Thick Client Single Sign On Installation and Administration Guide PistolStar, Inc. www.pistolstar.com 603.547.1200

Thick Client Single Sign on: Installation and Administration Guide




PortalGuard, Installation and Administration Guide

Copyright and Disclaimer

PistolStar, Inc. makes no representation or warranties with respect to this manual, except as specifically stated in the applicable user agreement or warranty notice, with respect to any hardware, firmware, or software described in this manual. PistolStar, Inc. specifically disclaims any expressed or implied warranties of merchantability, title, or fitness for a particular purpose. Furthermore, PistolStar, Inc. reserves the right to make revisions or changes to any and all parts of the manual, hardware, firmware, or software at any time without obligation to notify any person or entity of the changes.

Copyright 1999 - 2011 PistolStar, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored in a retrieval system, transmitted, or translated into any language without the prior written permission of PistolStar, Inc.

Trademarks

PortalGuard is a trademark of PistolStar, Inc.

WebSphere Application Server and WebSphere Portal Server are trademarks of International Business Machines Corporation in the United States, other countries, or both.

Microsoft, Windows, and Windows XP are trademarks of Microsoft Corporation in the United States, other countries, or both.

PortalGuard, Installation and Administration Guide, Revision 1.9

April 13, 2011

PistolStar, Inc.

PO Box 1226

Amherst, NH 03031

603.547.1200

www.pistolstar.com


Contents

1 INTRODUCTION
ABOUT PISTOLSTAR
SINGLE SIGN-ON OVERVIEW
    Features
    How It Works
SINGLE SIGN-ON ADMIN OVERVIEW
    Single Application Instance
    Administrator Dialog
    Template Discovery
SINGLE SIGN-ON USER OVERVIEW
    Single Application Instance
    User Dialog
    Enrollment


1 Introduction

About PortalGuard

The PortalGuard Software is an easy-to-deploy Risk-based Authentication Platform which is focused on enhancing usability, while maintaining a balance between security, auditing and compliance for your web, desktop and mobile applications. Developed and supported by authentication experts, PortalGuard is easy to deploy, enterprise ready and tailored for an exact fit to your requirements.

Single Sign-On Overview

This guide describes how to install and configure PortalGuard’s Thick Client Single Sign-On (SSO).

There are two applications which manage the state of SSO. The first is a user application that only allows the user to view the applications, and the usernames for those applications, that will be hooked with the SSO functionality.

The second application is an Administrative application. It allows the administrator to enable the discovery of new password dialog templates and to choose which applications are enabled for SSO.

Each of these applications starts in, and can be accessed from, the Windows System Tray. To open the SSO application, either double-click the tray icon with the left mouse button or click the icon with the right mouse button.

Features

Key features include:

Automatic Discovery of Password Dialogs - SSO can easily be configured to discover new password dialogs for use in SSO.

Enable / Disable Applications - SSO can be configured to omit or enable the SSO process on an application-by-application basis.

How It Works

PortalGuard’s Thick Client SSO works by hooking Windows. If an application’s window is activated, it matches the data stored for that application, and credentials have been enrolled, then SSO will post a message to the application with the window’s fields filled in with the credentials.

If a window is activated that does not have matching credentials, the user will be presented with a popup window that gives them three choices: remember the credentials, don’t remember the credentials, or never remember the credentials.

The application runs in the background and can be accessed using the SSO tray icon.

Figure 1

Single Sign-On Admin Overview

Single Application Instance

Only one instance of the SSO admin or user application can be launched in a Windows user’s desktop. If another instance of either the user or admin application is launched, the following popup is presented.

Figure 2

This popup can only be dismissed by clicking the “X” or OK, which causes that instance of the SSO application to be terminated.

Administrator Dialog

The application’s user interface is accessed by either double-clicking on the icon or right-clicking on the icon, which will cause the following menu to appear:

Figure 3

From this menu the Administrator can choose to Exit the application, which will cause the SSO components to be unloaded, or Open the application dialog, in which case a dialog similar to the following will appear:

Figure 4

The SSO Administrator dialog controls which applications are enabled for SSO and whether the discovery of new SSO templates is turned on or off.

Applications that are checked are “SSO Enabled”. When SSO users launch an enabled application, the SSO functionality described in the SSO User section will be active.

The administrator checks or unchecks applications to enable or disable them and then clicks the Apply button. Any changes made will be written to the template database. The next time an application is launched it will receive the updated data.

Template Discovery

If the “Enable Discovery of Templates” option is checked, the following logic will apply to both the user and admin SSO applications.

When Windows activates a new window, the SSO application will look at the meta information about the window to attempt to determine if it is a candidate for SSO logic. It does this by looking at the class types of the windows. If it finds a dialog type, then it will look for controls in the dialog that have Username or Password in their captions. If a “Username” caption is found, the algorithm will find the next visible control and use that control’s Id as a candidate for the username field. The algorithm then looks for a “Password” caption in the dialog and, as with the username, will look for the next visible control to use as a candidate for the password field. The algorithm then looks for a button control with a control Id of one and, if found, will then consider the dialog as a candidate for SSO.

If the candidate dialog’s password control does not have a style that matches ES_PASSWORD, then it is assumed that keyboard hooking will be necessary in order to obtain the password.
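The discovery steps above, modelled as an added C example (not PistolStar's code). A dialog is represented as a constructed list of controls rather than live Win32 handles; the `Ctl` and `Template` types, the `discover` function and the use of the `#32770` class name to recognise a dialog are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ES_PASSWORD 0x0020u /* Win32 edit-control style bit for masked input */
#define ID_OK 1             /* the "control Id of one" (IDOK in Win32) */

/* Constructed model of a dialog's child controls, listed in dialog order. */
typedef struct { const char *cls, *caption; int id, visible; unsigned style; } Ctl;
typedef struct { int candidate, user_id, pass_id, needs_kbd_hook; } Template;

/* Index of the next visible control after the first caption containing word. */
static int field_after(const Ctl *c, int n, const char *word) {
    for (int i = 0; i < n; i++) {
        if (!strstr(c[i].caption, word)) continue;
        for (int j = i + 1; j < n; j++)
            if (c[j].visible) return j;
        break;
    }
    return -1;
}

/* Applies the guide's discovery steps to one activated window. */
Template discover(const char *win_class, const Ctl *c, int n) {
    Template t = {0, -1, -1, 0};
    int ok = 0;
    if (strcmp(win_class, "#32770") != 0) return t; /* assumption: dialog class */
    int u = field_after(c, n, "Username"), p = field_after(c, n, "Password");
    for (int i = 0; i < n; i++)
        if (!strcmp(c[i].cls, "Button") && c[i].id == ID_OK) ok = 1;
    if (u < 0 || p < 0 || !ok) return t;
    t.candidate = 1; t.user_id = c[u].id; t.pass_id = c[p].id;
    t.needs_kbd_hook = !(c[p].style & ES_PASSWORD); /* flag only, no hooking here */
    return t;
}

/* Constructed samples: a standard login box, and one with a hidden control
   after the label and a password field lacking ES_PASSWORD. */
static const Ctl STD[] = { {"Static", "&Username:", 100, 1, 0}, {"Edit", "", 101, 1, 0},
    {"Static", "&Password:", 102, 1, 0}, {"Edit", "", 103, 1, ES_PASSWORD},
    {"Button", "OK", 1, 1, 0} };
static const Ctl ODD[] = { {"Static", "Username", 200, 1, 0}, {"Edit", "", 201, 0, 0},
    {"Edit", "", 202, 1, 0}, {"Static", "Password", 203, 1, 0},
    {"Edit", "", 204, 1, 0}, {"Button", "Sign in", 1, 1, 0} };

int main(void) {
    Template a = discover("#32770", STD, 5), b = discover("#32770", ODD, 6);
    printf("std: cand=%d user=%d pass=%d hook=%d\n", a.candidate, a.user_id, a.pass_id, a.needs_kbd_hook);
    printf("odd: cand=%d user=%d pass=%d hook=%d\n", b.candidate, b.user_id, b.pass_id, b.needs_kbd_hook);
    return 0;
}
```

In this model the caption match is a plain substring test, so a label such as “User name” would not be recognised; the guide does not say how PortalGuard treats such variants.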

Single Sign-On User Overview

Single Application Instance

Only one instance of the SSO user or admin application can be launched in a Windows user’s desktop. If another instance of either the user or admin application is launched, the following popup is presented:

Figure 5

This popup can only be dismissed by clicking the “X” or OK, which causes that instance of the SSO application to be terminated.

User Dialog

The SSO User application runs in the Windows System Tray. Its dialog can be launched by either double-clicking on the icon with the left mouse button or using the right mouse button to launch the context menu. In the latter case the user is given the choice of either opening the dialog or exiting the application. The user can dismiss the menu by clicking the mouse outside of the user application menu.

When the user double-clicks or chooses Open, a dialog similar to the following will appear:


Figure 6

This dialog shows the Active Applications and Usernames that are SSO enabled. The user has only one option, and that is to close the dialog. When Close or “X” is chosen, the dialog closes and is accessible again using the tray icon.

Enrollment

Enrollment for a user can occur in two ways. The first is when the administrator has discovered and enabled a template for an application. When the user enters their credentials and clicks OK, or whatever button is used to continue the login process, the user is presented with the “Save Credentials” dialog, which looks like the following:

Figure 7

Here the user is presented with 3 choices.

Yes will save the credentials for use in future SSO with the current application and dialog.

No will cause the application to never again ask the user to “Save Credentials” for this application and dialog.

Cancel will not save the credentials, but the user will continue to be prompted in the future when the same application and dialog are presented.

The second method of enrolling appears to be exactly the same from the user’s perspective. In this case, the administrator has enabled “Discover Templates”. The effect is that every window that is activated for the user will be checked by the template discovery algorithm. If a new template is found, the same “Save Credentials” dialog as before will appear, but when the user chooses “Yes” both the newly discovered template and the credentials will be saved.
