Getting Started with SSOWatch
Copyright 1998-2009 Quest Software and/or its Licensors ALL RIGHTS RESERVED.
This publication contains proprietary information protected by copyright. The software described in this publication is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical or otherwise without the prior written permission of the publisher.
DISCLAIMER
The information in this publication is provided in connection with Quest branded products from Evidian. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this publication. EXCEPT AS OTHERWISE SPECIFIED IN THE END USER LICENSE AGREEMENT FOR THIS PRODUCT, EVIDIAN AND QUEST ASSUME NO LIABILITY WHATSOEVER AND DISCLAIM ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO THIS PRODUCT, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL EVIDIAN OR QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS PUBLICATION, EVEN IF EVIDIAN OR QUEST HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Evidian and Quest make no representations or warranties with respect to the accuracy or completeness of the contents of this publication and reserve the right to make changes to specifications and product descriptions at any time without notice. Evidian and Quest do not make any commitment to update the information contained in this publication. The information and specifications in this publication are subject to change without notice.
Trademarks
Quest, Quest Software, the Quest Software logo, Aelita, AppAssure, Benchmark Factory, Big Brother, DataFactory, DeployDirector, ERDisk, Foglight, Funnel Web, I/Watch, Imceda, InLook, IntelliProfile, InTrust, IT Dad, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, NBSpool, NetBase, Npulse, PerformaSure, PL/Vision, Quest Central, RAPS, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL LiteSpeed, SQL Navigator, SQL Watch, SQLab, Stat, Stat!, StealthCollect, Tag and Follow, Toad, T.O.A.D., Toad World, Vintela, Virtual DBA, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc. in the United States of America and other countries. The terms Evidian, AccessMaster, SafeKit, OpenMaster, SSOWatch, WiseGuard, Enatel and CertiPass are trademarks registered by Evidian. All other trademarks mentioned in this document are the property of their respective owners.
World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656. Website: www.quest.com. Please refer to our website for regional and international office information.
Quest Enterprise SSO. Updated January 2010. Software version 8.0.3
CONTENTS
About This Guide
    Access Management
    Conventions
Conventions
In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references.
ELEMENT: CONVENTION
Select: This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.
Bolded text: Interface elements that appear in Quest products, such as menus and commands.
Italic text: Used for comments.
Bold Italic text: Introduces a series of procedures.
Blue text: Indicates a cross-reference. When viewed in Adobe Acrobat, this format can be used as a hyperlink.
Note icon: Used to highlight additional information pertinent to the process being described.
Best Practice icon: Used to provide Best Practice information. A best practice details the recommended course of action for the best result.
Caution icon: Used to highlight processes that should be performed with care.
+ : A plus sign between two keystrokes means that you must press them at the same time.
| : A pipe sign between elements means that you must select the elements in that particular sequence.
1. Overview
Single Sign-On (SSO) lets users authenticate only once for a whole session, however many applications they access. They then reach their data transparently, without having to retype a user name/password pair for each application. SSOWatch provides SSO by sitting between a security system, where the security data is stored (as user name/password pairs), and the applications that require authentication. It consists of two technical components:
- SSOWatch Engine, which performs single sign-on.
- SSOStudio, which allows you to configure SSOWatch. You use it to "teach" SSOWatch Engine how to recognize the authentication windows of your web and Windows applications.
For more information on SSOStudio, see Enterprise SSO - SSOWatch Administrator Guide.
This guide explains how to begin with SSOWatch: how to install it, how to quickly enable SSO, and how to perform basic SSO operations with the SSOWatch Engine.
2. Installing SSOWatch
Subject
SSOWatch can be installed on a single workstation or deployed on all the workstations of an enterprise network. This section introduces the interactive installation on a single workstation. For information on implementing the directory mode and on enterprise-wide installation, see Enterprise SSO Advanced Installation and Configuration Guide.
Before Starting
- Make sure you have a supported Windows version.
- Make sure you have a strong authentication device (smart card, USB key or biometrics).
  For details on the supported Windows versions and on the supported strong authentication devices, see Quest Enterprise SSO Release Notes.
- Make sure you have 25 MB of available hard disk space.
- Make sure you have the license information supplied with the software.
- Close all running applications.
- Download the Enterprise SSO installation package from the Quest support website (http://www.quest.com/support).
2.1 Starting the "Administration Tools" Interface
Procedure
1. Log on as system administrator.
2. Once you have downloaded the Enterprise SSO Installation Package, run start.hta. The installation package window appears.
   If the window does not appear, browse the Tools directory of the E-SSO Installation Package, run WGAdSetup\WGADSetup.exe and go to step 3 of this procedure.
3. In the E-SSO Advanced Installation area, click one of the following, depending on your Windows system processor:
   - Enterprise SSO: for 32-bit processors.
   - Enterprise SSO - x64: for 64-bit processors.
   The Administration Tools window appears.
Each tool that you can run from the Administration Tools window is a wizard that performs a specific operation during the installation of the Enterprise SSO databases.
Procedure (configuring the workstation)
1. Start the Administration Tools interface (see Section 2.1, Starting the "Administration Tools" Interface).
2. In the Select a task list, select Install software modules.
3. In the Software Installation task list, click Configure workstation. The Configuration Assistant appears.
4. Follow the instructions displayed in the wizard windows.
Procedure (installing the E-SSO Client)
1. Start the Administration Tools interface (see Section 2.1, Starting the "Administration Tools" Interface).
   If the Administration Tools interface does not work properly, you can run the SSOWatch installation wizard directly: browse the installation package folder, double-click INSTALL\SSOWatch.msi, and go to step 4 of this procedure.
2. In the Select a task list, select Install software modules.
3. In the Software Installation task list, click Install E-SSO Client. The E-SSO Client installation wizard appears.
4. Follow the displayed instructions.
5. When the wizard prompts you to choose the installation type, choose Custom, click Next, and fill in the Select Features window as follows:
   - Biometrics Enrollment tool: installs the biometrics enrollment wizard on the computer, which allows a user to enroll his or her biometric data for fingerprint authentication. For more information on the Enterprise SSO biometrics feature, see Enterprise SSO Advanced Login for Windows User Guide.
   - Integration with Windows Authentication: launches SSOWatch Engine transparently at session startup, using the user's Windows credentials. If this feature is not installed, SSOWatch is still launched automatically, but it asks the user for their credentials.
   - Old IE Plugin: deprecated Internet Explorer plug-in; install it only for compatibility with previous WiseGuard versions.
   - Java plugin: allows SSOWatch to access Java applications. If you select this feature, make sure a supported Java version is already installed on the workstation before launching the SSOWatch installation.
   - SSOStudio Personal: allows a single user to configure the applications for which he or she wants to enable SSO.
   - SSOStudio Enterprise: dedicated to administrators; the SSO configuration is shared by a number of users.
   - Fast User Switching: installs the Fast User Switching option, which allows authorized users to access their session from a workstation that has been locked by another user.
6. Restart the workstation. The SSOWatch Engine icon appears in the Windows system tray (notification area), at the far right end of the task bar.
3.1 Enabling SSO for Yahoo! Mail Using the SSOWatch Wizard
Subject
The SSOWatch Wizard is the easiest way to enable SSO. It helps you declare the applications' authentication windows that SSOWatch Engine must fill in automatically. The parameters of the applications defined this way make up a configuration for SSOWatch Engine.
The SSOWatch wizard is suitable for standard authentication windows. For applications that cannot be configured through the SSOWatch wizard, you must use SSOStudio.
We use Yahoo! Mail as an example, but you can follow the same procedure for almost all web applications.
Before Starting
Start Yahoo! Mail so that its authentication window is displayed.
Procedure
1. In the Windows notification area, right-click the SSOWatch icon and select Add application. The SSOWatch wizard appears.
2. Fill in the wizard as follows:
   - Wizard step 3: drag and drop the target button onto the login field of the Yahoo! Mail authentication window (the login field is targeted because this is a web application). The wizard window is filled in from the selected field.
   - Wizard step 4: continue the drag and drop operations until the wizard window is completely filled in.
3. The Security Data Collect window appears. Type your Yahoo! Mail user name and password and click OK.
4. Yahoo! Mail starts automatically. SSOWatch is now configured to detect and automatically fill in your Yahoo! Mail authentication window.
If you mistyped the user name or password in the Security Data Collect window, the application does not start. In this case, modify the credentials for the application, as explained in Section 4.4.2.1, Change Password.
Why does the Security Data Collect window appear? At this step of the procedure, the SSOWatch Engine is running and your Yahoo! Mail authentication window is still displayed. SSOWatch can detect the window, but it cannot fill it in because you have not provided your authentication information yet. That is why the Security Data Collect window appears: the first time you start a declared application, SSOWatch requests your user name and password. SSOWatch stores this data securely so that it can reuse it afterwards without requesting it again.
3.2 Enabling SSO for Lotus Notes Using SSOStudio
Restriction
The following example works only with Lotus Notes 5 and later.
Procedure
1. In the SSOStudio main window, right-click the Applications node and select New Application. The Application properties window appears.
2. In the Properties tab, type "Lotus Notes" in the Application Name field. You do not have to change any other options.
3. Click OK. The Lotus Notes Application object appears under the Applications node.
Before Starting
Start Lotus Notes so that its authentication window is displayed.
Procedure
1. In the SSOStudio main window, right-click the Lotus Notes Application object that you have just created and select New Window. The Window properties window appears.
2. Fill in the General tab as follows:
   - In the Window name field, type Notes Logon.
   - In the Window type field, select NotesLogin.
3. Fill in the Detection tab. All the fields are already pre-configured for Lotus Notes, and you would normally have nothing further to do. However, to show how it works, here is how to configure the window manually:
   a) Launch the Lotus Notes application.
   b) In the Detection tab, click the target button and drag and drop it onto the title bar of your Lotus Notes authentication window.
   c) As many authentication windows could have the same title, configure an additional text that is looked for in one of the fields of the window, to distinguish the Lotus Notes authentication window from the others: select Look for text and click the In Field sub-option. Using the small target button, indicate the field containing the text "Enter the password of", as you did for the title detection. The content of the Look for text field is automatically updated with the content of the selected field, in our case "Enter the password of John Smith/QUEST". Depending on your needs, you can erase the user's name to keep only the text "Enter the password of". If it is not erased, SSO will only be enabled for the user connected during this detection session.
4. Fill in the Actions tab. All the fields are already pre-configured for Lotus Notes, and you would normally have nothing further to do. However, to show how it works, here is how to configure the window manually:
   a) Using the upper small target icon, select the field containing the text "Enter the password of", as you did during the detection configuration. The text in the following field is automatically updated. In this field, select the Lotus Notes identifier (First name/Last name/Unit/Organization) and click the button.
   b) Using the second small target icon, select the field where the password will have to be entered.
   c) Using the last small target icon, select the OK button.
5. Click OK. The Notes Logon Window object appears under the Lotus Notes Application object.
6. Save the configuration, as described in Section 3.2.3, Saving the Configuration.
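The detection rule built in steps 3 and 4 is, in effect, a title match plus an optional "look for text" match on one field of the window. The following Python model is an added example written for this guide; it is not SSOWatch or SSOStudio code. The window title "Lotus Notes", the field texts and the rule structure are assumptions, and the sample windows are constructed. It shows what the guide only states in one sentence: a rule that still contains "John Smith/QUEST" recognizes nobody else's logon window, a rule trimmed to "Enter the password of" recognizes any user's logon window, and a title-only rule also fires on an unrelated dialog that shares the title.

```python
"""Added illustrative model of SSOWatch-style window detection rules.

Not SSOWatch/SSOStudio code: the window title, field texts and the rule
structure below are assumptions made for this example. A window is
recognised when its title matches and, if a "look for text" string is set,
at least one field of the window contains that string (the "Look for text /
In Field" option of the Detection tab).
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class DetectionRule:
    window_name: str                      # e.g. "Notes Logon"
    title: str                            # expected window title
    look_for_text: Optional[str] = None   # None: the title alone is enough


@dataclass(frozen=True)
class Window:
    title: str
    fields: Tuple[str, ...]               # texts of the window's controls


def matches(rule: DetectionRule, window: Window) -> bool:
    """Title must match; the optional text must appear in at least one field."""
    if window.title != rule.title:
        return False
    if rule.look_for_text is None:
        return True
    return any(rule.look_for_text in text for text in window.fields)


def detect(rules: Sequence[DetectionRule], window: Window) -> Optional[str]:
    """Name of the first rule that recognises the window, or None."""
    for rule in rules:
        if matches(rule, window):
            return rule.window_name
    return None


# Constructed sample windows (hypothetical title and field texts).
NOTES_JOHN = Window("Lotus Notes", ("Enter the password of John Smith/QUEST", "Password:", "OK"))
NOTES_JANE = Window("Lotus Notes", ("Enter the password of Jane Doe/QUEST", "Password:", "OK"))
NOTES_OTHER = Window("Lotus Notes", ("Choose a location:", "OK"))  # same title, not a logon

# Rule as captured during the detection session, user name left in place.
RULE_USER_SPECIFIC = DetectionRule("Notes Logon", "Lotus Notes",
                                   "Enter the password of John Smith/QUEST")
# Rule after erasing the user name, so that any user's logon window is recognised.
RULE_GENERIC = DetectionRule("Notes Logon", "Lotus Notes", "Enter the password of")
# Title-only rule: also fires on the non-logon dialog that shares the title.
RULE_TITLE_ONLY = DetectionRule("Notes Logon", "Lotus Notes")


def demo() -> dict:
    """Which rule recognises which constructed window."""
    return {
        "user_specific_john": detect([RULE_USER_SPECIFIC], NOTES_JOHN),  # "Notes Logon"
        "user_specific_jane": detect([RULE_USER_SPECIFIC], NOTES_JANE),  # None
        "generic_jane": detect([RULE_GENERIC], NOTES_JANE),              # "Notes Logon"
        "generic_other": detect([RULE_GENERIC], NOTES_OTHER),            # None
        "title_only_other": detect([RULE_TITLE_ONLY], NOTES_OTHER),      # "Notes Logon"
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

On a workstation used by several people, the generic rule is the one you want; the user-specific rule silently stops working for everyone except the person who ran the detection session, and the title-only rule would make SSOWatch try to fill in dialogs that are not logon windows at all.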
When prompted, click Yes. The SSOWatch Security Data Collect window appears. Fill in this window with your Lotus Notes user name and password and click OK.
Lotus Notes starts automatically. SSOWatch is now configured to detect and automatically fill in your Lotus Notes authentication window.
If you mistyped the user name or password in the Security Data Collect window, the application does not start. In this case, modify the credentials for the application, as explained in Section 4.4.2.1, Change Password.
Why does the Security Data Collect window appear? At this step of the procedure, the SSOWatch Engine is running, and your Lotus Notes authentication window is still displayed. Although SSOWatch can detect the window it cannot fill it in, as you have not provided your authentication information yet. That is the reason why the Security Data Collect window appears: the first time you start a declared application, SSOWatch requests your user name and password. This data is stored in a secure way by SSOWatch, so it will be able to reuse it afterwards, without requesting any new data.
Once the engine is started, an icon is displayed in the Windows notification area:
Simply provide your usual user name for this application and your password (confirm it to avoid mistyping errors), then click OK. SSOWatch stores this data securely so that it can reuse it afterwards without requesting it again. Single sign-on is now enabled for this application.
Simply type in a new password (and confirm it to avoid mistyping errors) and click OK. SSOWatch updates this data and stores it securely in the security database, so that it can reuse it afterwards without requesting it again.
Procedure
To display this popup menu, right-click the SSOWatch Engine icon in the notification area. Double-clicking the icon performs the default action (shown in bold in the menu): Open.
From this popup menu, you can:
- Open: open the management module of SSOWatch, SSOEngine.
- Add application: enable SSO for an application with the SSOWatch Wizard.
- Open SSOStudio: add an application with SSOStudio, as described in Section 3, Configuring SSOWatch to Enable Single Sign-On: A Step by Step Tutorial.
- Suspend and Activate: suspend and resume the SSOWatch Engine.
- Reset Configuration: reload the SSOWatch configuration.
- Emergency Access: initialize the Emergency Access feature (primary password or PIN code reset). This feature runs only with the LDAP configuration storage mode, as described in Section 4.7, Initializing the Emergency Access.
- Biometric Enrollment: enroll your biometric data using the biometrics scan wizard (a biometric authentication device must be installed on your computer). For more information, see Enterprise SSO Advanced Login for Windows User Guide.
- Exit SSOWatch: stop the SSO Engine.
When you create an account, you enter the security information associated with it. This is done automatically for the first account defined in the configuration for an application.
User Roles
If you have defined several accounts, you have to create the other accounts manually, through the user account management interface. This is designed for users who have several accounts on the same application(s). An account name designates a role. If a role is shown in the text box of the SSOEngine screen, the corresponding SSO applications are launched using the security data associated with that role.
If no role has been selected for an application with multiple accounts, you are prompted to choose an account on connection.
The Suspend command suspends the use of SSO. While suspended, the SSOWatch Engine does not carry out single sign-on.
The user can be prevented from disabling the SSO engine through the configuration options. SSOWatch Engine also suspends itself automatically when the smart card or USB key used for authentication is removed.
The Reset Configuration command reloads the modifications made in your SSOWatch configuration file and resets the application and window states (windows and applications that had been disabled are reactivated). You can use this command when the engine is running or when it is suspended; once the reset is complete, the SSO Engine is in the running state.
The Activate command resumes the SSOWatch Engine and enables the use of SSO again.
Procedure
- To suspend the SSOWatch Engine, right-click the SSOWatch Engine icon and select Suspend. The icon changes to the suspended-state icon.
- To activate the SSOWatch Engine, right-click the SSOWatch Engine icon and select Activate. The icon changes back to the running-state icon.
- To reset the SSOWatch Engine configuration, right-click the SSOWatch Engine icon and select Reset Configuration. If the engine was suspended, its icon changes to the running-state icon.
When the Emergency Access feature is enabled, you define your questions (optional) and answers the first time your SSOWatch Engine is activated. You may then need to modify this data in the following cases:
- The questions have changed, so you have to update your answers.
- You must enter your answers periodically.
- You want to change your questions/answers.
Procedure
1. Right-click the SSOWatch icon in the notification area and select Emergency Access. The Authentication window appears.
2. Enter your ID and Password and click OK. The Emergency Access wizard appears.
3. Follow the displayed instructions.
Your questions and answers may be subject to restrictions, for example a minimum/maximum number of characters or words that you cannot use. If you do not know why your questions/answers are not accepted, contact your Enterprise SSO administrator.
Click Open, and in the displayed window, click Install Certificate. Follow the instructions of the Import Certificate wizard.
It is recommended to keep the default selected options: just click Next and then Finish to install the certificate file.
Before Starting
The Emergency Access feature must be initialized: you must have chosen a set of questions and answers (see Section 4.7, Initializing the Emergency Access).
Procedure
1. Start your Internet Explorer web browser and enter in the address bar the URL of the Reset Password web server (example: http://MyResetPasswordServer).
   If you do not know this URL, contact your Enterprise SSO administrator. The example URL is written with http:// as in the original guide; since you type your answers and your new primary password into this page, it should normally be reached over HTTPS.
2. In the displayed page, click the reset your primary password link.
3. Type your identifier and click Submit. The Password reinitialization page appears.
4. Answer each question with the answers you gave when initializing the Password Reset functionality, and type your new primary password twice.
5. Click Submit.
After a certain number of wrong answers, the process may be blocked and you will not be able to try again. In this case, contact your Enterprise SSO administrator.
You can now use your new password to connect to your workstation.
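The reset flow above comes down to: prove knowledge of the registered answers, then set a new primary password (typed twice), with the account blocked after too many wrong answers. The following Python model is an added example written for this guide and is not Evidian's implementation of Emergency Access; the attempt limit of 3, the case- and whitespace-insensitive comparison of answers, and the salted PBKDF2 storage of answers are assumptions, and the questions and answers are constructed sample data. It shows the two checks a practitioner would expect behind such a page: answers are compared against hashes rather than stored in clear, and the lockout is enforced even when the next attempt is correct.

```python
"""Added illustrative model of a question/answer password reset with lockout.

Not Evidian's implementation: the attempt limit, the answer normalisation
and the salted-hash storage below are assumptions made for this example,
and the questions/answers are constructed sample data.
"""
import hashlib
import hmac
import os
from typing import List, Sequence, Tuple

MAX_ATTEMPTS = 3           # assumed; in the product the limit is set by the administrator
PBKDF2_ITERATIONS = 100_000


def normalize(answer: str) -> str:
    """Case- and whitespace-insensitive comparison of answers (assumption)."""
    return " ".join(answer.strip().lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Answers are never stored in clear; only a salted PBKDF2 hash is kept."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                               salt, PBKDF2_ITERATIONS)


class EmergencyAccess:
    """Holds one user's registered questions and enforces the lockout."""

    def __init__(self, questions_and_answers: Sequence[Tuple[str, str]]):
        self.salt = os.urandom(16)
        self.records = [(q, hash_answer(a, self.salt)) for q, a in questions_and_answers]
        self.failures = 0
        self.blocked = False

    def questions(self) -> List[str]:
        return [q for q, _ in self.records]

    def reset_password(self, answers: Sequence[str], new_password: str, confirm: str) -> str:
        """Outcome of one attempt: 'reset', 'password mismatch', 'wrong answers' or 'blocked'."""
        if self.blocked:
            return "blocked"               # stays blocked until an administrator intervenes
        if new_password != confirm:
            return "password mismatch"     # typing the new password twice catches mistypes
        # Check every answer without short-circuiting, so the caller learns only
        # pass/fail and not which question was answered wrongly.
        checks = [hmac.compare_digest(hash_answer(a, self.salt), h)
                  for a, (_, h) in zip(answers, self.records)]
        if len(answers) != len(self.records) or not all(checks):
            self.failures += 1
            if self.failures >= MAX_ATTEMPTS:
                self.blocked = True
                return "blocked"
            return "wrong answers"
        self.failures = 0
        return "reset"


def demo() -> List[str]:
    """Constructed sequence: one good reset, three wrong attempts, then a
    correct attempt that is refused because the account is blocked."""
    ea = EmergencyAccess([("Name of your first pet?", "Rex"),
                          ("City where you were born?", "Lyon")])
    return [
        ea.reset_password(["rex", "  LYON "], "N3w-Pr1mary!", "N3w-Pr1mary!"),  # reset
        ea.reset_password(["rex", "paris"], "x", "x"),                          # wrong answers
        ea.reset_password(["fido", "lyon"], "x", "x"),                          # wrong answers
        ea.reset_password(["rex", "rome"], "x", "x"),                           # blocked
        ea.reset_password(["rex", "lyon"], "x", "x"),                           # blocked
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

A mismatch between the two copies of the new password is rejected before the answers are even looked at and does not count as a failed attempt, while every wrong set of answers does; once the limit is reached, only an administrator can unblock the account, which matches the advice in the guide.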
Web site
Please refer to our Web site for regional and international office information.
View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at: http://support.quest.com.