Enterprise Single Sign-On 8.0.6 SSOWatch Administrator Guide

2013 Quest Software, Inc. and/or its Licensors ALL RIGHTS RESERVED. This publication contains proprietary information protected by copyright. The software described in this publication is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical or otherwise without the prior written permission of the publisher.

DISCLAIMER The information in this publication is provided in connection with Quest branded products from Evidian. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this publication. EXCEPT AS OTHERWISE SPECIFIED IN THE END USER LICENSE AGREEMENT FOR THIS PRODUCT, EVIDIAN AND QUEST ASSUME NO LIABILITY WHATSOEVER AND DISCLAIM ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO THIS PRODUCT, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL EVIDIAN OR QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS PUBLICATION, EVEN IF EVIDIAN OR QUEST HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Evidian and Quest make no representations or warranties with respect to the accuracy or completeness of the contents of this publication and reserve the right to make changes to specifications and product descriptions at any time without notice. Evidian and Quest do not make any commitment to update the information contained in this publication. The information and specifications in this publication are subject to change without notice.
Trademarks Quest, Quest Software, the Quest Software logo, Aelita, AppAssure, Benchmark Factory, Big Brother, DataFactory, DeployDirector, ERDisk, Foglight, Funnel Web, I/Watch, Imceda, InLook, IntelliProfile, InTrust, IT Dad, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, NBSpool, NetBase, Npulse, PerformaSure, PL/Vision, Quest Central, RAPS, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL LiteSpeed, SQL Navigator, SQL Watch, SQLab, Stat, Stat!, StealthCollect, Tag and Follow, Toad, T.O.A.D., Toad World, Vintela, Virtual DBA, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. The terms Evidian, AccessMaster, SafeKit, OpenMaster, SSOWatch, WiseGuard, Enatel and CertiPass are trademarks registered by Evidian. All other trademarks mentioned in this document are the property of their respective owners.

World Headquarters, 5 Polaris Way, Aliso Viejo, CA. Website: Please refer to our website for regional and international office information. This documentation is also available online at This site provides robust search capabilities that allow you to search across all related documents.

Quest Enterprise SSO Version Last updated May 8, 2013

Contents

About This Guide
  Overview
  Conventions
1 Overview
  1.1 SSOWatch module of Quest ESSO: Basic Principles
    Application Modeling
    Application Access Profiles
    Password Format Control Policies (PFCP)
    Application Behavior
    Window Types
    LDAP Directories
  1.2 The Access Collector Mode
  1.3 SSOWatch Components
    Enterprise SSO Studio
    Quest Enterprise SSO Plug-ins
2 SSOWatch
  2.1 Overview
  2.2 The SSOWatch Interface
    QESSO SSOWatch icon
    SSOWatch Pop-up Menu
    The SSOWatch window
  2.3 Starting/Quitting SSOWatch
    Starting SSOWatch
    Quitting SSOWatch
  2.4 Suspending/Activating SSOWatch
  2.5 Resetting SSOWatch Configuration
  2.6 Managing User Accounts
    Providing SSO Data When Launching an SSO Enabled Application for the First Time
    Displaying your SSOWatch User Accounts
    Displaying the Properties of a User Account
    Changing the Login Name and/or Password of a User Account
    Changing an Expired Primary Password
    Creating a New Account for an Application
    Deleting a User Account
    Displaying User Account Password
    Delegating a User Account
  2.7 Disabling/Enabling SSO for Applications
  Requesting an Access to an Application Through the Request Manager Portal
  Testing the SSO Configuration of an Application
  Starting Personal SSO Studio
  Starting an Application
  Creating a Shortcut for an Application
  Removing the Icon from the Notification Area
3 Configuration Editor: Quest Enterprise SSO Studio
  3.1 Interface Overview
  Starting and Stopping Enterprise SSO Studio
    Starting Enterprise SSO Studio
    Stopping Enterprise SSO Studio
  Creating or Opening a Configuration
  Configuring General SSO Parameters
  Defining PFCP and Application Profiles
    Defining Password Format Control Policies (PFCP)
    Defining the Application Profiles
  Defining Application and Technical Definition Objects
    Creating/Modifying Application Objects and Technical Definitions
    Filling-in the Application Properties Window
    Defining Advanced Access Rights
  Defining Window Objects
    "General" Tab
    "Options" Tab
    "Detection" and "Actions" Tabs
  Testing the SSO
  Exporting or Importing Objects
    Exporting/Importing Objects using the Graphical Interface
    Importing Objects using Command Line Arguments (without Controller)
  Managing Objects in the Tree
    Copying/Cutting/Pasting Objects
    Renaming an Object
    Deleting an Object from the Tree
  Saving Object Configurations
    Saving Object Configurations in LDAP Storage Mode (with Controller)
    Saving Object Configurations in Local Storage Mode
  Managing Configuration Updates
  Refreshing the Tree
The Generic Plug-in
  Window Detection
    Simple Detection
    Advanced Detection
    Restrictions
    User Interface
    Target Validation
  Actions
    Generic Plug-in Actions
    StandardLogin Connection
    BadPassword
    NewPassword
    ConfirmPassword
    BadNewPassword
  Special Cases
    NotesLogin (Lotus Notes Plug-in)
    HTTP Authentication (Internet Explorer Plug-in)
5 The Microsoft Internet Explorer Plugin
  HTML/Internet Explorer Detection
    Variable URLs
    Advanced Detection
    User Interface
    Selecting a Field in an HTML Form
    Custom SSO Parameters
    Submitting an HTML Form
  HTML/Internet Explorer Actions
    HTMLLogin Connection
    HTMLBadPassword
    HTMLNewPassword
    HTMLBadNewPassword
    New Password Refused
The SAP R/3 Plug-in
  SAPLogin and SAPExpired Window Types
    SAPLogin (SAP R/3 Login)
    SAPExpired (SAP R/3 Password Expiry)
  Basic Principles of the SAP R/3 Plug-in
  Configuration Guide
    Configuring an SAP R/3 Application
    Configuring the SAPGUI Scripting Window
Terminal Type Applications
  Terminal
  Microsoft Telnet
  Banners
The HLLAPI Plug-in
  Configuring the HLLAPI Plug-in
    Configuring the HLLAPI Plug-in for a Single Application
    Configuring the HLLAPI Plug-in for Different Types of Applications
    HLLAPI Plug-in Registry Keys
  Enabling SSO for HLLAPI Applications
    The Detection Tab
    The Actions Tab
    HLLAPI Applications Keys
  Advanced Configuration
Custom Scripts Plug-ins
  Basic Concepts
  The Actions Tab
  Script Editor
  Extension DLL
    Function Prototyping
    SSOWatchSSOData Structure
    Return Code
OLE/Automation Interface
  Definition of SSOWatch OLE/Automation Interface
  The ISSOEngine Interface
    GetApplication
    GetSSOEngineState
  The ISSOApplication Interface
    Properties
    Methods
    Code Example
    Return Codes
Appendix A: Cache Tuning and Asynchronous Update of the Application Data
  A.1 Cache and Application Update Mechanism
    A.1.1 Cache Mechanism
    A.1.2 Asynchronous Update Mechanism
  A.2 Cache and Update Timing Parameters
Appendix B: Integrating Care-FX with SSOWatch
  B.1 Authentication Description
    B.1.1 Logging On
    B.1.2 Logging Out
  B.2 Configuring the Implementation
    B.2.1 Activating the FCC Notification
    Integrating the COM Interface
About Quest Software, Inc
  Contacting Quest Software
  Contacting Quest Support

About This Guide

Overview
This document explains how to use the Quest Enterprise SSO Configuration Editor to describe the applications for which the SSOWatch module of Quest ESSO (QESSO SSOWatch) will implement Single Sign-On. It is intended for system integrators, administrators, consultants, analysts, and any other IT professionals using the product.

Conventions
In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references.

ELEMENT: CONVENTION
- Select: This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.
- Bolded text: Interface elements that appear in Quest products, such as menus and commands.
- Italic text: Used for comments.
- Bold Italic text: Introduces a series of procedures.
- Blue text: Indicates a cross-reference. When viewed in Adobe Acrobat, this format can be used as a hyperlink.
- (icon): Used to highlight additional information pertinent to the process being described.
- (icon): Used to provide Best Practice information. A best practice details the recommended course of action for the best result.
- (icon): Used to highlight processes that should be performed with care.
- +: A plus sign between two keystrokes means that you must press them at the same time.
- |: A pipe sign between elements means that you must select the elements in that particular sequence.

1 Overview

1.1 SSOWatch module of Quest ESSO: Basic Principles
This section presents Quest ESSO SSOWatch basic concepts.

1.1.1 Application Modeling
Enterprise SSO Studio, the Enterprise SSO configuration editor, is used to describe the applications for which SSOWatch will enable Single Sign-On. An application is defined by:
- A set of associated user accounts (referred to as the link to the security system).
- A set of Windows or HTML pages.

The application windows or HTML pages that refer to the authentication management tool must be described in SSOWatch using the configuration editor. This description allows SSOWatch to recognize the windows or HTML pages whenever they are displayed to the user. SSOWatch intercepts these pages and implements SSO. In addition to the elements that allow window/page detection, the description contains the actions that the SSO engine has to perform. Each window is defined by a type that characterizes the target application technology and the actions that SSOWatch will perform. The events that refer to the user's authentication in an application can be of different kinds: authentication, password update request, etc. SSOWatch manages the different events relating to the specific characteristics and behavior of each application (application behavior).

1.1.2 Application Access Profiles
Application profiles define the parameters of one or more applications that can then be defined differently, depending on the users that access them. Application profiles are used to assign applications to users. An application access profile is defined by the following parameters:
- The password format managed by the application.
- The SSOWatch options.
- The SSO policy. Such options are: requirement for re-authentication, the user's ability to modify SSO data, hide/show password, etc.
- Delegation parameters.

1.1.3 Password Format Control Policies (PFCP)
A PFCP defines:
- The format of the passwords managed by an application: characters that are allowed or forbidden, length, authorized/unauthorized repetitions of a same character.
- Whether a password is to be randomly generated (following the format required), or requested from the user.

1.1.4 Application Behavior
A user authenticates to a secure application as follows:
- The user tries to log on to the application.
- If the security data provided are correct, the user is authenticated by the application and can work normally.
- If the data are incorrect, the application will display a message or re-display the authentication window, informing the user that he or she made a mistake during the authentication process. The user is prompted to try again.

Once connected, the user can change the password, either at will or at the application's request:
- The user enters a new password and (sometimes) confirms it.
- If the new password is accepted by the application, the user will continue working normally.
- If not, the application will inform the user that the new password has been rejected.

SSOWatch manages the application behavior with regard to the user authentication we have just described. This behavior is configured by choosing a type for the defined windows.
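As an added example (not Quest or Evidian code), the following models a PFCP with the parameters the guide lists: allowed and forbidden characters, a length range, a limit on repetitions of the same character, and whether the password is generated or requested from the user. The PFCP class, its field names, the reading of "repetitions" as consecutive repeats, and the sample policies are assumptions constructed for illustration.

```python
import secrets
import string
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PFCP:
    """One Password Format Control Policy (field names are an assumption)."""
    min_length: int
    max_length: int
    allowed: str            # characters the application accepts
    forbidden: str = ""     # characters rejected even if they appear in `allowed`
    max_repeat: int = 2     # longest run of one repeated character that is tolerated
                            # (assumption: "repetitions" read as consecutive repeats)
    generate: bool = False  # True: SSOWatch generates the password;
                            # False: the password is requested from the user

    def check(self, password: str) -> List[str]:
        """Return every policy violation found; an empty list means compliant."""
        errors = []
        if not self.min_length <= len(password) <= self.max_length:
            errors.append(
                f"length {len(password)} not in [{self.min_length}, {self.max_length}]")
        bad = sorted({c for c in password if c not in self.allowed or c in self.forbidden})
        if bad:
            errors.append("forbidden characters: " + "".join(bad))
        run = 1
        for prev, cur in zip(password, password[1:]):
            run = run + 1 if cur == prev else 1
            if run > self.max_repeat:
                errors.append(
                    f"character {cur!r} repeated more than {self.max_repeat} times in a row")
                break
        return errors

    def generate_password(self, length: Optional[int] = None) -> str:
        """Build a random password that satisfies this policy, using a CSPRNG."""
        if not self.generate:
            raise ValueError("this policy requires the password to be requested from the user")
        length = self.max_length if length is None else length
        if not self.min_length <= length <= self.max_length:
            raise ValueError("requested length is outside the policy bounds")
        # De-duplicate so every character is drawn with equal probability.
        alphabet = [c for c in dict.fromkeys(self.allowed) if c not in self.forbidden]
        if len(alphabet) < 2:
            raise ValueError("alphabet too small to respect the repetition limit")
        out: List[str] = []
        for _ in range(length):
            choices = alphabet
            # If the last max_repeat characters are identical, exclude that
            # character so the run cannot grow past the limit.
            if len(out) >= self.max_repeat and len(set(out[-self.max_repeat:])) == 1:
                choices = [c for c in alphabet if c != out[-1]]
            out.append(secrets.choice(choices))
        return "".join(out)


ALPHANUM = string.ascii_letters + string.digits

# Constructed sample policy: the application takes 8 to 12 characters from
# letters, digits and a few symbols, rejects the easily confused O, 0 and l,
# tolerates at most two identical characters in a row, and lets SSOWatch
# generate the password.
EXAMPLE_POLICY = PFCP(min_length=8, max_length=12, allowed=ALPHANUM + "!#%",
                      forbidden="O0l", max_repeat=2, generate=True)

# Same format, but the password must be typed by the user (no generation).
USER_POLICY = PFCP(min_length=8, max_length=12, allowed=ALPHANUM, generate=False)


if __name__ == "__main__":
    print(EXAMPLE_POLICY.check("Ab0"))                  # length and forbidden-character violations
    print(EXAMPLE_POLICY.check("Aaaa1234"))             # repetition violation
    candidate = EXAMPLE_POLICY.generate_password()
    print(candidate, EXAMPLE_POLICY.check(candidate))   # compliant
```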

1.1.5 Window Types
A window type indicates the SSO engine behavior and the technology of the managed application. An application's behavior includes:
- Detecting the connection step (Login).
- Detecting a wrong password/username (BadPassword).
- Detecting a new password request (NewPassword).
- Detecting an incorrect new password (BadNewPassword).
- Confirming this new password (ConfirmPassword).

The technologies managed by SSOWatch are:
- Microsoft Win32 standard windows.
- HTML pages in Internet Explorer.
- Windows of type "Terminal in text mode".
- Some particular cases or optimizations of standard types.

1.1.6 LDAP Directories
Several types of LDAP directories are supported for user security data storage. You can refer to the following guides:
- For more information on the supported LDAP directory versions, see Release Notes.
- For a description of the procedures for modifying an LDAP directory, see Quest ESSO Installation Guide.

1.2 The Access Collector Mode
The Access Collector mode is an option of SSOWatch which automatically collects all user accounts and stores them in the users' directory. This mode only works if the workstations are configured as "without Controller". The goal of this feature is to report to the administrators all the accounts used for the applications of the enterprise, so that they can create an appropriate access policy. Only one account can be collected for one application (multi-account is not supported).

Mechanism
When an end-user launches an application that is detected by SSOWatch, SSOWatch starts the account collect. If the account was already collected, nothing happens and the SSO is not performed.

If a BadPassword window is detected in the collect context, the collected account is deleted or a new account is collected. The account will not be deleted if the BadPassword occurs at any other moment. Once the account is collected, the SSO is deactivated for the application.

SSOWatch Behavior
- The SSO is only performed if there is no collected account for the detected application login screen.
- The passwords entered by users are never sent to the directory: they are only temporarily kept in memory for SSO purposes.
- Users are not allowed to stop or suspend SSOWatch; they have no access to the Personal SSO Studio and cannot manage their accounts through the user Account panel.

Configuration Update
Only the Application, Technical definition and Parameter objects are retrieved from the directory, in an asynchronous way to avoid the update during the user authentication. All users can access all the applications downloaded by the workstation.

1.3 SSOWatch Components
SSOWatch provides the link between the security system and the applications by recovering security information (login/password) and sending it to the applications. It also manages the collection of this security data and the password format control policies. The collection (or self-learning) mode consists in asking the user to enter any security information that may not yet exist in the Quest ESSO security base, and to save it. SSOWatch is made up of the components described in this section.

1.3.1 Enterprise SSO Studio
Enterprise SSO Studio is the Quest Enterprise SSO configuration editor. It allows the creation of Quest Enterprise SSO configuration files, and the management of the Quest Enterprise SSO LDAP objects. This program is designed to be used by people who define and set up SSO.

Quest Enterprise SSO Studio can be used in Enterprise or Personal mode, so as to modify the corresponding configuration files:
- The Enterprise configuration file is common to a group of users, and is usually saved in an LDAP directory in object format. When a simple file is used, the configuration may be stored in a central location for ease of deployment and use.
- The Personal configuration file is specific to one person, and is saved with that person's personal profile (Windows profile or the person's LDAP attributes).

SSO configuration is easily performed through "drag and drop"-oriented configuration procedures.

1.3.2 Quest Enterprise SSO Plug-ins
Quest Enterprise SSO plug-ins are extensions of SSOWatch and of the Enterprise SSO configuration editor. They add SSO management methods for specific kinds of applications. Besides the management of standard Windows applications, the following plug-ins are available as standard in SSOWatch:
- Internet Explorer, enabling SSO in HTTP/HTML applications running under Internet Explorer 4 or later.
- Lotus Notes.
- Microsoft Telnet.
- SAP R/3.
- HLLAPI.
- Custom Scripts, to enable SSO in Windows/HTML applications not managed by the standard window types.

For more information on the supported versions, see Release Notes.

2 SSOWatch
This section describes the SSOWatch interface and how to use it.

2.1 Overview

SSOWatch Definition
SSOWatch is in charge of the following SSO functionalities:
- It retrieves SSO data from the IAM middleware running on the workstation and provides this information to the application login windows.
- It offers self-administration functions that allow you, for example, to register yourself to applications or to change your passwords.
- In Access Collector mode, it starts the account collect when the user launches an application and deactivates the SSO once the account is collected.

The SSOWatch Configuration
The SSOWatch configuration stores the SSO data. It can be defined by two kinds of users:
- The Quest ESSO security administrators, through Enterprise SSO Studio. This tool allows administrators to create and modify the SSOWatch configuration common to many end-users.
- End-users, through Personal SSO Studio if the component is installed on the workstation. This tool allows you to define your personal SSO data used to log on to your personal applications.

2.2 The SSOWatch Interface
This section gives an overview of the SSOWatch interface.

2.2.1 QESSO SSOWatch icon
The QESSO SSOWatch icon is displayed in the Windows notification area, as shown in the following illustration. Depending on the SSOWatch state, this icon can have several appearances:

ICON: DESCRIPTION
- (icon) SSOWatch is activated: the SSO feature is enabled (whenever it detects a configured application login window, SSOWatch automatically provides the required SSO data).
- (icon) SSOWatch is suspended: the SSO feature is disabled.
- (icon) SSOWatch is locked: when SSOWatch detects a configured application login window, or when you want to display the user accounts associated with applications (see Displaying your SSOWatch User Accounts), SSOWatch may ask you to reauthenticate. Upon a successful authentication, the SSOWatch state switches to activated.

2.2.2 SSOWatch Pop-up Menu
The SSOWatch Pop-up Menu appears when you right-click the QESSO SSOWatch icon. It provides the means to control SSOWatch. Depending on your SSOWatch configuration, some menu commands may not appear, as detailed in the following table. The following table describes the SSOWatch Pop-up Menu:

MENU COMMAND: DESCRIPTION
- About QESSO SSOWatch: Displays the QESSO SSOWatch version and the storage mode of the SSOWatch configuration file:
  - LDAP: centralized configuration is defined in the LDAP directory, for which SSO access is either authorized or denied for a given user or group of users.
  - File: the configuration is saved in a file in the Windows registry.
  - Self Registration: indicates that SSOWatch is used in Access Collector mode: centralized configuration is defined in the LDAP directory, to collect all the accounts used for the applications of the enterprise (for more information, see Section 1.2, "The Access Collector Mode").
- Account delegation: Enables you to delegate one or several of your accounts to specific users of your choice during a specific length of time.
- Open QESSO Studio: Opens the SSO Account panel, which allows you to manage your user accounts. This menu command is bold, which means that this is the default command: double-click the QESSO SSOWatch icon to run it.
- Add application: Starts Enterprise SSO Wizard, which is the easiest way to set up your personal SSOWatch configuration. This menu command does not appear if Personal SSO Studio is not installed on the workstation, or if SSOWatch is used in Access Collector mode.
- Open QESSO Studio: Starts Personal SSO Studio, the editor tool of your personal SSOWatch configuration. For details on how to use Enterprise SSO Studio, see Section 3, "Configuration Editor: Enterprise SSO Studio". This menu command does not appear if Personal SSO Studio is not installed on the workstation, or if SSOWatch is used in Access Collector mode.
- Suspend, Activate: Manages the states of SSOWatch. Depending on your configuration, this menu command may not appear (unavailable in Access Collector mode).

- Reset Configuration: Stops and restarts SSOWatch to take into account modifications of the SSOWatch configuration. In Access Collector mode, this command only synchronizes SSO Account data.
- Exit QESSO SSOWatch: Quits SSOWatch. Depending on your configuration, this menu command may not appear (unavailable in Access Collector mode).

2.2.3 The SSOWatch window
The SSOWatch window appears when you click Open in the pop-up menu, or just by double-clicking the QESSO SSOWatch icon. It is composed of the following panels:
- The Account panel.
- The Home panel.

The "Account" Panel
When you open the SSOWatch window, the Account panel appears. It lists your user accounts managed by SSOWatch. From this panel, you can modify several user account parameters, as described in Section 2.6, "Managing User Accounts".

The "Home" Panel
From the Home panel, you can perform the following tasks:

- Manage the states of SSOWatch (Area 1), as described in the following sections:
  - 2.4, "Suspending/Activating Enterprise SSO".
  - 2.5, "Resetting SSOWatch Configuration".
  - 2.3, "Starting/Quitting SSOWatch".
- If you are using several user accounts for a same application, select the current Role (Area 2; for details, see Section 2.6.6, "Creating a New Account for an Application").

2.3 Starting/Quitting SSOWatch
This section explains how to start and quit SSOWatch.

2.3.1 Starting SSOWatch

Subject
Usually, SSOWatch starts automatically when you log on. You may need to start SSOWatch manually in the following cases:
- If SSOWatch has not been configured to start automatically.
- If you manually quit SSOWatch and want to restart it.

Procedure
1. To manually start SSOWatch, do one of the following:
   a) Double-click the QESSO SSOWatch icon on the desktop.
   b) In the Start menu, click Programs | Quest Software | Enterprise SSO | Enterprise SSO.

   c) Use the command line: the following list gives the command line arguments that you may use to start the SSOWatch engine (ssoengine.exe):
      - /notrayicon: starts SSOWatch but does not display the icon located in the Windows system tray.
      - /nosplashscreen: starts SSOWatch but does not display the splash screen.
      The configuration file to be used can be added as a parameter to the SSOEngine.exe program (no option). Example:
      SSOEngine.exe "C:\Configs SSOWatch\SSOConfig2.sso"
   An authentication window appears.
2. Fill in the ID and Password fields to authenticate yourself. The SSOWatch window appears. A welcome message appears in a balloon help on the bottom right-hand side of your screen. This is configurable in the Quest ESSO Console by creating one message per user. If you are using a roaming session, a balloon help appears telling you when your session expires. You can display it at all times by passing the cursor over the QESSO SSOWatch icon.

2.3.2 Quitting SSOWatch

Procedure
To exit SSOWatch, right-click the QESSO SSOWatch icon and select Exit QESSO SSOWatch. The QESSO SSOWatch icon disappears. The SSO feature is disabled. Depending on your configuration, this menu command may not be available (unavailable in Access Collector mode).

2.4 Suspending/Activating SSOWatch

Subject
By default, SSOWatch is automatically activated when you log on. You may need to suspend it manually, as described in the following procedure. In Access Collector mode, this functionality is deactivated.

Procedure
To suspend SSOWatch, right-click the QESSO SSOWatch icon and select Suspend. The QESSO SSOWatch icon state changes, as described in QESSO SSOWatch icon. While suspended, no automatic sign-on is made.

Depending on your configuration, this menu command may not be available. SSOWatch automatically suspends itself when the smartcard or USB key used for authentication is removed.

To resume SSOWatch, right-click the QESSO SSOWatch icon and select Activate. The QESSO SSOWatch icon state changes, as described in QESSO SSOWatch icon. The SSO feature is enabled.

2.5 Resetting SSOWatch Configuration

Subject
By default, if the SSOWatch configuration changes, a notification message automatically appears asking you if you want to take the modifications into account, as shown in the following illustration. You can manually apply the modifications of the SSOWatch configuration file using the Reset Configuration command, as described in the following procedure. In Access Collector mode, this command only synchronizes SSO Account data.

In Access Collector mode, SSOWatch automatically reloads the SSO configuration every 6 hours: this allows taking into account changes in the SSO data updated by the asynchronous update. You can change this value (in hours) in the following registry key/GPO:
HKLM\Software\Enatel\SSOWatch\CommonConfig\AutomaticRefresh

Procedure
In the Windows notification area, right-click the QESSO SSOWatch icon and select Reset Configuration.

2.6 Managing User Accounts
This section describes how to manage your SSOWatch user accounts from the SSOWatch Account panel.

2.6.1 Providing SSO Data When Launching an SSO Enabled Application for the First Time
At the first launch of an SSO enabled application, when the application requests the user's authentication, the SSOWatch collect window appears in the foreground (the application is temporarily unavailable) and requests the user name and password for the application. Simply provide your usual user name for this application and your password (and confirm it to avoid mistype errors), then validate by clicking the OK button. This data will be stored in a secured way by SSOWatch so that it can be reused afterwards, without requesting any new data. This enables the Single Sign-On function for this application.

Depending on your configuration, the following controls can be available:
- The Cancel button: if available, click this button to cancel the authentication data collection. You can then log on manually or quit the application. Note that depending on your configuration, the dialog box may not appear if you start another application instance (without quitting the first one). In this case, quit all the application instances and restart the application.
- The Disable SSO for this application check box. If you select this option and click OK, the authentication data collection is cancelled until further notice for the application. To enable the collection again, see Section 2.7, "Disabling/Enabling SSO for Applications". For more information on how to enable/disable these controls, see Section "Access Strategy Tab of an Application Profile", or the Quest ESSO Console Administrator Guide.
- The link I don't have any account for this application may appear. Click this link to request access to the application through the Request Manager portal. For more information on how to enable/disable this link, see Quest ESSO Console Administrator Guide.

2.6.2 Displaying your SSOWatch User Accounts

Subject
This section describes how to display the user accounts that are defined in your SSOWatch configuration.

Procedure
To display the list of your SSOWatch user accounts, double-click the QESSO SSOWatch icon located in the Windows notification area. The SSOWatch window appears.

Window Description
The Account panel displays one line per user account. For each account, the following information is available:

COLUMN NAME: DESCRIPTION
- Application: Name of the application, as defined in Enterprise SSO Studio. For accounts that are not associated with an application, <None> is displayed.
- Login Name: Login name of the user account. If you have not yet used this application, <not registered> is displayed (the login name and password of the account have never been collected). You can hide applications for which the user is not registered. To do so, right-click any application and select Hide applications without credential.
- Account: By default, Standard Account is displayed. If you are using several user accounts for a same application, this column displays the name of the account. For more information, see Creating a New Account for an Application.

2.6.3 Displaying the Properties of a User Account

Before Starting
In Access Collector mode, this functionality is deactivated.

Procedure
In the Account panel, select the wanted user account and click the button, or right-click the wanted user account and click Properties. The following window appears:

Window Description
- The Information Tab: Depending on your user account properties, you may be allowed to modify your user account security data. For more details, see Changing the Login Name and/or Password of a User Account.
- The Properties Tab: Read-only tab, which displays the account properties and application properties available for the selected user account.
- The Delegation Tab: Depending on your Quest ESSO configuration, the Delegation tab may not appear. It allows you to delegate your user account to other users.

2.6.4 Changing the Login Name and/or Password of a User Account

Restriction
Depending on your SSOWatch configuration, this command may be disabled for some or all the listed user accounts (unavailable in Access Collector mode). For information on how to enable/disable this command, see Section "Access Strategy Tab of an Application Profile".

Procedure
1. From the Account panel, select a user account and click the button, or right-click the wanted user account and click Change Password.

   The following window appears:
2. Modify the wanted fields and click OK. The modification is taken into account immediately.

You can also modify the login name and/or password of a user account from the Account details window, which is described in Displaying the Properties of a User Account.

2.6.5 Changing an Expired Primary Password

Subject
If you are using an authentication method that does not require the provision of the Primary Password, such as smart cards or biometric devices, you can choose your new Primary Password.

Procedure
1. When your Primary Password is expired, the Security Data Collection window appears.

2. To change your Primary Password, do one of the following:
   - To use your own password, type your chosen password in the Password and Confirmation fields.
   - To generate a random password, select the Generate my password check box.
3. Click the OK button. Your Primary Password has been changed.

If you are offline when your Primary Password is about to expire, you will be asked to change it the next time you log on.

2.6.6 Creating a New Account for an Application

Restriction
Depending on your SSOWatch configuration, this command may be disabled for some or all the listed applications (unavailable in Access Collector mode). For information on how to enable/disable this command, see Section ""Application Profile" Tab".

Procedure
1. From the Account panel, select an application and click the button, or right-click the wanted user account and click New account. The following window appears:

2. Fill in this window with the following recommendation: in the Account field, either type the name of a new account or, if you want to use an additional account that you have already created, select it in the drop-down list.
3. Click OK.
The new account appears in the Account panel.

Going Further
If you have several accounts for an application, the following window appears by default when SSOWatch detects the authentication window of the application:
This window allows you to select an account to log on to the application.

If you select Set current role, SSOWatch will always use the selected account, and this window will no longer appear. To display this window again, in the Home panel, select No selected role in the Current role drop-down list.
You can also log on to the application with one of the accounts by double-clicking the desired account in the SSOWatch window.

Deleting a User Account

Subject
This section describes how to delete one or more accounts associated with an application. In Access Collector mode, this functionality is deactivated.

Procedure
1. From the Account panel, select an application and click the button, or right-click the wanted user account and click Delete.
A warning message appears.
2. Read this message carefully. If you agree, click YES.
The account is deleted. If several accounts are associated with the application, only the selected account line is deleted. If you delete the last account, <not registered> is displayed in place of the login name.

Displaying a User Account Password

Restriction
Depending on your SSOWatch configuration, this command may be disabled for some or all of the listed user accounts (unavailable in Access Collector mode). For information on how to enable/disable this command, see Section , "Access Strategy Tab of an Application Profile".

Procedure
1. From the Account panel, select a user account and click the button, or right-click the wanted user account and click Show password.
The re-authentication window appears.
2. Log on using your Windows user account.
The following window appears:

3. Click Close.

Delegating a User Account

Subject
You can delegate one or several user accounts by using the Wizard, the Self Service Admin Portal (see Self Service Admin Portal User Guide), or by doing it manually.

Restriction
Depending on your SSOWatch configuration, this command may be disabled for some or all of the listed user accounts (unavailable in Access Collector mode). For information on how to enable/disable this command, see Section , "Delegation Tab of an Application Profile".

Delegating a User Account With the Wizard
Use the Account Delegation Wizard to delegate one or several user accounts quickly and simply. To do so, follow this procedure:

Procedure
1. Right-click the QESSO SSOWatch icon. The SSOWatch Pop-up Menu appears.
2. Select Account delegation.
3. Reauthenticate yourself if needed. The Account Delegation wizard appears.

4. Click the Next button. The Account delegation window appears.
5. Select the account(s) you want to delegate by ticking the corresponding check box(es), or click the Select all button to select all the accounts.
6. Select a start and an expiration date and click the Next button. The Account Delegation window appears.

7. Select the user(s) to whom you want to delegate the account and click the Next button.
Your selected account(s) has/have been delegated to the selected user(s).

Delegating a User Account Manually

Procedure
1. From the Account panel, select one or several user accounts and click the button, or right-click the wanted user account and click Delegate.
2. Reauthenticate yourself if needed. The Account Delegation window appears.

3. In the User name field, type the name or a part of the user name and click Search. The list of users found in the directory appears.
4. Select the user to whom you want to delegate the account.
5. Select a start and an expiration date and click Delegate.
The account is delegated to the selected user from the start date until the expiration date.

Removing a User Account Delegation

Procedure
1. Right-click the QESSO SSOWatch icon. The SSOWatch Pop-up Menu appears.
2. Select Account delegation. The Account Delegation wizard appears.
3. Select Manage existing account delegations and click the Next button. The Account delegation list window appears.
4. Select an account delegation and click the Remove button. The account is no longer delegated.

2.7 Disabling/Enabling SSO for Applications

Subject
By default, SSO is enabled for all the applications listed in the SSOWatch Account panel. You can disable SSO for an application permanently, or only for the current SSO session, as explained in the following procedure.

In Access Collector mode, SSO is automatically disabled for the applications for which the account has been collected.
Depending on your configuration, the commands of the following procedure may be disabled. For more information, see Section , "Access Strategy Tab of an Application Profile", or the Quest ESSO Console Administrator Guide.

Procedures

Disabling SSO for an Application
To disable SSO for an application during the SSO session:
In the Account panel, right-click the wanted application and select Disable the application. SSO is disabled for the application for the duration of the SSO session. When the SSOWatch engine restarts, SSO is enabled again.

To permanently disable SSO for an application:
a) Set the following registry value to DWORD 1:
Software\Enatel\SSOWatch\CommonConfig\StoreIfApplicationIsDisabled
b) In the Account panel, right-click the wanted application and select Disable the application.
SSO is permanently disabled for the application: the application stays disabled even if the SSOWatch Engine is restarted.

Enabling SSO for an Application
In the Account panel, right-click the wanted application and select Enable the application. If you have several disabled applications and want to enable all of them at the same time, select Enable all applications.

2.8 Requesting an Access to an Application Through the Request Manager Portal

Subject
When SSOWatch is integrated with Identity & Access Manager, you can request access to an SSO-enabled application in the following cases:
Upon the first start of this application (that is, when SSOWatch has not registered any credentials for this application), as detailed in Providing SSO Data When Launching an SSO Enabled Application for the First Time.
At any time from the SSOWatch Account panel, as detailed in the following procedure.

Restrictions
You have access to the Request Manager portal.

The administrator has enabled the Request Access command for the selected application.

Procedure
1. In the Account panel, right-click the wanted application and select Request Access. The Request Manager portal appears.
2. Log on to the portal and send a request to access the application.

2.9 Testing the SSO Configuration of an Application

Subject
The SSOWatch engine includes a test tool, which allows you to check whether an application is correctly configured. It tests the following:
Main window or Web page detection.
URL detection, if applicable.
Advanced detection parameters (variable URLs, Look for text option, list of constraints).

Before Starting
You have configured the Application Profile associated with the application to test: the test tool is launched by clicking Test application on the shortcut menu that appears when you right-click an application displayed in the Account panel. This command is available only if the Application Profile associated with the selected application is correctly configured, as detailed in:
Section , "Properties Tab of an Application Profile", for your Personal SSO Studio configuration.
Quest ESSO Console Administrator Guide, for corporate applications.
You have checked that the application to test is not started.

Procedure
1. From the Account panel, right-click the application to test and select Test application.
2. Complete the window.

Additional Information
The Window configuration information area displays by default information on the window selected in the drop-down list (window title and URL configuration, if any). You can change this information by selecting another window using the target button. This feature is useful, for example, to check whether an SSO configuration works with a new version of an application.
When the main window detection succeeds, the SSOWatch engine runs the following tests:
It checks the variable URLs and Look for text parameters, if any. The test stops at the first invalid parameter detected. You can bypass the test of these parameters by selecting the Bypass the advanced detection control check box.
Then, it checks the list of constraints, if any. The test does not stop, even if an error occurs.
Finally, the engine tests the detection of the configured fields. The test stops at the first invalid field detected.
If the field detection succeeds, you can select the Perform SSO check box. This immediately starts the real SSO process.
The Export button allows you to save the information displayed in the Live report area to a plain text file.

Starting Personal SSO Studio

Subject
Personal SSO Studio is your personal configuration editor, which allows you to describe personal applications for which you want to enable Single Sign-On. In Access Collector mode, access to Personal SSO Studio is forbidden.

Procedure
To start Personal SSO Studio from the Account panel, right-click any application and select Open SSO Studio.
You can also open Personal SSO Studio from the Start menu.
This menu command is disabled if Personal SSO Studio is not installed on the workstation, or if SSOWatch is used in Access Collector mode.

Starting an Application

Subject
To start an application from the Account panel, follow the procedure below. In Access Collector mode, this functionality is deactivated.

Procedure
In the Account panel, right-click the wanted application and select Start Application. The application starts and SSOWatch performs SSO.
You can also log on to the application with one of the accounts by double-clicking the desired account in the SSOWatch window.
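The test sequence of Section 2.9 above, as an added Python example that is not the product's own code: run_test applies the documented order and stop rules (main window and URL detection; variable URLs and Look for text, stopping at the first invalid parameter unless bypassed; constraints, all evaluated whatever their result; configured fields, stopping at the first one not found; Perform SSO only once every field was detected) to a constructed window description. WindowConfig, ObservedWindow, the sample payroll page and the report format are this example's assumptions; the real SSOWatch detection engine is not modelled.

```python
"""Model of the SSOWatch "Test application" sequence of Section 2.9.

Added example, not the product's own code.  WindowConfig/ObservedWindow,
the sample payroll page and the report format are this example's own;
the real SSOWatch detection engine is not modelled.
"""
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class WindowConfig:
    title_pattern: str                                   # regex matched against the window title
    url: Optional[str] = None                            # exact URL, for a web page
    variable_urls: list = field(default_factory=list)    # fnmatch patterns, '*' = variable part
    look_for_text: Optional[str] = None                  # text that must appear in the window
    constraints: list = field(default_factory=list)      # (name, predicate(ObservedWindow)) pairs
    fields: list = field(default_factory=list)           # control ids SSOWatch must find


@dataclass
class ObservedWindow:
    title: str
    url: Optional[str] = None
    text: str = ""
    controls: frozenset = frozenset()


def run_test(cfg, win, bypass_advanced=False, perform_sso=False):
    """Return (live_report, fields_detected); report entries are (step, status, detail)."""
    report = []

    def stop(step, detail):
        report.append((step, "FAIL", detail))
        return report, False

    # Main window (or web page) detection, then URL detection if applicable.
    if not re.search(cfg.title_pattern, win.title):
        return stop("main window", f"title {win.title!r} does not match {cfg.title_pattern!r}")
    report.append(("main window", "OK", win.title))
    if cfg.url is not None:
        if win.url != cfg.url:
            return stop("URL", f"{win.url!r} != {cfg.url!r}")
        report.append(("URL", "OK", win.url))

    # Advanced detection: stops at the first invalid parameter unless bypassed.
    if bypass_advanced:
        report.append(("advanced detection", "BYPASSED", ""))
    else:
        if cfg.variable_urls:
            if not any(fnmatchcase(win.url or "", p) for p in cfg.variable_urls):
                return stop("variable URLs", f"{win.url!r} matches none of {cfg.variable_urls}")
            report.append(("variable URLs", "OK", win.url))
        if cfg.look_for_text is not None:
            if cfg.look_for_text not in win.text:
                return stop("look for text", f"{cfg.look_for_text!r} not found")
            report.append(("look for text", "OK", cfg.look_for_text))

    # Constraints: all are evaluated; a failing constraint does not stop the test.
    for name, predicate in cfg.constraints:
        report.append((f"constraint {name}", "OK" if predicate(win) else "FAIL", ""))

    # Field detection: stops at the first configured field that is not found.
    for fid in cfg.fields:
        if fid not in win.controls:
            return stop(f"field {fid}", "control not found")
        report.append((f"field {fid}", "OK", ""))

    # Perform SSO is only offered once every field was detected.
    if perform_sso:
        report.append(("SSO", "STARTED", "real SSO process launched"))
    return report, True


def export_report(report):
    """Plain-text rendering of the Live report, as the Export button would save it."""
    return "\n".join(f"{status:<8} {step}: {detail}".rstrip() for step, status, detail in report)


# Constructed sample: a login page whose session id makes the URL variable.
SAMPLE_CFG = WindowConfig(
    title_pattern=r"^Payroll - Login$",
    variable_urls=["https://payroll.example.internal/session/*/login"],
    look_for_text="Employee login",
    constraints=[("https", lambda w: (w.url or "").startswith("https://")),
                 ("no captcha", lambda w: "captcha" not in w.controls)],
    fields=["username", "password", "submit"],
)
SAMPLE_WIN = ObservedWindow(
    title="Payroll - Login",
    url="https://payroll.example.internal/session/8f3a1c/login",
    text="Employee login - enter your credentials",
    controls=frozenset({"username", "password", "submit"}),
)

if __name__ == "__main__":
    live_report, detected = run_test(SAMPLE_CFG, SAMPLE_WIN, perform_sso=True)
    print(export_report(live_report))
    print("fields detected:", detected)
```

The point of the two stop rules is visible in the report: a missing Look for text string ends the run before any constraint is evaluated, whereas a failing constraint is recorded and the field detection still runs, so a report that shows constraint failures but no field lines means a field, not a constraint, is what blocks SSO.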

2.12 Creating a Shortcut for an Application

Subject
You can create shortcuts for applications from the Account panel, as described in the following procedure. In Access Collector mode, this functionality is deactivated.

Procedure
In the Account panel, right-click the wanted application and select Create Shortcut. A shortcut for the selected application is created on your Windows desktop.

Removing the Icon from the Notification Area

Subject
Once SSOWatch is started, an icon appears in the Windows notification area. In certain cases, it is preferable to remove this icon:
To prevent the user from seeing the application list.
In a Citrix Metaframe/Windows Terminal Server environment, when published applications are used in conjunction with SSOWatch, an icon representing SSOWatch running on the server appears in the client PC notification area (in addition to any local SSOWatch which may be running).

Procedure
To remove the icon, do one of the following:
a) In the SSOWatch command line (see Starting SSOWatch), add the parameter /notrayicon.
b) In the Registry, create a non-null DWORD entry called NoTrayIcon in one of these keys:
HKLM\SOFTWARE\Policies\Enatel\SSOWatch\CommonConfig
HKLM\SOFTWARE\Enatel\SSOWatch\CommonConfig
The first key has precedence over the second. The /notrayicon command line parameter has precedence over the Registry.
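Resolving the effective value of the two registry settings mentioned above (StoreIfApplicationIsDisabled in Section 2.7 and NoTrayIcon here), as an added Python example that is not the product's code. Only the key paths and value names come from the guide; the HKLM hive for StoreIfApplicationIsDisabled, the reader interface, and treating a NoTrayIcon value found in the Policies key as decisive even when it is 0 are this example's assumptions.

```python
"""Effective value of two SSOWatch registry settings described above.

Added example, not the product's own code.  Only the key paths and the
value names NoTrayIcon and StoreIfApplicationIsDisabled come from the
guide; the HKLM hive for StoreIfApplicationIsDisabled, the reader
interface and the rule that a NoTrayIcon value present in the Policies
key is decisive whatever its content are this example's assumptions.
"""
import sys

POLICY_KEY = r"SOFTWARE\Policies\Enatel\SSOWatch\CommonConfig"
CONFIG_KEY = r"SOFTWARE\Enatel\SSOWatch\CommonConfig"


def read_dword_hklm(key_path, name):
    """Read a REG_DWORD under HKLM (Windows only); None if absent or not a DWORD."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            value, value_type = winreg.QueryValueEx(key, name)
    except OSError:  # key or value does not exist, or access is denied
        return None
    return int(value) if value_type == winreg.REG_DWORD else None


def dict_reader(values):
    """Reader over a constructed {(key_path, name): dword} mapping, for offline use."""
    return lambda key_path, name: values.get((key_path, name))


def tray_icon_hidden(read, cmdline_args=()):
    """Documented precedence: /notrayicon switch, then Policies key, then CommonConfig key."""
    if any(arg.lower() == "/notrayicon" for arg in cmdline_args):
        return True, "command line /notrayicon"
    for key_path in (POLICY_KEY, CONFIG_KEY):
        value = read(key_path, "NoTrayIcon")
        if value is not None:  # first key that defines the value wins (assumption: even if 0)
            return value != 0, f"HKLM\\{key_path}\\NoTrayIcon = {value}"
    return False, "NoTrayIcon not set"


def disable_is_persistent(read):
    """True if 'Disable the application' survives an SSOWatch engine restart."""
    return read(CONFIG_KEY, "StoreIfApplicationIsDisabled") == 1


def audit(read, cmdline_args=()):
    hidden, source = tray_icon_hidden(read, cmdline_args)
    return {"tray_icon_hidden": hidden,
            "tray_icon_source": source,
            "disable_is_persistent": disable_is_persistent(read)}


if __name__ == "__main__":
    if sys.platform == "win32":
        reader = read_dword_hklm
    else:  # constructed values so the script also runs off a Windows host
        reader = dict_reader({(POLICY_KEY, "NoTrayIcon"): 1,
                              (CONFIG_KEY, "StoreIfApplicationIsDisabled"): 1})
    for setting, value in audit(reader, sys.argv[1:]).items():
        print(f"{setting}: {value}")
```

Run it on a workstation as `python ssowatch_audit.py` (add `/notrayicon` as an argument to see the command-line switch override the registry); both keys live under HKLM, so writing NoTrayIcon there is an administrative change, not something the user can undo from SSOWatch.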

3 Configuration Editor: Quest Enterprise SSO Studio

Subject
Enterprise SSO Studio is the SSOWatch configuration editor. It allows you to describe the applications for which you want SSOWatch to enable Single Sign-On or account collection (in Access Collector mode), but which could not be configured through the Enterprise SSO Wizard. Additionally, for those applications that have been configured using the Enterprise SSO Wizard, Enterprise SSO Studio enables you to modify or enhance their configuration.
If SSOWatch is used in Access Collector mode, Enterprise SSO Studio allows the administrator to configure all the enterprise applications for the users, so that users' accounts can be automatically collected in the users' directory.
Enterprise SSO Studio provides an easy-to-use graphical interface for defining configuration parameters. It is dedicated to application administrators, or to "super-users" who have access to all necessary parameters.
The defined application parameters result in the creation of a single SSOWatch configuration file. You can define as many applications as needed; SSOWatch manages each application totally independently of the others.

Application Definition
An application is defined by:
Its properties, such as acceptable password formats, its behavior as seen by SSOWatch, and the accounts that the user will use to connect to the application.
The windows displayed to the user that relate to authentication or password management. These windows may be HTML pages from a web application.

Quest Enterprise SSO Studio Types
The two following Quest Enterprise SSO Studio types are available:
Enterprise SSO Studio: the application configuration is shared by a number of users.
Personal SSO Studio: the application configuration is dedicated to a single user. It is automatically accessible on opening Personal SSO Studio. Personal SSO Studio is not available in Access Collector mode.

Storage Modes
The SSO Studio (Enterprise or Personal) configuration can be stored in the Windows registry (file storage mode) or in the LDAP directory (LDAP storage mode). The storage mode is defined during the installation phase.
In LDAP storage mode, a centralized configuration is defined in the LDAP directory, in which SSO access is either authorized or denied for a given user or group of users.
The Access Collector mode works only in LDAP storage mode.

Operating Modes
In local storage mode, the configuration is saved in a file in the Windows registry. In Enterprise mode, the administrator may create as many configurations as he or she wishes, and each configuration is saved in a file.
Quest ESSO can be installed in two different modes: with and without Controller (for more details, see Quest ESSO Installation Guide).
Without Controller, the configuration of applications can be done entirely with Enterprise SSO Studio. The Access Collector mode works only without Controller.
With Controller (Client/Server mode), the configuration of applications is only partly done with SSO Studio: the technical definition of applications can be done with SSO Studio, but the application definition must be completed from the Quest ESSO administration console (see Quest ESSO Console Administrator's Guide).

3.1 Interface Overview

Main Window Interface
Enterprise SSO Studio presents target application parameters as SSO objects organized into a tree structure. Enterprise SSO Studio enables you to create, modify or delete objects and to store them in an LDAP directory (LDAP mode) or in a SSOWatch configuration file (local storage mode). It is a "single-document" application, which means that only one configuration can be edited at a time.
In Enterprise SSO Studio used in LDAP storage mode, the displayed tree corresponds to the associated LDAP directory defined at initialization time, as illustrated in the following example figure (interface example of Enterprise SSO Studio used in LDAP storage mode and with Controller).

The objects may be created anywhere the administrator has object-creation rights. The LDAP administrator is responsible for ensuring that the structure has a branch reserved for the management of Quest ESSO objects. As the objects will be created directly in the LDAP directory, the directory must be accessible while Enterprise SSO Studio is being used.
In Enterprise SSO Studio used in local storage mode, or in Personal SSO Studio, the displayed tree is not linked to an LDAP directory, as illustrated in the following example figure (example interface of Personal SSO Studio).
In local storage mode, the configuration is defined with a root node called Local SSOWatch Configuration, to which two other nodes are attached. These are called Applications and Configuration Objects, and are used for Quest ESSO object declarations.

Main Window Areas
The Enterprise SSO Studio main window is composed of:
A menu bar.

A toolbar offering shortcuts to some menu bar options, as described in the following table. The toolbar appearance depends on the SSO Studio mode used (without and with Controller, LDAP/File storage, Personal/Enterprise). The table groups the buttons by Enterprise SSO Studio mode and gives the description of each button.

Common buttons
(Enterprise SSO Studio only) Creates a new SSO configuration.
(Enterprise SSO Studio only) Opens an existing SSO configuration.
Cuts the selected item.
Copies the selected item.
Pastes the selected item.
Displays the properties of the selected item.
(LDAP storage mode only) Refreshes the displayed LDAP directory.
Deletes the selected item.
Renames the selected item.

Without Controller buttons
Creates a new Application.
Creates a new Window object.
Creates a new Application profile.
Creates a new PFCP.
(Enterprise SSO Studio only) Opens the SSO Settings by Population window, which allows you to define the population allowed to access the application.
Saves the configuration.

With Controller buttons
Creates a new Technical Definition.
Saves the Directory modifications.
Tests the selected SSO.
Adds the selected item to the test list.
Removes the selected item from the test list.

A workspace showing a tree structure that allows you to select elements and to perform actions directly by double-clicking the objects or using a pop-up menu.

3.2 Starting and Stopping Enterprise SSO Studio
This section explains how to start and stop Enterprise SSO Studio or Personal SSO Studio.

Starting Enterprise SSO Studio

Subject
The following procedure explains how to start Enterprise SSO Studio or Personal SSO Studio.

Procedure
Starting Enterprise SSO Studio Using the Windows Taskbar
1. In the Windows taskbar, click one of the following, depending on the Enterprise SSO Studio operating mode you want to open:
For Enterprise SSO Studio: Start > Programs > Quest Software > Enterprise SSO > Enterprise SSO Studio
For Personal SSO Studio: Start > Programs > Quest Software > Enterprise SSO > Personal SSO Studio
An authentication window appears.
2. Fill in the authentication window and click OK. Enterprise SSO Studio appears.

Starting Enterprise SSO Studio Using Command Line Arguments
The following table lists the command line arguments that you may use to start Enterprise SSO Studio (builder.exe):
/user: starts Personal SSO Studio

/wizard: starts the Enterprise SSO wizard

Stopping Enterprise SSO Studio

Subject
The following procedure explains how to stop Enterprise SSO Studio or Personal SSO Studio.

Procedure
In the File menu, click Exit.

3.3 Creating or Opening a Configuration

Subject
In Enterprise SSO Studio used in local storage mode, you can create as many configurations as you wish (each configuration is saved in a different file). This section explains how to create a new configuration, or open an existing one.

Restriction
In local storage mode, the configuration file to be used may be specified during installation. For more information, see Quest ESSO Installation Guide.
The functionality described in this section is only available in Enterprise SSO Studio used in local storage mode.

Procedure
To open an existing configuration:
a) In the File menu, click Open. The Explorer window appears.
b) Select the configuration you want to open and click OK. The selected configuration appears in the Enterprise SSO Studio main window.
To create a new configuration:
In the File menu, click New. Enterprise SSO Studio displays the default configuration.

3.4 Configuring General SSO Parameters

Subject
The following procedure explains how to define the general SSO configuration parameters.

Restriction
The configuration described in this section is only available in Enterprise SSO Studio used in local storage mode.

Procedure
1. In the Edit menu, click Configuration. The following window appears:
The Performance tuning area allows you to set the window detection timing.
The Security Parameters area allows you to define permissions.
2. Fill in the window and click OK to save the configuration and close the window.

3.5 Defining PFCP and Application Profiles
If you use Enterprise SSO Studio without Controller or Personal SSO Studio, you can define the following configuration properties:
The Password Format Control Policies (PFCP).
The Application profiles.
With Controller, this configuration is performed with the Quest ESSO administration console (see Quest ESSO Console Administrator Guide).

Defining Password Format Control Policies (PFCP)

Subject
This section explains how to create or modify a PFCP for the applications for which you want to activate SSO. A default PFCP configuration exists in Enterprise SSO Studio: you can modify it or create a new one.

Restriction
The PFCP configuration is only available if you use Enterprise SSO Studio without Controller or Personal SSO Studio. With Controller, the PFCP configuration must be done with the administration console (see Quest ESSO Console Administrator Guide).

Procedure
1. In the Enterprise SSO Studio main window, do one of the following, depending on the action you want to perform:
To create a new PFCP, right-click the Configuration objects node and click New PFCP.
To modify an existing PFCP, right-click the PFCP you want to modify and click Properties.
The password policy properties window appears.
2. Fill in the window as described in the following sections:
For basic parameter definition, fill in the "Password Management Policy" tab: see "Password Management Policy" Tab - Description.
For advanced parameter definition, fill in the "Password Format Policy" tab: see "Password Format Policy" Tab - Description.
3. Click OK to save the configuration and close the window.

"Password Management Policy" Tab - Description
The Password Management Policy tab allows you to define the following PFCP elements:
Password Policy
The PFCP name.
New Password generation policy

The behavior required when the user is prompted for a password change: automated password generation, or prompting the user for a password compatible with the PFCP.
Advanced
a) The "invalid password" string is the string or text that the application sends to indicate that the password is not valid. If the security system is provided with this string for SSO use, it prompts the user for a new password.
b) The period for which a password is valid.
c) The number of old passwords retained.

"Password Format Policy" Tab - Description
The Password Format Policy tab allows you to define the following elements:
Password Format
Defines how a valid password is created: minimum and maximum password lengths, and the minimum and maximum number of upper-case letters, lower-case letters (excluding accented characters), digits, or special characters that must make up a valid password.
The special characters supported by SSOWatch are the following:
& ~ " # ' { ( [ - ` _ ) ] = + } $ % * , ? ; . : / !
Accented characters are not allowed.
Forbidden characters
List of forbidden characters.
Advanced
Specifies the maximum number of occurrences of a given character in a password.
Test Password Generation button
This button allows you to see an example of a password generated using the rules you have configured.

Defining the Application Profiles

Subject
Application profiles are security objects that define a set of rights and properties that are applied generically to one or more applications. This section explains how to configure the application profiles for the applications for which you want to activate SSO. A default Application profile configuration exists in Enterprise SSO Studio: you can modify it or create a new one.

Restriction
The Application profile configuration is only available if you use Enterprise SSO Studio without Controller or Personal SSO Studio. With Controller, the Application profile configuration must be done with the administration console (see Quest ESSO Console Administrator Guide).

Procedure
1. In the Enterprise SSO Studio main window, do one of the following, depending on the action you want to perform:
To create a new Application profile, right-click the Configuration objects node and click New Application Profile.
To modify an existing Application profile, right-click the Application profile you want to modify and click Properties.
The application profile properties window appears.
2. Fill in the window as described in the following sections:
For the Properties tab, see Properties Tab of an Application Profile.

For the Access Strategy tab, see Access Strategy Tab of an Application Profile.
For the Delegation tab (only if you use Enterprise SSO Studio without Controller and in LDAP storage mode), see Delegation Tab of an Application Profile.
3. Click OK to save the configuration and close the window.

Properties Tab of an Application Profile
The Properties tab allows you to configure the following parameters:
Application Profile name.
Password Policy associated with the Application Profile. For details on how to create a Password Policy, see Defining Password Format Control Policies (PFCP).
SSOWatch Desktop options:
a) Display the applications associated with this profile in the user's SSOWatch Account panel.
b) Automatically launch the applications associated with this profile when SSOWatch starts.
c) Test the applications associated with this profile to check whether the SSO configuration works. For details on how to use the test mode, see Section 2.9, "Testing the SSO Configuration of an Application". This option is available with Personal SSO Studio. It is also available with Enterprise SSO Studio, in the Application Profile in Quest ESSO Console.
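The rules of the "Password Format Policy" tab above (the PFCP that an Application Profile's Password Policy points to), as an added Python example that is not the product's code: violations() checks a password against the length bounds, the per-class minimum and maximum counts, the special-character list the guide gives, the forbidden-character list, the no-accented-characters rule and the maximum number of occurrences of one character, and generate() produces a compliant password with a CSPRNG, which is what the Test Password Generation button illustrates. The PFCP field names, the default values and the generation strategy are this example's own assumptions, not the product's.

```python
"""Password Format Control Policy (PFCP) checker and generator.

Added example, not part of the product.  The PFCP field names, their
defaults and the generation strategy are this example's own; the
character classes and the special-character list follow the guide.
"""
import random
import string
from dataclasses import dataclass

# Special characters listed in the guide as supported by SSOWatch.
SPECIAL_CHARS = '&~"#\'{([-`_)]=+}$%*,?;.:/!'
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,   # accented letters are not in any class
    "digit": string.digits,
    "special": SPECIAL_CHARS,
}


@dataclass
class PFCP:
    min_len: int = 8
    max_len: int = 16
    min_upper: int = 1
    max_upper: int = 16
    min_lower: int = 1
    max_lower: int = 16
    min_digit: int = 1
    max_digit: int = 16
    min_special: int = 1
    max_special: int = 16
    forbidden: str = ""        # "Forbidden characters" list
    max_occurrences: int = 2   # "Advanced": maximum occurrences of one character

    def bounds(self, cls):
        return getattr(self, f"min_{cls}"), getattr(self, f"max_{cls}")


def classify(ch):
    """Character class of ch, or None for accented/unsupported characters."""
    for cls, alphabet in CLASSES.items():
        if ch in alphabet:
            return cls
    return None


def violations(password, policy):
    """List the policy rules the password breaks (an empty list means compliant)."""
    errors = []
    n = len(password)
    if not policy.min_len <= n <= policy.max_len:
        errors.append(f"length {n} outside [{policy.min_len}, {policy.max_len}]")
    counts = dict.fromkeys(CLASSES, 0)
    for ch in password:
        cls = classify(ch)
        if cls is None:
            errors.append(f"unsupported character {ch!r}")
        else:
            counts[cls] += 1
    for cls, count in counts.items():
        lo, hi = policy.bounds(cls)
        if not lo <= count <= hi:
            errors.append(f"{cls} count {count} outside [{lo}, {hi}]")
    for ch in sorted(set(password)):
        if ch in policy.forbidden:
            errors.append(f"forbidden character {ch!r}")
        if password.count(ch) > policy.max_occurrences:
            errors.append(f"{ch!r} occurs more than {policy.max_occurrences} times")
    return errors


def generate(policy, rng=None, attempts=1000):
    """Generate a compliant password using a CSPRNG (random.SystemRandom)."""
    rng = rng or random.SystemRandom()
    allowed = {cls: [c for c in alphabet if c not in policy.forbidden]
               for cls, alphabet in CLASSES.items()}
    minimums = {cls: policy.bounds(cls)[0] for cls in CLASSES}
    length = max(policy.min_len, sum(minimums.values()))
    if length > policy.max_len:
        raise ValueError("class minimums exceed the maximum length")
    for cls, lo in minimums.items():
        if lo > 0 and not allowed[cls]:
            raise ValueError(f"every {cls} character is forbidden")
    for _attempt in range(attempts):
        # Satisfy each class minimum first, then fill from classes still under their maximum.
        chars = [rng.choice(allowed[cls]) for cls, lo in minimums.items() for _ in range(lo)]
        while len(chars) < length:
            open_classes = [cls for cls in CLASSES if allowed[cls]
                            and sum(classify(c) == cls for c in chars) < policy.bounds(cls)[1]]
            if not open_classes:
                break
            cls = rng.choice(open_classes)
            chars.append(rng.choice(allowed[cls]))
        rng.shuffle(chars)
        candidate = "".join(chars)
        if not violations(candidate, policy):   # max_occurrences can still fail: retry
            return candidate
    raise RuntimeError("could not satisfy the policy; relax its limits")
```

Checking a generated password with violations() before accepting it is what keeps the generator honest when the "Advanced" occurrence limit or a long forbidden-character list makes a random draw non-compliant; a policy whose minimums cannot fit in max_len is rejected up front rather than looping.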

Access Strategy Tab of an Application Profile
The Access Strategy tab allows you to configure the following parameters:
Credential storage
Storage location of the SSO accounts used by the applications associated with the Application Profile. If you select Store on token, ensure that the proper authentication method is supported. For more information, contact your security administrator.
Single Sign-On Policy
a) Users must re-authenticate
Before each SSO, the user must confirm the primary password, PIN or biometric identity.
b) Users can modify account
This option is selected by default. If it is cleared, the user is not allowed to change the password through the user account management screen.
c) Users can display password
The user may ask for the password to be displayed. If so, the user is asked to re-authenticate.
d) Users can cancel Single Sign-On
If this option is cleared, the user cannot cancel the SSO execution when he/she starts an application associated with the Application Profile:
If the user starts an application for the first time, he/she must complete the authentication data collection dialog box.
If the user has several accounts for an application, he/she must select an account in the account selection dialog box (the Cancel button is unavailable).

If a problem occurs (for example, if the authentication data cannot be saved due to network issues), the Cancel button is available again to allow the user to log on manually or to quit the application.
Select this option to allow users to temporarily cancel the SSO execution for applications associated with the Application Profile, then select in the drop-down list the scope of this option:
For the current session only: if the user cancels the SSO execution, he/she can then start as many application instances as required; the SSO execution remains disabled. SSO is enabled again when the user quits all the application instances and restarts the application (or resets the SSO configuration, or restarts SSOWatch).
For the application (until reset): the user can disable the SSO execution either for the current SSO session (see above) or until further notice. In the latter case, to enable the SSO execution again for the suspended applications, the user must use the appropriate contextual command from the SSOWatch Account panel (or reset the SSO configuration, or restart SSOWatch).
For the current window only: if the user cancels the SSO execution for an application, SSO is disabled for this application instance only.
For more details on the commands and controls that are modified by this option, see the following sections:
Section 2.6.1, "Providing SSO Data When Launching an SSO Enabled Application for the First Time".
Section 2.6.6, "Creating a New Account for an Application".
Section 2.7, "Disabling/Enabling SSO for Applications".
Account Security Options
This area only appears if you use Enterprise SSO Studio without Controller and in LDAP storage mode. It allows you to select the way the secondary accounts used by the applications associated with the Application Profile are encrypted. In the drop-down list, select one of the following entries:
a) User: only the user can decrypt his/her secondary accounts. This is the most secure option. If the user forgets his/her primary password or loses his/her smart card, it is impossible to recover his/her secondary accounts.
b) User, administrators: the user and you can decrypt his/her secondary accounts. Thus, if you force a new primary password or assign a new smart card using Quest ESSO Console, the user's secondary accounts are also recovered.
c) User, administrators and an external key: select this entry to allow an external application to decrypt the user's secondary accounts using a public key. For example, you must select this entry if you want to use Quest ESSO with Web Access Manager (WAM). By selecting this entry, you allow WAM to decrypt the Quest ESSO secondary accounts of the user so that WAM can perform SSO with these accounts.

Delegation Tab of an Application Profile
The Delegation tab is only available if you use Enterprise SSO Studio without Controller and in LDAP storage mode.
The Delegation tab allows you to define the methods for delegating accounts to users:
Authorize delegation to everybody.
Authorize delegation to a member of the same user group.
Authorize delegation to a member of the same organizational entity.
Advanced mode: person/group/organizational entity.
Authorize the delegated user to change passwords: the delegated user is authorized to modify the password for the delegated account.
You can require the person delegating the account(s) to reauthenticate on the workstation where the Studio is installed by setting the following registry value (DWORD):
SOFTWARE\Enatel\SSOWatch\CommonConfig\ReauthOnDelegate

Defining Application and Technical Definition Objects
This section explains how to create and define Application and Technical Definition objects.
Without Controller, Enterprise SSO Studio allows you to entirely configure Application objects. An Application object implies the definition of:
a) An application name, as shown in Enterprise SSO Studio and in SSOWatch, and some options regarding the access rights for this object.
b) Parameters that associate this application with the SSO data in the security system.

c) Access strategy (in registry or personal configuration modes), or assignment to user groups (in LDAP mode); the application profile should be defined for each association to a user group.
Enterprise SSO Studio allows you to create application objects with some predefined parameters for SAP and Windows applications: see Creating a New Application Object or Technical Definition.
With Controller, Enterprise SSO Studio allows you to configure Technical Definitions. A Technical Definition object is a technical description of an application that allows you to use the application, and particularly to perform single sign-on in a Quest ESSO environment. The application configuration must then be completed in the administration console (see Quest ESSO Console Administrator Guide).

Creating/Modifying Application Objects and Technical Definitions

Creating a New Application Object or Technical Definition

Subject
For Application objects, Enterprise SSO Studio allows you to use templates to create SAP and Windows application objects. The Template Application item allows you to create an Application object with a number of pre-defined parameters. They should be used for specific authentication scenarios. The predefined template applications are:
SAP, for SAP R/3 application authentication (for more details, see Section 6., "The SAP R/3 Plug-in").
Windows, for authentication to an external LDAP directory.
Template applications are managed in the same way as Application objects. They enable the single sign-on function for specific authentication procedures. A template application has a number of predefined parameters.
The following procedure explains how to create a new technical definition or application (with or without template).

Procedure
1. In the Enterprise SSO Studio main window, do one of the following, depending on the action you want to perform:
To create a new application or technical definition: right-click the node where you want to create a new Application or Technical Definition and click New Application or New Technical Definition.
To create a new application using a template: click the node where you want to create a new template application and, in the Edit menu, click New Template-based Application/SAP or Windows.
The Application properties window appears.

2. Fill in the Application properties window (or modify it in the case of a template application) as described in Filling in the Application Properties Window.

Modifying an Application Object or Technical Definition Configuration

Subject
The following procedure explains how to modify the properties of an existing Application Object or Technical Definition.

Procedure
1. In the Enterprise SSO Studio main window, right-click the Application or Technical Definition you want to modify and click Properties.
The Application properties window appears.
2. Fill in the Application properties window as described in Filling in the Application Properties Window.

For Application objects, fill in the following tabs:
- Properties: see "Properties" Tab of an Application Object.
- Account base: see "Account Base" Tab of an Application Object.
- Launcher: see "Launcher" Tab.
- Parameters: see "Parameters" Tab.
- Application Profile: see "Application Profile" Tab.

For Technical Definition objects, fill in the following tabs:
- Properties: see "Properties" Tab of a Technical Definition Object.
- Launcher: see "Launcher" Tab.
- Parameters: see "Parameters" Tab.

Filling in the Application Properties Window

"Properties" Tab of an Application Object
The Properties tab described in this section only appears if you use Enterprise SSO Studio without Controller, or Personal SSO Studio.

The Properties tab of an Application Object allows you to define the basic parameters of an Application.

Application Name
This field will be shown in the objects tree of Enterprise SSO Studio and in the data collection and account management dialog boxes of SSOWatch.

Session management (advanced)
Indicates whether all the application's windows depend on the same application instance.

OLE/Automation
Grants OLE/Automation access to this application (and all the associated security objects). For further security, you can enter a password for which OLE clients will be prompted. For more information, see Section 10., "OLE/Automation Interface".

Options
a) Enable this application (this option is selected by default)
If this option is cleared, SSOWatch will ignore this application. This is used to temporarily disable an application without deleting it from the configuration file.
b) Try previous password when "bad password" windows detected
If this option is selected, the fields are filled with the last valid password at "bad password" detection (this can be useful if the password change is not immediately taken into account by the application).
c) User must provide credentials
This check box only appears in Access Collector mode. If this check box is cleared, the user will be able to cancel the collect (or the bad password) window that appears when he/she launches an application.
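The ReauthOnDelegate registry setting introduced in the Delegation Tab section above (the value that forces the delegating person to re-authenticate on the Studio workstation) can be applied and verified from PowerShell. The following is an added example, not a script from the guide or from Quest: the guide gives only the key path and the DWORD type, so the HKLM hive and the meaning of the value 1 (enforce) and 0 (do not enforce) are assumptions to confirm against your installation.

```powershell
# Added example, not part of the Quest guide: enforce re-authentication before an
# account is delegated by setting the ReauthOnDelegate value on the workstation
# where Enterprise SSO Studio is installed.
# Assumptions (the guide only gives the key path and the DWORD type): the key is
# under HKLM, 1 enables the re-authentication prompt and 0 disables it.
# Run from an elevated PowerShell session; HKLM is not writable otherwise.

$ReauthKeyPath   = 'HKLM:\SOFTWARE\Enatel\SSOWatch\CommonConfig'
$ReauthValueName = 'ReauthOnDelegate'

function Set-ReauthOnDelegate {
    param([ValidateSet(0, 1)][int]$Enabled = 1)

    # The CommonConfig key may not exist yet on a freshly installed workstation.
    if (-not (Test-Path -Path $ReauthKeyPath)) {
        New-Item -Path $ReauthKeyPath -Force | Out-Null
    }
    # -Force overwrites an existing value, including one of a different type.
    New-ItemProperty -Path $ReauthKeyPath -Name $ReauthValueName `
        -PropertyType DWord -Value $Enabled -Force | Out-Null
}

function Test-ReauthOnDelegate {
    # Returns $true only when the value exists and is set to 1, so a missing
    # value (client default behaviour) is reported as "not enforced".
    $item = Get-ItemProperty -Path $ReauthKeyPath -Name $ReauthValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$ReauthValueName -eq 1)
}

Set-ReauthOnDelegate -Enabled 1
if (Test-ReauthOnDelegate) {
    Write-Output 'ReauthOnDelegate is enforced on this workstation.'
} else {
    Write-Output 'ReauthOnDelegate is NOT enforced on this workstation.'
}
```

Test-ReauthOnDelegate is the part worth keeping in a compliance check: run it on every workstation where the Studio is installed, since the setting is per-workstation and a delegation performed from a machine without it skips the re-authentication.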

"Properties" Tab of a Technical Definition Object
The Properties tab described in this section only appears if you use Enterprise SSO Studio with Controller.
The Properties tab of a Technical Definition object allows you to define the basic parameters of a Technical definition.

Identification
The Technical reference name. This field will be shown in the objects tree of Enterprise SSO Studio.

Session management
Indicates whether all the application's windows depend on the same application instance.

Try previous password when "bad password" windows detected
If this option is selected, the fields are filled with the last valid password at "bad password" detection (this can be useful if the password change is not immediately taken into account by the application).

"Account Base" Tab of an Application Object
The Account Base tab only appears if you use Enterprise SSO Studio without Controller or Personal SSO Studio.

The Account Base tab allows you to define the Account Base associated with an application.

An Account is a username/password pair that allows connection to an application. There is also an account parameter that can store complementary authentication data; for instance, a Windows Domain name is a complementary parameter of a Windows account.

The account name is internal to SSOWatch: it is used to store and retrieve security data and to give a user-friendly name to this data. A user-friendly name is particularly useful when using multiple accounts: you can give names like "Notes Admin" or "Notes User" if a Notes user is also the administrator.

Accounts are global: they are shared by applications and by SSOWatch configurations, because they refer to objects stored in the security system storage and which are bound to the user.

In most cases, one single account is associated with an application. It is called a Standard account.

In some cases, it is possible to use the Windows username and password to perform SSO to an application. An example is the Windows Terminal Server login. To use this security credential in SSO, you must associate the Primary Authentication Identifier with the application (check the corresponding option). The Windows username can be used in different formats:
- Short name: username only.
- Windows 2000 (and later): username including the Windows domain, for instance: jsmith@quest.com.
- NT 4: username preceded by the NETBIOS domain, for instance: QUEST\jsmith.

Share Account Base with Another Application: to do so, in the application that you consider as the account reference, indicate the applications authorized to use this reference base.

You can also share an account base between two Applications using command line arguments. This feature may allow you to create batch files to automate this task. You can combine this feature with the possibility of importing objects using command lines, which is described in Importing Objects using Command Line Arguments (without Controller).

Before Starting
- The Applications must be created.
- Close the Enterprise SSO Studio graphical interface.

Procedure
To share an Account base, at the Windows prompt, type the following command:
<SSOWatch installation folder> [/login <name>] [/password <password>] /share <MasterApplication> <SlaveApplication>
Arguments in square brackets [ ] are optional.

Where:
ARGUMENT NAME | VALUE
<SSOWatch installation folder> | "C:\Program Files\Quest Software\QESSO Client\SSOBuilder.exe" by default.
/login <name> and /password <password> | Login name and password of the Quest ESSO administrator. Note: Use the format DOMAIN\login. If the login name and password of the administrator are not specified, the Enterprise SSO Studio authentication window will appear. The administrator account used to run the command must have sufficient rights.
/share <MasterApplication> <SlaveApplication> | <MasterApplication>: name of the Application owning the Account base to share. <SlaveApplication>: name of the Application that will use the Account base. Note: This parameter works only with Application objects.

Example
The following command allows you to share the Account Base AB1 owned by APP1 with APP2:
"C:\Program Files\Quest Software\QESSO Client\SSOBuilder.exe" /login DOMAIN\WGAdmin /password AdminPWD /share APP1 APP2

External Names: this button only appears if you use Enterprise SSO Studio without Controller and in LDAP storage mode. It allows you to define a mapping between the Quest ESSO application that you are configuring and the name of an external application that must be identified by Quest ESSO. This option is particularly useful to integrate Web Access Manager with Quest ESSO. For example, if you are defining an application called MyHTMLApplication that already uses Web Access Manager Account Bases, click this button and, in the displayed window, enter the names of the Web Access Manager Account Bases defined for this application. In this way, Quest ESSO will be able to use these Web Access Manager Account Bases to perform SSO with this application. Each external application name must be unique in the directory.

"Launcher" Tab
The Launcher tab is used to define how SSOWatch may start an application. This window allows you to define the following parameters:

Change Icon button
The icon associated with the application, which will be displayed in SSOWatch.

Application description for user
The application description, which will be displayed in SSOWatch.

Target
The command line or URL (for web applications), which opens the application.

Start in folder
The directory where the command line should start.

Command line parameters
The SSO parameters to be sent to the command line, if necessary. The Insert button inserts in the command line the item selected in the list (identifier/password).

Authentication methods required if automatic start is used check box and drop-down list
Since SSOWatch can launch applications during session opening, this option enables you to control which applications are launched depending on the authentication method used to log on. Select the check box and, in the drop-down list, select the authentication methods required to launch the applications.

"Parameters" Tab

Parameters Tab of an Application Object (without Controller)

Subject
The Parameters tab allows you to add a list of additional authentication parameters (such as Windows Domains or Languages). These parameters enable you to define more fields than just the user name/password pair of the target application's authentication window.

Window Description
Add button: click this button to add a parameter. The following window appears:

a) To add an existing parameter, select it and click OK. The parameter Windows Domain must be used only with Applications that may use Advanced Login.
b) To create a new parameter, type its name in the Name field and click Add.
c) To delete or rename an existing parameter, select it and click Delete or Rename.
To define an External Name for a parameter, select the wanted parameter and click External Name. For more information, see "Managing External Names" below.

Delete button: select a parameter and click Delete.

Properties button: select a parameter, then click this button to define the properties of the selected parameter.
a) Description: mandatory description of the parameter, for a better understanding.
b) Parameter type:
- Default: the value of the parameter is collected for each SSO account and can be modified by the user.
- Global: the value of the parameter is the same for all SSO accounts and is not proposed to the user.
- Rule: the value is dynamically defined as a function of user data, and cannot be changed.

c) Value: this is the default value assigned to the parameter. If nothing is entered here, it will be requested at first authentication (data collection), depending on the parameter type defined previously.
If you have selected Rule in the Parameter type area, get the exact LDAP attribute name (using an LDAP browser) and type it between parentheses in the Value field. For example, type (mail) to indicate that the parameter value is the user's mail address. If you want to add several LDAP attributes, type them one after another, without commas. Example: (mail)(dn).
You can be more specific about the parameter value by using the following rules:
- To keep only the first n characters of the LDAP value, use the syntax (attldap,n).
- Three functions are available to handle LDAP values: UPPER, LOWER and CAPITALIZED. Example: UPPER(mail,10) returns the first 10 characters of the user's mail address in upper case.

Managing External Names
This window appears when you click the External Name button. It allows you to define a mapping between the parameter that you are configuring within Quest ESSO and the name of an external parameter (created using another SSO tool) that must be identified by Quest ESSO. This option is particularly useful to integrate User Provisioning or Web Access Manager with Quest ESSO.

Parameters Tab of a Technical Definition Object (with Controller)
The Parameters tab allows you to add a list of additional authentication parameters (such as Windows Domains or Languages). These parameters enable you to define more fields than just the name/password pair of the target application's authentication window.
The list of authentication parameters for the technical reference must be consistent with the parameters defined at the application level. The creation of an application is described in the Quest ESSO Console Administrator Guide.

Window Description
Add button: click this button to add a parameter:
a) To add an existing parameter, select it and click OK. The parameter called Windows Domain (which is created upon the installation of Quest ESSO) must be used only without Controller.
To create a new parameter, type its name in the Name field and click Add.
To delete or rename an existing parameter, select it and click Delete or Rename.
b) To define an External Name for a parameter, select the wanted parameter and click External Name. For more information, see "Managing External Names" above.

Delete button: select a parameter and click Delete.

Properties button: this button is always disabled.
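The Rule parameter type described under "Parameters" Tab above derives a value from LDAP attributes with the (attribute), (attribute,n) and UPPER/LOWER/CAPITALIZED syntax. The following PowerShell function is an added example, not SSOWatch code: it evaluates a rule string against a constructed set of user attributes so that an administrator can preview the value a rule would produce before assigning it to a parameter, and it rejects anything outside the documented syntax rather than silently producing an empty value. It assumes attribute names match case-insensitively and that CAPITALIZED means an upper-case first letter with the rest in lower case; neither detail is stated in the guide.

```powershell
# Added example, not SSOWatch code: evaluate the documented Rule syntax for a
# parameter value against a set of user attributes (a hashtable standing in for
# the user's LDAP entry) to preview what the parameter would resolve to.
# Assumptions: attribute names match case-insensitively; CAPITALIZED upper-cases
# the first character and lower-cases the rest; a function applies to the single
# attribute it wraps, as in the guide's UPPER(mail,10) example.

function Resolve-SsoRule {
    param(
        [Parameter(Mandatory)][string]$Rule,
        [Parameter(Mandatory)][hashtable]$Attributes
    )

    # One token = optional function name + "(" attribute [, length] ")".
    $tokenPattern = '(?<fn>UPPER|LOWER|CAPITALIZED)?\((?<attr>[A-Za-z][\w-]*)(?:,(?<len>\d+))?\)'
    $result = [System.Text.StringBuilder]::new()
    $pos = 0

    foreach ($m in [regex]::Matches($Rule, $tokenPattern)) {
        # Text between tokens (a stray comma, a space) is not documented syntax;
        # fail loudly instead of deploying a rule that yields an empty value.
        if ($m.Index -ne $pos) {
            throw "Unexpected text '$($Rule.Substring($pos, $m.Index - $pos))' in rule '$Rule'"
        }
        $pos = $m.Index + $m.Length

        # Case-insensitive attribute lookup; a missing attribute contributes "".
        $attr  = $m.Groups['attr'].Value
        $key   = $Attributes.Keys | Where-Object { $_ -ieq $attr } | Select-Object -First 1
        $value = if ($null -ne $key) { [string]$Attributes[$key] } else { '' }

        # (attldap,n): keep only the first n characters.
        if ($m.Groups['len'].Success) {
            $n = [int]$m.Groups['len'].Value
            if ($value.Length -gt $n) { $value = $value.Substring(0, $n) }
        }

        switch ($m.Groups['fn'].Value) {
            'UPPER'       { $value = $value.ToUpperInvariant() }
            'LOWER'       { $value = $value.ToLowerInvariant() }
            'CAPITALIZED' {
                if ($value.Length -gt 0) {
                    $value = $value.Substring(0, 1).ToUpperInvariant() + $value.Substring(1).ToLowerInvariant()
                }
            }
        }
        [void]$result.Append($value)
    }

    if ($pos -ne $Rule.Length) {
        throw "Unexpected text '$($Rule.Substring($pos))' in rule '$Rule'"
    }
    $result.ToString()
}

# Constructed sample entry (not real directory data).
$user = @{
    mail = 'john.smith@example.com'
    dn   = 'CN=John Smith,OU=Users,DC=example,DC=com'
    sn   = 'SMITH'
}

Resolve-SsoRule -Rule '(mail)' -Attributes $user
Resolve-SsoRule -Rule '(mail)(dn)' -Attributes $user
Resolve-SsoRule -Rule 'UPPER(mail,10)' -Attributes $user
Resolve-SsoRule -Rule 'CAPITALIZED(sn)' -Attributes $user
```

The four calls mirror the guide's own examples: a single attribute, two attributes concatenated with no separator, the first ten characters of the mail address in upper case, and one of the case functions applied to a surname. Feeding the function the attributes of a few representative users is a cheap way to catch a rule that truncates too aggressively or references an attribute some users lack.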

"Application Profile" Tab
By default, every user is authorized to access the application. The Application Profile tab allows you to define the application profile, with an access right granted to all the users by default. In LDAP storage mode and Personal mode, only one profile may be assigned per application.
To allow the user to dynamically create new accounts from SSOWatch, select User can create additional accounts.

Defining Advanced Access Rights

Subject
Enterprise SSO Studio allows you to define advanced management of access rights, as explained in the following procedure.

Restriction
The SSO settings by population window is only available in Enterprise SSO Studio used without Controller and in LDAP storage mode.

Procedure
1. In the Enterprise SSO Studio main window, right-click the application for which you want to define advanced access permissions and click SSO Settings by population.
The SSO Settings by population window appears.
2. Fill in the window as described in the following Window Description section.

Window Description
The SSO settings by population window allows you to define the population (users, groups or organizational units) that you want to access the application. It is necessary to assign an application profile to each one.
If several profiles are associated with a user, priority is given to the profile of:
1. The user.
2. The group. If there are several groups, the priority indicated on the interface is applied. This applies only to groups (with 0 as the highest priority level).
3. The organizational unit.

3.7 Defining Window Objects

Subject
Window objects are subordinate to Application or Technical definition objects. They can only exist if they are associated with an application object.

Procedure
1. In the Enterprise SSO Studio main window, right-click the application for which you want to define a window object and click New Window.
The Window Properties window appears.

2. Fill in the Window Properties window tabs as described in the following sections:
a) For the General tab, see "General" Tab.
b) For the Options tab, see "Options" Tab.
c) The Detection and Actions tabs are described in the sections of this guide that are related to the "plug-in types", as their content depends on the selected window type.

"General" Tab
The General tab allows you to give a name to the window object and to set its type. The type cannot be modified once the window has been created.

Window Name
By default, this field is automatically filled in with the name of the selected Window Type. It is recommended to enter a name clearer than the default name.

Window Type
The displayed Window types are loaded from the different Quest Enterprise SSO Plug-ins. The following table shows the window types provided by the different plug-ins and their associated technology. The Window Type Description area displays the description of the selected window type.

WINDOW TYPE | TECHNOLOGY | BEHAVIOR | DESCRIPTION

Generic Windows
StandardLogin | Win32/Java | Login |
BadPassword | Win32/Java | BadPassword |
NewPassword | Win32/Java | NewPassword |
BadNewPassword | Win32/Java | BadNewPassword |
ConfirmPassword | Win32/Java | ConfirmPassword |
Terminal | Terminal | All |

HTML Pages (reserved for old versions. Do not use to detect new windows)
IELogin | Win32 | Login + BadPassword | HTTP authentication window
HTMLLogin | HTML/IE | Login | Authentication in HTML pages
HTMLBadPassword | HTML/IE | BadPassword |
HTMLNewPassword | HTML/IE | NewPassword + ConfirmPassword |
HTMLBadNewPassword | HTML/IE | BadNewPassword |

Customizable Window Types
CustomScript | Win32 | All | Graphic scripts enabling customized SSO creation
CustomScriptHTML | HTML/IE | All | Graphical scripts allowing customized SSO creation for web applications under Internet Explorer.

Microsoft Applications
MSTelnet | Terminal | All | Not supported.
MSTelnetW2KXP | Terminal | All | Microsoft Telnet for Windows 2000 and XP

Lotus Notes Windows
NotesLogin | Win32 | Login | Lotus 4.x and 5.x authentication

SAP Windows
SAPLogin | Win32 | Login | SAP R/3 authentication
SAPExpired | Win32 | NewPassword | SAP R/3 authentication
SAPGUI Scripting | Win32 | Login | Authentication for SAP R/3 version 6.20

Plugin HLL API Windows
HLLAPI Login | Win32 | Login |
HLLAPI Bad Password | Win32 | BadPassword |
HLLAPI New Password | Win32 | NewPassword + LoginNewPassword |
HLLAPI Confirm Password | Win32 | ConfirmPassword |
HLLAPI Bad New Password | Win32 | BadNewPassword |
HLLAPI Standard | Win32 | |

"Options" Tab
The Options tab allows you to define the following properties:

- Specific detection conditions to trigger the single sign-on when the window appears (Detection criteria area).
- SSOWatch execution options to carry out SSO (Execution Options area).
- Advanced SSO options (Advanced options area).

Detection Criteria Area

Use language criteria
This option allows you to trigger the single sign-on only if the selected language is one of the input languages installed on the computer. This option can be useful to optimize response times.
Procedure
1. In the Windows Control Panel, double-click Regional and Language Options to display the input languages installed on the computer.
2. In the Languages tab, click Details.
3. Click the Configure button to select the wanted system languages.
4. Select Show local language variants to display the speech communities of each language.

Use SSO State criteria
This option allows you to trigger the single sign-on only if the selected SSO states are met. This option is particularly useful for the Customizable Window Type (Custom Script type). Click the Configure button to select the conditions of the window activation depending on the state of the application. For details, see the table below:

OPTION NAME | DESCRIPTION
The window is always detected | This option is selected by default: the window is always detected and processed by SSOWatch, without any condition.
SSO has not been performed | Select this option to trigger SSOWatch only if the SSO operation has not been done. With this option, SSOWatch can perform SSO upon the first detection of the window; then, as long as the application runs, this window is no longer detected.
SSO has been performed and the password is valid | The window is detected and processed by SSOWatch only if the SSO operation has been done with a valid password.
SSO has been performed and the password has expired and must be changed | This option depends on the password validity period parameter (defined in the PFCP properties window). This window is detected and processed only if the SSO operation has been done and the password validity period has expired.
The password has been refused and resynchronized (BadPassword) |
A new password has been provided but not confirmed |
The new password has been confirmed |
A new password has been refused (after a rollback) |

These last options can be particularly useful for applications that use several authentication windows that you have defined using custom scripts. For example, if you have to define the following windows for the same application:
- A custom bad password window.
- A custom new password window, which contains only a field for the old password and a field for the new password.
- A custom password confirmation window, which contains a field to confirm the new password.
- A custom bad new password window, which appears when the user enters a wrong new password.
To avoid inopportune detection and processing of these windows by SSOWatch, select for each window the appropriate option in the Application State Conditions window.

Example of use with the "SSO has been performed and the password has expired and must be changed" option
To display the change password window of an application automatically, do the following. This example assumes that the change password window appears when you click a button.
Procedure
1. In Enterprise SSO Studio, create the Application object (for details, see 3.6 Defining Application and Technical Definition Objects).
2. From this object, define the Login and Change Password windows (for details, see 3.7 Defining Window Objects).
3. Define the Password Expire window, with the following guidelines:
- In the General tab, select Custom script (Window type).
- In the Options tab, select Use SSO state criteria, then click the Configure button and select SSO has been performed and the password has expired and must be changed.

- Detection tab: drag and drop the target button to the window where the Change Password button is located.
- Fill in the Actions tab as follows:
The Password Expire window is a virtual window, which allows you to display the Change Password window automatically when the password has expired.

Execution Options Area

Activate window masking
This option allows you to hide the window of an application behind an SSOWatch window displaying a customizable text. You can use this option if you do not want the user to see his/her login/password, for example.

Do not disable the window during SSO
This option is useful with custom script windows only. It allows you to set the focus on the custom script window in case of focus issues.

Interpret reappearance of login window as meaning 'bad password'
Select this option for login windows that display at least twice in case of bad login/password values. This is the case, for example, for the authentication window used by Internet Explorer to log in to restricted areas:

Advanced Options Area
Select the check boxes to activate the following actions:

Do not disable the window during SSO and Do not disable the window when asking for user input
Select these options so that the user can interact with the window detected during SSO. This is only relevant for IE, Firefox and Chrome.

Use alternative field detection method. Activate this if the contents of the web page are not always identical. This can be slower than the default method.
Select this option so that:
- The window definition for IE 6, 7 and 8 is the same for the three of them.
- If the web page is modified, SSO is still executed.
If this option slows down the window detection, then you must select one window for each IE version. You must start the configuration over again if you select this option.

Try to use for Firefox. If this definition is for Internet Explorer, it will also be used for Firefox. This option may not work with all web pages.
Select this option so that the window definition for IE is also applied to Firefox. If this option does not work, you must create a specific window definition for Firefox. You must start the configuration over again if you select this option.

"Detection" and "Actions" Tabs
The Detection and Actions tabs are described in the sections of this guide that are related to the "plug-in types", as their content depends on the selected window type.

3.8 Testing the SSO

Subject
Enterprise SSO Studio allows you to test the SSO configuration you have created.

Restrictions
- This functionality is available only if you use Enterprise SSO Studio with Controller.
- This functionality is not available with Personal SSO Studio.

Procedure
1. In the Enterprise SSO Studio main window, right-click the Technical definitions you want to test and click Add to Test List. To remove a technical definition from the list, right-click the object and select Remove from Test List.
A small check mark appears on the Technical definition icon.
2. Right-click one of the selected items and click Test.
A confirmation window appears, to inform you that SSOWatch is about to be started in test mode.
3. Click OK.
The SSOWatch Account panel displays only the selected technical definitions: you can start the applications corresponding to these technical definitions to test the window detection and the collection of the security data, without any modification in the directory.

To disable the test mode, do the following:
- In Enterprise SSO Studio, remove the technical definitions from the test list.
- Reset the SSOWatch engine configuration.

3.9 Exporting or Importing Objects
The Import/Export feature allows you to reuse SSO configurations. You may use it when testing SSO configurations: if the Application and Window objects that you have created in your test environment are working, use the import/export feature to deploy them in the live environment.
You can export/import the following objects:
- An Application (without Controller) or an External Reference (with Controller) and its associated Windows.
- Windows, PFCPs (without Controller) or Application Profiles (without Controller).
Each exported object is saved in an .sse (SSOWatch Export) file.

Exporting/Importing Objects using the Graphical Interface

Exporting Procedure
To export an object, do the following:
1. In the Enterprise SSO Studio main window, right-click the object you want to export and click Export.
The Explorer window appears.
2. Choose a saving location for the object and click OK.

Importing Procedure
To import an object, do the following:
1. In the Enterprise SSO Studio main window, right-click the node where you want to import the file. To import a window, select the application that will receive this window.
The Explorer window appears.
2. Select the object to import and click OK.
The object appears in the tree, at the selected location.

Importing Objects using Command Line Arguments (without Controller)

Subject
You can import .sse files using command line arguments. This feature may allow you to create batch files to automate the import of several objects from your test environment to the live environment.

This feature is more powerful than the import of objects using the graphical interface: you can use it to define access to applications in addition to the import operation.

Before Starting
- Export the wanted objects using the graphical interface, as described in Exporting/Importing Objects using the Graphical Interface. For details on the objects that you can import, see 3.9 Exporting or Importing Objects.
- Close the Enterprise SSO Studio graphical interface.
Note that you can combine this feature with the possibility of sharing an account base using command lines, which is described in "Account Base" Tab of an Application Object.

Procedure
To import an object, at the Windows prompt, type the following command:
<SSOWatch installation folder> [/login <name>] [/password <password>] /import <filename.sse> /location <Organization DN> [/access <group>] [/profile <profile>]
Arguments in square brackets [ ] are optional.

Where:
ARGUMENT NAME | VALUE
<SSOWatch installation folder> | "C:\Program Files\Quest Software\QESSO Client\SSOBuilder.exe" by default.
/login <name> and /password <password> | Login name and password of the Quest ESSO administrator. Note: Use the format DOMAIN\login. If the login name and password of the administrator are not specified, the Enterprise SSO Studio authentication window will appear. The administrator account used to run the import must have sufficient rights.
/import <filename.sse> | Full path name of the .sse file, which contains the object(s) to import. If the object to import is associated with another Quest ESSO object (an Application associated with a PFCP, for example), and if the name of this object (PFCP) is used by other objects, the first name found is used. If no object is found, the default object is used.
/location <Organization DN> | Distinguished Name of the organization where the object will be created.
/access <group> | Name of the group of users for whom you want to specify access to the imported Application. You can use either the format "Group Name" or "Group DN". If you do not specify this argument, check the access configuration using Enterprise SSO Studio. This argument works only with Application objects.
/profile <profile> | Name of the Application Profile that will be associated with the imported Application. You can use either the format "Group Name" or "Group DN". If you do not specify this argument, the default Application profile will be used. This argument works only with Application objects.

Examples
The following command allows you to import MyExportedFile.sse into the Applications container:
"C:\Program Files\Quest Software\QESSO Client\SSOBuilder.exe" /login DOMAIN\WGAdmin /password AdminPWD /import C:\MyExportedFile.sse /location OU=Applications,OU=Organization,DC=domain,DC=acme,DC=com

You have created the APP application, for which access is restricted to the group of users GROOP. To import this application and keep the restricted access to GROOP, use the following command:
"C:\Program Files\Quest Software\QESSO Client\SSOBuilder.exe" /login DOMAIN\WGAdmin /password AdminPWD /import C:\MyExportedAPP.sse /location OU=Applications,OU=Organization,DC=domain,DC=acme,DC=com /access GROOP

3.10 Managing Objects in the Tree
This section explains how to copy, cut, paste, rename and delete objects of the tree.

Copying/Cutting/Pasting Objects

Subject
You can perform basic operations with objects, as explained in the following procedure.

Procedure
1. In the Enterprise SSO Studio main window, right-click the object you want to copy and click one of the following commands:
- Copy, to duplicate the selected object.
- Cut, to copy the object and remove it from its current location (the object won't be removed if it is not pasted afterwards).
2. In the tree, right-click the node where you want to paste the copied object and click Paste.
The object appears in the tree at the selected location.

Renaming an Object

Procedure
1. In the Enterprise SSO Studio main window, right-click the object you want to rename and click Rename.
The object name is selected.
2. Type the name you want to see appear for the object and press the Enter key.
The object is renamed.

Deleting an Object from the Tree

Subject
If you use Enterprise SSO Studio in LDAP mode, the tree displayed corresponds to the LDAP directory. If you delete an object from the tree, it will not be deleted from the LDAP directory as long as you have not updated it (see 3.13 Refreshing the Tree).

Procedure
1. In the Enterprise SSO Studio main window, right-click the object you want to delete and click Delete.
A confirmation window appears.
2. Click OK.
The object is deleted from the tree.

Saving Object Configurations
This section explains how to save the object configurations.
In Enterprise SSO Studio used in local storage mode, Enterprise and Personal configurations are stored differently:
- Enterprise mode: you can create as many configurations as you wish, and each configuration is saved in a file.
- Personal mode: a single and unique configuration is dedicated to you. It is automatically accessible on opening Personal SSO Studio, and is stored in the security database defined during the installation phase (LDAP directory or Windows Registry).

- LDAP storage mode: the centralized configuration is defined in the LDAP directory, in which SSO access is either authorized or denied for a given user or group of users.

Saving Object Configurations in LDAP Storage Mode (with Controller)
Subject
In LDAP storage mode, the centralized configuration is defined in the LDAP directory, in which SSO access is either authorized or denied for a given user or group of users.
- Without Controller, the configuration is immediately and automatically saved in the LDAP directory.
- With Controller, you must save the directory modifications, as explained in the following procedure.
Procedure
In Enterprise SSO Studio (LDAP storage mode with Controller), in the File menu, click Update directory. The LDAP directory is updated with the configurations defined in Enterprise SSO Studio.

Saving Object Configurations in Local Storage Mode
Subject
In local storage mode, the storage operation depends on the Enterprise SSO Studio version used:
- In Personal SSO Studio, a single configuration is dedicated to each user. It is automatically accessible on opening Personal SSO Studio.
- In Enterprise SSO Studio, you can save as many configurations as you want: each configuration is saved in a file.
Procedure
- In Personal SSO Studio (local storage mode), click File > Save. The configuration is saved in the Windows Registry.
- In Enterprise SSO Studio (local storage mode), click File > Save. The Explorer window appears. Give a name to the configuration and select the location where you want to save it. The configuration is saved in a .sso file in the selected location.

3.12 Managing Configuration Updates
Subject
To optimize network traffic, you can use the update management feature. By default, Quest ESSO workstations retrieve the whole SSO configuration periodically. The update management feature allows you to post an update, which generates a unique identifier. The workstations retrieve the application data together with this identifier. As long as the identifier is unchanged between the directory and the cache of the workstations, the workstations do not update their SSO configurations.
Restriction
The functionality described in this section is only available in Enterprise SSO Studio used in LDAP storage mode and without Controller.
Procedure
- To enable the update management feature: in the File menu of Enterprise SSO Studio, select Manage Updates and click Disable Update Management.
- To post an update, which generates a unique identifier: in the File menu of Enterprise SSO Studio, select Manage Updates and click Post an Update.
When a workstation runs an update, it retrieves the entire configuration (not only the configuration corresponding to the last posted update). So this feature does not prevent workstations from retrieving the applications configured by administrators after the last posted update, if the data on the workstation is older than the last posted update.

Refreshing the Tree
Subject
Refreshing the tree means updating it so that it displays the current content of the corresponding LDAP directory.
Restriction
If you have made modifications in the tree and have not saved them, refreshing the tree cancels all your unsaved modifications. This functionality is available only if you use Enterprise SSO Studio in LDAP storage mode.
Procedure
In the Enterprise SSO Studio main window, in the Edit menu, click Refresh. The displayed tree is updated with the current LDAP directory.

4 The Generic Plug-in
The "generic plug-in" allows you to define single sign-on (SSO) or account collect (in Access Collector mode) configurations by detecting windows used by the following types of applications:
- Any Microsoft Windows application.
- Web applications (Internet Explorer, Firefox or Chrome).
- Java applications or applets. The configuration of SSO for Java requires advanced skills. To deliver SSO access to Java applications, an integration service is required. Please contact Quest Support.
The window objects that allow you to carry out the SSO belong to the Generic Windows, as shown in the following figure.
These window types allow you to detect any Microsoft Windows application, including any HTML page displayed by web browsers such as Internet Explorer, Firefox or Chrome.

Do not use the Microsoft Internet Explorer plug-in (HTML Pages) to define new windows.
Before Starting
If you want to detect a Java application, make sure the following components are properly installed on your workstation:
- A supported Java version (for details about the supported JRE versions, see the Release Notes).
- The Quest SSOJava Plug-in, which must be installed after the JRE (for more information, see the Quest ESSO Installation Guide).

4.1 Window Detection
When you create a Window in the configuration editor, you have to define the window that must be detected by SSOWatch. You carry out this operation through the Detection tabbed panel.
To define the window detection, do the following:
1. Select the window that must be detected by SSOWatch, using the target button. For details, see Simple Detection.
2. If necessary, modify the detection parameters for the selected window by filling in the Parameters of the selected window area.

Upon detection of the window (step 1), the Detect by Window Class and Detect by Window Title options are selected. These options are usually sufficient for SSOWatch to detect the window. If they are not, you can use advanced detection parameters: look for additional text in the window (Look for text option) and/or add constraints on the detection process (Advanced button). For details on these detection parameters, see Restrictions.

Simple Detection
Depending on the type of window to detect, the selection area of the Detection tabbed panel is different:
- To detect the window of an application, drag and drop the target button onto the title bar of the window that you want to detect. For details, see Simple Detection of a Window or a Java Applet.
- To detect a Java applet, drag and drop the target button onto the entire login area of the Java login page. For details, see Simple Detection of a Window or a Java Applet.
- To detect a web page, drag and drop the target button onto the web page that you want to detect. For details, see Simple Detection of a Web Page.

Simple Detection of a Window or a Java Applet
To detect a window, SSOWatch first looks for its title (for a standard or Java application) or its login area (for a Java applet). It can then look for the presence of an additional text in the window. To automatically configure the necessary basic data, do one of the following:
- For standard or Java application windows, drag and drop the target button located in the top right of the Detection tabbed panel onto the title bar of the window that you want to detect. The data from the last targeted window are displayed in the configuration window, as shown in the following figure.
- For Java applets, drag and drop the target button located in the top right of the Detection tabbed panel onto the login/password area of the Java applet that you want to detect. The data from the last targeted window are displayed in the configuration window, as shown in the following figure.

The Detection tab now shows a tree structure for the targeted window, as well as its parent windows, if any. Each window is represented on two lines, differentiated by the icon on the left of the line:
ICON           DESCRIPTION
(first icon)   Real characteristics of the targeted window (real title and class).
(second icon)  Data used to detect the targeted window (detection method, modified title).
At this point, the detection parameters of the selected window are automatically configured as follows:
- Detect by window class.
- If the window has a title, Detect by Window Title (not case sensitive).
If you want to modify these configuration parameters, make selections in the bottom half of the property page. If a targeted window has parent windows, you can modify the configuration for any intermediate window.
The following table lists the four available title detection methods. None of these methods is case sensitive:

METHOD        DESCRIPTION
Is equal to   The window title must be equal to the given character string.
Starts with   The window title must start with the given character string.
Contains      The window title must contain the given character string.
Ends with     The window title must end with the given character string.
Example
Assume that the application authentication window has a title similar to "Enter the password for FirstName LastName". This title is a problem because FirstName and LastName differ from one user to another. In this case, the text must be edited and reduced to "Enter the password for", and the window detection method must be set to Starts with or Contains.

Simple Detection of a Web Page
If you use different web browsers at the same time (Internet Explorer and Firefox, for example), you must create two different windows: one for the web page displayed in Internet Explorer, and another one for the web page displayed in Firefox. If the title of the web page differs depending on the language used, you must also create as many windows as there are different titles.
To detect a web page, SSOWatch first looks for its URL. It can then look for the presence of an additional text or of a field in the web page. To automatically configure the necessary basic data, drag and drop the target button located in the top right of the Detection tabbed panel onto the web page that you want to detect. The data from the last targeted window are displayed in the configuration window, as shown in the following figure.

The Detection tab now shows the URL of the web page (Web page area). At this point, you can adjust the detection parameters of the selected web page, for example by defining a variable URL (Variable URL area) or by detecting a field in the web page (Parameter of the web page area). For details, see Advanced Detection.
The single sign-on is triggered when all the required fields are displayed, even if the web page is not entirely loaded.

Advanced Detection
The Enable Variable URL Detection option
Restriction
This option is only available upon the detection of a web page URL.
Description
Some websites are served by clusters of HTTP servers (for instance Hotmail) or use the URL to keep session data (for instance Yahoo! Mail). This leads to URLs with variable parts. To configure the detection of a web page that uses a variable URL, select Enable variable URL detection and click the Configure button.
If a variable URL detection has already been configured and you select a new URL with the Get URL button, SSOWatch checks the compatibility of the new URL with the old URL variable schema. If the schema cannot be matched, confirmation is requested before the old URL variable schema is destroyed.
The variable URL configuration window shows the selected URL in the text field. To set up the variable parts, select (with the mouse, or with the keyboard arrows and the SHIFT key) a part of the URL (1). The tool bar is updated and shows only the generic characters that match the selection. In the tool bar, select the wanted generic character (2). Generic characters are represented as follows:
- Any character (one or more). Corresponds to .+ in a regular expression.
- Alphanumeric characters (one or more): lower case letters, upper case letters and digits. Corresponds to [a-zA-Z0-9_]+ in a regular expression.
- Letters (one or more): lower or upper case. Corresponds to [a-zA-Z_]+ in a regular expression.
- Digits (one or more). Corresponds to [0-9]+ in a regular expression.
If you select a generic character, you can restore the original text with the Revert action.
A variable URL must never begin with a generic character.
Example
In the previous window, a Hotmail URL is shown. The variable parts are the 3 digits after "lc" and the 13 digits after "law". You only need to select the 3 digits and click the digits generic character in the toolbar, then select the 13 digits and click it again. The field is then displayed with both digit runs replaced by the generic character.
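To make the generic characters concrete, here is an added example (not code from the guide or from Quest) that builds the regular expression SSOWatch's variable URL would correspond to and applies the two checks the editor performs: the toolbar only offers generic characters that actually match the selected text, and a variable URL must never begin with a generic character. It also reproduces the compatibility check done when Get URL selects a new URL while a schema already exists. The Hotmail-like sample URL, the parameter names lc and law, and the helper names are constructed for the example; the guide's own URL is only shown in a figure.

```python
import re

# Generic characters as the guide defines them (name -> regular expression fragment).
GENERIC = {
    "any":   r".+",              # any character, one or more
    "alnum": r"[a-zA-Z0-9_]+",   # letters, digits and underscore
    "alpha": r"[a-zA-Z_]+",      # letters (and underscore)
    "digit": r"[0-9]+",          # digits
}

# Constructed sample: a login URL with two variable digit runs, as in the guide's example.
SAMPLE_URL = "http://login.example.com/login.srf?lc=123&law=1234567890123"


def build_variable_url(url, selections):
    """Return the regular expression for `url` in which each (start, end, kind)
    selection is replaced by the generic character `kind`.  Literal parts are
    escaped so that '.', '?' and '+' in the URL keep their literal meaning."""
    selections = sorted(selections)
    if not selections:
        return re.escape(url)
    if selections[0][0] == 0:
        raise ValueError("a variable URL must never begin with a generic character")
    pattern, pos = [], 0
    for start, end, kind in selections:
        if start < pos:
            raise ValueError("selections overlap")
        # The toolbar only shows the generic characters that match the selection.
        if not re.fullmatch(GENERIC[kind], url[start:end]):
            raise ValueError("%r is not a %s selection" % (url[start:end], kind))
        pattern.append(re.escape(url[pos:start]))
        pattern.append(GENERIC[kind])
        pos = end
    pattern.append(re.escape(url[pos:]))
    return "".join(pattern)


def schema_or_none(url, selections):
    """Same as build_variable_url, returning None where the editor would refuse."""
    try:
        return build_variable_url(url, selections)
    except ValueError:
        return None


def url_matches(schema, url):
    """Detection test: the whole URL must match the variable schema."""
    return re.fullmatch(schema, url) is not None


def compatible_with_schema(schema, new_url):
    """Check run when Get URL picks a new URL while a schema exists; a False result
    is where the editor asks before destroying the old schema."""
    return url_matches(schema, new_url)


def digits_after(url, key):
    """Helper: (start, end) of the digit run that follows `key` in `url`."""
    start = url.index(key) + len(key)
    return start, start + re.match(r"[0-9]+", url[start:]).end()


def hotmail_schema():
    """The guide's example: the digits after lc and after law become variable."""
    return build_variable_url(SAMPLE_URL, [
        digits_after(SAMPLE_URL, "lc=") + ("digit",),
        digits_after(SAMPLE_URL, "law=") + ("digit",),
    ])


if __name__ == "__main__":
    schema = hotmail_schema()
    print(schema)
    print(url_matches(schema, "http://login.example.com/login.srf?lc=456&law=9876543210987"))
```

Because the literal parts are escaped and the match is anchored to the whole URL, a page on a different host or with trailing data appended does not match, which is the property you want from a detection rule that drives credential injection: the pattern should be no wider than the variation the site actually produces.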

The Look for text option
There are cases where detection based on a window class and title is not enough to distinguish between multiple windows. For example, assume that you need a detection method that distinguishes between two authentication windows that are both standard dialog boxes (class "#32770") and have the same title (for example, "Enter password"). Such a case requires an advanced detection method that searches for a specific text in the window's fields.
To configure advanced detection, select in the window list the window that must be detected, and select Look for text. Two search methods exist:
- In the whole window: the text is searched in all the window fields.
- In Field: allows you to specify a field where the search is carried out. This field can be configured with the small target button by dragging and dropping it onto the target field. The field content is automatically pasted in the Look for text field.
The search is not case sensitive.
If the selected Windows control field identifier is 0xFFFF, the search is automatically extended to all the window control fields. This identifier is a special one, used for generic static texts; it can also appear more than once in a window.

The Advanced button
You can define a list of constraints to refine the advanced detection parameters, using the Advanced button. This button allows you to add constraints on windows that are detected by SSOWatch, to enable or disable the single sign-on, as described in the following procedure:
1. In the Detection tabbed panel, click the Advanced button. The constraint list window appears.
2. Click the Add button. The constraint definition window appears.

3. Fill in this window with the following guidelines:
   a) The fields are already filled in by default with the values of the selected target window.
   b) Use the target button only if the target window is not the wanted one.
   c) If you select only the Signature check box, the SSO will be disabled, as this parameter changes.
   d) If you select several check boxes to define the constraint, the application containing the window to detect must meet all the parameters defined by these check boxes.
4. Click OK. The constraint is added to the constraint list.
Remember that SSOWatch detects the window as soon as one of the listed constraints is verified.

Restrictions
To authenticate to an application, SSOWatch performs the user's sign-on for him or her. Therefore, SSOWatch considers that an application is valid as soon as the user himself or herself is able to enter the information requested by the application. Consequently, SSOWatch only detects windows that are:
- Visible.
- Not minimized.
- "Active" in the MS-Windows sense, that is, able to accept user input.
It follows that SSOWatch cannot perform SSO for minimized or hidden windows.
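The rules of 4.1 combine in a fixed way: the window must pass the Restrictions, then class and title, then Look for text, then the constraint list. The following added example (not code from the guide or from Quest) models that evaluation so the interactions can be tried out: the four case-insensitive title methods, the "Enter the password for FirstName LastName" case solved with Starts with, the two "#32770" dialogs with the same title told apart by Look for text, the 0xFFFF identifier that widens the search to every field, and the OR-across / AND-within semantics of constraints. The Window and DetectionRule classes, the control identifiers and the constraint attribute names (process, title) are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

STATIC_TEXT_ID = 0xFFFF  # generic static-text identifier: search extends to every field

# Title detection methods; the caller lower-cases both sides (not case sensitive).
TITLE_METHODS = {
    "is equal to": lambda title, text: title == text,
    "starts with": lambda title, text: title.startswith(text),
    "contains":    lambda title, text: text in title,
    "ends with":   lambda title, text: title.endswith(text),
}


@dataclass
class Window:
    wclass: str                      # real window class, e.g. "#32770"
    title: str                       # real window title
    fields: Dict[int, str]           # control identifier -> text of the control
    visible: bool = True
    minimized: bool = False
    active: bool = True              # can accept user input
    process: str = ""                # owning executable (assumed constraint attribute)


@dataclass
class DetectionRule:
    window_class: Optional[str] = None          # Detect by Window Class
    title: Optional[str] = None                 # Detect by Window Title
    title_method: str = "is equal to"
    look_for_text: Optional[str] = None         # Look for text option
    text_field: Optional[int] = None            # None = search in the whole window
    constraints: List[Dict[str, str]] = field(default_factory=list)  # Advanced button


def usable(win: Window) -> bool:
    """Restrictions: only windows the user could type into are considered."""
    return win.visible and not win.minimized and win.active


def class_ok(rule: DetectionRule, win: Window) -> bool:
    return rule.window_class is None or win.wclass == rule.window_class


def title_ok(rule: DetectionRule, win: Window) -> bool:
    if rule.title is None:
        return True
    return TITLE_METHODS[rule.title_method](win.title.lower(), rule.title.lower())


def text_ok(rule: DetectionRule, win: Window) -> bool:
    """Look for text: case-insensitive search in one field or in every field."""
    if rule.look_for_text is None:
        return True
    needle = rule.look_for_text.lower()
    if rule.text_field is None or rule.text_field == STATIC_TEXT_ID:
        candidates = list(win.fields.values())
    else:
        candidates = [win.fields.get(rule.text_field, "")]
    return any(needle in text.lower() for text in candidates)


def constraints_ok(rule: DetectionRule, win: Window) -> bool:
    """OR across the constraint list, AND within one constraint's check boxes."""
    if not rule.constraints:
        return True
    return any(all(getattr(win, attr) == expected for attr, expected in c.items())
               for c in rule.constraints)


def detected(rule: DetectionRule, win: Window) -> bool:
    """True when SSOWatch would trigger single sign-on on this window."""
    return (usable(win) and class_ok(rule, win) and title_ok(rule, win)
            and text_ok(rule, win) and constraints_ok(rule, win))


if __name__ == "__main__":
    rule = DetectionRule(window_class="#32770", title="Enter the password for",
                         title_method="starts with")
    print(detected(rule, Window("#32770", "Enter the password for Alice Smith", {})))
```

A practical consequence of the OR-across semantics worth checking in every configuration: one loosely written constraint (for instance, a class check alone) makes the other, tighter constraints irrelevant, so the rule injects credentials into any window of that class.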

4.2 User Interface
In this section, we introduce the tools and elements of the user interface that allow you to configure window types. The tools are:
- The target, which allows you to select a Windows control (field or button).
- The optional parameter list, which allows you to enter SSO data other than user name/password.
- The actions to be performed after the fields have been filled.

Target
You can use the target button to select a window's control field (text field, button, etc.). This target can be used in two ways:
- By performing a drag and drop onto the target control field: click the button; the mouse cursor changes to a target; drag it to the target control field and release the mouse button. Once the mouse button has been released, the field is updated with the control field information (and the intermediate windows/control fields, if they exist). The information displayed gives the control field identifier (in hexadecimal), its class and the text found when the control field was detected.
- By clicking the target button: a new window opens.

In this window, a new target icon allows you to select the desired control field (with drag and drop). The window shows the selected control field's details and the different levels of nested windows between the control field and the base window. This is useful, for example, to select control fields with the same name in windows containing multiple frames. Only the path from the base window to the target is displayed. To see all the other control fields/windows, select the Display all window details check box. You can also identify the control by its position by selecting the Identify the control by its position in the control hierarchy check box. You must re-select the windows to activate this mode.

Validation Actions
When the fields have been filled by SSOWatch, the window must be validated, with the Enter key or by clicking the OK button (for example). In most window types you have the following choices, as shown in the property page.

4.3 Generic Plug-in Actions
StandardLogin Connection
This type of window is the most frequent one. It performs the login for most applications of type Win32, Web and Java.

Window Description
This property page enables you to specify:
- The field that will receive the user identifier (or username) that allows the user to connect to the application.
- The field that will receive the password associated with the username.
- The Do not re-prompt for account selection check box, which may be used when the user has multiple accounts: on reconnection, the active account is used without prompting.
- Additional authentication parameters, if needed. For details, see Specifying Additional Fields (Optional).
- The window validation method.

Specifying Additional Fields (Optional)
Subject
This section focuses on the Additional fields customization area of the Actions tab of the StandardLogin window type. This area allows you to define more fields than just the user name/password pair of the target application's authentication window.

Before Starting
The definition of additional fields is only possible if additional parameters are defined in the Application object associated with this window. For details, see the "Parameters" Tab section.
Procedure
1. Click Customize. The parameter association window appears.

This window allows you to associate a Parameter with an authentication field of the target application:
2. Select the wanted parameter in the list. The Description field is read-only; it displays the value of the Description field filled in upon creation of the parameter at the Application level.
3. Use the target button to select the wanted authentication field in the target application.
4. Click Insert. The parameter appears in the window.
5. If necessary, repeat the operation with other parameters.
6. Click OK.

SSOWatch Behavior
In SSOWatch, the following actions are performed after the window has been detected:
- The username and password associated with the application are retrieved from the security system:
  - If required, the user is prompted to choose one of his or her accounts.
  - If the selected (or single) account has no security data in the security system, SSOWatch prompts the user for this data and saves it in the security system (collect).
- Data is sent to the window.
- Optional parameters associated with the selected account are retrieved from the security system: if a parameter value is unknown, the user is prompted for it, and it is then stored in the security system.
- Parameters are sent.
- The window is validated.
- The BadPassword and NewPassword window types are activated.

BadPassword
Detects that the login previously submitted to the application by the SSO engine has been rejected by the application. The login must therefore be collected again and resubmitted to the application. This window is triggered only if the SSO has already been played on the application.

Window Description
This property page allows you to enter:
- The validation method after the password has been updated in the security database (with a new authentication if needed).
- The cancellation method of the window if the password update fails in the security database.
- The field that will receive the user identifier (or username) if the user is prompted to re-authenticate.
- The field that will receive the user password if the user is prompted to re-authenticate in the same window.
- The optional parameters, if re-authentication is proposed in the same application window. For details, see Specifying Additional Fields (Optional).

SSOWatch Behavior
Full Version Behavior
In SSOWatch, the following actions are performed after the window has been detected:
- The user is warned that the password stored in the security system is not the right one for this application, and is prompted to enter the right password (the user can also change the identifier if he or she misspelled it in the collect window).
- If the user cancels the window or if an error occurs, the window is cancelled according to the selected method.
- If the new username/password pair is validated by the user and the security database is updated successfully:

  a) The specified username, password and optional parameters are sent to the application.
  b) The window is validated according to the specified method.
Access Collector Mode Behavior
If you configure a BadPassword window without specifying a login field or a password field, the detection of the window deletes the collected account. At the next login window detection, a new collect is performed.
If you configure a BadPassword window that sends a login or a password, a BadPassword window appears to collect the right account. If the user cancels this window, the account is deleted and the collect is restarted at the next user connection.

NewPassword
Detects that a new password is requested by the application. This window is triggered only if the SSO has already been played on the application.
In Access Collector mode, the NewPassword window type is not available.
Window Description
This property page allows you to enter:
- The field that will receive the old password (optional).
- The field that will receive the new password (optional).
- The field that will receive the new password as a confirmation (optional).
- The window validation method if the password has been successfully updated in the security database.

- The cancellation method in case of failure or if the user cancels the window.
SSOWatch Behavior
In SSOWatch, the following actions are performed after the window has been detected:
- If specified, the old password is sent (if the application can have several sessions at the same time and several accounts are used, SSOWatch asks the user to choose the relevant session).
- The user is asked for a new password, or one is generated automatically (according to the PFCP, the Password Format Control Policy, associated with the application).
- If the password is confirmed, the new password is saved in the security database. In case of failure, the window is cancelled.
- In case of success, or when no confirmation is required:
  - The new password is sent (if requested).
  - The new password is sent again (if confirmation is needed).
  - The window is validated.
  - The BadNewPassword and ConfirmPassword window types are activated.
Remark
As previously explained, the new password is saved in the security database only after it has been confirmed:
- Either in the same window (New password and Confirm password fields set),
- Or in another window (NewPassword or ConfirmPassword) if only the New password field has been set.

ConfirmPassword
Confirms a new password if this has not been done in the NewPassword window type. Default operation: a new password has been provided but not confirmed.
In Access Collector mode, the ConfirmPassword window type is not available.

Window Description
This window allows you to configure the "Confirm New Password" window management:
- The field that will receive the old password (optional).
- The field that will receive the new password as a confirmation.
- The window validation method if the password has been successfully updated in the security database.
- The cancellation method in case of failure or if the user cancels the window.
SSOWatch Behavior
In SSOWatch, the following actions are performed after the window has been detected:
- If specified, the old password is sent (optional).
- The password is updated in the security database.
- In case of failure, the window is cancelled.
- In case of success, the window is validated and the ConfirmPassword and BadNewPassword window types are disabled.

BadNewPassword
Detects that the new password submitted to the application has been rejected. This window restores the old password and asks the user to re-enter a new password. If the PFCP (Password Format Control Policy) and PGP (Password Generation Policy) are configured correctly, this window should not appear. Default operation: a new password has been submitted but not confirmed, or a new password has been confirmed.
In Access Collector mode, the BadNewPassword window type is not available.

Window Description
This window type allows you to configure the Bad New Password window type behavior by specifying the window validation method.
SSOWatch Behavior
In SSOWatch, the following actions are performed after the window has been detected:
- The old password becomes the current password again.
- The NewPassword window types are reactivated.
- The window is validated.

4.4 Special Cases
"Standard" window types do not allow you to manage all kinds of applications. Therefore, SSOWatch provides tools that allow you to manage these cases: Custom Scripts and the OLE/Automation Interface. For well-known and commonly used applications, specific window types are provided to speed up configuration and optimize SSO processing.

NotesLogin (Lotus Notes Plug-in)
The Lotus Notes plug-in has a window type that manages Lotus Notes 4.x, 5.x and 6.5 authentication windows. This plug-in is generally used for all applications that always display the login and only ask for the password to be entered.

A NotesLogin window type automatically selects the user account according to the account name displayed in the window. If the user owns:
- Only one Lotus Notes account, the account must match the requested account name; otherwise SSO is not performed.
- Several accounts, SSOWatch chooses the user account corresponding to the requested account name. If none matches the requested account name, SSO does not take place.
Lotus Notes Identifier Format
The Lotus Notes identifier (or username) may be stored in the Quest ESSO security database using any of the Lotus Notes formats (username, account name, Lotus Notes canonical name).
Window Description
This tabbed panel is pre-configured and should not be modified. However, if the SSOWatch Engine actions do not work with the preconfigured parameters, drag and drop the target buttons onto the target fields of the Lotus Notes login window and, if required, modify the preconfigured parameters.

Configuring the Field Containing the Lotus Notes Login
The first field is the one that contains the Lotus Notes username ("Enter the password of ..."). The field must be selected using the target button. In the field where the complete Lotus username is shown, ensure that all entries are deleted and that only the symbol remains.
Select the password field using the target button. Ensure that the automatic window validation field is not checked. When only one Notes account is accessed from the workstation, you may check the automatic window validation field. We recommend that this only be used in personal configuration mode.
SSOWatch Behavior
In SSOWatch, the following actions are performed after the window has been detected:
- The Lotus Notes identifier is retrieved from the field, as shown above.
- A search is conducted for the account name in all the accounts associated with the application (beginning with full names):
  - If necessary, the user has to choose between the accounts that match (or those that have no data associated with them).
  - If a single account matches (or has no data), SSOWatch prompts the user for the associated password and saves it in the security database (collect).
- The password is sent to the password field.
- The window is validated, if the automatic validation option has not been selected in the configuration.
- The BadPassword and NewPassword window types are activated.

HTTP Authentication (Internet Explorer Plug-in)
When you connect to some websites, an HTTP authentication window is displayed. Under Windows XP, this window looks as shown in the following figure.

This window can be managed using the StandardLogin window type. However, if the password entered is not correct, the same window is displayed again with the username previously entered in the User name field (the first time this window is displayed, no username is shown). This window type has been created to manage such a case (a mix of StandardLogin and BadPassword).
This window is quite different in each Microsoft operating system. If you have a heterogeneous installation, you will have to define several windows of this type in your configuration.
The Netscape 4.7 HTTP authentication window is managed by the StandardLogin window type.
Window Description
The configuration page is shown in the following figure.

As for StandardLogin, you have to set the identifier and password fields with the target button. For the identifier field, be sure to select the field within the list box and not the list box itself.
Internet Explorer allows you to save passwords. However, you may prefer to use SSOWatch, so that the credential is not also kept in the browser's own password store, outside the control of the security database: clear the Remember my password check box and select the check box with the target tool. Once the SSO data has been sent to the fields, you may validate the window.
SSOWatch Behavior
SSO actions for this window type correspond to the StandardLogin and BadPassword window types:
- The content of the Identifier field is retrieved. If it is empty, StandardLogin behavior applies and StandardLogin actions are taken:
  - The username and password are retrieved from the security system. If necessary, the user is prompted to choose between the different accounts for this application.
  - If the selected (or single) account has no data, SSOWatch asks the user for the associated password and saves it in the security database (collect).
  - Data is sent to the window.
  - The Remember my password check box is cleared.
  - The window is validated.
  - The BadPassword window type is activated.
- If the identifier is not empty, BadPassword behavior applies:
  - The user is warned that the password stored in the security system is not the one required by the application, and is prompted to enter the right password (the user can also change the identifier if he or she misspelled it in the collect window).
  - If the new username/password pair is validated by the user and the security database is updated successfully, the username, password and optional fields are provided to the application.
  - The window is validated.
  - The NewPassword window types are enabled.
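The window types of 4.3 form a small state machine: each one arms or disarms the others, and the security database is only written at well-defined points. The following added example (not code from the guide or from Quest) models that lifecycle, including the rule that a new password is committed only once confirmed, the BadNewPassword rollback to the old password, and the HTTP Authentication window type above, which picks StandardLogin or BadPassword behaviour from whether the User name field is already filled. The SsoSession class, its method names, the account values and the event log are constructed for the example; ConfirmPassword is armed only when the NewPassword window had no confirmation field, a simplification of the guide's description.

```python
class SsoSession:
    """One application account as held in the security database, plus the set of
    window types the SSO engine currently reacts to."""

    def __init__(self, username, password):
        self.username = username
        self.password = password        # value held in the security database
        self._pending = None            # new password sent but not yet confirmed
        self._previous = None           # old password, restored by BadNewPassword
        self.active = {"StandardLogin"}
        self.sent = []                  # what was typed into the application

    def standard_login(self):
        """StandardLogin: send the stored pair, validate, arm BadPassword/NewPassword."""
        self.sent.append((self.username, self.password))
        self.active.update({"BadPassword", "NewPassword"})
        return self.username, self.password

    def bad_password(self, username, password):
        """BadPassword: the stored pair was rejected; the user re-enters it, the
        security database is updated, then the new pair is resubmitted."""
        if "BadPassword" not in self.active:
            raise RuntimeError("BadPassword is triggered only after SSO was played")
        self.username, self.password = username, password
        self.sent.append((username, password))
        return username, password

    def new_password(self, new_password, confirm_in_same_window):
        """NewPassword: send the old password, then the new one (twice when the
        window has a confirmation field).  The database changes only on
        confirmation, here or later in a ConfirmPassword window."""
        if "NewPassword" not in self.active:
            raise RuntimeError("NewPassword is triggered only after SSO was played")
        self._previous, self._pending = self.password, new_password
        self.sent.append(("old", self.password))
        self.sent.append(("new", new_password))
        if confirm_in_same_window:
            self.sent.append(("confirm", new_password))
            self.password = self._pending          # confirmed: commit now
        else:
            self.active.add("ConfirmPassword")     # commit deferred to ConfirmPassword
        self.active.add("BadNewPassword")

    def confirm_password(self):
        """ConfirmPassword: commit the pending password; ConfirmPassword and
        BadNewPassword are then disabled."""
        if "ConfirmPassword" not in self.active:
            raise RuntimeError("no unconfirmed password")
        self.sent.append(("confirm", self._pending))
        self.password = self._pending
        self.active.difference_update({"ConfirmPassword", "BadNewPassword"})

    def bad_new_password(self):
        """BadNewPassword: the application rejected the new password; the old one
        becomes current again and NewPassword is re-armed."""
        if "BadNewPassword" not in self.active:
            raise RuntimeError("no new password was submitted")
        self.password, self._pending = self._previous, None
        self.active.difference_update({"BadNewPassword", "ConfirmPassword"})
        self.active.add("NewPassword")

    def http_auth_window(self, user_name_field, reentered=None):
        """HTTP Authentication window type: an empty User name field means a first
        prompt (StandardLogin behaviour); a pre-filled one means the previous
        attempt was rejected (BadPassword behaviour), so `reentered` must carry the
        (username, password) pair the user typed."""
        if user_name_field == "":
            return self.standard_login()
        if reentered is None:
            raise ValueError("login rejected: the user must re-enter the credentials")
        return self.bad_password(*reentered)


if __name__ == "__main__":
    s = SsoSession("alice", "old1")
    s.standard_login()
    s.new_password("new2", confirm_in_same_window=False)
    print(s.password, sorted(s.active))     # still old1 until confirmed
    s.confirm_password()
    print(s.password, sorted(s.active))     # new2, confirmation types disarmed
```

The point of keeping the old password until confirmation is visible in the two branches: if the application rejects the new value (BadNewPassword) the database still holds a password that works, whereas committing on send would leave the user locked out of an application whose real password never changed.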

5 The Microsoft Internet Explorer Plug-in
Before Starting
This plug-in is deprecated. To create new windows allowing SSO with Internet Explorer, Firefox or Chrome, use the Generic plug-in, as described in Section 4, "The Generic Plug-in". Use the Microsoft Internet Explorer plug-in only to modify single sign-on (SSO) configurations that already use windows defined through this plug-in. To migrate windows created with the Microsoft Internet Explorer plug-in to the Generic plug-in, create the same windows using the Generic plug-in.
Description
The Microsoft Internet Explorer plug-in manages SSO in HTML documents in Microsoft Internet Explorer 5.5 and 6.0. It works with HTML document forms. The Internet Explorer plug-in provides several window types, detailed in the following table:
WINDOW TYPE          DESCRIPTION
IELogin              HTTP, Firewall or Proxy connection windows.
HTMLLogin            Web/HTML application connection page.
HTMLBadPassword      HTML page which indicates that the password entered in the HTMLLogin window is not correct; this allows SSO data collect mode. The right username and password may be entered again this time.
HTMLNewPassword      HTML page which prompts for a new password (and generally for a confirmation).
HTMLBadNewPassword   Window type used to handle new password refusals in HTML pages.

5.1 HTML/Internet Explorer Detection
The detection of HTML pages is URL-based. Start by launching Internet Explorer.

For Windows 2003 servers, check that the Internet Explorer option Enable third-party browser extensions (Internet Options > Advanced > Browsing) is selected.

The HTML Detection property page looks like this:

To fill in the URL field, use the Get URL button. The following window appears:

The list of open HTML documents in Internet Explorer windows (and frames) is displayed. The list of HTML forms (and their associated fields) is shown for information only. The Internet Explorer button launches Internet Explorer if it is not already running (same as launching it from the Start menu).

To select a URL, select the line that shows the URL, or one of its elements. The selected URL is shown in bold. The HTML page list is updated dynamically as you open new HTML windows or navigate within Internet Explorer. The Refresh button removes windows that are no longer displayed. If only one HTML document is open, its URL is automatically pasted into the URL field (if it was previously empty).

Variable URLs
For more information, see "The Enable Variable URL Detection option".

Advanced Detection
Advanced detection in an Internet Explorer HTML page is based on a text search. The dialog box used to configure the advanced detection parameter looks like this:

You can type the text, or select it with the mouse in the HTML page and click the Capture Text button: the text is pasted into the field. There are two search methods:
- Text must be Present: detection succeeds if the text is found on the page.
- Text must be Absent: detection fails if the text is found on the page.

5.2 User Interface

This section introduces the tools and elements of the user interface used to configure HTML/Internet Explorer window types:
- The HTML form field selection tool (target icon), which associates an SSO parameter (username, password) with an HTML form field.
- The custom parameters list, which sets up additional parameters (other than username and password) to be sent to the application in order to perform SSO.
- The HTML form submission-method selection tool (same icon).

Selecting a Field in an HTML Form
The field selection window for an HTML form lists all the forms (and their fields) contained in the HTML page selected in the detection page. The fields are displayed in their order in the page, and an icon distinguishes clear-text fields from password fields. The text shown next to each field is its internal (HTML) name.

Forms are differentiated by their names. If two or more forms have the same name (or are unnamed), their position is displayed in brackets: this is the position in the page among all the forms with the same name.

If you do not want to use this field, validate by clicking the Clear button.

Custom SSO Parameters
The following window allows you to enter and configure optional parameters that will be sent to the target application. To customize an optional field:
1. Select the parameter in the list.
2. Fill in Associated Field by using the target to select the target control field.
3. Enter the customization of the additional field.
4. Validate by clicking OK.

Submitting an HTML Form
The window for setting up the HTML form submission method is the following:

This window proposes two submit methods:
- Simple submit, or submit by clicking a button/image.
- Advanced submit, by clicking a link.

Simple Submit / Button Click
To submit a form by simulating the Enter key, simply select the form. To submit the form by clicking a button, select the desired button. To check that it is actually the desired button, you can make it blink in the HTML page using the Highlight button.

Click a Link
This method submits a form by clicking a text or an image that starts a JavaScript script. Such a link is recognized by its URL, which starts with javascript:.
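The field selection window of section 5.2 lists forms in page order, marks password fields, and disambiguates forms that share a name (or have none) with a bracketed position. The following script is an added example, not SSOWatch code: the plug-in reads the live Internet Explorer DOM, whereas this parses static HTML with the Python standard library. The sample page and the login_candidate() helper (which picks the form an HTMLLogin window would be bound to) are assumptions of the example.

```python
"""Enumerates the forms and input fields of an HTML page the way the field
selection window of section 5.2 presents them.

Added example, not SSOWatch code: the plug-in reads the live Internet
Explorer DOM; this parses static HTML with html.parser. SAMPLE_PAGE is a
constructed page.
"""
from collections import Counter
from dataclasses import dataclass, field
from html.parser import HTMLParser
from typing import List, Optional

# Input types that can receive SSO data; hidden, submit, checkbox... are skipped.
FIELD_TYPES = {"text", "password", "email", "tel"}


@dataclass
class FormField:
    name: str            # internal (HTML) name shown next to the field
    is_password: bool    # true for <input type="password">


@dataclass
class Form:
    name: Optional[str]                           # HTML name attribute, None if unnamed
    fields: List[FormField] = field(default_factory=list)
    label: str = ""                               # name shown in the list, with [position] if needed


class FormLister(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Form] = []
        self._current: Optional[Form] = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = Form(a.get("name") or None)
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            kind = a.get("type", "text").lower()          # a missing type attribute means text
            if kind in FIELD_TYPES:
                self._current.fields.append(FormField(a.get("name", ""), kind == "password"))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def list_forms(html: str) -> List[Form]:
    """Forms in page order, labelled like the selection window: forms sharing a
    name (or all unnamed) get their position among their namesakes in brackets."""
    parser = FormLister()
    parser.feed(html)
    parser.close()
    total = Counter(f.name for f in parser.forms)
    seen: Counter = Counter()
    for form in parser.forms:
        seen[form.name] += 1
        base = form.name if form.name else "(unnamed)"
        form.label = f"{base} [{seen[form.name]}]" if total[form.name] > 1 else base
    return parser.forms


def login_candidate(forms: List[Form]) -> Optional[Form]:
    """The form an HTMLLogin window would bind to: the first one with a password field."""
    return next((f for f in forms if any(x.is_password for x in f.fields)), None)


# Constructed page: a search form, two forms both named "login" (for example one
# per frame of a portal page), and an unnamed newsletter form.
SAMPLE_PAGE = """
<html><body>
<form name="search" action="/s"><input name="q"><input type="submit"></form>
<form name="login" action="/auth">
  <input type="hidden" name="csrf" value="x">
  <input type="text" name="user"><input type="password" name="pwd">
</form>
<form name="login" action="/alt"><input name="acct"><input type="password" name="pin"></form>
<form action="/nl"><input type="email" name="mail"></form>
</body></html>
"""

if __name__ == "__main__":
    for f in list_forms(SAMPLE_PAGE):
        shown = ", ".join(f"{x.name}{' (password)' if x.is_password else ''}" for x in f.fields)
        print(f"{f.label}: {shown}")
```

Run stand-alone, it prints one line per form: the two "login" forms appear as "login [1]" and "login [2]", which is exactly the ambiguity the bracketed position resolves when you bind the username and password fields.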

5.3 HTML/Internet Explorer Actions

HTMLLogin (Connection)
Configuration
This property page allows you to specify:
- The field that will receive the user identifier (or username) used to connect to the application.
- The field that will receive the password corresponding to the username.
- The optional parameters, if necessary.
- The form-submit method.

Actions
In SSOWatch, the following actions are performed after the form has been detected:
- The username and password associated with the application are retrieved from the security system. If necessary, the user is prompted to choose between the accounts he or she owns. If the selected (or single) account has no security data in the security system, SSOWatch prompts the user for this data and saves it in the security system (collect).
- Data is sent to the form fields of the HTML page.
- Optional parameters associated with the selected account are retrieved from the security system: if a parameter value is unknown, it is requested from the user and then stored in the security system.

- Parameters are sent.
- The form is submitted.
- Windows of type (HTML)BadPassword or (HTML)NewPassword are activated.

HTMLBadPassword
Configuration
This property page allows you to enter:
- The validation method after the password has been updated in the security database (with a new authentication if necessary).
- The HTML field that will receive the user identifier (or username) if the user is prompted to re-authenticate.
- The HTML field that will receive the user password if the user is prompted to re-authenticate in the same page.
- The optional parameters, if re-authentication is proposed in the same window.

Actions
In SSOWatch, the following actions are performed after the HTML page has been detected:
- The user is warned that the password stored in the security system is not the right one for this application and is prompted to enter the right password (the user can also change the identifier if he or she misspelled it in the collect window).

- If the new username/password pair is validated by the user and the security database is updated successfully: if specified, the username, password and optional HTML parameters are sent to the application, and the HTML form is submitted according to the specified method.

HTMLNewPassword
Configuration
This property page allows you to enter:
- The HTML field that will receive the user identifier (or username).
- (Optional) The HTML field that will receive the old password.
- (Optional) The HTML field that will receive the new password.
- (Optional) The HTML field that will receive the new password as confirmation.
- The HTML form-submit method if the password has been successfully updated in the security database.
- The cancellation method in case of failure or if the user cancels the window.

Actions
In SSOWatch, the following actions are performed after the HTML page has been detected:
- If specified, the user identifier and the old password are sent (if the application can have several simultaneous sessions and several accounts are used, SSOWatch asks the user to choose the relevant session).

- The user is asked for a new password, or SSOWatch generates one according to the password policy (PFCP) associated with the application.
- If password confirmation is specified, the new password is saved in the security database. In case of failure, the submission is cancelled. In case of success:
  - The new password is sent (if requested).
  - The new password is sent again (if confirmation is needed).
  - The form is submitted.

HTMLBadNewPassword (New Password Refused)
Configuration
This property page allows you to define:
- The validation method after a new password has been refused.
- (Optional) The HTML field for the username, if re-authentication is proposed in the same window.
- (Optional) The HTML field for the old password.
- (Optional) The HTML field for the new password.
- (Optional) The HTML field for new-password confirmation.

Actions
In SSOWatch, the following actions are performed after this HTML page has been detected:
- The old password is reset and becomes the current password again.

- If specified, authentication is performed with the username and the old password (if the application is multi-session and several accounts are used, SSOWatch prompts the user to choose the appropriate session).
- The user is prompted for a new password, or a new password is generated based on the application's password policy (PFCP).
- If confirmation of the new password is specified, the new password is saved in the security database. If this fails, SSO is cancelled. If it succeeds, or if no confirmation is required:
  - The new password is sent (if specified).
  - The confirmation is sent (if specified).
  - The window is validated.
  - NewPassword type windows are activated.

6 The SAP R/3 Plug-in

This section gives a brief description of the SSOWatch SAP R/3 plug-in. The plug-in provides different window types for the management of single sign-on, depending on the version of the SAP R/3 clients and servers. To identify the window type corresponding to each version of the SAP R/3 components, see the Release Notes.

The SAPLogin and SAPExpired window types defined in version 3.71 of SSOWatch are still available, to ensure the continuity of deployed configurations. However, we recommend porting them to the SAPGUI Scripting and Advanced SAPGUILogin window types.

6.1 SAPLogin and SAPExpired Window Types

SAPLogin (SAP R/3 Login)
This window type manages the SAP R/3 4.5 connection, including bad password management (BadPassword). With version 4.6, only authentication is managed. To configure a window of type SAPLogin, specify the following parameters:
- The window itself is pre-selected and should normally not be modified.
- Fields: SAP Main Field is where SSO data is sent. SAP Status bar is the field where errors are displayed. Both may be selected with the target. Error text is the message displayed by SAP R/3 in case of error; it allows SSOWatch to deal with bad passwords (SAP R/3 4.5 only).
- Window parameters: Language and Client Name may be associated with parameters stored in the security database.
- Window Validation:

The authentication window should be validated with the Enter key.

SAPExpired (SAP R/3 Password Expiry)
This window type manages SAP R/3 4.5 password expiry. In Access Collector mode, the SAPExpired window type is not available. In the configuration window, fill in the SAP main field with the target button.

6.2 Basic Principles of the SAP R/3 Plug-in

Pre-requisites
- SAPGUI 6.20 Scripting must be activated on the SAP R/3 server, with the following profile parameter: sapgui/user_scripting = TRUE
- SAPGUI Scripting must be activated on the SAP R/3 client.
- The connection description in SAPLogon must not use the slow connection parameter.
- SAPGUI Scripting works only with the new SAP R/3 visual design.

6.3 Configuration Guide

Configuring an SAP R/3 Application
An application should be configured with the Enterprise SSO configuration editor. For SAP R/3 applications, use the SAP application model in Enterprise SSO Studio.

Configuring an Application for SAPGUI Scripting
If you use SAPGUI Scripting window types, the OLE/Automation option in the configuration is not required and should therefore be left disabled.

Configuring the SAPGUI Scripting Window
The Detection Tab
The detection of SAP R/3 connections is based on their connection servers or server groups.

To specify an SAP R/3 server or group of servers, use the following options:
- Name (mandatory): server name (SAP R/3 hostname) or server group name for which SSO is to be performed.
- SAP System Name: SAP R/3 name of the system in 3 characters (database ID).
- Direct server connection, System number: provide the SAP R/3 system number if the target server is running more than one instance of SAP R/3.
- Group with load-balancing, Message Server: enter the SAP R/3 message server name as configured in the SAPLogon module if several SAP R/3 groups have the same name but different message servers.

The Actions Tab
- SAP R/3 parameters: at authentication time, SSOWatch can fill the "language" and "client name" fields as defined in the SAP R/3 application model. These parameters should be declared through the Parameters tab of the application object.
- Automatic validation of the credentials: the user does not have to validate the credentials sent by Quest ESSO to start an SAP session. The Auto validate login page check box is selected by default.
- Changing the SAP R/3 user's password: by default, SSOWatch manages the authentication process and the user cannot change his or her SAP R/3 password at this stage; the password change transaction must be used once connected. To avoid the complexity of this procedure, activate this option: SSOWatch then asks the user whether the password should be changed during connection to SAP R/3 and manages the whole password change process as required.
- Automatic validation of the connection notification: SAPGUI Scripting displays a message notifying the user that a script is connecting to SAPLogon. By activating this option and declaring the notification window title (by default, saplogon), SSOWatch automatically validates the notification as required. The notification still appears for non-SSOWatch connections, and therefore for other scripts.

To define error messages, click the Errors button:

Error messages are detected by SSOWatch so that it can react when there is a password de-synchronization problem, when there is a password change, or when the new password is refused by the SAP R/3 system. In addition to the pre-configured error messages, you can declare your own:
- By content: enter a message and assign it a meaning. SSOWatch looks for the message string in the status bar or error dialog box. Detection is therefore dependent on the language of the SAP R/3 client.
- By reference: if you also specify the SAP R/3 ABAP reference of the message, SSOWatch looks for the reference of the message and not its content, which makes detection independent of the client language. In this case, the content of the message field is for information only. The list of message references can be found with transaction SE16, in table T100.

Authentication steps:
- Connection refused: the SAP R/3 system has refused the connection. The user may be locked, or the server unavailable.
- Invalid password: the user password is incorrect. A new password is requested through the SSOWatch data collection windows.
- New password refused: the user has just changed the password, but the SAP R/3 system does not accept it. A new password is requested through the SSOWatch data collection windows.

7 Terminal Type Applications

Terminal type windows manage SSO in text fields emulating a line-mode terminal. The terminal must be displayed in a text-edit control. Some emulator windows do not meet this requirement; in that case, other methods such as the OLE/Automation interface may be necessary.

This window type works slightly differently from the other window types: SSO events correspond to the display of messages, and all the SSO states are managed in the same window. Once the connection has been set up, SSO is disabled for this window.

Three window types offer the management of terminals:
- Terminal (from the Standard plug-in).
- MSTelnet (from the Microsoft applications plug-in).
- MSTelnetW2KXP (from the Microsoft applications plug-in).
SSOWatch also works with PuTTY.

The detection of these window types is the same as for standard windows. The Actions part covers all standard window types: it manages the opening of a full session (including bad and new password management) running in text mode in a single Windows control (in general an Edit field). It simulates the user's keyboard entries and tracks the state of the connection by detecting text banners.

7.1 Terminal
This window type manages terminal connections in Edit fields, notably the Windows remote access pre- and post-dialup terminals. Its configuration window is the following:

The Host Control field will contain all the text used for the connection. Using the target icon, click the terminal window; this copies the text across. The behavior with respect to text banners is defined by clicking the Banners button (described in 7.3 Banners). You can also set the timing between two searches for banners. Once SSO has been performed, or in case of failure, it is possible to click a button to close the window.

7.2 Microsoft Telnet
Two window types are available for managing the Microsoft Telnet application:

WINDOW TYPE       DESCRIPTION
MSTelnet          Not supported.
MSTelnetW2KXP     Microsoft Telnet in Windows 2000 and XP.

The configuration window is the following:

You can change the performance-tuning parameters:
- The timer between the detection of two banners.
- The timeout cancelling the SSO for the window.

7.3 Banners
The banners configuration window is the following:

This window allows you to specify SSO events (the detection of text in a new text line) and the behavior associated with each of them.

The possible behaviors are:

EVENT                  DESCRIPTION
Login                  The text indicates a username request.
Password               The text indicates a password request.
Custom Parameter       An additional parameter is requested.
Connection OK          The text indicates that the connection completed successfully. It stops the SSO.
Enter new password     The text indicates that a new password is requested.
Confirm new password   The text indicates that the same new password must be confirmed.
Bad password           The text indicates that the password in the security database is wrong.
Connection refused     The text indicates that the connection failed. It stops the SSO operation.

To add an event:
1. Enter the text to look for in the Banner field.
2. Select the associated event.
3. Click the Add button.

To edit an event:
1. Select it in the list.
2. Click the Edit button: the entry disappears from the list and its information is displayed in the bottom fields.
3. Edit the information.
4. Click the Add button. The entry is added at the bottom of the list.

To delete an event:
1. Select it in the list.
2. Click the Delete button.
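The banner table above describes a small state machine: each new terminal line is matched against the configured banner texts, the matching event decides what SSOWatch types into the Edit control, and Connection OK or Connection refused ends SSO for the window. The following Python script is an added example, not SSOWatch code: it replays a constructed telnet-style transcript through such a state machine. The prompt texts, the account data and the collect() callback that stands in for the SSOWatch data collection windows are assumptions. It also shows a pitfall of banner matching that the guide does not spell out: banners are substring matches, so a generic text such as "login:" also matches "Last login:", and the order of the banners decides which event fires.

```python
"""Banner-driven SSO for a line-mode terminal window.

Added example (not part of the SSOWatch product or guide): replays a
constructed telnet-style session through a state machine that reacts to
the banner events of section 7.3 the way the guide describes them.
Prompt texts, account data and the collect() callback are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Events exactly as named in the Banners configuration window.
LOGIN, PASSWORD, CUSTOM = "Login", "Password", "Custom Parameter"
CONNECTED, NEW_PWD, CONFIRM_PWD = "Connection OK", "Enter new password", "Confirm new password"
BAD_PWD, REFUSED = "Bad password", "Connection refused"


@dataclass
class Banner:
    text: str                    # text looked for in each new terminal line
    event: str
    param: Optional[str] = None  # parameter name for Custom Parameter banners


@dataclass
class Account:
    username: str
    password: str
    params: Dict[str, str] = field(default_factory=dict)


@dataclass
class TerminalSSO:
    banners: List[Banner]
    account: Account
    collect: Callable[[str], str]                  # prompts the user for a value
    sent: List[str] = field(default_factory=list)  # what would be typed into the Edit control
    active: bool = True                            # SSO is disabled once connected or refused
    new_password: Optional[str] = None

    def match(self, line: str) -> Optional[Banner]:
        """First configured banner found in the line wins (substring search)."""
        for banner in self.banners:
            if banner.text in line:
                return banner
        return None

    def on_line(self, line: str) -> Optional[str]:
        if not self.active:
            return None
        banner = self.match(line)
        if banner is None:
            return None
        event = banner.event
        if event == LOGIN:
            self.sent.append(self.account.username)
        elif event == PASSWORD:
            self.sent.append(self.account.password)
        elif event == CUSTOM:
            name = banner.param or "parameter"
            value = self.account.params.get(name) or self.collect(name)
            self.account.params[name] = value           # collected values are stored
            self.sent.append(value)
        elif event == BAD_PWD:
            # stored password is wrong: collect a new one; the host re-prompts for login
            self.account.password = self.collect("password")
        elif event == NEW_PWD:
            self.new_password = self.collect("new password")
            self.sent.append(self.new_password)
        elif event == CONFIRM_PWD:
            self.sent.append(self.new_password)
            self.account.password = self.new_password   # persisted only after confirmation
        elif event in (CONNECTED, REFUSED):
            self.active = False
        return event


# Specific banners first: "Last login:" would otherwise be matched by "login:".
BANNERS = [
    Banner("Last login:", CONNECTED),
    Banner("login:", LOGIN),
    Banner("Login incorrect", BAD_PWD),
    Banner("Retype new password:", CONFIRM_PWD),
    Banner("New password:", NEW_PWD),
    Banner("Password:", PASSWORD),
    Banner("Terminal type:", CUSTOM, param="termtype"),
    Banner("Connection closed", REFUSED),
]

# Constructed transcript of the host side of a session (one new text line each).
SESSION = [
    "Welcome to host01",
    "login:",
    "Password:",
    "Login incorrect",
    "login:",
    "Password:",
    "Terminal type:",
    "Your password has expired. New password:",
    "Retype new password:",
    "Last login: Mon Mar  4 09:12:01 from 10.0.0.5",
    "$ ls",                    # ignored: SSO is over for this window
]


def run_session(lines: List[str] = SESSION, answers: Optional[Dict[str, str]] = None):
    """Replays the transcript; returns the state machine and the event per line."""
    answers = answers or {"password": "s3cr3t!", "new password": "N3w-s3cr3t", "termtype": "vt100"}
    sso = TerminalSSO(BANNERS, Account("alice", "wrong-old"), collect=lambda name: answers[name])
    return sso, [sso.on_line(line) for line in lines]


if __name__ == "__main__":
    sso, events = run_session()
    for line, event in zip(SESSION, events):
        print(f"{event or '-':22} <- {line}")
    print("typed:", sso.sent)
```

The replay sends the stored (wrong) password first, collects a new one on "Login incorrect", answers the custom "Terminal type:" prompt, handles the expired-password dialogue, and stops on "Last login:"; the "$ ls" line is never examined. Moving the "login:" banner above "Last login:" in BANNERS would make the final line fire Login again and type the username into the shell, which is the kind of misconfiguration worth checking when you define banners.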

8 The HLLAPI Plug-in

Subject
This section describes how to enable single sign-on or account collect (in Access Collector mode) for applications using HLLAPI.

Intended Readers
System Integrators. Administrators.

HLLAPI Definition
The High Level Language Application Program Interface (HLLAPI) is an IBM API that allows a PC application to communicate with a mainframe computer. HLLAPI requires the PC to run 3270 emulation software and defines an interface between a PC application and that emulation software. This API is also called "screen scraping" because it works on the characters that would otherwise be displayed on a terminal screen. For convenience, the term "HLLAPI applications" in the next sections designates applications that use HLLAPI.

8.1 Configuring the HLLAPI Plug-in
If the default configuration parameters of the HLLAPI plug-in do not work with your HLLAPI application, or if you want to configure single sign-on for different types of HLLAPI applications installed on the same workstation, you must modify keys and values in the Windows Registry to fit your requirements.

Modifying the Windows Registry may damage your Windows system. It is strongly recommended to be familiar with Registry Editor before modifying keys and values.

8.1.1 Configuring the HLLAPI Plug-in for a Single Application
1. Start Registry Editor and add the HllAPI key under HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\SSOWatch.
2. Add the values detailed in HLLAPI Plug-in Registry Keys depending on your requirements. It is not mandatory to set all the listed values: if a value is not set, its default value data is used.

8.1.2 Configuring the HLLAPI Plug-in for Different Types of Applications
1. Start Registry Editor and add the HllAPI key under HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\SSOWatch.
2. Create the following value:

   Value name:   EnableMultiEmulator
   Description:  Enable/Disable the management of different types of HLLAPI applications on the same workstation.
   Type:         REG_DWORD
   Value data:   0: disabled. 1: enabled.
   Location:     HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\SSOWatch\HllAPI

3. Add as many subkeys as there are types of applications under HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\SSOWatch\HllAPI. Example: to add the Attachmate EXTRA! and Rumba terminal emulation applications, create the following subkeys:
   HKLM\SOFTWARE\Enatel\SSOWatch\HllAPI\Attachmate EXTRA!
   HKLM\SOFTWARE\Enatel\SSOWatch\HllAPI\Rumba
4. Add in each subkey the values detailed in HLLAPI Plug-in Registry Keys depending on your requirements. Example:

   [HKLM\SOFTWARE\Enatel\SSOWatch\HllAPI\Attachmate EXTRA!]
   "HllLibrary"="C:\\Program Files\\Attachmate\\E!E2K\\ehlapi32.dll"
   "HllEntryPoint"="hllapi"
   "HLLAPI-32bit"=dword:

   [HKLM\SOFTWARE\Enatel\SSOWatch\HllAPI\Rumba]
   "HllEntryPoint"="hllapi"
   "HllLibrary"="D:\\Program Files\\NetManage\\RUMBA\\System\\ehlapi32.Dll"
   "HLLAPI-32bit"=dword:
   "IgnoreWindowsHandle"=dword:
   "UseTitleInDetection"=dword:

8.1.3 HLLAPI Plug-in Registry Keys
If the EnableMultiEmulator value is set to 1 (see Configuring the HLLAPI Plug-in for Different Types of Applications), the values listed in this section that are located directly under HKLM\SOFTWARE\Enatel\SSOWatch\HllAPI are ignored.
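The rules spread over 8.1.1, 8.1.2 and the key reference (defaults when a value is absent, three values that become mandatory in every subkey once EnableMultiEmulator is 1, and root-level values that are then ignored) are easy to get wrong by hand. The following script is an added example, not SSOWatch code: it resolves what the plug-in would effectively use from a configuration written as Python dictionaries, reports missing mandatory values, and renders a .reg file for Registry Editor or reg.exe. The emulator names and DLL paths are the ones shown in the guide; the DWORD data values (which this copy of the guide does not show) and the per-value dictionary format are assumptions.

```python
"""Resolves and renders the HllAPI registry layout of section 8.1.

Added example, not SSOWatch code. It applies the rules stated in the guide
(defaults, values required per subkey when EnableMultiEmulator=1, root
values ignored in that mode) and emits .reg text. Emulator names and DLL
paths come from the guide; the DWORD data values are assumptions.
"""
from typing import Any, Dict, List

ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\SSOWatch\HllAPI"
DEFAULTS: Dict[str, Any] = {
    "HllLibrary": "PCSHLL32.dll",
    "HllEntryPoint": "hllapi",
    "HLLAPI-32bit": 1,
    "IgnoreWindowsHandle": 0,
    "UseTitleInDetection": 1,
}
# No default is allowed for these once EnableMultiEmulator is 1.
REQUIRED_PER_EMULATOR = ("HllLibrary", "HllEntryPoint", "HLLAPI-32bit")
DWORD_VALUES = {"EnableMultiEmulator", "HLLAPI-32bit", "IgnoreWindowsHandle", "UseTitleInDetection"}


def multi_mode(root_values: Dict[str, Any]) -> bool:
    return root_values.get("EnableMultiEmulator", 0) == 1


def missing_values(root_values: Dict[str, Any], emulators: Dict[str, Dict[str, Any]]) -> Dict[str, List[str]]:
    """Per subkey, the mandatory values that are absent (empty when the layout is valid)."""
    if not multi_mode(root_values):
        return {}
    problems = {}
    for name, values in emulators.items():
        missing = [k for k in REQUIRED_PER_EMULATOR if k not in values]
        if missing:
            problems[name] = missing
    return problems


def effective_settings(root_values: Dict[str, Any], emulators: Dict[str, Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """What the plug-in will use, per emulator ("<single>" when not in multi mode)."""
    problems = missing_values(root_values, emulators)
    if problems:
        raise ValueError(f"EnableMultiEmulator=1 requires values: {problems}")
    if not multi_mode(root_values):
        single = {k: v for k, v in root_values.items() if k != "EnableMultiEmulator"}
        return {"<single>": {**DEFAULTS, **single}}
    # Root-level values are deliberately not merged: the guide says they are ignored.
    return {name: {**DEFAULTS, **values} for name, values in emulators.items()}


def reg_line(name: str, value: Any) -> str:
    """One value line in .reg syntax; REG_SZ data needs its backslashes doubled."""
    if name in DWORD_VALUES:
        return f'"{name}"=dword:{int(value):08x}'
    return f'"{name}"="{str(value).replace(chr(92), chr(92) * 2)}"'


def render_reg(root_values: Dict[str, Any], emulators: Dict[str, Dict[str, Any]]) -> str:
    effective_settings(root_values, emulators)      # validate before emitting anything
    out = ["Windows Registry Editor Version 5.00", "", f"[{ROOT}]"]
    out += [reg_line(k, v) for k, v in root_values.items()]
    for name, values in emulators.items():
        out += ["", f"[{ROOT}\\{name}]"] + [reg_line(k, v) for k, v in values.items()]
    return "\n".join(out) + "\n"


# The two emulators of the guide's example (DWORD data assumed).
EXAMPLE_ROOT = {"EnableMultiEmulator": 1}
EXAMPLE_EMULATORS = {
    "Attachmate EXTRA!": {
        "HllLibrary": r"C:\Program Files\Attachmate\E!E2K\ehlapi32.dll",
        "HllEntryPoint": "hllapi",
        "HLLAPI-32bit": 1,
    },
    "Rumba": {
        "HllEntryPoint": "hllapi",
        "HllLibrary": r"D:\Program Files\NetManage\RUMBA\System\ehlapi32.Dll",
        "HLLAPI-32bit": 1,
        "IgnoreWindowsHandle": 1,
        "UseTitleInDetection": 0,
    },
}

if __name__ == "__main__":
    print(render_reg(EXAMPLE_ROOT, EXAMPLE_EMULATORS))
```

Calling effective_settings() before import is the check worth keeping: a subkey that inherits HllLibrary from the defaults works in single-application mode and silently stops working the day EnableMultiEmulator is switched to 1.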

Value name:   EnableMultiEmulator
Description:  Enable/Disable the management of different types of HLLAPI applications on the same workstation.
Type:         REG_DWORD
Value data:   0: disabled. 1: enabled.
Location:     HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\SSOWatch\HllAPI

Value name:   HllLibrary
Description:  DLL file that must be used by the HLLAPI plug-in. If EnableMultiEmulator is set to 1, this value must be set (no default value allowed).
Type:         REG_SZ
Value data:   Path name of the .dll file. Default: PCSHLL32.dll.
Location:     Single application: HKLM\SOFTWARE\Enatel\SSOWatch\HllAPI
              Multiple applications: HKLM\SOFTWARE\Enatel\SSOWatch\HllAPI\<App. Name>, where <App. Name> is the name of the HLLAPI application.

Value name:   HllEntryPoint
Description:  Name of the HLLAPI function in the DLL file. If EnableMultiEmulator is set to 1, this value must be set (no default value allowed).
Type:         REG_SZ
Value data:   Default: hllapi.
Location:     Single application: HKLM\SOFTWARE\Enatel\SSOWatch\HllAPI
              Multiple applications: HKLM\SOFTWARE\Enatel\SSOWatch\HllAPI\<App. Name>, where <App. Name> is the name of the HLLAPI application.

Value name:   HLLAPI-32bit
Description:  Specifies that the HLLAPI application is a 32-bit application. IMPORTANT: If EnableMultiEmulator is set to 1, this value must be set (no default value allowed).
Type:         REG_DWORD
Value data:   1 (default): 32-bit application. 0: 16-bit application.
Location:     Single application: HKLM\SOFTWARE\Enatel\SSOWatch\HllAPI
              Multiple applications: HKLM\SOFTWARE\Enatel\SSOWatch\HllAPI\<App. Name>, where <App. Name> is the name of the HLLAPI application.

Value name:   IgnoreWindowsHandle
Description:  Allows SSOWatch to support HLLAPI libraries that do not return the window handle properly.
Type:         REG_DWORD
Value data:   1: enabled. 0 (default): disabled.
Location:     Single application: HKLM\SOFTWARE\Enatel\SSOWatch\HllAPI
              Multiple applications: HKLM\SOFTWARE\Enatel\SSOWatch\HllAPI\<App. Name>, where <App. Name> is the name of the HLLAPI application.

Value name:   UseTitleInDetection
Description:  Allows the SSOWatch engine to detect the title of the HLLAPI application.
Type:         REG_DWORD
Value data:   1 (default): enabled (displays the Title check button in the Detection tab; for details, see The Detection Tab). 0: disabled.

Location:     Single application: HKLM\SOFTWARE\Enatel\SSOWatch\HllAPI
              Multiple applications: HKLM\SOFTWARE\Enatel\SSOWatch\HllAPI\<App. Name>, where <App. Name> is the name of the HLLAPI application.

8.2 Enabling SSO for HLLAPI Applications

Subject
To enable SSO for HLLAPI applications, you must declare the application in the SSOWatch configuration and define the window types that SSOWatch must detect, as described in the following procedure.

Before Starting
- Your emulation software must be configured to establish connections through HLLAPI.
- Check that the global configuration parameters of the HLLAPI plug-in are correctly set, as described in 8.1 Configuring the HLLAPI Plug-in.

Procedure
1. In Enterprise SSO Studio, create a new Application. The Application object appears under the Applications node.
2. Right-click the Application object and select New Window. The Window Properties window appears.
3. Fill in the General tab: in the Window Type drop-down list, select one of the following screen types:
   - HLLAPI Login: login screen of the HLLAPI application.
   - HLLAPI Bad Password: screen indicating a wrong password/username.
   - HLLAPI New Password: screen requesting a new password (this can be a specific screen or the login screen). Not available in Access Collector mode.
   - HLLAPI Standard: screen that does not need any authentication data (not available in Access Collector mode).
   - HLLAPI Confirm Password: new password confirmation screen (not available in Access Collector mode).
   - HLLAPI Bad New Password: screen indicating that the new password is not correct (not available in Access Collector mode).
4. If necessary, fill in the Options tab. If you are defining an HLLAPI New Password screen and the new password must be provided in the login screen, select Use Manual SSO State Conditions, click Configure and select "SSO has been done. Password has expired and must be changed."
5. Fill in the Detection tab, which is described in The Detection Tab.
6. Fill in the Actions tab, which is described in The Actions Tab.
7. Click OK. The Window object appears under the Application object.
8. To define other HLLAPI window types, repeat the procedure from the step that creates a new Window.

8.2.1 The Detection Tab

Subject
This section describes how to fill in the Detection tab for HLLAPI screen types. This tab defines the screen conditions that must be satisfied for SSO to be enabled.

Description
The Connection Type area specifies the communication standard used by the application. If the connection type information is not available at the HLLAPI level, SSOWatch does not take this parameter into account. If you do not know the connection type, select or clear all the check boxes.

The Strings to Detect area defines the strings that SSOWatch must detect to enable SSO. Fill it in as follows:
a) Enter a string to detect.
b) Absence of: select this check box to specify that the string must not appear in the application window.

c) Position area: fill in this area to specify the position of the string to detect in the application window. Select Check Position and define the row and column numbers of the string. Select Relative Coordinates to specify a position relative to the cursor position.
d) Click the Title check button to enter part of the title of the window to be detected, so that SSO is performed on the emulator. This button is displayed only if the UseTitleInDetection value has been set; for more information on this value, see 8.1 Configuring the HLLAPI Plug-in. Not all emulators allow the window title to be retrieved.
e) Click Add.

Example
In this Detection tab example, SSOWatch enables SSO if:
- The Account Name string is located in the application window on the same row as the cursor (relative coordinates) and 14 columns before it.
- The Password string does not appear in the application window.
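To make the Detection tab semantics concrete (a string anywhere on the screen, a string at an absolute row/column, a string at an offset from the cursor, and the Absence of negation), here is an added Python example that evaluates such rules against a captured presentation space. It is not SSOWatch code: the Rule and Screen types, the 24x80 geometry, the 1-based cursor coordinates and the constructed screens are assumptions; the rules encoded in LOGIN_RULES are the two from the guide's example above.

```python
"""Evaluates the Strings to Detect rules of an HLLAPI Detection tab against a
captured presentation space.

Added example, not SSOWatch code: screen contents, cursor position and the
Rule/Screen types are assumptions; the rule semantics follow section 8.2.1
(Absence of, Check Position, Relative Coordinates).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

COLUMNS = 80   # assumed 24x80 presentation space


@dataclass
class Rule:
    text: str
    absent: bool = False                         # "Absence of" check box
    position: Optional[Tuple[int, int]] = None   # (row, column) when Check Position is selected
    relative: bool = False                       # offsets from the cursor instead of absolute


@dataclass
class Screen:
    rows: List[str]          # one string per row, padded to COLUMNS
    cursor: Tuple[int, int]  # (row, column), 1-based like HLLAPI coordinates

    @classmethod
    def from_lines(cls, lines: List[str], cursor: Tuple[int, int]) -> "Screen":
        return cls([line.ljust(COLUMNS)[:COLUMNS] for line in lines], cursor)

    def text_at(self, row: int, col: int, length: int) -> Optional[str]:
        if not (1 <= row <= len(self.rows) and 1 <= col <= COLUMNS):
            return None                          # off-screen: cannot match
        return self.rows[row - 1][col - 1:col - 1 + length]

    def contains(self, text: str) -> bool:
        return any(text in row for row in self.rows)


def rule_matches(rule: Rule, screen: Screen) -> bool:
    if rule.position is None:
        found = screen.contains(rule.text)        # anywhere on the screen
    else:
        row, col = rule.position
        if rule.relative:                         # offsets may be negative
            row += screen.cursor[0]
            col += screen.cursor[1]
        found = screen.text_at(row, col, len(rule.text)) == rule.text
    return not found if rule.absent else found


def detect(rules: List[Rule], screen: Screen) -> bool:
    """SSO is enabled only when every configured string rule is satisfied."""
    return all(rule_matches(r, screen) for r in rules)


# The guide's example: "Account Name" on the cursor row, 14 columns before the
# cursor, and no "Password" anywhere on the screen.
LOGIN_RULES = [
    Rule("Account Name", position=(0, -14), relative=True),
    Rule("Password", absent=True),
]

# Constructed screens. On the login screen the cursor is in the input field at
# row 10, column 17, so "Account Name" must start at column 3 (17 - 14).
LOGIN_SCREEN = Screen.from_lines(
    [""] * 9 + ["  Account Name: ________", "", "  Press ENTER to sign on"], cursor=(10, 17))
PASSWORD_SCREEN = Screen.from_lines(
    [""] * 9 + ["  Account Name: alice", "  Password    : ________"], cursor=(11, 17))
WRONG_CURSOR_SCREEN = Screen.from_lines(
    [""] * 9 + ["  Account Name: ________", "", "  Command ===> _"], cursor=(12, 15))

if __name__ == "__main__":
    for label, screen in [("login", LOGIN_SCREEN), ("password", PASSWORD_SCREEN),
                          ("cursor elsewhere", WRONG_CURSOR_SCREEN)]:
        print(f"{label:17}: SSO {'enabled' if detect(LOGIN_RULES, screen) else 'not enabled'}")
```

The third screen shows why the relative rule matters: "Account Name" is still on the screen, but the cursor is in a command field, so the login rule correctly stays quiet instead of typing credentials into the wrong field.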

8.2.2 The Actions Tab

Subject
This section describes how to fill in the Actions tab for HLLAPI window types. This tab defines the authentication data that SSOWatch must send to the terminal emulator.

Description
The SSO Steps area lets you order and modify the actions that SSOWatch must perform in the terminal emulator window.

The Actions area defines the data that SSOWatch must send to the terminal emulator. Fill it in as follows:
- Send SSO parameter: select this option to send an SSO parameter, and select the wanted entry in the drop-down list.
- Send Key: select this option to send a "common" key (for example <enter>), and select the wanted key in the drop-down list.
- Send Text: select this option either to send a key that does not appear in the Send Key drop-down list, or to send any text, and fill in the activated field. Section 8.3 HLLAPI Applications Keys lists the keys that are compatible with many emulator software applications.
- Once by instance (appears only with the HLLAPI Standard window type): select this check box to specify that SSOWatch must carry out the actions listed in the SSO Steps area only once per session instance. Use this option to send further actions upon the

detection of HLLAPI screens other than the HLLAPI screen types listed in the General tab.

The Other button: if the actions listed above do not meet your requirements, you can define extended actions by clicking the Other button. The following window appears:

Fill in this window as follows:
- Sleep: select this option to suspend SSOWatch for the specified time before processing the next action in the SSO Steps area.
- Exit DLL: select this option to call a function in an external DLL. If the function is found in the DLL, the indicator turns green. When SSO is performed, the DLL is searched for in the directories listed in the %PATH% environment variable of the logged-on user; if it is not found there, it is searched for in the directory used during the configuration process. Because the user's %PATH% is consulted first, keep its directories write-protected: a DLL of the same name placed in a user-writable directory on that path would be loaded instead of the intended one. For more details on external DLLs, see Section 9.2, "Extension DLL".

8.3 HLLAPI Applications Keys
The following table lists the keys that are compatible with many emulator software applications.

MNEMONIC MEANING
Left Tab                Yes Yes
Clear                   Yes Yes
Delete                  Yes Yes
Enter                   Yes Yes
Erase EOF               Yes Yes
Help                    No Yes
Insert                  Yes Yes
Jump (SetFocus)         Yes Yes No

Cursor Left             Yes Yes
New Line                Yes Yes
Space                   Yes Yes
Print                   Yes Yes
Reset                   Yes Yes
Right Tab               Yes Yes
Cursor Up               Yes Yes
Cursor Down             Yes Yes
DBCS (Reserved)         Yes Yes
Caps Lock (No action)   Yes Yes
Cursor Right            Yes Yes
Home                    Yes Yes
PF1/F1                  Yes Yes
PF2/F2                  Yes Yes
PF3/F3                  Yes Yes
PF4/F4                  Yes Yes
PF5/F5                  Yes Yes
PF6/F6                  Yes Yes
PF7/F7                  Yes Yes
PF8/F8                  Yes Yes
PF9/F9                  Yes Yes
PF10/F10                Yes Yes
PF11/F11                Yes Yes
PF12/F12                Yes Yes
PF13                    Yes Yes
PF14                    Yes Yes
PF15                    Yes Yes
PF16                    Yes Yes
PF17                    Yes Yes
PF18                    Yes Yes
PF19                    Yes Yes Yes

PF20                    Yes Yes
PF21                    Yes Yes
PF22                    Yes Yes
PF23                    Yes Yes
PF24                    Yes Yes
End                     Yes Yes
ScrLk (No action)       Yes Yes
Num Lock (No action)    Yes Yes
Page Up                 No Yes
Page Down               No Yes
PA1                     Yes Yes
PA2                     Yes Yes
PA3                     Yes Yes No
Test                    No Yes No
Word Delete             Yes Yes No
Field Exit              Yes Yes No
Erase Input             Yes Yes No
System Request          Yes Yes No
Insert Toggle           Yes Yes No
Cursor Select           Yes Yes No
Cursor Left Fast        Yes Yes No
Attention               Yes Yes No
Device Cancel (Cancels Print Presentation Space)   Yes Yes No
Print Presentation Space   Yes Yes Yes
Cursor Up Fast          Yes Yes No
Cursor Down Fast        Yes Yes No
Cursor Right Fast       Yes Yes No
Reverse Video           Yes Yes No
Underscore              Yes No No
Reset Reverse Video     Yes No No

Red                     Yes No No
Pink                    Yes No No
Green                   Yes No No
Yellow                  Yes No No
Blue                    Yes No No
Turquoise               Yes No No
White                   Yes No No
Reset Host Colors       Yes No No
Print (Personal Computer)   Yes Yes No
Forward Word Tab        Yes Yes No
Backward Word Tab       Yes Yes No
Field                   No Yes No
Field +                 No Yes
Record Backspace        No Yes
Print Presentation Space on Host   No Yes
Dup                     Yes Yes
Field Mark              Yes Yes
Display SO/SI           Yes Yes
Generate SO/SI          No Yes
Display Attribute       No Yes
Forward Character       No Yes
Split vertical bar ( )  No Yes
VT Numeric Pad 0        No No
VT Numeric Pad 1        No No
VT Numeric Pad 2        No No
VT Numeric Pad 3        No No
VT Numeric Pad 4        No No
VT Numeric Pad 5        No No
VT Numeric Pad 6        No No
VT Numeric Pad 7        No No Yes

VT Numeric Pad 8  No No
VT Numeric Pad 9  No No
VT Numeric Pad -  No No
VT Numeric Pad ,  No No
VT Numeric Pad .  No No
VT Numeric Pad Enter  No No
VT Edit Find  No No
VT Edit Insert  No No
VT Edit Remove  No No
VT Edit Select  No No
VT Edit Previous Screen  No No
VT Edit Next Screen  No No
VT PF1  No No
VT PF2  No No
VT PF3  No No
VT PF4  No No
VT Hold Screen  No No
Control Code NUL  No No
Control Code SOH  No No
Control Code STX  No No
Control Code ETX  No No
Control Code EOT  No No
Control Code ENQ  No No
Control Code ACK  No No
Control Code BEL  No No
Control Code BS  No No
Control Code HT  No No
Control Code LF  No No
Control Code VT  No No
Control Code FF  No No
Control Code CR  No No Yes

Control Code SO  No No Yes
Control Code SI  No No Yes
Control Code DLE  No No Yes
Control Code DC1  No No Yes
Control Code DC2  No No Yes
Control Code DC3  No No Yes
Control Code DC4  No No Yes
Control Code NAK  No No Yes
Control Code SYN  No No Yes
Control Code ETB  No No Yes
Control Code CAN  No No Yes
Control Code EM  No No Yes
Control Code SUB  No No Yes
Control Code ESC  No No Yes
Control Code FS  No No Yes
Control Code GS  No No Yes
Control Code RS  No No Yes
Control Code US  No No Yes
Control Code DEL  No No Yes
VT User Defined Key 6  No No
VT User Defined Key 7  No No
VT User Defined Key 8  No No
VT User Defined Key 9  No No
VT User Defined Key 10  No No
VT User Defined Key 11  No No
VT User Defined Key 12  No No
VT User Defined Key 13  No No
VT User Defined Key 14  No No
VT User Defined Key 15  No No
VT User Defined Key 16  No No
VT User Defined Key 17  No No Yes

VT User Defined Key 18  No No Yes
VT User Defined Key 19  No No Yes
VT User Defined Key 20  No No Yes
VT Backtab  No No Yes
VT Clear Page  No No Yes
VT Edit  No No Yes Yes
Alternate Cursor (The Presentation Manager Interface only)  Yes Yes
Backspace  Yes Yes Yes

9 Advanced Configuration

The window types provided with SSOWatch allow you to enable SSO or account collection (in Access Collector mode) in a wide range of applications. But some applications cannot be managed with these standard types. In this case, SSOWatch proposes two solutions:

- Custom Scripts, which allow you to define precisely the actions to be performed in a window or in an HTML page; it is even possible to call a function from an external DLL.
- The OLE/Automation interface, which offers you the benefit of the SSOWatch security data access management: with this approach, it is possible to entirely redefine the detection methods and actions while keeping the same account management, collection and secure-storage mechanisms.

9.1 Custom Scripts Plug-ins

The Custom Script and Custom Script HTML plug-ins open SSOWatch to some applications that are managed neither by the standard nor by the dedicated plug-ins. They offer a "scripting logic" while keeping the same simple and user-friendly configuration interface offered by Enterprise SSO Studio. In addition, it is possible to call a function from an external DLL.

The Custom Script HTML plug-in is deprecated. Use only the Custom Script plug-in to create new scripts. You may use the Custom Script HTML plug-in only to modify windows defined through this plug-in. To migrate windows created with the Custom Script HTML plug-in, create the same windows using the Custom Script plug-in.

They use the same detection mechanisms already used for this kind of window in the Standard plug-in. The detection property page is the same. However, you can select the combo box by passing the cursor over the text area or by clicking the button displaying all the different choices. The difference is in the Actions tabbed page of the Windows Properties window, which allows you to create a logically ordered list of specific actions.

The main behavior of the window (Login, Bad Password, New Password or New Password Confirmation window) is automatically deduced from the configured actions, except for Bad Password, which must be specified manually.

9.1.1 Basic Concepts

Scripting Logic

Actions are executed one after the other. Their execution is based on a True or False state, which is transmitted to each action and sometimes modified by some of them. An action is executed only if its execution condition corresponds to the current state, or if no condition is specified for this action (No condition). The initial state of an action is True.

The following table summarizes the behavior by indicating whether an action is performed, given its execution condition and the current state ("performed" means that the action is executed):

CONDITION  STATE = TRUE  STATE = FALSE
None       performed     performed
True       performed     not performed
False      not performed performed

This logic allows you to manage simple actions of the If Then Else type.

Data "Buffer"

All the actions include a context that contains the following data:
- The current state: this can be modified by any action, thus affecting the execution of the next actions.
- The handle of the currently processed window.
- A memory buffer allowing data to be passed between actions.
- The identifier of the connected application user.
- The associated password.
- The value of the last recovered SSO parameter (other than the identifier and the password).
- The account associated with the application in the security database.
- A pointer to custom user data.

The context data is maintained in a data buffer that is initialized before each script execution in the following way:
- The current state is set to True.
- The window handle is initialized with the handle of the currently processed window.
- The memory buffer is empty.

- The identifier, password, and service name are initialized with the current values. If the window has the value "Bad password", the user is requested to provide the correct password during this step.
- The pointer to custom user data is set to NULL.

9.1.2 The Actions Tab

By default, the Actions tabbed page is empty. The following figure shows an example of a filled-in Actions tabbed page. The list of actions to be performed is displayed in a read-only state, and a check box allows you to specify whether or not this window manages bad passwords. To build or edit a script, you must use the Script Editor.

9.1.3 Script Editor

The Script Editor window is made up of four parts:
- A toolbar.
- An actions list.
- A dynamic panel allowing you to edit the parameters of the selected action.
- The OK and Cancel buttons.

The actions list has three columns:
- The actions.
- The execution condition (or state).
- The action parameters.

Script Editor Toolbar

The toolbar allows you to create new actions, modify their execution conditions, and move actions.

ICON  DESCRIPTION
Create a new action placed after the first selected action
Delete one or several actions
Move up one or several actions
Move down one or several actions
Modify the execution condition to Always execute

Modify the execution condition to Execute if True
Modify the execution condition to Execute if False

Script Editor Actions

The action creation icon in the toolbar displays a menu with a list of all the available actions. The table below summarizes the available actions, showing the correspondence between the two types of plug-ins (Custom Script and Custom Script HTML).

CUSTOM SCRIPT           CUSTOM SCRIPT HTML
Send Key/String         Send String to Form Field
Send SSO parameter      Send SSO Parameter to a field
Send Command Message    Not Available.
Send a JavaScript       Send a JavaScript
Get Control Text        Get Field Text
Get SSO parameter       Get SSO parameter
Click Button            Send an HTML event
Select Item in list     Select Item in an HTML List
Call External Function  Call External Function
Sleep                   Sleep
Compare                 Compare
Return                  Return
Special Event           Special Event
Create a Label          Create a Label
Jump to Label (Goto)    Jump to Label (Goto)
Display a message box   Display a message box

Input box               Input box
Check certificate       Check certificate

The rest of this subsection describes the different actions; each action description is introduced by a table summarizing its main characteristics:
- The action's name and its icon.
- Properties associated with the action.
- Information as to whether or not the action modifies the buffer and/or the state.

[ICON]  ACTION NAME
Modify state  Modify buffer
Description

Send Key/String (Custom Script only)
Modify state  Modify buffer

This action allows you to send characters (keyboard keys or strings) to a target window (the window being the primary, active window) or to a target control field/button in a window.

In the Target area, it is strongly recommended to select Send to the Control (use the target icon button to select the control field). If this is not possible, that is, if the window has no control fields or buttons, it is better to select Send to the Window than Focused Window. Then, if necessary, modify the sending method (it is recommended to use the Automatic method; if it does not work, try another method depending on your application).

In the Send Key/String area, define the characters you want to send to the target window:
- Select Key to send keyboard keys, such as Enter, Tab, SHIFT+Tab, Space or Escape. To send an additional key, select None, Shift, Alt, or Control from the Additional key drop-down list.
- Select String and fill in the field to send a specific string.
- Select Buffer to send the memory buffer content.

Send String to Form Field (Custom Script HTML only)
Modify state  Modify buffer

This action allows you to send strings to a target form field in an HTML page.

In the Target area, use the HTML target button to fill in the field (the HTML page containing the target form field must be displayed).

In the Send Key/String area, define the string you want to send to the target HTML form field:
- Select Buffer content to send the memory buffer content.
- Select String and fill in the field to send a specific string.

Send SSO Parameter (Custom Script only)
Modify state  Modify buffer

This action allows you to send an SSO parameter of a user account to a target window (the window being the primary, active window) or to a target control field/button in a window.

For details on the Target area, see the Send Key/String action above.

In the Parameter to Send area, define the SSO parameter you want to send:
- Identifier: the user identifier for the current application.
- Password: the password associated with the user identifier.
- New Password: a new password. In this case, the window is considered to be a NewPassword window type.
- Confirm Password: the confirmation of the new password. In this case, the window is considered to be a ConfirmPassword window type.
- Custom Parameter: to activate this option, you must define a parameter at the Application level (for details, see Section , ""Parameters" Tab").
- Do not prompt for user account: you can select this option if the user has several accounts.

The transmitted SSO parameter is copied to the memory buffer.

Send Command Message (Custom Script only)
Modify state  Modify buffer

Read carefully the instructions written in the Send command message area.

Send a JavaScript
Modify state

This action enables you to send a JavaScript if the address bar is displayed in Internet Explorer, Firefox or Chrome.

Send an HTML event (Custom Script HTML only)
Modify state

Sends an event (navigation, button click, item to be checked or execution of a JavaScript) to the active HTML browser. This action is particularly useful if you want to execute JavaScript code.

Get Control Text (Custom Script only)
Modify state  Modify buffer

This action reads the text contained in a targeted control field. The recovered text is also copied to the memory buffer.

Get SSO Parameter (Custom Script and Custom Script HTML)
Modify state  Modify buffer

This action retrieves the value of an SSO parameter of a user account (identifier, password, ...) and copies it to the memory buffer. For a description of the options, see the Send SSO Parameter action above.

Click Button (Custom Script only)
Modify state  Modify buffer

This action allows you to simulate a mouse click on:
- A targeted button or a targeted check box;
- Any specific field in the window.

Select the Perform double click check box if you want to enable a double click to select the value of a field.

If you have targeted a check box, do not forget to select Change the button state and click either Check or Uncheck depending on your needs.

Select Item in List (Custom Script) or Select Item in an HTML List (Custom Script HTML)
Modify state  Modify buffer

Depending on the selected Selection Mode (By Item Number, By Parameter or By Item Label), the interface of this window is slightly different.

This action allows you to select an element from a list. The list must be targeted with the target icon. The supported list types are:
- ListBox.
- ComboBox.
- ComboBoxEx32.

The selection can be performed by:
- Item Number: the number (position) of the element to select, 0 being the first.
- Parameter: the parameter is defined at the Application level (for details, see Section , ""Parameters" Tab").
- Item Label: a text string to look for in the list.

Call External Function (Custom Script and Custom Script HTML)
Modify state  Modify buffer

This action allows you to call a function in an external DLL. Click the Search button to choose the DLL. Enter the function name in the Function field. If the function is found in the DLL, the indicator turns green. Otherwise, it remains red.

When SSO is implemented, the DLL is first looked for in the PATH associated with the connected user's environment. If it is not found, it is looked for in the same directory as the one used during the configuration process.

For more details on how to write external procedures, see Section 9.2, "Extension DLL".

Sleep (Custom Script and Custom Script HTML)
Modify state  Modify buffer

This action suspends SSOWatch for the specified time (in milliseconds). Two buttons (500 ms and 1000 ms) allow you to quickly configure the most common wait times.

Compare (Custom Script and Custom Script HTML)
Modify state  Modify buffer

This action compares the memory buffer contents with a given character string. The comparison is case sensitive. The state is then modified depending on the result of this comparison: True if the string is found, False otherwise.

Check certificate (Custom Script and Custom Script HTML)
Modify state  Modify buffer

This action enables you to check the SSL certificate of a web server before performing the SSO. The check is done by comparing the web server certificate with a local certificate. You must provide the following information:
- The web server from which to download the certificate.
- The location of the local certificate.

Return (Custom Script and Custom Script HTML)
Modify state  Modify buffer

You must use Return actions to stop the script. It returns one of the following statuses:
- OK: no problem.
- SSO Done: the identifier and/or password or parameters have been successfully sent to the application. This stop code should be used in all the custom scripts that use the Send SSO Parameter function (identifier, password).
- Disable the Window: SSOWatch ignores the window.
- Disable the Application: SSOWatch ignores the application.

Special Event (Custom Script and Custom Script HTML)
Modify state  Modify buffer

This action allows you to trigger one of the events listed in the Special Event area. The Resynchronize user password event allows you to display the SSOWatch Change Password window, which also allows you to change the user's login.

Create a Label (Custom Script and Custom Script HTML)
Modify state  Modify buffer

This action allows you to create a label in the custom script, to manage conditional operations. You must use this action if you want to use the Jump to Label (Goto) action.

Jump to Label (Goto) (Custom Script and Custom Script HTML)
Modify state  Modify buffer

This action is only available if you have already defined a Create a Label action. It allows you to define a jump in your custom script. It is strongly recommended to use this action in association with a condition (True/False), to avoid infinite loops.

Display a message box (Custom Script and Custom Script HTML)
Modify state  Modify buffer

This action allows you to display a message box in order to ask the user a question. Use the available options to define the content of your message box. If the user can click No or Cancel, the state is set to False.

Click the Buffer content radio button to enable the user to see the content of the buffer. This feature enables the user to see his login and password. You can use this action to check whether a window is detected, or to check that the return code of an external function is OK, in order to adjust a Custom Script.
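The following is an added example and not code from SSOWatch or from this guide: a small C executor for the state logic of 9.1.1, using the Compare, Create a Label, Jump to Label (Goto) and Return actions described above. Get Control Text is stood in for by an action that stores constructed window text in the buffer. The action encoding, the function names and the numeric values given to the Return statuses are assumptions of this example. It shows how the execution condition of each action is matched against the state, how Compare turns window text into an If Then Else branch, and why a Goto without a condition needs a bound.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Execution condition of an action: No condition, Execute if True,
 * Execute if False (assumed encoding). */
typedef enum { COND_NONE, COND_TRUE, COND_FALSE } Condition;

/* Only the actions that drive the state logic are modelled here. */
typedef enum { ACT_SET_BUFFER, ACT_COMPARE, ACT_LABEL, ACT_GOTO, ACT_RETURN } ActionKind;

/* Statuses of the Return action; the numbering is this example's own. */
typedef enum { RET_NONE = -1, RET_OK, RET_SSO_DONE, RET_DISABLE_WINDOW, RET_DISABLE_APP } ReturnCode;

typedef struct {
    ActionKind kind;
    Condition cond;
    const char *arg;  /* text to store, string to compare, or label name */
    ReturnCode ret;   /* status returned by ACT_RETURN */
} Action;

/* The rule from the table in 9.1.1: run if the action has no condition,
 * or if its condition equals the current state. */
bool should_run(Condition cond, bool state) {
    if (cond == COND_NONE) return true;
    return (cond == COND_TRUE) == state;
}

static int find_label(const Action *s, int n, const char *name) {
    for (int i = 0; i < n; i++)
        if (s[i].kind == ACT_LABEL && strcmp(s[i].arg, name) == 0) return i;
    return -1;
}

/* Runs a script with the state initialised to True and an empty buffer.
 * max_steps bounds the number of executed actions so that a Jump to Label
 * without a condition cannot loop forever; RET_NONE means the script ended
 * without a Return action or exhausted that bound. */
ReturnCode run_script(const Action *s, int n, int max_steps) {
    char buffer[256] = "";
    bool state = true;
    int pc = 0, steps = 0;
    while (pc < n) {
        const Action *a = &s[pc];
        if (!should_run(a->cond, state)) { pc++; continue; }
        if (++steps > max_steps) return RET_NONE;
        switch (a->kind) {
        case ACT_SET_BUFFER:   /* stands in for Get Control Text */
            snprintf(buffer, sizeof buffer, "%s", a->arg);
            break;
        case ACT_COMPARE:      /* case sensitive: True if the string is found */
            state = strstr(buffer, a->arg) != NULL;
            break;
        case ACT_LABEL:
            break;
        case ACT_GOTO: {
            int target = find_label(s, n, a->arg);
            if (target < 0) return RET_NONE;
            pc = target;
            continue;
        }
        case ACT_RETURN:
            return a->ret;
        }
        pc++;
    }
    return RET_NONE;
}

/* A login-window script: read the window text, compare it with a failure
 * message, then branch on the resulting state (If Then Else). The window
 * text is constructed sample input. */
ReturnCode login_script(const char *window_text) {
    Action script[] = {
        { ACT_SET_BUFFER, COND_NONE,  window_text,    RET_NONE },
        { ACT_COMPARE,    COND_NONE,  "Login failed", RET_NONE },
        /* If True: the previous attempt failed; stop with OK so the
           credentials are not reported as sent. */
        { ACT_RETURN,     COND_TRUE,  NULL,           RET_OK },
        /* If False: the fields are ready; a real script would send the
           identifier and password here, then report SSO Done. */
        { ACT_RETURN,     COND_FALSE, NULL,           RET_SSO_DONE },
    };
    return run_script(script, 4, 100);
}

/* A Goto with no condition loops forever; only the step bound stops it. */
ReturnCode runaway_script(void) {
    Action script[] = {
        { ACT_LABEL,  COND_NONE, "again", RET_NONE },
        { ACT_GOTO,   COND_NONE, "again", RET_NONE },
        { ACT_RETURN, COND_NONE, NULL,    RET_OK },
    };
    return run_script(script, 3, 100);
}
```

The executor evaluates the condition before counting a step, so skipped actions cost nothing, and the Goto re-enters the loop without advancing pc, which is exactly the case the guide warns about: the second script never reaches its Return action and is cut off by the bound instead.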

Input box (Custom Script and Custom Script HTML)
Modify state  Modify buffer

This action allows you to define an input box. Select Allow value selection from list or combobox if you prefer to display a list of items the user can select rather than a standard input field where he can enter any text.

9.2 Extension DLL

The DLL enables you to integrate an application with the SSO where the other methods have failed. This means creating a specific SSO agent for a specific application, which requires programming skills.

An SSOWatch extension library sample can be found in the SSOWatch package (CustomDllSample).

To be included in an Enterprise SSO script, an external function must respect the following rules:
- It must publish a C interface.
- It must accept a single parameter that is a pointer to an SSOWatchSSOData data structure.
- It must return a specific return code.
- It must be able to read and modify the memory buffer.
- It must be able to read and modify the current state.
- It must not modify the other fields, which are read only in the SSOWatchSSOData structure.

All these elements are defined in the C/C++ header files SSOWatchSSOData.h and SSOWatchWindows.h.

Function Prototyping

An external function must use the prototype:

extern "C" DWORD (*)(SSOWatchSSOData *)

SSOWatchSSOData Structure

The following structure defines the SSOWatchSSOData structure provided as a parameter to the external function. This structure contains the data that is carried from one action to another:

struct SSOWatchSSOData {
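The following is an added example; it is neither the CustomDllSample shipped with SSOWatch nor the contents of SSOWatchSSOData.h. Because the real structure definition is not reproduced on this page, the struct below is a stand-in modelled on the context data listed in 9.1.1, and its field names and types, the return-code values and the function names are all assumptions of this example. It shows two functions written against the rules above: one reads the buffer and writes only the state, the other writes only the buffer, with a bounded write and without ever copying the password into the buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
/* Minimal Windows typedefs so the example also compiles elsewhere. */
typedef unsigned long DWORD;
typedef int BOOL;
typedef void *HWND;
#endif

/* STAND-IN for the structure declared in SSOWatchSSOData.h (not reproduced
 * in the guide). The field list follows the context data of 9.1.1; names
 * and types are this example's assumption, not the product's header. */
typedef struct SSOWatchSSOData {
    BOOL        state;         /* current state, may be modified */
    HWND        hwnd;          /* handle of the processed window (read only) */
    char        buffer[256];   /* memory buffer, may be modified */
    const char *identifier;    /* application user identifier (read only) */
    const char *password;      /* associated password (read only) */
    const char *lastParameter; /* last recovered SSO parameter (read only) */
    const char *account;       /* account in the security database (read only) */
    void       *userData;      /* pointer to custom user data */
} SSOWatchSSOData;

/* Placeholder return codes: the values the product expects come from its
 * header, which is not on this page. */
#define EXT_OK    0
#define EXT_ERROR 1

#ifdef __cplusplus
extern "C" {
#endif

/* Sets the state to True only if the text previously read into the buffer
 * (for example by Get Control Text from a "logged in as" label) contains
 * the identifier of the account about to be used, so that a script can
 * branch on it before sending any credential. Only the state is written. */
DWORD SSOCheckSessionUser(SSOWatchSSOData *d)
{
    if (d == NULL || d->identifier == NULL || d->identifier[0] == '\0')
        return EXT_ERROR;
    d->state = strstr(d->buffer, d->identifier) != NULL;
    return EXT_OK;
}

/* Writes "<domain>\<identifier>" into the buffer so that a following
 * Send Key/String action with Buffer selected can type it; the domain is
 * taken from the last custom SSO parameter. The write is bounded and the
 * password is never copied. Only the buffer is written. */
DWORD SSOBuildDomainLogin(SSOWatchSSOData *d)
{
    if (d == NULL || d->identifier == NULL || d->lastParameter == NULL)
        return EXT_ERROR;
    int n = snprintf(d->buffer, sizeof d->buffer, "%s\\%s",
                     d->lastParameter, d->identifier);
    if (n < 0 || (size_t)n >= sizeof d->buffer) {
        d->buffer[0] = '\0';   /* would have been truncated: refuse */
        return EXT_ERROR;
    }
    return EXT_OK;
}

#ifdef __cplusplus
}
#endif

/* Constructed sample contexts for trying the two functions. */
int demo_check_user(const char *window_text, const char *identifier)
{
    SSOWatchSSOData d;
    memset(&d, 0, sizeof d);
    d.identifier = identifier;
    snprintf(d.buffer, sizeof d.buffer, "%s", window_text);
    if (SSOCheckSessionUser(&d) != EXT_OK) return -1;
    return d.state ? 1 : 0;
}

int demo_build_login(void)
{
    SSOWatchSSOData d;
    memset(&d, 0, sizeof d);
    d.identifier = "alice";
    d.lastParameter = "CORP";
    d.password = "never-copied";
    if (SSOBuildDomainLogin(&d) != EXT_OK) return 0;
    return strcmp(d.buffer, "CORP\\alice") == 0;
}

int demo_build_login_too_long(void)
{
    static char long_id[300];
    memset(long_id, 'a', sizeof long_id - 1);
    long_id[sizeof long_id - 1] = '\0';
    SSOWatchSSOData d;
    memset(&d, 0, sizeof d);
    d.identifier = long_id;
    d.lastParameter = "CORP";
    return SSOBuildDomainLogin(&d) == EXT_ERROR && d.buffer[0] == '\0';
}
```

When building the real DLL against the product's header, the functions must also be exported (for instance through a .def file or __declspec(dllexport)); otherwise the Call External Function action does not find them and its indicator stays red.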


Foglight for Oracle. Managing Oracle Database Systems Getting Started Guide

Foglight for Oracle. Managing Oracle Database Systems Getting Started Guide Foglight for Oracle Managing Oracle Database Systems Getting Started Guide 2014 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software

More information

2.0. Quick Start Guide

2.0. Quick Start Guide 2.0 Quick Start Guide Copyright Quest Software, Inc. 2007. All rights reserved. This guide contains proprietary information, which is protected by copyright. The software described in this guide is furnished

More information

Foglight. Dashboard Support Guide

Foglight. Dashboard Support Guide Foglight Dashboard Support Guide 2013 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under

More information

Foglight. Managing Hyper-V Systems User and Reference Guide

Foglight. Managing Hyper-V Systems User and Reference Guide Foglight Managing Hyper-V Systems User and Reference Guide 2014 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this

More information

Dell One Identity Cloud Access Manager 8.0.1 - How to Configure Microsoft Office 365

Dell One Identity Cloud Access Manager 8.0.1 - How to Configure Microsoft Office 365 Dell One Identity Cloud Access Manager 8.0.1 - How to Configure Microsoft Office 365 May 2015 This guide describes how to configure Microsoft Office 365 for use with Dell One Identity Cloud Access Manager

More information

Spotlight Management Pack for SCOM

Spotlight Management Pack for SCOM Spotlight Management Pack for SCOM User Guide January 2015 The is used to display data from alarms raised by Spotlight on SQL Server Enterprise in SCOM (System Center Operations Manager). About System

More information

Foglight 5.5.5. Managing Microsoft Active Directory Installation Guide

Foglight 5.5.5. Managing Microsoft Active Directory Installation Guide Foglight 5.5.5 Managing Microsoft Active Directory 2010 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

Secure and Efficient Log Management with Quest OnDemand

Secure and Efficient Log Management with Quest OnDemand Secure and Efficient Log Management with Quest OnDemand TECHNICAL BRIEF 2011 Quest Software, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. No part of

More information

7.5 7.5. Spotlight on Messaging. Evaluator s Guide

7.5 7.5. Spotlight on Messaging. Evaluator s Guide 7.5 Spotlight on Messaging 7.5 Evaluator s Guide 2010 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

Symantec Enterprise Vault

Symantec Enterprise Vault Symantec Enterprise Vault Guide for Microsoft Outlook 2003/2007 Users 9.0 Symantec Enterprise Vault: Guide for Microsoft Outlook 2003/2007 Users The software described in this book is furnished under a

More information

Symantec Enterprise Vault

Symantec Enterprise Vault Symantec Enterprise Vault Guide for Microsoft Outlook 2003/2007 Users 10.0 Full Outlook Add-In Symantec Enterprise Vault: Guide for Microsoft Outlook 2003/2007 Users The software described in this book

More information

Quest Privilege Manager Console 1.1.1. Installation and Configuration Guide

Quest Privilege Manager Console 1.1.1. Installation and Configuration Guide Quest Privilege Manager Console 1.1.1 Installation and Configuration Guide 2008 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software

More information

Foglight 1.0.0.0. Cartridge for Active Directory Installation Guide

Foglight 1.0.0.0. Cartridge for Active Directory Installation Guide Foglight 1.0.0.0 Cartridge for Active Directory Installation Guide 2010 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information

Dell Client Profile Updating Utility 5.5.6

Dell Client Profile Updating Utility 5.5.6 Complete Product Name with Trademarks Version Dell 5.5.6 April 21, 2015 These release notes provide information about the Dell release. Welcome to What's New Known issues Upgrade and Compatibility System

More information

Dell Enterprise Reporter 2.5. Configuration Manager User Guide

Dell Enterprise Reporter 2.5. Configuration Manager User Guide Dell Enterprise Reporter 2.5 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license

More information

About Recovery Manager for Active

About Recovery Manager for Active Dell Recovery Manager for Active Directory 8.6.1 May 30, 2014 These release notes provide information about the Dell Recovery Manager for Active Directory release. About Resolved issues Known issues System

More information

Eight Best Practices for Identity and Access Management

Eight Best Practices for Identity and Access Management Eight Best Practices for Identity and Access Management BUSINESS BRIEF 2011 Quest Software, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. No part of this

More information

Symantec Enterprise Vault

Symantec Enterprise Vault Symantec Enterprise Vault Guide for Microsoft Outlook 2010 Users 9.0 Symantec Enterprise Vault: Guide for Microsoft Outlook 2010 Users The software described in this book is furnished under a license agreement

More information

2009 Quest Software, Inc. ALL RIGHTS RESERVED. Trademarks. Disclaimer

2009 Quest Software, Inc. ALL RIGHTS RESERVED. Trademarks. Disclaimer 6.5 User Guide 2009 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license

More information

ChangeAuditor 6.0 For Windows File Servers. Event Reference Guide

ChangeAuditor 6.0 For Windows File Servers. Event Reference Guide ChangeAuditor 6.0 For Windows File Servers Event Reference Guide 2013 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information

ScriptLogic Desktop Authority Password Self-Service version 4.6 Quick Start Guide

ScriptLogic Desktop Authority Password Self-Service version 4.6 Quick Start Guide ScriptLogic Desktop Authority Password Self-Service version 4.6 Quick Start Guide Password Self-Service 4 ii 2010 Quest Software, Inc. ALL RIGHTS RESERVED. Licensed to ScriptLogic Corporation This guide

More information

Symantec Enterprise Vault

Symantec Enterprise Vault Symantec Enterprise Vault Guide for Microsoft Outlook 2010/2013 Users 10.0 Full Outlook Add-In Symantec Enterprise Vault: Guide for Microsoft Outlook 2010/2013 Users The software described in this book

More information

ChangeAuditor 5.6. For Windows File Servers Event Reference Guide

ChangeAuditor 5.6. For Windows File Servers Event Reference Guide ChangeAuditor 5.6 For Windows File Servers Event Reference Guide 2011 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information

Symantec Enterprise Vault

Symantec Enterprise Vault Symantec Enterprise Vault Guide for Microsoft Outlook 2010/2013 Users 10.0 Full Outlook Add-In Symantec Enterprise Vault: Guide for Microsoft Outlook 2010/2013 Users The software described in this book

More information

ScriptLogic Desktop Authority Password Self-Service version 4.7 Administrator Guide

ScriptLogic Desktop Authority Password Self-Service version 4.7 Administrator Guide ScriptLogic Desktop Authority Password Self-Service version 4.7 Administrator Guide Password Self-Service 4.7 Administrator Guide ii 2010 Quest Software, Inc. ALL RIGHTS RESERVED. Licensed to ScriptLogic

More information

Symantec Enterprise Vault

Symantec Enterprise Vault Symantec Enterprise Vault Guide for Microsoft Outlook 2010/2013 Users 10.0 Light Outlook Add-In Symantec Enterprise Vault: Guide for Microsoft Outlook 2010/2013 Users The software described in this book

More information

Dell One Identity Cloud Access Manager 8.0 - How to Configure vworkspace Integration

Dell One Identity Cloud Access Manager 8.0 - How to Configure vworkspace Integration Dell One Identity Cloud Access Manager 8.0 - How to Configure vworkspace Integration February 2015 This guide describes how to configure Dell One Identity Cloud Access Manager to communicate with a Dell

More information

Quest Migration Manager 3.2

Quest Migration Manager 3.2 Quest Migration Manager 3.2 for SharePoint User Guide 2011 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information, which is protected by copyright. The software described

More information

formerly Help Desk Authority 9.1.2 Quest Free Network Tools User Manual

formerly Help Desk Authority 9.1.2 Quest Free Network Tools User Manual formerly Help Desk Authority 9.1.2 Quest Free Network Tools User Manual 2 Contacting Quest Software Email: Mail: Web site: info@quest.com Quest Software, Inc. World Headquarters 5 Polaris Way Aliso Viejo,

More information

formerly Help Desk Authority 9.1.2 Quick Start Guide

formerly Help Desk Authority 9.1.2 Quick Start Guide formerly Help Desk Authority 9.1.2 Quick Start Guide 2 Contacting Quest Software Email: Mail: Web site: info@quest.com Quest Software, Inc. World Headquarters 5 Polaris Way Aliso Viejo, CA 92656 USA www.quest.com

More information

Dell One Identity Cloud Access Manager 8.0.1- How to Configure for High Availability

Dell One Identity Cloud Access Manager 8.0.1- How to Configure for High Availability Dell One Identity Cloud Access Manager 8.0.1- How to Configure for High Availability May 2015 Cloning the database Cloning the STS host Cloning the proxy host This guide describes how to extend a typical

More information

6.7. Replication: Best Practices and Troubleshooting

6.7. Replication: Best Practices and Troubleshooting 6.7 Replication: Best Practices and Troubleshooting 2010 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

ActiveRoles 6.9. Replication: Best Practices and Troubleshooting

ActiveRoles 6.9. Replication: Best Practices and Troubleshooting ActiveRoles 6.9 Replication: Best Practices and Troubleshooting 2013 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information

How to Use Custom Site Templates and Definitions supporting Corporate look-and-feel

How to Use Custom Site Templates and Definitions supporting Corporate look-and-feel l 10.3 1.0 Installation Auditing and Configuration Microsoft ISA Server Guide How to Use Custom Site Templates and Definitions supporting Corporate look-and-feel 2010 Quest Software, Inc. ALL RIGHTS RESERVED.

More information

ActiveRoles 6.9. Quick Start Guide

ActiveRoles 6.9. Quick Start Guide ActiveRoles 6.9 Quick Start Guide 2013 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under

More information

Deployment Guide 6.7

Deployment Guide 6.7 Deployment Guide 6.7 2007 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software

More information

Dell Directory Analyzer 4.14. Installation Guide

Dell Directory Analyzer 4.14. Installation Guide Dell Directory Analyzer 4.14 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license

More information

Symantec Enterprise Vault

Symantec Enterprise Vault Symantec Enterprise Vault Guide for Microsoft Outlook 2003/2007 Users 10.0 Light Outlook Add-In Symantec Enterprise Vault: Guide for Microsoft Outlook 2003/2007 Users The software described in this book

More information

Web Portal Installation Guide 5.0

Web Portal Installation Guide 5.0 Web Portal Installation Guide 5.0 2011 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under

More information

WhatsUp Gold v16.2 Installation and Configuration Guide

WhatsUp Gold v16.2 Installation and Configuration Guide WhatsUp Gold v16.2 Installation and Configuration Guide Contents Installing and Configuring Ipswitch WhatsUp Gold v16.2 using WhatsUp Setup Installing WhatsUp Gold using WhatsUp Setup... 1 Security guidelines

More information

Foglight 5.2.0. Foglight Experience Viewer (FxV) Upgrade Field Guide

Foglight 5.2.0. Foglight Experience Viewer (FxV) Upgrade Field Guide Foglight 5.2.0 Foglight Experience Viewer (FxV) 2009 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is

More information

Foglight. Foglight for Virtualization, Enterprise Edition 7.2. Virtual Appliance Installation and Setup Guide

Foglight. Foglight for Virtualization, Enterprise Edition 7.2. Virtual Appliance Installation and Setup Guide Foglight Foglight for Virtualization, Enterprise Edition 7.2 Virtual Appliance Installation and Setup Guide 2014 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected

More information

Vodafone PC Backup User Guide Version 1.16

Vodafone PC Backup User Guide Version 1.16 Vodafone PC Backup User Guide Version 1.16 Contents Preface: Preface...v Chapter 1: Overview...7 Chapter 2: Installing Vodafone PC Backup...9 Downloading the Vodafone PC Backup Client...9 Installing the

More information

WatchDox for Windows User Guide. Version 3.9.0

WatchDox for Windows User Guide. Version 3.9.0 Version 3.9.0 Notice Confidentiality This document contains confidential material that is proprietary WatchDox. The information and ideas herein may not be disclosed to any unauthorized individuals or

More information

6.0. Planning for Capacity in Virtual Environments Reference Guide

6.0. Planning for Capacity in Virtual Environments Reference Guide 6.0 Planning for Capacity in Virtual Environments 2009 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

Migrating Your Applications to the Cloud

Migrating Your Applications to the Cloud Migrating Your Applications to the Cloud How to Overcome the Challenges and Reduce the Costs Written By Quest Software, Inc. Contents Abstract... 2 Introduction... 3 What is the Cloud?... 3 Current and

More information

Using Stat with Custom Applications

Using Stat with Custom Applications Using Stat with Custom Applications Written by Quest Software Inc. TECHNICAL BRIEF 2010 Quest Software, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright.

More information

Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide

Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Windows 2000, Windows Server 2003 5.0 11293743 Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Copyright

More information

formerly Help Desk Authority 9.1.3 HDAccess User Manual

formerly Help Desk Authority 9.1.3 HDAccess User Manual formerly Help Desk Authority 9.1.3 HDAccess User Manual 2 Contacting Quest Software Email: Mail: Web site: info@quest.com Quest Software, Inc. World Headquarters 5 Polaris Way Aliso Viejo, CA 92656 USA

More information

Dell Unified Communications Command Suite - Diagnostics 8.0. Data Recorder User Guide

Dell Unified Communications Command Suite - Diagnostics 8.0. Data Recorder User Guide Dell Unified Communications Command Suite - Diagnostics 8.0 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

Quest One Password Manager

Quest One Password Manager Quest One Password Manager Version 5.0 Administrator Guide 2013 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this

More information

2011 Quest Software, Inc. ALL RIGHTS RESERVED.

2011 Quest Software, Inc. ALL RIGHTS RESERVED. 8.7 User Guide 2011 Quest Software, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. The software described in this document is furnished under a software

More information

Dell NetVault Backup Plug-in for SharePoint 1.3. User s Guide

Dell NetVault Backup Plug-in for SharePoint 1.3. User s Guide Dell NetVault Backup Plug-in for 1.3 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software

More information