Administrator Guide
SSOWatch
Copyright 1998-2009 Quest Software and/or its Licensors ALL RIGHTS RESERVED.
This publication contains proprietary information protected by copyright. The software described in this publication is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical or otherwise without the prior written permission of the publisher.
DISCLAIMER
The information in this publication is provided in connection with Quest branded products from Evidian. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this publication. EXCEPT AS OTHERWISE SPECIFIED IN THE END USER LICENSE AGREEMENT FOR THIS PRODUCT, EVIDIAN AND QUEST ASSUME NO LIABILITY WHATSOEVER AND DISCLAIM ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO THIS PRODUCT, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL EVIDIAN OR QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS PUBLICATION, EVEN IF EVIDIAN OR QUEST HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Evidian and Quest make no representations or warranties with respect to the accuracy or completeness of the contents of this publication and reserve the right to make changes to specifications and product descriptions at any time without notice. Evidian and Quest do not make any commitment to update the information contained in this publication. The information and specifications in this publication are subject to change without notice.
Trademarks
Quest, Quest Software, the Quest Software logo, Aelita, AppAssure, Benchmark Factory, Big Brother, DataFactory, DeployDirector, ERDisk, Foglight, Funnel Web, I/Watch, Imceda, InLook, IntelliProfile, InTrust, IT Dad, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, NBSpool, NetBase, Npulse, PerformaSure, PL/Vision, Quest Central, RAPS, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL LiteSpeed, SQL Navigator, SQL Watch, SQLab, Stat, Stat!, StealthCollect, Tag and Follow, Toad, T.O.A.D., Toad World, Vintela, Virtual DBA, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc. in the United States of America and other countries. The terms Evidian, AccessMaster, SafeKit, OpenMaster, SSOWatch, WiseGuard, Enatel and CertiPass are trademarks registered by Evidian. All other trademarks mentioned in this document are the property of their respective owners.
World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656. Website: www.quest.com. Please refer to our website for regional and international office information.
Quest Enterprise SSO. Updated January 2010. Software version 8.0.3
CONTENTS
About This Guide .......... 5
    Access Management .......... 5
    Conventions .......... 6
1. Overview .......... 7
    1.1 SSOWatch Basic Principles .......... 7
        1.1.1 Application Modeling .......... 7
        1.1.2 Application Access Profiles .......... 7
        1.1.3 Password Format Control Policies (PFCP) .......... 8
        1.1.4 Application Behavior .......... 8
        1.1.5 Window Types .......... 9
        1.1.6 LDAP Directories .......... 9
    1.2 The Access Collector Mode .......... 9
    1.3 SSOWatch Components .......... 10
        1.3.1 SSOWatch Engine .......... 10
        1.3.2 SSOStudio .......... 11
        1.3.3 SSOWatch Plug-ins .......... 11
    4.4 Special Cases .......... 94
        4.4.1 NotesLogin (Lotus Notes Plug-in) .......... 94
        4.4.2 HTTP Authentication (Internet Explorer Plug-in) .......... 96
Intended Reader
Software/Hardware Required
Conventions
In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references.
ELEMENT              CONVENTION
Select               This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.
Bolded text          Interface elements that appear in Quest products, such as menus and commands.
Italic text          Used for comments.
Bold Italic text     Introduces a series of procedures.
Blue text            Indicates a cross-reference. When viewed in Adobe Acrobat, this format can be used as a hyperlink.
(icon)               Used to highlight additional information pertinent to the process being described.
(icon)               Used to provide Best Practice information. A best practice details the recommended course of action for the best result.
(icon)               Used to highlight processes that should be performed with care.
+                    A plus sign between two keystrokes means that you must press them at the same time.
|                    A pipe sign between elements means that you must select the elements in that particular sequence.
1. Overview
1.1 SSOWatch Basic Principles
This section presents SSOWatch basic concepts.
The application windows or HTML pages that refer to the authentication management tool must be described in SSOWatch using the configuration editor. This description allows SSOWatch to recognize the windows or HTML pages whenever they are displayed to the user. SSOWatch intercepts these pages and implements SSO. In addition to the elements that allow window/page detection, the description contains the actions that the SSO engine has to perform.
Each window is defined by a type that characterizes the target application technology and the actions that the SSOWatch engine will perform.
The events that refer to the user's authentication in an application can be of different kinds: authentication, password update request, etc. SSOWatch manages the different events relating to the specific characteristics and behavior of each application (application behavior).
An application access profile is defined by the following parameters:
The password format managed by the application.
The SSOWatch options.
The SSO policy. Such options are: requirement for re-authentication, the user's ability to modify SSO data, hide/show password, etc.
Delegation parameters.
Once connected, the user can change the password, either at will or at the application's request:
The user enters a new password and (sometimes) confirms it.
If the new password is accepted by the application, the user continues working normally. If not, the application informs the user that the new password has been rejected.
[Figure: application authentication states: Start, Login, New Password, Bad Password]
SSOWatch manages the application behavior with regard to the user authentication we have just described. This behavior is configured by choosing a type for the defined windows.
The technologies managed by SSOWatch are:
Microsoft Win32 standard Windows.
HTML pages in Internet Explorer.
Windows of type "Terminal in text mode".
Some particular cases or optimizations of standard types.
Mechanism
When an end-user launches an application that is detected by SSOWatch Engine, SSOWatch starts the account collection. If the account was already collected, nothing happens, and the SSO is not performed. If a BadPassword window is detected in the collection context, the collected account is deleted or a new account is collected. The account is not deleted if the BadPassword occurs at any other moment.
Once the account is collected, the SSO is deactivated for the application.
SSOWatch Behavior
The SSO is only performed if there is no collected account for the detected application login screen. The passwords entered by users are never sent to the directory: they are only temporarily kept in memory for SSO purposes. Users are not allowed to stop or suspend SSOEngine; they have no access to SSOStudio Personal and cannot manage their accounts through the user account panel.
Configuration Update
Only the Application, Technical definition and Parameter objects are retrieved from the directory, in an asynchronous way so that no update takes place during the user's authentication. All users can access all the applications downloaded by the workstation.
1.3.2 SSOStudio
SSOStudio is the SSOWatch configuration editor. It allows the creation of SSOWatch configuration files and the management of the SSOWatch LDAP objects. This program is designed to be used by the people who define and set up SSO. SSOStudio can be used in Enterprise or Personal mode, so as to modify the corresponding configuration files:
The Enterprise configuration file is common to a group of users, and is usually saved in an LDAP directory in object format. When a simple file is used, the configuration may be stored in a central location for ease of deployment and use.
The Personal configuration file is specific to one person, and is saved with that person's personal profile (Windows profile or the person's LDAP attributes).
SSO configuration is easily performed through "drag and drop"-oriented configuration procedures.
2. SSOWatch Engine
This section describes the SSOWatch Engine interface, and how to use it.
2.1 Overview
SSOWatch Engine Definition
SSOWatch Engine is one of the components that are part of the SSOWatch software module. It is in charge of the following SSO functionalities:
It retrieves SSO data from the IAM middleware, which runs on the workstation, and provides this information to the application login windows.
It offers self-administration functions that allow you, for example, to register yourself to applications or change your passwords.
In Access Collector mode, it starts the account collection when the user launches an application and deactivates the SSO once the account is collected.
The SSOWatch configuration
The SSOWatch configuration stores the SSO data. It can be defined by two kinds of users:
Enterprise SSO (E-SSO) security administrators, through SSOStudio Enterprise. This tool allows administrators to create and modify the SSOWatch configuration common to many end-users.
End-users, through SSOStudio Personal if the component is installed on the workstation. This tool allows you to define the personal SSO data used to log on to your personal applications.
Depending on the SSOWatch Engine state, this icon can have several appearances:
ICON      DESCRIPTION
(icon)    SSOWatch Engine is activated: the SSO feature is enabled (whenever it detects a configured application login window, SSOWatch Engine automatically provides the required SSO data).
(icon)    SSOWatch Engine is suspended: the SSO feature is disabled.
(icon)    SSOWatch Engine is locked: when the SSOWatch Engine detects a configured application login window, or when you want to display the user accounts associated with applications (see Section 2.6.1, Displaying your SSOWatch User Accounts), SSOWatch Engine may ask you to re-authenticate. Upon a successful authentication, the SSOWatch Engine state switches to activated.
Depending on your SSOWatch configuration, some menu commands may not appear, as detailed in the following table.
About SSOWatch
Displays the SSOWatch Engine version and the storage mode of the SSOWatch configuration file:
LDAP: centralized configuration is defined in the LDAP directory, for which SSO access is either authorized or denied for a given user or group of users.
File: the configuration is saved in a file in the Windows registry.
Self Registration: indicates that SSOWatch is used in Access Collector mode: centralized configuration is defined in the LDAP directory to collect all the accounts used for the applications of the enterprise (for more information, see Section 1.2, The Access Collector Mode).
Emergency Access
Starts the Reset Password feature, which allows you to reset your primary password yourself. For details, see Appendices Enterprise SSO Advanced Login for Windows User Guide. This menu command does not appear if the Emergency Access feature is not implemented.
Biometric Enrollment
Starts the E-SSO biometrics scan wizard, which allows you to enroll or modify your fingerprints (for details, see Appendices Enterprise SSO Advanced Login for Windows User Guide). You will have to re-authenticate yourself if you want to use this feature. This menu command does not appear if the Biometric Enrollment feature is not implemented.
Excludes the computer you are working on from the cluster. It stays excluded even when you restart the computer. This is useful for maintenance operations: the PC is rebooted independently from the others. Click Activate cluster mode to include the computer in the cluster again. This menu command only appears if the Administrator has activated it.
Open
Opens the SSOEngine Account panel, which allows you to manage your user accounts. This menu command is bold, which means that it is the default command: double-click the SSOWatch Engine icon to run it.
Add application
Starts SSOWatch Wizard, which is the easiest way to set up your personal SSOWatch configuration. For an example of use of SSOWatch Wizard, see Appendix Enterprise SSO Getting Started with SSOWatch. This menu command does not appear if SSOStudio Personal is not installed on the workstation, or if SSOWatch is used in Access Collector mode.
Open SSOStudio
Starts SSOStudio Personal, the editor tool of your personal SSOWatch configuration. For details on how to use SSOStudio, see Section 3, Configuration Editor: SSOStudio. This menu command does not appear if SSOStudio Personal is not installed on the workstation, or if SSOWatch is used in Access Collector mode.
Suspend, Activate
Manages the states of the SSOWatch Engine. Depending on your configuration, this menu command may not appear (unavailable in Access Collector mode).
Reset Configuration
Stops and restarts SSOWatch Engine to take into account modifications of the SSOWatch configuration. In Access Collector mode, this command only synchronizes SSO Account data.
Exit SSOWatch
Quits SSOWatch Engine. Depending on your configuration, this menu command may not appear (unavailable in Access Collector mode).
If you are using several user accounts for the same application, select the current Role (Area 2; for details, see Section 2.6.5, Creating a New Account for an Application).
In the Start menu, click Programs | Quest Software | Enterprise SSO | SSOWatch.
Or use the command line. The following table lists the command line arguments that you may use to start SSOWatch (ssoengine.exe):
BINARY          ARGUMENTS
ssoengine.exe   /notrayicon: starts SSOWatch but does not display the icon located in the Windows system tray.
                /nosplashscreen: starts SSOWatch but does not display the splash screen.
                The configuration file to be used can be added as a parameter to the SSOEngine.exe program (no option). Example: SSOEngine.exe "C:\Configs SSOWatch\SSOConfig2.sso"
Procedure
To suspend SSOWatch Engine, right-click the SSOWatch Engine icon and select Suspend.
The SSOWatch Engine icon state changes, as described in Section 2.2.1, SSOWatch Engine Icon. While suspended, no automatic sign-on is made. Depending on your configuration, this menu command may not be available. SSOWatch Engine automatically suspends itself when the smartcard or USB key used for authentication is removed.
To resume SSOWatch Engine, right-click the SSOWatch Engine icon and select Activate.
The SSOWatch Engine icon state changes, as described in Section 2.2.1, SSOWatch Engine Icon. The SSO feature is enabled.
You can manually apply modifications to the SSOWatch Engine configuration file using the Reset Configuration command, as described in the following procedure.
In Access Collector mode, this command only synchronizes SSO Account data.
In Access Collector mode, SSOWatch Engine automatically reloads the SSO configuration every 6 hours: this allows changes in the SSO data made by the asynchronous update to be taken into account. You can change this value (in hours) in the following registry key/GPO: HKLM\Software\Enatel\SSOWatch\CommonConfig\AutomaticRefresh
Procedure
In the Windows notification area, right-click the SSOWatch Engine icon and select Reset Configuration.
Window Description
The Account panel displays one line per user account. For each account, the following information is available:
COLUMN NAME DESCRIPTION
Name of the application, as defined in SSOStudio. For accounts that are not associated with an application, <None> is displayed.
Login name of the user account. If you have not yet used this application, <not registered> is displayed (the login name and password of the account have never been collected). You can hide applications for which the user is not registered: right-click any application and select Hide applications without credential.
Account
By default, Standard Account is displayed. If you are using several user accounts for a same application, this column displays the name of the account. For more information, see Section 2.6.5, Creating a New Account for an Application
Procedure
In the Account panel, select the wanted user account and click the corresponding button, or right-click the wanted user account and click Properties. The following window appears:
Window Description
The Information Tab: Depending on your user account properties, you may be allowed to modify your user account security data. For more details, see Section 2.6.3, Changing the Login Name and/or Password of a User Account.
The Properties Tab: The Properties tab is a read-only tab. It displays the account properties and application properties available for the selected user account.
The Delegation Tab: Depending on your E-SSO configuration, the Delegation tab may not appear. It allows you to delegate your user account to other users.
Procedure
1. From the Account panel, select a user account and click the corresponding button, or right-click the wanted user account and click Change Password.
The following window appears:
Procedure
1. From the Account panel, select an application and click the corresponding button, or right-click the wanted user account and click New account.
The following window appears:
2. Fill in this window with the following recommendation: in the Account field, either type the name of a new account or, if you want to use an additional account that you have already created, select it in the drop-down list.
3. Click OK.
The new account appears in the Account panel.
Going Further
If you have several accounts for an application, the following window appears by default when SSOWatch detects the authentication window of the application:
Procedure
1. From the Account panel, select an application and click the corresponding button, or right-click the wanted user account and click Delete.
A warning message appears.
Procedure
1. From the Account panel, select a user account and click the corresponding button, or right-click the wanted user account and click Show password.
The re-authentication window appears.
3. Click Close.
Procedure
1. From the Account panel, select a user account and click the corresponding button, or right-click the wanted user account and click Delegate.
The Account Delegation window appears.
2. In the User name field, type the name or a part of the user name and click Search.
The list of users that have been found in the directory appears.
3. Select the user to whom you want to delegate the account.
4. Select a start and an expiration date and click Delegate.
The account is delegated to the selected user from the start date until the expiration date.
Procedures
Disabling SSO for an Application
To disable SSO for an application during the SSO session: In the Account panel, right-click the wanted application and select Disable the application.
The SSO is disabled for the application during the SSO session. At SSOEngine restart, the SSO will be enabled again.
To permanently disable SSO for an application:
a) Set the following registry key to DWORD 1: Software\Enatel\SSOWatch\CommonConfig\StoreIfApplicationIsDisabled
b) In the Account panel, right-click the wanted application and select Disable the application.
The SSO is permanently disabled for the application: the application stays disabled even if the SSOEngine is restarted.
Enabling SSO for an Application
In the Account panel, right-click the wanted application and select Enable the application.
If you have several disabled applications and want to enable all of them at the same time, select Enable all applications.
Procedure
In the Account panel, right-click the wanted application and select Start Application. The application starts and SSOWatch Engine performs SSO.
You can also log on to the application with one of the accounts by double-clicking the desired account in the SSOWatch Window.
Procedure
In the Account panel, right-click the wanted application and select Create Shortcut. A shortcut for the selected application is created on your Windows desktop.
In the SSOWatch Engine command line (see Section 2.3.1, Starting SSOWatch Engine), add the parameter /notrayicon. In the Registry, create a non-null DWORD type entry called NoTrayIcon in one of these keys:
HKLM\SOFTWARE\Policies\Enatel\SSOWatch\CommonConfig
HKLM\SOFTWARE\Enatel\SSOWatch\CommonConfig
SSOStudio Types
The two following SSOStudio types are available:
SSOStudio Enterprise: the application configuration is shared by a number of users.
SSOStudio Personal: the application configuration is dedicated to a single user. It is automatically accessible on opening SSOStudio Personal. SSOStudio Personal is not available in Access Collector mode.
Storage Modes
The SSOStudio (Enterprise or Personal) configuration can be stored in the Windows registry (file storage mode) or in the LDAP directory (LDAP storage mode).
The storage mode is defined during the installation phase.
In LDAP storage mode, centralized configuration is defined in the LDAP directory for which SSO access is either authorized or denied for a given user or group of users.
The Access Collector mode works only in LDAP storage mode.
In local storage mode, the configuration is saved in a file in the Windows registry. In Enterprise mode, the administrator may create as many configurations as he or she wishes, and each configuration is saved in a file.
Operating Modes
Enterprise SSO can be installed in two different modes: Standalone mode and Console mode. In Standalone mode, the configuration of applications can be done entirely with SSOStudio.
The Access Collector mode works only in standalone mode.
In Console (Client/Server) mode, the configuration of applications is only partly done with SSOStudio: the technical definition of applications can be done with SSOStudio, but the application definition must be terminated from the Enterprise SSO administration console (see Appendix Enterprise SSO Console Administrator Guide).
The objects may be created anywhere the administrator has object-creation rights. The LDAP administrator is responsible for ensuring that the structure has a branch reserved for the management of Enterprise SSO objects. As the objects will be created directly in the LDAP directory, the directory must be accessible when SSOStudio is being used. In SSOStudio Enterprise used in local storage mode, or in SSOStudio Personal, the tree displayed is not linked to an LDAP directory, as illustrated in the following example figure (example interface of SSOStudio Personal).
In local storage mode, the configuration is defined with a root node called Local SSOWatch Configuration, to which two other nodes are attached. These are called Applications and Configuration Objects, and are used for E-SSO object declarations.
Main Window Areas
The SSOStudio main window is composed of:
A menu bar.
A toolbar offering shortcuts to some menu bar options, as described in the following table. The toolbar appearance depends on the SSOStudio mode used (Standalone/Console, LDAP/File storage, Personal/Enterprise).
BUTTON DESCRIPTION (SSOSTUDIO MODE)
Common buttons:
(SSOStudio Enterprise only) Creates a new SSO configuration.
(SSOStudio Enterprise only) Opens an existing SSO configuration.
Cuts the selected item.
Copies the selected item.
Pastes the selected item.
Displays the properties of the selected item.
(LDAP storage mode only) Refreshes the displayed LDAP directory.
Deletes the selected item.
Renames the selected item.

Creates a new Application.
Creates a new Window object.
Creates a new Application profile.
Creates a new PFCP.
(SSOStudio Enterprise only) Opens the SSO Settings by Population window, which allows you to define the population allowed to access the application.
Saves the configuration.

Creates a new Technical Definition.
Saves the Directory modifications.
Tests the selected SSO.
Adds the selected item to the test list.
Removes the selected item from the test list.
A workspace showing a tree structure that allows you to select elements and to perform actions directly by double-clicking the objects or using a popup menu.
Starting SSOStudio Using Command Line Arguments
The following table lists the command line arguments that you may use to start SSOStudio (builder.exe):
BINARY          ARGUMENTS
ssobuilder.exe
Restriction
The functionality described in this section is only available in SSOStudio Enterprise used in local storage mode.
Procedure
To open an existing configuration:
a) In the File menu, click Open.
The Explorer window appears.
The Performance tuning area allows you to set the window detection timing. The Security Parameters area allows you to define permissions.
2. Fill in the window and click OK to save the configuration and close the window.
The Password Management Policy tab allows you to define the following PFCP elements:
Password Policy: The PFCP name.
New Password generation policy: The behavior required when the user is prompted for a password change: automated password generation, or the user is prompted for a password compatible with the PFCP.
Advanced: The "invalid password" string, the period for which a password is valid, and the number of old passwords retained. The "invalid password" string is the string or text that the application sends to indicate that the password is not valid. If the security system is provided with this string for SSO use, it prompts the user for a new password.
The Password Format Policy tab allows you to define the following elements:
Password Format: Defines how a valid password is created: minimum and maximum password lengths, and the minimum and maximum number of upper-case letters, lower-case letters (excluding accented characters), numbers, or special characters that should make up a valid password. The special characters supported by SSOWatch are listed in the following table:
& , ~ | ] ? " ` = ; # + . ' _ } : { \ $ / ( @ % ! [ ) *
Advanced: Specifies the maximum number of occurrences of a given character in a password.
Test Password Generation button: This button allows you to see an example of a password generated using the rules you have configured.
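As an added example (not Quest/Evidian code), the following Python models what the two PFCP tabs above configure: it checks a password against the Password Format rules (length, per-class minimum and maximum, the supported special character set, the Advanced limit on occurrences of a given character) and the retained-password history from the Password Management Policy tab, and it implements the "Automated password generation" choice. The PFCP field names and the sample policy are this example's own.

```python
"""Validator and generator for an SSOWatch-style Password Format Control Policy (PFCP).

Added example, not product code: field names below are this example's own; the
special character set is the one the Password Format Policy tab lists.
"""
import string
from collections import Counter
from dataclasses import dataclass
from random import SystemRandom
from typing import Optional, Sequence

# Special characters the guide lists as supported by SSOWatch.
SPECIAL_CHARS = "&,~|]?\"`=;#+.'_}:{\\$/(@%![)*"

_CLASSES = ("upper", "lower", "digit", "special")
_POOLS = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,   # accented letters are excluded, as on the tab
    "digit": string.digits,
    "special": SPECIAL_CHARS,
}
_rng = SystemRandom()  # OS entropy; never use the default PRNG for passwords


@dataclass(frozen=True)
class PFCP:
    """One Password Format Control Policy. Each class holds (min, max); max None = unbounded."""
    name: str
    min_length: int = 8
    max_length: int = 16
    upper: tuple = (1, None)
    lower: tuple = (1, None)
    digit: tuple = (1, None)
    special: tuple = (1, None)
    max_char_occurrences: Optional[int] = None   # Advanced: same character at most N times
    history_depth: int = 5                        # number of old passwords retained


def classify(ch: str) -> str:
    """Map a character to its PFCP class; anything outside the four pools is 'other'."""
    for cls in _CLASSES:
        if ch in _POOLS[cls]:
            return cls
    return "other"


def check_password(policy: PFCP, password: str, history: Sequence[str] = ()) -> list:
    """Return the list of violated rules; an empty list means the password is compliant."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("too_short")
    if len(password) > policy.max_length:
        problems.append("too_long")
    counts = Counter(classify(c) for c in password)
    if counts["other"]:
        problems.append("unsupported_chars")
    for cls in _CLASSES:
        lo, hi = getattr(policy, cls)
        if counts[cls] < lo:
            problems.append(f"too_few_{cls}")
        if hi is not None and counts[cls] > hi:
            problems.append(f"too_many_{cls}")
    if policy.max_char_occurrences is not None and password:
        _, most = Counter(password).most_common(1)[0]
        if most > policy.max_char_occurrences:
            problems.append("char_repeated")
    # Only the most recent history_depth passwords are retained for comparison.
    if password in list(history)[-policy.history_depth:]:
        problems.append("in_history")
    return problems


def generate_password(policy: PFCP, history: Sequence[str] = (), attempts: int = 1000) -> str:
    """Automated password generation: satisfy every class minimum, pad to a random
    length within [min_length, max_length], shuffle, and keep the first candidate
    that passes check_password (which also enforces maxima and the repeat limit)."""
    required = sum(getattr(policy, cls)[0] for cls in _CLASSES)
    if required > policy.max_length or policy.min_length > policy.max_length:
        raise ValueError(f"policy {policy.name!r} cannot be satisfied")
    alphabet = "".join(_POOLS.values())
    for _ in range(attempts):
        chars = [_rng.choice(_POOLS[cls]) for cls in _CLASSES
                 for _ in range(getattr(policy, cls)[0])]
        length = _rng.randint(max(policy.min_length, len(chars)), policy.max_length)
        chars += [_rng.choice(alphabet) for _ in range(length - len(chars))]
        _rng.shuffle(chars)
        candidate = "".join(chars)
        if not check_password(policy, candidate, history):
            return candidate
    raise ValueError(f"no compliant password found for {policy.name!r} in {attempts} attempts")


if __name__ == "__main__":
    # Sample policy (constructed for this example): 8-12 chars, at most 3 digits,
    # no character more than twice, last 3 passwords retained.
    corporate = PFCP("corporate", min_length=8, max_length=12, digit=(1, 3),
                     max_char_occurrences=2, history_depth=3)
    print(check_password(corporate, "Passw0rd!!!"))  # ['char_repeated']
    print(generate_password(corporate))
```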
The Properties tab allows you to manage the following parameters:
Application Profile: The name of the Application profile.
Password Policy: The PFCP to be applied to this application profile.
SSOWatch Desktop options: This area allows you to define the application visibility: whether the application must be added to the user's SSOWatch dashboard, and whether the application is to be launched simultaneously with SSOWatch.
The Access Strategy tab allows you to manage the following parameters:
Credential storage: By default, data is stored in the directory; for architectures with tokens, data may be stored in tokens.
Single Sign-On Policy:
a) Users must re-authenticate: Before each SSO, the user must confirm the primary password, PIN or biometric identity.
b) Users can modify account: Data may be modified. If unchecked, the user will not be allowed to change the password through the user account management screen. (This option is selected by default.)
c) Users can display password: The password may be displayed. The user may ask for the password to be displayed; if this is the case, the user will be asked to re-authenticate.
d) Users can cancel Single Sign-On: This configures the options available to the user when performing data collection, or choosing between multiple accounts through the SSO engine. All of these screens have OK and Cancel buttons, as well as the option Disable SSO for this application. Select this check box to allow users to cancel the SSO authentication process with the applications associated with the Security Profile:
For the current session only: The user can cancel the SSO authentication process for the whole current session.
For the application (until reset): The user can cancel the SSO authentication process for the current application.
For the current window only: The user can cancel the SSO windows, but SSOWatch continues to detect windows associated with the application.
Clear this check box to prevent users from cancelling SSO windows: the user cannot Cancel (button grayed out). However, if an error occurs (for instance, when the password is saved in a remote system), the Cancel button will be reactivated.
Account Security Options: This area only appears if you use SSOStudio Enterprise in standalone and LDAP storage mode. It allows you to select the way the accounts are ciphered. In the drop-down list, select one of the following entries:
a) User: if you select this entry, only the user can decipher his account. This is the most secure option. If the user forgets his/her primary password or loses his/her smart card, it is impossible to recover his/her secondary accounts.
b) User, administrators: if you force a new primary password or assign a new smart card using Token Manager, the user's secondary accounts are also recovered.
c) User, administrators and an external key: select this entry to allow an external application to decipher the user's secondary accounts using a public key. For example, you must select this entry if you want to use Enterprise SSO with Web Access Manager. By selecting this entry, you allow Web Access Manager to decipher the Enterprise SSO secondary accounts of the user so that Web Access Manager can perform SSO with these accounts.
The Delegation tab allows you to define the methods for delegating accounts to users:
- Authorize delegation to everybody.
- Authorize delegation to a member of the same user group.
- Authorize delegation to a member of the same organizational entity.
- Advanced mode: person/group/organizational entity.
- Authorize the delegated user to change passwords: the delegated user is authorized to modify the password for the delegated account.
SSOStudio allows you to create application objects with some pre-defined parameters for SAP and Windows applications: see Section 3.6.1.1, Creating a New Application Object or Technical Definition. In Console mode, SSOStudio allows you to configure Technical Definitions. A Technical definition object is a technical description of an application that allows you to use an application, and particularly to produce single sign-on in an Enterprise SSO environment. The application configuration must then be completed in the administration console (see Appendix Enterprise SSO Console Administrator Guide).
Template applications are managed in the same way as Application objects. They enable the single sign-on function for specific authentication procedures. A template application has a number of predefined parameters. The following procedure explains how to create a new technical definition or application (with or without template).

Procedure
1. In the SSOStudio main window, do one of the following, depending on the action you want to perform:
   - To create a new application or technical definition: right-click the node where you want to create a new Application or Technical Definition and click New Application or New Technical Definition.
   - To create a new application using a template: click the node where you want to create a new template application and, in the Edit menu, click New Template-based Application/SAP or Windows.
   The Application properties window appears.
2. Fill-in the Application properties window (or modify it in case of template application) as described in Section 3.6.2, Filling-in the Application Properties Window.
2. Fill-in the Application properties window as described in Section 3.6.2, Filling-in the Application Properties Window.
   a) For Application objects, fill-in the following tabs:
      - Properties: see Section 3.6.2.1, "Properties" Tab of an Application Object.
      - Account base: see Section 3.6.2.3, "Account Base" tab of an Application Object.
      - Launcher: see Section 3.6.2.4, "Launcher" Tab.
      - Parameters: see Section 3.6.2.5, "Parameters" Tab.
      - Application Profile: see Section 3.6.2.6, "Application Profile" Tab.
   b)
The Properties tab of an Application Object allows you to define the basic parameters of an Application.

Application Name
This field will be shown in the objects tree of SSOStudio and in the data collection and account management dialog boxes of SSOWatch Engine.

Session management
Indicates whether all the application windows depend on the same application instance.

OLE/Automation
Grants OLE/Automation access to this application (and all the associated security objects). For further security, you can enter a password for which OLE clients will be prompted. For more information, see Section 10., "OLE/Automation Interface".

Options
- Enable this application (this option is selected by default): if this option is cleared, SSOWatch Engine will ignore this application. This is used to temporarily disable an application without deleting it from the configuration file.
- Try previous password when "bad password" windows detected: if this option is selected, the fields are filled with the last valid password at "bad password" detection (this can be useful if the password change is not immediately taken into account by the application).
- User must provide credentials: this check box only appears in Access Collector mode. If this check box is cleared, the user will be able to cancel the collect (or the bad password) window that appears when he/she launches an application.
The Properties tab of a Technical Definition object allows you to define the basic parameters of a Technical definition.

Identification
The Technical reference name. This field will be shown in the objects tree of SSOStudio.

Session management
Indicates whether all the application windows depend on the same application instance.

Try previous password when "bad password" windows detected
If this option is selected, the fields are filled with the last valid password at "bad password" detection (this can be useful if the password change is not immediately taken into account by the application).
The Account base tab allows you to define the Account Base associated with an application. An Account is a username/password pair that allows connection to an application. There is also an account parameter that can store complementary authentication data; for instance, a Windows Domain name is a complementary parameter of a Windows account. The account name is internal to SSOWatch: it is used to store and retrieve security data and to give a user-friendly name to this data. A user-friendly name is particularly useful when using multiple accounts: you can give names like "Notes Admin" or "Notes User" if a Notes user is also the administrator.
Accounts are global: they are shared by applications and by SSOWatch configurations, because they refer to objects stored in the security system storage and which are bound to the user.
In most cases, one single account is associated with an application. It is called a Standard account. In some cases, it is possible to use the Windows username and password to perform SSO to an application. An example is the Windows Terminal Server login. To use this security credential in SSO, you must associate the Primary Authentication Identifier with the application (check the corresponding option). The Windows username can be used in different formats:
- Short name: username only.
- Windows 2000 (and later): username including the Windows domain, for instance: jsmith@quest.com.
- NT 4: username preceded by the NETBIOS domain, for instance: QUEST\jsmith.
Share Account Base with Another Application: to do this, in the application that you consider as the account reference, indicate the applications that are authorized to use this reference base.
You can also share an account base between two Applications using command line arguments. This feature may allow you to create batch files to automate this task. You can combine this feature with the possibility of importing objects using command lines, which is described in Section 3.9.2, Importing Objects using Command Line Arguments (Standalone Mode only).
Before Starting
The Applications must be created. Close the SSOStudio graphical interface.

Procedure
To share an Account base, at the Windows prompt, type the following command:

<SSOWatch installation folder> [/login <name>] [/password <password>] /share <MasterApplication> <SlaveApplication>

Arguments in square brackets [ ] are optional.

Where:

ARGUMENT NAME                                    VALUE
<SSOWatch installation folder>                   "C:\Program Files\Quest Software\E-SSO\SSOBuilder.exe" by default.
/login <name> /password <password>               Login name and password of the E-SSO administrator. Use the format DOMAIN\login. If the login name and password of the administrator are not specified, the SSOStudio authentication window will appear. The administrator account used to run the command must have sufficient rights.
/share <MasterApplication> <SlaveApplication>    <MasterApplication>: name of the Application owning the Account base to share. <SlaveApplication>: name of the Application that will use the Account base. This parameter works only with Application objects.
Example: The following command allows you to share the Account Base AB1 owned by APP1 with APP2:
"C:\Program Files\Quest Software\E-SSO\SSOBuilder.exe" /login DOMAIN\WGAdmin /password AdminPWD /share APP1 APP2
External Names: this button only appears if you use SSOStudio Enterprise in standalone and LDAP storage mode. It allows you to define a mapping between the Enterprise SSO application that you are configuring and the name of an external application that must be identified by Enterprise SSO. This option is particularly useful to integrate Web Access Manager with Enterprise SSO. For example, if you are defining an application called MyHTMLApplication that already uses Web Access Manager Account Bases, click this button and, in the displayed window, enter the names of the Web Access Manager Account Bases defined for this application. In this way, Enterprise SSO will be able to use these Web Access Manager Account Bases to perform SSO with this application.
Each external application name must be unique in the directory.
This window allows you to define the following parameters:

Change Icon button
The icon associated with the application, which will be displayed in SSOWatch Engine.

Application description for user
The application description, which will be displayed in SSOWatch Engine.

Target
The command line or URL (for web applications), which opens the application.

Start in folder
The directory where the command line should start.

Command line parameters
The SSO parameters to be sent to the command line, if necessary. The Insert button inserts into the command line the item selected in the list (identifier/password).
Window Description
Add button: click this button to add a parameter. The following window appears:
- To add an existing parameter, select it and click OK. In standalone mode, the parameter Windows Domain must be used only with Applications that may use Enterprise SSO Advanced Login.
- To create a new parameter, type its name in the Name field and click Add.
- To delete or rename an existing parameter, select it and click Delete or Rename.
- To define an External Name for a parameter, select the wanted parameter and click External Name. For more information, see Managing External Names below.
Delete button: select a parameter and click Delete.
Properties button: select a parameter, then click this button to define the properties of the selected parameter.
a) Description: mandatory description of the parameter, for a better understanding.
b) Parameter type:
   - Default: the value of the parameter is collected for each SSO account and can be modified by the user.
   - Global: the value of the parameter is the same for all SSO accounts and is not proposed to the user.
   - Rule: the value is dynamically defined as a function of user data, and cannot be changed.
c) Value: this is the default value assigned to the parameter. If nothing is entered here, it will be requested at first authentication (data collection) according to the parameter type defined previously. If you have selected Rule in the Parameter type area, get the exact LDAP attribute name (using an LDAP browser) and type it in the Value field between parentheses. For example, type (mail) to indicate that the parameter value is the user's mail address.
   If you want to add several LDAP attributes, type them one after another, without comma. Example: (mail)(dn). You can be more specific about the parameter value by using the following rules:
   - To keep only the first n characters of the LDAP value, use the syntax (attLDAP,n).
   - Three functions are used to handle LDAP values: UPPER, LOWER and CAPITALIZED. Example: UPPER(mail,10) will return the first 10 characters of the user's mail address in upper case.
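The following is an added example (not SSOWatch code and not from this guide) that implements the Rule value syntax described above: (attr), (attr,n) and the UPPER, LOWER and CAPITALIZED functions, with several terms written one after another. It is useful for checking a Value string against a test entry before deploying it. The sample entry is constructed; how the real engine treats a missing attribute or surrounding whitespace, and the exact behaviour of CAPITALIZED (first letter upper case, the rest lower case), are assumptions of this example.

```python
"""Evaluate "Rule" parameter values against an LDAP entry.

Added example, not SSOWatch code: implements the (attr), (attr,n) and
UPPER/LOWER/CAPITALIZED syntax of Rule parameters. The sample entry is
constructed; missing-attribute handling, whitespace handling and the exact
meaning of CAPITALIZED are assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple

# One term: an optional function name followed by "(attribute[,n])".
_TERM = re.compile(r"(UPPER|LOWER|CAPITALIZED)?\(\s*([A-Za-z][\w.-]*)\s*(?:,\s*(\d+)\s*)?\)")


def parse_rule(rule: str) -> List[Tuple[Optional[str], str, Optional[int]]]:
    """Split e.g. 'UPPER(mail,10)(dn)' into (function, attribute, n) tuples.

    Anything that is not a well-formed term (a comma between terms, an
    unknown function name, stray text) raises ValueError instead of being
    silently ignored, so a typo in the Value field is caught early."""
    terms = []
    pos = 0
    for m in _TERM.finditer(rule):
        if rule[pos:m.start()].strip():
            raise ValueError(f"unexpected text {rule[pos:m.start()]!r} in rule {rule!r}")
        func, attr, n = m.group(1), m.group(2), m.group(3)
        terms.append((func, attr, int(n) if n is not None else None))
        pos = m.end()
    if rule[pos:].strip() or not terms:
        raise ValueError(f"invalid rule {rule!r}")
    return terms


def evaluate_rule(rule: str, entry: Dict[str, str]) -> str:
    """Concatenate the selected (possibly truncated and re-cased) attribute values."""
    by_name = {k.lower(): v for k, v in entry.items()}  # LDAP attribute names are case-insensitive
    parts = []
    for func, attr, n in parse_rule(rule):
        value = by_name.get(attr.lower())
        if value is None:
            raise KeyError(f"attribute {attr!r} is not present in the entry")
        if n is not None:
            value = value[:n]                      # keep only the first n characters
        if func == "UPPER":
            value = value.upper()
        elif func == "LOWER":
            value = value.lower()
        elif func == "CAPITALIZED":
            value = value[:1].upper() + value[1:].lower()
        parts.append(value)
    return "".join(parts)


# Constructed sample entry, as an LDAP browser would show it.
SAMPLE_ENTRY = {
    "mail": "jane.smith@example.com",
    "dn": "CN=Jane Smith,OU=Users,DC=example,DC=com",
    "sAMAccountName": "jsmith",
}

if __name__ == "__main__":
    for rule in ["(mail)", "(mail)(dn)", "UPPER(mail,10)", "CAPITALIZED(sAMAccountName)"]:
        print(f"{rule:32} -> {evaluate_rule(rule, SAMPLE_ENTRY)}")
```

Because a Rule value cannot be changed by the user, a rule that silently evaluates to the wrong string would be pushed to every account that uses the parameter; the strict parser above rejects malformed rules rather than guessing.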
This window appears when you click the External Name button. It allows you to define a mapping between the parameter that you are configuring within Enterprise SSO and the name of an external parameter (created using another SSO tool) that must be identified by Enterprise SSO.
This option is particularly useful to integrate User Provisioning or Web Access Manager with Enterprise SSO.
"Parameters" Tab of a Technical Definition Object (Console Mode only)

Subject
The Parameters tab allows you to add a list of additional authentication parameters (such as Windows Domains or Languages). These parameters enable you to define more fields than just the name/password pair of fields of the target application authentication window.
The list of authentication parameters for the technical reference must be coherent with the parameters defined at the application level. The creation of an application is described in Appendix Enterprise SSO Console Administrator Guide.
Delete button: select a parameter and click Delete.
Properties button: this button is always disabled.
To allow the user to dynamically create new accounts from SSOWatch Engine module, select User can create additional accounts.
2.
Window Description
The SSO settings by population window allows you to define the population (user, organizational group or units) that you want to access the application. It is necessary to assign an application profile to each one. If several profiles are associated with a user, priority is given to the profile in the following order:
1. User.
2. Group. If there are several groups, the notion of priority indicated on the interface is applied. This is dedicated only to groups (with 0 as the highest priority level).
3. Organizational Unit.
2. Fill-in the Window Properties window tabs as described in the following sections:
   - For the General tab, see Section 3.7.1, "General" Tab.
   - For the Options tab, see Section 3.7.2, "Options" Tab.
   - The Detection and Actions tabs are described in the sections of this guide that are related to the "plug-in types", as their content depends on the selected window type.
Window Name
By default, this field is automatically filled in with the name of the selected Window Type. It is recommended to enter a name clearer than the default name.

Window Type
Displayed Window types are loaded from the different SSOWatch plug-ins. The following table shows the window types provided by the different plug-ins and their associated technology. The Window Type Description area displays the description of the selected window type.
WINDOW TYPE                   TECHNOLOGY   BEHAVIOR                         DESCRIPTION
Generic Windows
  StandardLogin               Win32/Java   Login
  BadPassword                 Win32/Java   BadPassword
  NewPassword                 Win32/Java   NewPassword
  BadNewPassword              Win32/Java   BadNewPassword
  ConfirmPassword             Win32/Java   ConfirmPassword
  Terminal                    Terminal     All
HTML Pages (reserved for old versions. Do not use to detect new windows)
  IELogin                     Win32        Login + BadPassword              HTTP authentication window
  HTMLLogin                   HTML/IE      Login                            Authentication in HTML pages
  HTMLBadPassword             HTML/IE      BadPassword
  HTMLNewPassword             HTML/IE      NewPassword + ConfirmPassword
  HTMLBadNewPassword          HTML/IE      BadNewPassword
Customizable Window Types
  CustomScript                Win32        All                              Graphic scripts enabling customized SSO creation
  CustomScriptHTML            HTML/IE      All                              Graphical scripts allowing customized SSO creation for web applications under Internet Explorer
Microsoft Applications
  MSTelnet                    Terminal     All                              Not supported.
  MSTelnetW2KXP               Terminal     All                              Telnet Microsoft for Windows 2000 and XP
Lotus Notes Windows
  NotesLogin                  Win32        Login                            Lotus 4.x and 5.x authentication
SAP Windows
  SAPLogin                    Win32        Login                            Authentication for SAP R/3 version 6.20
  SAPExpired                  Win32        NewPassword
  SAPGUI Scripting Plugin     Win32        Login                            SAP R/3 Authentication
HLL API Windows
  HLLAPI Login                Win32        Login
  HLLAPI Bad Password         Win32        BadPassword
  HLLAPI New Password         Win32        NewPassword + LoginNewPassword
  HLLAPI Confirm Password     Win32        ConfirmPassword
  HLLAPI Bad New Password     Win32        BadNewPassword
  HLLAPI Standard             Win32

Quest Enterprise SSO 8.0.3 SSOWatch
The Options tab allows you to define the following properties:
- Specific detection conditions to trigger the single sign-on when the window appears (Detection criteria area).
- SSOWatch Engine execution options to carry out SSO (Execution Options area).
- Advanced SSO options (Advanced options area).

3. Click the Configure button to select the wanted system languages.
4. Select Show local language variants to display the speech communities of each language.
Use SSO State criteria
This option allows you to trigger the single sign-on only if the selected SSO states are met. This option is particularly useful for the Customizable Window Type (Custom Script type). Click the Configure button to select the conditions of the window activation depending on the state of the application. For details, see the table below:
OPTION NAME                                                              DESCRIPTION
                                                                         This option is selected by default: the window is always detected and processed by SSOWatch Engine, without any condition.
                                                                         Select this option to trigger SSOWatch Engine only if the SSO operation has not been done. With this option, SSOWatch Engine can perform SSO upon the first detection of the window; then, as long as the application runs, this window is no longer detected.
SSO has been performed and the password is valid                         The window is detected and processed by SSOWatch Engine only if the SSO operation has been done with a valid password. This option depends on the password validity period parameter (defined in the PFCP properties window).
SSO has been performed and the password has expired and must be changed  This window is detected and processed only if the SSO operation has been done and the password validity period has expired.
The password has been refused and resynchronized (BadPassword)
A new password has been provided but not confirmed
The new password has been confirmed
A new password has been refused (after a rollback)

These options can be particularly useful for applications that use several authentication windows that you have defined using custom scripts. For example, if you have to define the following windows for the same application:
- A custom bad password window.
- A custom new password window, which contains only a field for the old password and a field for the new password.
- A custom password confirmation window, which contains a field to confirm the new password.
- A custom bad new password window, which appears when the user enters a wrong new password.
To avoid inopportune detection and processing of these windows by SSOWatch Engine, select for each window the appropriate option in the Application State Conditions window.
Example of use with the "SSO has been performed and the password has expired and must be changed" option
To display automatically the change password window of an application, do the following. We consider in the following example that the change password window appears when you click a button.

Procedure
1. In SSOStudio, create the Application object (for details, see Section 3.6, Defining Application and Technical Definition Objects).
2. From this object, define the Login and Change Password windows (for details, see Section 3.7, Defining Window Objects).
3. Define the Password Expire window, with the following guidelines:
   - In the General tab, select Custom script (Window type).
   - In the Options tab, select Use SSO state criteria, then click the Configure button and select SSO has been performed and the password has expired and must be changed.
   - Detection tab: drag and drop the target button to the window where the Change Password button is located.
   - Fill in the Actions tab as follows:
The Password Expire window is a virtual window, which allows you to display automatically the Change Password window when the password has expired.
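The following is an added example (not part of the guide or of the product) that models both the Application State Conditions table above and the Password Expire virtual window of this procedure: given the SSO state of an application, it tells which custom windows SSOWatch would still process. Condition labels are quoted from the guide where it gives them; the labels of the unconditional option and of the "SSO not yet performed" option, the state record, the way expiry is derived from the PFCP password validity period, and the sample windows are assumptions of this example.

```python
"""SSO state criteria: which custom windows SSOWatch may process.

Added example, not part of the guide or the product. Labels marked
"assumed" and the AppState record are not from the guide.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, List, Optional


class Phase(Enum):
    NOT_DONE = "SSO not performed yet"
    DONE = "SSO performed"
    BAD_PASSWORD = "password refused and resynchronized"
    NEW_UNCONFIRMED = "new password provided, not confirmed"
    NEW_CONFIRMED = "new password confirmed"
    NEW_REFUSED = "new password refused after rollback"


@dataclass
class AppState:
    phase: Phase
    last_sso: Optional[datetime] = None   # when SSO last succeeded (assumed field)
    validity_days: int = 90               # PFCP password validity period (assumed value)

    def password_expired(self, now: datetime) -> bool:
        if self.last_sso is None:
            return False
        return now - self.last_sso > timedelta(days=self.validity_days)


# Condition names as selected in the Application State Conditions window.
ALWAYS = "(no condition)"                         # assumed label
NOT_DONE = "(SSO has not been performed)"         # assumed label
VALID = "SSO has been performed and the password is valid"
EXPIRED = "SSO has been performed and the password has expired and must be changed"
BAD = "The password has been refused and resynchronized (BadPassword)"
UNCONFIRMED = "A new password has been provided but not confirmed"
CONFIRMED = "The new password has been confirmed"
REFUSED = "A new password has been refused (after a rollback)"

_PHASE_ONLY = {BAD: Phase.BAD_PASSWORD, UNCONFIRMED: Phase.NEW_UNCONFIRMED,
               CONFIRMED: Phase.NEW_CONFIRMED, REFUSED: Phase.NEW_REFUSED}


def window_applies(condition: str, state: AppState, now: datetime) -> bool:
    """True if a window configured with `condition` may be detected now."""
    if condition == ALWAYS:
        return True
    if condition == NOT_DONE:
        return state.phase is Phase.NOT_DONE
    if condition == VALID:
        return state.phase is Phase.DONE and not state.password_expired(now)
    if condition == EXPIRED:
        return state.phase is Phase.DONE and state.password_expired(now)
    if condition in _PHASE_ONLY:
        return state.phase is _PHASE_ONLY[condition]
    raise ValueError(f"unknown condition {condition!r}")


def eligible_windows(windows: Dict[str, str], state: AppState, now: datetime) -> List[str]:
    """Names of the windows (name -> condition) that SSOWatch would still process."""
    return [name for name, cond in windows.items() if window_applies(cond, state, now)]


# Constructed sample: custom windows of one application and their conditions.
CUSTOM_WINDOWS = {
    "Main Window": ALWAYS,
    "Login": NOT_DONE,
    "Password Expire": EXPIRED,       # the virtual window of the procedure above
    "Bad Password": BAD,
    "Confirm Password": UNCONFIRMED,
}

NOW = datetime(2009, 6, 1, 9, 0)      # fixed clock for the scenarios below


def scenario(phase: Phase, days_since_sso: Optional[int] = None) -> AppState:
    """Build a state whose last successful SSO was days_since_sso days before NOW."""
    last = None if days_since_sso is None else NOW - timedelta(days=days_since_sso)
    return AppState(phase, last_sso=last)


if __name__ == "__main__":
    for label, state in [("fresh", scenario(Phase.NOT_DONE)),
                         ("10 days after SSO", scenario(Phase.DONE, 10)),
                         ("100 days after SSO", scenario(Phase.DONE, 100))]:
        print(f"{label:20} -> {eligible_windows(CUSTOM_WINDOWS, state, NOW)}")
```

With the expiry condition tied to the validity period, the Password Expire window is only offered once the PFCP period has elapsed, and the Login window is no longer detected after the first successful SSO, which is exactly the inopportune re-detection the guide's options are meant to avoid.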
Do not disable the window during SSO and Do not disable the window when asking for user input
Select these options so that the user can interact with the window detected during SSO. This is only relevant for IE and Firefox.

Use alternative field detection method
Activate this if the contents of the web page are not always identical. This can be slower than the default method. Select this option so that:
- The window definition for IE 6, 7 and 8 is the same for the three of them.
- If the web page is modified, SSO is still executed.
If this option slows down the window detection, then you must select one window for each IE version. You must start the configuration over again if you select this option.

Try to use for Firefox
If this definition is for Internet Explorer, it will also be used for Firefox. Note: this option may not work with all web pages. Select this option so that the window definition for IE is also applied to Firefox. If this option does not work, you must create a specific window definition for Firefox. You must start the configuration over again if you select this option.
2.
3. Click OK.
   The selected applications appear in the SSOWatch Engine list, which displays the result of the test.
2.
Importing
Procedure
To import an object, do the following:
1. In the SSOStudio main window, right-click the node where you want to import the file.
   To import a window, select the application that will receive this window.
   The Explorer window appears.
2.
3.9.2 Importing Objects using Command Line Arguments (Standalone Mode only)
Subject You can import .SSE files using command line arguments. This feature may allow you to create batch files to automate the import of several objects from your test environment to the live environment.
This feature is more powerful than the import of objects using the graphical interface. You can use it to define accesses to applications in addition to the import operation.
Before Starting Export the wanted objects using the graphical interface, as described in Section 3.9.1, Exporting/Importing Objects using the Graphical Interface.
For details on the objects that you can import, see Section 3.9, Exporting or Importing Objects.
Close the SSOStudio graphical interface. Note that you can combine this feature with the possibility of sharing an account base using command lines, which is described in Section 3.6.2.3, "Account Base" tab of an Application Object.
Procedure
To import an object, at the Windows prompt, type the following command:

<SSOWatch installation folder> [/login <name>] [/password <password>] /import <filename.sse> /location <Organization DN> [/access <group>] [/profile <profile>]

Arguments in square brackets [ ] are optional.

Where:

ARGUMENT NAME                        VALUE
<SSOWatch installation folder>       "C:\Program Files\Quest Software\E-SSO\SSOBuilder.exe" by default.
/login <name> /password <password>   Login name and password of the Enterprise SSO administrator. Use the format DOMAIN\login. If the login name and password of the administrator are not specified, the SSOStudio authentication window will appear. The administrator account used to run the import must have sufficient rights.
/import <filename.sse>               Full path name of the .sse file, which contains the object(s) to import. If the object to import is associated with another ESSO object (an Application associated with a PFCP for example), and if the name of this object (PFCP) is used by other objects, the first name found is used. If no object is found, the default object is used.
/location <Organization DN>          Distinguished Name of the organization where the object will be created.
/access <group>                      Name of the group of users for whom you want to specify an access to the imported Application. You can use either the format "Group Name" or "Group DN". If you do not specify this argument, check the access configuration using SSOStudio. This argument works only with Application objects.
/profile <profile>                   Name of the Application Profile that will be associated with the imported Application. You can use either the format "Group Name" or "Group DN". If you do not specify this argument, the default Application profile will be used. This argument works only with Application objects.
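The guide suggests batch files to automate the import of several objects. The following is an added example (written in Python rather than as a batch file; it is not Quest code and not from the guide) that runs one /import per .sse file in a folder using only the switches documented above and the default executable path from the table. That SSOBuilder.exe signals failure through a non-zero exit code is an assumption; the file names and DNs are constructed samples.

```python
"""Batch import of .SSE files with SSOBuilder.exe /import.

Added example, not Quest code. Uses only the documented switches
(/login, /password, /import, /location, /access, /profile). A non-zero
exit code on failure is assumed; names and DNs are constructed.
"""
import subprocess
import sys
from pathlib import Path
from typing import List, Optional, Tuple

DEFAULT_EXE = r"C:\Program Files\Quest Software\E-SSO\SSOBuilder.exe"


def build_import_command(sse_file: str, location_dn: str, login: Optional[str] = None,
                         password: Optional[str] = None, access: Optional[str] = None,
                         profile: Optional[str] = None, exe: str = DEFAULT_EXE) -> List[str]:
    """Argument vector for one /import call.

    The list is handed to subprocess without a shell, so a path containing
    spaces needs no quoting and cannot be split into extra switches."""
    argv = [exe]
    if login is not None:
        argv += ["/login", login]
        if password is not None:      # leave it out to be prompted by the SSOStudio window
            argv += ["/password", password]
    argv += ["/import", str(sse_file), "/location", location_dn]
    if access is not None:
        argv += ["/access", access]
    if profile is not None:
        argv += ["/profile", profile]
    return argv


def redacted(argv: List[str]) -> List[str]:
    """Copy of argv with the /password value masked, for logs and dry runs."""
    out = list(argv)
    for i, arg in enumerate(out[:-1]):
        if arg.lower() == "/password":
            out[i + 1] = "********"
    return out


def import_folder(folder: str, location_dn: str, dry_run: bool = False,
                  **options) -> List[Tuple[str, Optional[int]]]:
    """Run one /import per .sse file in folder (sorted); returns (name, exit code)."""
    results = []
    for sse in sorted(Path(folder).glob("*.sse")):
        argv = build_import_command(str(sse), location_dn, **options)
        print("importing:", " ".join(redacted(argv)))
        if dry_run:
            results.append((sse.name, None))
            continue
        code = subprocess.run(argv).returncode
        if code != 0:
            print(f"{sse.name}: SSOBuilder.exe exited with {code}", file=sys.stderr)
        results.append((sse.name, code))
    return results


if __name__ == "__main__":
    # Usage: python import_sse.py <folder> "<Organization DN>" [--dry-run]
    import_folder(sys.argv[1], sys.argv[2], dry_run="--dry-run" in sys.argv,
                  login=r"DOMAIN\WGAdmin")
```

The script passes /login but no /password by default, so the SSOStudio authentication window prompts for the administrator password instead of the password sitting in a script or in the process command line; the redacted() helper keeps it out of any log when a password is supplied.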
Examples
The following command allows you to import MyExportedFile.sse into the Applications container:

"C:\Program Files\Quest Software\E-SSO\SSOBuilder.exe" /login DOMAIN\WGAdmin /password AdminPWD /import C:\MyExportedFile.sse /location OU=Applications,OU=Organization,DC=domain,DC=acme,DC=com

You have created the APP application, for which the access is restricted to the group of users GROOP. To import this application and keep the restricted access to GROOP, use the following command:

"C:\Program Files\Quest Software\E-SSO\SSOBuilder.exe" /login DOMAIN\WGAdmin /password AdminPWD /import C:\MyExportedAPP.sse /location OU=Applications,OU=Organization,DC=domain,DC=acme,DC=com /access GROOP
2. In the tree, right-click the node where you want to paste the copied object and click Paste.
   The object appears in the tree at the selected location.

2. Type the name you want to see appear for the object and press the Enter key.
   The object is renamed.

2. Click OK.
   The object is deleted from the tree.
3.11.1 Saving Object Configurations in LDAP Storage Mode (Console Mode Only)
Subject In LDAP storage mode, centralized configuration is defined in the LDAP directory for which SSO access is either authorized or denied for a given user or group of users. In standalone mode, the configuration is immediately and automatically saved in the LDAP directory. In Console mode, you must save the directory modifications, as explained in the following procedure.
Procedure
In SSOStudio (used in LDAP storage and Console mode), in the File menu, click Update directory.
The LDAP directory is updated with the configurations defined in SSOStudio.
Give a name to the configuration and select the location where you want to save the configuration.
The configuration is saved in a .sso file in the selected location.
Restriction
This functionality is available only if you use SSOStudio Enterprise in LDAP storage mode.

Procedure
In the SSOStudio main window, in the Edit menu, click Refresh.
The displayed tree is updated with the current LDAP directory.
The window objects that allow you to carry out the SSO belong to the Generic Windows, as shown in the following figure:
These window types allow you to detect any Microsoft Windows application, including any HTML page displayed by web browsers such as Firefox or Internet Explorer. Do not use the Microsoft Internet Explorer plug-in (HTML Pages) to define new windows.
Before Starting
If you want to detect a Java application, make sure the following components are properly installed on your workstation:
- A supported Java version (for more details about the supported JRE versions, see Appendix Quest Enterprise SSO Release Notes).
- The Quest SSOJava Plug-in, which must imperatively be installed after the JRE (for more information, see Appendix Enterprise SSO Advanced Installation and Configuration Guide).
To define the window detection, you must do the following:
1. Select the window that must be detected by SSOWatch, using the target button. For details, see Section 4.1.1, Simple Detection.
2. If necessary, modify the detection parameters for the selected window by filling in the Parameters of the selected window area.
Upon the detection of the window (Step 1), the Detect by Window Class and Detect by Window Title options are selected. These options are usually sufficient to enable the detection of the window by SSOWatch. If these options are not sufficient, you can use advanced detection parameters, by looking for additional texts in the window (Look for text option), and/or by adding constraints on the detection process (Advanced button). For details on these detection parameters, see Section 4.1.3, Restrictions.
The Detection tab now shows a tree structure for the targeted window, as well as its parent windows, if any. Each window is represented on two lines differentiated by the icon on the left of the line:

ICON   DESCRIPTION
       Real characteristics of the targeted window (real title and class).
       Data used to detect the targeted window (detection method, modified title).

At this point, the detection parameters of the selected window are automatically configured as follows:
- Detect by window class.
- If the window has a title, Detect by Window Title (not case sensitive).
If you want to modify these configuration parameters, make selections in the bottom half of the property page. If a targeted window has parent windows, you can modify the configuration for any intermediate window.
The following list gives the four available title detection methods. None of these methods is case sensitive:
- The window title must be equal to the given character string.
- The window title must start with the given character string.
- The window title must contain the given character string.
- The window title must end with the given character string.
Example Let us assume that the application authentication window has a title similar to Enter the password for FirstName LastName. A potential problem appears with this title because FirstName and LastName can differ from one user to another. In this case, the text must be edited and reduced to Enter the password for, and the window detection method must be set up to use: Start with or Contains.
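The following is an added example (not SSOWatch code and not from this guide) that implements the four title detection methods, case-insensitively as the guide states, together with the Detect by Window Class and Look for text criteria, and applies them to the "Enter the password for FirstName LastName" case above. Window classes, titles and field texts are constructed sample data.

```python
"""Title and class detection as configured in the Detection tab.

Added example, not SSOWatch code. The four title methods are those listed
in the guide; windows, classes and field texts below are constructed.
"""
from typing import Dict, List, Optional, Tuple

TITLE_METHODS = ("equal", "start with", "contains", "end with")


def title_matches(method: str, pattern: str, title: str) -> bool:
    """Apply one title detection method; the comparison is not case sensitive."""
    p, t = pattern.lower(), title.lower()
    if method == "equal":
        return t == p
    if method == "start with":
        return t.startswith(p)
    if method == "contains":
        return p in t
    if method == "end with":
        return t.endswith(p)
    raise ValueError(f"unknown title detection method {method!r}")


def window_detected(definition: Dict, window: Dict) -> bool:
    """definition: {'class': str|None, 'title': (method, pattern)|None, 'look_for_text': str|None}
    window:     {'class': str, 'title': str, 'texts': [field texts]}
    Every configured criterion must hold; an unset criterion is ignored."""
    wanted_class = definition.get("class")
    if wanted_class is not None and wanted_class != window["class"]:
        return False
    title_rule: Optional[Tuple[str, str]] = definition.get("title")
    if title_rule is not None and not title_matches(title_rule[0], title_rule[1], window["title"]):
        return False
    needle = definition.get("look_for_text")
    if needle is not None and not any(needle.lower() in text.lower() for text in window["texts"]):
        return False
    return True


# Constructed definition for the example window of the guide: the title is
# reduced to "Enter the password for" and matched with "start with". The
# Look for text criterion narrows detection to windows that actually carry
# a password field label, which the shortened title alone cannot guarantee.
LOGIN_DEFINITION = {
    "class": "#32770",                              # standard Win32 dialog class
    "title": ("start with", "Enter the password for"),
    "look_for_text": "Password:",
}

SAMPLE_WINDOWS: List[Dict] = [  # constructed
    {"class": "#32770", "title": "Enter the password for Jane Smith", "texts": ["User name:", "Password:"]},
    {"class": "#32770", "title": "ENTER THE PASSWORD FOR John Doe", "texts": ["User name:", "Password:"]},
    {"class": "#32770", "title": "Enter the password for proxy.example.com", "texts": ["Passcode:"]},
    {"class": "Notepad", "title": "Enter the password for Jane Smith", "texts": []},
]


def detected_titles(definition: Dict, windows: List[Dict]) -> List[str]:
    """Titles of the sample windows that the definition would detect."""
    return [w["title"] for w in windows if window_detected(definition, w)]


if __name__ == "__main__":
    print(detected_titles(LOGIN_DEFINITION, SAMPLE_WINDOWS))
```

Shortening the title to a prefix makes the definition user-independent, but it also widens what it can match; the third sample window shows how an additional text criterion keeps credentials from being sent to a window that merely shares the title prefix.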
To detect a web page, SSOWatch first looks for its URL. It can then look for the presence of an additional text or of a field in the web page. To automatically configure the necessary basic data, drag and drop the target button located in the top right of the Detection tabbed panel onto the web page that you want to detect. The data from the last targeted window are displayed in the configuration window, as shown in the following figure:
The Detection tab now shows the URL of the web page (Web page area). At this point, you can adjust the detection parameters of the selected web page by defining a variable URL (Variable URL area) or by detecting a field in the web page (Parameter of the web page area) for example. For details, see Section 4.1.2, Advanced Detection.
The single sign-on is triggered when all the required fields are displayed, even if the web page is not entirely loaded.
Some websites are provided by clusters of HTTP servers (for instance Hotmail) or use the URL to keep session data (for instance Yahoo! Mail). This leads to URLs with variable parts. To configure the detection of a web page that uses a variable URL, select Enable variable URL detection and click the Configure button.
If a variable URL detection has already been configured and you select a new URL with the Get URL button, SSOWatch checks the compatibility of the new URL with the old URL variable schema. If the schema cannot be matched, confirmation is requested before the old URL variable schema is destroyed.
The selected URL is shown in the text field. To set up the variable parts, select (with the mouse or the keyboard arrows and the SHIFT key) a part of the URL (1). The tool bar is updated and shows only the generic characters that match the selection. In the tool bar, select the wanted generic character (2). Generic characters allow you to replace:
- Any character (one or more).
- Alphanumeric characters (one or more): lower case letters, upper case letters and digits.
- Letters (one or more): lower or upper case.
- Digits (one or more).
If you select a generic character, you can restore the original text with the Revert action.
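The following is an added example (not SSOWatch code and not from this guide) that models the four generic character classes above as a schema built from the captured URL and the parts selected by the administrator, and shows the compatibility check the guide describes when a new URL is captured with Get URL. The schema representation, its translation to a regular expression and the URLs are constructed for this example.

```python
"""Variable URL detection: generic characters as a URL schema.

Added example, not SSOWatch code. Generic classes follow the guide (each
stands for one or more characters); representation and URLs are constructed.
"""
import re
from typing import List, Tuple

GENERIC = {                       # class name -> regex for "one or more"
    "any": r".+",
    "alnum": r"[A-Za-z0-9]+",
    "letters": r"[A-Za-z]+",
    "digits": r"[0-9]+",
}

Schema = List[Tuple[str, str]]    # ("lit", text) or ("gen", class)


def make_schema(url: str, generic_parts: List[Tuple[int, int, str]]) -> Schema:
    """Replace the selected [start, end) spans of url by generic classes."""
    tokens: Schema = []
    pos = 0
    for start, end, cls in sorted(generic_parts):
        if start < pos or end <= start or end > len(url):
            raise ValueError("selections must be non-empty, in range and non-overlapping")
        if cls not in GENERIC:
            raise ValueError(f"unknown generic class {cls!r}")
        if start > pos:
            tokens.append(("lit", url[pos:start]))
        tokens.append(("gen", cls))
        pos = end
    if pos < len(url):
        tokens.append(("lit", url[pos:]))
    return tokens


def schema_to_string(schema: Schema) -> str:
    """Readable form, e.g. https://host/session/<alnum>/inbox."""
    return "".join(text if kind == "lit" else f"<{text}>" for kind, text in schema)


def url_matches(schema: Schema, url: str) -> bool:
    """True if url fits the schema: literals match exactly, the whole URL is covered."""
    pattern = "".join(re.escape(text) if kind == "lit" else GENERIC[text] for kind, text in schema)
    return re.fullmatch(pattern, url) is not None


def new_url_compatible(schema: Schema, new_url: str) -> bool:
    """The check made when Get URL captures a new URL while a variable URL is
    configured: if the new URL does not fit, the old schema would have to go."""
    return url_matches(schema, new_url)


# Constructed sample: a webmail whose session token changes between logins.
CAPTURED_URL = "https://mail.example.com/session/8f3a9c/inbox"
TOKEN_SPAN = (33, 39, "alnum")       # the "8f3a9c" part of CAPTURED_URL
SESSION_SCHEMA = make_schema(CAPTURED_URL, [TOKEN_SPAN])

if __name__ == "__main__":
    print(schema_to_string(SESSION_SCHEMA))
    for candidate in ["https://mail.example.com/session/00ff12/inbox",
                      "https://mail.example.com/session//inbox",
                      "https://mail.example.com/session/00ff12/outbox"]:
        print(f"{candidate:50} {url_matches(SESSION_SCHEMA, candidate)}")
```

Choosing the narrowest generic class that still fits (alphanumeric rather than any character for a session token) keeps the detection from firing on unrelated pages under the same path, which matters because the window it triggers is the one into which credentials are entered.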
Two search methods exist:
- In the whole window: the text is searched in all the window fields.
- In Field: allows you to specify a field where the search will be carried out. This field can be configured with the small target button by dragging and dropping it onto the target field. The field content will be automatically pasted in the Look for text field.
The search is not case sensitive. If the selected Windows control field identifier is 0xFFFF, the search is automatically extended to all the window control fields. This identifier is a special one and is used for generic static texts. It can also appear more than once in a window.
2.
3.
4. Click OK.
   The constraint is added in the constraint list. Remember that SSOWatch detects the window if only one of the listed constraints is verified.
4.1.3 Restrictions
To authenticate to an application, SSOWatch performs the user's sign-on on his or her behalf. Therefore, SSOWatch considers that an application window is valid as soon as the user himself or herself would be able to enter the information requested by the application. Consequently, SSOWatch only detects windows that are:
- Visible.
- Not minimized.
- "Active" in the MS-Windows sense, that is, able to accept user input.
It follows that SSOWatch cannot perform SSO for minimized or hidden windows.
- The optional parameter list, which allows you to enter SSO data other than the user name and password.
- The actions to be performed after the fields have been filled.
4.2.1 Target
You can use the target button to select a Windows control field (text field, button, etc.). This target can be used in two ways:
- By performing a drag and drop onto the target control field: click the button; the mouse cursor changes to a target; drag it to the target control field and release the mouse button. Once the mouse button has been released, the field is updated with the control field information (and the intermediate windows/control fields if they exist). The information displayed gives the control field identifier (in hexadecimal), its class and the text found when the control field was detected.
- By opening a new window: click the target button.
A new target icon allows you to select the desired control field (with drag and drop). This window allows you to see the selected control field's details and the different levels of nested windows between the control field and the base window. Only the path from the base window to the target is displayed. To see all the other control fields/windows, select the Display all window details checkbox. You can also identify the control by its position by selecting the Identify the control by its position in the control hierarchy checkbox.
You must re-select the windows to activate this mode.
This property page enables you to specify:
- The field that will receive the user identifier (or username) that allows the user to connect to the application.
- The field that will receive the password associated with the username.
- The Do not re-prompt for account selection check box, which may be used when the user has multiple accounts: on reconnection, the active account is used.
- Additional authentication parameters, if needed. For details, see Section 4.3.1.2, Specifying Additional Fields (Optional).
- The window validation method.
Before Starting The definition of additional fields is only possible if additional parameters are defined in the Application object associated with this window. For details, see Section 3.6.2.5, "Parameters" Tab.
This window allows you to associate a Parameter with an authentication field of the target application:
2. Select the wanted parameter in the list. The Description field is in read-only mode; it displays the value of the Description field filled in upon the creation of the parameter at the Application level.
3. Use the target button to select, in the target application, the wanted authentication field.
4. Click Insert. The parameter appears in the window.
- Optional parameters associated with the selected account are retrieved from the security system: if one parameter value is unknown, the user is prompted for it. It is then stored in the security system.
- Parameters are sent.
- The window is validated.
- BadPassword and NewPassword window types are activated.
4.3.2 BadPassword
4.3.2.1 Window Description
This property page allows you to enter:
- The validation method after the password has been updated in the security database (with a new authentication if needed).
- The cancellation method of the window if the password update fails in the security database.
- The field that will receive the user identifier (or username) if the user is prompted to re-authenticate.
- The field that will receive the user password if the user is prompted to re-authenticate in the same window.
- The optional parameters, if re-authentication is proposed in the same application window. For details, see Section 4.3.1.2, Specifying Additional Fields (Optional).
Access Collector Mode Behavior
If you configure a bad password window without specifying a login field or a password field, the detection of the window deletes the collected account. At the next login window detection, a new collect is performed. If you configure a bad password window that sends a login or a password, a BadPassword window appears to collect the right account. If the user cancels this window, the account is deleted and the collect is restarted at the next user connection.
4.3.3 NewPassword
In Access Collector mode, the NewPassword window type is not available.
This property page allows you to enter:
- The field that will receive the old password (optional).
- The field that will receive the new password (optional).
- The field that will receive the new password as a confirmation (optional).
- The window validation method if the password has been successfully updated in the security database.
- The cancellation method in case of failure or if the user cancels the window.
Remark
As previously explained, the new password is saved in the security database only after it has been confirmed:
- Either in the same window (New password and Confirm password fields set).
- Or in another window (NewPassword or ConfirmPassword) if only the New password field has been set.
4.3.4 ConfirmPassword
In Access Collector mode, the ConfirmPassword window type is not available.
This window allows you to configure "Confirm New Password" window management:
- The field that will receive the old password (optional).
- The field that will receive the new password as a confirmation.
- The window validation method if the password has been successfully updated in the security database.
- The cancellation method in case of failure or if the user cancels the window.
4.3.5 BadNewPassword
In Access Collector mode, the BadNewPassword window type is not available.
This window type allows you to configure the Bad New Password window type behavior by specifying the window validation method.
This window could be managed by a StandardLogin window type. However, a NotesLogin window type can automatically select the user account according to the account name displayed in the window:
- If the user owns only one Lotus Notes account, the account has to match the requested account name; otherwise SSO is not performed.
- If the user owns several accounts, SSOWatch chooses the user account corresponding to the requested account name. If none matches the requested account name, SSO does not take place.
4.4.1.3 Configuring the Field Where the Lotus Notes Login is Shown
The first field is the one that contains the Lotus Notes username (Enter the password of). The field must be selected using the target button. In the field where the complete Lotus username is shown, ensure that all entries are deleted and that only the symbol remains. Select the password field using the target button. Ensure that the automatic window validation field is not checked.
When only one Notes account is accessed from the workstation, you may check the automatic window validation field. We recommend that this only be used in personal configuration mode.
If a single account matches (or has no data), SSOWatch Engine will prompt the user for the associated password and will save it in the security database (collect).
- The password is sent to the password field.
- The window is validated, if the automatic validation option has not been selected in the configuration.
- BadPassword and NewPassword window types are activated.
This window can be managed using the StandardLogin window type. However, if the password entered is not correct, the same window is displayed again with the same username that was previously entered in the User name field (The first time this window is displayed, no username is displayed). This window type has been created to manage such a case (StandardLogin and BadPassword mix).
This window is quite different for each of the Microsoft operating systems. If you have a heterogeneous computer installation, you will have to define several windows of this type in your configuration. The Netscape 4.7 HTTP authentication window is managed by the StandardLogin window type.
For StandardLogin, you have to set the identifier and password fields with the target button. For the identifier field, be sure to select the field within the listbox and not the listbox itself. Internet Explorer allows you to save passwords. However, you may prefer to use SSOWatch. So clear the Remember my password checkbox and select the checkbox with the target tool. Once the SSO data has been sent to the fields, you may validate the window.
The Microsoft Internet Explorer plug-in manages SSO in HTML documents in Microsoft Internet Explorer 5.5 and 6.0. It works with HTML document forms. The Internet Explorer plug-in provides several window types, detailed in the following table:
WINDOW TYPE | DESCRIPTION
(window type name not recovered) | HTTP, Firewall or Proxy connection windows
HTMLLogin | Web/HTML application connection page
HTMLBadPassword | HTML page which indicates that the password entered in the HTMLLogin window is not correct; this allows SSO data collect mode. The right username and password may be entered again this time.
HTMLNewPassword | HTML page which prompts for a new password (and generally for a confirmation)
HTMLBadNewPassword | Window type used to handle new password refusals in HTML pages
To fill in the URL field, use the Get URL button. The following window appears:
The list of open HTML documents in Internet Explorer windows (and frames) is displayed. The list of HTML forms (and their associated fields) is shown for information only. The Internet Explorer button allows you to launch Internet Explorer if it is not already running (same as launching it from the Start menu). To select a URL, select the line that shows the URL, or one of its elements. The selected URL is shown in bold. The HTML page display is dynamically updated as you open new HTML windows or navigate within Internet Explorer. The Refresh button allows you to remove windows which are no longer displayed.
If only one HTML document is opened, its URL will automatically be pasted into the URL field (if it was previously empty).
To set up the variable parts, select (with the mouse, or with the keyboard arrows and the SHIFT key) a part of the URL. The tool bar is updated and shows only the generic characters that match the selection. Generic characters allow you to replace:
- Any character (one or more).
- Alphanumeric characters (one or more): lower case letters, upper case letters and digits.
- Letters (one or more): lower or upper case.
- Digits (one or more).
If you select a generic character, you can restore the original text with the Revert action of the toolbar.
Example
In the previous window, a Hotmail URL is shown. The variable parts are the 3-digit number after "lc" and the 13-digit number after "law". You only need to select the 3 digits and click the generic character for digits in the toolbar, then select the 13 digits and click it again. The field is then displayed with both numbers replaced by the generic character.
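The generic-character mechanism amounts to turning the captured URL into a pattern in which each selected span is replaced by one of four character classes, and the compatibility check performed by Get URL against an existing variable schema is then just a match of the new URL against that pattern. The following Python example is added here and is not SSOWatch code or part of this guide: it builds such a pattern from a captured URL and a list of selections, then checks candidate URLs against it. The Hotmail-style URL, the hostname and the function names are constructed for the example.

```python
import re
from enum import Enum


class Generic(Enum):
    """The four generic characters of the variable-URL toolbar, as regex fragments."""
    ANY = r".+"                 # any character (one or more)
    ALNUM = r"[A-Za-z0-9]+"     # alphanumeric characters (one or more)
    LETTERS = r"[A-Za-z]+"      # letters, lower or upper case (one or more)
    DIGITS = r"[0-9]+"          # digits (one or more)


def span_after(url, anchor, length):
    """Offsets (start, end) of the `length` characters following the first `anchor`.

    Mirrors selecting text with SHIFT+arrows right after a fixed part of the URL."""
    start = url.index(anchor) + len(anchor)
    return start, start + length


def build_variable_url_pattern(url, selections):
    """Compile a captured URL plus (start, end, Generic) selections into an anchored regex.

    Text outside the selections is matched literally (re.escape); each selected
    span becomes the chosen generic class. Selections must not overlap."""
    parts = []
    pos = 0
    for start, end, generic in sorted(selections, key=lambda s: s[0]):
        if start < pos or end > len(url) or start >= end:
            raise ValueError("selections must lie inside the URL and not overlap")
        parts.append(re.escape(url[pos:start]))   # literal part before the selection
        parts.append(generic.value)               # the generic character
        pos = end
    parts.append(re.escape(url[pos:]))            # literal tail
    return "^" + "".join(parts) + "$"


def url_matches(pattern, candidate):
    """True when a freshly captured URL fits the variable-URL schema."""
    return re.fullmatch(pattern, candidate) is not None


# Constructed sample: a Hotmail-style URL whose server numbers vary per session
# (3 digits after "lc", 13 digits after "law", as in the guide's example).
CAPTURED_URL = "http://lc123.law1234567890123.hotmail.example/cgi-bin/login"
SELECTIONS = [
    (*span_after(CAPTURED_URL, "lc", 3), Generic.DIGITS),
    (*span_after(CAPTURED_URL, "law", 13), Generic.DIGITS),
]
PATTERN = build_variable_url_pattern(CAPTURED_URL, SELECTIONS)


if __name__ == "__main__":
    print(PATTERN)
    for url in (
        "http://lc987.law0000000000001.hotmail.example/cgi-bin/login",  # other server pair
        "http://lcabc.law0000000000001.hotmail.example/cgi-bin/login",  # letters, not digits
    ):
        print(url, "->", url_matches(PATTERN, url))
```

Note that "one or more" digits means a 2-digit or 4-digit server number would also match; if the count is significant for a given site, the fixed text around the number is what pins the schema down, so keep the selection as narrow as the variable part itself.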
You can enter a text using the keyboard, or select it with your mouse in an HTML page and click the Capture button: the text is pasted in the field. There are two search methods:
- Text must be Present: if the text is found on the page, detection is successful.
- Text must be Absent: if the text is found on the page, detection fails.
This window displays, in a list, all the forms (and their fields) contained in the HTML page selected in the detection page. The fields are displayed in their order, and an icon distinguishes the clear text fields from the fields containing a password. The associated text is the field's internal name (HTML). The forms are differentiated by their names. If two or more forms have the same name (or are unnamed), the position is displayed in brackets: this is the position in the page compared to all forms with the same name.
If you do not want to use this field, validate by clicking the Clear button.
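The listing described above (forms in document order, text fields distinguished from password fields, duplicate or unnamed forms disambiguated by a bracketed position) can be reproduced with the standard-library HTML parser. The following Python example is added here and is not SSOWatch code; the sample page is constructed, and it assumes forms are identified by their name attribute only and that only text and password inputs count as fields.

```python
from html.parser import HTMLParser


class FormLister(HTMLParser):
    """Collects the forms of an HTML document and the text/password inputs inside them."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each: {"name": str, "fields": [(field_name, is_password)]}
        self._current = None   # the form being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"name": a.get("name") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            itype = (a.get("type") or "text").lower()   # <input> without type is a text field
            if itype in ("text", "password"):
                self._current["fields"].append((a.get("name") or "", itype == "password"))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def list_forms(html):
    """Return [(form_label, fields)] in document order.

    Forms with a unique name are labelled by that name; unnamed forms and forms that
    share a name get their position among same-named forms in brackets, e.g. login[2]."""
    parser = FormLister()
    parser.feed(html)
    parser.close()
    total = {}
    for form in parser.forms:
        total[form["name"]] = total.get(form["name"], 0) + 1
    seen = {}
    labelled = []
    for form in parser.forms:
        name = form["name"]
        seen[name] = seen.get(name, 0) + 1
        label = name if name and total[name] == 1 else f"{name}[{seen[name]}]"
        labelled.append((label, form["fields"]))
    return labelled


# Constructed sample page: two forms named "login" and one unnamed form.
SAMPLE_HTML = """
<html><body>
<form name="login" action="/a">
  <input type="text" name="user"><input type="password" name="pass">
</form>
<form name="login" action="/b"><input name="q"></form>
<form action="/c"><input type="hidden" name="token"><input type="password" name="pin"></form>
</body></html>
"""

if __name__ == "__main__":
    for label, fields in list_forms(SAMPLE_HTML):
        print(label)
        for field_name, is_password in fields:
            print("   ", "[password]" if is_password else "[text]    ", field_name)
```

Hidden inputs are deliberately skipped, since they are not fields a user (or SSOWatch on the user's behalf) fills in; the position index restarts per name, so the unnamed form is reported as [1] even though it is the third form on the page.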
To customize an optional field, proceed as follows:
1. Select the parameter in the list.
2. Fill in Associated Field by using the target to select the target control field.
3. Insert the customization of the additional field.
4. Validate by clicking OK.
This window proposes two submit methods:
- Simple submit, or submit by clicking a Button/Image.
- Advanced submit by clicking a link.
This property page allows you to specify:
- The field that will receive the user identifier (or username) that allows connection to the application.
- The field that will receive the password corresponding to the username.
- The optional parameters, if necessary.
- The form-submit method.
5.3.1.2 Actions
In SSOWatch Engine, the following actions are performed after the form has been detected:
- The username and password associated with the application are retrieved from the security system. If necessary, the user is prompted to choose between the accounts he or she owns. If the selected (or single) account has no security data in the security system, SSOWatch Engine prompts the user for this data and saves it in the security system (collect).
- Data is sent to the form fields of the HTML page.
- Optional parameters associated with the selected account are retrieved from the security system: if any parameter value is unknown, it is requested from the user and then stored in the security system.
- Parameters are sent.
- The form is submitted.
- Windows of type HTMLBadPassword or HTMLNewPassword are activated.
5.3.2 HTMLBadPassword
5.3.2.1 Configuration
This property page allows you to enter:
- The validation method after the password has been updated in the security database (with a new authentication if necessary).
- The HTML field that will receive the user identifier (or username) if the user is prompted to re-authenticate.
- The HTML field that will receive the user password if the user is prompted to re-authenticate in the same page.
- The optional parameters, if re-authentication is proposed in the same window.
5.3.2.2 Actions
In SSOWatch Engine, the following actions are performed after the HTML page has been detected:
- The user is warned that the password stored in the security system is not the right one for this application; he or she is prompted to enter the right password (the user can also change the identifier if he or she misspelled it in the collect window).
- If the new username/password pair is validated by the user and the security database is updated successfully:
  - If specified, the username, password and optional HTML parameters are sent to the application.
  - The HTML form is submitted according to the specified method.
5.3.3 HTMLNewPassword
5.3.3.1 Configuration
This property page allows you to enter:
- The HTML field that will receive the user identifier (or username) (optional).
- The HTML field that will receive the old password (optional).
- The HTML field that will receive the new password (optional).
- The HTML field that will receive the new password as confirmation.
- The HTML form-submit method if the password has been successfully updated in the security database.
- The cancellation method in case of failure or if the user cancels the window.
5.3.3.2 Actions
In SSOWatch Engine, the following actions are performed after the HTML page has been detected:
- If specified, the user identifier and the old password are sent (if the application can have many simultaneous sessions and several accounts are used, SSOWatch asks the user to choose the relevant session).
- The application asks the user for a new password or computes one (according to the PFCP associated with the application).
- If password confirmation is specified, the new password is saved in the security database. In case of failure, the submission is cancelled.
In case of success:
- The new password is sent (if requested).
- The new password is sent again (if confirmation is needed).
- The form is submitted.
5.3.4 HTMLBadNewPassword
5.3.4.1 Configuration
This property page allows the definition of:
- The validation method after a new password has been refused.
- The HTML field for the username, if re-authentication is proposed in the same window (optional).
- The HTML field for the old password (optional).
- The HTML field for the new password (optional).
- The HTML field for the new-password confirmation (optional).
5.3.4.2 Execution
In SSOWatch Engine, the actions performed following detection of this HTML page are:
- The old password is reset and becomes the current password.
- If specified, authentication is performed with the username and old password (if a multi-session application and a number of accounts are used, SSOWatch prompts the user to choose the appropriate session).
- The user is prompted for a new password, or a new password is generated based on the application's password policy (PFCP).
- If confirmation of the new password is specified, the new password is saved in the security database. If unsuccessful, SSO is cancelled.
- If successful, or where there is no confirmation:
  - The new password is sent (if specified).
  - Confirmation is sent (if specified).
  - The window is validated.
  - NewPassword type windows are activated.
To configure a window of type SAPLogin, you have to specify the following parameters:
This window is pre-selected and should normally not be modified.
Fields
SAP Main Field: the field where SSO data should be sent. Field selection may be done with the target button.
SAP Status bar: the field where errors are displayed. Field selection may be done with the target button.
Error text: the message displayed by SAP R/3 in case of error. This allows SSOWatch to deal with bad passwords (SAP R/3 4.5 only).
Window parameters
Language and Client Name may be associated with parameters stored in the security database.
Window Validation
The authentication window should be validated with the Enter key.
In the configuration window, fill in the SAP main field with the target button.
To specify an SAP R/3 server or group of servers, use the following options:
- Name (mandatory): server name (SAP R/3 hostname) or server group name for which SSO is to be performed.
- SAP system name: SAP R/3 name of the system in 3 characters (database ID).
- Direct connection to a server: System number: provide the SAP R/3 System Number if the target server is running more than one copy of SAP R/3.
- Group with load-balancing: Message Server: enter the SAP R/3 message server name as it is configured in the SAPLogon module if there are several SAP R/3 groups with the same name but different message servers.
Description of the SAP R/3 parameters: at authentication time, SSOWatch can fill the "language" and "client name" fields as defined in the SAP R/3 application model. These parameters should be declared through the Parameters tab of the application object.
Advanced parameters:
- Changing the SAP R/3 user's password: by default, SSOWatch manages the authentication process, and the user cannot change his or her SAP R/3 password at this stage but must use the password change transaction once connected. To avoid the complexity inherent in this procedure, activating this option makes SSOWatch ask the user whether a change of password should be made during connection to SAP R/3; SSOWatch then manages the whole password change process as required.
- Automatic validation of the connection notification: the SAPGUI Scripting technology causes a message to appear, notifying the user that a script is connecting to SAPLogon. By activating this option, and by declaring the notification window title (by default this is saplogon), SSOWatch automatically validates the notification as required. The notification still appears in non-SSOWatch connections, and therefore for other scripts.
Error messages are detected by SSOWatch so that it can react when there is a password de-synchronization problem, when there is a password change, or if the new password is refused by the SAP R/3 system. In addition to the pre-configured error messages, you can declare your own specific messages:
- By content: enter a message and assign a meaning to it. SSOWatch looks for the message in the status bar or error dialog box. In this case, it is the message string that is looked for. This is therefore dependent on the language of the SAP R/3 client.
- By reference: if you also specify the SAP R/3 ABAP reference of the message, SSOWatch looks for the reference of the message, and not its content. Thus, it becomes independent of the client language. In this case, the content of the message field is for information only.
The list of message references can be found using the transaction SE16, table T100.
Authentication steps:
- Connection refused: the SAP R/3 system has refused the connection. The user may be locked, or the server unavailable.
- Invalid password: the user password is incorrect. A new password is requested through SSOWatch Engine's data collection windows.
- New password refused: the user has just changed the password, but the SAP R/3 system does not accept it. A new password is requested through SSOWatch Engine's data collection windows.
The way this window type works is slightly different from the way other window types work, since the SSO events correspond to the display of messages; in addition, all the SSO states are managed in the same window. Once the connection has been set up, SSO is disabled for this window.
Three window types offer the management of terminals:
- Terminal (from Standard plug-in).
- MSTelnet (from Microsoft applications plug-in).
- MSTelnetW2KXP (from Microsoft applications plug-in).
The detection of these window types is the same as for standard Windows. The Actions part covers all standard window types. It is used to manage the opening of a full session (including bad and new passwords management) running in text mode and in a single Windows control field (in general an Edit field). It simulates the user keyboard entries and controls the state of the connection by detecting text banners.
7.1 Terminal
This window type has been created to manage the terminal connections in Edit fields, notably the Windows remote access pre- and post-dialup terminals. Its configuration window is the following:
The Host Control field will contain all the texts used for connection. Using the target icon, click the terminal window; this copies the text across. The behavior vis-à-vis the text banners is defined by clicking the Banners button (described in Section 7.3, Banners). You can also set up the timing between two searches for banners. Once SSO has been performed, or in case of failure, it is possible to click a button to close the window.
7.2 MSTelnet, MSTelnetW2KXP
It is possible to change the performance-tuning parameters:
- The timer between the detection of two banners.
- The timeout canceling the SSO for the window.
7.3 Banners
The banners configuration window is the following:
This window allows you to specify SSO events (the detection of text in a new text line) and the behavior to be associated with them. The possible behaviors are:
EVENT | DESCRIPTION
Login | The text indicates a username request.
Password | The text indicates a password request.
Custom Parameter | An additional parameter is requested.
Connection OK | The text indicates that the connection is completed successfully. It stops the SSO.
Enter new password | The text indicates that a new password is requested.
Confirm new password | The text indicates that the same new password must be confirmed.
Bad password | The text indicates that there is a wrong password in the security database.
Connection refused | The text indicates that the connection failed. It stops the SSO operation.
To add an event:
1. Indicate the text to look for in the Banner field.
2. Select the associated event.
3. Click the Add button.
To edit an event:
1. Select it in the list.
2. Click the Edit button: the event disappears from the list, and its information is displayed in the bottom fields.
3. Edit the information.
4. Click the Add button. The information is then added at the bottom of the list.
To delete an event:
1. Select it in the list.
2. Click the Delete button.
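The banner table above is, in effect, a small state machine driven by the text lines a terminal emits: each new line is compared against the configured banners, the matching event decides what is typed next, and Connection OK or Connection refused ends the SSO. The following Python example is added here to show that loop end to end and is not SSOWatch code; the banner table, the account data and the terminal transcripts are constructed, and the timeout is modelled as a number of polls without any banner (the guide gives the timeout as a tuning parameter but does not specify its unit).

```python
# Event names as in the Banners window; each banner text maps to one of them.
EVENTS = (
    "Login", "Password", "Custom Parameter", "Connection OK",
    "Enter new password", "Confirm new password", "Bad password", "Connection refused",
)


def classify_line(line, banners):
    """Return the event of the first banner found in `line`, or None.

    Longer banner texts are tried first so that a more specific banner such as
    "Retype new password:" wins over a shorter one (an assumption of this example;
    the guide does not say how overlapping banners are resolved)."""
    for text, event in sorted(banners, key=lambda b: -len(b[0])):
        if event not in EVENTS:
            raise ValueError(f"unknown event {event!r}")
        if text in line:
            return event
    return None


def run_terminal_sso(lines, banners, account, timeout_polls=10):
    """Simulate SSO driven by banners on a text terminal.

    `lines` is the sequence of new terminal text lines, one per poll of the banner
    timer; `account` holds the data the security database would supply.
    Returns (sent, state): what was typed into the terminal as (kind, value) pairs,
    and the final state: "connected", "refused", "bad_password", "timeout" or "pending"."""
    sent = []
    idle_polls = 0
    for line in lines:
        event = classify_line(line, banners)
        if event is None:
            idle_polls += 1
            if idle_polls >= timeout_polls:
                return sent, "timeout"          # the timeout cancels the SSO for the window
            continue
        idle_polls = 0
        if event == "Login":
            sent.append(("username", account["username"]))
        elif event == "Password":
            sent.append(("password", account["password"]))
        elif event == "Custom Parameter":
            sent.append(("parameter", account["parameter"]))
        elif event == "Enter new password":
            sent.append(("new_password", account["new_password"]))
        elif event == "Confirm new password":
            sent.append(("confirm_password", account["new_password"]))
        elif event == "Bad password":
            return sent, "bad_password"         # stored password is stale: a collect follows
        elif event == "Connection OK":
            return sent, "connected"            # stops the SSO
        elif event == "Connection refused":
            return sent, "refused"              # stops the SSO operation
    return sent, "pending"


# Constructed banner table and terminal output for a plain telnet-style login.
BANNERS = [
    ("login:", "Login"),
    ("Password:", "Password"),
    ("Welcome", "Connection OK"),
    ("Login incorrect", "Bad password"),
    ("Connection refused", "Connection refused"),
    ("New password:", "Enter new password"),
    ("Retype new password:", "Confirm new password"),
]
ACCOUNT = {"username": "alice", "password": "s3cr3t-example",
           "new_password": "n3w-example", "parameter": "dept-example"}
GOOD_SESSION = ["Trying host.example...", "host login:", "Password:",
                "Checking quota...", "Welcome to host"]
BAD_SESSION = ["host login:", "Password:", "Login incorrect", "host login:"]

if __name__ == "__main__":
    print(run_terminal_sso(GOOD_SESSION, BANNERS, ACCOUNT))
    print(run_terminal_sso(BAD_SESSION, BANNERS, ACCOUNT))
```

Banner texts are matched as plain substrings of each new line, so a banner like "login:" must be chosen carefully: a line such as "Last login: Mon" would also trigger the Login event and re-send the username, which is exactly the kind of false detection the timer and banner wording in the configuration window are there to avoid.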
HLLAPI Definition
The High Level Language Application Program Interface (HLLAPI) is an IBM API that allows a PC application to communicate with a mainframe computer. HLLAPI requires a PC to run 3270 emulation software and then defines an interface between a PC application and the emulation software. This API is also called "screen-scraping" because the approach uses characters that would otherwise be displayed on a terminal screen.
For convenience, in the next sections the term "HLLAPI applications" designates the applications that use HLLAPI.
Quest Enterprise SSO 8.0.3 SSOWatch
VALUE NAME | VALUE TYPE | DEFAULT VALUE | DATA AND DESCRIPTION
HllLibrary | String | PCSHLL32.dll | Name of the .dll file that corresponds to the HLLAPI plug-in.
HllEntryPoint | String | |
HLLAPI-32bit | DWORD | 1 | Specifies that the application using HLLAPI is a 32-bit application. Set 0 if you use a 16-bit application.
Procedure
1. In SSOStudio, create a new Application. The Application object appears under the Applications node.
2. Right-click the Application object and select New Window. The Window Properties window appears.
3. Fill in the General tab with the following guideline: in the Window Type drop-down list, define one of the following screens:
- HLLAPI Login: login screen of the HLLAPI application.
- HLLAPI Bad Password: screen indicating a wrong password/username.
- HLLAPI New Password: screen requesting a new password (this screen can be a specific screen or the login screen) (not available in Access Collector mode).
- HLLAPI Standard: screen that does not need any authentication data (not available in Access Collector mode).
- HLLAPI Confirm Password: new password confirmation screen (not available in Access Collector mode).
- HLLAPI Bad New Password: screen indicating that the new password is not correct (not available in Access Collector mode).
4. Fill in the Detection tab, which is described in Section 8.2.1, The Detection Tab.
5. Fill in the Actions tab, which is described in Section 8.2.2, The Actions Tab.
6. Click OK. The Window object appears under the Application object.
7. To define other HLLAPI window types, restart from Step 2.
Description
The Connection Type area: This area allows you to specify the communication standard used by the application. If the connection type information is not available at the HLLAPI level, SSOWatch Engine does not take this parameter into account. If you do not know the connection type, select or clear all check boxes.
The Strings to Detect area: You must fill in this area to define the strings that SSOWatch must detect to enable SSO. Read the following guidelines carefully:
a) Enter the name of a string to detect.
b) Absence of: select this check box to specify that the string must not appear in the application window.
c) Position area: fill in this area to specify the position of the string to detect in the application window: select Check Position; define the row and column numbers of the string; select Relative Coordinates if you want to specify a position relative to the position of the cursor.
d) Click Add.
Example
In this Detection tabbed panel example, SSOWatch Engine enables SSO if: The Account Name string is located in the application window at the same row as the cursor (relative coordinates) and 14 columns before. The Password string does not appear in the application window.
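The Detection tab rules above (a string present, absent, at an absolute position, or at a position relative to the cursor) and the Actions tab steps described in the next section (send an SSO parameter, send a key, send text) can be modelled directly on a text screen buffer. The following Python example is added here and is not SSOWatch code: it evaluates a rule set against a constructed 24x80 sign-on screen, using the guide's own example (Account Name on the cursor row, 14 columns before the cursor; Password absent), and renders a step list into a single HLLAPI send-key string. The screen contents, the class and function names are constructed; @T is Right Tab per the keys table in Section 8.3, and @E is assumed to be Enter (its description did not survive in this copy).

```python
from dataclasses import dataclass


@dataclass
class DetectString:
    """One row of the Strings to Detect area."""
    text: str
    absent: bool = False          # "Absence of": the string must not appear
    check_position: bool = False  # "Check Position": the string must sit at row/col
    row: int = 0                  # 1-based when absolute, an offset when relative
    col: int = 0
    relative: bool = False        # "Relative Coordinates": row/col are offsets from the cursor


class Screen:
    """A fixed-size text screen as a HLLAPI presentation space exposes it."""

    def __init__(self, lines, cursor, rows=24, cols=80):
        self.rows, self.cols = rows, cols
        padded = [line[:cols].ljust(cols) for line in lines]
        self.lines = padded + [" " * cols] * (rows - len(padded))
        self.cursor = cursor      # (row, col), 1-based

    def contains(self, text):
        return any(text in line for line in self.lines)

    def at(self, row, col, length):
        """Text of `length` characters at a 1-based position, or None if off-screen."""
        if not (1 <= row <= self.rows and 1 <= col <= self.cols):
            return None
        return self.lines[row - 1][col - 1:col - 1 + length]


def string_detected(screen, rule):
    """Apply one DetectString rule to the screen."""
    if not rule.check_position:
        found = screen.contains(rule.text)
    else:
        row, col = rule.row, rule.col
        if rule.relative:                       # offsets from the cursor position
            row += screen.cursor[0]
            col += screen.cursor[1]
        found = screen.at(row, col, len(rule.text)) == rule.text
    return not found if rule.absent else found


def sso_enabled(screen, rules):
    """SSO is enabled only when every rule of the Detection tab holds."""
    return all(string_detected(screen, rule) for rule in rules)


def render_sso_steps(steps, params):
    """Turn Actions tab steps into one HLLAPI send-key string.

    ("param", name) sends an SSO parameter, ("key", mnemonic) sends a key mnemonic
    from the keys table, ("text", s) sends literal text."""
    out = []
    for kind, value in steps:
        if kind == "param":
            out.append(params[value])
        elif kind in ("key", "text"):
            out.append(value)
        else:
            raise ValueError(f"unknown step kind {kind!r}")
    return "".join(out)


# Constructed sign-on screen: the cursor sits in the Account Name input field,
# 14 columns to the right of where "Account Name" starts (column 6 + 14 = 20).
SIGNON = Screen(
    lines=["", "", "          WELCOME TO THE CONSTRUCTED HOST",
           "", "     Account Name: ", "     Passphrase:   "],
    cursor=(5, 20),
)
RULES = [
    DetectString("Account Name", check_position=True, row=0, col=-14, relative=True),
    DetectString("Password", absent=True),
]
STEPS = [("param", "username"), ("key", "@T"), ("param", "password"), ("key", "@E")]

if __name__ == "__main__":
    print("SSO enabled:", sso_enabled(SIGNON, RULES))
    print(render_sso_steps(STEPS, {"username": "alice", "password": "pw-example"}))
```

Relative coordinates are what make the rule robust when the host shifts the sign-on panel by a line or two, which is why the guide's example anchors on the cursor rather than on a fixed row; an absolute rule with the same text would stop matching as soon as the panel moved.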
Description
The SSO Steps area: This area allows you to sort and modify the actions that must be performed by SSOWatch Engine in the terminal emulator window.
The Actions area: This area allows you to define the data that SSOWatch Engine must send to the terminal emulator. Fill it in as follows:
a) Send SSO parameter: select this option if you want to send an SSO parameter, and select the wanted entry in the drop-down list.
b) Send Key: select this option if you want to send a "common" key (such as <enter>), and select the wanted key in the drop-down list.
c) Send Text: select this option either if you want to send a key that does not appear in the Send Key drop-down list, or if you want to specify any text to send, and fill in the activated field. Section 8.3, HLLAPI Applications Keys lists the keys that are compatible with many emulator software applications.
d) Once by instance (appears only with the HLLAPI Standard window type): select this checkbox to specify that SSOWatch Engine must carry out the actions listed in the SSO Steps area only once per session instance. Use this option to send further actions upon the detection of HLLAPI screens other than the HLLAPI screen types listed in the General tab.
The Other button: if the actions listed above do not meet your requirements, you can define extended actions by clicking the Other button. The following window appears:
e)
8.3 HLLAPI Applications Keys
The following table lists the key mnemonics that can be sent with the Send Text option. The three support columns are 3270, 5250 and VT emulation (the header row of this table was lost in this copy).
KEY | DESCRIPTION | 3270 | 5250 | VT
(The rows for @B, @C, @D, @E and @F lost their description and two of their support columns in this copy; the one surviving column reads No for all five.)
@H | Help | No | Yes | No
@I | Insert | Yes | Yes | No
@J | Jump (SetFocus) | Yes | Yes | No
@L | Cursor Left | Yes | Yes | Yes
@N | New Line | Yes | Yes | Yes
@O | Space | Yes | Yes | Yes
@P | Print | Yes | Yes | Yes
@R | Reset | Yes | Yes | No
@T | Right Tab | Yes | Yes | Yes
@U | Cursor Up | Yes | Yes | Yes
@V | Cursor Down | Yes | Yes | Yes
@X* | DBCS (Reserved) | Yes | Yes | No
@Y | Caps Lock (No action) | Yes | Yes | No
@Z | Cursor Right | Yes | Yes | Yes
@0 | Home | Yes | Yes | No
@1 | PF1/F1 | Yes | Yes | No
@2 | PF2/F2 | Yes | Yes | No
@3 | PF3/F3 | Yes | Yes | No
@4 | PF4/F4 | Yes | Yes | No
@5 | PF5/F5 | Yes | Yes | No
@6 | PF6/F6 | Yes | Yes | Yes
@7 | PF7/F7 | Yes | Yes | Yes
@8 | PF8/F8 | Yes | Yes | Yes
@9 | PF9/F9 | Yes | Yes | Yes
@a | PF10/F10 | Yes | Yes | Yes
@b | PF11/F11 | Yes | Yes | Yes
@c | PF12/F12 | Yes | Yes | Yes
@d | PF13 | Yes | Yes | Yes
@e | PF14 | Yes | Yes | Yes
@f | PF15 | Yes | Yes | Yes
@g | PF16 | Yes | Yes | Yes
(The VT column was not recovered for the following rows.)
@h | PF17 | Yes | Yes |
@i | PF18 | Yes | Yes |
@j | PF19 | Yes | Yes |
@k | PF20 | Yes | Yes |
@l | PF21 | Yes | Yes |
@m | PF22 | Yes | Yes |
@n | PF23 | Yes | Yes |
@o | PF24 | Yes | Yes |
@q | End | Yes | Yes |
@s | ScrLk (No action) | Yes | Yes |
@t | Num Lock (No action) | Yes | Yes |
@u | Page Up | No | Yes |
@v | Page Down | No | Yes |
@x | PA1 | Yes | Yes |
@y | PA2 | Yes | Yes |
@z | PA3 | Yes | Yes |
@A@C | Test | No | Yes |
@A@D | Word Delete | Yes | Yes |
@A@E | Field Exit | Yes | Yes |
@A@F | Erase Input | Yes | Yes |
@A@H | System Request | Yes | Yes |
@A@I | Insert Toggle | Yes | Yes |
@A@J | Cursor Select | Yes | Yes |
@A@L | Cursor Left Fast | Yes | Yes |
@A@Q | Attention | Yes | Yes |
@A@R | Device Cancel (Cancels Print Presentation Space) | Yes | Yes |
@A@T | Print Presentation Space | Yes | Yes |
@A@U | Cursor Up Fast | Yes | Yes |
@A@V | Cursor Down Fast | Yes | Yes |
@A@Z | Cursor Right Fast | Yes | Yes |
@A@9 | Reverse Video | Yes | Yes |
@A@b | Underscore | Yes | No |
@A@c | Reset Reverse Video | Yes | No |
@A@d | Red | Yes | No |
@A@e | Pink | Yes | No |
@A@f | Green | Yes | No |
@A@g | Yellow | Yes | No |
@A@h | Blue | Yes | No |
@A@i | Turquoise | Yes | No |
@A@j | White | Yes | No |
@A@l | Reset Host Colors | Yes | No |
@A@t | Print (Personal Computer) | Yes | Yes |
@A@y | Forward Word Tab | Yes | Yes |
@A@z | Backward Word Tab | Yes | Yes |
@A@ | Field | No | Yes |
@A@+ | Field + | No | Yes |
@A@< | Record Backspace | No | Yes |
@S@E | Print Presentation Space on Host | No | Yes |
@S@x | Dup | Yes | Yes |
@S@y | Field Mark | Yes | Yes |
@X@1 | Display SO/SI | Yes | Yes |
@X@5 | Generate SO/SI | No | Yes |
@X@6 | Display Attribute | No | Yes |
@X@7 | Forward Character | No | Yes |
@X@c | Split vertical bar | No | Yes |
@M@0 | VT Numeric Pad 0 | No | No |
@M@1 | VT Numeric Pad 1 | No | No |
@M@2 | VT Numeric Pad 2 | No | No |
@M@3 | VT Numeric Pad 3 | No | No |
@M@4 | VT Numeric Pad 4 | No | No |
@M@5 | VT Numeric Pad 5 | No | No |
(All three columns follow again for the rows below.)
@M@6 | VT Numeric Pad 6 | No | No | Yes
@M@7 | VT Numeric Pad 7 | No | No | Yes
@M@8 | VT Numeric Pad 8 | No | No | Yes
@M@9 | VT Numeric Pad 9 | No | No | Yes
@M@ | VT Numeric Pad | No | No | Yes
@M@, | VT Numeric Pad , | No | No | Yes
@M@. | VT Numeric Pad . | No | No | Yes
@M@e | VT Numeric Pad Enter | No | No | Yes
@M@f | VT Edit Find | No | No | Yes
@M@i | VT Edit Insert | No | No | Yes
@M@r | VT Edit Remove | No | No | Yes
@M@s | VT Edit Select | No | No | Yes
@M@p | VT Edit Previous Screen | No | No | Yes
@M@n | VT Edit Next Screen | No | No | Yes
@M@a | VT PF1 | No | No | Yes
@M@b | VT PF2 | No | No | Yes
@M@c | VT PF3 | No | No | Yes
@M@d | VT PF4 | No | No | Yes
@M@h | VT Hold Screen | No | No | Yes
@M@(space) | Control Code NUL | No | No | Yes
@M@A | Control Code SOH | No | No | Yes
@M@B | Control Code STX | No | No | Yes
@M@C | Control Code ETX | No | No | Yes
@M@D | Control Code EOT | No | No | Yes
@M@E | Control Code ENQ | No | No | Yes
@M@F | Control Code ACK | No | No | Yes
@M@G | Control Code BEL | No | No | Yes
@M@H | Control Code BS | No | No | Yes
@M@I | Control Code HT | No | No | Yes
@M@J | Control Code LF | No | No | Yes
@M@K | Control Code VT | No | No | Yes
@M@L | Control Code FF | No | No | Yes
@M@M | Control Code CR | No | No | Yes
@M@N | Control Code SO | No | No | Yes
@M@O | Control Code SI | No | No | Yes
@M@P | Control Code DLE | No | No | Yes
@M@Q | Control Code DC1 | No | No | Yes
@M@R | Control Code DC2 | No | No | Yes
@M@S | Control Code DC3 | No | No | Yes
@M@T | Control Code DC4 | No | No | Yes
@M@U | Control Code NAK | No | No | Yes
@M@V | Control Code SYN | No | No | Yes
@M@W | Control Code ETB | No | No | Yes
@M@X | Control Code CAN | No | No | Yes
@M@Y | Control Code EM | No | No | Yes
@M@Z | Control Code SUB | No | No | Yes
@M@u | Control Code ESC | No | No | Yes
@M@v | Control Code FS | No | No | Yes
@M@w | Control Code GS | No | No | Yes
@M@x | Control Code RS | No | No | Yes
@M@y | Control Code US | No | No | Yes
@M@z | Control Code DEL | No | No | Yes
@Q@A | VT User Defined Key 6 | No | No | Yes
@Q@B | VT User Defined Key 7 | No | No | Yes
@Q@C | VT User Defined Key 8 | No | No | Yes
@Q@D | VT User Defined Key 9 | No | No | Yes
@Q@E | VT User Defined Key 10 | No | No | Yes
@Q@F | VT User Defined Key 11 | No | No | Yes
@Q@G | VT User Defined Key 12 | No | No | Yes
@Q@H | VT User Defined Key 13 | No | No | Yes
@Q@I | VT User Defined Key 14 | No | No | Yes
@Q@J | VT User Defined Key 15 | No | No | Yes
(The key mnemonics and two of the support columns were not recovered for the last rows; the one surviving column reads Yes for each.)
| VT User Defined Key 16 | | | Yes
| VT User Defined Key 17 | | | Yes
| VT User Defined Key 18 | | | Yes
| VT User Defined Key 19 | | | Yes
| VT User Defined Key 20 | | | Yes
| VT Backtab | | | Yes
| VT Clear Page | | | Yes
| VT Edit | | | Yes
| @ | | | Yes
| Alternate Cursor (The Presentation Manager Interface only) | | | Yes
| Backspace | | | Yes
132
9. Advanced Configuration
The window types provided with SSOWatch allow you to enable SSO or account collection (in Access Collector mode) in a wide range of applications. Some applications, however, cannot be managed with these standard types. For them, SSOWatch proposes two solutions:
Custom Scripts, which let you define precisely the actions to be performed in a window or in an HTML page; a Custom Script can even call a function from an external DLL.
The OLE/Automation interface, which gives an application the benefit of SSOWatch's security data access management: with this approach the detection methods and the actions are entirely redefined by the application, while the same account-management, collection and secure-storage mechanisms are kept.
Custom Script windows use the same detection mechanisms as the corresponding standard window types in the Standard plug-in, and the detection property page is the same. (You can select the combo box by passing the cursor over the text area or by clicking the button that displays all the available choices.) The difference is the Actions tab of the Window Properties window, which lets you build a logically ordered list of specific actions. The main behavior of the window (Login, Bad Password, New Password or New Password Confirmation) is deduced automatically from the configured actions, except for Bad Password, which must be specified manually.
This logic allows you to manage simple actions of the If-Then-Else type.
The context data is maintained in a data buffer that is initialized before each script execution as follows:
The current state is set to True.
The window handle is initialized with the handle of the currently processed window.
The memory buffer is empty.
The identifier, password and service name are initialized with their current values. If the window is a Bad Password window, the user is asked for the correct password during this step.
The pointer to custom user data is set to NULL.
The list of actions to be performed is displayed in a read only state, and a check box allows you to specify whether or not this window manages bad passwords. To build or edit a script, you must use the Script Editor.
The Script Editor window is made up of four parts:
A toolbar.
An actions list.
A dynamic panel allowing you to edit the parameters of the selected action.
The OK and Cancel buttons.
The actions list has three columns:
The actions.
The execution condition (or state).
The action parameters.
Toolbar icons:
Create a new action, placed after the first selected action.
Delete one or several actions.
Move up one (or several) actions.
Move down one (or several) actions.
Modify the execution condition to Always execute.
Modify the execution condition to Execute if True.
Modify the execution condition to Execute if False.
Available actions (Custom Script / Custom Script HTML):
Send Key/String / Send String to Form Field
Send SSO parameter / Send SSO Parameter to a field
Send Command Message / Not available
Send a JavaScript / Send a JavaScript
Get Control Text / Get Field Text
Get SSO parameter / Get SSO parameter
Click Button / Send an HTML event
Select Item in list / Select Item in an HTML List
Call External Function / Call External Function
Sleep / Sleep
Compare / Compare
Return / Return
Special Event / Special Event
Create a Label / Create a Label
Jump to Label (Goto) / Jump to Label (Goto)
Display a message box / Display a message box
Input box / Input box
The rest of this subsection describes the different actions. Each action description is introduced by a table summarizing its main characteristics: the action's name and icon, the properties associated with the action, and whether or not the action modifies the buffer and/or the state.
Send Key/String (Custom Script only)
This action sends characters (keyboard keys or strings) to a target window (the primary, active window) or to a target control field or button in that window. In the Target area it is strongly recommended to select Send to the Control (use the target icon button to select the control field). If that is not possible, that is, if the window has no control fields or buttons, Send to the Window is preferable to Focused Window. Then, if necessary, change the sending method (the Automatic method is recommended; if it does not work, try another method suited to your application). In the Send Key/String area, define the characters to send to the target:
Select Key to send keyboard keys such as Enter, Tab, SHIFT+Tab, Space or Escape. To add a modifier, select None, Shift, Alt or Control from the Additional key dropdown list.
Select String and fill in the field to send a specific string.
Select Buffer to send the content of the memory buffer.
Send String to Form Field (Custom Script HTML only)
This action sends a string to a target form field in an HTML page. In the Target area, use the HTML target button to fill in the field (the HTML page containing the target form field must be displayed). In the Send Key/String area, define the string to send to the target form field:
Select Buffer content to send the content of the memory buffer.
Select String and fill in the field to send a specific string.
Send SSO Parameter (Custom Script) or Send SSO Parameter to a field (Custom Script HTML)
This action sends an SSO parameter of a user account to a target window (the primary, active window) or to a target control field or button in that window. For details on the Target area, see the Send Key/String action above. In the Parameter to Send area, define the SSO parameter to send:
Identifier: the user identifier for the current application.
Password: the password associated with the user identifier.
New Password: a new password. In this case the window is considered to be a NewPassword window type.
Confirm Password: the confirmation of the new password. In this case the window is considered to be a ConfirmPassword window type.
Custom Parameter: to activate this option, you must define a parameter at the Application level (for details, see Section 3.6.2.5, "Parameters" Tab).
Do not prompt for user account: this option is relevant when the user has several accounts for the application.
The transmitted SSO parameter is also copied to the memory buffer.
Send Command Message (Custom Script only)
Read carefully the instructions written in the Send command message area.
Send a JavaScript (Custom Script and Custom Script HTML)
This action sends a JavaScript, provided the address bar is displayed, in Firefox and Internet Explorer.
Send an HTML event (Custom Script HTML only)
This action sends an event (navigation, button click, item to be checked, or execution of a JavaScript) to the active HTML browser. It is particularly useful when you want to execute JavaScript code.
Get Control Text (Custom Script) or Get Field Text (Custom Script HTML)
This action reads the text contained in a targeted control field. The retrieved text is also copied to the memory buffer.
Get SSO Parameter (Custom Script and Custom Script HTML)
This action retrieves the value of an SSO parameter of a user account (identifier, password) and copies it to the memory buffer. For a description of the options, see the Send SSO Parameter action above.
Click Button (Custom Script only)
This action simulates a mouse click on a targeted button or check box, or on any specific field in the window. If you have targeted a check box, do not forget to select Change the button state and then click either Check or Uncheck as required. Select the Perform double click check box if a double click is needed to select the value of a field.
Select Item in List (Custom Script) or Select Item in an HTML List (Custom Script HTML)
Depending on the selected Selection Mode (By Item Number, By Parameter or By Item Label), the interface of this window differs slightly.
This action selects an element from a list. The list must be targeted with the target icon. The supported list types are ListBox, ComboBox and ComboBoxEx32. The selection can be performed by:
Item Number: the position of the element to select, 0 being the first.
Parameter: a parameter defined at the Application level (for details, see Section 3.6.2.5, "Parameters" Tab).
Item Label: a text string to look for in the list.
Call External Function (Custom Script and Custom Script HTML)
This action calls a function in an external DLL. Click the Search button to choose the DLL, then enter the function name in the Function field. If the function is found in the DLL, the indicator turns green; otherwise it remains red. When SSO is performed, the DLL is first looked for in the PATH of the connected user's environment; if it is not found there, it is looked for in the directory that was used during configuration. Because the user's PATH is searched first, no directory on that PATH should be writable by the user: a DLL of the same name placed there would be loaded instead and would receive the identifier and password passed in the script data structure. For details on how to write external functions, see Section 9.2, Extension DLL.
Sleep (Custom Script and Custom Script HTML)
This action suspends the SSOWatch Engine for the specified time (in milliseconds). Two buttons (500 ms and 1000 ms) let you quickly set the most common wait times.
Compare (Custom Script and Custom Script HTML)
This action compares the content of the memory buffer with a given character string. The comparison is case sensitive. The state is then set according to the result: True if the string is found, False otherwise.
Return (Custom Script and Custom Script HTML)
You must use a Return action to stop the script. It returns one of the following statuses:
OK: no problem.
SSO Done: the identifier and/or password or parameters have been sent successfully to the application. This stop code should be used in every custom script that uses the Send SSO Parameter action (identifier, password).
Disable the Window: SSOWatch ignores the window.
Disable the Application: SSOWatch ignores the application.
Special Event (Custom Script and Custom Script HTML)
This action triggers one of the events listed in the Special Event area. The Resynchronize user password event displays the SSOWatch Change Password window, which also allows the user's login to be changed.
Create a Label (Custom Script and Custom Script HTML)
This action creates a label in the custom script, to manage conditional operations. It is required if you want to use the Jump to Label (Goto) action.
Jump to Label (Goto) (Custom Script and Custom Script HTML)
This action is only available once a Create a Label action has been defined. It defines a jump in the custom script. It is strongly recommended to use it together with an execution condition (True/False), to avoid infinite loops.
Display a message box (Custom Script and Custom Script HTML)
This action displays a message box to ask the user a question. Use the available options to define the content of the message box. If the user clicks No or Cancel, the state is set to False. Click the Buffer content radio button to show the user the content of the buffer; because the buffer may hold the login or the password sent by a previous action, reserve this option for adjusting a script. You can use this action to check that a window is detected, or that the return code of an external function is OK, while adjusting a Custom Script.
Input box (Custom Script and Custom Script HTML)
This action defines an input box. Select Allow value selection from list or combobox to display a list of items the user can select from, rather than a standard input field where he can enter any text.
m_nVersion;                                  // R
m_bState;                                    // RW
m_hWnd;                                      // R
m_szBuffer[SSOWATCHSSODATA_BUFFERLEN+1];     // RW
m_szIdentifier[SSOWATCHSSODATA_IDLEN+1];     // R
m_szPassword[SSOWATCHSSODATA_PWDLEN+1];      // R
m_szParam[SSOWATCHSSODATA_PARAMLEN+1];       // R
LPCTSTR m_szCredential;                      // R
*m_UserData;                                 // RW
*m_pInternal;                                // --
*m_pInternalCred;                            // --
*m_pInternalInstance;                        // --
The version number (m_nVersion) indicates the version of this structure. It can change between versions of SSOWatch and must be compared with SSOWATCHSSODATA_VERSION before any other field is used.
The state (m_bState) indicates the state of the last action (TRUE or FALSE) and can be modified to change the execution of the following actions.
m_hWnd contains the handle of the currently processed window. It should not be modified. It can be used to call Win32 functions that need a window handle as a parameter.
m_szBuffer is the memory buffer. It can be modified if required.
m_szCredential, m_szIdentifier and m_szPassword respectively contain the name of the service associated with the application being processed, and the identifier and password of the user for this service. m_szParam contains the last SSO parameter retrieved with the Get SSO Parameter action. None of these fields should be modified. m_szCredential contains a string in the form: Account=""
m_UserData is a pointer to custom user data. It is not used by SSOWatch itself (only by external functions) and remains valid during the entire execution of the same script.
The members m_pInternal, m_pInternalCred and m_pInternalInstance should not be modified. They are reserved for internal use by SSOWatch.
The external function returns one of the following codes:
The function ended with no error.
The function ended with no error and SSO has been done.
An error occurred during password management.
The user is not registered for the application.
An error occurred during the retrieval of an SSO parameter.
This window should not have been processed in this context (for example, a bad password window found before the logon window).
SSORET_SSOALREADYDONE: SSO has already been executed for this window.
The application is waiting for a confirmation of the password update.
The password has been changed.
An error occurred during access to the security database.
An error occurred while the current window was being processed; the window will be disabled.
SSORET_APPLICATIONERROR: an error occurred while the current application was being processed; the entire application will be disabled.
SSORET_USERCANCELLED_INSTANCE: the user has disabled SSO for this application instance.
SSORET_USERCANCELLED_APPLICATION: the user has disabled SSO for this application.
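The following is an added example and not SSOWatch's own code. It mirrors the data-structure contract described above so that a function for the Call External Function action can be written and unit-tested away from the workstation, and it shows the two things a practitioner wants from such a function: a version check before any field is touched, and state/buffer handling that the script's Execute if True/False conditions and Compare action can build on. Everything marked ASSUMED is not on this page: the Win32 types get portable stand-ins, and the buffer lengths, the version value, the export macro and the numeric values behind the SSORET_* names (only the names are documented) must be taken from the SSOWatch SDK header before the real DLL is built. The sample window text is constructed.

```c
/* Added example, not SSOWatch code: model of the SSOWATCHSSODATA contract. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SSOWATCHSSODATA_VERSION   1    /* ASSUMED value */
#define SSOWATCHSSODATA_BUFFERLEN 255  /* ASSUMED */
#define SSOWATCHSSODATA_IDLEN     63   /* ASSUMED */
#define SSOWATCHSSODATA_PWDLEN    63   /* ASSUMED */
#define SSOWATCHSSODATA_PARAMLEN  255  /* ASSUMED */

typedef int          BOOL;     /* portable stand-ins for the Win32 types */
typedef void        *HWND;
typedef char         TCHAR;
typedef const TCHAR *LPCTSTR;

typedef struct {                                          /* access */
    int     m_nVersion;                                   /* R  */
    BOOL    m_bState;                                     /* RW */
    HWND    m_hWnd;                                       /* R  */
    TCHAR   m_szBuffer[SSOWATCHSSODATA_BUFFERLEN + 1];    /* RW */
    TCHAR   m_szIdentifier[SSOWATCHSSODATA_IDLEN + 1];    /* R  */
    TCHAR   m_szPassword[SSOWATCHSSODATA_PWDLEN + 1];     /* R  never copied or logged */
    TCHAR   m_szParam[SSOWATCHSSODATA_PARAMLEN + 1];      /* R  */
    LPCTSTR m_szCredential;                               /* R  */
    void   *m_UserData;                                   /* RW */
    void   *m_pInternal, *m_pInternalCred, *m_pInternalInstance; /* -- reserved */
} SSOWATCHSSODATA;

/* Documented names, ASSUMED numbers (position in the list above, from 0).
 * The "ended with no error" code is not named on the page: placeholder name. */
enum {
    SSORET_OK_ASSUMED_NAME           = 0,
    SSORET_SSOALREADYDONE            = 6,
    SSORET_APPLICATIONERROR          = 11,
    SSORET_USERCANCELLED_INSTANCE    = 12,
    SSORET_USERCANCELLED_APPLICATION = 13
};

#ifdef _WIN32
#define SSOWATCH_API __declspec(dllexport)  /* ASSUMED: check the SDK for the calling convention */
#else
#define SSOWATCH_API
#endif

/* Length of a TCHAR array that may have lost its terminator: never run past it. */
static size_t bounded_len(const TCHAR *s, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n] != '\0') n++;
    return n;
}

/* The layout differs between SSOWatch releases: check the version first. */
static int version_ok(const SSOWATCHSSODATA *d)
{
    return d != NULL && d->m_nVersion == SSOWATCHSSODATA_VERSION;
}

/* Entry point 1. Script: Get Control Text (user-name field) -> Call External Function
 * -> Return "SSO Done" (Execute if True) / Send SSO Parameter actions (Execute if False).
 * State becomes TRUE when the field already shows this user's identifier. */
SSOWATCH_API int LoginFieldAlreadyFilled(SSOWATCHSSODATA *d)
{
    if (!version_ok(d)) return SSORET_APPLICATIONERROR;
    size_t n = bounded_len(d->m_szBuffer, SSOWATCHSSODATA_BUFFERLEN);
    while (n > 0 && isspace((unsigned char)d->m_szBuffer[n - 1])) n--;  /* window text often ends in CR/LF */
    size_t idlen = bounded_len(d->m_szIdentifier, SSOWATCHSSODATA_IDLEN);
    d->m_bState = (n == idlen && memcmp(d->m_szBuffer, d->m_szIdentifier, n) == 0);
    return SSORET_OK_ASSUMED_NAME;
}

/* Entry point 2. Compare is exact and case sensitive, so normalising the RW buffer
 * (trim, upper-case) before the Compare action makes one script match "Invalid
 * Password" and "INVALID PASSWORD" alike. State is FALSE for an empty control. */
SSOWATCH_API int UppercaseTrimBuffer(SSOWATCHSSODATA *d)
{
    if (!version_ok(d)) return SSORET_APPLICATIONERROR;
    size_t len = bounded_len(d->m_szBuffer, SSOWATCHSSODATA_BUFFERLEN), start = 0, out = 0;
    while (start < len && isspace((unsigned char)d->m_szBuffer[start])) start++;
    while (len > start && isspace((unsigned char)d->m_szBuffer[len - 1])) len--;
    for (size_t i = start; i < len; i++)
        d->m_szBuffer[out++] = (TCHAR)toupper((unsigned char)d->m_szBuffer[i]);
    d->m_szBuffer[out] = '\0';
    d->m_bState = out > 0;
    return SSORET_OK_ASSUMED_NAME;
}

/* Builds the structure as the engine does before a script runs (state TRUE,
 * identifier set) with constructed sample window text in the buffer. */
void make_sample_data(SSOWATCHSSODATA *d, const char *identifier, const char *control_text)
{
    memset(d, 0, sizeof *d);
    d->m_nVersion = SSOWATCHSSODATA_VERSION;
    d->m_bState = 1;
    strncpy(d->m_szIdentifier, identifier, SSOWATCHSSODATA_IDLEN);
    strncpy(d->m_szBuffer, control_text, SSOWATCHSSODATA_BUFFERLEN);
}

int main(void)
{
    SSOWATCHSSODATA d;
    make_sample_data(&d, "jdoe", "jdoe\r\n");               /* constructed sample */
    LoginFieldAlreadyFilled(&d);
    printf("login field already filled: %s\n", d.m_bState ? "True" : "False");
    make_sample_data(&d, "jdoe", "  Invalid Password \n");  /* constructed sample */
    UppercaseTrimBuffer(&d);
    printf("normalised buffer: \"%s\"\n", d.m_szBuffer);
    return 0;
}
```

Neither entry point reads m_szPassword: an external function has no reason to copy it, and the Display a message box action with Buffer content is the only supported way to inspect what the buffer holds while adjusting a script.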
10.2.1 GetApplication2
Description
The function returns an interface pointer to ISSOApplication, unless the application is not found in the SSOWatch configuration, the challenge does not match, or the application is not configured to allow OLE/Automation access to its security information. When more than one account is associated with an application, SSOWatch asks the user which account to use during this session. This choice is kept until the interface pointer to ISSOApplication is released; the only way to change account is to call GetApplication2 again.
Prototypes
C/C++:
HRESULT GetApplication2(/*[in]*/ BSTR strAppName, /*[in]*/ BSTR strChallenge, /*[in]*/ LONG hWnd,
Visual Basic:
GetApplication2(strAppName As String, strChallenge As String, hWnd As Long) As Object
Parameters
strAppName is the name of the application as defined in the active configuration of SSOWatch (for security purposes, this string is case sensitive).
strChallenge is the password used to protect the OLE link. It must match the password defined in the application's settings in the SSOWatch configuration.
hWnd is the window handle of the application where the OLE/Automation script runs. This handle allows input to the application window to be blocked while SSOWatch asks for security information, so that SSOWatch windows do not appear behind the application window. If this information is not available, or you do not know how to get it, provide the value 0.
10.2.2 GetSSOEngineState
Description
This function returns a value corresponding to the state of the SSOWatch engine.
Prototypes
C/C++:
HRESULT GetSSOEngineState(/*[out]*/ LONG *plSSOEngineState)
Visual Basic:
Parameters
No parameters.
Return Value
Returns the state of the SSOWatch engine, as described in the following table:
RETURN VALUE  ENGINE STATE
0
2
4
Properties of the application object: LoginId, Password.
10.3.1 Properties
10.3.1.1 The LoginId Property
Description
Read-only property that returns the account name associated with the application.
Prototypes
C/C++:
HRESULT get_LoginId([in] LONG hWnd, [out] BSTR *pVal)
Visual Basic:
Parameters
hWnd is the window handle of the application where the OLE/Automation script runs. This handle allows input to the application window to be blocked while SSOWatch asks for security information, so that SSOWatch windows do not appear behind the application window. If this information is not available, or you do not know how to get it, provide the value 0.
Return Value
Name of the account associated with the application.
10.3.1.2 The Password Property
Visual Basic:
Parameters
hWnd is the window handle of the application where the OLE/Automation script runs. This handle allows input to the application window to be blocked while SSOWatch asks for security information, so that SSOWatch windows do not appear behind the application window. If this information is not available, or you do not know how to get it, provide the value 0.
Return Value
Password of the application.
10.3.2 Methods
10.3.2.1 The GetSSOParameter Method
Description
Method that returns the SSO parameter whose name is given in strParameterName. strParameterDesc is a user-friendly description, shown if SSOWatch needs to prompt the user for the parameter value.
Prototypes
C/C++:
HRESULT GetSSOParameter(/*[in]*/ LONG hWnd, /*[in]*/ BSTR strParameterName, /*[in]*/ BSTR strParameterDesc,
Visual Basic:
app.GetSSOParameter(hWnd As Long, strParameterName As String, strParameterDesc As String) As String
Parameters
hWnd is the window handle of the application where the OLE/Automation script runs. This handle allows input to the application window to be blocked while SSOWatch asks for security information, so that SSOWatch windows do not appear behind the application window. If this information is not available, or you do not know how to get it, provide the value 0.
Return Value
Returns the SSO parameter.
Visual Basic:
Parameter
hWnd is the window handle of the application where the OLE/Automation script runs. This handle allows input to the application window to be blocked while SSOWatch asks for security information, so that SSOWatch windows do not appear behind the application window. If this information is not available, or you do not know how to get it, provide the value 0.
Return Value
Returns the password as a string.
Prototypes
C/C++:
HRESULT GetNewPassword(/*[in]*/ LONG hWnd, /*[out]*/ BSTR *pstrPassword)
Visual Basic:
Parameter
hWnd is the window handle of the application where the OLE/Automation script runs. This handle allows input to the application window to be blocked while SSOWatch asks for security information, so that SSOWatch windows do not appear behind the application window. If this information is not available, or you do not know how to get it, provide the value 0.
Return Value
Returns a new password for the running application.
Example
NewPassword$ = oApp.GetNewPassword(0)   ' Asks for a new password.
oApp.Password(0) = NewPassword$
Visual Basic:
Parameter
hWnd is the window handle of the application where the OLE/Automation script runs. This handle allows input to the application window to be blocked while SSOWatch asks for security information, so that SSOWatch windows do not appear behind the application window. If this information is not available, or you do not know how to get it, provide the value 0.
Return Value
Returns True if the password has expired.
Returns an interface pointer to ISSOEngine that allows you to call the GetApplication2 method:
Set oApp = oSSO.GetApplication2(AppName, password, 0)
When you have finished, you must release the objects (otherwise SSOWatch cannot be stopped safely):
Set oApp = Nothing
Set oSSO = Nothing
CODE  VALUE  DESCRIPTION
SSOAPI_OK  0  OK.
SSOAPI_INVALID_SERVICE  1  Account or Service empty.
SSOAPI_ACCESS_DENIED  2  No Account exists.
SSOAPI_SUBAPI_ERROR  3  Generic error from the User Provisioning underlying API.
SSOAPI_INVALID_SERVICE_TYPE  4  Invalid Service Type (User Provisioning only).
SSOAPI_UNKNOWN_ERROR  5  Unknown error.
SSOAPI_MEMORY_FAILED  6  Out of memory.
SSOAPI_INVALID_PASSWD  7  Invalid password (this return code is managed by the OLE/Automation API).
SSOAPI_UNKNOWN_PARAMETER  8  Unknown parameter.
SSOAPI_INVALID_PARAM_NAME  9  Invalid parameter name.
SSOAPI_INVALID_FLAG  10  Internal.
SSOAPI_SERVICE_NOT_FOUND  11  Service not found for the system type provided. Similar to ACCESS_DENIED.
12  Error while accessing the security server.
13  The password change is not taken into account yet.
14  No more applications in the application list.
15  Not ready (for example: smartcard removed).
16  Unknown application.
17  Application instance disabled by the user.
18  Application disabled by the user.
19  The application is already disabled.
Application data
The cache holds the following application data:
Applications
Technical definitions
Application parameters
Application profiles
Password format control policies
Password change policies
Time-slices (only in Console mode).
Location
The cache is located in the directory given by the following registry value: HKLM\Software\Enatel\WiseGuard\Framework\Cache\CacheDir.
Offline Work
When the servers are unavailable, queries are served from the cache. Queries that modify the cache are recorded so that they can be replayed when a server becomes available again.
Online Work
The cache is also used to reduce the number of queries between the SSOWatch Engine and the LDAP directory servers. So even when the LDAP directory servers are available, the cache is used and works as a buffer: when the SSOWatch Engine starts or is reset, the cache is synchronized with the server data.
To force the synchronization, restart the SSOWatch Engine. You can disable the synchronization of the User Account data by setting a non-zero value in HKLM\Software\Enatel\WiseGuard\Framework\Authentication\CacheSynchroWithAuth.
Once stored in the cache, the data is considered valid for a configurable period of time, during which no query is sent to the server (for details, see Section A.2, Cache and Update Timing Parameters). If the data is not found in the cache, or needs to be refreshed, the server is queried. All modifications to the data (creation, change, deletion) are immediately written to the server (if possible) and to the cache.
Tuning Parameters
The registry values detailed in Section A.2, Cache and Update Timing Parameters, allow you to:
Activate asynchronous update.
Set a random latency period before the first update, to avoid an overload during deployment.
Set time-slices during which workstations are allowed to perform the asynchronous update.
Mechanism
When the workstation starts up, it checks whether the application data in the cache is up to date: the asynchronous update may have been missed if the workstation was switched off for too long, or during every defined time-slice. If the data is not up to date and time-slices are defined:
If the current time is within a time-slice, the update is performed.
If the current time is not within a time-slice, the update is performed during the next time-slice, at a random time chosen within it.
At the time of the asynchronous update, the directory may be unavailable. In that case the update is retried later, when the directory is available and, if time-slices are defined, within a time-slice.
VALUE  DEFAULT  DESCRIPTION
[value name missing]  30  Time in seconds between two LDAP directory connection checks.
[value name missing]  10  Duration of cache data validity, in seconds. The data linked to the User Profile is refreshed when the cache data validity expires.
CacheDir  Cache directory.
AccessPointCache (E-SSO Console mode only)  1  Cache availability on Access Points: 0 Off, 1 On.
UserCache (E-SSO Console mode only)  1  User cache availability: 0 Off, 1 On.
ApplicationDataUpdatePeriod  1  Period (in days) between two updates of the application data on the workstation (asynchronous update). Only applies to applications of the workstation's domain.
ApplicationDataUpdateLatency  0  If activated, the workstation chooses a random latency period before updating its application data, between zero and the update period (and within the chosen time-slice, if defined). 0: off; non-zero: on. When many workstations are installed at the same time (and within the time-slice, if defined), they would all download the application data at once; this value spreads the updates out and avoids an overload during deployment.
ApplicationDataUpdateBeginTime  Starting time (in minutes after midnight) of the time-slice during which the update of the application data on the workstation is allowed. Must be less than or equal to 1440. Example: 1260 (9 pm).
ApplicationDataUpdateEndTime  Ending time (in minutes after midnight) of the time-slice during which the update of the application data on the workstation is allowed. Must be less than or equal to 1440. Example: 300 (5 am).
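The following is an added example and not SSOWatch code: it works out the minute-of-day arithmetic that the mechanism and the parameters above imply, so that candidate values for ApplicationDataUpdateBeginTime, ApplicationDataUpdateEndTime, ApplicationDataUpdatePeriod and ApplicationDataUpdateLatency can be sanity-checked before they go into the registry, including a slice that crosses midnight as in the page's 1260/300 example. Two things are ASSUMED because the page does not state them: equal begin and end times mean that no time-slice is configured, and the random draws are passed in as values in [0,1) so that the result is reproducible.

```c
/* Added example, not SSOWatch code: time-slice and latency arithmetic for the
 * asynchronous application-data update. Times are minutes after midnight. */
#include <stdio.h>

#define MINUTES_PER_DAY 1440

static int minute_of_day(int t)
{
    return ((t % MINUTES_PER_DAY) + MINUTES_PER_DAY) % MINUTES_PER_DAY;
}

/* Both registry values must be in 0..1440 ("less than or equal to 1440"). */
int slice_is_valid(int begin, int end)
{
    return begin >= 0 && begin <= MINUTES_PER_DAY && end >= 0 && end <= MINUTES_PER_DAY;
}

/* 1 when `now` lies in the slice [begin, end). end < begin is a slice that
 * crosses midnight, like the page's 21:00..05:00 example. */
int in_time_slice(int now, int begin, int end)
{
    now = minute_of_day(now);
    begin = minute_of_day(begin);
    end = minute_of_day(end);                    /* 1440 is the same minute as 0 */
    if (begin == end) return 1;                  /* ASSUMED: no slice configured */
    if (begin < end) return now >= begin && now < end;
    return now >= begin || now < end;
}

/* Minutes from `now` until the update may run: 0 inside the slice, otherwise the
 * distance to a random minute of the next slice (`pick` in [0,1)). */
int minutes_until_slice(int now, int begin, int end, double pick)
{
    now = minute_of_day(now);
    if (in_time_slice(now, begin, end)) return 0;
    int length = minute_of_day(end - begin);     /* slice length, wrap-aware */
    int target = minute_of_day(begin + (int)(pick * length));
    return minute_of_day(target - now);
}

/* First update after installation: with UpdateLatency on, wait a random share
 * (`pick_latency`) of UpdatePeriod (days) first, then fall into the slice. */
int minutes_until_first_update(int now, int period_days, int latency_on,
                               int begin, int end, double pick_latency, double pick_slice)
{
    int latency = latency_on ? (int)(pick_latency * period_days * MINUTES_PER_DAY) : 0;
    return latency + minutes_until_slice(now + latency, begin, end, pick_slice);
}

int main(void)
{
    int begin = 1260, end = 300;                 /* the page's example slice: 9 pm to 5 am */
    printf("valid slice: %d\n", slice_is_valid(begin, end));
    printf("10:00 in slice: %d, 23:00 in slice: %d\n",
           in_time_slice(600, begin, end), in_time_slice(1380, begin, end));
    printf("wait from 10:00 (pick 0.5): %d min\n", minutes_until_slice(600, begin, end, 0.5));
    printf("first update from 10:00, period 1 day, latency on (pick 0.25): %d min\n",
           minutes_until_first_update(600, 1, 1, begin, end, 0.25, 0.0));
    return 0;
}
```

Run against a planned deployment, the last function makes the effect of ApplicationDataUpdateLatency visible: with it off, every workstation installed at 10:00 lands on the same first minute of the 21:00 slice; with it on, the first updates are spread across the whole period and the slice.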
Read this note if you use Group Policies (see the Enterprise SSO Advanced Installation and Configuration Guide): the PerformanceCacheDelay value is overwritten by the Group Policy "WGSS. Network cache: PerformanceCacheDelay". If you change the Group Policy, the information is propagated by Microsoft and the delay depends on the servers' topology (replication time between servers).
Access Collector Mode Parameters
The following registry values configure the asynchronous directory update of collected accounts, for SSOWatch used in Access Collector mode:
HKLM\Software\Enatel\WiseGuard\Framework\Cache\SelfRegistrationUpdatePeriod
Period (in minutes) between two asynchronous updates of the collected SSO accounts from the workstation cache into the directory. If this value is 0 or not defined, the update is done automatically each time an account is collected.
HKLM\Software\Enatel\WiseGuard\Framework\Authentication\CacheSynchroWithAuth
In a roaming context (shared workstations, Citrix systems), this option forces a synchronous update of the cache at logon:
0: deactivated.
non-zero: activated.
Web site
Please refer to our Web site for regional and international office information.
View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at: http://support.quest.com.