e-sso 803 gettingstartedssowatch

Upload: wolalo

Post on 03-Apr-2018


  • 7/29/2019 E-SSO 803 GettingStartedSSOWatch


    Getting Started with SSOWatch

    8.0.3 Enterprise Single Sign-On


    Copyright 1998-2009 Quest Software and/or its Licensors ALL RIGHTS RESERVED.

    This publication contains proprietary information protected by copyright. The software described in this publication is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical or otherwise without the prior written permission of the publisher.

    DISCLAIMER

    The information in this publication is provided in connection with Quest branded products from Evidian. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this publication. EXCEPT AS OTHERWISE SPECIFIED IN THE END USER LICENSE AGREEMENT FOR THIS PRODUCT, EVIDIAN AND QUEST ASSUME NO LIABILITY WHATSOEVER AND DISCLAIM ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO THIS PRODUCT, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL EVIDIAN OR QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS PUBLICATION, EVEN IF EVIDIAN OR QUEST HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Evidian and Quest make no representations or warranties with respect to the accuracy or completeness of the contents of this publication and reserve the right to make changes to specifications and product descriptions at any time without notice. Evidian and Quest do not make any commitment to update the information contained in this publication. The information and specifications in this publication are subject to change without notice.

    Trademarks

    Quest, Quest Software, the Quest Software logo, Aelita, AppAssure, Benchmark Factory, BigBrother, DataFactory, DeployDirector, ERDisk, Foglight, Funnel Web, I/Watch, Imceda, InLook, IntelliProfile, InTrust, IT Dad, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, NBSpool, NetBase, Npulse, PerformaSure, PL/Vision, Quest Central, RAPS, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL LiteSpeed, SQL Navigator, SQL Watch, SQLab, Stat, Stat!, StealthCollect, Tag and Follow, Toad, T.O.A.D., Toad World, Vintela, Virtual DBA, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. The terms Evidian, AccessMaster, SafeKit, OpenMaster, SSOWatch, WiseGuard, Enatel and CertiPass are trademarks registered by Evidian. All other trademarks mentioned in this document are the property of their respective owners.

    World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656
    Website: www.quest.com
    Please refer to our website for regional and international office information.

    Quest Enterprise SSO

    Updated January 2010
    Software version 8.0.3


    CONTENTS

    About This Guide
        Access Management
    Conventions
    1. Overview
    2. Installing SSOWatch
        2.1 Starting the "Administration Tools" Interface
        2.2 Configuring the Workstation
        2.3 Installing SSOWatch on the Workstation
    3. Configuring SSOWatch to Enable Single Sign-On - A Step by Step Tutorial
        3.1 Enabling SSO for Yahoo! Mail Using the SSOWatch Wizard
        3.2 Enabling SSO for Lotus Notes Application Using SSOStudio
            3.2.1 Starting SSOStudio Personal
            3.2.2 Enabling SSO for Lotus Notes
            3.2.3 Saving the Configuration
        3.3 Going Further
    4. Using SSOWatch Engine
        4.1 Session Opening
        4.2 SSO Data Collection
            4.2.1 First Start of an SSO enabled application
            4.2.2 Password Update Request
        4.3 Displaying the SSOWatch Engine Popup Menu
        4.4 The SSOWatch Engine Management Module
            4.4.1 Opening the SSOWatch Engine Management Module
            4.4.2 User Account Management
        4.5 Activating, Suspending, Resetting the SSOWatch Engine
        4.6 Exiting SSOWatch
        4.7 Initializing the Emergency Access
        4.8 Using the Reset Password Feature
            4.8.1 Importing the Enterprise SSO Sample Certification Authority (First-Time Use)
            4.8.2 Resetting Your Primary Password
    About Quest Software, Inc.
        Contacting Quest Software
        Contacting Quest Support


    About This Guide

    Access Management

    Subject: This guide explains how to begin with SSOWatch. It describes how to install SSOWatch, how to quickly enable SSO and perform basic SSO operations.

    This guide does not apply to SSOWatch used in Access Collector mode.

    Intended Reader: End-users.

    Software/Hardware Required: Enterprise SSO - SSOWatch 8.0 evolution 3 and later versions.

    For further information about the operating systems and other software solutions mentioned in this guide, please refer to the Quest Enterprise SSO Release Notes.

    Supported Operating Systems: Enterprise SSO - SSOWatch runs only on Windows systems.


    Conventions

    In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references.

    ELEMENT: CONVENTION

    Select: This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.

    Bolded text: Interface elements that appear in Quest products, such as menus and commands.

    Italic text: Used for comments.

    Bold Italic text: Introduces a series of procedures.

    Blue text: Indicates a cross-reference. When viewed in Adobe Acrobat, this format can be used as a hyperlink.

    (icon): Used to highlight additional information pertinent to the process being described.

    (icon): Used to provide Best Practice information. A best practice details the recommended course of action for the best result.

    (icon): Used to highlight processes that should be performed with care.

    +: A plus sign between two keystrokes means that you must press them at the same time.

    |: A pipe sign between elements means that you must select the elements in that particular sequence.


    1. Overview

    Single Sign-On (SSO) is the functionality that allows users to sign-in (authenticate) only once during a whole session, no matter how many applications are being accessed. They can then access their data transparently, without the constraint of retyping a new user name/password couple.

    SSOWatch performs the SSO functionality by interfacing itself between a security system, where the security data is stored (in the form of user name/password couples) and the applications that require an authentication. It consists of two technical components:

    SSOWatch Engine, which performs single sign-on.

    SSOStudio, which allows you to configure SSOWatch. You will use it to "teach" SSOWatch Engine how to recognize the authentication windows of your web and Windows applications.

    For more information on SSOStudio, see Enterprise SSO - SSOWatch Administrator Guide.

    The present guide explains how to begin with SSOWatch. It describes how to install SSOWatch, how to quickly enable SSO and perform basic SSO operations with the SSOWatch Engine.


    2. Installing SSOWatch

    Subject

    SSOWatch is installable on a single workstation or deployable on all the workstations of an enterprise network. This section introduces the interactive installation on a single workstation.

    For information on implementing the directory mode and on enterprise-wide installation, see Enterprise SSO Advanced Installation and Configuration Guide.

    Before Starting

    Make sure you have a supported Windows version.

    Make sure you have a strong authentication device (smartcard, USB key, or biometrics).

    For details on the supported Windows versions and on the supported strong authentication devices, see Quest Enterprise SSO Release Notes.

    Make sure you have 25MB of available hard disk space.

    Make sure you have the license information supplied with the software.

    Close all running applications.

    Download the Enterprise SSO installation package from the Quest support website (http://www.quest.com/support).

    2.1 Starting the "Administration Tools" Interface

    Subject

    The Enterprise SSO Administration Tools is a task-oriented interface that allows you to configure and install your Enterprise SSO solution.


    Procedure

    1. Log on as system administrator.

    2. Once you have downloaded the Enterprise SSO Installation Package, run start.hta.

    The following window appears:

    If the window does not appear, do the following: from the E-SSO Installation Package, browse the Tools directory, run WGAdSetup\WGADSetup.exe, and go to Step 3 of the current procedure.

    3. In the E-SSO Advanced Installation area, click one of the following, depending on your Windows system processor:

    Enterprise SSO: for 32-bit processors.

    Enterprise SSO - x64: for 64-bit processors.

    The Administration Tools window appears.


    Each tool that you can run from the Administration Tools window is a wizard that allows you to perform a specific operation during the installation process of the Enterprise SSO databases.

    2.2 Configuring the Workstation

    Subject

    Before installing SSOWatch, you must configure the workstation so that it runs in standalone mode.

    Procedure

    1. Start the Administration Tools interface (see Section 2.1, Starting the "Administration Tools" Interface).

    To open the Configuration Assistant if the Administration Tools does not work properly, browse the installation package folder, double-click TOOLS\WGConfig\WGConfig.exe and go to step 4 of the current procedure.

    2. In the Select a task list, select Install software modules.

    3. In the Software Installation task list, click Configure workstation.

    The Configuration Assistant appears.


    4. Follow the instructions displayed in the wizard windows with the following guidelines:

    WHEN THIS WINDOW APPEARS: DO THE FOLLOWING

    First window (illustration not reproduced):
    1. Select Standalone.
    2. Click Next.

    Second window (illustration not reproduced):
    1. Select Stand-alone Windows workstation.
    2. Click Next.

    2.3 Installing SSOWatch on the Workstation

    Subject

    Once you have configured the workstation so that it runs in standalone mode, you can install SSOWatch as explained in the following procedure.

    Before Starting

    Configure the workstation to run in standalone mode (see Section 2.2, Configuring the Workstation).

    Install Microsoft Redistributables if it is not already set up on your workstation: in the Administration Tools interface, click Install Microsoft Redistributables.

    If you plan to install the SSOJava plug-in (which is an installation feature of SSOWatch, as shown in step 5 in the following procedure), a supported Java version must already be installed on your workstation (for more details about the supported JRE versions, see Quest Enterprise SSO Release Notes).


    Procedure

    1. Start the Administration Tools interface (see Section 2.1, Starting the "Administration Tools" Interface).

    To run the SSOWatch installation wizard if the Administration Tools does not work properly, browse the installation package folder, double-click INSTALL\SSOWatch.msi, and go to step 4 of the current procedure.

    2. In the Select a task list, select Install software modules.

    3. In the Software Installation task list, click Install E-SSO Client.

    The E-SSO Client installation wizard appears.

    4. Follow the displayed instructions.

    5. When the wizard prompts you to choose the installation type, choose Custom, click Next, and fill in the Select Features window as follows:

    Biometrics Enrollment tool: installs the biometrics enrollment wizard on the computer, which allows a user to enroll his/her biometric data for fingerprint authentication. For more information on the Enterprise SSO biometrics feature, see Enterprise SSO Advanced Login for Windows User Guide.

    Integration with Windows Authentication: launches transparently SSOWatch Engine at session startup using the user Windows credentials. If this feature is not installed, SSOWatch will be launched automatically, but it will ask the user for their credentials.

    Old IE Plugin: deprecated Internet Explorer plug-in that must only be installed for compatibility reasons with the previous WiseGuard versions.

    Java plugin: allows SSOWatch to access Java applications.


    If you select this feature, make sure a supported Java version is already installed on your workstation before launching the installation of SSOWatch.

    SSOStudio Personal: allows a single user to configure the applications for which he wants to enable SSO.

    SSOStudio Enterprise: dedicated to administrators: the SSO configuration is shared by a number of users.

    Fast User Switching: installs the Fast User Switching option, which allows authorized users to access their session from a workstation that has been locked by another user.

    6. Restart the workstation.

    The SSOWatch Engine icon appears in your Windows' system tray, which is located on the far right end of your task bar.


    3. Configuring SSOWatch to Enable Single Sign-On - A Step by Step Tutorial

    This section explains how to quickly enable SSO. We guide you through the steps required to configure SSO for a standard Windows application.

    To register an application for SSO, you can use one of the following SSOWatch tools:

    The SSOWatch Wizard, which is the easiest way to enable SSO for standard application windows.

    You will find a step-by-step tutorial to register the Yahoo! Mail example application in Section 3.1, Enabling SSO for Yahoo! Mail Using the SSOWatch Wizard.

    SSOStudio, which is the SSOWatch personal configuration editor for applications that cannot be configured with SSOWatch Wizard, or that require advanced settings.

    You will find a step-by-step tutorial to register the Lotus Notes example application in Section 3.2, Enabling SSO for Lotus Notes Application Using SSOStudio.

    3.1 Enabling SSO for Yahoo! Mail Using the SSOWatch Wizard

    Subject

    The SSOWatch Wizard is the easiest way to enable SSO. It helps you to declare the applications' authentication windows that must be automatically filled in by SSOWatch Engine. The parameters of applications defined this way make up a configuration for SSOWatch Engine.

    The SSOWatch wizard is suitable for standard authentication windows. For applications that cannot be configured through the SSOWatch wizard, you must use SSOStudio.

    We use Yahoo! Mail as an example, but you can follow the same procedure for almost all web applications.


    Before Starting

    Start Yahoo! Mail so that the authentication window appears, as shown in the following picture:

    Procedure

    1. In the Windows system tray, right-click the SSOWatch icon (in the notification area) and select Add application.

    The SSOWatch wizard appears.

    2. Fill in the wizard as follows:

    ACTION (illustrations not reproduced)

    Step 1: Select New Application.

    Step 2: Select Windows, and type in the name of your application.

    Step 3: Drag and drop the target button (1) onto the login field (as this is a web application) of the Yahoo! Mail authentication window (2) to fill in this window (3).

    Step 4: Continue drag and drop operations to fill in this window, as shown opposite.

    Step 5: Click Finish.

    The following window appears:

    3. Click Yes.

    The SSOWatch Security Data Collect window appears.


    4. Fill in this window as follows and click OK:

    Yahoo! Mail starts automatically. SSOWatch is now configured to detect and automatically fill in your Yahoo! Mail authentication window.

    If you mistyped the user name or password in the above window, the application does not start. In this case, you need to modify the credentials for the application, as explained in Section 4.4.2.1, Change Password.

    Why does the Security Data Collect window appear?

    At this step of the procedure, the SSOWatch Engine is running, and your Yahoo! Mail authentication window is still displayed. Although SSOWatch can detect the window, it cannot fill it in, as you have not provided your authentication information yet. That is the reason why the Security Data Collect window appears: the first time you start a declared application, SSOWatch requests your user name and password. This data is stored in a secured way by SSOWatch so it will be able to reuse it afterwards, without requesting any new data.

    3.2 Enabling SSO for Lotus Notes Application Using SSOStudio

    Subject

    SSOStudio Personal is the SSOWatch personal configuration editor. It provides an easy-to-use graphical interface for declaring the applications for which you want to enable single sign-on.

    You need to use SSOStudio for applications that cannot be configured with SSOWatch Wizard, but you can also use it for applications that have already been configured using SSOWatch Wizard, to modify or enhance their configurations.


    Restriction

    The following example works only with Lotus Notes 5 and later.

    3.2.1 Starting SSOStudio Personal

    Subject

    The following procedure explains how to start SSOStudio Personal.

    Procedure

    To start SSOStudio Personal, do one of the following:

    Click Start | Programs | Quest Software | Enterprise SSO | Personal SSOStudio

    Right-click the SSOWatch icon (in the notification area) and select Open SSOStudio.

    The Personal SSOStudio window appears.

    The application that we shall use as an example is Lotus Notes.

    3.2.2 Enabling SSO for Lotus Notes

    The following sub-sections describe how to register the Lotus Notes application using SSOStudio Personal.

    We use Lotus Notes as an example, but you can follow the same procedure for almost all authorized applications.

    3.2.2.1 Creating the Lotus Notes "Application" Object

    Subject

    This section describes how to quickly create the Lotus Notes Application object in your SSOStudio configuration.


    Procedure

    1. In the SSOStudio main window, right-click the Applications node and select New Application.

    The Application properties window appears.

    2. In the Properties tab, type "Lotus Notes" in the Application Name field:

    3. You do not have to change any other options. Click OK.

    The Lotus Notes Application object appears under the Applications node.

    3.2.2.2 Creating the Lotus Notes Authentication "Window" Object

    Subject

    This section describes how to quickly declare the Lotus Notes logon window in your SSOStudio configuration.


    Before Starting

    Start Lotus Notes to display the authentication window, as shown in the following picture:

    Procedure

    1. In the SSOStudio main window, right-click the Lotus Notes Application object that you have just created and select New Window.

    The Window properties window appears.

    2. Fill in the General tab as follows:

    In the Window name field, type Notes Logon.

    In the Window type field, select NotesLogin.


    3. Fill in the Detection tab as follows:

    All the fields are already pre-configured for Lotus Notes, and you would normally not have anything further to do. However, to show you how it works, we will describe how to configure the window manually.

    a) Launch the Lotus Notes application.

    b) In the Detection tab, click the target button and drag and drop it onto the title bar of your Lotus Notes authentication window.

    c) As many authentication windows could have the same title, we are going to configure an additional text that will be looked for in one of the fields of the window, to distinguish the Lotus Notes authentication window from the other ones:

    Select Look for text, and click the In Field sub-option.

    Using the small target button, indicate the field containing the text Enter the password of, as you did for the title detection window.

    The content of the field Look for text is automatically updated with the content of the selected field. In our case: Enter the password of John Smith/QUEST.

    Depending on your needs, you can erase the user's name to only keep the text Enter the password of. If it is not erased, SSO will only be enabled for the user connected during this detection session.


    4. Fill in the Actions tab as follows:

    All the fields are already pre-configured for Lotus Notes, and you would normally not have anything further to do. However, to show you how it works, we will describe how to configure the window manually.

    a) Using the upper small target icon, select the field containing the text Enter the password of, as you did during the detection configuration. The text in the following field is automatically updated.

    b) In this field, select the Lotus Notes identifier (First name/Last name/Unit/Organization) and click the button.

    c) Using the second small target icon, select the field where the password will have to be entered.

    d) Using the last small target icon, select the OK button.

    5. Click OK.

    The Notes Logon Window object appears under the Lotus Notes Application object.

    6. See Section 3.2.3, Saving the Configuration.
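
The Detection tab settings in step 3 above decide which windows receive the stored credentials, so it is worth checking a rule against the windows it should and should not match. The Python model below is an added example, not Quest or Evidian code: it compares a title-only rule, a rule that keeps the user name, and a rule with the user name erased. Exact title matching, substring matching for Look for text, the "Enter Password" title and every sample window other than the John Smith/QUEST text are assumptions made for the example.

```python
"""Simplified model of title + "Look for text" window detection.

Added example: not SSOWatch code. The matching semantics (exact title,
substring match on field text) are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Window:
    name: str      # label used only inside this example
    title: str     # title bar text
    fields: tuple  # text of the fields/labels inside the window


@dataclass(frozen=True)
class DetectionRule:
    title: str
    look_for_text: Optional[str] = None  # None models title-only detection

    def matches(self, window: Window) -> bool:
        if window.title != self.title:
            return False
        if self.look_for_text is None:
            return True
        return any(self.look_for_text in text for text in window.fields)


def evaluate(rule, windows, intended):
    """Return (missed, unintended).

    missed:     intended windows the rule fails to detect (SSO not enabled there)
    unintended: detected windows that should never be offered the credentials
    """
    detected = {w.name for w in windows if rule.matches(w)}
    return sorted(intended - detected), sorted(detected - intended)


# Constructed sample windows. Only the John Smith/QUEST text comes from the
# guide; the title and the other two windows are invented for the example.
WINDOWS = [
    Window("notes-john", "Enter Password",
           ("Enter the password of John Smith/QUEST", "")),
    Window("notes-jane", "Enter Password",
           ("Enter the password of Jane Doe/QUEST", "")),
    Window("other-app", "Enter Password",
           ("Password for archive.zip", "")),
]

# Assumption: every Lotus Notes user on this workstation should get SSO.
INTENDED = {"notes-john", "notes-jane"}

RULES = {
    "title only": DetectionRule("Enter Password"),
    "text with user name": DetectionRule(
        "Enter Password", "Enter the password of John Smith/QUEST"),
    "text without user name": DetectionRule(
        "Enter Password", "Enter the password of"),
}

if __name__ == "__main__":
    for label, rule in RULES.items():
        missed, unintended = evaluate(rule, WINDOWS, INTENDED)
        print(f"{label:24} missed={missed} unintended={unintended}")
```
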


    3.2.3 Saving the Configuration

    Subject

    Once you have saved your configuration, SSOWatch can detect the window you have just configured, as explained in the following procedure.

    Procedure

    1. Click the (Save) button located in the SSOStudio toolbar.

    The following window appears:

    2. Click Yes.

    The SSOWatch Security Data Collect window appears.

    3. Fill in this window as follows and click OK:

    Lotus Notes starts automatically. SSOWatch is now configured to detect and automatically fill in your Lotus Notes authentication window.

    If you mistyped the user name or password in the above window, the application does not start. In this case, you need to modify the credentials for the application, as explained in Section 4.4.2.1, Change Password.


    Why does the Security Data Collect window appear?

    At this step of the procedure, the SSOWatch Engine is running, and your Lotus Notes authentication window is still displayed. Although SSOWatch can detect the window, it cannot fill it in, as you have not provided your authentication information yet. That is the reason why the Security Data Collect window appears: the first time you start a declared application, SSOWatch requests your user name and password. This data is stored in a secure way by SSOWatch, so it will be able to reuse it afterwards, without requesting any new data.

    3.3 Going Further

    There you are! You have configured and enabled your first SSO using SSOWatch Wizard and the SSOWatch SSOStudio Configuration Editor.

    Using the same steps and procedures, you can configure other types of application and authentication windows.

    The detection modes for other applications are different. For more details, see Enterprise SSO - SSOWatch Administrator Guide.


    4. Using SSOWatch Engine

    This section describes SSOWatch from the user point of view. This covers basic SSO operations: SSO data collection, and SSO engine management.

    4.1 Session Opening

    If you have installed SSOWatch as described in Section 2, Installing SSOWatch, the SSOWatch engine starts automatically when you open a session.

    Otherwise, SSOWatch may prompt you to authenticate through the following window:

    Once the engine is started, an icon is displayed in the Windows notification area:

    This indicates that the SSO engine is running.


    4.2 SSO Data Collection

    4.2.1 First Start of an SSO enabled application

    During its standard utilization, SSOWatch is almost invisible to the user. However, when it starts for the first time, or when some particular events occur such as password update requests, you will have to provide some information.

    At the first launch of an SSO enabled application, when the application requests the user's authentication, the SSOWatch collect window appears in foreground (the application is temporarily disabled) and requests the user name and password for the application:

    Simply provide your usual user name for this application, your password (and confirm it to avoid mistype errors), and validate by clicking the OK button.

    This data will be stored in a secured way by SSOWatch so it will be able to reuse it afterwards, without requesting any new data. It has enabled the Single Sign-On function.


    4.2.2 Password Update Request

    When an SSO enabled application asks for password update, this request is intercepted by SSOWatch, which displays the following window:

    Simply type in a new password (and confirm it to avoid mistype errors) and validate it by clicking the OK button.

    This data will be updated and securely stored in the security database, by SSOWatch, so that it will be able to reuse it afterwards, without requesting any new data.

    4.3 Displaying the SSOWatch Engine Popup Menu

    Subject

    The SSOWatch Engine popup menu allows you to control the SSOWatch Engine. This popup menu is associated with the SSOWatch Engine taskbar icon:


    From this popup menu, you can:

    Emergency Access: Initialize your primary password or PIN code reset (Emergency Access). This feature runs only with the LDAP configuration storage mode, as described in Section 4.7, Initializing the Emergency Access.

    Biometric Enrollment: Enroll your biometric data using the biometrics scan wizard (a biometric authentication device must be installed on your computer).

    For more information, see Enterprise SSO Advanced Login for Windows User Guide.

    Open the management module of SSOWatch: SSOEngine.

    Add application: Enable SSO applications with SSOWatch Wizard.

    Open SSOStudio to add an application with SSOStudio, as described in Section 3, Configuring SSOWatch to Enable Single Sign-On - A Step by Step Tutorial.

    Suspend and Activate the SSOWatch Engine.

    Reset the configuration.

    Exit SSOWatch: Stop the SSO Engine.

    Procedure

    To display this popup menu, right-click the SSOWatch Engine icon in the taskbar.

    Double-clicking the SSOWatch Engine icon performs the default action (in bold): Open.

    4.4 The SSOWatch Engine Management Module

    The administration module of SSOEngine provides the following functions:

    Managing the SSOWatch Engine.

    Management of user accounts.

    4.4.1 Opening the SSOWatch Engine Management Module

    Procedure

    1. To open the SSOWatch engine management module, right-click the SSOWatch icon in the taskbar, and click Open, or simply double-click the SSOWatch icon itself.

    The following window appears:

    2. Do one of the following:

    To manage your accounts, click the button: see Section 4.4.2, User Account Management.

    To manage the SSO Engine, click the button: see Section 4.5, Activating, Suspending, Resetting the SSOWatch Engine.

    4.4.2 User Account Management

    You can see (and update) your user accounts using the User accounts option in the SSOEngine module by clicking on the icon in the SSOWatch Engine management module.

    4.4.2.1 Change Password

    The button allows you to change your password for the selected account, but only in the security database: the password is not changed in the security base of the target application. This action can be used to manually deal with Bad Passwords.

    This option may be disabled in the configuration file or with a centralized parameter.

    4.4.2.2 New Account

    The button allows you to create a new account for the selected application.

    When you create an account, you enter security information associated with this account. This operation will be done automatically for the first account defined in the configuration (for an application).

    User Roles

    If you have defined several accounts, you will have to manually create the other accounts, through the user account management interface.

    This is designed for those users who have a number of accounts on the same application(s). An account name designates a role.

    If a role is shown in the text box of the SSOEngine screen, the corresponding SSO applications will be launched using the security data associated with this role.

    If no role has been selected for multiple account applications, you will be prompted to choose an account on connection.

    4.4.2.3 Delete Account

    The button allows you to delete security information (user name, password and optional parameters) associated with an account. If many accounts are associated with an application, the account line will be deleted. If you delete the only remaining account, will be displayed in place of the user name.

    4.4.2.4 Show Password

    The button allows the owner of an account to see the password associated with the account. Using this feature always requires the user to authenticate.

    4.4.2.5 Delegate Account

    The icon is only available if you use SSOWatch in standalone and LDAP storage mode. It allows the owner of an account to delegate access to other users.

    4.4.2.6 Hide Applications without Credentials

    This option is available by right-clicking an account. It allows you to display only the applications for which you have an account.

    4.4.2.7 Enable/Disable an Application or all Applications

    This command is available by right-clicking an account. It allows you to deactivate (and activate again) the SSO function for the specified application.

    4.5 Activating, Suspending, Resetting the SSOWatch Engine

    Subject

    The Suspend, Activate, Reset Configuration commands allow you to manage the SSOWatch Engine.

    You can use these commands either from the SSOWatch engine popup menu, or through the SSOWatch management module, using the Home button.

    The Suspend command allows you to suspend the use of SSO. When suspended, the SSOWatch engine does not carry out single sign-on.

    You can prevent the user from disabling the SSO engine through the configuration options.

    SSOWatch Engine automatically suspends itself when the smart card or USB key used for authentication is removed.

    The Reset Configuration command allows you to load the modifications performed in your SSOWatch configuration file and reset the applications and windows states (those windows and applications which have been disabled will be reactivated). You can use this menu when the engine is running or when it is suspended. Once the reset action is complete, the SSO Engine will be in a running state.

    The Activate command allows you to resume the SSOWatch Engine and enable again the use of SSO.

    Procedure

    To suspend the SSOWatch engine, right-click the SSOWatch engine icon and select Suspend.

    The SSOWatch engine icon changes to .

    To activate the SSOWatch engine, right-click the SSOWatch engine icon and select Activate.

    The SSOWatch engine icon changes to .

    To reset the SSOWatch engine configuration, right-click the SSOWatch engine icon and select Reset Configuration.

    If your SSOWatch engine was suspended, its icon changes to .

    4.6 Exiting SSOWatch

    To exit SSOWatch, right-click the SSOWatch engine icon and select Exit SSOWatch.

    The SSOWatch engine icon disappears and single sign-on is disabled.

    The Exit SSOWatch command can be disabled through the configuration file.

    4.7 Initializing the Emergency Access

    Subject

    The Emergency Access feature allows you to reset your password or your PIN code in case you have lost or forgotten it.

    Initializing the Emergency Access feature consists of choosing a set of questions and recording the associated answers (if you want to reset your password or PIN code, you will have to answer the questions you have chosen).

    This feature runs only with the LDAP configuration storage mode.

    To find out your configuration storage mode, right-click the SSOWatch Engine icon (located on the taskbar), select About SSOWatch, and in the displayed window, check the value of the Configuration storage mode field.

    When the Emergency Access feature is enabled, you can define your questions (optional) and answers the first time that your SSOWatch engine is activated. Then you may need to modify this data in the following cases:

    The questions have changed, so you have to update your answers.

    You must enter your answers periodically.

    You want to change your questions/answers.

    Procedure

    1. Right-click the SSOWatch icon located in the notification area, and select Emergency Access.

    The Authentication window appears.

    2. Enter your ID and Password and click OK.

    The Emergency Access wizard appears.

    3. Follow the displayed instructions.

    Restrictions may apply when you define your questions/answers, for example a minimum/maximum number of characters or words that you cannot use. If you do not know why your questions/answers are not accepted, contact your Enterprise SSO administrator.

    4.8 Using the Reset Password Feature

    4.8.1 Importing the Enterprise SSO Sample Certification Authority (First-Time Use)

    Subject

    To avoid Security Alert messages when connecting to the Reset Password portal, you must import the Sample Certification Authority (CA) in your Internet Explorer web browser, as explained in the following procedure.

    Procedure

    1. Start Internet Explorer and enter in the address bar the URL corresponding to the Reset Password web server followed by /ca.crt (example: http://MyResetPasswordServer/ca.crt).

    The following window appears:

    2. Click Open, and in the displayed window, click Install Certificate.

    3. Follow the instructions of the Import Certificate wizard.

    It is recommended to keep the default selected options. Just click the Next and Finish buttons to install the file.

    4. Click OK to close the Certificate window.

    The Sample CA is imported.
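
    The example URL above fetches ca.crt over plain HTTP, so a useful check before clicking Install Certificate is to compare the downloaded file's fingerprint with a value obtained from your Enterprise SSO administrator. The following Python code is an added example, not part of the Quest documentation; the function names and the sample bytes (a constructed stand-in, not the real Sample CA) are assumptions.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in bytes (a tiny ASN.1 SEQUENCE), NOT the real Sample CA.
DER_SAMPLE = bytes.fromhex("3003020101")
PEM_SAMPLE = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(DER_SAMPLE)
              + b"\n-----END CERTIFICATE-----\n")


def cert_der_bytes(raw: bytes) -> bytes:
    """Return the DER encoding whether the .crt file is PEM text or raw DER."""
    match = PEM_RE.search(raw)
    if match:
        return base64.b64decode(b"".join(match.group(1).split()), validate=True)
    if raw[:1] != b"\x30":  # every DER certificate starts with a SEQUENCE tag
        raise ValueError("file is neither a PEM nor a DER certificate")
    return raw


def fingerprint(raw: bytes, algo: str = "sha256") -> str:
    """Lower-case hex digest of the DER bytes ("sha1" gives the Windows thumbprint)."""
    return hashlib.new(algo, cert_der_bytes(raw)).hexdigest()


def matches_pinned(raw: bytes, pinned: str, algo: str = "sha256") -> bool:
    """Compare against a fingerprint received out of band, e.g. 'AB:CD:...'."""
    expected = re.sub(r"[\s:]", "", pinned).lower()
    if (len(expected) != hashlib.new(algo).digest_size * 2
            or not re.fullmatch(r"[0-9a-f]+", expected)):
        raise ValueError("pinned value is not a valid %s fingerprint" % algo)
    return hmac.compare_digest(fingerprint(raw, algo), expected)


if __name__ == "__main__":
    pinned = fingerprint(DER_SAMPLE)  # stands in for the administrator's value
    print("PEM download matches:", matches_pinned(PEM_SAMPLE, pinned))
    print("Altered file matches:", matches_pinned(DER_SAMPLE + b"\x00", pinned))
```

    A file that fails the comparison should not be installed; report it to your Enterprise SSO administrator instead.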

    4.8.2 Resetting Your Primary Password

    Subject

    This section describes how to securely reset your primary password from any workstation using Internet Explorer.

    If you can no longer log on to any workstation, reset your primary password as explained in the following procedure.

    Before Starting

    The Emergency Access feature must be initialized: you must have chosen a set of questions and answers (see Section 4.7, Initializing the Emergency Access).

    Procedure

    1. Start your Internet Explorer web browser and enter in the address bar the URL corresponding to the Reset Password web server (example: http://MyResetPasswordServer).

    If you do not know this URL, contact your Enterprise SSO administrator.

    2. In the displayed page, click the reset your primary password link.

    3. Type your identifier and click the Submit button.

    The Password reinitialization page appears.

    4. Answer each question, depending on the answers you gave while initializing the Password Reset functionality and type your new primary password twice.

    5. Click the Submit button.

    After a certain number of wrong answers, the process may be blocked and you will not be able to try again. In this case, contact your Enterprise SSO administrator.

    You can now use your new password to connect to your workstation.

    About Quest Software, Inc.

    Now more than ever, organizations need to work smart and improve efficiency. Quest Software creates and supports smart systems management products, helping our customers solve everyday IT challenges faster and easier. Visit www.quest.com for more information.

    Contacting Quest Software

    Phone 949.754.8000 (United States and Canada)

    Email [email protected]

    Mail Quest Software, Inc., World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656, USA

    Web site www.quest.com

    Please refer to our Web site for regional and international office information.

    Contacting Quest Support

    Quest Support is available to customers who have a trial version of a Quest product or who have purchased a Quest product and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to SupportLink, our self-service portal. Visit SupportLink at http://support.quest.com/

    From SupportLink, you can do the following:

    Retrieve thousands of solutions from our online Knowledgebase

    Download the latest releases and service packs

    Create, update and review Support cases

    View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at: http://support.quest.com.
