Enterprise Single Sign-On 8.0.3 – SSOWatch Administrator Guide

Transcription

Enterprise Single Sign-On 8.0.3
Administrator Guide
SSOWatch
Copyright © 1998-2009 Quest Software and/or its Licensors
ALL RIGHTS RESERVED.
This publication contains proprietary information protected by copyright. The software described in
this publication is furnished under a software license or nondisclosure agreement. This software
may be used or copied only in accordance with the terms of the applicable agreement. No part of
this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any
means, electronic, mechanical or otherwise without the prior written permission of the publisher.
DISCLAIMER
The information in this publication is provided in connection with Quest branded products from
Evidian. No license, express or implied, by estoppel or otherwise, to any intellectual property right is
granted by this publication. EXCEPT AS OTHERWISE SPECIFIED IN THE END USER LICENSE
AGREEMENT FOR THIS PRODUCT, EVIDIAN AND QUEST ASSUME NO LIABILITY
WHATSOEVER AND DISCLAIM ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY
RELATING TO THIS PRODUCT, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTY
OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.
IN NO EVENT SHALL EVIDIAN OR QUEST BE LIABLE FOR ANY DIRECT, INDIRECT,
CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT
LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF
INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS PUBLICATION, EVEN
IF EVIDIAN OR QUEST HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Evidian and Quest make no representations or warranties with respect to the accuracy or
completeness of the contents of this publication and reserve the right to make changes to
specifications and product descriptions at any time without notice. Evidian and Quest do not make
any commitment to update the information contained in this publication. The information and
specifications in this publication are subject to change without notice.
Trademarks
Quest, Quest Software, the Quest Software logo, Aelita, AppAssure, Benchmark Factory, Big
Brother, DataFactory, DeployDirector, ERDisk, Foglight, Funnel Web, I/Watch, Imceda, InLook,
IntelliProfile, InTrust, IT Dad, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg,
NBSpool, NetBase, Npulse, PerformaSure, PL/Vision, Quest Central, RAPS, SharePlex, Sitraka,
SmartAlarm, Spotlight, SQL LiteSpeed, SQL Navigator, SQL Watch, SQLab, Stat, Stat!,
StealthCollect, Tag and Follow, Toad, T.O.A.D., Toad World, Vintela, Virtual DBA, Xaffire, and XRT
are trademarks and registered trademarks of Quest Software, Inc in the United States of America
and other countries. The terms Evidian, AccessMaster, SafeKit, OpenMaster, SSOWatch,
WiseGuard, Enatel and CertiPass are trademarks registered by Evidian. All other trademarks
mentioned in this document are the propriety of their respective owners.
World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656
Website: www.quest.com
Please refer to our website for regional and international office information.
Quest Enterprise SSO
Updated – January 2010
Software version – 8.0.3
CONTENTS
About This Guide ...................................................................................................... 5
Access Management ......................................................................................................... 5
Conventions ............................................................................................................... 6
1. Overview................................................................................................................. 7
1.1 SSOWatch Basic Principles ........................................................................................ 7
1.1.1 Application Modeling ........................................................................................ 7
1.1.2 Application Access Profiles .............................................................................. 7
1.1.3 Password Format Control Policies (PFCP) ...................................................... 8
1.1.4 Application Behavior ......................................................................................... 8
1.1.5 Window Types .................................................................................................. 9
1.1.6 LDAP Directories .............................................................................................. 9
1.2 The Access Collector Mode ........................................................................................ 9
1.3 SSOWatch Components ........................................................................................... 10
1.3.1 SSOWatch Engine.......................................................................................... 10
1.3.2 SSOStudio ...................................................................................................... 11
1.3.3 SSOWatch Plug-ins ........................................................................................ 11
2. SSOWatch Engine ............................................................................................... 12
2.1 Overview.................................................................................................................... 12
2.2 The SSOWatch Engine Interface .............................................................................. 13
2.2.1 SSOWatch Engine Icon.................................................................................. 13
2.2.2 SSOWatch Engine Pop-up Menu................................................................... 13
2.2.3 The "SSOWatch: Single Sign-On Engine" Window ....................................... 15
2.3 Starting/Quitting SSOWatch Engine ......................................................................... 17
2.3.1 Starting SSOWatch Engine ............................................................................ 17
2.3.2 Quitting SSOWatch Engine ............................................................................ 18
2.3.3 Deleting the Roaming Session ....................................................................... 18
2.4 Suspending/Activating SSOWatch Engine................................................................ 19
2.5 Resetting SSOWatch Engine Configuration.............................................................. 19
2.6 Managing User Accounts .......................................................................................... 20
2.6.1 Displaying your SSOWatch User Accounts ................................................... 20
2.6.2 Displaying the Properties of a User Account.................................................. 21
2.6.3 Changing the Login Name and/or Password of a User Account ................... 22
2.6.4 Changing an expired Primary Password ........................................................ 23
2.6.5 Creating a New Account for an Application.................................................... 24
2.6.6 Deleting a User Account................................................................................. 25
2.6.7 Displaying User Account Password ............................................................... 26
2.6.8 Delegating a User Account............................................................................. 26
2.7 Disabling/Enabling SSO for Applications .................................................................. 27
2.8 Starting SSOStudio Personal .................................................................................... 28
2.9 Starting an Application............................................................................................... 29
2.10 Creating a Shortcut for an Application .................................................................... 29
2.11 Removing the Icon from the Notification Area ........................................................ 29
i
3. Configuration Editor: SSOStudio ...................................................................... 31
3.1 Interface Overview..................................................................................................... 32
3.2 Starting and Stopping SSOStudio ............................................................................. 35
3.2.1 Starting SSOStudio ........................................................................................ 35
3.2.2 Stopping SSOStudio....................................................................................... 36
3.3 Creating or Opening a Configuration ........................................................................ 36
3.4 Configuring General SSO Parameters ...................................................................... 37
3.5 Defining PFCP and Application Profiles.................................................................... 37
3.5.1 Defining Password Format Control Policies (PFCP)...................................... 38
3.5.2 Defining the Application Profiles..................................................................... 41
3.6 Defining Application and Technical Definition Objects.............................................. 45
3.6.1 Creating/Modifying Application Objects and Technical Definitions................ 46
3.6.2 Filling-in the Application Properties Window .................................................. 48
3.6.3 Defining Advanced Access Rights ................................................................. 58
3.7 Defining Window Objects .......................................................................................... 60
3.7.1 "General" Tab ................................................................................................. 60
3.7.2 "Options" Tab.................................................................................................. 63
3.7.3 "Detection" and "Actions" Tabs ...................................................................... 68
3.8 Testing the SSO ........................................................................................................ 68
3.9 Exporting or Importing Objects.................................................................................. 68
3.9.1 Exporting/Importing Objects using the Graphical Interface............................ 69
3.9.2 Importing Objects using Command Line Arguments
(Standalone Mode only)........................................................................................... 69
3.10 Managing Objects in the Tree ................................................................................. 71
3.10.1 Copying/Cutting/Pasting Objects.................................................................. 71
3.10.2 Renaming an Object ..................................................................................... 71
3.10.3 Deleting an Object from the Tree ................................................................. 72
3.11 Saving Object Configurations.................................................................................. 72
3.11.1 Saving Object Configurations in LDAP Storage Mode
(Console Mode Only)............................................................................................... 72
3.11.2 Saving Object Configurations in Local Storage Mode ................................. 73
3.12 Managing Configuration Updates............................................................................ 73
3.13 Refreshing the Tree................................................................................................. 74
4. The Generic Plug-in ............................................................................................ 75
4.1 Windows Detection.................................................................................................... 76
4.1.1 Simple Detection............................................................................................. 77
4.1.2 Advanced Detection ....................................................................................... 80
4.1.3 Restrictions ..................................................................................................... 83
4.2 User Interface ............................................................................................................ 84
4.2.1 Target.............................................................................................................. 84
4.2.2 Validation Actions ........................................................................................... 85
4.3 Generic Plug-in Actions ............................................................................................. 86
4.3.1 StandardLogin – Connection .......................................................................... 86
4.3.2 BadPassword.................................................................................................. 89
4.3.3 NewPassword................................................................................................. 90
4.3.4 ConfirmPassword ........................................................................................... 92
4.3.5 BadNewPassword .......................................................................................... 93
ii
4.4 Special Cases............................................................................................................ 94
4.4.1 NotesLogin (Lotus Notes Plug-in) .................................................................. 94
4.4.2 HTTP Authentication (Internet Explorer Plug-in)............................................ 96
5. The Microsoft Internet Explorer Plugin............................................................. 99
5.1 HTML/Internet Explorer Detection........................................................................... 100
5.1.1 URLs with Variable Parts.............................................................................. 101
5.1.2 Advanced Detection ..................................................................................... 102
5.2 User Interface .......................................................................................................... 103
5.2.1 Selecting a Field in an HTML Form.............................................................. 103
5.2.2 Custom SSO Parameters ............................................................................. 104
5.2.3 Submitting an HTML Form ........................................................................... 104
5.3 HTML/Internet Explorer Actions .............................................................................. 105
5.3.1 HTMLLogin – Connection............................................................................. 105
5.3.2 HTMLBadPassword...................................................................................... 107
5.3.3 HTMLNewPassword ..................................................................................... 108
5.3.4 HTMLBadNewPassword – New Password Refused ................................... 109
6. The SAP R/3 Plug-in.......................................................................................... 111
6.1 SAPLogin and SAPExpired Window Types ............................................................ 111
6.1.1 SAPLogin (SAP R/3 Login)........................................................................... 111
6.1.2 SAPExpired (SAP R/3 Password Expiry) ..................................................... 112
6.2 Basic Principles of the SAP R/3 Plug-in.................................................................. 112
6.3 Configuration Guide................................................................................................. 112
6.3.1 Configuring an SAP R/3 Application............................................................. 112
6.3.2 Configuring the SAPGUI Scripting Window ................................................. 113
7. Terminal Type Applications ............................................................................. 116
7.1 Terminal................................................................................................................... 117
7.2 Microsoft Telnet ....................................................................................................... 118
7.3 Banners ................................................................................................................... 119
8. The HLLAPI Plug-in........................................................................................... 121
8.1 Configuring the HLLAPI Plug-in .............................................................................. 121
8.2 Enabling Single Sign-On for HLLAPI Applications.................................................. 122
8.2.1 The Detection Tab ........................................................................................ 123
8.2.2 The Actions Tab............................................................................................ 125
8.3 HLLAPI Applications Keys....................................................................................... 126
9. Advanced Configuration................................................................................... 133
9.1 Custom Scripts Plug-ins .......................................................................................... 133
9.1.1 Basic Concepts............................................................................................. 134
9.1.2 The Actions Tab............................................................................................ 135
9.1.3 Script Editor .................................................................................................. 136
9.2 Extension DLL ......................................................................................................... 146
9.2.1 Function Prototyping..................................................................................... 146
9.2.2 SSOWatchSSOData Structure ..................................................................... 146
9.2.3 Return Code ................................................................................................. 147
iii
10. OLE/Automation Interface .............................................................................. 149
10.1 Definition of SSOWatch OLE/Automation Interface.............................................. 149
10.2 The ISSOEngine Interface .................................................................................... 150
10.2.1 GetApplication2 .......................................................................................... 150
10.2.2 GetSSOEngineState................................................................................... 151
10.3 The ISSOApplication Interface .............................................................................. 152
10.3.1 Properties ................................................................................................... 152
10.3.2 Methods ...................................................................................................... 153
10.4 Code Example ....................................................................................................... 156
10.5 Return Codes ........................................................................................................ 156
A. Cache and Application Data Update Tuning.................................................. 158
A1. Cache and Application Update Mechanism............................................................ 158
A.1.1 Cache Mechanism ....................................................................................... 158
A.1.2 Asynchronous Update Mechanism .............................................................. 159
A.2 Cache and Update Timing Parameters .................................................................. 160
About Quest Software, Inc. .................................................................................. 163
Contacting Quest Software............................................................................................ 163
Contacting Quest Support ............................................................................................. 163
iv
Administrator Guide
About This Guide
Access Management
Subject
Intended Reader
This guide explains how to use SSOWatch Configuration Editor to
describe the applications for which SSOWatch will implement
Single Sign-On.
• System integrators.
• Administrators.
• End-users.
Software/Hardware
Required
Enterprise SSO—SSOWatch 8.0 evolution 3 and later versions.
Supported Operating
Systems
Enterprise SSO SSOWatch runs only on Windows systems.
For further information about the operating systems and other
software solutions mentioned in this guide, please refer to the
Quest Enterprise SSO Release Notes.
5
Quest Enterprise SSO 8.0.3 – SSOWatch
Conventions
In order to help you get the most out of this guide, we have used specific formatting
conventions. These conventions apply to procedures, icons, keystrokes and crossreferences.
ELEMENT
CONVENTION
Select
This word refers to actions such as choosing or highlighting various
interface elements, such as files and radio buttons.
Bolded text
Interface elements that appear in Quest products, such as menus and
commands.
Italic text
Used for comments.
Bold Italic text
Introduces a series of procedures.
Blue text
Indicates a cross-reference. When viewed in Adobe® Acrobat®, this format
can be used as a hyperlink.
Used to highlight additional information pertinent to the process being
described.
Used to provide Best Practice information. A best practice details the
recommended course of action for the best result.
Used to highlight processes that should be performed with care.
+
A plus sign between two keystrokes means that you must press them at
the same time.
|
A pipe sign between elements means that you must select the elements in
that particular sequence.
6
Administrator Guide
1. Overview
1.1 SSOWatch Basic Principles
This section presents SSOWatch basic concepts.
1.1.1 Application Modeling
SSOStudio, the SSOWatch configuration editor is used to describe the applications for
which SSOWatch will enable Single Sign-On.
An application is defined by:
•
•
A set of associated user accounts (referred to as the link to the security
system).
A set of Windows or HTML pages.
The application Windows or HTML pages that refer to the authentication management
tool must be described in SSOWatch using the configuration editor.
This description allows SSOWatch to recognize the windows or HTML pages whenever
they are displayed to the user. SSOWatch intercepts these pages and implements SSO.
In addition to the elements that allow window/page detection, the description contains
the actions that the SSO engine has to perform.
Each window is defined by a type that characterizes the target application technology
and the actions that the SSOWatch engine will perform. The events that refer to the
user’s authentication in an application can be of different kinds: authentication,
password update request, etc.
SSOWatch manages the different events relating to the specific characteristics and
behavior of each application (application behavior).
1.1.2 Application Access Profiles
Application profiles define the parameters of one or more applications that can then be
defined differently, depending on the users that access them.
Application profiles are used to assign applications to users.
7
An application access profile is defined by the following parameters:
•
•
•
•
The password format managed by the application.
The SSOWatch options.
The SSO policy. Such options are: requirement for re-authentication, the
user’s ability to modify SSO data, hide/show password, etc.
Delegation parameters.
1.1.3 Password Format Control Policies (PFCP)
A PFCP defines:
•
•
The format of the passwords managed by an application: characters that are
allowed or forbidden, length, authorized/unauthorized repetitions of a same
character.
Whether a password is to be randomly generated (following the format
required), or requested from the user.
1.1.4 Application Behavior
A user authenticates to a secure application as follows:
•
•
•
The user tries to log on to the application.
If the security data provided are correct, the user is authenticated by the
application and can work normally.
If the data are incorrect, the application will display a message or re-display
the authentication window, informing the user that he or she made a mistake
during the authentication process. The user is prompted to try again.
Once connected, the user can change the password, either at will or at the application’s
request:
•
•
The user enters a new password and (sometimes) confirms it.
If the new password is accepted by the application, the user will continue
working normally. If not, the application will inform the user that the new
password has been rejected.
Start
8
Login
New
Password
Bad
Password
Bad New
Password
Administrator Guide
SSOWatch manages the application behavior with regard to the user authentication we
have just described. This behavior is configured by choosing a type for the defined
windows.
1.1.5 Window Types
A window type indicates the SSO engine behavior and the technology of the managed
application.
An application’s behavior Includes:
•
•
•
•
•
Detecting the connection step (Login).
Detecting a wrong password/username (BadPassword).
Detecting a new password request (NewPassword).
Detecting an incorrect new password (BadNewPassword).
Confirming this new password (ConfirmPassword).
The technologies managed by SSOWatch are:
•
•
•
•
Microsoft Win32 standard Windows.
HTML pages in Internet Explorer.
Windows of type "Terminal in text mode".
Some particular cases or optimizations of standard types.
1.1.6 LDAP Directories
Several types of LDAP directories are supported for user security data storage.
You can refer to the following guides:
• For more information on the supported LDAP directory versions, see Quest
Enterprise SSO Release Notes.
• For a description of the procedures for modifying an LDAP directory, see
Enterprise SSO Advanced Installation and Configuration Guide.
1.2 The Access Collector Mode
The Access Collector mode is an option of SSOWatch, which automatically collects all
user accounts and stores them in the users' directory.
This mode only works if the workstations are configured as "Standalone".
The goal of this feature is to report to the administrators all the accounts used for the
applications of the enterprise, so that they can create an appropriate access policy.
Only one account can be collected for one application (multi-account is not supported).
9
Mechanism
When an end-user launches an application that is detected by SSOWatch Engine,
SSOWatch starts the account collect.
•
•
If the account was already collected, nothing happens, and the SSO is not
performed.
If a BadPassword window is detected in the collect context, the collected
account is deleted or a new account is collected. The account will not be
deleted if the BadPassword occurs at any other moment.
Once the account is collected, the SSO is deactivated for the application.
SSOWatch Behavior
The SSO is only performed if there is no collected account for the detected application
login screen.
The passwords entered by users are never sent to the directory: they are only
temporary kept in memory for SSO purposes.
Users are not allowed to stop or suspend SSOEngine, they have no access to SSOStudio
Personal and cannot manage their accounts through the user account panel.
Configuration Update
Only the Application, Technical definition and Parameter objects are retrieved from the
directory, in an asynchronous way to avoid the update during the users authentication.
All users can access all the applications downloaded by the workstation.
1.3 SSOWatch Components
SSOWatch is made up of the components described in this section.
1.3.1 SSOWatch Engine
SSOWatch Engine is the "client" or "user" part of SSOWatch. It provides the link
between the security system and the applications by recovering security information
(login/password) and sending it to the applications.
It also manages the collection of this security data and the password format control
policies.
The collection (or self-learning) mode consists in asking the user to enter any security
information that may not yet exist in the SSOWatch security base, and to save it.
10
Administrator Guide
1.3.2 SSOStudio
SSOStudio is the SSOWatch configuration editor. It allows the creation of SSOWatch
configuration files, and the management of the SSOWatch LDAP objects.
This program is designed to be used by people who define and setup SSO.
SSOStudio can be used in Enterprise or Personal mode, so as to modify the
corresponding configuration files:
•
•
The Enterprise configuration file is common to a group of users, and is
usually saved in an LDAP directory in object format. When a simple file is
used, the configuration may be stored in a central location for ease of
deployment and use.
The Personal configuration file is specific to one person, and is saved with that
person’s personal profile (Windows profile or the person’s LDAP attributes).
SSO configuration is easily performed through "drag and drop"-oriented configuration
procedures.
1.3.3 SSOWatch Plug-ins
SSOWatch plug-ins are extensions of the SSOWatch engine and of the SSOWatch
configuration editor. They add SSO management methods for specific kinds of
applications.
Besides the management of standard Windows applications, of the following plug-ins
are available as standard in SSOWatch:
•
•
•
•
•
•
Internet Explorer, enabling SSO in HTTP/HTML applications running under
Internet Explorer 4 or later.
Lotus Notes.
Microsoft Telnet.
SAP R/3.
HLLAPI.
Customizable Scripts, to enable SSO in Windows/HTML applications not
managed by the standard window types.
For more information on the supported versions, see Quest Enterprise SSO
Release Notes.
11
2. SSOWatch Engine
This section describes the SSOWatch Engine interface, and how to use it.
2.1 Overview
SSOWatch Engine Definition
SSOWatch Engine is one of the components that are part of the SSOWatch software
module. It is in charge of the following SSO functionalities:
•
•
•
It retrieves for the IAM middleware, which runs on the workstation, SSO data
and provides this information to the application login windows.
It offers self administration functions to allow you to register yourself to
applications or change your passwords for example.
In Access Collector mode, it starts the account collect when the user launches
an application and deactivates the SSO once the account is collected.
The SSOWatch configuration
The SSOWatch configuration stores the SSO data. It can be defined by two kinds of users:
•
•
12
The Enterprise SSO (E-SSO) security administrators, through SSOStudio
Enterprise. This tool allows administrators to create and modify the
SSOWatch configuration common to many end-users.
By end-users, through SSOStudio Personal if the component is installed on
the workstation. This tool allows you to define your personal SSO data used to
log on your personal applications.
Administrator Guide
2.2 The SSOWatch Engine Interface
This section gives an overview of the SSOWatch Engine interface.
2.2.1 SSOWatch Engine Icon
The SSOWatch Engine icon is displayed in the Windows notification area, as shown in
the following illustration:
Depending on the SSOWatch Engine state, this icon can have several appearances:
ICON
DESCRIPTION
SSOWatch Engine is activated: the SSO feature is enabled (whenever it detects
a configured application login window, SSOWatch Engine automatically provides
the required SSO data)
SSOWatch Engine is suspended: the SSO feature is disabled.
SSOWatch Engine is locked: when the SSOWatch Engine detects a configured
application login window, or when you want to display the user accounts
associated with applications (see Section 2.6.1, Displaying your SSOWatch User
Accounts), SSOWatch Engine may ask you to re-authenticate. Upon a successful
authentication, the SSOWatch engine state switches to activated.
2.2.2 SSOWatch Engine Pop-up Menu
The SSOWatch Engine pop-up menu appears when you right-click the SSOWatch
Engine icon. It provides the means to control the SSOWatch Engine:
Depending on your SSOWatch configuration, some menu commands may not
appear, as detailed in the following table.
13
The following table describes the SSOWatch Engine pop-up menu:
MENU COMMAND
About SSOWatch
DESCRIPTION
Displays the SSOWatch Engine version and the storage mode of
the SSOWatch configuration file:
• LDAP: centralized configuration is defined in the LDAP
directory for which SSO access is either authorized or denied
for a given user or group of users.
• File: the configuration is saved in a file in the Windows registry.
• Self Registration: indicates that SSOWatch is used in Access
Collector mode: centralized configuration is defined in the LDAP
directory, to collect all the accounts used for the applications of
the enterprise (for more information, see Section 1.2, The
Access Collector Mode).
Emergency Access
Start the Reset Password feature, which allows you to reset by
yourself your primary password. For details, see Appendices
Enterprise SSO Advanced Login for Windows User Guide.
This menu command does not appear if the Emergency
Access feature is not implemented.
Biometric
Enrollment
Starts the E-SSO biometrics scan wizard; which allows you to enroll
or modify your fingerprints (for details, see Appendices Enterprise
SSO Advanced Login for Windows User Guide).
• You will have to reauthenticate yourself if you want to
use this feature.
• This menu command does not appear if the Biometric
Enrollment feature is not implemented.
Deactivate/Activate
cluster mode
Excludes the computer you are working on from the cluster. It stays
excluded even when you restart the computer.
Useful for maintenance operations, the PC is rebooted
independently from the others.
Click Activate cluster mode to include the computer in the cluster,
This menu command only appears if the Administrator has
activated it.
Open
Opens the SSOEngine Account panel; which allows you to manage
your user accounts.
This menu command is bold, which means that this is the
default command: double-click the SSOWatch Engine icon
to run it.
Add application
Starts SSOWatch Wizard, which is the easiest way to set up your
personal SSOWatch configuration. For an example of use of
SSOWatch Wizard, see Appendix Enterprise SSO—Getting
Started with SSOWatch.
This menu command does not appear if SSOStudio
Personal is not installed on the workstation, or if
SSOWatch is used in Access Collector mode.
14
Administrator Guide
MENU COMMAND
Open SSOStudio
DESCRIPTION
Starts SSOStudio Personal, the editor tool of your personal
SSOWatch configuration. For details on how to use SSOStudio,
see Section 3, Configuration Editor: SSOStudio.
This menu command does not appear if SSOStudio
Personal is not installed on the workstation, or if
SSOWatch is used in Access Collector mode.
Suspend, Activate
Manages the states of the SSOWatch Engine.
Depending on your configuration, this menu command may
not appear (unavailable in Access Collector mode).
Reset
Configuration
Stops and restarts SSOWatch Engine to take into account
modifications of the SSOWatch configuration.
In Access Collector mode, this command only synchronizes SSO
Account data.
Exit SSOWatch
Quits SSOWatch Engine.
Depending on your configuration, this menu command may
not appear (unavailable in Access Collector mode).
2.2.3 The "SSOWatch: Single Sign-On Engine" Window
The SSOWatch: Single Sign-On Engine window appears when you click Open in the
pop-up menu, or just by double-clicking the SSOWatch Engine icon. It is composed of
the following panels:
•
The Account panel (
•
The Home panel (
button).
button).
2.2.3.1 The "Account" Panel
When you open the SSOWatch: Single Sign-On Engine window, the Account panel
appears. It lists your user accounts managed by SSOWatch Engine. From this panel,
you can modify several user account parameters, as described in Section 2.6,
Managing User Accounts.
15
2.2.3.2 The "Home" Panel
From the Home panel, you can perform the following tasks:
•
Manage the states of the SSOWatch Engine (Area 1), as described in the
following sections:
• Section 2.4, Suspending/Activating SSOWatch Engine.
• Section 2.5, Resetting SSOWatch Engine Configuration.
• Section 2.3, Starting/Quitting SSOWatch Engine.
•
16
If you are using several user accounts for a same application, select the
current Role (Area 2—for details, see Section 2.6.5, Creating a New Account
for an Application).
Administrator Guide
2.3 Starting/Quitting SSOWatch Engine
This section explains how to start and quit the SSOWatch Engine.
2.3.1 Starting SSOWatch Engine
Subject
Usually, SSOWatch Engine starts automatically when you log on.
You may need to start SSOWatch Engine manually in the following cases:
•
•
If SSOWatch Engine has not been configured to start automatically.
If you manually quit SSOWatch Engine and want to restart it.
Procedure
1.
To manually start the SSOWatch Engine, do one of the following:
• Double-click the SSOWatch Engine desktop icon (
).
• In the Start menu, click Programs | Quest Software | Enterprise SSO |
SSOWatch.
• Use command line: the following table lists the command line arguments that
you may use to start SSOWatch (ssoengine.exe):
BINARY
ARGUMENTS
ssoengine.exe
/notrayicon:
starts SSOWatch but does not display the icon located in Windows
system tray.
/nosplashscreen:
starts SSOWatch but does not display the splash screen.
The configuration file to be used can be added as a parameter in the
SSOEngine.exe program (no option).
Example:
SSOEngine.exe "C:\Configs SSOWatch\SSOConfig2.sso"
• An authentication window appears.
2.
Fill in the ID and Password fields to authenticate yourself.
• The SSOWatch window appears.
• A welcome message appears in a balloon help on the bottom right-hand side
of your screen.
This is configurable in the E-SSO Console by creating one message per user.
• If you are using a roaming session, a balloon help appears telling you when
your session expires. You can display it at all times by passing the cursor
over the SSOWatch Engine icon.
17
2.3.2 Quitting SSOWatch Engine
Procedure
To quit SSOWatch Engine, right-click the SSOWatch Engine icon and select Exit
SSOWatch.
•
The SSOWatch engine icon disappears. The SSO feature is disabled.
Depending on your configuration, this menu command may not be available
(unavailable in Access Collector mode).
2.3.3 Deleting the Roaming Session
Subject
When you authenticate yourself with a Smart Card, you can delete your Roaming
Session via the Credential Manager icon in the task bar.
Procedure
1.
Right-click the Credential Manager icon in the task bar.
• A pop-up menu appears.
2.
Click on Roaming Session.
• The Roaming Session Management window appears.
3.
18
Click the Terminate button to delete your Roaming Session.
Administrator Guide
2.4 Suspending/Activating SSOWatch Engine
Subject
By default, SSOWatch Engine is automatically activated when you log on. You may
need to suspend it manually, as described in the following procedure.
In Access Collector mode, this functionality is deactivated.
Procedure
•
To suspend SSOWatch Engine, right-click the SSOWatch Engine icon and
select Suspend.
• The SSOWatch Engine icon state changes, as described in Section 2.2.1,
SSOWatch Engine Icon. While suspended, no automatic sign-on is made.
• Depending on your configuration, this menu command may not be available.
• SSOWatch Engine automatically suspends itself when the smartcard or USB
key used for authentication is removed.
•
To resume SSOWatch Engine, right-click the SSOWatch Engine icon and
select Activate.
• The SSOWatch Engine icon state changes, as described in Section 2.2.1,
SSOWatch Engine Icon.. The SSO feature is enabled.
2.5 Resetting SSOWatch Engine Configuration
Subject
By default, if the SSOWatch configuration changes, a notification message
automatically appears asking you if you want to take the modifications into account, as
shown in the following illustration:
You can take manually the modifications of the SSOWatch Engine configuration file,
using the Reset Configuration command, as described in the following procedure.
19
In Access Collector mode, this command only synchronizes SSO Account data.
In Access Collector mode, SSOWatch Engine automatically reloads the SSO
configuration every 6 hours: this allows taking into account changes in the SSO
data updated by the asynchronous update. You can change this value (in hour) in
the following registry key/GPO:
HKLM\Software\Enatel\SSOWatch\CommonConfig\AutomaticRefresh
Procedure
In the Windows notification area, right-click the SSOWatch Engine icon and select
Reset Configuration.
2.6 Managing User Accounts
This section describes how to manage your SSOWatch user accounts from the
SSOWatch Engine Account panel.
2.6.1 Displaying your SSOWatch User Accounts
Subject
This section describes how to display the user accounts that are defined in your
SSOWatch configuration.
Procedure
To display the list of your SSOWatch user accounts, double-click the SSOWatch Engine
icon located in the Windows notification area.
The following window appears:
20
Administrator Guide
Window Description
The Account panel displays one line per user account. For each account, the following
information is available:
COLUMN NAME
DESCRIPTION
Application
Name of the application, as defined in SSOStudio. For accounts that are
not associated with an application, <None> is displayed.
Login Name
Login name of the user account. If you have not yet used this application,
<not registered> is displayed (the login name and password of the
account has never been collected).
You can hide applications for which the user is not registered. To do so,
right-click any application and select Hide applications without credential.
Account
By default, Standard Account is displayed. If you are using several user
accounts for a same application, this column displays the name of the
account. For more information, see Section 2.6.5, Creating a New
Account for an Application
2.6.2 Displaying the Properties of a User Account
Procedure
In the Account panel, select the wanted user account and click the
right-click the wanted user account and click Properties.
button or
The following window appears:
21
Window Description
The Information Tab
Depending on your user account properties, you may be allowed to modify your user
account security data. For more details, see Section 2.6.3, Changing the Login Name
and/or Password of a User Account.
The Properties Tab
The Properties tab is a read-only tab. It displays the account properties and application
properties available for the selected user account.
The Delegation Tab
Depending on your E-SSO configuration, the Delegation tab may not appear. It allows
you to delegate your user account to other users.
2.6.3 Changing the Login Name and/or Password of a User
Account
Restriction
Depending on your SSOWatch configuration, this command may be disabled for some
or all the listed user accounts (unavailable in Access Collector mode).
For information on how to enable/disable this command, see Section 3.5.2.2,
"Access Strategy" Tab of an Application Profile Object—Description.
Procedure
1.
From the Account panel, select a user account and click the
button or
right-click the wanted user account and click Change Password.
• The following window appears:
22
Administrator Guide
2.
Modify the wanted fields and click OK.
• The modification is taken immediately into account.
You can also modify the login name and/or password of a user account from the
Account details window, which is described in Section 2.6.2, Displaying the
Properties of a User Account.
2.6.4 Changing an expired Primary Password
Subject
If you are using an authentication method that does not require the provision of the
Primary Password, such as Smart Cards or Biometrics, you can choose your new
Primary Password.
Procedure
1.
When your Primary Password is expired, the Security Data Collection
window appears.
2.
To change your Primary Password, do one of the following:
• To use your own Password, type in your chosen Password in the Password
and Confirmation fields.
• To generate a random Password, select the Generate my password
checkbox.
3.
Click the OK button.
• Your Primary Password has been changed.
If you are offline when your Primary Password is about to expire, you will be asked
to change it the next time you reconnect.
23
2.6.5 Creating a New Account for an Application
Restriction
or all the listed applications (unavailable in Access Collector mode).
"Application Profile" Tab.
Procedure
1.
From the Account panel, select an application and click the
click the wanted user account and click New account.
button or right-
2.
3.
Fill in this window with the following recommendation: in the Account field,
either type the name of a new account, or, if you want to use an additional
account that you have already created, select it in the drop-down list.
Click OK.
• The new account appears in the Account panel.
24
Administrator Guide
Going Further
If you have several accounts for an application, the following window appears by default
when SSOWatch detects the authentication window of the application:
This window allows you to select an account to log on to the application.
If you select Set current role, SSOWatch Engine will always use the selected
account, and this window will no longer appear. To display this window again, in
the Home panel, select No selected role in the Current role drop-down list.
You can also log on to the application with one of the accounts by double-clicking
the desired account in the SSOWatch Window.
2.6.6 Deleting a User Account
Subject
This section describes how to delete one or more accounts associated with an application.
Procedure
1.
From the Account panel, select an application and click the
click the wanted user account and click Delete.
button or right-
• A warning message appears.
2.
Read this message carefully. If you agree, click YES.
• The account is deleted.
If many accounts are associated with an application, the account line will be
deleted. If you delete the last account, <not registered> will be displayed in place
of the login name.
25
2.6.7 Displaying User Account Password
Restriction
"Access Strategy" Tab of an Application Profile Object—Description.
Procedure
1.
button or
right-click the wanted user account and click Show password.
• The re-authentication window appears.
2.
Log on using your Windows user account.
3.
Click Close.
2.6.8 Delegating a User Account
Restriction
"Delegation" Tab of an Application Profile Object—Description.
26
Administrator Guide
Procedure
1.
right-click the wanted user account and click Delegate.
button or
• The Account Delegation window appears.
2.
In the User name field, type the name or a part of the user name and click
Search.
• The list of users that have been found in the directory appears.
3.
4.
Select the user to whom you want to delegate the account.
Select a start and an expiration date and click Delegate.
• The account is delegated to the selected user from the start date until the
expiration date.
2.7 Disabling/Enabling SSO for Applications
Subject
By default, SSO is enabled for all the applications listed in the SSOWatch Engine
Account panel.
You can disable SSO for an application in a permanent way, or only for the current SSO
session, as explained in the following procedure.
In Access Collector mode, the SSO is automatically disabled for the applications for
which the account has been collected.
27
Procedures
Disabling SSO for an Application
•
To disable SSO for an application during the SSO session:
In the Account panel, right-click the wanted application and select Disable the
application.
• The SSO is disabled for the application during the SSO session. At
SSOEngine restart, the SSO will be enabled again.
•
To permanently disable SSO for an application:
a)
Set the following registry key to DWORD 1:
Software\Enatel\SSOWatch\CommonConfig\StoreIfApplicationIsDis
abled
b)
In the Account panel, right-click the wanted application and select
Disable the application.
• The SSO is permanently disabled for the application: the application stays
disabled even if the SSOEngine is restarted.
Enabling SSO for an Application
In the Account panel, right-click the wanted application and select Enable the
application.
If you have several disabled applications and want to enable all of them at the
same time, select Enable all applications.
2.8 Starting SSOStudio Personal
Subject
SSOStudio Personal is the SSOWatch configuration editor which allows you to describe
the applications for which you want SSOWatch to enable Single Sign-On.
In Access Collector mode, the access to SSOStudio Personal is forbidden.
Procedure
To start SSOStudio Personal from the Account panel, right-click any application and
select Open SSOStudio.
• You can also open SSOStudio Personal from the Start menu, or from the
SSOWatch Engine pop-up menu.
• This menu command is disabled if SSOStudio Personal is not installed on the
workstation, or if SSOWatch is used in Access Collector mode.
28
Administrator Guide
2.9 Starting an Application
Subject
To start an application from the Account panel, follow the procedure below.
Procedure
In the Account panel, right-click the wanted application and select Start Application.
The application starts and SSOWatch Engine performs SSO.
You can also log on to the application with one of the accounts by double-clicking
the desired account in the SSOWatch Window.
2.10 Creating a Shortcut for an Application
Subject
You can create shortcuts for applications from the Account panel, as described in the
following procedure.
Procedure
In the Account panel, right-click the wanted application and select Create Shortcut.
A shortcut for the selected application is created on your Windows desktop.
2.11 Removing the Icon from the Notification Area
Subject
Once SSOWatch is started, an icon appears in the Windows notification area. In certain
cases, it is preferable to remove this icon:
•
•
To prevent the user from seeing the application list.
In a Citrix Metaframe/Windows Terminal Server environment, when published
applications are used in conjunction with SSOWatch, an icon representing
SSOWatch running on the server appears on the client PC notification area (in
addition to any local SSOWatch which may be running).
29
Procedure
To remove the icon, do one of the following:
The first key has precedence over the second. The /notrayicon command line has
precedence over the Registry.
•
•
In the SSOWatch Engine command line (see Section 2.3.1, Starting
SSOWatch Engine), add the parameter /notrayicon.
In the Registry, create a non-null DWORD type entry called NoTrayIcon in one
of these keys:
HKLM\SOFTWARE\Policies\Enatel\SSOWatch\CommonConfig
HKLM\SOFTWARE\Enatel\SSOWatch\CommonConfig
30
Administrator Guide
3. Configuration Editor: SSOStudio
Subject
SSOStudio is the SSOWatch configuration editor. It allows you to describe the
applications for which you want SSOWatch to enable Single Sign-On or account collect
(in Access Collector mode), but which could not be configured through the SSOWatch
Wizard (as explained in the see Appendix Enterprise SSO—Getting Started with
SSOWatch).
Additionally, for those applications that have been configured using SSOWatch Wizard,
SSOStudio enables you to modify or enhance their configuration.
In case SSOWatch used in Access Collector mode, SSOStudio allows the administrator
to configure all the enterprise applications for the users, so that users' account can be
automatically collected in the users' directory.
SSOStudio provides an easy-to-use graphic interface for defining configuration
parameters. It is dedicated to application administrators, or to "super-users" who have
access to all necessary parameters.
The defined application parameters result in the creation of a unique SSOWatch Engine
configuration file. You can define as many applications as needed; SSOWatch manages
each application totally independently of others.
Application Definition
An application is defined by:
•
•
Its properties, such as acceptable password formats, its behavior as seen by
the SSO engine of SSOWatch, the accounts that the user will use to connect
to the application.
The windows displayed to the user and relating to authentication or password
management. These windows may be HTML pages from a web application.
SSOStudio Types
The two following SSOStudio types are available:
•
•
SSOStudio Enterprise: the application configuration is shared by a
number of users.
SSOStudio Personal: the application configuration is dedicated to a single
user. It is automatically accessible on opening SSOStudio Personal.
SSOStudio Personal is not available in Access Collector mode.
31
Storage Modes
The SSOStudio (Enterprise or Personal) configuration can be stored in the Windows
registry (file storage mode) or in the LDAP directory (LDAP storage mode).
The storage mode is defined during the installation phase.
•
In LDAP storage mode, centralized configuration is defined in the LDAP
directory for which SSO access is either authorized or denied for a given user
or group of users.
The Access Collector mode works only in LDAP storage mode.
•
In local storage mode, the configuration is saved in a file in the Windows
registry.
In Enterprise mode, the administrator may create as many configurations as
he or she wishes, and each configuration is saved in a file.
Operating Modes
Enterprise SSO can be installed in two different modes: Standalone mode and
Console mode.
•
In Standalone mode, the configuration of applications can entirely be done
with SSOStudio.
The Access Collector mode works only in standalone mode.
•
In Console (Client/Server) mode, the configuration of applications is only
partly done with SSOStudio: the technical definition of applications can be
done with SSOStudio, but the application definition must be terminated from
the Enterprise SSO administration console (see Appendix Enterprise SSO
Console Administrator Guide).
3.1 Interface Overview
Main Window Interface
SSOStudio presents target application parameters as SSO objects organized into a tree
structure.
SSOStudio enables you to create, modify or delete objects and to store them in an
LDAP directory (LDAP mode) or in an SSOWatch configuration file (local storage
mode). It is a "single-document" application, which means that only one configuration
can be edited at a time.
•
32
In SSOStudio Enterprise used in LDAP storage mode, the displayed tree
corresponds to the associated LDAP directory defined at initialization time, as
illustrated in the following example figure (interface example of SSOStudio
Enterprise used in LDAP storage and Console mode).
Administrator Guide
The objects may be created anywhere the administrator has object-creation rights.
The LDAP administrator is responsible for ensuring that the structure has a
branch reserved for the management of Enterprise SSO objects.
As the objects will be created directly in the LDAP directory, the directory must
be accessible when SSOStudio is being used.
•
In SSOStudio Enterprise used in local storage mode, or in SSOStudio
Personal, the tree displayed is not linked to an LDAP directory, as illustrated in
the following example figure (example interface of SSOStudio Personal).
In local storage mode, the configuration is defined with a root node called
Local SSOWatch Configuration, to which two other nodes are attached.
These are called Applications and Configuration Objects, and are used for
E-SSO object declarations.
33
Main Window Areas
The SSOStudio main window is composed of:
•
•
A menu bar.
A toolbar offering shortcuts to some menu bar options, as described in the
following table. The toolbar appearance depends on the SSOStudio mode
used (Standalone/Console, LDAP/File storage, Personal/Enterprise).
SSOSTUDIO MODE
Common buttons
BUTTON
DESCRIPTION
(SSOStudio Enterprise only)
Creates a new SSO configuration.
Opens an existing SSO configuration.
Cuts the selected item.
Copies the selected item.
Pastes the selected item.
Displays the properties of the selected item.
(LDAP storage mode only)
Refreshes the displayed LDAP directory.
Deletes the selected item.
Renames the selected item.
Standalone mode
buttons
Creates a new Application.
Creates a new Window object.
Creates a new Application profile.
Creates a new PFCP.
Opens the SSO Settings by Population window, which
allows you to define the population allowed to access
the application.
Saves the configuration.
Console mode
buttons
Creates a new Technical Definition.
Saves the Directory modifications.
Tests the selected SSO.
34
Administrator Guide
SSOSTUDIO MODE
BUTTON
DESCRIPTION
Adds the selected item to the test list
Removes the selected item from the test list.
•
A workspace showing a tree structure that allows you to select elements and
to perform actions directly by double-clicking the objects or using a popup
menu.
3.2 Starting and Stopping SSOStudio
This section explains how to start and stop SSOStudio Enterprise or SSOStudio
Personal.
3.2.1 Starting SSOStudio
Subject
The following procedure explains how to start SSOStudio Enterprise or SSOStudio
Personal.
Procedure
Starting SSOStudio Using the Windows Taskbar
1.
In the Windows taskbar, click one of the following, depending on the
SSOStudio operating mode you want to open:
• For SSOStudio Enterprise:
Start | Programs | Quest Software | Enterprise SSO | Enterprise
SSOStudio
• For SSOStudio Personal:
Start | Programs | Quest Software | Enterprise SSO | Personal
SSOStudio
• An authentication window appears.
2.
Fill-in the authentication window and click OK.
• SSOStudio appears.
Starting SSOStudio Using Command Line Arguments
3.
The following table lists the command line arguments that you may use to start
SSOStudio (builder.exe):
BINARY
ssobuilder.exe
ARGUMENTS
• /user: starts Personal SSOStudio
• /wizard: starts the SSOWatch wizard.
35
3.2.2 Stopping SSOStudio
Subject
The following procedure explains how to stop SSOStudio Enterprise or SSOStudio
Personal.
Procedure
In the File menu, click Exit.
3.3 Creating or Opening a Configuration
Subject
In SSO Studio Enterprise used in local storage mode, you can create as many
configurations as you wish (each configuration is saved in a different).
This section explains how to create a new configuration, or open an existing one.
In local storage mode, the configuration file to be used may be specified during
installation. For more information, see Appendix Enterprise SSO Advanced
Installation and Configuration Guide.
Restriction
The functionality described in this section is only available in SSOStudio Enterprise
used in local storage mode.
Procedure
•
To open an existing configuration:
a)
In the File menu, click Open.
• The Explorer window appears.
b)
Select the configuration you want to open and click OK.
• The selected configuration appears in SSOStudio main window.
•
To create a new configuration:
In the File menu, click New.
• SSOStudio displays the default configuration.
36
Administrator Guide
3.4 Configuring General SSO Parameters
Subject
The following procedure explains how to define the general SSO configuration parameters.
Restriction
The configuration described in this section is only available in SSOStudio Enterprise
used in local storage mode.
Procedure
1.
In the Edit menu, click Configuration:
• The Performance tuning area allows you to set the window detection timing.
• The Security Parameters area allows you to define permissions.
2.
Fill-in the window and click OK to save the configuration and close the
window.
3.5 Defining PFCP and Application Profiles
If you use SSOStudio Enterprise in standalone mode or SSOStudio Personal, you can
define the following configuration properties:
•
•
The Password Format Control Policies (PFCP).
The Application profiles.
In Console mode, this configuration can be performed with the Enterprise SSO
administration console (see Appendix Enterprise SSO Console Administrator Guide).
37
3.5.1 Defining Password Format Control Policies (PFCP)
Subject
This section explains how to create or modify a PFCP for the applications for which you
want to activate the SSO.
A default PFCP configuration exists in SSOStudio: you can modify it or create a new one.
Restriction
The PFCP configuration is only available if you use SSOStudio Enterprise in
standalone mode or SSOStudio Personal. In Console mode, the PFCP configuration
must be done with the administration console (see Appendix Enterprise SSO Console
Administrator Guide).
Procedure
1.
In the SSOStudio main window, do one of the following, depending on the
action you want to perform:
• To create a new PFCP, right-click the Configuration objects node and click
New PFCP.
• To modify an existing PFCP, right-click the PFCP you want to modify and
click Properties.
• The password policy properties window appears.
2.
Fill-in the window as described in the following sections:
• For basic parameter definition, fill-in the "Password Management Policy" tab:
see Section 3.5.1.1, "Password Management Policy" Tab—Description.
• For advanced parameter definition, fill-in the "Password Format Policy" tab:
see Section 3.5.1.2, "Password Format Policy" Tab—Description.
3.
38
Click OK to save the configuration and close the window.
Administrator Guide
3.5.1.1 "Password Management Policy" Tab—Description
The Password Management Policy tab allows you to define the following PFCP
elements:
•
Password Policy
The PFCP name.
•
New Password generation policy
The behavior required when the user is prompted for password change:
Automated password generation or user prompts for a password compatible
with the PFCP.
•
Advanced
• The "invalid password" string is the string or text that the application sends to
indicate that the password is not valid. If the security system is provided with
this string for SSO use, it prompts the user for a new password.
• The period for which a password is valid.
• The number of old passwords retained.
39
3.5.1.2 "Password Format Policy" Tab—Description
The Password Format Policy tab allows you to define the following elements:
•
Password Format
Defines how a valid password is created: minimum and maximum password
lengths, and the minimum and maximum number of upper-case letters, lowercase letters (excluding accented characters), numbers, or special characters
that should make up a valid password.
The special characters supported by SSOWatch are listed in the following table:
&
~
"
#
'
{
(
[
-
|
`
£
_
\
@
)
°
]
=
+
}
$
%
*
,
?
;
.
:
/
!
Accented characters are not allowed.
•
40
Forbidden characters
List of forbidden characters.
Administrator Guide
•
Advanced
Specifies the maximum number of occurrences of a given character in a
password.
•
Test Password Generation button
This button allows you to see an example of a password generated using the
rules you have configured.
3.5.2 Defining the Application Profiles
Subject
Application profiles are security objects that define a set of rights and properties that are
applied generically for one or more applications.
This section explains how to configure the application profiles for the applications for
which you want to activate the SSO.
A default Application profile configuration exists in SSOStudio: you can modify it or
create a new one.
Restriction
The Application profile configuration is only available if you use SSOStudio Enterprise in
standalone mode or SSOStudio Personal. In Console mode, the Application profile
configuration must be done with the administration console (see Appendix Enterprise
SSO Console Administrator's Guide).
Procedure
1.
• To create a new Application profile, right-click the Configuration objects
node and click New Application Profile.
• To modify an existing Application profile, right-click the Application profile you
want to modify and click Properties.
• The application profile properties window appears.
2.
Fill-in the window as described in the following sections:
• For the Properties tab, see Section 3.5.2.1, "Properties" Tab of an
Application Profile Object – Description.
• For the Access Strategy tab, see Section 3.5.2.2, "Access Strategy" Tab of
an Application Profile Object—Description.
• For the Delegation tab (only if you use SSOStudio Enterprise in standalone
and LDAP storage mode), see Section 3.5.2.3, "Delegation" Tab of an
Application Profile Object—Description.
3.
Click OK to save the configuration and close the window.
41
3.5.2.1 "Properties" Tab of an Application Profile Object – Description
The Properties tab allows you to manage the following parameters:
•
Application Profile
The name of the Application profile.
•
Password Policy
The PFCP to be applied to this application profile
•
SSOWatch Desktop options
This area allows you to define the application visibility:
• Whether the application must be added to the user’s SSOWatch dashboard.
• Whether the application is to be launched simultaneously with SSOWatch.
42
Administrator Guide
3.5.2.2 "Access Strategy" Tab of an Application Profile Object—Description
The Access Strategy tab allows you to manage the following parameters:
•
Credential storage
By default, data is stored in the directory; for architecture with tokens, data
may be stored in tokens.
•
Single Sign-On Policy
a)
Users must re-authenticate
Before each SSO, the user must confirm the primary password, PIN or
biometric identity.
b)
Users can modify account
Data may be modified. If unchecked, the user will not be allowed to
change the password through the user account management screen.
(This option is selected by default).
c)
Users can display password
The password may be displayed. The user may ask for the password to
be displayed. If this is the case, the user will be asked to re-authenticate.
d)
Users can cancel Single Sign-On
This configures the options availabe to the user when performing data
collection, or choosing between multiple accounts through the SSO engine.
All of these screens have OK and Cancel buttons, as well as the option
Disable SSO for this application.
Select this check box to allow users to cancel the SSO authentication
process with the Applications associated with the Security Profile:
• For the current session only:
The user can cancel the SSO authentication process for the whole current
session.
43
• For the application (until reset):
The user can cancel the SSO authentication process for the current
application.
• For the current window only:
The user can cancel the SSO windows, but SSOWatch continues to detect
windows associated with the application.
Clear this check box to prevent the users from cancelling SSO windows:
the user cannot Cancel (button grayed out). However, if an error occurs
(for instance, when the password is saved in a remote system), the
Cancel button will be reactivated.
•
Account Security Options
This area only appears if you use SSOStudio Enterprise in standalone and
LDAP storage mode. It allows you to select the way the Accounts are
ciphered. In the drop-down list, select one of the following entries:
a)
User: if you select this entry, only the user can decipher his account.
This is the most secure option.
If the user forgets his/her primary password or loses his/her smart card, it is
impossible to recover his/her secondary accounts.
44
b)
User, administrators: if you force a new primary password or assign a
new smart card using Token Manager, the user's secondary accounts
are also recovered.
c)
User, administrators and an external key: select this entry to allow an
external application to decipher the user's secondary accounts using a
public key. For example, you must select this entry if you want to use
Enterprise SSO with Web Access Manager. By selecting this entry, you
allow Web Access Manager to decipher the Enterprise SSO secondary
accounts of the user so that Web Access Manager can perform SSO with
these accounts.
Administrator Guide
3.5.2.3 "Delegation" Tab of an Application Profile Object—Description
The Delegation tab is only available if you use SSOStudio Enterprise in standalone and
LDAP storage mode.
The Delegation tab allows you to define the methods for delegating accounts to users:
•
•
•
•
•
Authorize delegation to everybody.
Authorize delegation to a member of the same user group.
Authorize delegation to a member of the same organizational entity.
Advanced mode: person/group/organizational entity.
Authorize the delegated user to change passwords: the delegated user is
authorized to modify the password for the delegated account.
3.6 Defining Application and Technical Definition
Objects
This section explains how to create and define Application and Technical definition objects.
•
In standalone mode, SSOStudio allows you to entirely configure Application
objects.
An application object implies the definition of:
• An application name as shown in SSOStudio and in SSOWatch Engine, and
some options regarding the access rights for this object.
• Parameters that associate this application with the SSO data in the security
system.
• Access strategy (in registry or personal configuration modes), or assignment
to user groups (in LDAP mode); the application profile should be defined for
each association to a user group.
45
SSOStudio allows you to create application objects with some pre-defined
parameters for SAP and Windows applications: see Section 3.6.1.1, Creating
a New Application Object or Technical Definition.
•
In Console mode, SSOStudio allows you to configure Technical Definitions.
A Technical definition object is a technical description of an application that
allows you to use an application, and particularly to produce single sign-on in a
Enterprise SSO environment. The application configuration must then be
completed in the administration console (see Appendix Enterprise SSO
Console Administrator Guide).
3.6.1 Creating/Modifying Application Objects and Technical
Definitions
3.6.1.1 Creating a New Application Object or Technical Definition
Subject
For Application objects, SSOStudio allows you to use templates to create SAP and
Windows application objects.
The Template Application item allows you to create an Application object with a number
of pre-defined parameters. They should be used for specific authentication scenarios.
The predefined template applications are:
•
•
SAP, for SAP R/3 application authentication (for more details, see Section 6,
The SAP R/3 Plug-in).
Windows, for authentication to an external LDAP directory.
Template applications are managed in the same way as Application objects. They
enable the single sign-on function for specific authentication procedures. A template
application has a number of predefined parameters.
The following procedure explains how to create a new technical definition or application
(with or without template).
Procedure
1.
• To create a new application or technical definition:
• Right-click the node where you want to create a new Application or Technical
Definition and click New Application or New Technical Definition.
• To create a new application using a template:
Click the node where you want to create a new template application and in
the Edit menu, click New Template-based Application/SAP or Windows.
• The Application properties window appears.
2.
46
Fill-in the Application properties window (or modify it in case of template
application) as described in Section 3.6.2, Filling-in the Application Properties
Window.
Administrator Guide
3.6.1.2 Modifying an Application Object or Technical Definition
Configuration
Subject
The following procedure explains how to modify the properties of an existing Application
Object or Technical Definition
Procedure
1.
In the SSOStudio main window, right-click the Application or Technical
Definition you want to modify and click Properties.
2.
Fill-in the Application properties window as described in Section 3.6.2, Fillingin the Application Properties Window.
• The Application properties window appears.
a)
For Application objects, fill-in the following tabs:
• Properties: see Section 3.6.2.1, "Properties" Tab of an Application Object.
• Account base: see Section 3.6.2.3, "Account Base" tab of an Application
Object.
• Launcher: see Section 3.6.2.4, "Launcher" Tab.
• Parameters: see Section 3.6.2.5, "Parameters" Tab.
• Application Profile: see Section 3.6.2.6, "Application Profile" Tab.
b)
For Technical Definition objects, fill-in the following tabs:
• Properties: see Section 3.6.2.2, "Properties" Tab of a Technical Definition
Object.
• Launcher: see Section 3.6.2.4, "Launcher" Tab.
• Parameters: see Section 3.6.2.5, "Parameters" Tab.
47
3.6.2 Filling-in the Application Properties Window
3.6.2.1 "Properties" Tab of an Application Object
The Properties tab described in this section only appears if you use SSOStudio
Enterprise in standalone mode, or SSOStudio Personal.
The Properties tab of an Application Object allows you to define the basic parameters
of an Application.
•
Application Name
This field will be shown in the objects tree of SSOStudio and in the data
collection and account management dialog boxes of SSOWatch Engine.
•
Session management
Indicates whether all the application’s windows depend on the same
application instance.
•
OLE/Automation
Grants OLE/Automation access to this application (and all the associated
security objects). For further security, you can enter a password for which OLE
clients will be prompted. For more information, see Section 10.,
"OLE/Automation Interface".
•
Options
• Enable this application (this option is selected by default)
If this option is cleared, SSOWatch Engine will ignore this application. This is
used to temporarily disable an application without deleting it from the
configuration file.
48
Administrator Guide
• Try previous password when "bad password" windows detected
If this option is selected, the fields are filled with the last valid password at
"bad password" detection (this can be useful if the password change is not
immediately taken into account by the application).
• User must provide credentials
This check box only appears in Access Collector mode.
If this check box is cleared, the user will be able to cancel the collect (or the
bad password) window that appears when he/she launches an application.
3.6.2.2 "Properties" Tab of a Technical Definition Object
The Properties tab described in this section only appears if you use SSOStudio
Enterprise in Console mode.
The Properties tab of a Technical Definition object allows you to define the basic
parameters of a Technical definition.
•
Identification
The Technical reference name. This field will be shown in the objects tree of
SSOStudio.
•
Session management
Indicates whether all the application’s windows depend on the same
application instance.
•
Try previous password when "bad password" windows detected
If this option is selected, the fields are filled with the last valid password at
"bad password" detection (this can be useful if the password change is not
immediately taken into account by the application).
49
3.6.2.3 "Account Base" tab of an Application Object
The Account Base tab only appears if you use SSOStudio Enterprise in standalone
mode, or SSOStudio Personal.
The Account base tab allows you to define the Account Base associated with an
application. An Account is a username/password pair that allows connection to an
application. There is also an account parameter that can store complementary
authentication data; for instance, a Windows Domain name is a complementary
parameter of a Windows account.
The account name is internal to SSOWatch: it is used to store and retrieve security data
and to give a user-friendly name to this data. A user-friendly name is particularly useful
when using multiple accounts: you can give names like "Notes Admin" or "Notes User" if
a Notes user is also the administrator.
Accounts are global: they are shared by applications and by SSOWatch
configurations, because they refer to objects stored in the security system storage
and which are bound to the user.
•
•
In most cases, one single account is associated with an application. It is called
a Standard account.
In some cases, it is possible to use the Windows username and password to
perform SSO to an application. An example is the Windows Terminal Server
login. To use this security credential in SSO, you must associate the Primary
Authentication Identifier with the application (check the corresponding
option). The Windows username can be used in different formats:
• Short name: username only.
50
Administrator Guide
• Windows 2000 (and later): Username including the Windows domain, for
instance: [email protected].
• NT 4: Username preceded by NETBIOS domain, for instance:
QUEST\jsmith.
•
Share Account Base with Another Application: for this, indicate in an
application that you consider as account reference, the applications authorized
to use this reference base.
You can also share an account base between two Applications using command
line arguments. This feature may allow you to create batch files to automate this
task. You can combine this feature with the possibility of importing objects using
command lines, which is described in Section 3.9.2, Importing Objects using
Command Line Arguments (Standalone Mode only).
Before Starting
•
•
The Applications must be created.
Close the SSOStudio graphical interface.
Procedure
To share an Account base, at the Windows prompt, type the following command:
<SSOWatch installation folder> [/login <name>]
[/password <password>] /share <MasterApplication> <SlaveApplication>
Arguments into square brackets [ ] are optional.
Where:
ARGUMENT NAME
VALUE
<SSOWatch installation
folder>
"C:\Program Files\Quest Software\E-SSO\SSOBuilder.exe"
by default.
/login <name> and
/password <password>
Login name and password of the E-SSO administrator.
• Use the format DOMAIN\login.
• If the login name and password of the
administrator are not specified, the SSOStudio
authentication window will appear.
The administrator account used to run the import
must have
/share <MasterApplication>
<SlaveApplication>
• <MasterApplication>: name of the Application owning
the Account base to share.
• <SlaveApplication>: name of the Application that will
use the Account base.
This parameter works only with Application objects.
51
Example:
The following command allows you to share the Account Base AB1 owned by APP1
with APP2:
/login DOMAIN\WGAdmin /password AdminPWD /share APP1 APP2
•
External Names: this button only appears if you use SSOStudio Enterprise in
standalone and LDAP storage mode. It allows you to define a mapping
between the Enterprise SSO application that you are configuring and the
name of an external application that must be identified by Enterprise SSO.
This option is particularly useful to integrate Web Access Manager with
Enterprise SSO. For example, if you are defining an application called
MyHTMLApplication that already uses Web Access Manager Account Bases,
click this button and in the displayed window, enter the names of the Web
Access Manager Account Bases defined for this application. By this way,
Enterprise SSO will be able to use these Web Access Manager Account
Bases to perform SSO with this application.
Each external application name must be unique in the directory.
3.6.2.4 "Launcher" Tab
The Launcher tab is used to define how SSOWatch Engine may start an application.
52
Administrator Guide
This window allows you to define the following parameters:
•
Change Icon button
The icon associated with the application, which will be displayed in SSOWatch
Engine.
•
Application description for user
The application description, which will be displayed in SSOWatch Engine.
•
Target
The command line or URL (for web applications), which opens the application.
•
Start in folder
The directory where the command line should start.
•
Command line parameters
The SSO parameters to be sent to the command line, if necessary.
The Insert button insert in the command line the item selected in the list
(identifier/password).
3.6.2.5 "Parameters" Tab
Parameters Tab of an Application Object (Standalone Mode only)
Subject
The Parameters tab allows you to add a list of additional authentication parameters (as
Windows Domains or Languages for example). These parameters will enable you to
define more fields than simply the couple of fields user name/password of the target
application authentication window.
53
Window Description
•
Add button: click this button to add a parameter. The following window
appears:
• To add an existing parameter, select it and click OK.
In standalone mode, the parameter Windows Domain must be used only with
Applications that may use Enterprise SSO Advanced Login.
• To create a new parameter, type its name in the Name field and click Add.
• To delete or rename an existing parameter, select it and click Delete or
Rename.
• To define an External Name for a parameter, select the wanted parameter
and click External Name. For more information, see Managing External
Names below.
•
•
54
Delete button: select a parameter and click Delete.
Properties button:
Select a parameter then click this button to define the properties of the
selected parameter.
Administrator Guide
a)
Description: mandatory description of the parameter for a better
understanding.
b)
Parameter type:
• Default: the value of the parameter is collected for each SSO account and
can be modified by the user.
• Global: the value of the parameter is the same for all SSO accounts and is
not proposed to the user.
• Rule: the value is dynamically defined as a user data function, and cannot be
changed.
c)
Value: this is the default value assigned to the parameter. If nothing is
entered here, it will be requested at first authentication (data collection)
as a function of the parameter type defined previously.
If you have selected Rule in the Parameter type area, between
parentheses, get the exact LDAP attribute name (using an LDAP
browser) and type it in the Value field. For example, type (mail) to
indicate that the parameter value is the user's mail address.
• If you want to add several LDAP attributes, type them one after another,
without comma. Example: (mail)(dn).
• You can be more specific about the parameter value by using the following rules:
To keep only the first n characters of the LDAP value, use the syntax
(attLDAP,n).
Three functions are used to handle LDAP values: UPPER, LOWER and
CAPITALIZED. Example: UPPER(mail,10) will return the first 10 characters of
the user's mail address in upper case.
Managing External Names
This window appears when you click the External Name button. It allows you to define
a mapping between the parameter that you are configuring within Enterprise SSO and
the name of an external parameter (created using another SSO tool) that must be
identified by Enterprise SSO.
This option is particularly useful to integrate User Provisioning or Web Access
Manager with Enterprise SSO.
55
"Parameters" Tab of a Technical Definition Object (Console Mode only)
Subject
The Parameters tab allows you to add a list of additional authentication parameters (as
Windows Domains or Languages for example). These parameters will enable you to
define more fields than simply the couple of fields name/password of the target
application authentication window.
• The list of authentication parameters for the technical reference must be
coherent with the parameters defined at the application level.
• The creation of an application is described in Appendix Enterprise SSO
Console Administrator Guide.
56
Administrator Guide
Window Description
•
Add button: click this button to add a parameter:
To add an existing parameter, select it and click OK.
The parameter called Windows Domain (which is created upon the installation of
the Enterprise SSO suite), must be used only in Standalone mode.
To create or modify listed parameters, use the Enterprise SSO console. For
details, see Appendix Enterprise SSO Console Administrator Guide.
•
•
Delete button: select a parameter and click Delete.
Properties button: this button is always disabled.
3.6.2.6 "Application Profile" Tab
By default, every user is authorized to access the application. The Application Profile
tab allows you to define the application profile, with an access right granted to all the
users by default.
In LDAP storage mode and Personal mode, only one profile may be assigned per
application.
57
To allow the user to dynamically create new accounts from SSOWatch Engine module,
select User can create additional accounts.
3.6.3 Defining Advanced Access Rights
Subject
SSOStudio allows you to define advanced management of access rights, as explained
in the following procedure.
Restriction
The SSO setting by population window is only available in SSOStudio Enterprise used
in standalone and LDAP storage mode.
Procedure
1.
In the SSOStudio main window, right-click the application for which you want
to define advanced access permissions and click SSO Settings by
population.
• The SSO Settings by population window appears.
2.
58
Fill-in the window as described in the following Window Description section.
Administrator Guide
Window Description
The SSO settings by population window allows you to define the population (user,
organizational group or units) that you want to access the application. It is necessary to
assign an application profile to each one.
If several profiles are associated with a user, priority is given to the profile:
1.
2.
User.
Group.
If there are several groups, the notion of priority indicated on the interface is
applied. This is dedicated only to groups (with 0 as the highest priority level).
3.
Organizational Unit.
59
3.7 Defining Window Objects
Subject
Window objects are subordinated to Application or Technical definition objects. They
can only exist if they are associated with an application object.
Procedure
1.
In the SSOStudio main window, right-click the application for which you want
to define a window object and click New Window.
• The Window Properties window appears.
2.
Fill-in the Window Properties window tabs as described in the following
sections:
• For the General tab, see Section 3.7.1, "General" Tab.
• For the Options tab, see Section 3.7.2, "Options" Tab.
• The Detection and Actions tabs are described in the sections of this guide
that are related to the "plug-in types", as their content depends on the
selected window type.
3.7.1 "General" Tab
The General tab allows you to give a name to the window object and to set its type. The
type cannot be modified once the window has been created.
60
Administrator Guide
•
Window Name
By default, this field is automatically filled in with the name of the selected Window
Type. It is recommended to enter a name clearer than the default name.
•
Window Type
Displayed Window types are loaded from the different SSOWatch plug-ins.
The following table shows the window types provided by the different plug-ins
and their associated technology:
The Window Type Description area displays the description of the selected
window type.
WINDOW TYPE
TECHNOLOGY
BEHAVIOR
DESCRIPTION
Generic Windows
StandardLogin
Win32/Java
Login
BadPassword
Win32/Java
BadPassword
NewPassword
Win32/Java
NewPassword
BadNewPassword
Win32/Java
BadNewPassword
ConfirmPassword
Win32/Java
ConfirmPassword
Terminal
Terminal
All
HTML Pages (reserved for old versions. Do not use to detect new windows)
IELogin
Win32
Login +
BadPassword
HTTP authentication
window
HTMLLogin
HTML/IE
Login
HTMLBadPassword
HTML/IE
BadPassword
Authentication in HTML
pages
HTMLNewPassword
HTML/IE
NewPassword +
ConfirmPassword
HTMLBadNewPassword
HTML/IE
BadNewPassword
CustomScript
Win32
All
Graphic scripts
enabling customized
SSO creation
CustomScriptHTML
HTML/IE
All
Graphical scripts
allowing customized
SSO creation for web
applications under
Internet Explorer.
MSTelnet
Terminal
All
MSTelnetW2KXP
Terminal
All
Customizable Window Types
Microsoft Applications
Not supported.
Telnet Microsoft for
Windows 2000 and XP
61
WINDOW TYPE
TECHNOLOGY
BEHAVIOR
DESCRIPTION
Lotus Notes Windows
NotesLogin
Win32
Login
Lotus 4.x and 5.x
authentication
SAPLogin
Win32
Login
SAP R/3 Authentication
SAPExpired
Win32
NewPassword
SAPGUI Scripting
Win32
Login
HLLAPI Login
Win32
Login
HLLAPI Bad Password
Win32
BadPassword
HLLAPI New Password
Win32
NewPassword +
LoginNewPassword
HLLAPI Confirm
Password
Win32
ConfirmPassword
HLLAPI Bad New
Password
Win32
BadNewPassword
HLLAPI Standard
Win32
SAP Windows
Plugin HLL API Windows
62
Authentication for SAP
R/3 version 6.20
Administrator Guide
3.7.2 "Options" Tab
The Options tab allows you to define the following properties:
•
•
•
Specific detection conditions to trigger the single sign-on when the window
appears (Detection criteria area).
SSOWatch Engine execution options to carry out SSO (Execution Options area).
Advanced SSO options (Advanced options area).
3.7.2.1 Detection Criteria Area
Use language criteria
This option allows you to trigger the single sign-on only if the selected language is one
of the input languages installed on the computer. This option can be useful to optimize
response times.
Procedure
1.
2.
In the Windows Control Pane, double-click Regional and Language Options
to display the input languages installed on the computer.
In the Languages tab, click Details.
63
3.
4.
Click the Configure button to select the wanted system languages.
Select Show local language variants to display the speech communities of
each language.
Use SSO State criteria
This option allows you to trigger the single sign-on only if the selected SSO states are met.
This option is particularly useful for the Customizable Window Type (Custom
Script type).
Click the Configure button to select the conditions of the window activation depending
on the state of the application. For details, see table below:
OPTION NAME
DESCRIPTION
The window is always detected
This option is selected by default: the window is
always detected and processed by SSOWatch
Engine, without any condition.
SSO has not been performed
Select this option to trigger SSOWatch Engine only if
the SSO operation has not been done. With this
option, SSOWatch Engine can perform SSO upon the
first detection of the window, then, as long as the
application runs, this window is no longer detected.
SSO has been performed and
the password is valid
The window is detected and processed by SSOWatch
Engine only if the SSO operation has been done with
a valid password.
SSO has been performed and
the password has expired and
must be changed
This option depends on the password validity period
parameter (defined in the PFCP properties window).
This window is detected and processed only if the
SSO operation has been done and that the password
validity period has expired.
The password has been refused
and resynchronized
(BadPassword)
These options can be particularly useful for
applications that use several authentication windows
that you have defined using custom scripts. For
example, if you have to define the following windows
for the same application:
A new password has been
provided but not confirmed
The new password has been
confirmed
A new password has been
refused (after a rollback)
• A custom bad password window.
• A custom new password window, which contains
only a field for the old password and a field for the
new password.
• A custom password confirmation window, which
contains a field to confirm the new password.
• A custom bad new password window, which
appears when the user enters a wrong new
password.
To avoid inopportune detection and processing of
these windows by SSOWatch Engine, select for each
window, the appropriate option in the Application
State Conditions window.
64
Administrator Guide
Example of use with the "SSO has been performed and the password has expired and
must be changed" option.
To display automatically the change password window of an application, do the
following:
We consider in the following example that the change password window appears
when you click a button.
Procedure
1.
2.
3.
In SSOStudio, create the Application object (for details, see Section 3.6,
Defining Application and Technical Definition Objects.
From this object, define the Login and Change Password windows (for details,
see Section 3.7, Defining Window Objects.
Define the Password Expire window , with the following guidelines:
• In the General tab, select Custom script (Window type).
• In the Options tab, select Use SSO state criteria, then click the Configure
button and select SSO has been performed and the password has
expired and must be changed.
• Detection tab: drag and drop the target button to the window where the
Change Password button is located.
• Fill in the Actions tab as follows:
The Password Expire window is a virtual window, which allows you to display
automatically the Change Password window when the password has expired.
65
3.7.2.2 Execution Options Area
Activate window masking
This option allows you to hide the window of an application by an SSOWatch window
displaying a customizable text. You can use this option if you do not want that the user
sees his/here login/password for example.
Do not disable the window during SSO
This option is useful with custom script windows only. It allows you to set the focus on
the custom script window in case of focus issues.
Interpret reappearance of login window as meaning 'bad password'
Select this option for login windows that display at least twice in case of bad
login/password values. This is the case for the authentication window used by Internet
Explorer to login restricted areas for example:
66
Administrator Guide
3.7.2.3 Advanced Options area
Select the checkboxes to activate the following actions:
Do not disable the window during SSO and Do not disable the window when
asking for user input
Select these options so that the user can interact with the window detected during SSO.
This is only relevant for IE and Firefox.
Use alternative field detection method. Activate this if the contents of the web
page are not always identical. This can be slower than the default method.
Select this option so that:
•
•
The window definition for IE 6, 7 and 8 is the same for the three of them.
If the web page is modified, SSO is still executed.
• If this option slows down the window detection then you must select one
window for each IE version.
• You must start the configuration over again if you select this option.
Try to use for Firefox. If this definition is for Internet Explorer, it will also be used
for Firefox. Note: this option may not work with all web pages.
Select this option so that the window definition for IE is also applied to Firefox.
• If this option does not work, you must create a specific window definition for
Firefox.
• You must start the configuration over again if you select this option.
67
3.7.3 "Detection" and "Actions" Tabs
The Detection and Actions tabs are described in the sections of this guide that are
related to the "plug-in types", as their content depends on the selected window type.
3.8 Testing the SSO
Subject
SSOStudio Enterprise used in Console mode allows you to test the SSO configuration
you have created.
Restriction
This functionality is available only if you use SSOStudio Enterprise in Console mode.
Procedure
1.
In the SSOStudio main window, right-click the Technical definition nodes or
Windows you want to test list and click Add to Test List.
To remove the window from the list, right-click the object and click Remove from
Test List.
• A small check appears in the Technical definition window icon.
2.
Right-click one of the selected item and click Test.
• A confirmation window appears, to inform you that the test mode is about to
be started.
3.
Click OK.
• The selected applications appear in the SSOWatch Engine list, which
displays the result of the test.
3.9 Exporting or Importing Objects
The Import/Export feature allows you to reuse SSO configurations. You may use when
testing SSO configurations: if the Application and Window objects that you have created
in your test environment are working, use the import/export feature to exploit them in the
live environment.
You can export/import the following objects:
• An Application (standalone mode) or an External Reference (Console mode) and its
associated Windows.
• Windows, PFCPs (standalone mode only) or Application Profiles (standalone mode only).
Each exported object is saved in an .SSE (SSOWatch Export) file.
68
Administrator Guide
3.9.1 Exporting/Importing Objects using the Graphical Interface
Exporting Procedure
To export an object, do the following:
1.
In the SSOStudio main window, right-click the object you want to export and
click Export.
2.
Choose a saving location for the object and click OK.
Importing Procedure
To import an object, do the following:
1.
In the SSOStudio main window, right-click the node where you want to import
the file.
To import a window, select the application that will receive this window.
2.
Select the object to import and click OK.
• The object appears in the tree, at the selected location.
3.9.2 Importing Objects using Command Line Arguments
(Standalone Mode only)
Subject
You can import .SSE files using command line arguments. This feature may allow you
to create batch files to automate the import of several objects from your test
environment to the live environment.
This feature is more powerful than the import of objects using the graphical
interface. You can use it to define accesses to applications in addition to the import
operation.
Before Starting
Export the wanted objects using the graphical interface, as described in Section 3.9.1,
Exporting/Importing Objects using the Graphical Interface.
For details on the objects that you can import, see Section 3.9, Exporting or
Importing Objects.
•
•
Close the SSOStudio graphical interface.
Note that you can combine this feature with the possibility of sharing account
base using command lines, which is described in Section 3.6.2.3, "Account
Base" tab of an Application Object
69
Procedure
To import an object, at the Windows prompt, type the following command:
<SSOWatch installation folder> [/login <name>]
[/password <password>] /import <filename.sse> /location
<Organization DN> [/access <group>] [/profile <profile>]
Arguments into square brackets [ ] are optional.
Where:
ARGUMENT NAME
VALUE
<SSOWatch installation
folder>
by default.
/login <name> and
/password <password>
Login name and password of the Enterprise SSO
administrator.
• Use the format DOMAIN\login.
• If the login name and password of the
administrator are not specified, the SSOStudio
authentication window will appear.
• The administrator account used to run the import
must have sufficient rights.
/import <filename.sse>
Full path name of the .sse file, which contains the object(s)
to import.
If the object to import is associated with another ESSO object (an Application associated with a PFCP
for example), and if the name of this object (PFCP) is
used by other objects, the first name found is used. If
no object is found, the default object is used.
/location <Organization DN>
Distinguished Name of the organization where the object will
be created.
/access <group>
Name of the group of users for whom you want to specify an
access to the imported Application.
• You can use either the format "Group Name" or
"Group DN".
• If you do not specify this argument, check the
access configuration using SSOStudio.
• This argument works only with Application
objects.
/profile <profile>
Name of the Application Profile that will be associated with
the imported Application.
• You can use either the format "Group Name" or
"Group DN".
• If you do not specify this argument, the default
Application profile will be used.
• This argument works only with Application objects.
70
Administrator Guide
Examples
•
The following command allows you to import MyExportedFile.sse into the
Applications container.
"C:\Program Files\Quest Software\E-SSO\SSOBuilder.exe" /
login DOMAIN\WGAdmin /password AdminPWD /import C:\MyExportedFile.sse /
location OU=Applications,OU=Organization,DC=domain,DC=acme,DC=com
•
You have created the APP application, for which the access is restricted to the
group of users GROOP. To import this application and keep the restricted
access to GROOP, use the following command:
"C:\Program Files\Quest Software\E-SSO\SSOBuilder.exe" /
login DOMAIN\WGAdmin /password AdminPWD /import C:\MyExportedAPP.sse /
location OU=Applications,OU=Organization,DC=domain,DC=acme,DC=com
/access GROOP
3.10 Managing Objects in the Tree
This section explains how to copy, cut, paste, rename and delete objects of the tree.
3.10.1 Copying/Cutting/Pasting Objects
Subject
You can perform basic operations with objects, as explained in the following procedure.
Procedure
1.
In the SSOStudio main window, right-click the object you want to copy and
click one of the following command:
• Copy, to duplicate the selected object.
• Cut, to copy the object and remove it from its current location (the object
won't be removed if it is not pasted afterwards).
2.
In the tree, right-click the node where you want to paste the copied object and
click Paste.
• The object appears in the tree at the selected location.
3.10.2 Renaming an Object
Procedure
1.
In the SSOStudio main window, right-click the object you want to rename and
click Rename.
• The object name is selected
2.
Type the name you want to see appear for the object and press the Enter key.
• The object name is renamed.
71
3.10.3 Deleting an Object from the Tree
Subject
If you use SSOStudio Enterprise in LDAP mode, the tree displayed corresponds to the
LDAP directory. If you delete an object from the tree, it will not be deleted from the LDAP
directory as long as you have not updated it (see Section 3.13, Refreshing the Tree).
Procedure
1.
In the SSOStudio main window, right-click the object you want to delete and
click Delete.
• A confirmation window appears
2.
Click OK.
• The object is deleted from the tree.
3.11 Saving Object Configurations
This section explains how to save the object configurations.
•
In SSOStudio used in local storage mode, Enterprise and Personal
configurations are stored differently:
• Enterprise mode: you can create as many configurations as you wish, and
each configuration is saved in a file.
• Personal mode: a single and unique configuration is dedicated to you. It is
automatically accessible on opening SSOStudio Personal, and is stored in
the security database defined during the installation phase (LDAP directory
or Windows Registry).
•
In LDAP storage mode, centralized configuration is defined in the LDAP
directory for which SSO access is either authorized or denied for a given user
or group of users.
3.11.1 Saving Object Configurations in LDAP Storage Mode
(Console Mode Only)
Subject
In LDAP storage mode, centralized configuration is defined in the LDAP directory for
which SSO access is either authorized or denied for a given user or group of users.
•
•
In standalone mode, the configuration is immediately and automatically saved
in the LDAP directory.
In Console mode, you must save the directory modifications, as explained in
the following procedure.
Procedure
In SSOStudio (used in LDAP storage and Console mode), in the File menu, click
Update directory.
The LDAP directory is updated with the configurations defined in SSOStudio.
72
Administrator Guide
3.11.2 Saving Object Configurations in Local Storage Mode
Subject
In local storage mode, the storage operation depends on the SSOStudio version used:
•
•
In SSOStudio Personal, a single and unique configuration is dedicated to each
user. It is automatically accessible on opening SSOStudio Personal.
In SSOStudio Enterprise, you can save as many configurations as wanted:
each configuration is saved in a file.
Procedure
•
In SSOStudio Personal (local storage mode), click File | Save.
• The configuration is saved in the Windows Registry.
•
In SSOStudio Enterprise (local storage mode), click File | Save.
Give a name to the configuration and select the location where you want to
save the configuration.
• The configuration is saved in a .sso file in the selected location.
3.12 Managing Configuration Updates
Subject
To optimize network traffic, you can use the update management feature: by default, the
Enterprise SSO workstations retrieve the whole SSO configuration periodically. The
update management feature allows you to post an update, which generates a unique
identifier. The workstations retrieve the application data and this identifier. As long as
the identifier is unchanged between the directory and the cache of the workstations, the
workstations do not update their SSO configurations.
Restriction
The functionality described in this section is only available in SSOStudio Enterprise
used in LDAP storage mode and standalone mode.
Procedure
•
To enable the update management feature:
In the File menu of SSOStudio Enterprise, select Manage Updates and click
Disable Update Management. To post an update, which generates a unique
identifier:
In the File menu of SSOStudio Enterprise, select Manage Updates and click
Post an Update.
When a workstation runs an update, it retrieves the entire configuration (and not only
the configuration corresponding to the last posted update). So this feature does not
avoid workstations retrieving the applications configured by administrators after the
last posted update if the data on the workstation is older than the last posted update.
73
3.13 Refreshing the Tree
Subject
Refreshing the tree means updating it so as it displays the current correspondent LDAP
directory.
If you have performed modifications in the tree and have not saved them,
refreshing the tree will cancel all your unsaved modifications.
Restriction
This functionality is available only if you use SSOStudio Enterprise in LDAP storage mode.
Procedure
In SSOStudio main window, in the Edit menu, click Refresh.
The displayed tree is updated with the current LDAP directory.
74
Administrator Guide
4. The Generic Plug-in
The "generic plug-in" allows you to define single sign-on (SSO) or account collect (in
Access Collector mode) configurations by detecting windows used by the following
types of applications:
•
•
•
Any Microsoft Windows applications.
Web applications (Internet Explorer or Firefox).
Java applications or applets.
The window objects that allow you to carry out the SSO belong to the Generic
Windows, as shown in the following figure:
• These window types allow you to detect any Microsoft Windows applications,
including any HTML pages displayed by web browsers as Firefox or Internet
Explorer.
• Do not use the Microsoft Internet Explorer plug-in (HTML Pages) to define new
windows.
75
Before Starting
If you want to detect a Java application, make sure the following components are
properly installed on your workstation:
•
•
A supported Java version (for more details about the supported JRE versions,
see Appendix Quest Enterprise SSO Release Notes).
The Quest SSOJava Plug-in, which must imperatively be installed after the
JRE (for more information, see Appendix Enterprise SSO Advanced
Installation and Configuration Guide).
4.1 Windows Detection
When you create a Window in the configuration editor, you have to define the window
that must be detected by SSOWatch. You must carry out this operation through the
Detection tabbed panel:
76
Administrator Guide
To define the window detection, you must do the following:
1.
2.
Select the window that must be detected by SSOWatch, using the target
button. For details, see Section 4.1.1, Simple Detection.
If necessary, modify the detection parameters for the selected window by
filling in the Parameters of the selected window area.
• Upon the detection of the window (Step 1), the Detect by Window Class
and Detect by Window Title options are selected. These options are usually
sufficient to enable the detection of the window by SSOWatch.
• If these options are not sufficient, you can use advanced detection
parameters, by looking for additional texts in the window (Look for text
option), and/or by adding constraints on the detection process (Advanced
button). For details on these detection parameters, see Section 4.1.3,
Restrictions.
4.1.1 Simple Detection
Depending on the type of window to detect, the selection area of the Detection tabbed
panel is different:
•
•
•
To detect the window of an application, you drag and drop the target button
onto the title bar of the window that you want to detect. For details, see
Section 4.1.1.1, Simple Detection of a Window.
To detect a Java applet, you drag and drop the target button onto the entire
login area of the Java login page. For details, see Section 4.1.1.1, Simple
Detection of a Window.
To detect a web page, you drag and drop the target button onto the web page
that you want to detect. For details, see Section 4.1.1.2, Simple Detection of a
Web Page.
4.1.1.1 Simple Detection of a Window
To detect a window, SSOWatch first looks for its title (for standard or Java application)
or its login area (for Java applet). It can then look for the presence of an additional text
in the window.
To automatically configure the necessary basic data, do one of the following:
•
•
For standard or Java application windows, drag and drop the target button
located in the top right of the Detection tabbed panel onto the title bar of the
window that you want to detect. The data from the last targeted window are
displayed in the configuration window, as shown in the following figure.
For Java applets, drag and drop the target button located in the top right of the
Detection tabbed panel onto the login/password area of the Java applet that
you want to detect. The data from the last targeted window are displayed in
the configuration window, as shown in the following figure.
77
The Detection tab now shows a tree structure for the targeted window, as well as its
parent windows, if any. Each window is represented on two lines differentiated by the
icon on the left of the line:
ICON
DESCRIPTION
Real characteristics of the targeted window (real title and class).
Data used to detect the targeted window (detection method, modified title).
At this point, the detection parameters of the selected window are automatically
configured as follows:
•
•
Detect by window class.
If the window has a title, Detect by Window Title (not case sensitive).
If you want to modify these configuration parameters, make selections in the bottom half
of the property page. If a targeted window has parent windows, you can modify the
configuration for any intermediate window.
78
Administrator Guide
The following table lists the four available title detection methods. All these methods are
not case sensitive:
METHOD
DESCRIPTION
Is equal to
The window title must be equal to the given character string.
Starts with
The window title must start with the given character string.
Contains
The window title must contain the given character string.
Ends with
The window title must end with the given character string.
Example
Let us assume that the application authentication window has a title similar to Enter the
password for FirstName LastName.
A potential problem appears with this title because FirstName and LastName can differ
from one user to another.
In this case, the text must be edited and reduced to Enter the password for, and the
window detection method must be set up to use: Start with or Contains.
4.1.1.2 Simple Detection of a Web Page
• If you are using different web browsers at the same time (Internet Explorer and
Firefox for example), you must create two different windows: one window for
the web page displayed in Internet Explorer, and another one for the web page
displayed in Firefox.
• If the title of the web page is different depending on the language used, you
must also create as much as different windows as there are different titles.
To detect a web page, SSOWatch first looks for its URL. It can then look for the
presence of an additional text or of a field in the web page.
To automatically configure the necessary basic data, drag and drop the target button
located in the top right of the Detection tabbed panel onto the web page that you want
to detect. The data from the last targeted window are displayed in the configuration
window, as shown in the following figure:
79
The Detection tab now shows the URL of the web page (Web page area). At this point,
you can adjust the detection parameters of the selected web page by defining a variable
URL (Variable URL area) or by detecting a field in the web page (Parameter of the
web page area) for example. For details, see Section 4.1.2, Advanced Detection.
The single sign-on is triggered when all the required fields are displayed, even if
the web page is not entirely loaded.
4.1.2 Advanced Detection
4.1.2.1 The Enable Variable URL Detection option
This option is only available upon the detection of a web page URL.
Some websites are provided by clusters of HTTP servers (for instance Hotmail) or use
the URL to keep session data (for instance Yahoo! Mail). This leads to URLs with
variable parts.
To configure the detection of a web page that uses a variable URL, select Enable
variable URL detection and click the Configure button.
80
Administrator Guide
If a variable URL detection has already been configured and you select a new URL
with the Get URL button, SSOWatch checks the compatibility of the new URL with
the old URL variable schema. If the schema cannot be matched, confirmation is
requested before the old URL variable schema is destroyed.
The variable URL configuration window looks like this:
The selected URL is shown in the text field.
To set up the variable parts, select (with the mouse or the keyboard arrows and the
SHIFT key) a part of the URL (1). The tool bar is updated and shows only the generic
characters that match the selection.
In the tool bar, select the wanted generic character (2). Generic characters allow you to
replace:
•
•
•
•
•
Any character (one or more).
Alphanumeric characters (one or more): lower case letters, upper case letters
and digits.
Letters (one or more): lower or upper case.
Digits (one or more).
If you select a generic character, you can restore the original text with the
Revert action.
4.1.2.2 The Look for text option
There are cases where detection based on a window class and title is not enough to
distinguish multiple windows. For example, assuming you need to configure a detection
method that distinguishes between two authentication windows that are both standard
dialog boxes (class "#32770") and have the same title (for example, Enter password).
Such a case requires that you configure an advanced detection method performing a
search for a specific text in the window’s fields.
To configure advanced detection, select in the window list the window that must be
detected, and select Look for text.
81
Two search methods exist:
•
•
In the whole window: the text is searched in all the window fields.
In Field: allows you to specify a field where the search will be carried out. This
field can be configured with the small target button by dragging and dropping it
onto the target field. The field content will be automatically pasted in the Look
for text field.
• The search is not case sensitive.
• If the selected Windows control field identifier is 0xFFFF, the search is
automatically extended to all the window control fields. This identifier is a
special one and is used for generic static texts. It can also appear more than
once in a window.
4.1.2.3 The Advanced button
You can define a list of constraints to refine the advanced detection parameters, using
the Advanced button. This button allows you to add constraints on windows that are
detected by SSOWatch, to enable or disable the single sign-on, as described in the
following procedure:
1.
In the Detection tabbed panel, click the Advanced button.
82
Administrator Guide
2.
Click the Add button.
3.
Fill in this window with the following guidelines:
• The fields are already filled in by default with the values of the selected target
window.
• Use the target button only if the target window is not the wanted one.
• If you select only the Signature check box, the SSO will be disabled, as this
parameter changes.
• If you select several check boxes to define the constraint, the application
containing the window to detect must meet all the parameters defined by
these check boxes.
4.
Click OK.
• The constraint is added in the constraint list.
Remember that SSOWatch detects the window if only one of the listed constraints
is verified.
4.1.3 Restrictions
To authenticate to an application, SSOWatch implements the user’s sign-on for him or
her. Therefore, SSOWatch considers that an application is valid as soon as the user
himself or herself is able to enter the information requested by the application.
Consequently, SSOWatch only detects windows that are:
•
•
•
Visible.
Not minimized.
"Active" in the MS-Windows sense – that is, they can accept user inputs.
It follows that SSOWatch cannot perform SSO for minimized or hidden windows.
83
4.2 User Interface
In this section, we introduce the tools and elements of the user interface that allow you
to configure Windows types.
The tools are:
•
The target (
•
The optional parameter list that allows you to enter SSO data other than user
name/password.
The actions to be performed after the fields have been filled.
•
) that allows you to select a Windows control (field or button).
4.2.1 Target
You can use the following target button to select a window’s control field (text field,
button, etc.):
This target can be used in two ways:
•
•
By performing a drag and drop onto the target control field: click the button;
the mouse cursor changes to a target; drag it to the target control field and
release the mouse button.
Once the mouse button has been released, the field is updated with the control
field information (and the intermediate windows/control fields if they exist):
The information displayed gives the control field identifier (in hexadecimal), its class and
the text found when the control field was detected.
A new window can be opened by clicking the target button:
84
Administrator Guide
A new target icon allows you to select the desired control field (with drag and drop). This
window allows you to see the selected control field’s details and the different levels of
nested windows between the control field and the base window.
Only the path from the base window to the target is displayed. To see all the other
control fields/windows, you must select the Display all window details checkbox.
You can also receive the control by its position by selecting the Identify the control by
its position in the control hierarchy checkbox.
You must re-select the windows to activate this mode.
4.2.2 Validation Actions
When the fields have been filled by SSOWatch Engine, you must validate the window
with the Enter key or by clicking the OK button (for example). In most of the window
types you have the following choices:
85
4.3 Generic Plug-in Actions
4.3.1 StandardLogin – Connection
4.3.1.1 Window Description
This property page enables you to specify:
•
•
•
•
•
86
The field that will receive the user identifier (or username) that allows the user
to connect to the application.
The field that will receive the password associated with the username.
The Do not re-prompt for account selection check box that may be used for
multiple accounts – for reconnection, it will be the active account that is used.
Additional authentication parameters, if needed. For details, see Section 4.3.1.2,
Specifying Additional Fields (Optional).
The window validation method.
Administrator Guide
4.3.1.2 Specifying Additional Fields (Optional)
Subject
This section focuses on the Additional fields customization area of the Actions tab of
the StandardLogin window type. This area allows you to define more fields than simply
the couple of fields user name/password of the target application authentication window.
Before Starting
The definition of additional fields is only possible if additional parameters are defined in
the Application object associated with this window. For details, see Section 3.6.2.5,
"Parameters" Tab.
87
Procedure
1.
Click Customize.
This window allows you to associate a Parameter with an authentication field
of the target application:
2.
Select the wanted parameter in the list.
The Description field is in read-only mode. It displays the value of the Description
field filled in upon the creation of the parameter at the Application level.
3.
4.
Use the target button to select in the target application the wanted
authentication field.
Click Insert.
• The parameter appears in the window.
5.
6.
If necessary, repeat the operation with other parameters.
Click OK.
4.3.1.3 SSOWatch Engine Behavior
In SSOWatch Engine, the following actions are performed after the window has been
detected:
•
The username and password associated with the application are retrieved
from the security system:
• If required, the user will be prompted to choose one of his or her accounts.
• If the selected (or single) account has no security data in the security system,
SSOWatch Engine will prompt the user for this data and will save it in the
security system (collect).
•
88
Data is sent to the window.
Administrator Guide
•
•
•
•
Optional parameters associated with the selected account are retrieved from
the security system: if one parameter value is unknown, the user is prompted
for it. It is then stored in the security system.
Parameters are sent.
The window is validated.
BadPassword and NewPassword window types are activated.
4.3.2 BadPassword
This property page allows you to enter:
•
•
•
•
•
The validation method after the password has been updated in the security
database (with a new authentication if needed).
The cancellation method of the window if the password update fails in the
security database.
The field that will receive the user identifier (or username) if the user is
prompted to re-authenticate.
The field that will receive the user password if the user is prompted to reauthenticate in the same window.
The optional parameters, if re-authentication is proposed in the same
application window. For details, see Section 4.3.1.2, Specifying Additional
Fields (Optional).
89
Full Version Behavior
detected:
•
•
•
The user is warned that the password stored in the security system is not the
right one for this application; he or she is prompted to enter the right password
(the user can also change the identifier if he or she has misspelled it in the
collect window).
If the user cancels the window or if an error occurs, the window is cancelled
according to the selected method.
If the new username/password pair is validated by the user and the security
database is updated successfully:
• The specified, username, password and optional parameters are sent to the
application.
• The window is validated according to the specified method.
Access Collector Mode Behavior
•
•
If you configure a bad password window without specifying a login field or a
password field, the detection of the window deletes the collected account. At
the next login window detection, a new collect will be performed.
If you configure a bad password with sending of a login or a password, a
BadPassword window will appear to collect the right account. If the user
cancels this window then the account is deleted and the collect will be
restarted at the next user connection.
4.3.3 NewPassword
In Access Collector mode, the NewPassword window type is not available.
90
Administrator Guide
•
•
•
•
•
The field that will receive the old password (optional).
The field that will receive the new password (optional).
The field that will receive the new password as a confirmation (optional).
The window validation method if the password has been successfully updated
in the security database.
The cancellation method in case of failure or if the user cancels the window.
detected:
•
•
•
•
•
If specified, the old password is sent (if the application can have many
sessions at the same time and if several accounts are used, SSOWatch will
ask the user to choose the relevant session).
The application asks the user for a new password or computes it itself
(according to the PFCP associated with the application).
If the password is confirmed, the new password is saved in the security database.
In case of failure, the window is cancelled.
In case of success, or without confirmation:
•
•
•
•
The new password is sent (if requested).
The new password is sent again (if confirmation is needed).
BadNewPassword and ConfirmPassword windows are activated.
91
Remark
As previously explained, the new password will be saved in the security database only
after it has been confirmed:
•
•
Either in the same window (New password and Confirm password fields set)
Or in another window (NewPassword or ConfirmPassword) if the New
password field has been set.
4.3.4 ConfirmPassword
In Access Collector mode, the ConfirmPassword window type is not available.
This window allows you to configure "Confirm New Password" window management:
•
•
•
•
92
The field that will receive the old password (optional).
The field that will receive the new password as a confirmation.
The window validation method if the password has been successfully updated
in the security database.
Administrator Guide
detected:
•
•
•
•
If specified, the old password is sent (optional).
The password is updated in the security database.
In case of failure, the window is cancelled.
In case of success, the window is validated and the ConfirmPassword and
BadNewPassword window types are disabled.
4.3.5 BadNewPassword
In Access Collector mode, the BadNewPassword window type is not available.
This window type allows you to configure the Bad New Password window type behavior
by specifying the window validation method.
detected:
•
•
•
The old password becomes the current password.
NewPassword window types are reactivated.
93
4.4 Special Cases
"Standard" window types do not allow you to manage all kinds of applications.
Therefore, SSOWatch provides some tools that allow you to manage these cases:
Custom Scripts and the OLE/Automation Interface.
For well-known and commonly used applications, specific window types are provided to
speed up configuration and optimize SSO processing.
4.4.1 NotesLogin (Lotus Notes Plug-in)
The Lotus Notes plug-in has a window type that manages Lotus Notes 4.x, 5.x and 6.5
authentication windows:
This window could be managed by a StandardLogin window type. However, a
NotesLogin window type can automatically select the user account according to the
account name displayed in the window:
•
•
If the user owns only one Lotus Notes account, the account will have to match
the requested account name; otherwise SSO will not be implemented.
If the user owns several accounts, SSOWatch will choose the user account
corresponding to the requested account name. If none matches the requested
account name, SSO will not take place.
4.4.1.1 Lotus Notes Identifier Format
The Lotus Notes identifier (or username) may be stored in the SSOWatch security database
using Lotus Notes formats (username, account name, Lotus Notes canonic name).
94
Administrator Guide
4.4.1.3 Configuring the Field Where the Lotus Notes Login is Shown
The first field is the one that contains the Lotus Notes username (Enter the password
of…). The field must be selected using the target button.
In the field where the complete Lotus username is shown, ensure that all entries are
symbol remains.
deleted, and that only the
Select the password field using the target button.
Ensure that the automatic window validation field is not checked.
When only one Notes account is accessed from the workstation, you may check
the automatic window validation field. We recommend that this only be used in
personal configuration mode.
detected:
•
•
The Lotus Notes identifier is retrieved from the field as shown above.
A search is conducted for the account name in all the accounts associated
with the application (beginning with full names):
• If necessary, the user will have to choose between the accounts that match
(or those that have no data associated with them).
95
• If a single account matches (or has no data), SSOWatch Engine will prompt
the user for the associated password and will save it in the security database
(collect).
•
•
•
The password is sent to the password field.
The window is validated; if the automatic validation option has not been
selected in the configuration.
BadPassword and NewPassword window types are activated.
4.4.2 HTTP Authentication (Internet Explorer Plug-in)
When you connect to some websites, an HTTP authentication window is displayed.
Under Windows XP, this window looks like:
This window can be managed using the StandardLogin window type. However, if the
password entered is not correct, the same window is displayed again with the same
username that was previously entered in the User name field (The first time this window
is displayed, no username is displayed). This window type has been created to manage
such a case (StandardLogin and BadPassword mix).
• This window is quite different for each of the Microsoft operating systems. If
you have a heterogeneous computer installation, you will have to define
several windows of this type in your configuration.
• The Netscape 4.7 HTTP authentication window is managed by the
StandardLogin window type.
96
Administrator Guide
The configuration page looks like this:
For StandardLogin, you have to set the identifier and password fields with the target
button.
For the identifier field, be sure to select the field within the listbox and not the listbox itself.
Internet Explorer allows you to save passwords. However, you may prefer to use
SSOWatch. So clear the Remember my password checkbox and select the checkbox
with the target tool.
Once the SSO data has been sent to the fields, you may validate the window.
SSO actions for this window type correspond to StandardLogin and BadPassword
window types:
•
The content of the Identifier field is retrieved; if it is empty, it is a
StandardLogin behavior, and Standardlogin actions can be taken:
• The username and password are retrieved from the security system.
• If necessary, the user will be prompted to choose between the different
accounts for this application.
• If the selected (or single) account has no data, SSOWatch Engine will ask the
user for the associated password and will save it in the security database
(collect).
• Data is sent to the window.
• Clear the Remember my password checkbox.
97
• The window is validated.
• BadPassword window type is activated.
•
If the identifier is not empty, it is a BadPassword behavior:
• The user is warned that the password stored in the security system is not the
one required by the application; so, he or she is prompted to enter the good
password (the user can also change the identifier if he or she has misspelled
it in the collect window).
• If the new username/user password pair is validated by the user and the
security database is updated successfully.
• Username, password and optional fields are provided for the application.
• The window is validated.
• NewPassword window types are enabled.
98
Administrator Guide
5. The Microsoft Internet Explorer
Plugin
• This plug-in is deprecated. To create new windows allowing SSO with Internet
Explorer or Firefox, use the Generic plug-in, as described in Section 4, The
Generic Plug-in.
• Use the Microsoft Internet Explorer plug-in only to modify single sign-on
(SSO) configurations already using windows defined through this plug-in.
• To migrate windows created with the Microsoft Internet Explorer plug-in to the
Generic Plug-in, create the same windows using the Generic plug-in.
The Microsoft Internet Explorer plug-in manages SSO in HTML documents in Microsoft
Internet Explorer 5.5 and 6.0. It works with HTML document forms.
The Internet Explorer plug-in provides several window types detailed in the following table:
WINDOW TYPE
DESCRIPTION
IELogin
HTTP, Firewall or Proxy connection windows
HTMLLogin
Web/HTML application connection page
HTMLBadPassword
HTML page which indicates that the password entered in
the HTMLLogin window is not correct, this allows SSO
data collect mode.
The right username and password may be entered again
this time.
HTMLNewPassword
HTML page which prompts for a new password (and
generally for a confirmation)
HTMLBadNewPassword
Window type used to handle new password refusals in
HTML pages
99
5.1 HTML/Internet Explorer Detection
The detection of HTML pages is URL-based.
Start by launching Internet Explorer.
For Windows 2003 servers, check that the Internet Explorer option Enable thirdparty browser extensions (in Internet options | Advanced | Browser) is
selected.
The HTML Detection property page looks like this:
To fill in the URL field, use the Get URL button. The following window appears:
100
Administrator Guide
The list of open HTML documents in Internet Explorer windows (and frames) is
displayed.
The list of HTML forms (and their associated fields) is shown for information only.
The Internet Explorer button allows you to launch Internet Explorer if it is not already
running (same as launching it from the Start menu).
To select an URL, you should select the line that shows the URL, or one of its elements.
The selected URL is shown in bold.
The HTML page display is dynamically updated as you open new HTML windows or
navigate within Internet Explorer. The Refresh button allows you to remove windows
which are no longer displayed.
If only one HTML document is opened, its URL will automatically be pasted into
the URL field (if it was previously empty).
5.1.1 URLs with Variable Parts
Some websites are provided by clusters of HTTP servers (for instance Hotmail) or use
the URL to keep session data (for instance Yahoo! Mail).
This leads to URLs with variable parts.
To configure detection using a variable URL, select Enable variable URL detection
and click the Configure button.
If a variable URL detection has already been configured and you select a new URL
with the Get URL button, SSOWatch checks the compatibility of the new URL with
the old URL variable schema. If the schema cannot be matched, confirmation is
requested before the old URL variable schema is destroyed.
The variable URL configuration window looks like this:
The selected URL is shown in the text field.
101
To set up the variable parts, select (with the mouse or the keyboard arrows and the
SHIFT key) a part of the URL. The tool bar is updated and shows only the generic
characters that match the selection.
Generic characters allow you to replace:
•
•
•
•
•
Any character (one or more).
Alphanumeric characters (one or more): lower case letters, upper case letters
and digits.
Letters (one or more): lower or upper case.
Digits (one or more).
If you select a generic character, you can restore the original text with the
Revert action of the toolbar.
Example
In the previous window, a Hotmail URL is shown. Variable parts are 3 and 13 numbers
after "lc" and after "law".
You only need to select 3 and click
. The field is displayed like this:
(in the toolbar), then select 13 and click again on
5.1.2 Advanced Detection
Advanced detection in an Internet Explorer HTML page is based on text search.
The dialog box that allows you to configure the advanced detection parameter looks like:
You can enter a text using the keyboard or select it with your mouse in an HTML page
and click the Capture button: the text is pasted in the field.
There are two search methods:
•
•
102
Text must be Present: if the text is found on the page, detection is
successful.
Text must be Absent: if the text is found on the page, detection fails.
Administrator Guide
5.2 User Interface
In this section, we introduce the tools and elements of the user interface that are used
to configure HTML/Internet Explorer window types.
These tools are:
•
•
The HTML form selection tool (icon
) which allows the association of an
SSO parameter (username, password) with an HTML form field.
The custom parameters list which allows the setting up of additional
parameters (other than username and password) which will be sent to the
application so as to perform SSO.
•
The HTML form submission-method selection tool (same icon
).
5.2.1 Selecting a Field in an HTML Form
The field selection window for an HTML form is as follows:
This window displays, in a list, all the forms (and their fields) contained in the HTML
page selected in the detection page.
The fields are displayed in their order and an icon distinguishes the clear text fields
(
) from the fields containing a password (
). The associated text is the field’s
internal name (HTML).
The forms are differentiated by their names. If two or more forms have the same name
(or are unnamed), the position is displayed in brackets: this is the position in the page
compared to all forms with the same name.
If you do not want to use this field, validate by clicking the Clear button.
103
5.2.2 Custom SSO Parameters
The following window allows you to enter and configure optional parameters that will be
sent to the target application:
To customize an optional field, proceed as follows:
•
•
•
•
Select the parameter in the list.
Fill in Associated Field by using the target to select the target control field.
Insert customization of additional field.
Validate, by clicking OK.
5.2.3 Submitting an HTML Form
The window for setting up the HTML form submission method is the following:
104
Administrator Guide
This window proposes two submit methods:
•
•
Simple submit or submit by clicking a Button/Image.
Advanced submit by clicking a link.
5.2.3.1 Simple Submit / Button Click
•
•
•
To submit a form by simulating the Enter key, simply select the form.
To submit the form by clicking a button, select the desired button.
To check that it is actually the desired button, you can make it blink in the
HTML page using the Highlight button.
5.2.3.2 Click a Link
This method is used to submit a form by clicking a text or an image starting a
JavaScript script.
Such a link is recognized by its URL starting with javascript:
5.3 HTML/Internet Explorer Actions
5.3.1 HTMLLogin – Connection
5.3.1.1 Configuration
105
This property page allows you to specify:
•
•
•
•
The field that will receive the user identifier (or username) that allows
connection to the application.
The field that will receive the password corresponding to the username.
The optional parameters, if necessary.
The form-submit method.
5.3.1.2 Actions
In SSOWatch Engine, the following actions are performed after the form has been
detected:
•
The username and password associated with the application are retrieved
from the security system:
• If necessary, the user is prompted to choose between the accounts he or
she owns.
• If the selected (or single) account has no security data in the security system,
SSOWatch Engine will prompt the user for this data and will save them in the
security system (collect).
•
•
•
•
•
106
Data is sent to the form fields of the HTML page.
Optional parameters associated with the selected account are retrieved from
the security system: if any parameter value is unknown, it is requested from
the user and then stored in the security system.
Parameters are sent.
The form is submitted.
Window with types (HTML) BadPassword or (HTML)NewPassword are
activated.
Administrator Guide
5.3.2 HTMLBadPassword
•
•
•
•
The validation method after the password has been updated in the security
database (with a new authentication if necessary).
The HTML field that will receive the user identifier (or username) if the user is
prompted to re-authenticate.
The HTML field that will receive the user password if the user is prompted to
re-authenticate in the same page.
The optional parameters, if re-authentication is proposed in the same window.
5.3.2.2 Actions
In SSOWatch Engine, the following actions are performed after the HTML page has
been detected:
•
•
The user is warned that the password stored in the security system is not the
right one for this application; he is prompted to enter the right password (the
user can also change the identifier if he or she has misspelled it in the collect
window).
If the new username/password pair is validated by the user and the security
database is updated successfully:
• If specified, the username, password and optional HTML parameters are sent
to the application.
• The HTML form is submitted according to the specified method.
107
5.3.3 HTMLNewPassword
•
•
•
•
•
•
The HTML field that will receive the user identifier (or username).
(Optional) The HTML field that will receive the old password.
(Optional) The HTML field that will receive the new password.
(Optional) The HTML field that will receive the new password as confirmation.
The HTML form-submit method if the password has been successfully
updated in the security database.
5.3.3.2 Actions
In SSOWatch Engine, the following actions are performed after the HTML page has
been detected:
•
•
•
•
108
If specified, the user identifier and the old password are sent (if the application
can have many simultaneous sessions and if several accounts are used,
SSOWatch will ask the user to choose the relevant session).
The application asks the user for a new password or computes one (according
to the PFCP associated with the application).
If password confirmation is specified, it saves the new password in the security
database.
In case of failure, the submission is cancelled.
Administrator Guide
•
In case of success:
• The new password is sent (if requested).
• The new password is sent again (if confirmation is needed).
• The form is submitted.
5.3.4 HTMLBadNewPassword – New Password Refused
This properties page allows the definition of:
•
•
•
•
•
The validation method after a new password has been refused.
(Optional) The HTML field for the username, if re-authentication is proposed in
the same window.
(Optional) The HTML field for the old password.
(Optional) The HTML field for the new password.
(Optional) The HTML field for new-password confirmation.
109
5.3.4.2 Execution
In SSOWatch Engine, the actions which are performed following detection of this HTML
page are:
•
•
•
•
•
•
The old password is reset and becomes the current password.
If specified, authentication is performed with the username and old password
(if a multi-session application and a number of accounts are used, SSOWatch
prompts the user to choose the appropriate session).
The user is prompted for a new password, or a new password is generated
based on the application’s password policy (PFCP).
If confirmation of new password is specified, the new password is saved in the
security database.
If unsuccessful, SSO is cancelled.
If successful, or where there is no confirmation:
•
•
•
•
110
The new password is sent (if specified).
Confirmation is sent (if specified).
NewPassword type windows are activated.
Administrator Guide
6. The SAP R/3 Plug-in
This section gives a brief description of the SSOWatch SAP R/3 plug-in for SSOWatch.
The SAP R/3 plug-in provides different types of windows for the management of single
sign-on, depending on the version of SAP R/3 clients and servers. To identify the
window corresponding to each version of the SAP R/3 components, see Appendix
Quest Enterprise SSO Release Notes.
The SAPLogin and SAPExpired window types defined in version 3.71 of
SSOWatch are still available, to ensure the continuity of deployed configurations.
However, we recommend that that these are ported to SAPGUI Scripting and
Advanced SAPGUILogin window types.
6.1 SAPLogin and SAPExpired Window Types
6.1.1 SAPLogin (SAP R/3 Login)
This window type manages SAP R/3 4.5 connection. It includes bad password
management (BadPassword).
With version 4.6, only authentication is managed.
To configure a window type SAPLogin, you have to specify the following parameters:
This window is pre-selected and should normally not be modified.
•
Fields
• SAP Main Field is where SSO data should be sent. Field selection may be
done with the target
.
• SAP Status bar is the field where errors are displayed. Field selection may
be done with the target
.
• Error text is the message displayed by SAP R/3 in case of error. This allows
SSOWatch to deal with bad passwords (SAP R/3 4.5 only).
•
Window parameters
Language and Client Name may be associated with parameters stored in the
security database.
•
Window Validation
The authentication window should be validated with the Enter key.
111
6.1.2 SAPExpired (SAP R/3 Password Expiry)
This window type manages SAP R/3 4.5 password expiry.
In Access Collector mode, the SAPExpired window type is not available.
In the configuration window, fill in the SAP main field field with the
button.
6.2 Basic Principles of the SAP R/3 Plug-in
Pre-requisites
•
SAPGUI 6.20 Scripting must be activated on the SAP R/3 server, with the
following parameter:
Sapgui/user_scripting = TRUE
•
•
SAPGUI Scripting must be activated on the SAP R/3 client.
The connection description in the SAPLogon must not use the slow connection
parameter.
SAPGUI Scripting works only with the new SAP R/3 visual design.
•
6.3 Configuration Guide
6.3.1 Configuring an SAP R/3 Application
An application should be configured with the SSOWatch configuration editor. For SAP
R/3 applications, use the SAP application model in SSOStudio.
Configuring an Application for SAPGUI Scripting
If you use SAPGUI Scripting window types, the OLE/automation option in the
configuration is not required. It should, therefore, be left inactivated.
112
Administrator Guide
6.3.2 Configuring the SAPGUI Scripting Window
6.3.2.1 The Detection Tab
The detection of SAP R/3 connections is based on their connection servers or
server groups.
•
•
•
•
•
To specify an SAP R/3 server or group of servers, use the following options:
Name (mandatory): server name (SAP R/3 hostname) or server group name
for which SSO is to be performed.
SAP system name: SAP R/3 name of the system in 3 characters (database ID).
Direct connection to a server:
System number: provide the SAP R/3 System Number if the target server is
running more than one copies of SAP R/3.
Group with load-balancing:
Message Server: enter the SAP R/3 message server name as it is configured
in the SAPLogon module if there are a several SAP R/3 groups with the same
name but with different messages servers.
113
6.3.2.2 The Actions Tab
•
•
Description of the SAP R/3 parameters: at authentication time, SSOWatch can
fill the "language" and "client name" fields as defined in the SAP R/3
application model. These parameters should be declared through the
Parameters tab of the application object.
Advanced parameters:
• Changing the SAP R/3 user’s password: by default, SSOWatch manages the
authentication process, and the user cannot change his or her SAP R/3
password at this stage but must use the password change transaction once
connected. To avoid the complexity inherent in this procedure, activating this
option will result in SSOWatch asking the user if a change of password
should be made during connection to SAP R/3; SSOWatch will then manage
all the password change processes as required.
• Automatic validation of the connection notification: the SAPGUI Scripting
technology causes a message to appear, notifying the user that a script is
connecting to SAPLogon. By activating this option, and by declaring the
notification window title (by default this is saplogon), SSOWatch will
automatically validate the notification as required. The notification will still
appear in non-SSOWatch connections, and therefore for other scripts.
114
Administrator Guide
•
To define error messages, click the Errors button:
Error messages are detected by SSOWatch so that it can react when there is a
password de-synchronization problem, when there is a password change, or if the new
password is refused by the SAP R/3 system. In addition to the pre-configured error
messages, you can declare your own specific messages:
•
•
By content: enter a message and assign a meaning to it. SSOWatch will look
for the message in the status bar or error dialog box. In this case, it is the
message string that is looked for. This is dependent, therefore, on the
language of the SAP R/3 client.
By reference: if you also specify the SAP R/3 ABAP reference of the message,
SSOWatch will look for the reference of the message, and not its content.
Thus, it becomes independent of the client language. In this case, the content
of the ‘message’ field is simply for informative purpose.
The list of message references can be found using the transaction SE16, table T100.
Authentication steps:
•
•
•
Connection refused: the SAP R/3 system has refused the connection. The
user may be locked, or the server unavailable.
Invalid password: the user password is incorrect. A new password is
requested through SSOWatch Engine’s data collection windows.
New password refused: the user has just changed the password, but the SAP
R/3 system does not accept it. A new password is requested through
SSOWatch Engine’s data collection windows.
115
7. Terminal Type Applications
Terminal type windows manage SSO in text fields emulating a line mode terminal. The
terminal must be displayed in a text-edit control field.
Some emulator windows may not meet these requirements. In this case, the use of
some other methods like OLE/Automation interface access could be necessary.
The way this window type works is slightly different from the way other window types
work, since the SSO events correspond to the display of messages; in addition, all the
SSO states are managed in the same window.
Once connection has been set up, SSO is disabled for this window.
Three window types offer the management of terminals:
•
•
•
Terminal (from Standard plug-in).
MSTelnet (from Microsoft applications plug-in).
MSTelnetW2KXP (from Microsoft applications plug-in).
The detection of these window types is the same as for standard Windows.
The Actions part covers all standard window types. It is used to manage the opening of
a full session (including bad and new passwords management) running in text mode
and in a single Windows control field (in general an Edit field). It simulates the user
keyboard entries and controls the state of the connection by detecting text banners.
116
Administrator Guide
7.1 Terminal
This window type has been created to manage the terminal connections in Edit fields,
notably the Windows remote access pre- and post- dialup terminals.
Its configuration window is the following:
The Host Control field will contain all the texts used for connection. Using the target
icon, click the terminal window; this will copy the text across.
The behavior vis-à-vis the text banners is defined by clicking on the Banners button
(described in Section 7.3, Banners).
You can also set up the timing between two searches for banners.
Once SSO has been performed, or in case of failure, it is possible to click a button to
close the window.
117
7.2 Microsoft Telnet
Two window types are available for managing the Microsoft Telnet application:
WINDOW TYPE
DESCRIPTION
MSTelnet
Not supported
MSTelnetW2KXP
Telnet Microsoft in Windows 2000 and XP OS
The configuration window is the following:
It is possible to change the performance-tuning parameters:
•
•
118
The timer between the detection of two banners.
The timeout canceling the SSO for the window.
Administrator Guide
7.3 Banners
The banners configuration window is the following:
This window allows you to specify SSO events (the detection of text in a new text line)
and the behavior to be associated with them.
The possible behaviors are:
EVENT
DESCRIPTION
Login
The text indicates a username request.
Password
The text indicates a password request.
Custom Parameter
An additional parameter is requested.
Connection OK
The text indicates that the connection is completed
successfully. It stops the SSO.
Enter new password
The text indicates that a new password is requested.
Confirm new password
The text indicates that the same new password must be
confirmed.
Bad password
The text indicates that there is a wrong password in the
security database.
Connection refused
The text indicates that the connection failed. It stops the SSO
operation.
119
To add an event, you should:
•
•
•
Indicate the text to look for in the Banner field.
Select the associated event.
Click the Add button.
To edit an event, you should:
•
•
•
•
Select it in the list.
Click the Edit button: it will disappear, and the information is displayed in the
bottom fields.
Edit the information.
Click the Add button. The information is then added at the bottom of the list.
To delete an event, you should:
•
•
120
Select it in the list.
Click the Delete button.
Administrator Guide
8. The HLLAPI Plug-in
Subject
This section describes how to enable single sign-on or account collect (in Access
Collector mode) for applications using HLLAPI.
Intented Readers
•
•
System Integrators.
Administrators.
HLLAPI Definition
The High Level Language Application Program Interface (HLLAPI) is an IBM API that
allows a PC application to communicate with a mainframe computer. HLLAPI requires a
PC to run 3270 emulation software and then defines an interface between a PC
application and the emulation software. This API is also called "screen-scraping" because
the approach uses characters that would otherwise be displayed on a terminal screen".
For convenient purposes, the term "HLLAPI applications" in the next sections
designates the applications that are using HLLAPI.
8.1 Configuring the HLLAPI Plug-in
Subject
SSOWatch uses default configuration parameters to implement the HLLAPI plug-in. You
may need to modify these parameters if the HLLAPI that you are using does not fit
these parameters.
Procedure
To modify the the SSOWatch HLLAPI plug-in default configuration parameters, using
Registry Editor, add the HllAPI key in SOFTWARE/Enatel/SSOWatch/ and create the
values listed in the following table.
Modifying the Windows Registry may damage your Windows system. It is strongly
recommended to be accommodated to Registry Editor to modify registry keys and
values.
121
VALUE NAME
VALUE TYPE
String
HllLibrary
DEFAULT VALUE DATA AND DESCRIPTION
PCSHLL32.dll:
Name of the .dll file that corresponds to the HLLAPI plug-in.
HllEntryPoint
String
hllapi:
Function name of HLLAPI the in the DLL.
HLLAPI-32bit
DWORD
1:
Specifies that the application using HLLAPI is a 32-bit
application. Set 0 if you use a 16-bit application.
8.2 Enabling Single Sign-On for HLLAPI
Applications
Subject
To enable SSO for HLLAPI applications, you must declare the application in the
SSOWatch configuration and define the window types that must be detected by
SSOWatch Engine, as described in the following procedure.
Before Starting
•
•
Your emulation software must be configured to establish connections trough
HLLAPI.
Check that that the global configuration parameters used to implement the
HLLAPI plug-in are correctly set, as described in Section 8.1, Configuring the
HLLAPI Plug-in.
Procedure
1.
In SSOStudio, create a new Application.
The Application object appears under the Applications node.
2.
Right-click the Application object and select New Window.
The Window Properties window appears.
3.
Fill in the General tab with the following guideline: in the Window Type dropdown list, define one of the following screens:
• HLLAPI Login: login screen of the HLLAPI application.
• HLLAPI Bad Password: screen indicating a wrong password/username.
• HLLAPI New Password: screen requesting a new password (this screen can
be a specific screen or the login screen).
(Not available in Access Collector mode).
• HLLAPI Standard: screen that does not need any authentication data (not
available in Access Collector mode).
• HLLAPI Confirm Password: new password confirmation screen (not
available in Access Collector mode).
• HLLAPI Bad New Password: screen indicating that the new password in not
correct (not available in Access Collector mode).
122
Administrator Guide
4.
If necessary, fill in the Options tab.
If you are defining an HLLAPI New Password screen, and if the new password
must be provided in the login screen, then select Use Manual SSO State
Conditions, click Configure and select SSO has been done. Password has
expired and must be changed.
5.
6.
7.
Fill in the Detection tab, which is described in Section 8.2.1, The Detection Tab.
Fill in the Actions tab, which is described in Section 8.2.2, The Actions Tab.
Click OK.
The Window object appears under the Application object.
8.
To define other HLLAPI window types, restart from Step 2.
8.2.1 The Detection Tab
Subject
The section gives information on how to fill in the Detection tab for HLLAPI screen
types. This tab allows you to define the screen requirements to satisfy to enable SSO.
Description
•
The Connection Type area:
This area allows you to specify the communication standard used by the
application.
• If the connection type information is not available at the HLLAPI level,
SSOWatch Engine do not take into account this parameter.
• If you do not know the connection type, select or clear all check boxes.
123
•
The Strings to Detect area:
You must fill in this area to define the strings that SSOWatch must detect to
enable SSO. Read carefully the following guidelines:
a)
Enter the name of a string to detect.
b)
Absence of: select this check box to specify that the string must not
appear in the application window.
c)
Position area: fill in this area to specify the position of the string to detect
in the application window:
• Select Check Position.
• Define the row and column numbers of the string.
• Select Relative Coordinates if you want to specify a position relative to the
position of the cursor.
d)
Click Add.
Example
In this Detection tabbed panel example, SSOWatch Engine enables SSO if:
•
•
124
The Account Name string is located in the application window at the same
row as the cursor (relative coordinates) and 14 columns before.
The Password string does not appear in the application window.
Administrator Guide
8.2.2 The Actions Tab
Subject
The section gives information on how to fill in the Actions tab for HLLAPI window types.
This tab allows you to define the authentication data that SSOWatch Engine must send
to the terminal emulator.
Description
•
The SSO Steps area:
This area allows you to sort out and modify the actions that must be performed
by SSOWatch Engine in the terminal emulator window.
•
The Actions area:
This area allows you to define the data that SSOWatch Engine must send to
the terminal emulator. Fill in it as follows:
a)
Send SSO parameter: select this option if you want to send an SSO
parameter, and select in the drop-down list the wanted entry.
b)
Send Key: select this option if you want to send a "common" key (as
<enter> for example), and select the wanted key in the drop-down list.
c)
Send Text: select this option either if you want to send a key that does
not appear in the Send Key drop-down list, or if you want to specify any
text to send, and fill in the activated field.
Section 8.3, HLLAPI Applications Keys lists the keys that are compatible with
many emulator software applications.
125
d)
Once by instance: (appears only with the HLLAPI Standard window
type). Select this checkbox if you want to specify that SSOWatch Engine
must carry out the actions listed in the SSO Steps area only one time per
session instance. You should use this option to send further actions upon
the detection of other HLLAPI screens than the HLLAPI screen types
listed in the General tab.
e)
The Other button: if the actions listed above do not meet your
requirements, you can define extended actions, by clicking the Other
button.
Fill in this window as follows:
• Sleep: select this option to suspend SSOWatch Engine for a specified time
specified before processing the next displayed action in the SSO Steps area.
• Exit DLL: select this option to call a function in an external DLL. If the
function is found in the DLL, the indicator turns green.
• When SSO is implemented, the DLL is searched in the paths defined in the
%PATH% environment variable of the user who is logged on. If it is not found,
the DLL is searched in the same directory as the one used during the
configuration process.
• For more details on external DLL, see Section 9.2, Extension DLL.
8.3 HLLAPI Applications Keys
The following table lists the keys that are compatible with many emulator software
applications.
MNEMONIC
MEANING
3270
5250
VT
@B
Left Tab
Yes
Yes
No
@C
Clear
Yes
Yes
No
@D
Delete
Yes
Yes
No
@E
Enter
Yes
Yes
No
@F
Erase EOF
Yes
Yes
No
126
Administrator Guide
MNEMONIC
MEANING
3270
5250
VT
@H
Help
No
Yes
No
@I
Insert
Yes
Yes
No
@J
Jump (SetFocus)
Yes
Yes
No
@L
Cursor Left
Yes
Yes
Yes
@N
New Line
Yes
Yes
Yes
@O
Space
Yes
Yes
Yes
@P
Print
Yes
Yes
Yes
@R
Reset
Yes
Yes
No
@T
Right Tab
Yes
Yes
Yes
@U
Cursor Up
Yes
Yes
Yes
@V
Cursor Down
Yes
Yes
Yes
@X*
DBCS (Reserved)
Yes
Yes
No
@Y
Caps Lock (No action)
Yes
Yes
No
@Z
Cursor Right
Yes
Yes
Yes
@0
Home
Yes
Yes
No
@1
PF1/F1
Yes
Yes
No
@2
PF2/F2
Yes
Yes
No
@3
PF3/F3
Yes
Yes
No
@4
PF4/F4
Yes
Yes
No
@5
PF5/F5
Yes
Yes
No
@6
PF6/F6
Yes
Yes
Yes
@7
PF7/F7
Yes
Yes
Yes
@8
PF8/F8
Yes
Yes
Yes
@9
PF9/F9
Yes
Yes
Yes
@a
PF10/F10
Yes
Yes
Yes
@b
PF11/F11
Yes
Yes
Yes
@c
PF12/F12
Yes
Yes
Yes
@d
PF13
Yes
Yes
Yes
@e
PF14
Yes
Yes
Yes
@f
PF15
Yes
Yes
Yes
@g
PF16
Yes
Yes
Yes
127
MNEMONIC
MEANING
3270
5250
VT
@h
PF17
Yes
Yes
Yes
@i
PF18
Yes
Yes
Yes
@j
PF19
Yes
Yes
Yes
@k
PF20
Yes
Yes
Yes
@l
PF21
Yes
Yes
No
@m
PF22
Yes
Yes
No
@n
PF23
Yes
Yes
No
@o
PF24
Yes
Yes
No
@q
End
Yes
Yes
No
@s
ScrLk (No action)
Yes
Yes
Yes
@t
Num Lock (No action)
Yes
Yes
Yes
@u
Page Up
No
Yes
No
@v
Page Down
No
Yes
No
@x
PA1
Yes
Yes
No
@y
PA2
Yes
Yes
No
@z
PA3
Yes
Yes
No
@A@C
Test
No
Yes
No
@A@D
Word Delete
Yes
Yes
No
@A@E
Field Exit
Yes
Yes
No
@A@F
Erase Input
Yes
Yes
No
@A@H
System Request
Yes
Yes
No
@A@I
Insert Toggle
Yes
Yes
No
@A@J
Cursor Select
Yes
Yes
No
@A@L
Cursor Left Fast
Yes
Yes
No
@A@Q
Attention
Yes
Yes
No
@A@R
Device Cancel
(Cancels Print Presentation Space)
Yes
Yes
No
@A@T
Print Presentation Space
Yes
Yes
Yes
@A@U
Cursor Up Fast
Yes
Yes
No
@A@V
Cursor Down Fast
Yes
Yes
No
@A@Z
Cursor Right Fast
Yes
Yes
No
128
Administrator Guide
MNEMONIC
MEANING
3270
5250
VT
@A@9
Reverse Video
Yes
Yes
No
@A@b
Underscore
Yes
No
No
@A@c
Reset Reverse Video
Yes
No
No
@A@d
Red
Yes
No
No
@A@e
Pink
Yes
No
No
@A@f
Green
Yes
No
No
@A@g
Yellow
Yes
No
No
@A@h
Blue
Yes
No
No
@A@i
Turquoise
Yes
No
No
@A@j
White
Yes
No
No
@A@l
Reset Host Colors
Yes
No
No
@A@t
Print (Personal Computer)
Yes
Yes
No
@A@y
Forward Word Tab
Yes
Yes
No
@A@z
Backward Word Tab
Yes
Yes
No
@A@−
Field −
No
Yes
No
@A@+
Field +
No
Yes
No
@A@<
Record Backspace
No
Yes
No
@S@E
Print Presentation Space on Host
No
Yes
No
@S@x
Dup
Yes
Yes
No
@S@y
Field Mark
Yes
Yes
No
@X@1
Display SO/SI
Yes
Yes
No
@X@5
Generate SO/SI
No
Yes
No
@X@6
Display Attribute
No
Yes
No
@X@7
Forward Character
No
Yes
No
@X@c
Split vertical bar (¦)
No
Yes
No
@M@0
VT Numeric Pad 0
No
No
Yes
@M@1
VT Numeric Pad 1
No
No
Yes
@M@2
VT Numeric Pad 2
No
No
Yes
@M@3
VT Numeric Pad 3
No
No
Yes
@M@4
VT Numeric Pad 4
No
No
Yes
@M@5
VT Numeric Pad 5
No
No
Yes
129
MNEMONIC
MEANING
3270
5250
VT
@M@6
VT Numeric Pad 6
No
No
Yes
@M@7
VT Numeric Pad 7
No
No
Yes
@M@8
VT Numeric Pad 8
No
No
Yes
@M@9
VT Numeric Pad 9
No
No
Yes
@M@-
VT Numeric Pad—
No
No
Yes
@M@,
VT Numeric Pad ,
No
No
Yes
@M@.
VT Numeric Pad .
No
No
Yes
@M@e
VT Numeric Pad Enter
No
No
Yes
@M@f
VT Edit Find
No
No
Yes
@M@i
VT Edit Insert
No
No
Yes
@M@r
VT Edit Remove
No
No
Yes
@M@s
VT Edit Select
No
No
Yes
@M@p
VT Edit Previous Screen
No
No
Yes
@M@n
VT Edit Next Screen
No
No
Yes
@M@a
VT PF1
No
No
Yes
@M@b
VT PF2
No
No
Yes
@M@c
VT PF3
No
No
Yes
@M@d
VT PF4
No
No
Yes
@M@h
VT HOld Screen
No
No
Yes
@M@(space)
Control Code NUL
No
No
Yes
@M@A
Control Code SOH
No
No
Yes
@M@B
Control Code STX
No
No
Yes
@M@C
Control Code ETX
No
No
Yes
@M@D
Control Code EOT
No
No
Yes
@M@E
Control Code ENQ
No
No
Yes
@M@F
Control Code ACK
No
No
Yes
@M@G
Control Code BEL
No
No
Yes
@M@H
Control Code BS
No
No
Yes
@M@I
Control Code HT
No
No
Yes
@M@J
Control Code LF
No
No
Yes
@M@K
Control Code VT
No
No
Yes
130
Administrator Guide
MNEMONIC
MEANING
3270
5250
VT
@M@L
Control Code FF
No
No
Yes
@M@M
Control Code CR
No
No
Yes
@M@N
Control Code SO
No
No
Yes
@M@O
Control Code SI
No
No
Yes
@M@P
Control Code DLE
No
No
Yes
@M@Q
Control Code DC1
No
No
Yes
@M@R
Control Code DC2
No
No
Yes
@M@S
Control Code DC3
No
No
Yes
@M@T
Control Code DC4
No
No
Yes
@M@U
Control Code NAK
No
No
Yes
@M@V
Control Code SYN
No
No
Yes
@M@W
Control Code ETB
No
No
Yes
@M@X
Control Code CAN
No
No
Yes
@M@Y
Control Code EM
No
No
Yes
@M@Z
Control Code SUB
No
No
Yes
@M@u
Control Code ESC
No
No
Yes
@M@v
Control Code FS
No
No
Yes
@M@w
Control Code GS
No
No
Yes
@M@x
Control Code RS
No
No
Yes
@M@y
Control Code US
No
No
Yes
@M@z
Control Code DEL
No
No
Yes
@Q@A
VT User Defined Key 6
No
No
Yes
@Q@B
No
No
Yes
@Q@C
No
No
Yes
@Q@D
No
No
Yes
@Q@E
No
No
Yes
@Q@F
No
No
Yes
@Q@G
No
No
Yes
@Q@H
No
No
Yes
@Q@I
No
No
Yes
@Q@J
No
No
Yes
131
MNEMONIC
MEANING
3270
5250
VT
@Q@K
No
No
Yes
@Q@L
No
No
Yes
@Q@M
No
No
Yes
@Q@N
No
No
Yes
@Q@0
No
No
Yes
@Q@a
VT Backtab
No
No
Yes
@Q@r
VT Clear Page
No
No
Yes
@Q@s
VT Edit
No
No
Yes
@@
@
Yes
Yes
Yes
@$
Alternate Cursor (The Presentation
Manager Interface only)
Yes
Yes
Yes
@<
Backspace
Yes
Yes
Yes
132
Administrator Guide
9. Advanced Configuration
The window types provided with SSOWatch allow you to enable SSO or account collect
(in Access Collector mode) in a wide range of applications. But there are some
applications that cannot be managed with these standard types. In this case,
SSOWatch proposes two solutions:
•
•
Custom Scripts that allow you to define precisely the actions to be performed
in a window or in an HTML page; it is even possible to call a function from an
external DLL.
The OLE/Automation interface that offers you the benefit of the SSOWatch
security data access management: with this approach, it is possible to entirely
redefine the methods of detection and actions while keeping the same
account-management, collection, secure-storage mechanisms.
9.1 Custom Scripts Plug-ins
The Custom Script and Custom Script HTML plug-ins open SSOWatch to some
applications not managed either by the standard or dedicated plug-ins. It offers a
"scripting logic" while keeping the same simple and user-friendly configuration interface
offered by SSOStudio. In addition, it is possible to call a function from an external DLL.
• The Custom Script HTML plug-in is deprecated. Use only the Custom Script
plug-in to create new scripts.
• You may use the Custom Script HTML plug-in only to modify windows
defined through this plug-in.
• To migrate windows created with the Custom Script HTML plug-in, create the
same windows using the Custom Script plug-in.
They use the same detection mechanisms already used for this kind of window in the
Standard plug-in. The detection property page is the same.
However, you can select the combo box by passing the cursor over the text area or by
clicking the button displaying all the different choices.
The difference is in the Actions tabbed page of the Windows Properties window that
allows you to create a logically ordered list of specific actions.
The main behavior of the window (Login, Bad Password, New Password or New
Password Confirmation window) is automatically deduced from the configured actions,
except for Bad Password, which must be manually specified.
133
9.1.1 Basic Concepts
9.1.1.1 Scripting Logic
Actions are executed one after the other. Their execution is based on a True or False
state, which is transmitted to each action, and sometimes modified by some of them. An
action is executed only if its state (Condition) corresponds to the current state, or if no
state is specified for this action (No condition).
The initial state of an action is True.
The following table summarizes the behaviors by indicating whether an action is
performed on the basis of its execution condition and the current state. The symbol "
" means that the action is performed.
STATE CONDITION
TRUE
FALSE
None
True
False
This logic allows you to manage simple actions of the If…Then…Else… type.
9.1.1.2 Data "Buffer"
All the actions include a context that contains the following data:
•
•
•
•
•
•
•
•
The current state: this can be modified by any action, thus affecting the
execution of the next actions.
The Handle of the currently processed window.
A memory Buffer allowing data to be passed between actions.
The identifier of the connected application user.
The associated password.
The value of the last recovered SSO parameter (other than the identifier and
the password).
The account associated with the application in the security database.
A pointer to custom user data.
The context data is maintained in a data buffer that is initialized before each Script
execution in the following way:
•
•
•
134
The current state is set to True.
The window Handle is initialized with the handle of the currently processed
window.
The memory buffer is empty.
Administrator Guide
•
•
The identifier, password, and service name are initialized with current values.
If the window has the value "Bad password", the user is requested to provide
the correct password during this step.
The pointer to custom user data is set to NULL.
9.1.2 The Actions Tab
By default, the Actions tabbed page is empty. The following figure shows an example
of a filled in Actions tabbed page.
The list of actions to be performed is displayed in a read only state, and a check box
allows you to specify whether or not this window manages bad passwords. To build or
edit a script, you must use the Script Editor.
135
9.1.3 Script Editor
The Script Editor window is made up of four parts:
•
•
•
•
A toolbar.
An actions list.
A dynamic panel allowing you to edit selected action parameters.
The OK and Cancel buttons.
The actions list has three columns:
•
•
•
The actions.
The execution condition (or state).
The actions parameters.
9.1.3.1 Script Editor Toolbar
The toolbar allows you to create new actions, modify their execution conditions, and
move actions.
ICON
DESCRIPTION
Create a new action placed after the first selected action
Delete one or several action(s)
Move up one (or several) action(s)
Move down one (or several) action(s)
136
Administrator Guide
ICON
DESCRIPTION
Modify the execution condition to Always execute
Modify the execution condition to Execute if True
Modify the execution condition to Execute if False
9.1.3.2 Script Editor Actions
The action creation icon in the toolbar displays a menu with a list of all the available
actions. The table below summarizes the available actions, showing the correspondence
between the two types of plug-ins (Custom Script and Custom Script HTML).
ICON
CUSTOM SCRIPT
CUSTOM SCRIPT HTML
Send Key/String
Send String to Form Field
Send SSO parameter
Send SSO Parameter to a field
Send Command Message
Not Available.
Send a JavaScript
Send a JavaScript
Get Control Text
Get Field Text
Get SSO parameter
Get SSO parameter
Click Button
Send an HTML event
Select Item in list
Select Item in an HTML List
Call External Function
Call External Function
Sleep
Sleep
Compare
Compare
Return
Return
Special Event
Special Event
Create a Label
Create a Label
Jump to Label (Goto)
Jump to Label (Goto)
Display a message box
Display a message box
Input box
Input box
137
The rest of this subsection describes the different actions; each action description is
introduced by a table summarizing its main characteristics:
•
•
•
The action’s name and its icon.
Properties associated with the action.
Information as to whether or not the action modifies the buffer and/or state.
[Icon] Action name
Modify state
Modify buffer
Description
Send Key/String (Custom Script only)
Modify state
Modify buffer
This action allows you to send characters (keyboard keys or strings) to a target window (the
window being the primary, active window) or to a target control field/button in a window.
In the Target area, it is strongly recommended to select Send to the Control (use the target
icon button to select the control field). If it is not possible, that is if the window has no control
fields or buttons it is better to select Send to the Window than Focused Window. Then, if
necessary, modify the sending method (it is recommended to use the Automatic method. If
it does not work, try another method depending on your application).
In the Send Key/String area, define the characters you want to send in the target window:
• Select Key to send keyboard keys, as Enter, Tab, SHIFT+Tab, Space, Escape for
example.
To send an additional key, select None, Shift, Alt, or Control from the Additional
key dropdown list.
• Select String and fill in the field to send a specific string.
• Select Buffer to send the memory buffer content.
138
Administrator Guide
Send String to Form Field (Custom Script HTML only)
Modify state
Modify buffer
This action allows you to send strings to a target form field in an HTML page.
In the Target area, use the HTML target button to fill in the field (the HTML page containing
the target form field must be displayed).
In the Send Key/String area, define the string you want to send in the target HTML form field:
• Select Buffer content to send the memory buffer content.
• Select String and fill in the field to send a specific string.
Send SSO Parameter (Custom Script only)
Modify state
Modify buffer
This action allows you to send an SSO parameter of a user account to a target window (the
window being the primary, active window) or to a target control field/button in a window.
For details on the Target area, please see the Send Key/String action above.
In the Parameter to Send area, define the SSO parameter you want to send:
• Identifier: the user identifier for the current application.
• Password: the associated password of the user identifier.
• New Password: a new password. In this case, the window is considered to be a
NewPassword window type.
• Confirm Password: the confirmation of the new password. In this case, the window is
considered to be a ConfirmPassword window type.
• Custom Parameter: to activate this option, you must define a parameter at the
Application level (for details, see Section 3.6.2.5, ""Parameters" Tab").
• Do not prompt for user account: you can select this option if the user has several
accounts.
The transmitted SSO parameter is copied to the memory buffer.
139
Send Command Message (Custom Script only)
Modify state
Modify buffer
Read carefully the instructions written in the Send command message area.
Send a JavaScript
Modify state
This action enables you to send a JavaScript if the address bar is displayed in
Firefox and Internet Explorer.
Send an HTML event (Custom Script HTML only)
Modify state
Sends an event (navigation, button click, item to be checked or execution of a JavaScript) to
the active HTML browser)
This action is paticularly useful if you want to execute JavaScript code.
Get Control Text (Custom Script only)
Modify state
Modify buffer
This action reads the text contained in a targeted control field. The recovered text is also
copied to the memory buffer.
140
Administrator Guide
Get SSO Parameter (Custom Script and Custom Script HTML)
Modify state
Modify buffer
This action retrieves the value of an SSO parameter of a user account (identifier,
password…) and copies it to the memory buffer. For a description of the options, see the
Send SSO Parameter action above.
Click Button (Custom Script only)
Modify state
Modify buffer
This action allows you to simulate a mouse click on:
• A targeted button or on a targeted check box;
• Any specific field in the window.
If you have targeted a check box, do not forget to select Change the button state
and click either Check or Uncheck depending on your needs.
Select the Perform double click check box if you want to enable double click to
select the value of a field.
141
Select Item in List (Custom Script) or Select Item in an HTML List
(Custom Script HTML)
Depending on the selected Selection Mode, the
interface of this window is slightly different:
Modify state
• By Item Number:
• By Parameter:
Modify buffer
• By Item Label:
This action allows you to select an element from a list. The list must be targeted with the
target icon. The supported list types are:
• ListBox.
• ComboBox.
• ComboBoxEx32.
The selection can be performed by:
• Item Number: the element number (position) to select, 0 being the first.
• Parameter: the parameter is defined at the Application level (for details, see
Section 3.6.2.5, "Parameters" Tab.
• Item Label: a text string to look for in the list.
142
Administrator Guide
Call External function (Custom Script and Custom Script HTML)
Modify state
Modify buffer
This action allows you to call a function in an external DLL.
Click the Search button to choose the DLL.
Enter the function name in the Function field. If the function is found in the DLL, the indicator
turns green. Otherwise, it remains red.
When SSO is implemented, the DLL will first be looked for in the PATH associated with the
connected user’s environment. If it is not found, it will be looked for in the same directory as
the one used during the configuration process.
For more details on how to write external procedures, see Section 9.2, Extension DLL.
Sleep (Custom Script and Custom Script HTML)
Modify state
Modify buffer
This action suspends SSOWatch Engine for the time specified (in milliseconds). Two buttons
(500 ms and 1000 ms) allow you to quickly configure the most common wait times.
Compare (Custom Script and Custom Script HTML)
Modify state
Modify buffer
This action compares the memory buffer contents with a given character string. The
comparison is case sensitive.
The state is then modified, depending on the result of this comparison – True if the string is
found, False otherwise.
143
Return (Custom Script and Custom Script HTML)
Modify state
Modify buffer
You must use Return actions to stop the script. It returns one of the following status:
• OK: no problem.
• SSO Done: the identifier and/or password or parameters have been successfully sent to
the application. This stop code should be used in all the custom scripts that use the Send
SSO Parameter function (identifier, password).
• Disable the Window: SSOWatch ignores the window.
• Disable the Application: SSOWatch ignores the application.
Special Event (Custom Script and Custom Script HTML)
Modify state
Modify buffer
This action allows you to trigger one of the events listed in the Special Event area.
The Resynchronize user password event allows you to display the SSOWatch
Change Password window, which allows you to change also the user's login.
Create a Label (Custom Script and Custom Script HTML)
Modify state
Modify buffer
This action allows you to create a label in the custom script, to manage conditional
operations. You must use this action if you want to use the Jump to Label (Goto) action.
144
Administrator Guide
Jump to label (Goto) (Custom Script and Custom Script HTML)
Modify state
Modify buffer
This action is only available if you have already defined a Create a Label action. It allows
you to define a jump in your custom script. It is strongly recommended to use this action in
association with a condition (True/False), to avoid infinite loops.
Display a message box (Custom Script and Custom Script HTML)
Modify state
Modify buffer
This action allows you to display a message box in order to ask a question to the user. Use
the available options to define the content of your message box.
If the user can click No or Cancel, the state is set to False.
Click the Buffer content radio button to enable the user to see the content of the buffer. This
feature enables the user to see his login and password.
You can use this action to check if a window is detected or to check that the return
code of an external function is OK, in order to adjust a Custom Script.
Input box (Custom Script and Custom Script HTML)
Modify state
Modify buffer
This action allows you to define an input box. Select Allow value selection from list or
combobox if you prefer to display a list of items the user can select rather than a standard
input field where he can enter any text.
145
9.2 Extension DLL
An SSOWatch extension library sample can be found on the SSOWatch CDROM
(CustomDllSample)
To be included in an SSOWatch script, an external function must respect the
following rules:
•
•
•
•
•
•
•
It must publish a C interface.
It must accept a single parameter that is a pointer to a SSOWatchSSOData
data structure.
It must return a specific return code.
It must be able to read and modify the memory buffer.
It must be able to read and modify the current state.
It must not modify other fields that are read only in the SSOWatchSSOData
structure.
All these elements are defined in the C/C++ header files
SSOWatchSSOData.h and SSOWatchWindows.h.
9.2.1 Function Prototyping
An external function must use the prototype:
extern « C » DWORD (*)(SSOWatchSSOData *)
9.2.2 SSOWatchSSOData Structure
The following structure defines the SSOWatchSSOData structure provided as a
parameter to the external function. This structure contains the data that is carried from
one action to another:
struct SSOWatchSSOData
{
};
146
int
m_nVersion;
// R
BOOL
m_bState;
// RW
HWND
m_hWnd;
// R
TCHAR
m_szBuffer[SSOWATCHSSODATA_BUFFERLEN+1];// RW
TCHAR
m_szIdentifier[SSOWATCHSSODATA_IDLEN+1];// R
TCHAR
m_szPassword[SSOWATCHSSODATA_PWDLEN+1]; // R
TCHAR
m_szParam[SSOWATCHSSODATA_PARAMLEN+1];
// R
LPCTSTR m_szCredential;
// R
void
*m_UserData;
// RW
void
*m_pInternal;
// --
void
*m_pInternalCred;
// --
void
*m_pIternalInstance;
// --
Administrator Guide
The version number (m_nVersion) indicates the version of this structure. It can change
between versions of SSOWatch. It must be compared to
SSOWATCHSSODATA_VERSION.
The state (m_bState) indicates the state of the last action (TRUE or FALSE) and can be
modified to change the execution of the next actions.
m_hWnd contains the handle of the currently processed window. It should not be
modified. It can be used to call Win 32 functions that need a window handle as a
parameter.
m_szBuffer is the memory buffer. It can be modified if required.
m_szCredential, m_szIdentifier and m_szPassword respectively contain the
name of the service associated with the application being processed, and the identifier
and password of the user for this service. These parameters should not be modified.
m_szParam contains the last SSO Parameter retrieved with the "Get SSO" action.
None of these fields should be modified.
m_szCredential contains a string in the form: Account="…"
m_UserData is a pointer to custom user data, and is not used by SSOWatch (except of
course by external functions). It remains valid during the entire execution of the same script
The members: m_pInternal, m_pInternalCred and m_pInternalInstance
should not be modified. There are reserved for internal use by SSOWatch.
9.2.3 Return Code
The function must return a code that is a combination of one of the values in the
following table together with the code SSORET_STOP if the script must be stopped.
CODE
DESCRIPTION
SSORET_OK
The function ended with no error.
SSORET_SSODONE
The function ended with no error and SSO
has been done.
SSORET_PASSWORDERROR
An error occurred during password
management.
SSORET_NOREGISTRATION
The user is not registered for the application.
SSORET_PARAMETERERROR
An error occurred during the recovery of an
SSO parameter.
SSORET_WRONGWINDOWSEQUENCE
This window should not have been processed
in this context (for example, bad password
window found before the logon window).
SSORET_SSOALREADYDONE
SSO has already been executed for this
window.
147
CODE
DESCRIPTION
SSORET_WAITFORPASSWORDCHANGE
The application is waiting for a confirmation of
password update.
SSORET_PASSWORDCHANGED
The password has been changed.
SSORET_REMOTEERROR
An error occurred during access to the
security database.
SSORET_WINDOWERROR
An error occurred while the current window
was being processed – the window will be
disabled.
SSORET_APPLICATIONERROR
An error occurred while the current
application was being processed – the entire
application will be disabled.
SSORET_USERCANCELLED_INSTANCE
User has disabled SSO for this application
instance.
SSORET_USERCANCELLED_APPLICATION
User has disabled SSO for this application.
148
Administrator Guide
10. OLE/Automation Interface
For some specific applications like line terminal emulators, or applications that cannot
be configured with any of the SSOWatch window types, SSOWatch provides an
OLE/Automation interface.
SSOWatch Engine behaves like a COM server and accepts calls from several clients.
These clients connect with the COM protocol, or use high-level programming languages
like Visual Basic, or any language that supports this kind of programming interface
(most terminal emulators like Hummingbird Exceed or AttachMate Extra do). You may
also use this interface from any C/C++ program.
Clients connecting to SSOWatch Engine use the active SSOWatch configuration and
benefit from SSOWatch application behavior management and password policies.
By default, access to SSOWatch objects using OLE/Automation interface is forbidden.
You have to explicitly authorize this action in the general options of the application
object.
For security reasons, you must specify a password in the configuration to protect
access.
10.1 Definition of SSOWatch OLE/Automation
Interface
The OLE/Automation interface provides two types of objects:
•
•
An object that represents SSOWatch Engine. This object is the connection
point to this interface. Through this object you can access Application objects.
Application objects that give access to the application’s security information:
login identifier, password, optional parameters. Application objects can
manage the synchronization of these parameters.
149
10.2 The ISSOEngine Interface
ISSOEngine provides the GetApplication2 and the GetSSOEngineState functions.
The GetApplication function is obsolete and should not be used.
10.2.1 GetApplication2
Description
The function returns an interface pointer to ISSOApplication, unless the application is
not found in the SSOWatch configuration or the challenge is not matched or this
application is not configured to allow OLE/Automation access to its security information.
When more than one account is associated with an application, SSOWatch asks the
user to choose which account SSOWatch must use during this session. This choice will
be kept until the interface pointer to ISSOApplication is released. The only way to
change account is to use GetApplication2 again.
Prototypes
C/C++:
HRESULT GetApplication2(/*[in]*/
BSTR strAppName,
/*[in]*/
BSTR strChallenge,
/*[in]*/
LONG hWnd,
/*[out]*/ IDispatch *pIDispatch)
Visual Basic:
GetApplication2(strAppName as String,
strChallenge as String,
hWnd as Long) as Object
Parameters
150
•
strAppName is the name of the application as defined in the active
configuration of SSOWatch (for security purposes, this string is case
sensitive).
•
strChallenge is the password used to protect the OLE link. This password
must match the password defined in the applications settings of the
SSOWatch configuration.
•
hWnd is the window handle of the application where the OLE/Automation
script runs. This handle allows the blocking of input to the application window
when SSOWatch asks for security information, so that SSOWatch windows
will not appear under the application window (background). If this information
is not available or you do not know how to get it, provide the value 0.
Administrator Guide
Return Value
Returns a pointer to the ISSOApplication interface.
Example
Dim oSSO, oApp As Object
Set oSSO = CreateObject (“SSOEngine.SSOEngine”)
Set oApp = oSSO.GetApplication2 ("MyApplication","Password",0)
10.2.2 GetSSOEngineState
Description
This function returns values corresponding to the state of the SSOWatch engine.
Prototypes
•
C/C++:
HRESULT GetSSOEngineState(/*[out]*/ LONG *plSSOEngineState)
•
Visual Basic:
Get SSOEngineState () as Long
Parameters
No parameters.
Return Value
Returns the state of the SSOWatch engine, as described in the following table:
RETURN VALUE
ENGINE STATE
0
Started
2
Stopped
4
Suspended
151
10.3 The ISSOApplication Interface
Once the ISSOApplication interface pointer has been obtained the following methods
(or functions) and properties (or parameters) are available:
METHOD
PROPERTIES
GetSSOParameter
LoginID
GetNewPassword
Password
GetUserApplicationPassword
Get_IsExpired
10.3.1 Properties
10.3.1.1 The LoginId Property
Description
Read-only property that returns the account name associated with the application.
Prototypes
•
C/C++:
HRESULT get_LoginId([in] LONG hWnd, [out] BSTR *pVal)
•
Visual Basic:
app.LoginId(hWnd As Long) As String
Parameters
hWnd is the window handle of the application where the OLE/Automation script runs.
This handle allows the blocking of input to the application window when SSOWatch
asks for security information, so that SSOWatch windows will not appear under the
application window (background). If this information is not available or you do not know
how to get it, provide the value 0.
Return Value
Name of the account associated with the application.
152
Administrator Guide
10.3.1.2 The Password Property
Description
Read/Write property for getting or setting the application password.
Prototypes
•
C/C++:
HRESULT get_Password(/*[in]*/ LONG hWnd, /*[out]*/ BSTR *pVal)
HRESULT put_Password(/*[in]*/ LONG hWnd)
•
Visual Basic:
app.Password(hWnd As Long) As String
Parameters
Return Value
Password of the application.
10.3.2 Methods
10.3.2.1 The GetSSOParameter Method
Description
Method that returns an SSO parameter whose name is in strParameterName. The
strParameterDesc parameter is a user-friendly description if SSOWatch needs to
prompt the user for the parameter value.
Prototype
•
C/C++:
HRESULT GetSSOParameter(/*[in]*/
LONG hWnd,
/*[in]*/
BSTR strParameterName,
/*[in]*/
BSTR strParameterDesc,
/*[out]*/ BSTR *pVal)
•
Visual Basic:
app.GetSSOParameter(hWnd As Long,
strParameterName As String,
strParameterDesc As String) As String
153
Parameters
Return Value
Returns the SSO parameter.
10.3.2.2 The GetUserApplicationPassword Method
Description
This method collects the password of the running application and returns the password
entered by the user.
Prototype
•
C/C++:
HRESULT GetUserApplicationPassword(/*[in]*/
LONG hWnd,
/*[out]*/ BSTR *pVal)
•
Visual Basic:
GetUserApplicationPassword(hWnd As Long) As String
Parameter
Return Value
Returns the password as a string.
10.3.2.3 The GetNewPassword Method
Description
Prompts the user for a new password (or creates a new one automatically, following the
password policy) for the running application.
Remember that you must call the Password property when you use this method to
save the new password.
154
Administrator Guide
Prototypes
•
C/C++:
HRESULT GetNewPassword(/*[in]*/
LONG hWnd,
/*[out]*/ BSTR *pstrPassword)
•
Visual Basic:
app.GetNewPassword(hWnd As Long) As String
Parameter
Return Value
Returns a new password for the running application.
Example
NewPassword$ = oApp.GetNewPassword(0)
oApp.Password(0) = NewPassword$
// Asks for a new password.
// Saves the new password.
10.3.2.4 The get_IsExpired Method
Description
This method allows you to know if the password has expired. It must be used after the
GetNewPassword method.
Prototypes
•
C/C++:
HRESULT get_IsExpired(/*[in]*/
LONG hWnd,
/*[out]*/ BOOL *pbExpired)
•
Visual Basic:
app.get_IsExpired(hWnd As Long) As BOOL
Parameter
Return Value
Returns True if the password has expired.
155
10.4 Code Example
To use these interfaces, you must first connect to SSOWatch Engine. To do this, you
must create an "SSOEngine.SSOEngine" object:
Dim oSSO, oApp
Set oSSO = CreateObject(“SSOEngine.SSOEngine”)
Returns an interface pointer to ISSOEngine that allows you to call the GetApplication2
method:
Set oApp = oSSO.GetApplication2(« AppName », « password », 0)
Then you can use the security information:
Wscript.Echo « Login: » & oApp.LoginId(0)
Wscript.Echo « Password: »
& oApp.Password(0)
When you finish, you must free the objects (if not, SSOWatch will not be stopped safely):
Set oApp = Nothing
Set oSSO = Nothing
10.5 Return Codes
Return codes are HRESULT with the FACILITY_ITF feature.
DEFINE
VALUE
MEANING
SSOAPI_OK
0
OK.
SSOAPI_INVALID_SERVICE
1
Account or Service empty.
SSOAPI_ACCESS_DENIED
2
No Account exists.
SSOAPI_SUBAPI_ERROR
3
Generic error from User Provisioning
underlying API.
SSOAPI_INVALID_SERVICE_TYPE
4
Invalid Service Type (User
Provisioning only).
SSOAPI_UNKNOWN_ERROR
5
Unknown error.
SSOAPI_MEMORY_FAILED
6
Out of memory.
SSOAPI_INVALID_PASSWD
7
Invalid password: this return code is
managed by the OLE/Automation API.
SSOAPI_UNKNOWN_PARAMETER
8
Unknown parameter.
SSOAPI_INVALID_PARAM_NAME
9
Invalid parameter name.
SSOAPI_INVALID_FLAG
10
Internal.
156
Administrator Guide
DEFINE
VALUE
MEANING
SSOAPI_SERVICE_NOT_FOUND
11
Service not found for the system type
provided. Similar to
ACCESS_DENIED.
SSOAPI_SERVER_ERROR
12
Error while accessing the security
server.
SSOAPI_PASSWD_NOT_CHANGED_YET
13
The password change is not taken
into account yet.
SSOAPI_NOMOREAPP
14
No more applications in the
application list.
SSOAPI_NOTREADY
15
Not ready (for example: smartcard
removed).
SSOAPI_UNKNOWN_APPLICATION
16
Unknown application.
SSOAPI_CANCELLED_BYUSER
17
Application instance disabled by the
user.
SSOAPI_CANCELLED_BYUSER_APPLICATION
18
Application disabled by the user.
SSOAPI_DISABLED_APPLICATION
19
The application is already disabled.
157
A. Cache and Application Data
Update Tuning
You can enable the use of the cache and asynchronous updates though the User Profile
(either using Enterprise SSO Console or Token Manager depending on your E-SSO
solution, for more information, see Appendix Enterprise SSO Console Administrator
Guide or Appendix Enterprise SSO Token Manager Administrator Guide).
The following sub-sections give information on how to tune the cache (when enabled)
and configure asynchronous updates on your E-SSO workstations.
A1. Cache and Application Update Mechanism
A.1.1 Cache Mechanism
Subject
Because LDAP directory servers may be unavailable (offline work on a laptop, failure of
the servers or network), the SSO engine can create a cache when it works in LDAP
storage mode.
The cache is created on the user's workstation upon the user authentication. It contains
the following data:
•
User data:
• Technical definitions of the declared applications: application objects, window
types, default PFCP, default Application profile.
• User Accounts.
• User Profile (configured using Token Manager or E-SSO Console depending
on your E-SSO suite).
•
Access Point data:
•
•
•
•
•
Installation mode.
Target base.
Authentication type.
Authentication method.
Application data
• Applications
• Technical definitions
• Application parameters
158
Administrator Guide
•
•
•
•
Application profiles
Password format control policies
Password change policies
Time-slices (only in Console mode).
Location
This cache is located in the following registry key:
HKLM\Software\Enatel\WiseGuard\Framework\Cache\CacheDir.
Offline Work
When servers are unavailable, queries are made on the cache. Queries that modify the
cache are recorded so they can be replayed when a server becomes available.
Online Work
The cache is also used to reduce the number of queries between SSOWatch Engine
and LDAP directory servers. So even if the LDAP directory servers are available, the
cache is used and works as a buffer:
•
When SSOWatch Engine starts or is reset, the cache is synchronized with the
server data.
• To force the synchronization, restart SSOWatch Engine.
• You can disable the synchronization of the User Account data by setting a non
null value in
HKLM\Software\Enatel\WiseGuard\Framework\Authentication\
CacheSynchroWithAuth
•
•
•
Once stored in the cache, the data is considered valid for a configurable
period of time, and no query is sent to the server during this period (for details,
see Section A.2, Cache and Update Timing Parameters.
If the data is not found in the cache, or needs to be refreshed, the server is
queried.
All modifications to the data (creation, changes, deletion) are immediately
copied to the server (if possible) and in the cache.
A.1.2 Asynchronous Update Mechanism
Subject
The asynchronous update of the application data on the workstations (LDAP storage
mode only) avoids the update during the user’s authentication. Thus, the network and
the directory are not massively loaded during critical hours (for instance, mornings at 9)
and user’s authentication duration decreases.
159
Tuning Parameters
The registry key values detailed in Section A.2, Cache and Update Timing
Parameters.allow you to:
•
•
•
Activate asynchronous update.
Set a random latency period before the first update, to avoid an over-load
during the deployment.
Set time slices, during which workstations are allowed to perform
asynchronous update.
Mechanism
When the workstation is starting up, it checks if application data in cache is available.
Indeed asynchronous update may have been bypassed if the workstation was off during
a too long period or during each defined time-slice.
If data are not up to date:
•
If time slices are defined:
• If current time is in time-slice, update is performed.
• If current time is not in time-slice, the update will be performed at next timeslice, by choosing a random time in it.
•
If no time slice is defined, update is performed.
At the time of asynchronous update, the directory may be unavailable. In this case update
is retried later when the directory is available and according to possible time-slice.
A.2 Cache and Update Timing Parameters
Full version Parameters
You can modify the cache and application data update timing parameters by editing
values located in the following registry keys:
HKLM\Software\Policies\Enatel\WiseGuard\Framework\Cache.
HKLM\Software\Enatel\WiseGuard\Framework\Cache.
The second key must be set on every computer, while the first key (Policies) can
be set with centralized parameters (for more details, see Appendix Enterprise
SSO Advanced Installation and Configuration Guide).
160
Administrator Guide
The cache timings can be set with these values:
VALUE
DEFAULT
MIN
DESCRIPTION
Directory
PingPeriod
30
1
Time in seconds between two LDAP
directory connection checks.
Performance
CacheDelay
10
0
Duration of cache data validity. Time in
seconds.
The data linked to the User Profile is
refreshed when the cache data
validity expires.
Cache directory.
CacheDir
AccessPointCache
(E-SSO Console mode
only)
1
UserCache (E-SSO
Console mode only)
1
Cache availability on Access Points:
• 0 Off
• 1 On
User cache availability.
• 0 Off
• 1 On
Period (in days) between two updates of
the application data on the workstation (for
asynchronous update).
ApplicationData
UpdatePeriod
Only applies for applications of the
workstation's domain.
ApplicationData
UpdateLatency
0
If activated, the workstation chooses a
random latency period before updating its
application data, between zero and the
update period (and during chosen timeslice if defined).
• 0: off
• non null: on
If multiple workstations are installed
simultaneously (and during time-slice if
defined), the application data is
downloaded from all these workstations.
This value avoids an over-load during
the deployment, and creates an interval
between the updates.
ApplicationData
UpdateBeginTime
Starting time (in minutes) of the time-slice
during which the update of the application
data on the workstation is allowed.
Must be less than or equal to 1440.
Example: 1260 (9 pm)
ApplicationData
UpdateEndTime
Ending time (in minutes) of the time-slice
during which the update of the application
data on the workstation is allowed.
Must be less or equal to 1440.
Example: 300 (5 am)
161
Read this note if you use Group Policies (see Appendix Enterprise SSO
Advanced Installation and Configuration Guide):
The PerformanceCacheDelay value is overwritten by the Group Policy WGSS.
Network cache: PerformanceCacheDelay. If you change the Group Policy, the
information is propagated by Microsoft and the delay depends on servers' topology
(time servers' replication).
Access Collector Mode Parameters
The following registry keys allow you to configure the asynchronous directory update of
collected accounts, for SSOWatch used in Access Collector mode:
•
HKLM\Software\Enatel\WiseGuard\Framework\Cache\
SelfRegistrationUpdatePeriod
Period (in minutes) between two updates of the collected SSO accounts from
the workstation cache into the directory, in an asynchronous way.
If this value is set to 0 or not defined, the update is done automatically each
time an account is collected.
•
HKLM\Software\Enatel\WiseGuard\Framework\Authentication\
CacheSynchroWithAuth
In case of a roaming context (shared workstations, Citrix systems), this option
forces a synchronous update of the cache at logon:
• 0: deactivated.
• ≠ 0: activated.
162
Administrator Guide
About Quest Software, Inc.
Now more than ever, organizations need to work smart and improve efficiency. Quest Software
creates and supports smart systems management products—helping our customers solve everyday
IT challenges faster and easier. Visit www.quest.com for more information.
Contacting Quest Software
Phone
949.754.8000 (United States and Canada)
Email
[email protected]
Mail
Quest Software, Inc.
World Headquarters
5 Polaris Way
Aliso Viejo, CA 92656
USA
Web site
www.quest.com
Please refer to our Web site for regional and international office information.
Contacting Quest Support
Quest Support is available to customers who have a trial version of a Quest product or who have
purchased a Quest product and have a valid maintenance contract. Quest Support provides
unlimited 24x7 access to SupportLink, our self-service portal. Visit SupportLink at
http://support.quest.com/
From SupportLink, you can do the following:
•
•
•
Retrieve thousands of solutions from our online Knowledgebase
Download the latest releases and service packs
Create, update and review Support cases
View the Global Support Guide for a detailed explanation of support programs, online services,
contact information, and policy and procedures. The guide is available at: http://support.quest.com.
163

Enterprise Single Sign-On 8.0.3 – SSOWatch Administrator Guide

Transcription

Similar documents

DVU Log-in Credentials

Teacher Pages

parents! - First In Math

New to Neat Repeatz? Get Started in 2 Easy Steps!

Laxmi Khattri [email protected]

Security Password Form

New Parent access HO - Delaware City Schools

Setting up Accounting information from PrintNet

1. Go to ezlm.adp.com and click the

Registration - Facultad de Derecho