constraints).

Before Starting

• You have configured the Application Profile associated with the application to test: the test tool is launched by clicking Test application on the shortcut menu that appears when you right-click an application displayed in the Account panel. This command is available only if the Application Profile associated with the selected application is correctly configured, as detailed in:

  Section 3.5.2.1, "Properties Tab of an Application Profile", for your Personal SSO Studio configuration.

  Quest ESSO Console Administrator Guide, for corporate applications.

• You have checked that the application to test is not started.

Procedure

1. From the Account panel, right-click the application to test and select Test application.

2. Complete the window.

Additional Information

• The Window configuration information area displays by default information on the window selected in the drop-down list (window title and URL configuration, if any). You can change this information by selecting another window using the target button. This feature is useful, for example, to check whether an SSO configuration works with a new version of an application.

• When the main window detection succeeds, the SSOWatch engine runs the following tests:

  • It checks the variable URLs and Look for text parameters, if any. The test stops on the first invalid parameter detected. You can bypass the test of these parameters by selecting the Bypass the advanced detection control check box.

  • Then, it checks the list of constraints, if any. The test does not stop, even if an error occurs.

  • Finally, the engine tests the detection of the configured fields. The test stops on the first invalid field detected. If the field detection succeeds, you can select the Perform SSO check box. This immediately starts the real SSO process.

• The Export button allows you to save the information displayed in the Live report area in a plain text file.

2.10 Starting Personal SSO Studio

Subject

Personal SSO Studio is your personal configuration editor, which allows you to describe personal applications for which you want to enable Single Sign-On.

In Access Collector mode, the access to Personal SSO Studio is forbidden.

Procedure

• To start Personal SSO Studio from the Account panel, right-click any application and select Open SSO Studio.

• You can also open Personal SSO Studio from the Start menu.

• This menu command is disabled if Personal SSO Studio is not installed on the workstation, or if SSOWatch is used in Access Collector mode.

2.11 Starting an Application

Subject

To start an application from the Account panel, follow the procedure below.

In Access Collector mode, this functionality is deactivated.

Procedure

• In the Account panel, right-click the wanted application and select Start Application.

The application starts and SSOWatch performs SSO.

You can also log on to the application with one of the accounts by double-clicking the desired account in the SSOWatch window.


2.12 Creating a Shortcut for an Application

Subject

You can create shortcuts for applications from the Account panel, as described in the following procedure.

In Access Collector mode, this functionality is deactivated.

Procedure

• In the Account panel, right-click the wanted application and select Create Shortcut.

A shortcut for the selected application is created on your Windows desktop.

2.13 Removing the Icon from the Notification Area

Subject

Once SSOWatch is started, an icon appears in the Windows notification area. In certain cases, it is preferable to remove this icon:

• To prevent the user from seeing the application list.

• In a Citrix Metaframe/Windows Terminal Server environment, when published applications are used in conjunction with SSOWatch, an icon representing SSOWatch running on the server appears in the client PC notification area (in addition to any local SSOWatch which may be running).

Procedure

• To remove the icon, do one of the following:

a) In the SSOWatch command line (see 2.3.1 Starting SSOWatch), add the parameter /notrayicon.

b) In the Registry, create a non-null DWORD type entry called NoTrayIcon in one of these keys:

  HKLM\SOFTWARE\Policies\Enatel\SSOWatch\CommonConfig

The first key has precedence over the second. The /notrayicon command line parameter has precedence over the Registry.

3 Configuration Editor: Quest Enterprise SSO Studio

Subject

Enterprise SSO Studio is the SSOWatch configuration editor. It allows you to describe the applications for which you want SSOWatch to enable Single Sign-On or account collection (in Access Collector mode), but which could not be configured through the Enterprise SSO Wizard.

Additionally, for those applications that have been configured using Enterprise SSO Wizard, Enterprise SSO Studio enables you to modify or enhance their configuration. If SSOWatch is used in Access Collector mode, Enterprise SSO Studio allows the administrator to configure all the enterprise applications for the users, so that users' accounts can be automatically collected in the users' directory.

Enterprise SSO Studio provides an easy-to-use graphic interface for defining configuration parameters. It is dedicated to application administrators, or to "super-users" who have access to all necessary parameters.

The defined application parameters result in the creation of a unique SSOWatch configuration file. You can define as many applications as needed; SSOWatch manages each application totally independently of the others.

Application Definition

An application is defined by:

• Its properties, such as acceptable password formats, its behavior as seen by SSOWatch, and the accounts that the user will use to connect to the application.

• The windows displayed to the user relating to authentication or password management. These windows may be HTML pages from a web application.

Quest Enterprise SSO Studio Types

The two following Quest Enterprise SSO Studio types are available:

• Enterprise SSO Studio: the application configuration is shared by a number of users.

• Personal SSO Studio: the application configuration is dedicated to a single user. It is automatically accessible on opening Personal SSO Studio.

Storage Modes

The SSO Studio (Enterprise or Personal) configuration can be stored in the Windows registry (file storage mode) or in the LDAP directory (LDAP storage mode).

The storage mode is defined during the installation phase.

• In LDAP storage mode, a centralized configuration is defined in the LDAP directory, for which SSO access is either authorized or denied for a given user or group of users.

The Access Collector mode works only in LDAP storage mode.

• In local storage mode, the configuration is saved in a file in the Windows registry. In Enterprise mode, the administrator may create as many configurations as he or she wishes, and each configuration is saved in a file.

Operating Modes

Quest ESSO can be installed in two different modes: With and without Controller (for more details, see Quest ESSO Installation Guide).

• Without Controller, the configuration of applications can be done entirely with Enterprise SSO Studio.

The Access Collector mode works only without Controller.

• With Controller (Client/Server mode), the configuration of applications is only partly done with SSO Studio: the technical definition of applications can be done with SSO Studio, but the application definition must be completed from the Quest ESSO administration console (see Quest ESSO Console Administrator's Guide).

3.1 Interface Overview

Main Window Interface

Enterprise SSO Studio presents target application parameters as SSO objects organized into a tree structure.

Enterprise SSO Studio enables you to create, modify or delete objects and to store them in an LDAP directory (LDAP mode) or in a SSOWatch configuration file (local storage mode). It is a "single-document" application, which means that only one configuration can be edited at a time.

• In Enterprise SSO Studio used in LDAP storage mode, the displayed tree corresponds to the associated LDAP directory defined at initialization time, as illustrated in the following example figure (interface example of Enterprise SSO Studio used in LDAP storage mode and with Controller).

The objects may be created anywhere the administrator has object-creation rights.

The LDAP administrator is responsible for ensuring that the structure has a branch reserved for the management of Quest ESSO objects.

As the objects will be created directly in the LDAP directory, the directory must be accessible when Enterprise SSO Studio is being used.

• In Enterprise SSO Studio used in local storage mode, or in Personal SSO Studio, the tree displayed is not linked to an LDAP directory, as illustrated in the following example figure (example interface of Personal SSO Studio).

In local storage mode, the configuration is defined with a root node called Local SSOWatch Configuration, to which two other nodes are attached. These are called Applications and Configuration Objects, and are used for Quest ESSO object declarations.

Main Window Areas

• A toolbar offering shortcuts to some menu bar options, as described in the following table. The toolbar appearance depends on the SSO Studio mode used (without and with Controller, LDAP/file storage, Personal/Enterprise).

ENTERPRISE SSO STUDIO MODE / BUTTON / DESCRIPTION

Common buttons:

• (Enterprise SSO Studio only) Creates a new SSO configuration.

• (Enterprise SSO Studio only) Opens an existing SSO configuration.

• Cuts the selected item.

• Copies the selected item.

• Pastes the selected item.

• Displays the properties of the selected item.

• (LDAP storage mode only) Refreshes the displayed LDAP directory.

• Deletes the selected item.

• Renames the selected item.

Without Controller buttons:

• Creates a new Application.

• Creates a new Window object.

• Creates a new Application profile.

• Creates a new PFCP.

• (Enterprise SSO Studio only) Opens the SSO Settings by Population window, which allows you to define the population allowed to access the application.

• Saves the configuration.

With Controller buttons:

• Saves the Directory modifications.

• Tests the selected SSO.

• Adds the selected item to the test list.

• Removes the selected item from the test list.

• A workspace showing a tree structure that allows you to select elements and perform actions directly by double-clicking the objects or using a pop-up menu.

3.2 Starting and Stopping Enterprise SSO Studio

This section explains how to start and stop Enterprise SSO Studio or Personal SSO Studio.

3.2.1 Starting Enterprise SSO Studio

Subject

The following procedure explains how to start Enterprise SSO Studio or Personal SSO Studio.

Procedure

Starting Enterprise SSO Studio Using the Windows Taskbar

1. In the Windows taskbar, click one of the following, depending on the Enterprise SSO Studio operating mode you want to open:

• For Enterprise SSO Studio:

  Start | Programs | Quest Software | Enterprise SSO | Enterprise SSO Studio

• For Personal SSO Studio:

  Start | Programs | Quest Software | Enterprise SSO | Personal SSOStudio

An authentication window appears.

2. Fill in the authentication window and click OK. Enterprise SSO Studio appears.

Starting Enterprise SSO Studio Using Command Line Arguments

• The following table lists the command line arguments that you may use to start Enterprise SSO Studio (builder.exe):

  /wizard: starts the Enterprise SSO wizard.

3.2.2 Stopping Enterprise SSO Studio

Subject

The following procedure explains how to stop Enterprise SSO Studio or Personal SSO Studio.

Procedure

• In the File menu, click Exit.

3.3 Creating or Opening a Configuration

Subject

In Enterprise SSO Studio used in local storage mode, you can create as many configurations as you wish (each configuration is saved in a different file).

This section explains how to create a new configuration, or open an existing one.

In local storage mode, the configuration file to be used may be specified during installation. For more information, see Quest ESSO Installation Guide.

Restriction

The functionality described in this section is only available in Enterprise SSO Studio used in local storage mode.

Procedure

• To open an existing configuration:

a) In the File menu, click Open. The Explorer window appears.

b) Select the configuration you want to open and click OK.

The selected configuration appears in the Enterprise SSO Studio main window.

• To create a new configuration: in the File menu, click New.

Enterprise SSO Studio displays the default configuration.

3.4 Configuring General SSO Parameters

Subject


Restriction

The configuration described in this section is only available in Enterprise SSO Studio used in local storage mode.

Procedure

1. In the Edit menu, click Configuration. The following window appears:

• The Performance tuning area allows you to set the window detection timing.

• The Security Parameters area allows you to define permissions.

2. Fill in the window and click OK to save the configuration and close the window.

3.5 Defining PFCP and Application Profiles

If you use Enterprise SSO Studio without Controller or Personal SSO Studio, you can define the following configuration properties:

• The Password Format Control Policies (PFCP).

• The Application profiles.

With Controller, this configuration can be performed with the Quest ESSO administration console (see Quest ESSO Console Administrator Guide).

Defining Password Format Control Policies (PFCP)

Subject

This section explains how to create or modify a PFCP for the applications for which you want to activate the SSO.

A default PFCP configuration exists in Enterprise SSO Studio: you can modify it or create a new one.


Restriction

The PFCP configuration is only available if you use Enterprise SSO Studio without Controller mode or Personal SSO Studio. With Controller, the PFCP configuration must be done with the administration console (see Quest ESSO Console Administrator Guide).

Procedure

1. In the Enterprise SSO Studio main window, do one of the following, depending on the action you want to perform:

• To create a new PFCP, right-click the Configuration objects node and click New PFCP.

• To modify an existing PFCP, right-click the PFCP you want to modify and click Properties.

The password policy properties window appears.

2. Fill-in the window as described in the following sections:

• For basic parameter definition, fill in the "Password Management Policy" tab: see 3.5.1.1 "Password Management Policy" Tab - Description.

• For advanced parameter definition, fill in the "Password Format Policy" tab: see 3.5.1.2 "Password Format Policy" Tab - Description.

3. Click OK to save the configuration and close the window.

3.5.1.1 "Password Management Policy" Tab - Description

The Password Management Policy tab allows you to define the following PFCP elements:

Password Policy

The PFCP name.


The behavior required when the user is prompted for password change:

Automated password generation or user prompts for a password compatible with the PFCP.

Advanced

a) The "invalid password" string is the string or text that the application sends to indicate that the password is not valid. If the security system is provided with this string for SSO use, it prompts the user for a new password.

b) The period for which a password is valid.

c) The number of old passwords retained.

3.5.1.2 "Password Format Policy" Tab - Description

The Password Format Policy tab allows you to define the following elements:

Password Format

Defines how a valid password is created: minimum and maximum password lengths, and the minimum and maximum number of upper-case letters, lower-case letters (excluding accented characters), numbers, or special characters that should make up a valid password.

The special characters supported by SSOWatch are listed in the following table:

& ~ " # ' { ( [ ° ] = + } $ % * , ? ; . : / !

Accented characters are not allowed.

Forbidden characters

List of forbidden characters.

Advanced

Specifies the maximum number of occurrences of a given character in a password.

Test Password Generation button

This button allows you to see an example of a password generated using the rules you have configured.
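As an added example (not the product's code), the following Python models the elements of this tab: the length bounds, the per-class minimum and maximum counts using the special-character set listed above, the Forbidden characters list, the Advanced per-character occurrence cap, and a generator that plays the role of the Test Password Generation button. The class and field names are assumptions, not SSOWatch configuration keys.

```python
import secrets
import string
from dataclasses import dataclass
from typing import Optional

# Special characters supported by SSOWatch, exactly as listed in the
# "Password Format Policy" tab description.
SPECIAL_CHARS = '&~"#\'{([°]=+}$%*,?;.:/!'

# Character classes a PFCP counts; accented characters are excluded,
# as the tab description states.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": SPECIAL_CHARS,
}


@dataclass
class PasswordFormatPolicy:
    """Hypothetical model of a PFCP. Attribute names are assumptions, not the
    product's configuration keys. A maximum of None means 'no maximum'."""
    min_length: int = 8
    max_length: int = 16
    min_upper: int = 1
    max_upper: Optional[int] = None
    min_lower: int = 1
    max_lower: Optional[int] = None
    min_digit: int = 1
    max_digit: Optional[int] = None
    min_special: int = 1
    max_special: Optional[int] = None
    forbidden: str = ""                     # "Forbidden characters" list
    max_occurrences: Optional[int] = None   # "Advanced": per-character cap

    def limits(self) -> dict:
        """(minimum, maximum) pair for each character class."""
        return {name: (getattr(self, f"min_{name}"), getattr(self, f"max_{name}"))
                for name in CLASSES}


def check_password(policy: PasswordFormatPolicy, pwd: str) -> list:
    """Return the policy violations found in pwd; an empty list means compliant."""
    problems = []
    if not policy.min_length <= len(pwd) <= policy.max_length:
        problems.append(f"length {len(pwd)} outside [{policy.min_length}, {policy.max_length}]")
    unsupported = sorted({c for c in pwd if not any(c in pool for pool in CLASSES.values())})
    if unsupported:
        problems.append("unsupported characters: " + "".join(unsupported))
    for name, (lo, hi) in policy.limits().items():
        n = sum(c in CLASSES[name] for c in pwd)
        if n < lo or (hi is not None and n > hi):
            problems.append(f"{name}: {n} outside [{lo}, {'no max' if hi is None else hi}]")
    bad = sorted(set(pwd) & set(policy.forbidden))
    if bad:
        problems.append("forbidden characters: " + "".join(bad))
    if policy.max_occurrences is not None:
        repeated = sorted({c for c in pwd if pwd.count(c) > policy.max_occurrences})
        if repeated:
            problems.append(f"more than {policy.max_occurrences} occurrences of: " + "".join(repeated))
    return problems


def generate_password(policy: PasswordFormatPolicy, attempts: int = 1000) -> str:
    """Produce a compliant password, as the Test Password Generation button does:
    mandatory class counts first, remaining positions from classes still below
    their maximum, a CSPRNG shuffle, then a re-check (retry if the cap is hit)."""
    rng = secrets.SystemRandom()
    pools = {name: [c for c in chars if c not in policy.forbidden]
             for name, chars in CLASSES.items()}
    limits = policy.limits()
    if sum(lo for lo, _ in limits.values()) > policy.max_length:
        raise ValueError("class minimums exceed the maximum length")
    for _ in range(attempts):
        length = rng.randint(policy.min_length, policy.max_length)
        chars = [rng.choice(pools[name]) for name, (lo, _hi) in limits.items()
                 for _i in range(lo) if pools[name]]
        counts = {name: lo for name, (lo, _hi) in limits.items()}
        while len(chars) < length:
            open_classes = [name for name, (_lo, hi) in limits.items()
                            if pools[name] and (hi is None or counts[name] < hi)]
            if not open_classes:
                break  # every class is at its maximum: try another length
            name = rng.choice(open_classes)
            chars.append(rng.choice(pools[name]))
            counts[name] += 1
        rng.shuffle(chars)
        candidate = "".join(chars)
        if not check_password(policy, candidate):
            return candidate
    raise ValueError("could not generate a compliant password for this policy")


if __name__ == "__main__":
    policy = PasswordFormatPolicy(min_special=2, forbidden="!?", max_occurrences=2)
    print(generate_password(policy), check_password(policy, "Abcdef1&~"))  # ... []
```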

3.5.2 Defining the Application Profiles

Subject

Application profiles are security objects that define a set of rights and properties that are applied generically for one or more applications.

This section explains how to configure the application profiles for the applications for which you want to activate the SSO.

A default Application profile configuration exists in Enterprise SSO Studio: you can modify it or create a new one.

Restriction

The Application profile configuration is only available if you use Enterprise SSO Studio without Controller or Personal SSO Studio. With Controller, the Application profile configuration must be done with the administration console (see Quest ESSO Console Administrator Guide).

Procedure

1. In the Enterprise SSO Studio main window, do one of the following, depending on the action you want to perform:

• To create a new Application profile, right-click the Configuration objects node and click New Application Profile.

• To modify an existing Application profile, right-click the Application profile you want to modify and click Properties.

The application profile properties window appears.

2. Fill in the window as described in the following sections:

• For the Access Strategy tab, see 3.5.2.2 Access Strategy Tab of an Application Profile.

• For the Delegation tab (only if you use Enterprise SSO Studio without Controller and in LDAP storage mode), see 3.5.2.3 Delegation Tab of an Application Profile.

3. Click OK to save the configuration and close the window.

3.5.2.1 Properties Tab of an Application Profile

The Properties tab allows you to configure the following parameters:

Application Profile name.

Password Policy associated with the Application Profile.

For details on how to create a Password Policy, see Defining Password Format Control Policies (PFCP).

SSOWatch Desktop options:

a) Display the applications associated with this profile in the user’s SSOWatch Account panel.

b) Automatically launch the applications associated with this profile when SSOWatch starts.

c) Test the applications associated with this profile to check if the SSO configuration works. For details on how to use the test mode, see Section 2.9, "Testing the SSO Configuration of an Application".

This option is available with Personal SSO Studio. It is also available with Enterprise SSO Studio in the Application Profile in Quest ESSO Console.


3.5.2.2 Access Strategy Tab of an Application Profile

The Access Strategy tab allows you to configure the following parameters:

Credential storage

Storage location of the SSO accounts used by the applications associated with the Application Profile.

If you select Store on token, ensure that the proper authentication method is supported. For more information, contact your security administrator.

Single Sign-On Policy

a) Users must re-authenticate

Before each SSO, the user must confirm the primary password, PIN or biometric identity.

b) Users can modify account

This option is selected by default.

If unchecked, the user will not be allowed to change the password through the user account management screen.

c) Users can display password

The user may ask for the password to be displayed. If this is the case, the user will be asked to re-authenticate.

d) Users can cancel Single Sign-On

If this option is cleared, the user cannot cancel the SSO execution when he/she starts an application associated with the Application Profile:

• If the user starts an application for the first time, he/she must complete the authentication data collection dialog box.

• If the user has several accounts for an application, he/she must select an account in the account selection dialog box (the Cancel button is

If a problem occurs (for example, if the authentication data cannot be saved due to network issues), the Cancel button is available again to allow the user to log on manually or to quit the application.

Select this option to allow users to temporarily cancel the SSO execution for applications associated with the Application Profile, then select in the drop-down list the scope of this option:

• For the current session only: if the user cancels the SSO execution, he/she can then start as many application instances as required; the SSO execution remains disabled.

The SSO is enabled again when the user quits all the application instances and restarts the application (or resets the SSO configuration or restarts SSOWatch).

• For the application (until reset): the user can disable the SSO execution either for the current SSO session (see above) or until further notice. In the latter case, to enable the SSO execution again for the suspended applications, the user must use the appropriate contextual command from the SSOWatch Account panel (or reset the SSO configuration, or restart SSOWatch).

• For the current window only: if the user cancels the SSO execution for an application, the SSO is disabled for this application instance only.

For more details on the commands and controls that are modified by this option, see the following sections:

Section 2.6.1, "Providing SSO Data When Launching an SSO Enabled Application for the First Time".

Section 2.6.6, "Creating a New Account for an Application".

Section 2.7, "Disabling/Enabling SSO for Applications".

Account Security Options

This area only appears if you use Enterprise SSO Studio without Controller and in LDAP storage mode. It allows you to select the way the secondary accounts used by the applications associated with the Application Profile are ciphered. In the drop-down list, select one of the following entries:

a) User: only the user can decipher his/her secondary accounts. This is the most secure option.

If the user forgets his/her primary password or loses his/her smart card, it is impossible to recover his/her secondary accounts.

b) User, administrators: the user and you can decipher his/her secondary accounts. Thus, if you force a new primary password or assign a new smart card using Quest ESSO Console, the user's secondary accounts are also recovered.

c) User, administrators and an external key: select this entry to allow an external application to decipher the user's secondary accounts using a public key. For example, you must select this entry if you want to use Quest ESSO with Web Access Manager (WAM). By selecting this entry, you allow WAM to decipher the Quest ESSO secondary accounts of the user so that WAM can perform SSO with these accounts.
