Enterprise SSO Administrator's Guidesupport-public.cfm.quest.com/44012_Enterprise_SSO_Administrator's... · ESSO Enterprise Studio 17 Enterprise SSO Plug-ins 18 The SSO Engine 18

Enterprise SSO 9.0.2

Administrator Guide

1

Copyright 2017 One Identity LLC.

ALL RIGHTS RESERVED.This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of One Identity LLC .The information in this document is provided in connection with One Identity products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of One Identity LLC products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, ONE IDENTITY ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL ONE IDENTITY BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF ONE IDENTITY HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. One Identity make no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. One Identity do not make any commitment to update the information contained in this document.If you have any questions regarding your potential use of this material, contact:One Identity LLC.Attn: LEGAL Dept4 Polaris WayAliso Viejo, CA 92656Refer to our Web site (http://www.OneIdentity.com) for regional and international office information.

PatentsOne Identity is proud of our advanced technology. Patents and pending patents may apply to this product. For the most current information about applicable patents for this product, please visit our website at http://www.OneIdentity.com/legal/patents.aspx.

TrademarksOne Identity and the One Identity logo are trademarks and registered trademarks of One Identity LLC. in the U.S.A. and other countries. For a complete list of One Identity trademarks, please visit our website at www.OneIdentity.com/legal. All other trademarks are the property of their respective owners.

Legend

WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

Enterprise SSO 9.0.2 Administrator Guide 2

http://www.oneidentity.com/

http://www.oneidentity.com/legal/patents.aspx

http://www.oneidentity.com/legal

IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.

Enterprise SSO Administrator GuideUpdated - December 2017Version - 9.0.2


Preface

Subject This guide explains how to use the Enterprise SSO Configuration Editor, which enables you to describe the applications for which Enterprise SSO will implement Single Sign-On (SSO).

Audience This guide is intended for:

l System Integrators.

l Administrators.

Required Software EAM 9.0 evolution 2 and later versions. For more information about the versions of the required operating systems and software solutions quoted in this guide, please refer to One Identity EAM Release Notes.

Typographical Conventions

Bold Indicates:

l Interface objects, such as menu names, buttons, icons and labels.

l File, folder and path names.

l Keywords to which particular attention must be paid.

Italics - Indicates references to other guides.

Code - Indicates portions of program codes, command lines or messages displayed in command windows.

CAPITALIZATI ON Indicates specific objects within the application (in addition to standard capitalization rules).

< > Identifies parameters to be supplied by the user.

WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.

Documentation support

The information contained in this document is subject to change without notice. As our products are continuously enhanced, certain

Enterprise SSO 9.0.2 Administrator Guide

Preface4

pieces of information in this guide can be incorrect. Send us your comments or suggestions regarding the documentation on the One Identity support website.


Preface5

Contents

Preface 4

Overview 13

Enterprise SSO Principles 13

Application Modeling 13

Application Access Profiles 14

Password Format Control Policies (PFCP) 14

Application Behavior 14

Window Types 15

LDAP Directories 16

The Access Collector Mode 16

The Components 17

ESSO Enterprise Studio 17

Enterprise SSO Plug-ins 18

The SSO Engine 18

Enterprise SSO 19

Overview 19

Enterprise SSO Interface 20

Enterprise SSO Icon 20

Enterprise SSO Pop-up Menu 21

The Enterprise SSO Window 23

The "Account" Panel 23

The "Home" Panel 24

Creating a Cloud E-SSO Account 25

Starting/Exiting Enterprise SSO 26

Starting Enterprise SSO 27

E-SSO connected to the Enterprise 27

E-SSO connected to the Cloud 28

Exiting Enterprise SSO 29

Suspending/Activating Enterprise SSO 30

Resetting the Enterprise SSO Configuration 30

Managing User Accounts 31


Providing SSO Data When Launching an SSO Enabled Application for the First Time 32

Displaying your Enterprise SSO User Accounts 33

Displaying the Properties of a User Account 34

Changing the Login Name and/or Password of a User Account 35

Updating the Password of a User Account upon Application Request 36

Creating a New Account for an Application 37

Deleting a User Account 38

Displaying the User Account Password 39

Delegating a User Account 40

Delegating a User Account With the Wizard 40

Delegating a User Account Manually 42

Removing a User Account Delegation 43

Disabling/Enabling SSO for Applications 44

Requesting an Access to an Application Through the Request Manager Portal 45

Testing the SSO Configuration of an Application 46

Starting Personal SSO Studio 47

Starting an Application 48

Creating a Shortcut for an Application 48

Removing the Icon from the Notification Area 49

Configuration Editor: ESSO Enterprise Studio 50

Interface Overview 52

Starting and Stopping ESSO Enterprise Studio 56

Configuring General SSO Parameters 58

Defining PFCP and Application Profiles 59

Defining Password Format Control Policies (PFCP) 60

The "Password Management Policy" Tab 61

The "Password Format Policy" Tab 62

Defining the Application Profiles 63

Properties Tab of an Application Profile 64

Access Strategy Tab of an Application Profile 65

Delegation Tab of an Application Profile 67

Defining Application and Technical Definition Objects 68

Creating/Modifying Application Objects and Technical Definitions 68

Creating a New Application Object or Technical Definition 69


Modifying an Application Object or Technical Definition Configuration 69

Filling-in the Application Properties Window 70

"Properties" Tab of an Application Object 70

"Properties" Tab of a Technical Definition Object 72

"Account Base" tab of an Application Object 73

The "Launcher" Tab 75

The "QRentry keyboard" Tab 77

The "Parameters" Tab 77

The "Application Profile" Tab 81

Defining Advanced Access Rights 82

Defining Window Objects 84

The "General" Tab 84

The "Options" Tab 88

The Detection Criteria Area 88

The Execution options Area 91

The Advanced Options area 92

The "Detection" and "Actions" Tabs 94

Testing the SSO 94

Backuping Objects 95

Exporting/Importing Objects using the Graphical Interface 96

Importing Objects using Command Line Arguments (without Controller) 97

Managing Objects in the Tree 99

Copying/Cutting/Pasting Objects 99

Renaming an Object 100

Deleting an Object from the Tree 100

Saving Object Configurations 100

Saving Object Configurations in LDAP Storage Mode (with Controller) 101

Saving Object Configurations in Local Storage Mode 101

Managing Configuration Updates 102

Refreshing the Tree 103

The Generic Plug-in 104

Window Detection 106

Simple Detection 107

Simple Detection of a Window or a Java Applet 107

Simple Detection of a Web Page 109


Advanced Detection 110

The Enable Variable URL Detection option 110

The Look for text option 112

The Advanced button 113

Restrictions 114

User Interface 114

The Target button 115

Validation Actions 116

Generic Plug-in Actions 116

StandardLogin – Connection 117

Window Description 117

Defining Additional Fields (Optional) 118

Enterprise SSO Behavior 119

BadPassword 119



NewPassword 121



ConfirmPassword 123



BadNewPassword 125



Special Cases 126

NotesLogin (Lotus Notes Plug-in) 126

Lotus Notes Identifier Format 127


Configuring the Field Containing the Lotus Notes Login 129


HTTP Authentication (Internet Explorer Plug-in) 129



HTTP Authentication with Google Chrome 132


The Google Chrome Extension 135

Installing the Chrome Extension 135

Global Installation 136

Local Installation 136

Configuring the Technical Definitions and Windows 137

The Microsoft Internet Explorer Plugin 138

HTML/Internet Explorer Detection 139

Variable URLs 140

Advanced Detection 141

User Interface 141

Selecting a Field in an HTML Form 142

Custom SSO Parameters 143

Submitting an HTML Form 143

Simple Submit / Button Click 144

Click a Link 144

HTML/Internet Explorer Actions 145

HTMLLogin – Connection 145

Configuration. 145

Actions 146

HTMLBadPassword 146

Configuration 147

Actions 148

HTMLNewPassword 148

Configuration 149

Actions 149

HTMLBadNewPassword 150

Configuration 150

Actions 151

The SAP R/3 Plug-in 152

SAPLogin and SAPExpired Window Types 152

SAPLogin (SAP R/3 Login) 152

SAPExpired (SAP R/3 Password Expiry) 153

Basic Principles of the SAP R/3 Plug-in 153

Configuration Guide 154


Configuring an SAP R/3 Application 154

Configuring the SAPGUI Scripting Window 154

The Detection Tab 154

The Actions Tab 156

Terminal Type Applications 159

Terminal 159

Microsoft TelnetW2KXP 160

Banners 161

The HLLAPI Plug-in 164

Configuring the HLLAPI Plug-in 164

Configuring the HLLAPI Plug-in for a Single Application 165

Configuring the HLLAPI Plug-in for Different Types of Applications 165

HLLAPI Plug-in Registry Keys 166

Enabling SSO for HLLAPI Applications 169

The Detection Tab 170

The Actions Tab 173

HLLAPI Application Keys 175

Advanced Configuration 182

Custom Scripts Plug-ins 182

Basic Concepts 183

Scripting Logic 183

Data "Buffer" 184

The Actions Tab 184

Script Editor 186

Script Editor Toolbar 187

Script Editor Actions 187

Extension DLL 200

Function Prototyping 201

SSOWatchSSOData Structure 201

Return Code 202

OLE/Automation Interface 204

Definition of Enterprise SSO OLE/Automation Interface 204

The ISSOEngine Interface 205

GetApplication2 205


GetSSOEngineState 206

Interface ISSOApplication 207

Properties 207

The LoginId Property 207

The Password Property 208

Methods 209

The GetSSOParameter Method 209

The GetUserApplicationPassword Method 210

The GetNewPassword Method 210

The get_IsExpired Method 211

Code Example 212

Return Codes 212

Cache Tuning and Asynchronous Update of the Application Data 214

Cache and Application Update Mechanism 214

Cache Mechanism 214

Asynchronous Update Mechanism 216

Cache and Update Timing Parameters 217

Integrating Care-FX with Enterprise SSO 220

Authentication Description 220

Logging On 220

Logging Out 221

Configuring the Implementation 221

Activating the FCC Notification 221

Integrating the COM Interface 222

About us 223

Contacting us 223

Technical support resources 223


1

Overview

In this section:

l Enterprise SSO Principles

l The Access Collector Mode

l The Components

Enterprise SSO Principles

This section presents Enterprise SSO basic concepts.

In this section:

l Application Modeling

l Application Access Profiles

l Password Format Control Policies (PFCP)

l Application Behavior

l Window Types

l LDAP Directories

Application Modeling

ESSO Enterprise Studio, the Enterprise SSO configuration editor is used to describe the applications for which Enterprise SSO will enable Single Sign-On (SSO).

An application is defined by:

l A set of associated user accounts (referred to as the link to the security system).

l A set of windows or HTML pages.

The application windows or HTML pages that refer to the authentication management tool must be described in Enterprise SSO using the configuration editor tools.


Overview13

This description allows to recognize the window or HTML page whenever it is displayed to the user. Enterprise SSO intercepts these pages and implements SSO.

In addition to the elements that allow window/page detection, the description contains the actions that the SSO engine has to perform.

Each window is defined by a type that characterizes the target application technology and the actions that the SSO engine will perform. Indeed, the events that refer to the user’s authentication in an application can be of different kinds: authentication, password update request, etc.

Enterprise SSO manages the different events relating to the application behavior.

Application Access Profiles

Application profiles include the parameters of one or more applications that can then be defined differently, depending on the users that access them.

These profiles are used to assign applications to users.

An application access profile is includes by the following parameters:

l The password format managed by the application.

l The Enterprise SSO options.

l The SSO policy: requirement for reauthentication, the user’s ability to modify SSO data, hide/show password, etc.

l Delegation parameters.

Password Format Control Policies (PFCP)

A PFCP defines:

l The format of the passwords managed by an application: characters that are allowed/forbidden, length, authorized repetitions.

l Whether a password is to be randomly generated (following the format required), or asked to the user.

The PFCP is applied only when E-SSO detects a password update is requested by the application (example: see Updating the Password of a User Account upon Application Request). When the password is changed manually or when the account data is collected for the first time, the PFCP is not applied.

Application Behavior

A user authenticates to a secure application as follows:


Overview14

l He tries to log on to the application.

l If the security data provided is correct, the user is authenticated by the application and can work normally.

l If the data is incorrect, the application will display a message or re-display the authentication window, informing the user that he has made a mistake during the authentication process. The user is prompted to try again until validation by the application.

Once connected, the user can change the password, either at will or at the application’s request:

l The user enters a new password and (sometimes) confirms it.

l Either the new password is accepted by the application and the user can continue to work normally, or the application informs the user that the new password has been rejected.

The following schema illustrates the diagram of an application behavior.

Enterprise SSO manages the application behavior regarding to the user authentication we have just described. This behavior is configured by choosing a type for the defined windows.

Window Types

A window type indicates the SSO engine behavior and the technology of the managed application.

An application’s behavior includes:


Overview15

l Detecting the connection step (Login).

l Detecting a wrong password/username (BadPassword).

l Detecting a new password request (NewPassword).

l Detecting an incorrect new password (BadNewPassword).

l Confirming this new password (ConfirmPassword).

The technologies managed by Enterprise SSO are:

l Microsoft Win32 standard Windows.

l HTML pages in Internet Explorer.

l Windows of type "Terminal in text mode".

l Some particular cases or optimizations of standard types.

LDAP Directories

Several types of LDAP directories are supported for user security data storage.

NOTE:

l For more information on the supported LDAP directory versions, see Evidian EAM Release Notes.

l For a description of the procedures for modifying your LDAP directory, see Evidian EAM Installation Guide

The Access Collector Mode

The Access Collector mode is an option of Enterprise SSO; which automatically collects all user accounts and stores them in the users' directory. This mode only works if the workstations are configured as "without Controller".

The goal of this feature is to report to the administrators all the accounts used to access the applications of the enterprise, so that they can create an access policy adjusted to the needs. Only one account can be collected for one application (multi-account is not supported).

Mechanism

When a user launches an application that is detected by Enterprise SSO, the latter starts the account collect.

l If the account was already collected, nothing happens and the SSO is not performed.


Overview16

l If a BadPassword window is detected in the collect context, the collected account is deleted or a new account is collected. The account is not deleted if the BadPassword occurs at any other moment.

Once the account is collected, the SSO is deactivated for the application.

Enterprise SSO Behavior

The SSO is only performed if there is no collected account for the detected application login window.

The passwords entered by the users are never sent to the directory: they are only kept temporarily in memory for SSO purposes.

Users are not allowed to stop or suspend Enterprise SSO, they have no access to the Personal SSO Studio and cannot manage their accounts through the user Account panel.

Updating the configuration

Only the Application, Technical definition and Parameter objects are retrieved from the directory. They are retrieved in an asynchronous way to avoid the update during the user authentication.

All users can access all the applications downloaded by the workstation.

The Components

Enterprise SSO is built with the components described in this section.

In this section:

l ESSO Enterprise Studio

l Enterprise SSO Plug-ins

l The SSO Engine

ESSO Enterprise Studio

ESSO Enterprise Studio is the Enterprise SSO configuration editor. It allows the creation of Enterprise SSO configuration files and the management of the Enterprise SSO LDAP objects.

This program is designed to be used by people who define and setup SSO.

SSO Studio can be used in Enterprise or Personal mode, to modify the corresponding configuration files:


Overview17

l The Enterprise configuration file is common to a group of users and is usually saved in an LDAP directory or in a simple file. When a simple file is used, the configuration can be stored in a central location for an easier deployment.

l The Personal configuration file is specific to one user, and is saved in the person’s personal profile (Windows profile or the person’s LDAP attributes).

SSO configuration is easily performed through "drag and drop".

Enterprise SSO Plug-ins

Enterprise SSO plug-ins are extensions of the Enterprise SSO and of the Enterprise SSO configuration editor; they add SSO management methods for different types of applications.

Besides the management of standard Windows applications, several plug-ins are available:

l Internet Explorer, enabling SSO in HTTP/HTML applications running under Internet Explorer 4 or later.

l Google Chrome.

l Lotus Notes.

l Microsoft TelnetW2KXP.

l SAP R/3.

l HLLAPI.

l Custom Scripts, to enable SSO in Windows/HTML applications not managed by the standard window types.

NOTE: For more information on the supported versions, see Evidian EAM Release Notes.

The SSO Engine

The administration module of the SSO engine enables to manage:

l Enterprise SSO: you can activate, suspend or update the E-SSO configuration to take the modifications into account.

l The user accounts: you can visualize or update you user accounts.


Overview18

2

Enterprise SSO

This section describes the Enterprise SSO interface and how to use it.

In this section:

l Overview

l Enterprise SSO Interface

l Creating a Cloud E-SSO Account

l Starting/Exiting Enterprise SSO

l Suspending/Activating Enterprise SSO

l Resetting the Enterprise SSO Configuration

l Managing User Accounts

l Disabling/Enabling SSO for Applications

l Requesting an Access to an Application Through the Request Manager Portal

l Testing the SSO Configuration of an Application

l Starting Personal SSO Studio

l Starting an Application

l Creating a Shortcut for an Application

l Removing the Icon from the Notification Area

Overview

Enterprise SSO Definition

Enterprise SSO is in charge of the following SSO operations:

l It retrieves SSO data for the E-SSO middleware, which runs on the workstation, and provides this information to the application login windows.

l It offers self administration features, for example to allow you to register yourself to applications or change your passwords.


Enterprise SSO19

l In Access Collector mode, it starts the account collect when the user launches an application and deactivates the SSO once the account is collected.

Enterprise SSO Configuration

The Enterprise SSO configuration stores the SSO data. It can be defined by two kinds of users:

l The EAM security administrators, through ESSO Enterprise Studio. This tool allows administrators to create and modify the Enterprise SSO configuration common to many end-users.

l The end-users, through Personal SSO Studio if the component is installed on the workstation. This tool allows you to define your personal SSO data used to log on your personal applications.

Enterprise SSO Interface

This section gives an overview of the Enterprise SSO interface. Depending on the E-SSO version installed on your station (connected to the Enterprise or the Cloud), some elements of the graphical interface may differ. When you are connected to the:

l Enterprise, a check appears.

l Cloud, a cloud appears.

In this section:

l Enterprise SSO Icon

l Enterprise SSO Pop-up Menu

l The Enterprise SSO Window

Enterprise SSO Icon

The Enterprise SSO icon is displayed in the Windows notification area.

Depending on the Enterprise SSO state, this icon can have several states:


Enterprise SSO20

Icons Description

Enterprise Cloud

Enterprise SSO is activated: the SSO feature is enabled (whenever it detects a configured application login window, Enterprise SSO automatically provides the required SSO data).

Enterprise SSO is suspended: the SSO feature is disabled.

Enterprise SSO is locked: when the Enterprise SSO detects a configured application login window, or when you want to display the user accounts associated with applications (see Displaying your Enterprise SSO User Accounts), Enterprise SSO may ask you to reauthenticate. Upon a successful authentication, Enterprise SSO state switches to activated.

Table 1: Enterprise SSO Icons

Enterprise SSO Pop-up Menu

The Enterprise SSO pop-up menu appears when you right-click the Enterprise SSO icon. It enables you to control Enterprise SSO:

IMPORTANT: Depending on your Enterprise SSO configuration, some menu commands may not appear, as detailed in the following table.Replace this text with a notation that requires the reader's attention.

The following table describes the Enterprise SSO pop-up menu.


Enterprise SSO21

Menu Command Description

About Enterprise SSO

Displays the Enterprise SSO version and the storage mode of the Enterprise SSO configuration file:

l LDAP: centralized configuration is defined in the LDAP directory for which SSO access is either authorized or denied for a given user or group of users.

l File: the configuration is saved in a file in the Windows registry.

l Self Registration: a centralized configuration is defined in the LDAP directory, to collect all the accounts used for the applications of the enterprise (for more information, see The Access Collector Mode).

Account delegation

Enables you to delegate one or several of your accounts to specific users of your choice during a specific length of time.

Open ESSO Enter-prise Studio

Opens the SSO Account panel; which allows you to manage your user accounts.

NOTE: This menu command is bold, which means that this is a default command: double-click the Enterprise SSO icon to run it.Replace this text with a description of a feature that is noteworthy.

Add application Starts Enterprise SSO Wizard, which is the easiest way to set up your personal Enterprise SSO configuration. For an example of how to use the Enterprise SSO Wizard, see Evidian EAM in a Nutshell.

NOTE: This menu command does not appear if Personal SSO Studio is not installed on the workstation, or if Enterprise SSO is used in Access Collector or Cloud mode.

Open ESSO Enter-prise Studio

Starts Personal SSO Studio, the editor tool of your personal Enterprise SSO configuration. For details on how to use ESSO Enterprise Studio, see Configuration Editor: ESSO Enterprise Studio.

NOTE: This menu command does not appear if Personal SSO Studio is not installed on the workstation, or if Enterprise SSO is used in Access Collector or Cloud mode.

Suspend, Activate Manages the states of Enterprise SSO.

Table 2: Enterprise SSO pop-up menu


Enterprise SSO22

Menu Command Description

NOTE: Depending on your configuration, this menu command may not appear (unavailable in Access Collector mode).

Reset Config-uration

Stops and restarts Enterprise SSO to take into account modifications of the Enterprise SSO configuration.In Access Collector mode, this command only synchronizes SSO Account data.

Exit Enterprise SSO

Closes Enterprise SSO.

NOTE: Depending on your configuration, this menu command may not appear (unavailable in Access Collector mode).

The Enterprise SSO Window

The Enterprise SSO window appears when you click Open in the pop-up menu, or just by double-clicking the Enterprise SSO icon. It is composed of the following panels:

l The Account panel ( button).

l The Home panel ( button).

In this section:

l The "Account" Panel

l The "Home" Panel

The "Account" Panel

When you open the Enterprise SSO window, the Account panel appears. It lists your user accounts managed by Enterprise SSO. From this panel, you can modify several user account parameters, as described in Managing User Accounts.


Enterprise SSO23

The "Home" Panel

From the Home panel, you can perform the following tasks:

Manage the states of Enterprise SSO (Area 1), as described in the following sections:

l Suspending/Activating Enterprise SSO.

l Resetting the Enterprise SSO Configuration.

l Exiting Enterprise SSO.

If you are using several user accounts for a same application, select the Current role (Area 2) that will be valid only for the current Windows session and/or until Enterprise SSO is reinitialized.


Enterprise SSO24

Creating a Cloud E-SSO Account

Subject

To execute Cloud E-SSO, you must have a corresponding account.

Procedure

1. Click the Enterprise SSO tile.

The authentication window appears.

2. Click I want to register.

The register form appears.

3. Enter your first name, last name and email address, then click Next.

IMPORTANT: The email address must be unique, valid and accessible.

A confirmation code is sent to the email address provided for validation.


Enterprise SSO25

4. Enter the confirmation code and click Next.

The password creation window appears.

5. Enter and confirm your password by following the imposed policy, then click Next.

Your account has been created, you can now authenticate to access Cloud E-SSO (see E-SSO connected to the Cloud).

Starting/Exiting Enterprise SSO

This section describes how to start and exit Enterprise SSO.

In this section:


Enterprise SSO26

l Starting Enterprise SSO

l Exiting Enterprise SSO

Starting Enterprise SSO

Subject

Usually, Enterprise SSO starts automatically when you log on. You must start it manually in the following cases:

l If Enterprise SSO has not been configured to start automatically.

l If you manually exit Enterprise SSO and want to restart it.

Depending on the E-SSO version installed on your station, connected to your enterprise (see E-SSO connected to the Enterprise) or to the Cloud (see E-SSO connected to the Cloud); the E-SSO start will be different.

E-SSO connected to the Enterprise

Procedure

1. To manually start Enterprise SSO, do one of the following:

l Click the Enterprise SSO tile.

l Use the command line: the following table lists the command line arguments that you can use to start Enterprise SSO (ssoengine.exe):

l /notrayicon : starts Enterprise SSO without displaying the icon located in Windows notification area.

l /nosplashscreen : starts Enterprise SSO without displaying the welcome window (splash screen).

l The configuration file to be used can be added as a parameter to the SSOEngine.exe program (no option). Example: C:\Configs SSOWatch\SSOConfig2.sso


Enterprise SSO27

2. Enter your identifier and password to authenticate.

The Enterprise SSO window appears.

A welcome message appears in a balloon help on the bottom right-hand side of your screen.

NOTE: This is configurable in the EAM Console by creating one message per user.

If you are using a roaming session, a balloon help appears telling you when your session expires. You can display it at all times by passing the cursor over the Enterprise SSO icon in the notification area.

E-SSO connected to the Cloud

Before starting

To use Cloud E-SSO, you must own a Cloud E-SSO account. If it is not the case, when starting Cloud E-SSO, click the I want to register link and go to Creating a Cloud E-SSO Account.

Procedure

1. To start Cloud Enterprise SSO manually, click the Enterprise SSO tile ( ).

IMPORTANT: If the Cloud server was not provided during installation, you must enter the DNS name of this server.


Enterprise SSO28

2. Enter your email and password to authenticate.

IMPORTANT:If you have forgotten your password, click I have forgotten my password. You must provide your email to receive the confirmation code to provide for the reset.

3. If the Cloud server is not reachable, click the Servers button to check or change the Cloud server.

IMPORTANT: If the certification authority was not defined during the installation, you must accept the proposed certificate by clicking Yes, always.


NOTE: This is configurable in the EAM Console by creating one message per user.

Exiting Enterprise SSO

Procedure

To exit Enterprise SSO, right-click the Enterprise SSO icon and select Exit Enterprise SSO.

The Enterprise SSO icon disappears. The SSO feature is disabled.

NOTE: Depending on your configuration, this menu command may not be available (unavailable in Access Collector mode).


Enterprise SSO29

Suspending/Activating Enterprise SSO

Subject

l By default, Enterprise SSO is automatically activated when you log on. You must suspend it manually, as described in the following procedure.

NOTE: In Access Collector mode, this feature is deactivated.

Procedure

l To suspend Enterprise SSO, right-click the Enterprise SSO icon and select Suspend.

The Enterprise SSO icon state changes, as described in The Enterprise SSO Window. While it is suspended, no single sign-on is performed.

NOTE:

l Depending on your configuration, this menu command may not be available.

l Enterprise SSO automatically suspends itself when the smart card or USB token used for authentication is removed.

l To resume Enterprise SSO, right-click the Enterprise SSO icon and select Activate.

The Enterprise SSO icon state changes, as described in Enterprise SSO Icon. The SSO feature is enabled.

Resetting the Enterprise SSO Configuration

Subject

By default, if the Enterprise SSO configuration changes, a notification message automatically appears asking you if you want to take the modifications into account, as shown in the following illustration:


Enterprise SSO30

You can take manually the modifications of the Enterprise SSO configuration file into account, using the Reset Configuration command, as described in the following procedure.

In Access Collector mode, this command only synchronizes SSO Account data.

NOTE: In Access Collector mode, Enterprise SSO automatically reloads the SSO configuration every 6 hours: this allows taking into account modifications in the SSO data updated by the asynchronous update. You can change this value (in hours) in the following registry key/GPO: HKLM\Software\Enatel\SSOWatch\CommonConfig\AutomaticRefresh

Procedure

l In the Windows notification area, right-click the Enterprise SSO icon and select Reset Configuration.

Managing User Accounts

This section describes how to manage your Enterprise SSO user accounts from the Enterprise SSO Account panel.

In this section:

l Providing SSO Data When Launching an SSO Enabled Application for the First Time

l Displaying your Enterprise SSO User Accounts

l Displaying the Properties of a User Account

l Changing the Login Name and/or Password of a User Account

l Updating the Password of a User Account upon Application Request

l Creating a New Account for an Application

l Deleting a User Account

l Displaying the User Account Password

l Delegating a User Account


Enterprise SSO31

Providing SSO Data When Launching an SSO Enabled Application for the First Time

At the first launch of an SSO enabled application, when the application requests the user’s authentication, the Enterprise SSO collect window appears in the foreground (the application is temporarily unavailable) and requests the user name and password for the application.

Simply provide your usual user name for this application, your password (and confirm it to avoid mistype errors), and validate by clicking the OK button.

This data will be stored in a secure way by Enterprise SSO so that it can reuse it afterwards, without requesting any new data. Single Sign-On is now enabled for this application.

Depending on your configuration:

NOTE: The dialog box may not appear if you start another application instance (without exiting the first one). In this case, exit all the application instances and restart the application.

The following controls can be available:

l The Cancel button: if available, click this button to cancel the authentication data collection. You can then log on manually or exit the application.For more information on the actions of this button, see Generic Plug-in Actions.

l The Disable SSO for this application check box. If you select this option and click OK, the authentication data collection execution is canceled until further notice for the application. To reactivate the collection, see Disabling/Enabling SSO for Applications.

l The I don’t have any account for this application link may appear. Click this link to request an access to the application through the Request Manager portal.

For more information on how to enable/disable these controls and this link, see Access Strategy Tab of an Application Profile or Evidian EAM Console - Guide de l'administrateur.


Enterprise SSO32

Displaying your Enterprise SSO User Accounts

Subject

This section describes how to display the user accounts that are defined in your Enterprise SSO configuration.

Procedure

l To display the list of your Enterprise SSO user accounts, double-click the Enterprise SSO icon located in the Windows notification area.


Window description

The Account panel displays one line per user account. For each account, the following information is available:

Column Name Description

Application Name of the application, as defined in.

l EAM console for the applications.

l Personal SSO Studio for the personal applications.

For accounts that are not associated with an application, <None> is displayed.

Login Name

Login name of the user account. If you have not used this application yet, <not registered> is displayed (the login name and password of the account have never been collected).

Note: You can hide applications for which the user is not registered. To do so, right-click any application and select Hide applications without credential.

Account By default, Standard Account is displayed. If you are using several user accounts for a same application, this column displays the name of the account. For more information, see Creating a New Account for an Application.

Table 3: Account panel information


Enterprise SSO33

Displaying the Properties of a User Account

Restriction

In Access Collector mode, this feature is deactivated.

Procedure

l In the Account panel, select the wanted user account and click the button or right-click the wanted user account and click Properties.

The following window appears:

Window description

The Information Tab

Depending on your user account properties, you may be allowed to modify your user account security data. For more details, see Changing the Login Name and/or Password of a User Account.

The Properties Tab

The Properties tab is a read-only tab. It displays the account properties and application properties available for the selected user account.

The Delegation Tab


Enterprise SSO34

Depending on your EAM configuration, the Delegation tab may not appear. It allows you to delegate your user account to other users.

Changing the Login Name and/or Password of a User Account

Restriction

Depending on your Enterprise SSO configuration, this command may be disabled for some or all the listed user accounts (unavailable in Access Collector mode).

For information on how to enable/disable this command, see Access Strategy Tab of an Application Profile.

Procedure

1. In the Account panel, select a user account and click the button or right-click the wanted user account and click Change Password.


2. Modify the wanted fields and click OK.

The modification is taken immediately into account.

NOTE: You can also modify the login name and/or password of a user account from the Account details window, which is described in Displaying the Properties of a User Account.


Enterprise SSO35

Updating the Password of a User Account upon Application Request

Subject

When an SSO enabled application requests a password update, this request is intercepted by Enterprise SSO, which displays the Password Change window.

To check the validity of your new password, execute the following procedure:

Procedure

1. Click the Show Password Format Control Policy link.

The following area appears:

2. Type in a new password (and confirm it to avoid mistype errors) and validate it by clicking the OK button.

Enterprise SSO updates and stores the data in the security database, so that it can reuse afterwards, without requesting any new data.


Enterprise SSO36

Creating a New Account for an Application

Restriction

Depending on your Enterprise SSO configuration, this command may be disabled for some or all the listed applications (unavailable in Access Collector mode).

NOTE: For information on how to enable/disable this command, see The "Application Profile" Tab.

Procedure

1. In the Account panel, select an application and click the button or right-click the wanted user account and click New account.


2. In the Account field, either type the name of a new account, or, if you want to use an additional account that you have already created, select it in the drop-down list.

3. Click OK.

The new account appears in the Account panel.

Going Further

If you have several accounts for an application, the following window appears by default when Enterprise SSO detects the authentication window of the application:


Enterprise SSO37

This window allows you to select an account to log on to the application.

IMPORTANT: If you select:

l Disable SSO for this application: the SSO is disabled for the selected account for the current SSO session. For more information on this key, see Disabling/En-abling SSO for Applications.

l Set current role: Enterprise SSO will always use the selected account and this window will no longer appear. To redisplay this window, in the Home panel, select No selected role in the Current role drop-down list (see The "Home" Panel).

NOTE: You can also log on to the application with one of the accounts by double-clicking the desired account in the Enterprise SSO Window.

Deleting a User Account

Subject

This section describes how to delete one or more accounts associated with an application.


Procedure


Enterprise SSO38

1. In the Account panel, select an application and click the button or right-click the wanted user account and click Delete.

A warning message appears.

2. Read this message carefully. If you agree, click YES.

The account is deleted.

NOTE: If many accounts are associated with an application, the account line will be deleted. If you delete the last account, <not registered> will be displayed instead of the login name.

Displaying the User Account Password

Restriction


NOTE: For information on how to enable/disable this command, see Access Strategy Tab of an Application Profile.

Procedure

1. In the Account panel, select a user account and click the button or right-click the wanted user account and click Show Password.

The EAM re-authentication window appears.

2. Log on using your Windows user account.



Enterprise SSO39

3. Click Close.

Delegating a User Account

Subject

You can delegate one or several user accounts by using the Wizard, the EAM Portal (see Evidian EAM Portal - Guide de l’utilisateur) or by doing it manually.

Restriction


NOTE: For information on how to enable/disable this command, see Delegation Tab of an Application Profile.

In this section:

l Delegating a User Account With the Wizard

l Delegating a User Account Manually

l Removing a User Account Delegation

Delegating a User Account With the Wizard

Use the Account Delegation Wizard to delegate one or several user accounts quickly and simply. To do so, follow this procedure:

1. Right-click the Enterprise SSO icon.

The Enterprise SSO pop-up menu appears.


Enterprise SSO40

2. Select Account delegation.

3. Re-authenticate if needed.

The Account Delegation Wizard appears.

4. Click Next.

The Account delegation window appears.

5. Select the account(s) you want to delegate by selecting the corresponding check box(es) or click the Select all button to select all the accounts.


Enterprise SSO41

6. Select a start and an expiration date and click the Next button.

The User Selection window appears.

7. In the Username field, enter the name of the user or part of it and click the Search button.

The list of users found in the directory is displayed.

8. Select the user(s) to whom you want to delegate the account by selecting the corresponding check box(es) and click the Next button.

Your selected account(s) has/have been delegated to the selected user(s).

Delegating a User Account Manually

1. In the Account panel, select one or several user accounts and click the button or right-click the wanted user account and click Delegate.

2. Re-authenticate if needed.

The Account Delegation window appears.


Enterprise SSO42

3. In the User name field, type the name or a part of the user name and click Search.

The list of users found in the directory is displayed.

4. Select the user to whom you want to delegate the account.

5. Select a start and an expiration date and click the Delegate button.

The account is delegated to the selected user from the start date to the expiration date.

Removing a User Account Delegation

1. Right-click the Enterprise SSO icon.

The Enterprise SSO pop-up menu appears.

2. Select Account delegation.

The Account Delegation Wizard appears.

3. Select Manage existing account delegations and click Next.

The Account Delegation List window appears.


Enterprise SSO43

4. Select an account delegation and click the Remove button.

The account is not delegated anymore.

Disabling/Enabling SSO for Applications

Subject

By default, SSO is enabled for all the applications listed in the Enterprise SSO Account panel.

You can disable SSO for an application in a permanent way, or only for the current SSO session, as explained in the following procedure.

In Access Collector mode, the SSO is automatically disabled for the applications for which the account has been collected.

IMPORTANT: Depending on your configuration, the commands of the following procedure may be disabled. For more information, see Access Strategy Tab of an Application Profile, or Evidian EAM Console - Guide de l'administrateur.

Procedures

Disabling SSO for an Application


Enterprise SSO44

l To disable SSO for an application during the SSO session:

In the Account panel, right-click the wanted application and select Disable the application.

The SSO is disabled for the application during the SSO session. At SSO Engine restart or reset, the SSO will be re-enabled.

l To permanently disable SSO for an application:

a. Set the following registry key to DWORD 1:Software\Enatel\SSOWatch\CommonConfig\StoreIfApplicationIsDisabled

b. In the Account panel, right-click the wanted application and select Disable the application.

The SSO is permanently disabled for the application: the application stays disabled even if the Enterprise SSO is restarted.

Enabling SSO for an Application

l In the Account panel, right-click the wanted application and select Enable the application.

NOTE: If you have several disabled applications and want to enable all of them at the same time, select Enable all applications.

Requesting an Access to an Application Through the Request Manager Portal

Subject

When Enterprise SSO is integrated with Identity & Access Manager, you can request an access to an SSO enabled application in the following cases:

l Upon first start of this application (that is when Enterprise SSO has not registered any credentials for this application), as detailed in Providing SSO Data When Launching an SSO Enabled Application for the First Time.

l At any time from the Enterprise SSO Account panel, as detailed in the following procedure.


Enterprise SSO45

Restrictions

l You have access to the Request Manager portal.

l The administrator has enabled the Request Access command for the selected application.

Procedure

1. In the Account panel, right-click the wanted application and select Request Access.

The Request Manager portal appears.

2. Log on to the portal and send a request to access the application.

Testing the SSO Configuration of an Application

Subject

The Enterprise SSO engine includes a test tool, which allows you to check if an application is correctly configured. It tests the following elements:

l Main window or Web page detection.

l URL detection if applicable.

l Advanced detection parameters (variable URLs, Look for text option, list of constraints).

Before starting

You have configured the Application Profile associated with the application to test: the test tool is launched by clicking Test application on the shortcut menu that appears when you right-click an application displayed in the Account panel. This command is available only if the Application Profile associated with the selected application is correctly configured, as detailed in:

l Properties Tab of an Application Profile, for your Personal SSO Studio configuration.

l Evidian EAM Console - Guide de l'administrateur, for corporate applications.

l You have checked that the application to test is not started.

Procedure


Enterprise SSO46

1. In the Account panel, right-click the application to test and select Test application.

2. Complete the window.

Additional Information

l The Window configuration information area displays by default information on the window selected in the drop-down list (window title and URL configuration if any). You can change this information by selecting another window using the target button. This feature is useful to check if an SSO configuration works with a new version of an application for example.

l When the main window detection succeeds, the Enterprise SSO engine does the following tests:

l It checks the variable URLs and Look for text parameters if any. The test stops at the first detected invalid parameter. You can bypass the test of these parameters by selecting the Bypass the advanced detection control check box.

l Then, it checks the list of constraints if any. The test does not stop, even if an error occurs.

l Finally, the engine tests the detection of the configured fields. The test stops at the first detected invalid field. If the field detection succeeds, you can select the Perform SSO check box. This immediately starts the real SSO process.

l The Export button allows you to save in a plain text file the information displayed in the Live report area.

Starting Personal SSO Studio

Subject

Personal SSO Studio is your personal configuration editor. It allows you to describe personal applications for which you want to enable SSO.

In Access Collector mode, the access to Personal SSO Studio is forbidden.

Procedure

l To start Personal SSO Studio from the Account panel, right-click any application and select Open SSO Studio.

NOTE: You can also open Personal SSO Studio from the Start menu.

This menu command is disabled if Personal SSO Studio is not installed on the workstation, or if Enterprise SSO is used in Access Collector mode.


Enterprise SSO47

Starting an Application

Subject

To start an application from the Account panel, execute the following procedure.


Procedure

l In the Account panel, right-click the wanted application and select Start application.

The application starts and Enterprise SSO performs SSO.

Creating a Shortcut for an Application

Subject

You can create shortcuts for applications from the Account panel, as described in the following procedure.


Procedure

l In the Account panel, right-click the wanted application and select Create Shortcut.

A shortcut for the selected application is created on your Windows desktop.


Enterprise SSO48

Removing the Icon from the Notification Area

Subject

Once Enterprise SSO is started, an icon appears in the Windows notification area. In some cases, it is preferable to remove this icon:

l To prevent the user from displaying the application list.

l In a Citrix Metaframe/Windows Terminal Server environment, when published applications are used in conjunction with Enterprise SSO, an icon representing Enterprise SSO running on the server appears on the client PC notification area (in addition to any local Enterprise SSO which may be running).

Procedure

l To remove the icon, do one of the following:

NOTE: The first key has precedence over the second; the /notrayicon command line has precedence over the Registry.

l In the Enterprise SSO command line (see Starting Enterprise SSO), add the /notrayicon parameter .

l In the Registry, create a non-null DWORD type entry called NoTrayIcon in one of these keys:

l HKLM\SOFTWARE\Policies\Enatel\SSOWatch\CommonConfig

l HKLM\SOFTWARE\Enatel\SSOWatch\CommonConfig


Enterprise SSO49

3

Configuration Editor: ESSO Enterprise Studio

Subject

ESSO Enterprise Studio is the Enterprise SSO configuration editor. It allows you to describe the applications for which you want Enterprise SSO to enable Single Sign-On or account collect (in Access Collector mode), but which could not be configured through the Enterprise SSO Wizard (as explained in the One Identity EAM in a Nutshell).

Additionally, for those applications that have been configured using Enterprise SSO Wizard, ESSO Enterprise Studio enables you to modify or enhance their configuration.

If Enterprise SSO is used in Access Collector mode, ESSO Enterprise Studio allows the administrator to configure all the enterprise applications for the users, so that users' account can be automatically collected in the users' directory.

ESSO Enterprise Studio provides a graphical interface for defining these elements. It is dedicated to application administrators, or to "super-users" who have access to all necessary parameters.

Application Definition

An application is defined by:

l Its properties, such as acceptable password formats, its behavior as seen by the Enterprise SSO, the account(s) that the user will use to connect to the application.

l The windows displayed to the user and regarding to authentication or password management. These windows may be HTML pages from a web application.

ESSO Enterprise Studio

The two following ESSO Enterprise Studio configurations are available:

l ESSO Enterprise Studio: the application configuration is shared by a number of users.

l Personal SSO Studio: the application configuration is dedicated to a single user. It is automatically accessible when opening Personal SSO Studio.

Personal SSO Studio is not available in Access Collector mode.


Configuration Editor: ESSO Enterprise Studio50

Storage Modes

The SSO Studio configuration can be stored in the Windows registry (file storage mode) or in the LDAP directory (LDAP storage mode).

NOTE: The storage mode is defined during the installation phase.

l In LDAP storage mode, a centralized configuration is defined in the LDAP directory for which SSO access is either authorized or denied for a given user or group of users.

NOTE: The Access Collector mode works only in LDAP storage mode.

l In local storage mode (file storage mode), the configuration is saved in a file in the Windows registry.In Enterprise mode, the administrator can create as many configurations as he wants, and each configuration is saved in a file.

Operating Modes

ESSO can be installed in two different modes: With and without Controller (for more details, see One Identity EAM Installation Guide).

l Without Controller, the configuration of applications can be entirely done with SSO Studio.

NOTE: The Access Collector mode works only without Controller.

l With Controller (Client/Server) mode, the configuration of applications is only partly done with ESSO Enterprise Studio: the technical definition of applications can be done with ESSO Enterprise Studio, but the application definition must be finished from the EAM administration console (see One Identity EAM Console - Guide de l'administrateur).

In this section:

l Interface Overview

l Starting and Stopping ESSO Enterprise Studio

l Creating or Opening a Configuration

l Configuring General SSO Parameters

l Defining PFCP and Application Profiles

l Defining Application and Technical Definition Objects

l Defining Window Objects

l Testing the SSO

l Backuping Objects

l Managing Objects in the Tree



l Saving Object Configurations

l Managing Configuration Updates

l Refreshing the Tree

Interface Overview

Main Window Interface

ESSO Enterprise Studio presents target application parameters as SSO objects organized in a tree structure.

ESSO Enterprise Studio enables you to create, modify or delete objects and to store them in an LDAP directory (LDAP mode) or in an Enterprise SSO configuration file (local storage mode). It is a "single-document" application (only one configuration can be edited at a time):

l In ESSO Enterprise Studio used in LDAP storage mode, the displayed tree corresponds to the associated LDAP directory defined at initialization time.

The following screenshot illustrates an interface example of ESSO Enterprise Studio used in LDAP storage with Controller.



In LDAP mode, the objects can be created anywhere the administrator has object-creation rights.

The LDAP administrator is responsible for ensuring that the structure has a branch reserved for the management of EAM objects.

As the objects are created directly in the LDAP directory, the directory must be accessible when ESSO Enterprise Studio is being used.

l In ESSO Enterprise Studio used in local storage mode, or in Personal SSO Studio, the tree displayed is not linked to an LDAP directory.

The following screenshot illustrates an interface example of Personal SSO Studio.



In local storage mode, the configuration is defined with a root node called Local Enterprise SSO Configuration, to which two other nodes are attached: Applications and Configuration Objects, used for EAM object declarations.

Main Window Areas

The ESSO Enterprise Studio main window is composed of:

l A menu bar.

l A toolbar offering shortcuts to some menu bar options, as described in the following table. The toolbar appearance depends on the SSO Studio mode used (Without and with Controller, LDAP/File storage, Personal/Enterprise).

ESSO Enterprise Studio Mode

Button Description

Common buttons

(ESSO Enterprise Studio only)Creates a new SSO configuration.




Button Description

(ESSO Enterprise Studio only)Opens an existing SSO configuration.

Cuts the selected item.

Copies the selected item.

Pastes the selected item.

Displays the properties of the selected item.

(LDAP storage mode only) Refreshes the displayed LDAP directory.

Deletes the selected item.

Renames the selected item.

Without Controller buttons

Creates a new Application.

Creates a new Window object.

Creates a new Application profile.

Creates a new PFCP.

(ESSO Enterprise Studio only)Opens the SSO Settings by Population window, which allows you to define the population allowed to access the application.

Saves the configuration.




Button Description

With Controller buttons

Creates a new Technical Definition.

Saves the Directory modifications.

Tests the selected SSO.

Adds the selected item to the test list.

removes the selected item from the test list.

l A workspace showing a tree structure that allows you to select elements and to perform actions directly by double-clicking the objects or using a popup menu for each object.

Starting and Stopping ESSO Enterprise Studio

This section explains how to start and stop ESSO Enterprise Studio or Personal SSO Studio.

In this section:

l Starting SSO Studio

l Stopping ESSO Enterprise Studio

Starting SSO Studio

Subject

The following procedure explains how to start ESSO Enterprise Studio or Personal SSO Studio.

Procedures

Starting SSO Studio Using the Windows Taskbar

1. In the Windows taskbar, execute one of the following procedures, depending on the ESSO Enterprise Studio operating mode you want to open:



a. For ESSO Enterprise Studio: Start/All apps/One Identity EAM/ESSO Enterprise Studio

b. For Personal SSO Studio: Start/All apps/One Identity EAM/Personal SSO Studio

An authentication window appears.

2. Fill-in the authentication window and click OK.

ESSO Enterprise Studio appears.

Starting ESSO Enterprise Studio Using Command Lines

The following table lists the command line arguments that you can use to start ESSO Enterprise Studio (builder.exe):

l /user : starts Personal SSO Studio.

l /wizard : starts the Enterprise SSO wizard.

Stopping ESSO Enterprise Studio

Subject

The following procedure explains how to stop ESSO Enterprise Studio or Personal SSO Studio.

Procedure

l In the File menu, click Exit.

Creating or Opening a Configuration

Subject

With ESSO Enterprise Studio used in local storage mode, you can create as many configurations as you wish (each configuration is saved in a different file).

This section explains how to create a new configuration, or open an existing one.

NOTE: In local storage mode, the configuration file to be used can be specified during installation. For more information, see One Identity EAM Installation Guide



Restriction

The feature described in this section is only available in ESSO Enterprise Studio used in local storage mode.

Procedure

To open an existing configuration:

1. In the File menu, click Open.

The Explorer window appears.

2. Select the configuration you want to open and click OK.

The selected configuration appears in ESSO Enterprise Studio main window.

3. To create a new configuration, in the File menu, click New.

ESSO Enterprise Studio displays the default configuration.

Configuring General SSO Parameters

Subject

The following procedure explains how to define the general SSO configuration parameters.

Restriction

The configuration described in this section is only available in ESSO Enterprise Studio used in local storage mode without Controller.

Procedure

1. In the Edit menu, click Configuration.




l The Performance tuning area allows you to set the window detection timing.

l The Security Parameters area allows you to define permissions.

2. Fill-in the window and click OK to save the configuration and close the window.

Defining PFCP and Application Profiles

If you use ESSO Enterprise Studio without Controller or Personal SSO Studio, you can define the following properties:

l The Password Format Control Policies: PFCP.

l The Application profiles.

NOTE: With Controller, this configuration can be performed with the EAM administration console (see One Identity EAM Console - Guide de l'administrateur.

In this section:

l Defining Password Format Control Policies (PFCP)

l Defining the Application Profiles



Defining Password Format Control Policies (PFCP)

Subject

This section explains how to create or modify a PFCP for the applications for which you want to activate the SSO.

A default PFCP configuration exists in ESSO Enterprise Studio: you can modify it or create a new one.

Restriction

The PFCP configuration is only available if you use ESSO Enterprise Studio without Controller mode or Personal SSO Studio.With Controller, the PFCP configuration must be done with the administration console (see One Identity EAM Console - Guide de l'administrateur).

Procedure

1. In the ESSO Enterprise Studio main window, do one of the following:

l To create a new PFCP, right-click the Configuration objects node and click New PFCP.

l To modify an existing PFCP, right-click the PFCP you want to modify and click Properties.

l The PFCP Properties window appears. Fill-in the window as described in the following sections:

l For basic parameter definition, fill-in the Password Management Policy tab: see The "Password Management Policy" Tab.

l For advanced parameter definition, fill-in the Password Format Policy tab: see The "Password Format Policy" Tab.

2. Click OK to save the configuration and close the window.

In this section:

l The "Password Management Policy" Tab

l The "Password Format Policy" Tab



The "Password Management Policy" Tab

The Password Management Policy tab allows you to define the following PFCP elements:

l Password PolicyThe PFCP name.

l New Password generation policyThe behavior required when the user is prompted for password change: automated password generation or user prompted for a password compatible with the PFCP.

l Advanced

l An "invalid password" string: if the security system is provided with this string for SSO use, Enterprise SSO prompts the user for a new password.

l The period for which a password is valid.

l The number of old passwords retained.



The "Password Format Policy" Tab

The Password Format Policy tab allows you to define the advanced parameters:

l Password FormatDefines the number of upper-case letters, lowercase letters, numbers, special characters and the list of special characters authorized in the passwords as well as their position within the password.

The following special characters are allowed:

& ~ " # ' { ( [

- | ` £ _ \ @ )

° ] = + } $ % *

, ? ; . : / !

IMPORTANT: Accented characters are forbidden.

l The Special character list field enables you to specify which of these characters must appear in the password.

l Forbidden charactersList of forbidden characters in the password.



l AdvancedSpecifies the maximum number of occurrences of a given character in a password.

l Test Password GenerationThis button allows you to see an example of a password generated using the rules you have configured.

Defining the Application Profiles

Subject

Application profiles are security objects that define a set of rights and properties that are applied generically for one or more applications.

This section explains how to configure the application profiles for the applications for which you want to activate the SSO.

A default Application profile configuration exists in ESSO Enterprise Studio: you can modify it or create a new one.

Restriction

The Application profile configuration is only available if you use ESSO Enterprise Studio without Controller or Personal SSO Studio. With Controller, the Application profile configuration must be done with the administration console (see One Identity EAM Console - Guide de l'administrateur).

Procedure


l To create a new Application profile, right-click the Configuration objects node and click New Application Profile.

l To modify an existing Application profile, right-click the Application profile you want to modify and click Properties.

The application profile properties window appears.

2. Fill-in the window as described in the following sections:

l For the Properties tab, see Properties Tab of an Application Profile.

l For the Access Strategy tab, see Access Strategy Tab of an Application Profile.

l For the Delegation tab (only if you use ESSO Enterprise Studio without Controller and in LDAP storage mode), see Delegation Tab of an Application Profile.

3. Click OK to save the configuration and close the window.

In this section:



l Properties Tab of an Application Profile

l Access Strategy Tab of an Application Profile

l Delegation Tab of an Application Profile

Properties Tab of an Application Profile

The Properties tab allows you to configure the following parameters:

l Application Profile name.

l Password Policy associated with this Application Profile.

For details on how to create a Password Policy, see Defining Password Format Control Policies (PFCP).

Enterprise SSO Desktop options:

l Display the applications associated with this profile in the user’s Enterprise SSO Account panel.

l Automatically launch the applications associated with this profile when Enterprise SSO starts.

Test the applications associated with this profile to check if the SSO configuration works. For details on how to use the test mode, see Testing the SSO Configuration of an Application.

NOTE: This option is available with Personal SSO Studio. It is also available with ESSO Enterprise Studio in the Application Profile in EAM Console.



Access Strategy Tab of an Application Profile

The Access Strategy tab allows you to configure the following parameters:

l Credential storageStorage location of the SSO accounts used by the applications associated with the Application Profile.

IMPORTANT: If you select Store on token, check that the proper authen-tication method is supported. For more information, contact your security administrator.

l Single Sign-On Policy

l Users must re-authenticateBefore each SSO, the user must confirm his primary password, PIN or biometric identity.

l Users can modify accountThis option is selected by default. If unchecked, the user will not be allowed to change the password through the user account management screen.

l Users can display password The user can ask for the password to be displayed. If this is the case, he will be asked to re-authenticate.

l User can cancel Single Sign-On

l If this option is cleared, the user cannot cancel the SSO execution when he/she starts an application associated with the security profile:

l If the user starts an application for the first time, he must complete the authentication data collection dialog box.



l If the user has several accounts for an application, he must select an account in the account selection dialog box (the Cancel button is unavailable).

NOTE: If a problem occurs (for example, if the authentication data cannot be saved due to network issues), the Cancel button is available again to allow the user to log on manually or to quit the application.

l Select this option to allow users to temporarily cancel the SSO execution for applications associated with the security profile, then select in the drop-down list the scope of this option:

l For the current session only: if the user cancels the SSO execution for an application, he can then start as many application instances as required, the SSO execution remains disabled.The SSO is enabled again when the user quits all the application instances and restarts the application (or resets the configuration or restarts Enterprise SSO).

l For the application (until reset): the user can disable the SSO execution: either for the current SSO session (see above) or until further notice. In this latter case, to enable again the SSO execution for the suspended applications, the user must use the appropriate contextual command from the Enterprise SSO Account panel (or reset the configuration, or restart Enterprise SSO).

l For the current window only: if the user cancels the SSO execution for an application, the SSO is disabled for this application instance only.

NOTE:

For more details on the commands and controls that are modified by this option, see the following sections:

l Providing SSO Data When Launching an SSO Enabled Application for the First Time.

l Creating a New Account for an Application.

l Disabling/Enabling SSO for Applications.

l Account Security Options

This area only appears if you use ESSO Enterprise Studio without Controller and in LDAP storage mode. It allows you to select the way the secondary accounts used by the applications associated with the Application Profile are ciphered. In the drop down list, select one of the following entries:

l User: only the user can decipher his/her secondary accounts. This is the most secure option.

IMPORTANT: If the user forgets his/her primary password or loses his/her smart card, it is impossible to recover his/her secondary accountsReplace this text with a notation that requires the reader's attention.



l User, administrators: the user and you can decipher his secondary accounts. Thus, if you force a new primary password or assign a new smart card using the EAM Console, the user's secondary accounts are recovered.

l User, administrators and external key: select this entry to allow an external application to decipher the user's secondary accounts using a public key For example, you must select this entry if you want to use EAM with Web Access Manager (WAM). By selecting this entry, you allow WAM to decipher the EAM secondary accounts of the user so that WAM can perform SSO with these accounts. For more information, see Mobile E-SSO Installation and Configuration Guide.

Delegation Tab of an Application Profile

The Delegation tab is only available if you use ESSO Enterprise Studio without Controller and in LDAP storage mode.

The Delegation tab allows you to define the methods for delegating accounts to another user:

l Authorize delegation to everybody.

l Authorize delegation to a member of the same user group.

l Authorize delegation to a member of the same organizational entity.

l Advanced mode: person/group/organizational entity.

l Authorize the delegated user to change passwords: the delegated user is authorized to modify the password for the delegated account.

You can ask the person delegating the account(s) to reauthenticate on the workstation where the Studio is installed by setting the following registry key: SOFTWARE\Enatel\SSOWatch\CommonConfig\ReauthOnDelegate DWORD 1.



Defining Application and Technical Definition Objects

This section explains how to create and define Application and Technical definition objects.

l Without Controller, SSO Studio allows you to entirely configure Application objects.

An application object implies the definition of:

l An application name as shown in ESSO Enterprise Studio and in Enterprise SSO, and some options regarding the access rights for this object.

l Parameters that associate this application with the SSO data in the security system.

l Access strategy (in registry or personal configuration modes), or assignment to user groups (in LDAP mode); the application profile should be defined for each association to a user group.

ESSO Enterprise Studio allows you to create application objects with some predefined parameters for SAP and Windows applications: see Creating a New Application Object or Technical Definition.

l With Controller, ESSO Enterprise Studio allows you to configure Technical Definitions.A Technical definition object is a technical description of an application, and particularly to produce single sign-on in a EAM environment. The application configuration must then be completed in the administration console (see One Identity EAM Console - Guide de l'administrateur).

In this section:

l Creating/Modifying Application Objects and Technical Definitions

l Filling-in the Application Properties Window

l Defining Advanced Access Rights

Creating/Modifying Application Objects and Technical Definitions

In this section:

l Creating a New Application Object or Technical Definition

l Modifying an Application Object or Technical Definition Configuration



Creating a New Application Object or Technical Definition

Subject

For Application objects, ESSO Enterprise Studio allows you to use templates to create SAP and Windows application objects.

The Template Application item allows you to create an Application object with a number of pre-defined parameters. They are used for specific authentication scenarios. The predefined template applications are:

l SAP, for SAP R/3 application authentication (for more details, see The SAP R/3 Plug-in).

l Windows, for authentication to an external LDAP directory.

Template applications are managed in the same way as Application objects. They enable the Single Sign-On feature for specific authentication procedures. An application template has a number of predefined parameters.

The following procedure explains how to create a new technical definition or application (with or without template).

Procedure


l To create a new application or technical definition: Right-click the node where you want to create a new Application or Technical Definition and click New Application or New Technical Definition.

l To create a new application using a template: Click the node where you want to create a new template application and in the Edit menu, click New Template-based Application/SAP or Windows.

The Application properties window appears.

2. Fill-in the Application properties window (or modify it in case of template application) as described in Filling-in the Application Properties Window.

Modifying an Application Object or Technical Definition Configuration

Subject

The following procedure explains how to modify the properties of an existing Application Object or Technical Definition.



Procedure

1. In the ESSO Enterprise Studio main window, right-click the Application or Technical Definition you want to modify and click Properties.

The Application properties window appears.

2. Fill-in the Application properties window as described in Filling-in the Application Properties Window.

l For Application objects, fill-in the following tabs:

l Properties: see "Properties" Tab of an Application Object.

l Account base: see "Account Base" tab of an Application Object.

l Launcher: see The "Launcher" Tab.

l Parameters: see The "Parameters" Tab.

l Application Profile: see The "Application Profile" Tab.

l For Technical Definition objects, fill-in the following tabs:

l Properties: see "Properties" Tab of a Technical Definition Object.

l Launcher: see The "Launcher" Tab.

l Parameters: see The "Parameters" Tab.

Filling-in the Application Properties Window

In this section:

l "Properties" Tab of an Application Object

l "Properties" Tab of a Technical Definition Object

l "Account Base" tab of an Application Object

l The "Launcher" Tab

l The "QRentry keyboard" Tab

l The "Parameters" Tab

l The "Application Profile" Tab

"Properties" Tab of an Application Object

The Properties tab described in this section only appears if you use ESSO Enterprise Studio without Controller, or Personal SSO Studio.



The Properties tab of an Application Object allows you to define the basic parameters of an Application.

l Application Name and Account label

l Application name: this field will be displayed in the objects tree of ESSO Enterprise Studio and in the data collection and account management dialog boxes of Enterprise SSO.

l Account label: fill-in this field for this label to be suggested when the account is first created and at first collection. This field will be displayed in Enterprise SSO as well as in all the SSO data collection windows and in the user account management window.

l Session management Indicates whether all the application’s windows depend on the same application instance.

l OLE/AutomationGrants OLE/Automation access to this application (and all the associated security objects) through the OLE/Automation interface of Enterprise SSO. For greater security, you can enter a password. This password will have to be provided by the OLE client. See OLE/Automation Interface.

l Options

l Enable this application (this option is selected by default) If this option is cleared, Enterprise SSO will ignore this application. This is used to temporarily disable an application without deleting it from the configuration file.

l Try previous password when "bad password" windows detectedIf this option is selected, the fields are filled with the last valid password at



"bad password" detection (this can be useful if the password change is not immediately taken into account by the application).

l User must provide credentialsThis check box only appears in Access Collector mode.If this check box is cleared, the user will be able to cancel the collect (or the BadPassword) window that appears when he launches an application.

"Properties" Tab of a Technical Definition Object

The Properties tab described in this section only appears if you use ESSO Enterprise Studio with Controller.

The Properties tab of a Technical Definition object allows you to define the basic parameters of a Technical definition.

l IdentificationThe Technical Definition name. This field will be displayed in the objects tree of ESSO Enterprise Studio.

l Session management Indicates whether all the application’s windows depend on the same application instance.

l Try previous password when "bad password" windows detectedIf this option is selected, the fields are filled with the last valid password at "bad password" detection (this can be useful if the password change is not immediately taken into account by the application).



"Account Base" tab of an Application Object

The Account Base tab only appears if you use ESSO Enterprise Studio without Controller or Personal SSO Studio.

The Account base tab allows you to define the Account Base associated with an application. An Account is a username/password pair that allows connection to an application. There is also an account parameter that can store complementary authentication data; for instance: a Windows Domain name is a complementary parameter of a Windows account.

The account name is internal to Enterprise SSO: it is used to store and retrieve security data and to give a user-friendly name to this data. A user-friendly name is particularly useful when using multiple accounts: you can give names such as: "Notes Admin" or "Notes User" if a Notes user is also the administrator.

NOTE: Accounts are shared: by applications as well as Enterprise SSO configurations, since they refer to objects stored in the security system storage and which is bound to the user.

l For simple cases, one single account is associated with an application: it is called a Standard account.

l For particular cases, it is possible to use the Windows username and password to perform SSO on an application. An example is the Windows Terminal Server login. To use this security credential in SSO, you must associate the Primary Authentication Identifier with the application (select the corresponding check box). The Windows username can be sent to the application in different forms:



l Short name: username only.

l Windows 2000 (and later): username including the Windows domain, for instance: [email protected].

l NT4: username preceded by NETBIOS domain, for instance: EVIDIAN\jsmith.

l Share Account Base with Another Application: for this, indicate in an application that you consider as account reference, the applications authorized to use this reference base.

You can also share an account base between two Applications using command line arguments. This feature may allow you to create batch files to automate this task.

NOTE: You can combine this feature with the possibility of importing objects using command lines. This is described in Importing Objects using Command Line Arguments (without Controller).

Before starting

l The Applications must be created.

l Close the ESSO Enterprise Studio graphical interface.

Procedure

To share an Account base, at the Windows prompt, type the following command:<SSOWatch Installation Directory>/SSOBuilder.exe [/login <name>][/password] /share <Master Application> <Slave Application>

NOTE: Arguments between square brackets [ ] are optional.

Explanations in the following table:

Argument name Values

<Enterprise SSO installation folder>

C:\Program Files\Evidian\WG SSOWatch\SSOBuilder.exe" by default.

/login <name> and /password <password>

Login name and password of the EAM administrator

Note:

Use the DOMAIN\login format.

If the login name and password of the administrator are not specified, the ESSO Enterprise Studio authentication window will appear.

The administrator account used to run the import must own sufficient rights.



Argument name Values

/share<MasterApplication><SlaveApplication>

<MasterApplication>: name of the Application owning the Account base to share.

<SlaveApplication>: name of the Application that will use the Account base.

NOTE: This parameter works only with Application objects..

Example

The following command allows you to share the Account Base AB1 owned by APP1 with APP2:"C:\Program Files\Evidian\WG SSOWatch\SSOBuilder.exe" /login DOMAIN\WGAdmin /password AdminPWD /share APP1 APP2

External Names: this button only appears if you use ESSO Enterprise Studio without Controller and in LDAP storage mode. It allows you to define a mapping between the EAM application that you are configuring and the name of an external application that must be identified by EAM. This option is particularly useful to integrate Web Access Manager with EAM. For example, if you are defining an application called MyHTMLApplication that already uses Web Access Manager Account Bases, click this button and in the displayed window, enter the names of the Web Access Manager Account Bases defined for this application. This way, EAM will be able to use these Web Access Manager Account Bases to perform SSO with this application. For more information, see Mobile E-SSO Installation and Configuration Guide.

NOTE: Each external application name must be unique in the directory.

The "Launcher" Tab

The Launcher tab is used to define how Enterprise SSO can start an application.



This window allows you to define the following parameters:

l Change Icon buttonThe icon associated with the application, which will be displayed in Enterprise SSO.

l Application description for userThe application description, which will be displayed in Enterprise SSO.

l TargetThe command line or URL (for web applications), which opens the application.

l Start in folderThe directory where the command line should start.

l Command line parametersThe SSO parameters to be sent to the command line, if necessary.The Insert button inserts in the command line the item selected in the drop down list (identifier/password).

l Authentication methods required if automatic start is used

Since Enterprise SSO can launch applications during session opening, this option enables you to control which applications are launched regarding the authentication method used to log on.

Select the check box and in the drop down list, select the authentication methods required to launch the applications.



The "QRentry keyboard" Tab

The QRentry keyboard tab enables you to configure the behavior of the key of the QRentry keyboard to perform an SSO in a Store application (Android only). For more information on Store applications, refer to the QRentry - Guide de l’utilisateur.

This window allows you to define the following parameters:

l Application package identifier fieldEnter the Store application name that you retrieved beforehand in QRentry, as described in QRentry - Guide de l’utilisateur.

l SSO data validation methodSelect the credentials validation method:

l Tap a specific validation button: QRentry fills-in the fields and activates the next field in the application (example: Next, Connection, Cancel etc.).

l Tap the Enter button: QRentry fills-in the fields and activates the Enter button of the keyboard.

l Do nothing: QRentry fills-in the fields, the user must validate.

The "Parameters" Tab

Parameters Tab of an Application Object (without Controller)



Subject

The Parameters tab allows you to add a list of additional authentication parameters (such as Windows Domains or Languages for example). These parameters will enable you to define more fields than simply the couple of fields user name/password of the target application authentication window.



Window description

l Add button: click this button to add a parameter. The following window appears:

l To add an existing parameter, select it and click OK.

NOTE: The Windows Domain parameter must be used only with Applic-ations that may use Authentication Manager.

l To create a new parameter, type its name in the Name field and click Add.

l To delete or rename an existing parameter, select it and click Delete or Rename.

l To define an External Name for a parameter, select the wanted parameter and click External Name. For more information, seeManaging External Names hereunder.

l Delete button: select a parameter and click Delete.

l Properties button:Select a parameter, then click this button to define the properties of the selected parameter.



The properties to defines are the following:

l Description: mandatory description of the parameter for a better understanding.

l Parameter type is associated with the value that can be provided to the user.

Default: the value of the parameter is collected for each SSO account and can be modified by the user.

l Global: the value of the parameter is the same for all SSO accounts and is not suggested to the user.

l Rule: the value is dynamically defined as a user data function, and cannot be changed.

l Value: this is the default value assigned to the parameter; if nothing is entered here, it will be requested at first authentication (data collection) as a function of the parameter type defined previously.

If you have selected Rule in the Parameter type area, between parentheses, retrieve the exact LDAP attribute name (using an LDAP browser) and type it in the Value field. For example, type (mail) to indicate that the parameter value is the user's mail address.

NOTE: If you want to add several LDAP attributes, type them one after another, without a comma. Example: (mail)(dn).

You can be more specific about the parameter value by using the following rules:To keep only the first n characters of the LDAP value, use the (attLDAP,n) syntax.Three functions are used to process LDAP values: UPPER, LOWER and CAPITALIZED. Example: UPPER(mail,10) will return the first 10 characters of the user's mail address in upper case.

Managing External Names

This window appears when you click the External Name button. It allows you to define a mapping between the parameter that you are configuring in EAM and the name of an external parameter (created using another SSO tool) that must be identified by EAM.



NOTE: This option is particularly useful to integrate User Provisioning or Web Access Manager with EAM. For more information, see Mobile E-SSO Installation and Configuration Guide.

Parameters Tab of a Technical Definition Object (With Controller)

Subject

The Parameters tab allows you to add a list of additional authentication parameters (as Windows Domains or Languages for example). These parameters will enable you to define more fields than simply the couple of fields name/password of the target application authentication window.

IMPORTANT: The list of authentication parameters for the technical definition must be compatible with the parameters defined at application level.The creation of an application is described in the Evidian EAM Console - Guide de l'administrateur.

Window description

l Add button: click this button to add a parameter:

To add an existing parameter, select it and click OK.

The parameter called Windows Domain (which is created upon the installation of ESSO), must be used only without Controller.

NOTE: To create or modify the parameters present in the list, use the EAM Console. For more information, see Evidian EAM Console - Guide de l'administrateur

l Delete button: select a parameter a click Delete.

l Properties button: this button is always disabled.

The "Application Profile" Tab

By default, every user is authorized to access the application with an application profile. The Application Profile tab allows you to define the application profile, with an access right granted to all the users by default.

IMPORTANT: In LDAP storage mode and Personal mode, only one profile may be assigned per application.



To:

l Allow the user to dynamically create new accounts from Enterprise SSO, select the User can create additional accounts check box.

l Allow the user to access the application on QRentry, select the This application is available on QRentry check box.

l Add a logo to the application for QRentry, click the Set logo button and select a logo.

IMPORTANT: The logo must be <30 Ko and in PNG format.

For more information on QRentry, refer to the QRentry - Guide de l’utilisateur.

Defining Advanced Access Rights

Subject

ESSO Enterprise Studio allows you to define advanced management of access rights, as explained in the following procedure.

Restriction

The feature is only available in ESSO Enterprise Studio used without Controller and LDAP storage mode.



Procedure

1. In the ESSO Enterprise Studio main window, right-click the application for which you want to define advanced access permissions and click SSO Settings by population.

The SSO Settings by population window appears.

2. Fill-in the window as described in Window description.

Window description

The SSO settings by population window allows you to define the population (user, organizational group or units) that accesses the application. It is necessary to assign an application profile to each one.

If several profiles are associated with a user, priority is given to the profile:

1. User.

2. Group.

NOTE: If there are several groups, the notion of priority indicated on the interface is applied. It is dedicated only to groups (with 0 as the highest priority level).

3. Organizational Unit.



Defining Window Objects

Subject

Since window objects are subordinated to Application or Technical definition objects, the window objects can only exist if they are associated with an application object.

Procedure

1. In the ESSO Enterprise Studio main window, right-click the application for which you want to define a window object and click New Window.

The Window Properties window appears.

2. Fill-in the Window Properties window as described in the following sections:

l The General tab is described in The "General" Tab.

l The Options tab is described in The "Options" Tab.

l The Detection and Actions tabs are described in the sections of this guide that are related to the "plug-in types", as their content depends on the selected window type.

In this section:

l The "General" Tab

l The "Options" Tab

l The "Detection" and "Actions" Tabs

The "General" Tab

The General tab allows you to give a name to the window object and to set its type (the type cannot be modified once the window has been created).



l Window NameBy default, this field is automatically filled-in with the name of the selected Window Type. It is recommended to enter a name clearer than the default name.

l Window TypeDisplayed Window types are loaded from the different Enterprise SSO plug-ins. The following table shows the window types provided by the different plug-ins and their associated technology:

The Window Type Description area displays the description of the selected window type.

Window Type Technology

Behavior Description

Generic windows

StandardLogin Win32/Java Login

BadPassword Win32/Java BadPassword

NewPassword Win32/Java NewPassword

BadNewPassword Win32/Java BadNewPassword





ConfirmPassword Win32/Java ConfirmPassword

Terminal Terminal All

HTML Pages (reserved for old versions. Do not use to detect new windows)

IELogin Win32 Login + BadPassword

HTTP authentication window

HTMLLogin HTML/IE Login Authentication in HTML pages

HTMLBadPassword HTML/IE BadPassword

HTMLNewPassword HTML/IE NewPassword + ConfirmPassword

HTMLBadNewPassword

HTML/IE BadNewPassword

Customizable window types

CustomScript

Win32

All

Graphical scripts enabling customized SSO creation.

CustomScriptHTML

HTML/IE

All

Graphical scripts allowing customized SSO creation for web applications in Internet Explorer.

Microsoft applications

MSTelnet Terminal All Not supported.

MSTelnetW2KXP Terminal All Telnet Microsoft for Windows 2000 and XP

Lotus Notes windows

NotesLogin Win32 Login Lotus 4.x and





5.x authentication

SAP windows

SAPLogin Win32 Login SAP R/3 Authentication SAPExpired Win32 NewPassword

SAPGUI Scripting Win32 Login Authentication for SAP R/3 version 6.20

Plugin HLL API windows

HLLAPI Login Win32 Login

HLLAPI Bad Password Win32 BadPassword

HLLAPI New Password Win32 NewPassword + LoginNewPassword

HLLAPI Confirm Password

Win32 ConfirmPassword

HLLAPI Bad New Password

Win32 BadNewPassword

HLLAPI Standard Win32



The "Options" Tab

The Options tab allows you to define the following elements:

l Specific detection conditions to trigger the SSO when the window appears (Detection criteria area).

l Enterprise SSO execution options to carry out SSO (Execution Options area).

l Advanced SSO options (Advanced options area).

In this section:

l The Detection Criteria Area

l The Execution options Area

l The Advanced Options area

The Detection Criteria Area

Use language criteria

This option allows you to trigger the SSO only if the selected language is one of the input languages installed on the computer. This option can be useful to optimize response times.



NOTE:

l To display the input languages installed on the computer, from the Windows Control Pane, double-click Regional and Language Options and in the Languages tab, click Details.

l Click the Configure button to select the wanted system languages.

l Select Show local language variants to display the speech communities of each language.

Use SSO State criteria

This option allows you to trigger the SSO only if the selected SSO states are met.

NOTE: This option is particularly useful for the Customizable Window Type (Custom Script and Custom Script HTML types).

Click the Configure button to select the conditions of the window activation depending on the state of the application. The following table lists the available options:

Option name Description

The window is always detected

This option is selected by default: the window is always detected and processed by Enterprise SSO, without any condition.

SSO has not been performed

Select this option to trigger Enterprise SSO only if the SSO operation has not been performed. With this option, Enterprise SSO can perform SSO upon the first detection of the window, then, as long as the application runs, this window is no longer detected.

SSO has been performed and the password is valid

The window is detected and processed by Enterprise SSO only if the SSO operation has been performed with a valid password.

SSO has been performed and the password has expired and must be changed

This option depends on the password validity period parameter (defined in the PFCP properties window). This window is detected and processed only if the SSO operation has been performed and that the password validity period has expired.

The password has been refused and resyn-chronized (BadPassword)

These options can be particularly useful for applications that use several authentication windows that you have defined using custom scripts. For example, if you have to define the following windows for the same application:A custom BadPass-word window.A custom NewPassword window, which contains only a field for the old password and a field for the new



Option name Description

password.A custom ConfirmPassword window, which contains only one field to confirm the new password.A custom BadNewPassword window, which appears when the user enters a wrong new password.To avoid inopportune detection and processing of these windows by Enterprise SSO, select for each window, the appropriate option in the Application State Conditions window.

A new password has been provided but not confirmed

The new password has been confirmed

A new password has been refused (after a rollback)

Example of use with the "SSO has been performed and the password has expired and must be changed" option

To display automatically the change password window of an application, do the following:

NOTE: We consider in the following example that the change password window appears when you click a button.

Procedure

1. In ESSO Enterprise Studio, create the Application object (for details, see Defining Application and Technical Definition Objects).

2. From this object, define the Login and Change Password windows (for details, see Defining Window Objects).

3. Define the Password Expire window, with the following guidelines:

l In the General tab, select Custom script (Window type).

l In the Options tab, select Use SSO state criteria, then click the Configure button and select SSO has been performed and the password has expired and must be changed.

l Detection tab: drag and drop the target button to the window where the Change Password button is located.

l Fill-in the Actions tab as follows:



NOTE: The Password Expire window is a virtual window, which allows you to display automatically the Change Password window when the password has expired.

The Execution options Area

Activate window masking

This option allows you to hide the window of an application with an Enterprise SSO window displaying a customizable text. You can use this option if you do not want that the user to see his login/password for example.

Consider the reappearance of the window as meaning 'bad password'

Select this option for login windows that are displayed at least twice in case of bad login/password values: the application rejecting the authentication redisplays its connection window, which is considered by E-SSO as a bad password window; this prompts a login/password collect window.

NOTE: To benefit from this bad password feature on an E-SSO window of type CustomScript, you must declare a special event in the script.

User the timer associated with this field as follows: if the authentication window reappears before x seconds, this window is then considered as a bad password window.



This is the case for the authentication window used by Internet Explorer to log on to restricted areas.

Redetect the window after

Select this option to reactivate the window detection after a certain delay (seconds).

The Advanced Options area

Select the check boxes to activate the following actions:

Do not disable the window during SSO and Do not disable the window when asking for user input

Select these options so that the user can interact with the window detected during SSO.

IMPORTANT: This is only relevant for IE, Firefox and Chrome.

Use alternative field detection method...

Select this option so that:



l The window definition for IE 6, 7 and 8 is the same for all three of them.

l If the web page is modified, SSO is still executed.

NOTE: If this option slows down the window detection then you must select one window for each IE version.

You must start the configuration over again if you select this option.

Try to use for Firefox...

NOTE: This option may not work with all web pages.

Select this option so that the window definition for IE is also applied to Firefox.

NOTE: If this option does not work, you must create a specific window definition for Firefox.

You must start the configuration over again if you select this option.

Enterprise SSO for mobiles: this is a basic authentication dialog

Select this option if you are using this window for QRentry E-SSO and that this window is an HTTP authentication window.

NOTE: For more information on QRentry, refer to the QRentry - Guide de l’utilisateur.

Don’t cache value

Select this option to force E-SSO to update continuously the information of the application.

Make this definition compatible with all Internet Explorer versions

Forces the compatibility of the technical definition with all the versions of Internet Explorer.

Wait for an URL change before performing SSO again

Select this check box to not perform SSO again as long as the URL of the page is identical.

System information

Select one or more check boxes to refine the SSO detection of windows by process architecture and/or Operating System:

l Perform SSO only if the process is:

l a 32 bits process.

l a 64 bits process.



l Perform SSO only if the operating system is:

l Windows XP/2003

l Windows 7/2008

l Windows 8/2012

l Windows 10

IMPORTANT: By default, all the check boxes are selected.

The "Detection" and "Actions" Tabs

The Detection and Actions tabs are described in the sections of this guide that are related to the "plug-in types", as their content depends on the selected window type.

Testing the SSO

Subject

ESSO Enterprise Studio allows you to test the SSO configuration you have created.

Restriction

This feature is available only if you use ESSO Enterprise Studio with Controller.

This feature is not available with Personal SSO Studio.

Procedure

1. In the ESSO Enterprise Studio main window, right-click the Technical definitions you want to add to the test list and click Add to Test List.

NOTE: To remove a technical definition from the list, right-click the object and select Remove from Test List.

A small check appears in the Technical definition icon.

2. Right-click one of the selected items and click Test.

A confirmation window appears, to inform you that Enterprise SSO is about to be started in test mode.

3. Click OK.

The Enterprise SSO Account panel displays only the selected technical definitions: you can start the applications corresponding to these technical definitions to test the



windows detection and the collection of the security data, without any modifications in the directory.

4. To disable the test mode, right-click one of the tested items and click on Test again.


5. Select one of the following options:

l Reset SSOEngine configuration: resets the SSO Engine.

l Stop test mode: test mode is stopped but the technical definitions that are tested are still available in ESSO Enterprise Studio.

l Stop test mode and restart SSOEngine: test mode is stopped and the SSO Engine is reset.

Backuping Objects

Before starting

The backup of the EAM Services solution is done at the same time as the backup of the directory that hosts EAM.

Therefore there is no backup of the EAM solution alone, however you can backup the objects created in EAM such as: user/group/OU.

Subject

The Import/Export feature allows you to backup and therefore reuse SSO configurations.

Description

When testing SSO configurations: if the Application and Window objects that you have created in your test environment are working, use the import/export feature to exploit them in the live environment.

You can export/import the following objects:



l An Application (without Controller) or an External Reference (with Controller) and its associated windows.

l Windows, PFCPs (without Controller) or Application Profiles (without Controller).

NOTE: Each exported object is saved in an .SSE (Enterprise SSO Export) file.

In this section:

l Exporting/Importing Objects using the Graphical Interface

l Importing Objects using Command Line Arguments (without Controller)

Exporting/Importing Objects using the Graphical Interface

Exporting procedure

To export an object, do the following:

1. In the ESSO Enterprise Studio main window, right-click the object you want to export and click Export.


2. Choose a saving location for the object and click OK.

Importing procedure

To import an object, do the following:

1. In the ESSO Enterprise Studio main window, right-click the node where you want to import the file and click Import.

NOTE: To import a window, select the application that will receive this window.


2. Select the object to import and click OK.

The object appears in the tree, at the selected location.



Importing Objects using Command Line Arguments (without Controller)

Subject

You can import .SSE files using command line arguments/ This feature can allow you to create batch files to automate the import of several objects from your test environment to the live environment.

IMPORTANT: This feature is more powerful than the import of objects using the graphical interface. You can use it to define accesses to applications in addition to the import operation.

Before starting

l Export the wanted objects using the graphical interface, as described in Exporting/Importing Objects using the Graphical Interface.

NOTE: For more details on the objects that you can import, see Backuping Objects.

l Close the ESSO Enterprise Studio graphical interface.

l You can combine this feature with the possibility to share account base using command lines, which is described in "Account Base" tab of an Application Object.

Procedure

To import an object, at the Windows prompt, type the following command:<Installation directory of Enterprise SSO>/SSOBuilder.exe [/login <name>][/password <password>] /import <filename.sse> /location <Organization DN> [/access <group>] [/profile <profile>]

Arguments between square brackets [ ] are optional.

Explanations in the following table:

Argument name Value

<SSOWatch installation folder>

"C:\Program Files\Evidian\WG SSOWatch\SSOBuilder.exe" by default.

/login <name> and /password <password>

Login name and password of the EAM administrator.Note:Use the DOMAIN\login format.



Argument name Value

If the login name and password of the administrator are not specified, the ESSO Enterprise Studio authentication window will appear.The administrator account used to run the import must own sufficient rights.

/import <filename.sse>

Full path name of the .SSE file, which contains the object(s) to import.Note: if the object to import is associated with another ESSO object (an Application associated with a PFCP for example), and if the name of this object (PFCP) is used by other objects, the first name found is used. If no object is found, the default object is used.

/location <Organization DN>

Distinguished Name of the organization where the object will be created.

/access <group>

Name of the group of users for whom you want to specify an access to the imported Application.Note:You can use either the format "Group Name" or "Group DN".If you do not specify this argument, check the access configuration using ESSO Enterprise Studio.This argument works only with Application objects.

/profile <profile>

Name of the Application Profile that will be associated with the imported Application. Note:You can use either the format "Group Name" or "Group DN".If you do not specify this argument, the default Application profile will be used.This argument works only with Application objects.

Examples

The following command allows you to import MyExportedFile.sse into the Applications container."C:\Program Files\Evidian\WG SSOWatch\SSOBuilder.exe" /login DOMAIN\WGAdmin /password AdminPWD /import C:\MyExportedFile.sse /location OU=Applications,OU=Organization,DC=domain,DC=acme, DC=com

You have created the APP application, for which the access is restricted to the group of users GROOP. To import this application and keep the restricted access to GROOP, use the following command:



"C:\Program Files\Evidian\WG SSOWatch\SSOBuilder.exe" /login DOMAIN\WGAdmin /password AdminPWD /import C:\MyExportedAPP.sse /location OU=Applications,OU=Organization,DC=domain,DC=acme,DC=com /access GROOP

Managing Objects in the Tree

This section explains how to copy, cut, paste, rename and delete objects of the tree.

In this section:

l Copying/Cutting/Pasting Objects

l Renaming an Object

l Deleting an Object from the Tree

Copying/Cutting/Pasting Objects

Subject

You can perform basic operations with tree objects, as explained in the following procedure.

Procedure

1. In the ESSO Enterprise Studio main window, right-click the object you want to copy and click one of the following commands:

l Copy, to duplicate the selected object.

l Cut, to copy the object and remove it from its current location (the object will not be removed if it is not pasted afterwards).

2. In the tree, right-click the node where you want to paste the copied object and click Paste.

The object appears in the tree at the selected location.



Renaming an Object

Procedure

1. In the ESSO Enterprise Studio main window, right-click the object you want to rename and click Rename.

The object name is selected.

2. Type the name you want to display for the object and press the ENTER key.

The object is renamed.

Deleting an Object from the Tree

Subject

If you use ESSO Enterprise Studio in LDAP mode, the tree displayed corresponds to the LDAP directory. If you delete an object from the tree, it will not be deleted from the LDAP directory as long as you have not updated it (see Refreshing the Tree).

Procedure

1. In the ESSO Enterprise Studio main window, right-click the object you want to delete and click Delete.

A confirmation window appears.

2. Click OK.

The object is deleted from the tree.

Saving Object Configurations

This section explains how to save the object configurations. In ESSO Enterprise Studio used in:

l Local storage mode, Enterprise and Personal configurations are stored differently:

l Enterprise mode: you can create as many configurations as you wish, and each configuration is saved in a file.



l Personal mode: a single and unique configuration is dedicated to you. It is automatically accessible when opening Personal SSO Studio, and is stored in the security database defined during the installation phase (LDAP directory or Windows Registry).

l LDAP storage mode, centralized configuration is defined in the LDAP directory for which SSO access is either authorized or denied for a given user or group of users.

In this section:

l Saving Object Configurations in LDAP Storage Mode (with Controller)

l Saving Object Configurations in Local Storage Mode

Saving Object Configurations in LDAP Storage Mode (with Controller)

Subject

In LDAP storage mode, centralized configuration is defined in the LDAP directory for which SSO access is either authorized or denied for a given user or group of users.

l Without Controller, the configuration is immediately and automatically saved in the LDAP directory.

l With Controller, you must save the directory modifications, as explained in the following procedure.

Procedure

In ESSO Enterprise Studio (used in LDAP storage and with Controller), in the File menu, click Update directory.

The LDAP directory is updated with the configurations defined in ESSO Enterprise Studio.

Saving Object Configurations in Local Storage Mode

Subject

In local storage mode, the storage operation depends on the ESSO Enterprise Studio version used:

l With Personal SSO Studio, a single and unique configuration is dedicated to each user. It is accessible automatically when opening Personal SSO Studio.



l With ESSO Enterprise Studio, you can save as many configurations as wanted: each configuration is saved in a file.

Procedure

l In Personal SSO Studio (local storage mode), click File/Save.

The configuration is saved in the Windows Registry.

l In ESSO Enterprise Studio (local storage mode), click File/Save.


Name the configuration and select the location where you want to save the configuration.

The configuration is saved in an .SSO file in the selected location.

Managing Configuration Updates

Subject

To optimize network traffic, you can use the update management feature: by default: by default, the EAM workstations retrieve the whole SSO configuration periodically. The update management feature allows you to post an update, which generates a unique identifier. The workstations retrieve the application data and this identifier. As long as the identifier is unchanged between the directory and the cache of the workstations, the workstations do not update their SSO configuration.

Restriction

The feature described in this section is only available in ESSO Enterprise Studio used in LDAP storage mode and without Controller.

Procedure

l To enable the update management feature: In the File menu of ESSO Enterprise Studio, select Manage Updates and click Disable Update Management.

l To post an update, which generates a unique identifier: In the File menu of ESSO Enterprise Studio, select Manage Updates and click Post an Update.

NOTE: When a workstation runs an update, it retrieves the entire configuration (and not only the configuration corresponding to the last posted update). So this feature does not avoid workstations retrieving the applications configured by administrators after the last posted update if the data on the workstation is older than the last posted update.



Refreshing the Tree

Subject

Refreshing the tree means updating it so that it displays the current corresponding LDAP directory.

IMPORTANT: If you have performed modifications in the tree and have not saved them, refreshing the tree will cancel all your unsaved modifications.

Restriction

This feature is only available in ESSO Enterprise Studio used in LDAP storage mode.

Procedure

In ESSO Enterprise Studio main window, in the Edit menu, click Refresh.

The displayed tree is updated with the current LDAP directory.



4

The Generic Plug-in

Subject

The "generic plug-in" allows you to define SSO or account collect (in Access Collector mode) configurations by detecting windows used by the following types of applications:

l All Microsoft Windows applications.

l Web applications (Internet Explorer, Firefox or Chrome).

l Java applications or applets.

IMPORTANT: The configuration of SSO for Java requires advanced skills. To deliver SSO access to Java applications, integration service is required. Please [email protected] at One Identity services..

The window objects that allow you to perform the SSO belong to the Generic Windows, as shown in the following figure:


The Generic Plug-in104

IMPORTANT: These window types allow you to detect any Microsoft Windows applic-ations, including any HTML pages displayed by web browsers such as Internet Explorer, Firefox or Chrome.Do not use the Microsoft Internet Explorer plug-in (HTML Pages) to define new windows.

Before starting

If you want to detect a Java application, make sure the following components are properly installed on your workstation:

l A supported Java version (for more details about the supported JRE versions, see Evidian EAM Release Notes).

l The Evidian SSOJava Plug-in, which must imperatively be installed after the JRE (for more information, see Evidian EAM Installation Guide.

In this section:

l Window Detection

l User Interface

l Generic Plug-in Actions

l Special Cases



Window Detection

When you create a Window in the configuration editor, you have to define the window that must be detected by Enterprise SSO. You must carry out this operation through the Detection tabbed panel:

To define the window detection, you must do the following:

1. Select the window that must be detected by Enterprise SSO, using the target button. For more details, see Simple Detection.

2. If necessary, modify the detection parameters for the selected window by filling in the Parameters of the selected window area.

l Upon the detection of the window (Step 1), the Detect by Window Class and Detect by Window Title options are selected. These options are usually sufficient to enable the detection of the window by Enterprise SSO.

l If these options are not sufficient, you can use advanced detection parameters, by looking for additional texts in the window (Look for text option), and/or by adding constraints on the detection process (Advanced button). For more details on these detection parameters, see Advanced Detection.

In this section:



l Simple Detection

l Advanced Detection

l Restrictions

Simple Detection

Depending on the type of window to detect, the selection area of the Detection tabbed panel is different:

l To detect the window of an application, you drag and drop the target button onto the title bar of the window that you want to detect. For more details, see Simple Detection of a Window or a Java Applet.

l To detect a Java applet, you drag and drop the target button onto the entire login area of the Java login page. For more details, see Simple Detection of a Window or a Java Applet.

l To detect a web page, you drag and drop the target button onto the web page that you want to detect. For more details, see Simple Detection of a Web Page.

In this section:

l Simple Detection of a Window or a Java Applet

l Simple Detection of a Web Page

Simple Detection of a Window or a Java Applet

To detect a window, Enterprise SSO first looks for its title (for standard or Java applications) or its login area (for Java applets). It can then look for the presence of an additional text in the window.

To automatically configure the necessary basic data, do one of the following:

l For standard or Java application windows, drag and drop the target button located in the top right of the Detection tabbed panel onto the title bar of the window that you want to detect. The data from the last targeted window is displayed in the configuration window, as shown in the following figure.

l For standard or Java application windows, drag and drop the target button located in the top right of the Detection tabbed panel onto the title bar of the window that you want to detect. The data from the last targeted window is displayed in the configuration window, as shown in the following figure:



The Detection tab now shows a tree structure for the targeted window, as well as its parent windows, if any; each window is represented on two lines differentiated by the icon on the left of the line:

Icon Description

Real characteristics of the targeted window (real title and class).

Data used to detect the targeted window (detection method, modified title).

At this point, the "simple" detection parameters of the selected window are automatically configured as follows:

l Detect by Window Class.

l If the window has a title, Detect by Window Title (not case sensitive).

If you want to modify these configuration parameters, make selections in the bottom half of the property page; if a targeted window has parent windows, you can modify the configuration for any intermediate window.

The following table lists the available title detection methods (not case sensitive):



Method Description

Is equal to The window title must be equal to the given character string.

Starts with The window title must start with the given character string.

Contains The window title must contain the given character string.

Ends with The window title must end with the given character string.

Example

Let us assume that the application authentication window has a title similar to: Enter the password for FirstName LastName.

A potential problem appears with this title because FirstName and LastName can differ from each user who will try to authenticate to this application.

In this case, the text must be edited and reduced to Enter the password for, and the window detection method must be selected: Starts with or Contains.

Simple Detection of a Web Page

IMPORTANT: If you are using different web browsers at the same time (Internet Explorer and Firefox for example), you must create two different windows: one window for the web page displayed in Internet Explorer, and another one for the web page displayed in Firefox.If the title of the web page is different depending on the language used, you must also create as many different windows as there are different titles.

Description

To detect a web page, Enterprise SSO first looks for its URL. It can then look for the presence of additional text or field in the web page.

To automatically configure the necessary basic data, drag and drop the target button located in the top right of the Detection tabbed panel onto the web page that you want to detect. The data from the last targeted window is displayed in the configuration window, as shown in the following screenshot:



The Detection tab now shows the URL of the web page (Web page area). At this point, you can adjust the detection parameters of the selected web page by defining a variable URL (Variable URL area) or by detecting a field in the web page (Parameter of the web page area) for example. For more details, see Advanced Detection.

NOTE: SSO is triggered when all the required fields are displayed, even if the web page is not entirely loaded.

Advanced Detection

In this section:

l The Enable Variable URL Detection option

l The Look for text option

l The Advanced button

The Enable Variable URL Detection option

Restriction

This option is only available upon the detection of a web page URL.



Description

Some websites are provided by clusters of HTTP servers (for instance Hotmail) or use the URL to keep session data (for instance Yahoo! Mail). This leads to URLs with variable parts.

To configure the detection of a web page that uses a variable URL, select Enable variable URL detection and click the Configure button.

NOTE: If a variable URL detection has already been configured and you select a new URL with the Get URL button, Enterprise SSO checks the compatibility of the new URL with the old URL variable schema. If the schema cannot be matched, confirm-ation is requested before the old URL variable schema is destroyed.Replace this text with a description of a feature that is noteworthy.

The variable URL configuration window looks like this:

The selected URL is displayed in the text field.

To setup the variable parts, there are two solutions:

l Use the generic characters: select (with the mouse or the keyboard arrows and the SHIFT key) a part of the URL (1). The tool bar is updated and shows only the generic characters that match the selection. In the tool bar, select the wanted generic character (2).

Generic characters are represented as follows:

l Replaces any character (one or more). Corresponds to .+ in a regular expression.

l Replaces alphanumeric characters (one or more): lower case letters, upper case letters and digits. Corresponds to [a-zA-Z0-9_]+ in a regular expression.

l Replaces letters (one or more): lower or upper case. Corresponds to [azA-Z_]+ in a regular expression.

l Replaces digits (one or more). Corresponds to [0-9]+ in a regular expression.



If you select a generic character, you can restore the original text with the Revert action.

IMPORTANT: A variable URL must never begin with a generic character.

Example:

In the previous window, an Outlook URL is displayed. Variable parts are 12 and 1398851398 numbers after "rpsnv=" and after "&ct=".

You only need to select 12 and click (in the toolbar), then select 1398851398 and click again on . The field is displayed like this:

l Create your own regular expression: select the I write my own regular expression check box (3) and enter your regular expression in the text field.

Example:

The Look for text option

There are cases where detection based on a window class and title is not enough to distinguish multiple windows. For example, assuming you need to configure a detection method that distinguishes between two authentication windows that are both standard dialog boxes (class "#32770") and have the same title (for example, Enter password). Such a case requires that you configure an advanced detection method.

This method performs a search for a specific text in the window’s fields (Windows controls).

To configure advanced detection, select in the window list the window that must be detected, and select fill-in the Look for text area.

Two search methods exist:

l In the whole window: the text is searched in all the window fields.

l In Field: allows you to specify a field where the search will be carried out for a finer search. This field can be configured with the small target button by dragging and dropping it onto the target field. The field content will be automatically pasted in the look for text field.

The search comparison is of type contains and is not case sensitive.

l If the selected Windows control field identifier is 0xFFFF, the search is automatically extended to all the window control fields. This identifier is a special one and is used for generic static texts, it can also appear more than once in a window.

l Not supported by Microsoft Edge.



The Advanced button

You can define a list of constraints to redefine the advanced detection parameters, using the Advanced button. This button allows you to add constraints on windows that are detected by Enterprise SSO, to enable or disable the Single Sign-On, as described in the following procedure:

1. In the Detection tabbed panel, click the Advanced button.


2. Click the Add button.


3. Fill-in this window with the following guidelines:

l The fields are already filled in by default with the values of the selected target window.



l Use the target button only if the target window is not the wanted one.

l If you select only the Signature check box, the SSO will be disabled, as this parameter changes.

l If you select several check boxes to define the constraint, the application containing the window to detect must meet all the parameters defined by these check boxes.

4. Click OK.

The constraint is added to the constraint list.

IMPORTANT: Remember that Enterprise SSO detects the window if only one of the listed constraints is verified

Restrictions

To authenticate to an application, Enterprise SSO implements the user’s sign-on for him. Therefore, Enterprise SSO considers that an application is valid as soon as the user is able to enter the information requested by the application.

Consequently, Enterprise SSO only detects windows that are:

l Visible.

l Not minimized.

l "Active" in the Windows sense, i.e. they can accept user inputs.

Therefore, Enterprise SSO cannot perform SSO for minimized or hidden windows.

User Interface

In this section, we introduce the tools and elements of the user interface that allow you to configure windows of type Windows.

The tools are:

l The target button that allows you to select a Windows control (field or button).

l The optional parameter list that allows you to enter SSO data other than user name/password.

l The actions list to be performed after the fields have been filled.

In this section:

l The Target button

l Validation Actions



The Target button

You can use the following target button to select a window control field of type Windows

(text field, button, etc.) with the target button.

This target can be used in two ways:

l By performing a drag and drop onto the target control field: click the target and keep the mouse button down; the mouse cursor changes to a target; drag it to the target control field and release the mouse button.

Once the mouse button has been released, the field is updated with the control field information (and the intermediate windows/control fields if they exist):

The information displayed gives the control field identifier (in hexadecimal), its class and the text found when the control field was detected.

A new window can be opened by clicking the target button:

l By directly clicking the target button to display all the control fields in the window.

In the Control Detection window, a new target icon allows you to select the desired control field (with drag and drop). This window allows you to see the selected control field’s details and the different levels of nested windows between the control field and the base window. This is useful for example to select control fields with the same name in windows containing multi-frames. You can click on a control field to highlight the corresponding field in the window.



Only the path from the base window to the target is displayed. To see all the other control fields/windows, you must select the Display all window details check box.

You can also receive the control by its position by selecting the Identify the control by its position in the control hierarchy check box.

NOTE: You must re-select the windows to activate this mode

You can force the use of Accessibility API to manage field detection by selecting the Activate Accessibility usage check box The tree is then updated with the controls retrieved from the accessibility API. You can then select the desired field.

You can force the text conversion for sites requiring a specific character format. Select one of the elements form the drop down list:

l No modification: the text is sent as it is.

l Convert to lowercase: the text is converted into lower case letters.

l Convert to uppercase: the text is converted into upper case letters.

l Convert to capitalized: the first letter of the first word is converted into upper case letters.

Validation Actions

When the fields have been filled by Enterprise SSO, you must validate the window with the Enter key or by clicking the OK button (for example). In most of the windows of type Windows, you have the following choices:

Generic Plug-in Actions

In this section:

l StandardLogin – Connection

l BadPassword

l NewPassword

l ConfirmPassword

l BadNewPassword



StandardLogin – Connection

This type of window is the most frequent one; it performs the login for most of the applications of type Win32, Web and Java.

In this section:

l Window Description

l Defining Additional Fields (Optional)

l Enterprise SSO Behavior

Window Description

This property page enables you to specify:

l The field that will receive the user identifier (or username) that allows the user to connect to the application.

The path of the field in the application appears next to the identifier.



l The field that will receive the password associated with the username.

l The Do not prompt for user account check box: when you select this check box, if a user reconnects to an application and has several accounts, it is the active account that is automatically used.

l Additional authentication parameters, if needed. For more details, see Defining Additional Fields (Optional).

l The window validation method.

Defining Additional Fields (Optional)

Subject

This section focuses on the Additional fields customization area of the Actions tab of the StandardLogin window type. This area allows you to define more fields than simply the couple of fields user name/password of the target application authentication window.

Before starting

The definition of additional fields is only possible if additional parameters are defined in the Application object associated with this window For more details, see The "Parameters" Tab.

Procedure

1. Click the Customize button.




This window allows you to associate a Parameter with an authentication field of the target application.

2. Select the wanted parameter in the list.

NOTE: The Description field is in "read-only" mode. It displays the value of the Description field filled-in upon the creation of the parameter at Application level.

1. Use the target button to select in the target application the wanted authentication field.

2. Click Insert.

The parameter appears in the window.

3. If necessary, repeat the operation with other parameters.

4. Click OK.


In Enterprise SSO, the following actions are performed after the window has been detected:

l The username and password associated with the application are retrieved from the security system:

l If required, the user will be prompted to choose one of his accounts.

l If the selected (or single) account has no data, Enterprise SSO will ask the user for the associated password and will save it in the security database (collect).

l Data is sent to the window.

l Optional parameters associated with the selected account are retrieved from the security system: if one parameter value is unknown in the security system, it is collected.

l Parameters are sent.

l The window is validated.

l BadPassword and NewPassword window types are activated.

If the user clicks on Cancel, SSO is deactivated for the concerned application. To replay SSO, the application must be reactivated in Enterprise SSO.

BadPassword

Detects that the login previously submitted to the application by the SSO engine has been rejected by the application. The login must therefore be recollected and submitted to the



application. This window is triggered only if the SSO has already been performed on the application.

In this section:



Window Description


l The validation method after the password has been updated in the security database (with a new authentication if needed).

l The cancellation method of the window if the password update fails in the security database.

l The field that will receive the user identifier (or username) if the user is prompted to re-authenticate.

l The field that will receive the user password if the user is prompted to reauthenticate in the same window.

l The optional parameters, if re-authentication is proposed in the same application window. For more details, see Defining Additional Fields (Optional).




Full Version Behavior


l The user is warned that the password stored in the security system is not the right one for this application; he is prompted to enter the right password (the user can also change the identifier if he has misspelled it in the collect window).

l If the user cancels the window or if an error occurs, the window is canceled according to the selected method.

NOTE: If the user clicks on Cancel and no method is indicated, SSO is deactiv-ated for the concerned application. To replay SSO, the application must be reactivated in Enterprise SSO

l If the new username/password pair is validated by the user and the security database is updated successfully:

l The specified username, password and optional parameters are sent to the application.

l The window is validated according to the specified method.

Access Collector Mode Behavior

l If you configure a BadPassword window without specifying a login or password field, the detection of the window deletes the collected account. At the next login window detection, a new collect will be performed.

l If you configure a BadPassword with sending of a login or a password, a BadPassword window will appear to collect the right account. If the user cancels this window, then the account is deleted and the collect will be restarted at the next user connection.

NewPassword

Detects that a new password is requested by the application. This window is triggered only if the SSO has already been performed on the application.

In Access Collector mode, the NewPassword window type is not available.

In this section:





Window Description

This property window allows you to enter:

l The field that will receive the old password (optional).

l The field that will receive the new password (optional).

l The field that will receive the new password as a confirmation (optional).

l The window validation method if the password has been successfully updated in the security database.

l The cancellation method in case of failure or if the user cancels the window.



l If specified, the old password is sent (if the application can have many sessions at the same time and if several accounts are used, Enterprise SSO will ask the user to choose the relevant session).

l The application asks the user for a new password or computes it itself (according to the PFCP associated with the application).



l If the password is confirmed, the new password is saved in the security database.

l In case of failure, the window is canceled.

l In case of success, or without confirmation:

l The new password is sent (if requested).

l The new password is sent again (if confirmation is needed).


l BadNewPassword and ConfirmPassword window types are activated.

If the user clicks on Cancel, SSO is canceled for the concerned application. To replay SSO, the application must be relaunched.

Observation

As previously explained, the new password will be saved in the security database only after it has been confirmed:

l Either in the same window (New password and Confirm password fields set).

l Or in another window (NewPassword or ConfirmPassword) if the New password field has been set.

ConfirmPassword

Confirms a new password if it has not been done in the NewPassword window type. Default operation: a new password has been provided but not confirmed.

In Access Collector mode, the ConfirmPassword window type is not available.

In this section:





Window Description

This window allows you to configure "Confirm New Password" window management:

l The field that will receive the old password (optional).

l The field that will receive the new password as a confirmation.

l The window validation method if the password has been successfully updated in the security database.




l The old password is sent (if requested).

l The password is updated in the security database.

l In case of failure, the window is canceled.

l In case of success, the window is validated and the ConfirmPassword and BadNewPassword window types are disabled.



BadNewPasswordDetects that the new password submitted to the application is rejected. This window restores the old password and asks the user to re-enter a new password. If the PFCP et PGP are configured correctly, this window should not appear. Default operation: a new password has been submitted but not confirmed or a new password has been confirmed.

In Access Collector mode, the BadNewPassword window type is not available.

In this section:



Window Description

This window type allows you to configure the BadNewPassword window type behavior by specifying the window validation method.





l The old password becomes the current password.

l NewPassword window types are reactivated.


Special Cases

"Standard" window types do not allow you to manage all kinds of applications, therefore, Enterprise SSO provides some tools that allow you to manage these cases: Custom Scripts and the OLE/Automation Interface. However, for well-known and commonly used applications, specific window types are provided to speed up configuration and optimize SSO processing.

In this section:

l NotesLogin (Lotus Notes Plug-in)

l HTTP Authentication (Internet Explorer Plug-in)

NotesLogin (Lotus Notes Plug-in)

The Lotus Notes plug-in has a window type that manages Lotus Notes 4.x, 5.x and 6.5 authentication windows, but it is generally used for all the applications that always display the login and ask for the password to be entered.

A NotesLogin window type automatically selects the user account according to the account name displayed in the window. If the user owns:

l Only one Lotus Notes account, the account will have to match the requested account name; otherwise SSO will not be performed.

l Several accounts: Enterprise SSO will choose the user account corresponding to the requested account name. If none matches the requested account name, SSO will not be performed.

In this section:

l Lotus Notes Identifier Format




l Configuring the Field Containing the Lotus Notes Login


Lotus Notes Identifier Format

The Lotus Notes identifier (or username) can be stored in the Enterprise SSO security database using Lotus Notes formats (username, account name, Lotus Notes canonic name).



Window Description

This tabbed panel is pre-configured and should not be modified. However, if the SSO Engine actions does not work with the pre-configured parameters, drag and drop the target buttons onto the target fields of the Lotus Notes login window, and if required, modify the pre-configured parameters.



Configuring the Field Containing the Lotus Notes Login

The first field is the one that contains the Lotus Notes username (Enter the password of…). The field must be selected using the target button.

In the field where the complete Lotus username is shown, ensure that all entries are

deleted, and that only the symbol remains.

Select the password field using the target button.

Clear the automatic window validation field.

NOTE: When only one Notes account is accessed from the workstation, you can check the automatic window validation field. We recommend you to activate this option only in Personal configuration mode.



l The Lotus Notes identifier is retrieved from the field as shown above.

l A search is conducted for the account name in all the accounts associated with the application (beginning with full names):

l If necessary, the user will have to choose between the accounts that match (or those that have no data associated with them).

l If a single account matches (or has no data), Enterprise SSO will prompt the user for the associated password and will save it in the security database (collect).

l The password is sent to the password field.

l The window is validated; if the automatic validation option has not been selected in the configuration.

l BadPassword and NewPassword window types are activated.

HTTP Authentication (Internet Explorer Plug-in)

When you connect to some websites, an HTTP authentication window is displayed. Under Windows XP, this window looks like this:



This window can be managed using the StandardLogin window type. However, if the password entered is not correct, the same window is displayed again with the same username that was previously entered in the User name field (The first time this window is displayed, no username is displayed). This window type has been created to manage such a case (StandardLogin and BadPassword mix).

NOTE: This window is quite different for each of the Microsoft operating systems other than Windows XP. If you have a heterogeneous computer installation, you will have to define several windows of this type in your configuration.

The Netscape 4.7 HTTP authentication window is managed by the StandardLogin window type.

In this section:



Window Description

The configuration page looks like this:



As for StandardLogin, you have to set the identifier and password fields with the target button.

For the identifier field, be sure to select the field within the drop down list and not the list itself.

Internet Explorer allows you to save passwords. However, you may prefer to use Enterprise SSO. So clear the Remember my password check box and select the check box with the target tool.

Once the SSO data has been sent to the fields, you can validate the window.


SSO actions for this window type correspond to StandardLogin and BadPassword window types:

l The content of the Identifier field is retrieved: if it is empty, it is a StandardLogin behavior:





l If the selected (or single) account has no data, Enterprise SSO will ask the user for the associated password and will save it in the security database (collect).

l Data is sent to the window.

l Clear the Remember my password check box.


l BadPassword window type is activated.

l If the identifier is not empty, it is a BadPassword behavior:



l Username, password and optional fields are provided for the application.


l NewPassword window types are activated.

HTTP Authentication with Google Chrome

Subject

Creating an authentication window for Google Chrome is different due to its limitations. Indeed, when HTTP authentication windows of type "popup" appear in Google Chrome as follows:

the URL and the fields of this popup window are not detected automatically.

Procedure



1. Create a StandardLogin window type.

2. In the Detection tab, drag & drop the target icon onto the authentication window.

The name of the authentication window appears in the URL field.

3. In the Parameter of the web page area, select the Look for text check box and click the target.

The Control Detection window appears.

4. In the list of controls, select the server name and click the OK button.



5. Select the Actions tab and use the same control detection method for the following fields:

l Identifier.

l Password.

l Press the button.

6. Click OK.

You StandardLogin window for Google Chrome has been created.



5

The Google Chrome Extension

Description

The Chrome extension manages SSO in the HTML document windows of the Google Chrome browser. It works with HTML document forms.

The Chrome extension provides the same window types as the generic plug-in. For more information, see The Generic Plug-in.

In this section:

l Installing the Chrome Extension

l Configuring the Technical Definitions and Windows

Installing the Chrome Extension

Prerequisites

l For the Chrome extension to work properly, the Microsoft Visual C++ 2012 (32-bit) redistributable must be installed on each workstation where the extension is installed.

l The Google Chrome Web browser must be installed on the workstation(s).

Description

The Chrome extension can be installed in two ways:

l Globally, through GPO: see Global Installation.

l Locally, from the Chrome Web Store on each workstation: see Local Installation.

IMPORTANT: At the end of the installation, restart Google Chrome and Enterprise SSO.

In this section:


The Google Chrome Extension135

l Global Installation

l Local Installation

Global Installation

Description

If you have a group strategy (GPO), you can install the Chrome extension globally.

Procedure

Follow the instructions described in the following URL to set the Google Chrome registry key: http://dev.chromium.org/administrators/policy-list-3#ExtensionInstallForcelist

NOTE: The extension identifier is mheiphfcfdhlkecdhpgblhpemkecaheh

The extension is installed when Google Chrome is started.

Local Installation

Description

You can install the Chrome extension independently on each workstation via the Chrome Web Store.

Procedure

1. Open your Google Chrome browser and enter the following URL:https://chrome.google.com/webstore/detail/enterprise-sso/mheiphfcfdhlkecdhpgblhpemkecaheh

2. Click on Add to Chrome.

3. Confirm the installation by clicking on Add extension.

The extension is installed.

NOTE: To check the extension installation, you can go to the Chrome extensions menu (chrome://extensions).



Configuring the Technical Definitions and Windows

The technical definitions and windows configuration for Google Chrome must be performed in Internet Explorer (see Defining Application and Technical Definition Objects and Defining Window Objects).

Once the configuration is performed, if the user starts Google Chrome to access a URL and a corresponding technical definition is configured in Enterprise SSO, then SSO will be performed in Google Chrome.



6

The Microsoft Internet Explorer Plugin

Before starting

l This plug-in is deprecated. To create new windows allowing SSO with Internet Explorer, Firefox or Chrome, use the Generic plug-in (The Generic Plug-in) and/or the Chrome extension (The Google Chrome Extension).

l Use the Microsoft Internet Explorer plug-in only to modify SSO configurations already using windows defined through this plug-in.

l To migrate windows created with the Microsoft Internet Explorer plug-in to the Generic Plug-in, create the same windows using the Generic plug-in.

Description

The Microsoft Internet Explorer plug-in manages SSO in HTML documents in Microsoft Internet Explorer 5.5 and 6.0. It works with HTML document forms.

The Internet Explorer plug-in provides several window types detailed in the following table:

Window Type Description

IELogin HTTP, Firewall or Proxy connection windows.

HTMLLogin Web/HTML application connection window.

HTMLBadPassword

HTML page which indicates that the password entered in the HTMLLogin window is not correct, this allows SSO data collect mode.The right username and password may be entered again this time.

HTMLNewPassword HTML page which prompts for a new password (and generally for a confirmation).


The Microsoft Internet Explorer Plugin138


HTMLBadNewPassword Window type used to handle new password refusals in HTML pages.

In this section:

l HTML/Internet Explorer Detection

l User Interface

l HTML/Internet Explorer Actions

HTML/Internet Explorer Detection

The detection of HTML pages is URL-based.

Start Internet Explorer.

NOTE: For Windows 2003 servers, check that the Internet Explorer option Enable third-party browser extensions (in Internet options>Advanced>Browser) is selected.

The HTML Detection property page looks like this:

To fill-in the URL field, use the Get URL button. The following window appears:



The list of open HTML documents in Internet Explorer windows (and frames) is displayed.

The list of HTML forms (and their associated fields) is displayed for information only.

The Internet Explorer button allows you to launch Internet Explorer if it is not already running (same as launching it from the Start menu).

To select an URL, just select the line that shows the URL, or one of its elements. The selected URL is shown in bold.

The HTML page display is dynamically updated as you open new HTML windows or navigate within Internet Explorer The Refresh button allows you to force the display and remove windows which are no longer displayed.

NOTE: If only one HTML document is opened, its URL will automatically be pasted in the URL field if it was empty.

In this section:

l Variable URLs

l Advanced Detection

Variable URLs

For more information, see The Enable Variable URL Detection option.



Advanced Detection

Advanced detection in an Internet Explorer HTML page is based on text search.

The dialog box that allows you to configure the advanced detection parameter:

You can enter a text using the keyboard or select it with your mouse in an HTML page and click the Capture button: the text is pasted in the field.

There are two search methods:

l Text must be Present: if the text is found on the page, detection is successful.

l Text must be Absent: if the text is found on the page, detection fails.

User Interface

In this section, we introduce the tools and elements of the user interface that are used to configure HTML/Internet Explorer window types.

These tools are:

l The HTML form selection tool which allows the association of an SSO parameter (username, password, optional parameter) with an HTML form field.

l The custom parameters list which allows the setting up of additional parameters (other than username and password) which will be sent to the application to perform SSO.

l The HTML form submission-method selection tool (same icon ).

In this section:

l Selecting a Field in an HTML Form

l Custom SSO Parameters



l Submitting an HTML Form

Selecting a Field in an HTML Form

The field selection window for an HTML form is as follows:

This window displays, in a list, all the forms (and their fields) contained in the HTML page selected in the detection page.

The fields are displayed in order and an icon distinguishes the clear text fields from the

fields containing a password . The associated text is the field’s internal name (HTML).



The forms are differentiated by their names. If several forms have the same name (or are unnamed), the position is displayed in brackets: this is the position in the page compared to all forms with the same name.

NOTE: If you do not want to use this field, validate by clicking the Clear button

Custom SSO Parameters

The following window allows you to enter and configure optional parameters that will be sent to the target application:

To customize an optional field, proceed as follows:

Procedure

1. Select the parameter in the list.

2. Fill-in Associated Field by using the target to select the target control field.

3. Click the Insert button to customize the optional field.

4. Validate by clicking OK.

Submitting an HTML Form

The window for setting up the HTML form submission method is the following:



This window offers two submit methods:

l Simple submit or submit by clicking a Button.

l Advanced submit by clicking a link.

In this section:

l Simple Submit / Button Click

l Click a Link

Simple Submit / Button Click

l To submit a form by simulating the Enter key, simply select the form.

l To submit the form by clicking a button, select the desired button.

l To check that it is actually the desired button, you can make it flash in the HTML page using the Highlight button.

Click a Link

This method is used to submit a form by clicking a text or an image starting a JavaScript script.

Such a link is recognized by its URL starting with javascript:



HTML/Internet Explorer Actions

In this section:

l HTMLLogin – Connection

l HTMLBadPassword

l HTMLNewPassword

l HTMLBadNewPassword

HTMLLogin – Connection

In this section:

l Configuration.

l Actions

Configuration.




l The field that will receive the user identifier (or username) that allows the user to connect to the application.

l The field that will receive the password associated with the username.

l Optional parameters, if needed.

l The form-submit method.

Actions




l If the selected (or single) account has no security data in the security system, Enterprise SSO will prompt the user for this data and will save them in the security system (collect).

l Data is sent to the form fields of the HTML page.

l Optional parameters associated with the selected account are retrieved from the security system: if any parameter value is unknown, it is requested from the user and then stored in the security system.

l Parameters are sent.

l The form is submitted.

l BadPassword (HTML) and NewPassword (HTML) window types are activated.

HTMLBadPassword

In this section:

l Configuration

l Actions



Configuration


l The validation method after the password has been updated in the security database (with a new authentication if needed).

l The HTML field that will receive the user identifier (or username) if the user is prompted to re-authenticate.



l The HTML field that will receive the user password if the user is prompted to reauthenticate in the same window.

l The optional parameters, if re-authentication is proposed in the same application window.

Actions

In Enterprise SSO, the following actions are performed after the HTML page has been detected:



l The specified username, password and optional HTML parameters are sent to the application.

l The HTML form is validated according to the specified method.

HTMLNewPassword

In this section:

l Configuration

l Actions



Configuration

This property page allows you to enter:

l The HTML field that will receive the user identifier (or username).

l (Optional) The HTML field that will receive the old password.

l (Optional) The HTML field that will receive the new password.

l (Optional) The HTML field that will receive the new password as confirmation.

l The HTML form-submit method if the password has been successfully updated in the security database.


Actions


l If specified, the user identifier and the old password are sent (if the application can have many simultaneous sessions and if several accounts are used, Enterprise SSO will ask the user to choose the relevant session).





l In case of failure, the submission is canceled.





HTMLBadNewPassword

In this section:

l Configuration

l Actions

Configuration




l The validation method after a new password has been refused.

l (Optional) The HTML field that will receive the user identifier (or username) if the user is prompted to re-authenticate.

l (Optional) The HTML field that will receive the old password.

l (Optional) The HTML field that will receive the new password.

l (Optional) The HTML field that will receive the new password as confirmation.

Actions


l The old password becomes the current password.

l If specified, the user identifier and the old password are sent (if the application can have many simultaneous sessions and if several accounts are used, Enterprise SSO will ask the user to choose the relevant session).



l In case of failure, the submission is canceled.





l NewPassword window types are activated.



7

The SAP R/3 Plug-in

This section describes the Enterprise SSO SAP R/3 plug-in for Enterprise SSO.

The SAP R/3 plug-in provides different types of windows for the management of SSO, depending on the version of SAP R/3 clients and servers. To identify the window corresponding to each version of the SAP R/3 components, see Evidian EAM Release Notes.

NOTE: The SAPLogin and SAPExpired window types defined in version 3.71 of Enter-prise SSO are still available, to ensure the continuity of deployed configurations. However, we recommend that these are ported to SAPGUI Scripting window types.

In this section:

l SAPLogin and SAPExpired Window Types

l Basic Principles of the SAP R/3 Plug-in

l Configuration Guide

SAPLogin and SAPExpired Window Types

In this section:

l SAPLogin (SAP R/3 Login)

l SAPExpired (SAP R/3 Password Expiry)

SAPLogin (SAP R/3 Login)

This window type manages SAP R/3 4.5 connection. It includes bad password management (BadPassword).

NOTE: With version 4.6, only authentication is managed: due to technology modific-ation, Enterprise SSO does not detect bad passwords anymore.


The SAP R/3 Plug-in152

To configure a window type SAPLogin, you have to specify the following parameters:

NOTE: This window is pre-selected and should normally not be modified.

l Fields

l SAP Main Field is where SSO data should be sent. Field selection can be

done with the target .

l SAP Status bar is the field where errors are displayed. Field selection can be

done with the target (target button).

l Error text is the message displayed by SAP R/3 in case of error. This allows Enterprise SSO to deal with bad passwords (SAP R/3 4.5 only).

l Window parameters

Language and Client Name parameters can be associated with parameters stored in the security database.

l Window Validation

The authentication window is validated with the Enter key.

SAPExpired (SAP R/3 Password Expiry)

This window type manages SAP R/3 4.5 password expiry.

NOTE: In Access Collector mode, the SAPExpired window type is not available.

In the configuration window, fill in the SAP main field with the button.

Basic Principles of the SAP R/3 Plug-in

Prerequisites

l SAPGUI 6.20 Scripting must be activated on the SAP R/3 server, with the following parameter:

l Sapgui/user_scripting = TRUE

l SAPGUI Scripting must be activated on the SAP R/3 client.

l The connection description in the SAPLogon must not use the slow connection parameter.

l SAPGUI Scripting works only with the new SAP R/3 visual design.



Configuration Guide

In this section:

l Configuring an SAP R/3 Application

l Configuring the SAPGUI Scripting Window

Configuring an SAP R/3 Application

An application should be configured with the Enterprise SSO configuration editor. For SAP R/3 applications, use the SAP application model in ESSO Enterprise Studio.

Configuring an Application for SAPGUI Scripting

If you use SAPGUI Scripting window types, the OLE/automation option in the configuration is not required. It should, therefore, be left inactivated.

Configuring the SAPGUI Scripting Window

In this section:

l The Detection Tab

l The Actions Tab

The Detection Tab

The detection of SAP R/3 connections is based on their connection servers or server groups:



To specify an SAP R/3 server or group of servers, use the following options:

l Name (mandatory): server name (SAP R/3 hostname) or server group name for which SSO is to be performed.

l SAP system name: SAP R/3 name of the system in 3 characters (database ID).

l Direct server connectionDetect the System Number: provide the SAP R/3 System Number if the target server is running more than one copies of SAP R/3.

l Group with load balancingMessage Server: enter the SAP R/3 message server name as it is configured in the SAPLogon module if there are a several SAP R/3 groups with the same name but with different messages servers.



The Actions Tab

Description of the SAP R/3 parameters

At authentication time, Enterprise SSO can fill the language and client name fields as defined in the SAP R/3 application model. These parameters must be declared in the Parameters tab of the application object.

l Automatic validation of the credentials: the user does not have to validate the credentials sent by E-SSO to start an SAP session. The Auto validate login page check box is selected by default.

l Changing the SAP R/3 user’s password: by default, Enterprise SSO manages the authentication process, and the user cannot change his or her SAP R/3 password at this stage but must use the password change transaction once connected. To avoid the complexity inherent in this procedure, activating this option will result in Enterprise SSO asking the user if a change of password should be made during connection to SAP R/3; Enterprise SSO will then manage all the password change processes as required.

l Automatic validation of the connection notification: the SAPGUI Scripting technology causes a message to appear, notifying the user that a script is connecting to SAPLogon. By activating this option, and by declaring the notification window title (by default this is saplogon), Enterprise SSO will automatically validate the notification



as required. The notification will still appear in non-Enterprise SSO connections, and therefore for other scripts.

l To define error messages, click the Errors button:

Error messages are detected by Enterprise SSO so that it can react when there is a password desynchronization problem, when there is a password change, or if the new password is refused by the SAP R/3 system. In addition to the pre-configured error messages, you can declare your own specific messages:

l By content: enter a message and assign a meaning to it. Enterprise SSO will look for the message in the status bar or error dialog box. In this case, it is the message string that is looked for. It is dependent, therefore, on the language of the SAP R/3 client.

l By reference: if you also specify the SAP R/3 ABAP reference of the message, Enterprise SSO will look for the reference of the message, and not its content. Thus, it becomes independent from the client language. In this case, the content of the message field is simply for informative purpose.

NOTE: The list of message references can be found using the transaction SE16, table T100.

Authentication steps:

l Connection refused: the SAP R/3 system has refused the connection. The user may be locked, or the server unavailable.

l Invalid password: the user password is incorrect. A new password is requested through Enterprise SSO’s data collection windows.



l New password refused: the user has just changed the password, but the SAP R/3 system does not accept it. A new password is requested through Enterprise SSO’s data collection windows.



8

Terminal Type Applications

Terminal type windows manage SSO in text fields emulating a line mode terminal. The terminal must be displayed in a text-edit control field.

NOTE: Some emulator windows may not meet this requirement. In this case, the use of other methods like OLE/Automation interface access is necessary.

The way this window type works is slightly different from the way other window types work, since the SSO events correspond to the display of messages; in addition, all the SSO states are managed in the same window.

Once the connection has been set up, SSO is disabled for this window.

Two window types offer the management of terminals:

l Terminal (from Standard plug-in).

l MSTelnetW2KXP (from Microsoft applications plug-in).

NOTE: Enterprise SSO also works with PUTTY.

The detection of these window types is the same as for the Windows type.

However, the Actions part covers all standard window types: it is used to manage the opening of a full session (including bad and new passwords management) running in text mode and in a single Windows control field (usually an Edit field). It simulates the user keyboard entries and controls the state of the connection status by detecting text banners.

In this section:

l Terminal

l Microsoft TelnetW2KXP

l Banners

Terminal

This window type has been created to manage the terminal connections in Edit fields, especially the Windows remote access pre- and post- dial-up terminals.

Its configuration window is the following:


Terminal Type Applications159

The Host Control field must contain the whole text used for connection. Using the target icon, click the terminal window; this will copy the text across.

The behavior regarding the text banners is defined by clicking on the Banners button (see Banners).

If you have difficulties or if you want to optimize the processing, you can also set up the timing between two searches for banners.

Once SSO has been performed, or in case of failure, it is possible to click a button to close the window. Using the target icon, click the terminal window; this will copy the button across.

Microsoft TelnetW2KXP

Two window types are available for managing the Microsoft TelnetW2KXP application:


MSTelnetW2KXP Telnet Microsoft for Windows 2000 and XP OS

MSTelnet Obsolete for compatibility purpose



Its configuration window is the following:

If you have difficulties or if you want to optimize the processing, you can also change the performance-tuning parameters:

l The timer between the detection of two banners.

l The timeout canceling the SSO for the window.

Banners

The banners configuration window is the following:



This window allows you to specify SSO events (the detection of text in a new text line) and the behavior to be associated with them.

The possible behaviors are:

Event Description

Identifier The text indicates a username request.

Password The text indicates a password request.

Custom Parameter An additional parameter is requested.

Connection OK The text indicates that the connection is successful. It stops the SSO.

Enter new password The text indicates that a new password is requested.

Confirm new password The text indicates that the same new password must be confirmed.

Bad password The text indicates that there is a wrong password in the security database.

Connection refused The text indicates that the connection failed. It stops the SSO.



Event Description

Do not press Enter key if the value is greater than...

Defines the number of characters above which the Enter key is not sent.

If the value is 0, the Enter key is never sent.

To add an event, you must:

l Indicate the text to look for in the Banner field.

l Select the associated event.

l Click the Add button.

To edit an event, you must:

l Select it in the list.

l Click the Edit button: it will disappear, and the information is displayed in the bottom fields.

l Edit the information.

l Click the Add button: the information is then added at the bottom of the list.

To delete an event, you must:

l Select it in the list, click the Delete button.



9

The HLLAPI Plug-in

Subject

This section describes how to enable SSO or account collect (in Access Collector mode) for applications using HLLAPI.

HLLAPI Definition

The HLLAPI (High Level Language Application Program Interface) is an IBM API that allows a PC application to communicate with a mainframe computer. HLLAPI requires a PC to run a 3270 emulation software and then defines an interface between a PC application and the emulation software.

IMPORTANT: In the next sections, the term "HLLAPI applications" designates the applications that are using HLLAPI.

In this section:

l Configuring the HLLAPI Plug-in

l Enabling SSO for HLLAPI Applications

l HLLAPI Application Keys

Configuring the HLLAPI Plug-in

If the default configuration parameters used to implement the HLLAPI plug-in are not working with your HLLAPI application, or if you want to configure Single Sign-On for different types of HLLAPI applications installed on the same workstation, you must modify keys and values in the Windows Registry to fit your requirements.

IMPORTANT: Modifying the Windows Registry may damage your Windows system. It is strongly recommended to be accommodated with the Registry Editor to modify keys and values

In this section:


The HLLAPI Plug-in164

l Configuring the HLLAPI Plug-in for a Single Application

l Configuring the HLLAPI Plug-in for Different Types of Applications

l HLLAPI Plug-in Registry Keys

Configuring the HLLAPI Plug-in for a Single Application

1. Start the Registry Editor and add the HLLAPI key in HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\SSOWatch

2. Add the values detailed in HLLAPI Plug-in Registry Keys depending on your requirements.

NOTE: It is not mandatory to set all the values listed in "HLLAPI Plug-in Registry Keys". If a value is not set, the default value data is used.

Configuring the HLLAPI Plug-in for Different Types of Applications

1. Start the Registry Editor and add the HLLAPI key in HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\SSOWatch

2. Create the following value:

Value name EnableMultiEmulator

Description Enables/disables the management of different types of HLLAPI applications on the same workstation.

Type REG_DWORD

Value data 0: disabled.

1: enabled.

Location HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\SSOWatch\HllAPI



3. Add as many sub-keys as there are types of applications in HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\SSOWatch\HLLAPI.

Example: to add Attachmate EXTRA! and Rumba terminal emulation applications, you can create the following sub-keys:

HKLM\SOFTWARE\Enatel\SSOWatch\HLLAPI\Attachmate EXTRA!

HKLM\SOFTWARE\Enatel\SSOWatch\HLLAPI\Rumba

4. Add in each sub-key the values detailed in HLLAPI Plug-in Registry Keys depending on your requirements.

Example:[HKLM\SOFTWARE\Enatel\SSOWatch\HLLAPI\Attachmate EXTRA!]

"HllLibrary"="C:\\Program Files\\Attachmate\\E!E2K\\ehlapi32.dll"

"HllEntryPoint"="hllapi"

"HLLAPI-32bit"=dword:00000000

HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\SSOWatch\HLLAPI\Rumba

"HllEntryPoint"="hllapi"

"HllLibrary"="D:\\Program Files\\NetManage\\RUMBA\\System\\ehlapi32.Dll"

"HLLAPI-32bit"=dword:00000001

"IgnoreWindowsHandle"=dword:00000001

"UseTitleInDetection"=dword:00000001

HLLAPI Plug-in Registry Keys

NOTE: If the EnableMultiEmulator key is set to 1 (see Configuring the HLLAPI Plug-in for Different Types of Applications), the registry keys listed in this section that are located directly under HKLM\SOFTWARE\Enatel\SSOWatch\HllAPI are ignored.

Value name EnableMultiEmulator

Description Enables/disables the management of different types of HLLAPI applications on the same workstation.

Type REG_DWORD

Value data 0: disabled.

1: enabled.



Location HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\SSOWatch\HllAPI

Value name HllLibrary

Description DLL file that must be used by the HLLAPI plug-in.

IMPORTANT: If the EnableMultiEmulator key is set to 1, this value must be set (no default value allowed).Replace this text with a notation that requires the reader's attention.

Type REG_SZ

Value data Pathname of the .DLL file.

Default value: PCSHLL32.dll

Location Single application: HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\SSOWatch\HllAPI

Multi applications: HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\SSOWatch\HllAPI\<App. Name>, where <App. Name> is the name of the HLLAPI application.

Value name HllEntryPoint

Description Name of the HLLAPI function in the DLL file.

IMPORTANT: EnableMultiEmulator key is set to 1, this value must be set (no default value allowed).

Type REG_SZ

Value data Default value: hllapi





Value name HLLAPI-32bit

Description Specifies that the HLLAPI application is a 32-bit application.

IMPORTANT: If the EnableMultiEmulator key is set to 1, this value must be set (no default value allowed).

Type REG_DWORD

Value data 1 (default): 32-bit application

0: 16-bit application



Value name IgnoreWindowsHandle

Description Allows Enterprise SSO to support HLLAPI libraries which are not able to return Windows handle properly.

Type REG_DWORD

Value data 1: enabled.

0 (default): disabled.



Value name UseTitleInDetection

Description Allows the Enterprise SSO engine to detect the title of the HLLAPI application.

Type REG_DWORD



Value data 1 (default): enabled (displays the Title check button in the Detection tab. For more details, see The Detection Tab).

0: disabled.



Enabling SSO for HLLAPI Applications

Subject

To enable SSO for HLLAPI applications, you must declare the application in the Enterprise SSO configuration and define the window types that must be detected by Enterprise SSO, as described in the following procedure.

Before starting

l Your emulation software must be configured to establish connections through HLLAPI.

l Check that the global configuration parameters used to implement the HLLAPI plug-in are correctly set (as described in Configuring the HLLAPI Plug-in ).

Procedure

1. In ESSO Enterprise Studio, create a new Application.

The Application object appears under the Applications node.

2. Right-click the Application object and select New Window.

The Window Properties window appears.

3. Fill-in the General tab with the following guideline: in the Window Type drop down list, define one of the following screens:

l HLLAPI Login: login screen of the HLLAPI application.

l HLLAPI Bad Password: screen indicating a wrong password/username.

l HLLAPI New Password: screen requesting a new password (this screen can be a specific screen or the login screen. Not available in Access Collector mode).



l HLLAPI Standard: screen that does not need any authentication data (not available in Access Collector mode).

l HLLAPI Confirm Password: new password confirmation screen (not available in Access Collector mode).

l HLLAPI Bad New Password: screen indicating that the new password in not correct (not available in Access Collector mode).

4. If necessary, fill-in the Options tab.

IMPORTANT: If you are defining an HLLAPI New Password screen, and if the new password must be provided in the login screen, then select Use Manual SSO State Conditions, click Configure and select SSO has been done. Password has expired and must be changed.

5. Fill-in the Detection tab: see The Detection Tab.

6. Fill-in the Actions tab: see The Actions Tab.

7. Click the OK button.

The Window object appears under the Application object.

8. To define other HLLAPI window types, restart from Step 2.

In this section:

l The Detection Tab

l The Actions Tab

The Detection Tab

Subject

The section gives information on how to fill-in the Detection tab for HLLAPI window types. This tab allows you to define the screen requirements to enable SSO.



Description

l The Connection Type area:

This area allows you to specify the communication standard used by the application.

IMPORTANT: If the connection type information is not available at HLLAPI level, Enter-prise SSO does not take into account this parameter.If you do not know the connec-tion type, select or clear all check boxes.

l The Strings to Detect area:

You must fill-in this area to define the strings that Enterprise SSO must detect to enable SSO. Read carefully the following guidelines:

l Enter the name of a string to detect.

l Absence of: select this check box to specify that the string must not appear in the application window.

l Position area: fill in this area to specify the position of the string to detect in the application window:

l Select Check Position.

l Define the row and column numbers of the string.

l Select Relative Coordinates if you want to specify a position relative to the position of the cursor.



l Click the Title check button to enter a part of the title of the window to be detected so that SSO is performed on the emulator.

NOTE:

l This button is displayed only if the UseTitleInDetection key has been positioned. For more information, see Configuring the HLLAPI Plug-in .

l Not all emulators enable you to retrieve the title name of the window.

l Click Add.

Example

In this example, Enterprise SSO enables SSO if:

l The Account Name string is located in the application window on the same row as the cursor (relative coordinates) and 14 columns before.

l The Password string does not appear in the application window.



The Actions Tab

Subject

The section gives information on how to fill-in the Actions tab for HLLAPI window types. This tab allows you to define the authentication data that Enterprise SSO must send to the terminal emulator.

Description

l The SSO Steps area:

This area allows you to sort and modify the actions that must be performed by Enterprise SSO in the terminal emulator window.

l The Actions area:

This area allows you to define the data that Enterprise SSO must send to the terminal emulator. Fill-in the window as follows:

l Send SSO parameter: select this option if you want to send an SSO parameter, and select in the drop down list the wanted entry.

l Send Key: select this option if you want to send a "common" key (as <enter> for example), and select the wanted key in the drop down list.



l Send if previous parameter shorter than: (activated only when the <tab> key is selected) when you select this check box, a tab is sent if the parameter is smaller than the number of characters you enter in the text field.

l Send Text: select this option either if you want to send a key that does not appear in the Send Key drop down list, or if you want to enter another text to send. Enter the text in the corresponding field.

NOTE: For more information on the list of keys that are compatible with many emulator software applications, see HLLAPI Application Keys .

l Once by instance: (appears only with the HLLAPI Standard window type). Select this check box if you want to specify that Enterprise SSO must carry out the actions listed in the SSO Steps area only one time per session instance. You can use this option to send further actions upon the detection of HLLAPI screens other than the HLLAPI screen types listed in the General tab.

l The Other button: if the actions listed above do not meet your requirements, you can define extended actions, by clicking the Other button.


Fill-in this window as follows:

l Sleep: select this option to suspend Enterprise SSO for a specified time before processing the next displayed action in the SSO Steps area.

l Exit DLL: select this option to call a function in an external DLL. If the function is found in the DLL, the indicator turns green.

NOTE: When SSO is implemented, the DLL is searched in the directory defined in the %PATH% environment variable of the user who is logged on If it is not found, the DLL is searched in the same directory as the one used during the configuration process.For more details on external DLL, see Extension DLL.



l Set cursor: select and define this option to set the cursor in a specific area of a window.

l Do not prompt for user account: when you select this check box, if a user reconnects to an application and has several accounts, it is the active account that is automatically used.

HLLAPI Application Keys

The following table lists the keys that are compatible with many emulator software applications.

Mnemonic Meaning 3270 5250 VT

@B Left Tab Yes Yes No

@C Clear Yes Yes No

@D Delete Yes Yes No

@E Enter Yes Yes No

@F Erase EOF Yes Yes No

@H Help No Yes No

@I Insert Yes Yes No

@J Jump (SetFocus) Yes Yes No

@L Cursor Left Yes Yes Yes

@N New Line Yes Yes Yes

@O Space Yes Yes Yes

@P Print Yes Yes Yes

@R Reset Yes Yes No

@T Right Tab Yes Yes Yes

@U Cursor Up Yes Yes Yes

@V Cursor Down Yes Yes Yes

@X* DBCS (Reserved) Yes Yes No

@Y Caps Lock (No action) Yes Yes No

@Z Cursor Right Yes Yes Yes




@0 Home Yes Yes No

@1 PF1/F1 Yes Yes No





@6 PF6/F6 Yes Yes Yes




@a PF10/F10 Yes Yes Yes

@b PF11/F11 Yes Yes Yes

@c PF12/F12 Yes Yes Yes

@d PF13 Yes Yes Yes

@e PF14 Yes Yes Yes

@f PF15 Yes Yes Yes

@g PF16 Yes Yes Yes

@h PF17 Yes Yes Yes

@i PF18 Yes Yes Yes

@j PF19 Yes Yes Yes

@k PF20 Yes Yes Yes

@l PF21 Yes Yes No

@m PF22 Yes Yes No

@n PF23 Yes Yes No

@o PF24 Yes Yes No

@q End Yes Yes No

@s ScrLk (No action) Yes Yes Yes

@t Num Lock (No action) Yes Yes Yes

@u Page Up No Yes No




@v Page Down No Yes No

@x PA1 Yes Yes No

@y PA2 Yes Yes No

@z PA3 Yes Yes No

@A@C Test No Yes No

@A@D Word Delete Yes Yes No

@A@E Field Exit Yes Yes No

@A@F Erase Input Yes Yes No

@A@H System Request Yes Yes No

@A@I Insert Toggle Yes Yes No

@A@J Cursor Select Yes Yes No

@A@L Cursor Left Fast Yes Yes No

@A@Q Attention Yes Yes No

@A@R Device Cancel(Cancels Print Presentation Space)

Yes Yes No

@A@T Print Presentation Space Yes Yes Yes

@A@U Cursor Up Fast Yes Yes No

@A@V Cursor Down Fast Yes Yes No

@A@Z Cursor Right Fast Yes Yes No

@A@9 Reverse Video Yes Yes No

@A@b Underscore Yes No No

@A@c Reset Reverse Video Yes No No

@A@d Red Yes No No

@A@e Pink Yes No No

@A@f Green Yes No No

@A@g Yellow Yes No No

@A@h Blue Yes No No

@A@i Turquoise Yes No No

@A@j White Yes No No




@A@l Reset Host Colors Yes No No

@A@t Print (Personal Computer) Yes Yes No

@A@y Forward Word Tab Yes Yes No

@A@z Backward Word Tab Yes Yes No

@A@− Field − No Yes No

@A@+ Field + No Yes No

@A@< Record Backspace No Yes No

@S@E Print Presentation Space on Host No Yes No

@S@x Dup Yes Yes No

@S@y Field Mark Yes Yes No

@X@1 Display SO/SI Yes Yes No

@X@5 Generate SO/SI No Yes No

@X@6 Display Attribute No Yes No

@X@7 Forward Character No Yes No

@X@c Split vertical bar (¦) No Yes No

@M@0 VT Numeric Pad 0 No No Yes










@M@- VT Numeric Pad - No No Yes

@M@, VT Numeric Pad , No No Yes

@M@. VT Numeric Pad . No No Yes

@M@e VT Numeric Pad Enter No No Yes




@M@f VT Edit Find No No Yes

@M@i VT Edit Insert No No Yes

@M@r VT Edit Remove No No Yes

@M@s VT Edit Select No No Yes

@M@p VT Edit Previous Screen No No Yes

@M@n VT Edit Next Screen No No Yes

@M@a VT PF1 No No Yes

@M@b VT PF2 No No Yes

@M@c VT PF3 No No Yes

@M@d VT PF4 No No Yes

@M@h VT HOld Screen No No Yes

@M@(space) Control Code NUL No No Yes

@M@A Control Code SOH No No Yes

@M@B Control Code STX No No Yes

@M@C Control Code ETX No No Yes

@M@D Control Code EOT No No Yes

@M@E Control Code ENQ No No Yes

@M@F Control Code ACK No No Yes

@M@G Control Code BEL No No Yes

@M@H Control Code BS No No Yes

@M@I Control Code HT No No Yes

@M@J Control Code LF No No Yes

@M@K Control Code VT No No Yes

@M@L Control Code FF No No Yes

@M@M Control Code CR No No Yes

@M@N Control Code SO No No Yes

@M@O Control Code SI No No Yes

@M@P Control Code DLE No No Yes

@M@Q Control Code DC1 No No Yes




@M@R Control Code DC2 No No Yes

@M@S Control Code DC3 No No Yes

@M@T Control Code DC4 No No Yes

@M@U Control Code NAK No No Yes

@M@V Control Code SYN No No Yes

@M@W Control Code ETB No No Yes

@M@X Control Code CAN No No Yes

@M@Y Control Code EM No No Yes

@M@Z Control Code SUB No No Yes

@M@u Control Code ESC No No Yes

@M@v Control Code FS No No Yes

@M@w Control Code GS No No Yes

@M@x Control Code RS No No Yes

@M@y Control Code US No No Yes

@M@z Control Code DEL No No Yes

@Q@A VT User Defined Key 6 No No Yes

@Q@B VT User Defined Key 7 No No Yes

@Q@C VT User Defined Key 8 No No Yes

@Q@D VT User Defined Key 9 No No Yes

@Q@E VT User Defined Key 10 No No Yes

@Q@F VT User Defined Key 11 No No Yes

@Q@G VT User Defined Key 12 No No Yes

@Q@H VT User Defined Key 13 No No Yes

@Q@I VT User Defined Key 14 No No Yes

@Q@J VT User Defined Key 15 No No Yes

@Q@K VT User Defined Key 16 No No Yes

@Q@L VT User Defined Key 17 No No Yes

@Q@M VT User Defined Key 18 No No Yes

@Q@N VT User Defined Key 19 No No Yes




@Q@0 VT User Defined Key 20 No No Yes

@Q@a VT Backtab No No Yes

@Q@r VT Clear Page No No Yes

@Q@s VT Edit No No Yes

@@ @ Yes Yes Yes

@$ Alternate Cursor (The Presentation Manager Interface only)

Yes Yes Yes

@< Backspace Yes Yes Yes



10

Advanced Configuration

The window types provided with Enterprise SSO allow you to enable SSO or account collect (in Access Collector mode) for a wide range of applications. But there are some applications that cannot be managed with these standard types. In this case, Enterprise SSO proposes two solutions:

l Custom Scripts (Custom Scripts and Custom Scripts HTML that allow you to define precisely the actions to be performed in a Windows window or in an HTML page; it is even possible to call a function from an external DLL.

l The OLE/Automation interface that offers to benefit from the Enterprise SSO security data access management: with this approach: it is possible to entirely redefine the methods of detection and actions while keeping the same account management, collection, secure-storage mechanisms, etc.

In this section:

l Custom Scripts Plug-ins

l Extension DLL

Custom Scripts Plug-ins

The Custom Script and Custom Script HTML plug-ins open Enterprise SSO to some applications neither managed by the standard nor dedicated plug-ins. It offers a "scripting logic" while keeping the same simple and user-friendly configuration interface offered by ESSO Enterprise Studio and enables you to call a function from an external DLL.

IMPORTANT:

l The Custom Script HTML plug-in is deprecated. Use only the Custom Script plug-in to create new scripts.

l You must use the Custom Script HTML plug-in only to modify windows defined through this plug-in.

l To migrate windows created with the Custom Script HTML plugin, create the same windows using the Custom Script plug-in.


Advanced Configuration182

They use the same detection mechanisms already used for this kind of window in the Standard plug-in. The detection property page is the same.

However, you can select the combo box by passing the cursor over the text area or by clicking the button displaying all the different choices.

The difference is in the Actions tabbed panel of the Windows Properties window that allows you to create a logically ordered list of specific actions.

The main behavior of the window: Login, Bad Password, New Password or New Password Confirmation window is automatically deduced from the configured actions, except for Bad Password, which must be manually specified.

In this section:

l Basic Concepts

l The Actions Tab

l Script Editor

Basic Concepts

In this section:

l Scripting Logic

l Data "Buffer"

Scripting Logic

Actions are executed one after the other Their execution is based on a True or False state, which is transmitted to each action, and sometimes modified by some of them. An action is executed only if its state (Condition) corresponds to the current state, or if no state is specified for this action (No condition).

The initial state of an action is True.

The following table summarizes the behavior by indicating whether an action is performed based on its execution condition and the current state. The symbol ü means that the action is performed.

State Condition

True False

None ü ü

True ü

False ü



This logic allows you to manage simple actions of If…Then…Else… type.

Data "Buffer"

All the actions include a context that contains the following data:

l The current state: this can be modified by any action, thus affecting the execution of the next actions.

l The Handle of the currently processed window.

l A memory Buffer allowing data to be passed between actions.

l The identifier of the connected application user.

l The associated password.

l The value of the last recovered SSO parameter (other than the identifier and the password).

l The account associated with the application in the security database.

l A pointer to custom user data.

The context data is maintained in a data buffer that is initialized before each Script execution in the following way:

l The current state is set to True.

l The window Handle is initialized with the Handle of the currently processed window.

l The memory buffer is empty.

l The identifier, password, and account name are initialized with current values. If the window has the "Bad password" value, the user is requested to provide the correct password during this step.

l The pointer to custom user data is set to NULL.

The Actions Tab

By default, the Actions tabbed page is empty. The following figure shows an example of a filled-in Actions tabbed page.



The list of actions to be performed is displayed in a read-only state, and a check box allows you to specify whether or not this window manages bad passwords. To build or edit a script, you must use the Script Editor.



Script Editor

The Script Editor window is made up of four elements:

l A toolbar.

l An actions list.

l A dynamic panel allowing you to edit selected action parameters.

l The OK and Cancel buttons.

The actions list has three columns:

l The actions.

l The execution condition (or state).

l The action parameters.

In this section:

l Script Editor Toolbar

l Script Editor Actions



Script Editor Toolbar

The toolbar allows you to create new actions, modify their execution conditions, and move actions.

Button Description

Create a new action placed after the first selected action

Delete one (or several) action(s)

Move up one (or several) action(s)

Move down one (or several) action(s)

Modify the execution condition to Always execute

Modify the execution condition to Execute if True

Modify the execution condition to Execute if False

Script Editor Actions

The action creation icon in the toolbar displays a menu with a list of all the available actions. The table below summarizes the available actions, showing the correspondence between the two types of plug-ins (Custom Script and Custom Script HTML).

Icon Custom Script Custom Script HTML

Send Key/String Send String to Form Field

Send SSO parameter Send SSO Parameter to a field

Send Command Message Not available

Send a JavaScript (not supported by Microsoft Edge).

Send a JavaScript (not supported by Microsoft Edge).



Icon Custom Script Custom Script HTML

Get Control Text (not supported by Microsoft Edge).

Get Field Text (not supported by Microsoft Edge).

Get SSO parameter Get SSO parameter

Click Button Send an HTML event

Select Item in list Select Item in an HTML list

Call External Function Call External Function

Sleep Sleep

Compare Compare

Return Return

Special Event Special Event

Create a Label Create a Label

Jump to Label (Goto) Jump to Label (Goto)

Display a message box Display a message box

Input box Input box

Check certificate Check certificate

Change SSO State -

Copy buffer to param -

The rest of this subsection describes the different actions; each action description is introduced by a table summarizing its main characteristics:

l The action’s name and its icon.

l Properties associated with the action.

l Information as to whether or not the action modifies the buffer and/or state.



[Icon] Action name

Modify state

Modify buffer

Action description.

Send Key/String (Custom Script only)

Modify state

Modify buffer

This action allows you to send characters (keyboard keys or strings) to a target window (the window being the primary, active window) or to a target control (field or button) in a window.

In the Target area, it is strongly recommended to select Send to the Control (use the target icon button to select the control field). If it is not possible, that is if the window has no control fields or buttons it is better to select Send to the Window rather than Focused Window. Then, if necessary, modify the sending method (it is recommended to use the Automatic method. If it does not work, try another method depending on your application).

In the Send Key/String area, define the characters you want to send in the target window:

l Select Key to send keyboard keys, as Enter, Tab, SHIFT+Tab, Space, Escape for example.

NOTE: To send an additional key, select None, Shift, Alt, or Ctrl from the Additional key drop down list.

l Select String and fill-in the field to send a specific string.

l Select Buffer to send the memory buffer content.



Send String to Form Field (Custom Script HTML only)

Modify state

Modify buffer

This action allows you to send strings to a target form field in an HTML page.

In the Target area, use the HTML target button to fill-in the field (the HTML page containing the target form field must be displayed).

In the Send Key/String area, define the string you want to send in the target HTML form field:

l Select Buffer content to send the memory buffer content.

l Select String and fill-in the field to send a specific string.

Send SSO Parameter (Custom Script only)

Modify state

Modify buffer

This action allows you to send an SSO parameter of a user account to a target window (the window being the primary, active window) or to a target control (field or button) in a window.

For details on the Target area, please see the Send Key/String action above.

In the Parameter to Send area, define the SSO parameter you want to send:

l Identifier: the user identifier for the current application.

l Password: the associated password of the user identifier.

l New Password: a new password. In this case, the window is considered to be a NewPassword window type.

l Confirm Password: the confirmation of the new password. In this case, the window is considered to be a Confirm-



Send SSO Parameter (Custom Script only)

Password window type.

l Custom Parameter: to activate this option, you must define a parameter at Application level (for details, see The "Parameters" Tab)

l String format: enables to modify the letter case of the SSO parameter to send. Available formats:

l No modification.

l Convert to lowercase.

l Convert to uppercase.

l Convert to capitalized.

l Do not prompt for user account: you can select this option if the user has several accounts.

The transmitted SSO parameter is copied to the memory buffer.

Send Command Message (Custom Script only)

Modify state

Modify buffer

Read carefully the instructions written in the Send command message are

IMPORTANT: The Send Command Message action works only for:

l 32 bits applications running on a 32 bits OS.

l 64 bits applications running on a 64 bits OS.Replace this text with a notation that requires the reader's attention.



Send a JavaScript

Modify state

This action enables you to send a JavaScript if the address bar is displayed in Internet Explorer, Firefox and Chrome.

Send an HTML event (Custom Script HTML only)

Modify state

Sends an event (navigation, button click, item to be checked or execution of a JavaScript) to the active HTML browser.

IMPORTANT: This action is particularly useful if you want to execute JavaScript code.

Get Control Text (Custom Script only)

Modify state

Modify buffer

This action reads the text contained in a targeted control field. The recovered text is also copied to the memory buffer.



Get SSO Parameter (Custom Script and Custom Script HTML)

Modify state

Modify buffer

This action retrieves the value of an SSO parameter from a user account (identifier, password…) and copies it to the memory buffer. For a description of the options, see the Send SSO Parameter action above.

The Perform SSO as a different user action authorizes the SSO execution of a second user for the same application. When you select this check box, Enterprise SSO requests a second user to authenticate during SSO.

IMPORTANT: The second user must have a valid account for the application.

Click Button (Custom Script only)

Modify state

This action allows you to simulate a mouse click on:

l A targeted button or on a targeted check box;

l Any specific field in the window.

IMPORTANT: Select the Perform double click check box if you want to enable double click to select the value of a field.

NOTE: If you have targeted a check box, do not forget to select Change the button state and click either Check or Uncheck depending on your needsReplace this text with a description of a feature that is noteworthy.



Select Item in List (Custom Script) or Select Item in an HTML List (Custom Script HTML)

Depending on the selected Selection Mode, the interface of this window is slightly different:

By Item Number:

By Parameter:

By Item Label:

Modify state

This action allows you to select an element from a list. The list must be targeted with the target icon. The supported list types are:

l ListBox.

l ComboBox.

l ComboBoxEx32.

The selection can be performed by:

l Item Number: the element number (position) to select, 0 being the first.



Select Item in List (Custom Script) or Select Item in an HTML List (Custom Script HTML)

l Parameter: the parameter is defined at Application level (for details, see The "Parameters" Tab.

l Item Label: a text string to look for in an item.

Call External function (Custom Script and Custom Script HTML)

Modify state

Modify buffer

This action allows you to call a function in an external DLL.

Click the Search button to choose the DLL.

Enter the function name in the Function field. If the function is found in the DLL, the indicator turns green, otherwise, it remains red.

When SSO is implemented, the DLL will first be searched in the PATH associated with the connected user’s environment and if it is not found, it will be searched in the same directory as the one used during the configuration process.

For more details on how to write external functions, see Extension DLL.

Sleep (Custom Script and Custom Script HTML)

Modify state

This action suspends Enterprise SSO for the time specified (in



Sleep (Custom Script and Custom Script HTML)

milliseconds). Two buttons (500 ms and 1000 ms) allow you to quickly configure the most common wait times.

Compare (Custom Script and Custom Script HTML)

Modify state

This action compares the memory buffer contents with a given character string. The comparison is case sensitive.

The state is then modified, depending on the result of this comparison: True if the string is found, False otherwise.

You can compare the result with a regular expression and by selecting the This is a regular expression check box.

IMPORTANT: this action must be preceded by the Get SSO parameter => Identifier action or the Get Control Text action.

NOTE:

l You can use http://rubular.com to edit and test regular expressions.

l If you enter:

l %LOGIN%, you are comparing the buffer with the login.

l %ROLE%, you are comparing the buffer with the role specified in Enterprise SSO.



Check certificate (Custom Script and Custom Script HTML)

Modify state

This action enables you to check the SSL certificate of a web server before performing the SSO. The check is done by comparing the web server certificate with a local certificate.

You must provide the following information:

l The web server where to download the certificate from.

l The location of the local certificate.

Return (Custom Script and Custom Script HTML)

Modify state

This action stops the script and returns one of the following statuses:

l OK: no problem.

l SSO Done: the identifier and/or password or parameters have been successfully sent to the application. This stop code should be used in all the custom scripts that use the Send SSO Parameter function (identifier, password).

l Disable the Window: Enterprise SSO ignores the window.

l Disable the Application: Enterprise SSO ignores the applic-ation.



Special Event (Custom Script and Custom Script HTML)

Modify state

This action allows you to trigger one of the events listed in the Special Event area.

NOTE: the Resynchronize user password event allows you to display the Enterprise SSO Change Password window, which allows you to change also the user's password.

Create a Label (Custom Script and Custom Script HTML)

Modify state

This action allows you to create a label in the custom script, to manage conditional operations. You must use this action if you want to use the Jump to Label (Goto) action.

Jump to label (Goto) (Custom Script and Custom Script HTML)

Modify state

This action is only available if you have already defined a Create a Label action. It allows you to define a jump in your custom script. It is strongly recommended to use this action in association with a condition (True/False), to avoid infinite loops.



Display a message box (Custom Script and Custom Script HTML)

Modify state

This action allows you to display a message box in order to ask a question to the user. Use the available options to define the content of your message box.

In the message box value, to add a:

l New line, enter \n.

l Tabulation, enter \t.

If the user can click No or Cancel, the state is set to False.

Select Buffer content to enable the user to see the content of the buffer. This feature enables the user to see his login and password.

The user's answer can be saved in an SSO parameter. When SSO is performed in a Yes/no box type and the user answers, this answer is then saved and the question will not be asked again. However, if the value of the saved parameter differs, then the question is asked again.

NOTE: you can use this action to check if a window is detected or to check that the return code of an external function is OK, in order to adjust a Custom Script.

Input box (Custom Script and Custom Script HTML)

Modify state

Modify buffer



Input box (Custom Script and Custom Script HTML)

This action allows you to define an input box. Select Allow value selection from list or combobox if you prefer to display a list of items the user can select rather than a standard input field where he can enter any text.

Change SSO State (Custom Script only)

Modify state

This action allows you to force the modification of the current SSO state.

Example: if you select no SSO done, then the following actions will be played regarding this state.

Copy buffer to param (Custom Script only)

Modify state

This action allows you to force the filling of the current buffer with the content of the parameter selected in the drop down list.

Extension DLL

The DLL enables you to perform the integration of an application with the SSO where the other methods have failed. This means creating a specific SSO agent for a specific application; which requires programing skills.

An Enterprise SSO extension library sample can be found in the Enterprise SSO package (CustomDllSample).

To be included in an Enterprise SSO script, an external function must respect the following rules:



l It must publish a C interface.

l It must accept a single parameter that is a pointer to a SSOWatchSSOData data structure.

l It must return a specific return code.

l It must be able to read and modify the memory buffer.

l It must be able to read and modify the current state.

l It must not modify other fields that are read-only in the SSOWatchSSOData structure but it can read them.

l All these elements are defined in the C/C++ header files SSOWatchSSOData.h and SSOWatchWindows.h.

In this section:

l Function Prototyping

l SSOWatchSSOData Structure

l Return Code

Function Prototyping

An external function must use the prototype: extern « C » DWORD (*)(SSOWatchSSOData *)

SSOWatchSSOData Structure

The following structure defines the SSOWatchSSOData structure provided as a parameter to the external function. This structure contains the data that is carried from one action to another:struct SSOWatchSSOData

{

int m_nVersion; // R

BOOL m_bState; // RW

HWND m_hWnd; // R

TCHAR m_szBuffer[SSOWATCHSSODATA_BUFFERLEN+1];// RW

TCHAR m_szIdentifier[SSOWATCHSSODATA_IDLEN+1];// R

TCHAR m_szPassword[SSOWATCHSSODATA_PWDLEN+1]; // R

TCHAR m_szParam[SSOWATCHSSODATA_PARAMLEN+1]; // R

LPCTSTR m_szCredential; // R

void *m_UserData; // RW



void *m_pInternal; // --

void *m_pInternalCred; // --

void *m_pIternalInstance; // --

};

The version number (m_nVersion) indicates the version of this structure which can change between versions of Enterprise SSO. It must be compared to SSOWATCHSSODATA_VERSION.

The (m_bState) state indicates the state of the last action (TRUE or FALSE) and can be modified to change the execution of the next actions.

m_hWnd contains the handle of the currently processed window, it can be used to call Win 32 functions that need a window handle as a parameter; but it should not be modified.

m_szBuffer is the memory buffer: it can be modified if required.

m_szCredential, m_szIdentifier and m_szPassword respectively contain the name of the service associated with the application being processed, and the identifier and password of the user for this service. These parameters should not be modified. m_szParam contains the last SSO Parameter retrieved with the Get SSO action. None of these fields should be modified.

m_szCredential contains a string in the form: Account="…"

m_UserData is a pointer to custom user data. It is not used by Enterprise SSO (except of course by external functions) and it remains valid during the entire execution of the same script.

NOTE: The members: m_pInternal, m_pInternalCred et m_pInternalInstance must not be modified. They are reserved for internal use by Enterprise SSO.ce this text with a description of a feature that is noteworthy.

Return Code

The function must return a code that is a combination of one of the values in the following table together with the code SSORET_STOP if the script must be stopped.

Code Description

SSORET_OK The function ended with no error.

SSORET_SSODONE The function ended with no error and SSO has been performed.

SSORET_PASSWORDERROR An error occurred during password management.

SSORET_NOREGISTRATION The user is not registered for the application.



Code Description

SSORET_PARAMETERERROR An error occurred during the recovery of an SSO parameter.

SSORET_WRONGWINDOWSEQUENCE

This window should not have been processed in this order (for example, bad password window found before the logon window).

SSORET_SSOALREADYDONE SSO has already been performed for this window.

SSORET_WAITFORPASSWORDCHANGE The application is waiting for a confirmation of password update.

SSORET_PASSWORDCHANGED The password has been changed.

SSORET_REMOTEERROR An error occurred during access to the security database.

SSORET_WINDOWERROR

An error occurred while the current window was being processed. This window will be disabled.

SSORET_APPLICATIONERROR

An error occurred while the current application was being processed. The entire application will be disabled.

SSORET_USERCANCELLED_INSTANCE User has disabled SSO for this application instance.

SSORET_USERCANCELLED_APPLICATION

User has disabled SSO for this application.



11

OLE/Automation Interface

For some specific applications like line terminal emulators, or applications that cannot be configured with any of the Enterprise SSO window types, Enterprise SSO provides an OLE/Automation interface.

Enterprise SSO behaves like a COM server and accepts calls from several clients. These clients connect with the COM protocol using high-level programming languages like Visual Basic, or any language that supports this kind of programming interface (which is the case of most terminal emulators like: Hummingbird Exceed, AttachMate Extra, …). You may also use this interface from any C/C++ program.

Clients connecting to Enterprise SSO use the active Enterprise SSO configuration and benefit from Enterprise SSO application behavior management and password policies.

By default, access to Enterprise SSO objects using OLE/Automation interface is forbidden. You have to explicitly authorize this action in the general options of the application object.

For security reasons, you must specify a password in the configuration to protect access.

In this section:

l Definition of Enterprise SSO OLE/Automation Interface

l The ISSOEngine Interface

l Interface ISSOApplication

l Code Example

l Return Codes

Definition of Enterprise SSO OLE/Automation Interface

The OLE/Automation interface provides two types of objects:

l An object that represents Enterprise SSO: this object is the connection point to this interface. Through this object you can access Application objects.


OLE/Automation Interface204

l Application objects that give access to the application’s security information: login identifier, password, optional parameters. Application objects can manage the synchronization of these parameters.

The ISSOEngine Interface

ISSOEngine provides the GetApplication2 and the GetSSOEngineState functions.

IMPORTANT: The GetApplication function is obsolete and should not be used.

In this section:

l GetApplication2

l GetSSOEngineState

GetApplication2

Description

The function returns an interface pointer to ISSOApplication, unless the application is not found in the Enterprise SSO configuration or the challenge is not matched or this application is not configured to allow OLE/Automation access its security information.

When more than one account is associated with an application, Enterprise SSO asks the user to choose which account Enterprise SSO must use during this session. This choice will be kept until the interface pointer to ISSOApplication is released. The only way to change account is to use GetApplication2 again.

Prototypes

l C/C++:HRESULT GetApplication2(/*[in]*/ BSTR strAppName,

/*[in]*/ BSTR strChallenge,

/*[in]*/ LONG hWnd,

/*[out]*/ IDispatch *pIDispatch)

l Visual Basic:

GetApplication2(strAppName as String,

strChallenge as String,

hWnd as Long) as Objetct



Parameters

l strAppName is the name of the application as defined in the active configuration of Enterprise SSO (for security purposes, this string is case sensitive).

l strChallenge is the password used to protect the OLE link. This password must match the password defined in the applications settings of the Enterprise SSO configuration.

l hWnd is the window handle of the application where the OLE/Automation script runs. This handle allows the blocking of input to the application window when Enterprise SSO asks for security information, so that Enterprise SSO windows does not appear under the application window (in the background). If this information is not available or you do not know how to get it, provide the value 0.

Return Value

Returns a pointer to the ISSOApplication interface.

Example

Dim oSSO, oApp As Object

Set oSSO = CreateObject (“SSOEngine.SSOEngine”)

Set oApp = oSSO.GetApplication2 ("MyApplication","Password",0)

GetSSOEngineState

Description

This function returns values corresponding to the state of Enterprise SSO.

Prototypes

l C/C++:

HRESULT GetSSOEngineState(/*[out]*/ LONG *plSSOEngineState)

l Visual Basic:

Get SSOEngineState () as Long

Parameters

No parameters.

Return Value

Returns the state of Enterprise SSO, as described in the following table:



Return Value Engine State

0 Started

2 Stopped

4 Suspended

Interface ISSOApplication

Once the ISSOApplication interface pointer has been obtained, the following methods (or functions) and properties (or parameters) are available:

Methods Properties

GetSSOParameter LoginID

GetNewPassword Password

GetUserApplicationPassword

Get_IsExpired

In this section:

l Properties

l Methods

Properties

In this section:

l The LoginId Property

l The Password Property

The LoginId Property

Description

Read-only property that returns the account name associated with the application.



Prototypes

l C/C++:

HRESULT get_LoginId([in] LONG hWnd, [out] BSTR *pVal)

l Visual Basic:

app.LoginId(hWnd As Long) As String

Parameters

hWnd is the window handle of the application where the OLE/Automation script runs. This handle allows the blocking of input to the application window when Enterprise SSO asks for security information, so that Enterprise SSO windows does not appear under the application window (in the background). If this information is not available or you do not know how to get it, provide the value 0.

Return Value

Name of the account associated with the application.

The Password Property

Description

Read/Write property for retrieving or setting the application password.

Prototypes

l C/C++:

HRESULT get_Password(/*[in]*/ LONG hWnd, /*[out]*/ BSTR *pVal)

HRESULT put_Password(/*[in]*/ LONG hWnd)

Visual Basic:app.Password(hWnd As Long) As String

Parameters


Return Value

Password of the application.



Methods

In this section:

The GetSSOParameter Method

The GetUserApplicationPassword Method

The GetNewPassword Method

The get_IsExpired Method

The GetSSOParameter Method

Description

Method that returns an SSO parameter which name is in strParameterName. The strParameterDesc parameter is a user-friendly description if Enterprise SSO needs to prompt the user for the parameter value.

Prototypes

C/C++:HRESULT GetSSOParameter(/*[in]*/ LONG hWnd,

/*[in]*/ BSTR strParameterName,

/*[in]*/ BSTR strParameterDesc,

/*[out]*/ BSTR *pVal)

Visual Basic:app.GetSSOParameter(hWnd As Long,

strParameterName As String,

strParameterDesc As String) As String

Parameters


strParameterName is the name of the SSO parameter to retrieve.

strParameterDesc is a user-friendly description (or a label) if Enterprise SSO needs to prompt the user for the parameter value.

Return Value

Returns the SSO parameter.



The GetUserApplicationPassword Method

Description

This method collects the password of the running application by asking the user to enter it. This method returns the password as a string.

Prototype

C/C++:HRESULT GetUserApplicationPassword(/*[in]*/ LONG hWnd,

/*[out]*/ BSTR *pVal)

Visual Basic:GetUserApplicationPassword(hWnd As Long) As String

Parameters


Return Value

Returns the password as a string.

The GetNewPassword Method

Description

Prompts the user for a new password (or creates a new one automatically, following the password policy) for the running application.

IMPORTANT: You must call the Password property when you use this method to save the new password.

Prototypes

l C/C++:

HRESULT GetNewPassword(/*[in]*/ LONG hWnd,

/*[out]*/ BSTR *pstrPassword)

l Visual Basic:

app.GetNewPassword(hWnd As Long) As String



Parameters


Return Value

Returns a new password for the running application.

Example

NewPassword$ = oApp.GetNewPassword(0) // Asks for a new password.

oApp.Password(0) = NewPassword$ // Saves the new password.

The get_IsExpired Method

Description

This method allows you to know if the password has expired. It must be used after the GetNewPassword method.

Prototypes

C/C++:HRESULT get_IsExpired(/*[in]*/ LONG hWnd,

/*[out]*/ BOOL *pbExpired)

Visual Basic:app.IsExpired(hWnd As Long) As Long

Parameter


Return Value

Returns True if the password has expired.



Code Example

To use these interfaces, you must first connect to Enterprise SSO by creating an "SSOEngine.SSOEngine" object:Dim oSSO, oAppSet oSSO = CreateObject("SSOEngine.SSOEngine")

This returns an interface pointer to ISSOEngine that allows you to call the GetApplication2 method:Set oApp = oSSO.GetApplication2(" NomApp ", " password ", 0)

Then you can use the security information:Wscript.Echo " Login: " & oApp.LoginId(0)Wscript.Echo " Password: " & oApp.Password(0)

Once you have finished with the objects, you must free them (otherwise, Enterprise SSO will not be stopped safely):Set oApp = NothingSet oSSO = Nothing

Return Codes

Return codes are HRESULT with the FACILITY_ITF feature.

Define Value Meaning

SSOAPI_OK 0 OK

SSOAPI_INVALID_SERVICE 1 Account or Service empty.

SSOAPI_ACCESS_DENIED 2 No Account exists.

SSOAPI_SUBAPI_ERROR 3 Generic error from User Provisioning underlying API.

SSOAPI_INVALID_SERVICE_TYPE 4 Invalid Service Type (User Provisioning only).

SSOAPI_UNKNOWN_ERROR 5 Unknown error.

SSOAPI_MEMORY_FAILED 6 Out of memory.

SSOAPI_INVALID_PASSWD

7

Invalid password: this return code is managed by the OLE/Automation API.



Define Value Meaning

SSOAPI_UNKNOWN_PARAMETER 8 Unknown parameter.

SSOAPI_INVALID_PARAM_NAME 9 Invalid parameter name.

SSOAPI_INVALID_FLAG 10 Internal.

SSOAPI_SERVICE_NOT_FOUND

11

Service not found for the system type provided. Similar to ACCESS_DENIED.

SSOAPI_SERVER_ERROR 12 Error while accessing the security server.

SSOAPI_PASSWD_NOT_CHANGED_YET

13 The password change is not taken into account yet.

SSOAPI_NOMOREAPP 14 No more applications in the application list.

SSOAPI_NOTREADY 15 Not ready (for example: smart card removed).

SSOAPI_UNKNOWN_APPLICATION 16 Unknown application.

SSOAPI_CANCELLED_BYUSER 17 Application instance disabled by the user.

SSOAPI_CANCELLED_BYUSER_APPLICATION

18 Application disabled by the user.

SSOAPI_DISABLED_APPLICATION 19 Application already disabled by the user.



12

Cache Tuning and Asynchronous Update of the Application Data

You can enable the use of the cache and asynchronous updates though the User Profile with EAM Console. For more information, see Evidian EAM Console - Guide de l'administrateur.

The following sub-sections give information on how to tune the cache (when enabled) and configure asynchronous updates on your EAM workstations.

In this section:

l Cache and Application Update Mechanism

l Cache and Update Timing Parameters

Cache and Application Update Mechanism

In this section:

Cache Mechanism

Asynchronous Update Mechanism

Cache Mechanism

Subject

Since LDAP directory servers can be unavailable (offline work on a laptop, failure of the servers or network), the SSO engine can create a cache when it works in LDAP storage mode.

The cache is created on the user's workstation upon user authentication. It contains the following data:


Cache Tuning and Asynchronous Update of the Application Data214

l User data:

l Technical definitions of the declared applications: application objects, window types, default PFCP, default Application profile.

l User Accounts.

l User Profile: configured using EAM Console.

l Access Point data:

l Installation mode.

l Target base.

l Authentication type.

l Authentication method.

l Application data:

l Applications.

l Technical definitions.

l Application parameters.

l Application profiles.

l Password format control policies.

l Password change policies.

l Time-slices (only with Controller).

Location

This cache is located in the following registry key: HKLM\Software\Enatel\WiseGuard\Framework\Cache\CacheDir

Offline Work

When servers are unavailable, queries are made on the cache. Queries that modify the cache are recorded so they can be replayed when a server becomes available.

Online Work

The cache is also used to reduce the number of queries between Enterprise SSO and LDAP directory servers. So even if the LDAP directory servers are available, the cache is used and works as a buffer:

l When Enterprise SSO starts or is reset, the cache is synchronized with the server data.

NOTE:

l To force the synchronization, restart Enterprise SSO.

l You can disable the synchronization of the User Account data by setting a non null value in HKLM\Software\Enatel\WiseGuard\Framework\Authentication\CacheSynchroWithAuth



l Once stored in the cache, the data is considered valid for a configurable period of time, and no query is sent to the server during this period (for more details, see Cache and Update Timing Parameters).

l If the data is not found in the cache, or needs to be refreshed, the server is queried.

l All modifications to the data (creation, changes, deletion) are immediately copied to the server (if possible) and in the cache.

Asynchronous Update Mechanism

Subject

The asynchronous update of the application data on the workstations (LDAP storage mode only) avoids the update during the user’s authentication. Thus, the network and the directory are not massively loaded during critical hours (for instance, at 9am) and user’s authentication duration decreases.

Parameters

The registry key values detailed in Cache and Update Timing Parameters allow you to:

l Activate asynchronous update.

l Set a random latency period before the first update, to avoid an overload during the deployment.

l Set time slices, during which workstations are allowed to perform an asynchronous update.

Mechanism

When the workstation is starting up, it checks if application data in the cache is available. Indeed asynchronous update may have been bypassed if the workstation was off for too long or during each defined time-slice.

If data is not up to date:

l If time slices are defined:

l If current time is in time-slice, update is performed.

l If current time is not in time-slice, the update will be performed at next time-slice, by choosing a random time in it.

l If no time slice is defined, update is performed.

At the time of asynchronous update, the directory may be unavailable. In this case update is retried later when the directory is available and according to possible time-slice.



Cache and Update Timing Parameters

Full version Parameters

You can modify the cache and application data update timing parameters by editing values located in the following registry keys:

l HKLM\Software\Policies\Enatel\WiseGuard\Framework\Cache

l HKLM\Software\Enatel\WiseGuard\Framework\Cache

IMPORTANT: The second key must be set on every computer, while the first key (Policies) can be set with centralized parameters. For more details, see Evidian EAM Installation Guide

The cache timings can be set with these values:

Value Default Min Description

DirectoryPingPeriod

30 1 Time in seconds between two LDAP directory connection checks.

PerformanceCacheDelay

10

0

Duration of cache data validity. Time in seconds.

NOTE: The data linked to the User Profile is refreshed when the cache data validity expires.

CacheDir Cache directory.

AccessPointCache(EAM with Controller only)

1

Cache availability on Access Points:

0: Off.

1: On.

UserCache(EAM with Controller only)

1

User cache availability.

0: Off.

1: On+AccessPoint Cache=1

ApplicationDataUpdatePeriod

Period (in days) between two updates of the application data on the workstation (for asynchronous update).

Note: only applies for applications of the workstation's domain.

ApplicationDataUpdateLatency

0

If activated, the workstation chooses a random latency period before updating its application data, between zero and the update period (and



Value Default Min Description

during chosen time-slice if defined).

0: Off.

non null: On.

Note: If multiple workstations are installed simultaneously (and during time-slice if defined), the application data is downloaded from all these workstations. This value avoids an overload during the deployment, and creates an interval between the updates.

ApplicationDataUpdateBeginTime

Starting time (in minutes) of the time-slice during which the update of the application data on the workstation is allowed.Must be less than or equal to 1440.Example: 1260 (9 pm).

ApplicationDataUpdateEndTime

Ending time (in minutes) of the time-slice during which the update of the application data on the workstation is allowed.Must be less than or equal to 1440.Example: 300 (5 am).

IMPORTANT: If you are using Group Policies (see Evidian EAM Installation Guide), read this:

The PerformanceCacheDelay value is overwritten by the Group Policy WGSS => Network cache: PerformanceCacheDelay. If you change the Group Policy, the information is propagated by Microsoft and the delay depends on your servers' topology (server replication time).

Access Collector Mode Parameters

The following registry keys allow you to configure the asynchronous directory update of collected accounts, for Enterprise SSO used in Access Collector mode:

l HKLM\Software\Enatel\WiseGuard\Framework\Cache\SelfRegistrationUpdatePeriod

Delay (in minutes) between two updates of the collected SSO accounts from the workstation cache into the directory, in an asynchronous way.

If this value is set to 0 or not defined, the update is done automatically each time an account is collected.

l HKLM\Software\Enatel\WiseGuard\Framework\Authentication\ CacheSynchroWithAuth

In case of a roaming context (shared workstations, Citrix systems), this option forces a synchronous update of the cache at logon:



l 0: Off.

l ≠ 0: On.



Integrating Care-FX with Enterprise SSO

Integrating Care-FX with enterprise SSO enables you to authenticate to Care-FX with the Fast User Switching method (FUS) without having to provide any credentials.

In this section:

l Authentication Description

l Configuring the Implementation

Authentication Description

When the FUS method is activated, each time a user logs:

l On: E-SSO is started.

l Out: E-SSO is stopped.

In this section:

l Logging On

l Logging Out

Logging On

1. E-SSO starts and sends a logon notification.

2. FCC asks E-SSO to retrieve the user identity.

The user identity is retrieved through a COM interface.

NOTE: This COM interface is self-registering during E-SSO installation.


Integrating Care-FX with Enterprise SSO220

Logging Out

When E-SSO stops, it sends a logout notification.

Configuring the Implementation

In this section:

l Activating the FCC Notification

l Integrating the COM Interface

Activating the FCC Notification

To activate the FCC Notification, execute the following procedure.

Set the two following registry values:

l CareFxIntegration:

l Key: Software\Enatel\SSOWatch\CareFx\CareFxIntegration

l Type: DWORD.

l Value: 0 = no FCC notification. >0 = send FCC notifications.

l fccsyncPath:

l Key: Software\\Enatel\SSOWatch\CareFx\fccsyncPath

l Type: String.

l Value: complete path to fccsync.

NOTE: Both registry values can be set through policies.



Integrating the COM Interface

To integrate the COM interface with FCC Notification, execute the following procedure.

Add the following registry key:

l Key: Software\CareFx\SSO interface\SSOImplementation

l Type: String.

l Value: CfxQEIntf.SSOQuest.

IMPORTANT: After E-SSO installation, you must obtain the following registry value: HKEY_CLASSES_ROOT\CfxQEIntf.SSOQuest.



About us

About us

Contacting us

For sales or other inquiries, visit https://www.oneidentity.com/company/contact-us.aspx or call +1-800-306-9329.

Technical support resources

Technical support is available to One Identity customers with a valid maintenance contract and customers who have trial versions. You can access the Support Portal at https://support.oneidentity.com/.

The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. The Support Portal enables you to:

l Submit and manage a Service Request

l View Knowledge Base articles

l Sign up for product notifications

l Download software and technical documentation

l View how-to-videos

l Engage in community discussions

l Chat with support engineers online

l View services to assist you with your product


About us223

https://www.oneidentity.com/company/contact-us.aspx

https://support.oneidentity.com/

Documents

Enterprise SSO Administrator's Guidesupport-public.cfm.quest.com/44012_Enterprise_SSO_Administrator's... · ESSO Enterprise Studio 17 Enterprise SSO Plug-ins 18 The SSO Engine 18