Imprivata OneSign Getting Started Guide




This Getting Started Guide introduces the common administration procedures that you will encounter while using the OneSign system:

Chapter 1, Overview of Imprivata OneSign, provides an overview of OneSign features and terminology.
Chapter 2, Logging In to the OneSign Administrator, guides you through the initial user account setup process.
Chapter 3, Setting OneSign Properties, describes deploying the appliance and setting up server connections.
Chapter 4, Setting OneSign Policies, introduces OneSign security policies.
Chapter 5, Creating User Accounts, details creating user accounts by synchronizing OneSign with a user directory.
Chapter 6, Deploying an Application, shows you how to deploy your first application to yourself and any other enabled users.
Chapter 7, Generating Reports and Notifications, shows you how to generate simple OneSign activity reports.
Chapter 8, Installing the Imprivata OneSign Agent, guides you through downloading and installing the client-side OneSign Agent.
Chapter 9, Generating an Application Profile, shows you how to generate an application profile with the Application Profile Generator.
Chapter 10, OneSign in Action, lets you watch as your OneSign Agent proxies your credentials to log you into the application you profiled in Chapter 9.

Use this Getting Started Guide to set up Imprivata OneSign for your network. After it is set up, use the Administrator's Guide, the APG Guide, and the Appliance Guide for reference.

Contacting Imprivata

Email: support@imprivata.com
Phone Support: (781) 674-2782 / Sales: (877) OneSign (663-7446)
Office address: 10 Maguire Road, Building 2, Lexington, MA 02421-3120
Website: http://www.imprivata.com/support

This product is distributed under licenses restricting its use, copying, distribution and decompilation. OneSign, Imprivata, and the Imprivata logo are registered trademarks of Imprivata, Inc., and Imprivata APG is a trademark of Imprivata, Inc. in the United States and in other countries. Adobe and Acrobat are trademarks of Adobe Systems Incorporated. ACE/Server, RSA, RSA Security, the RSA logo & SecurID are registered trademarks of RSA Security Inc. Secure Computing and SafeWord are registered trademarks of Secure Computing Corporation. Citrix and MetaFrame are registered trademarks and NFuse is a trademark of Citrix Systems, Inc. in the United States and other countries. InstallShield is a trademark of InstallShield Software Corporation. Java, JavaScript, JavaServer Pages, JSP, and Sun ONE are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Microsoft, Windows, Windows NT, Active Directory, Outlook, Hotmail, and/or other Microsoft products referenced herein are either trademarks or registered trademarks of Microsoft in the United States and/or other countries. Novell and NetWare are registered trademarks of Novell, Inc. in the United States and other countries. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. UNIX is a registered trademark in the U.S. and in other countries, exclusively licensed through X/Open Company, Ltd. XML is a trademark of the World Wide Web Consortium, registered and held by its host institutions (Massachusetts Institute of Technology, Institut National de Recherche en Informatique et en Automatique, and Keio University). DIGIPASS and VACMAN are registered trademarks of VASCO Data Security International Inc.

Other product names used herein have been used for identification purposes only and may be trademarks or registered trademarks of their respective owners. Imprivata OneSign includes software copyrighted by MySQL AB. MySQL is a trademark of MySQL AB in the United States and other countries. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes software developed by the Apache Software Foundation (http://www.apache.org). STLport sources Copyright 1999, 2000 Boris Fomitchev. The source code, object code, and documentation in the com.oreilly.servlet package is copyright and owned by Jason Hunter. Portions of this product include notices and other information provided by third-party vendors. The following copyright notices are retained when present, and conditions provided in accompanying permission notices are met: 1994 Hewlett-Packard Company. Hewlett-Packard Company makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. 1996, 97 Silicon Graphics Computer Systems, Inc. Silicon Graphics makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. 1997 Moscow Center for SPARC Technology. Moscow Center for SPARC Technology makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. 2004 Intrinsyc Software, Inc. and its licensors. All rights reserved. Under international copyright laws, neither the documentation nor software may be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form, in whole or in part without the prior written consent of Imprivata, Inc., except as described in the license agreement.

The names of companies, products, people, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. 2005 Imprivata, Inc., 10 Maguire Rd, Lexington, MA, 02421. All rights reserved. Printed in the United States. MAN-SYS-GTST-3001

Table of Contents

Contacting Imprivata ... ii
Chapter 1 - Overview of Imprivata OneSign ... 1
  What is OneSign? ... 2
  Imprivata OneSign Architecture ... 3
  OneSign Terminology ... 3
Chapter 2 - Logging In to the OneSign Administrator ... 5
  Enrolling the Initial Administrator ... 6
Chapter 3 - Setting OneSign Properties ... 9
  System Settings ... 10
  Server Connections ... 11
  OneSign Extensions ... 12
Chapter 4 - Setting OneSign Policies ... 13
Chapter 5 - Creating User Accounts ... 15
  Notifying Users ... 21
Chapter 6 - Deploying an Application ... 23
Chapter 7 - Generating Reports and Notifications ... 25
  Setting an Event Notification ... 28
Chapter 8 - Installing the Imprivata OneSign Agent ... 31
  Installing the OneSign Agent ... 32
  Authenticating to Imprivata OneSign ... 34
Chapter 9 - Generating an Application Profile ... 37
  Learning Screen Attributes ... 38
  Recognizing the Screen ... 43
  Capturing Credentials ... 45
  Proxying Credentials ... 46
  Deploying the Application ... 47
Chapter 10 - OneSign in Action ... 49
  Where Do I Go From Here? ... 50


Chapter 1 - Overview of Imprivata OneSign

Before you start importing users and deploying application profiles, please read this overview chapter. It will only take a few minutes to become familiar with OneSign. After reading this chapter, continue to the next nine brief chapters. Each one shows you an important step in administering OneSign for your enterprise. You can read all the text and follow all the procedures in under 90 minutes. Here's what you will do:

1. Read this Overview chapter to become familiar with the OneSign secure single sign-on system, its features, and its terminology.
2. Log into OneSign as an administrator.
3. Set the properties for the OneSign appliance.
4. Review the default security policy and its features.
5. Import users and notify yourself as a user.
6. Deploy a sample application profile.
7. Create a simple OneSign report and set a notification.
8. Install the OneSign Agent on your own workstation.
9. Use the Application Profile Generator (APG) to profile a web application.
10. See the OneSign Agent record your credentials for the application, and then test how OneSign handles your authentication to the application.

After you have performed these steps, you can discard this book - everything else you need to know is in the Imprivata OneSign Administrator's Guide, the Imprivata APG Guide, and the Imprivata Appliance Guide.

What is OneSign?

The Imprivata OneSign enterprise single sign-on system is made up of the OneSign Agent and the OneSign Server.

The OneSign Agent

The OneSign Agent resides on the user's computer. It is represented in the system tray by an Imprivata icon. The Agent handles authentication of users locally through passwords, finger biometrics, or ID tokens, with or without robust password policies. Once a user authenticates to the OneSign system, the user is automatically signed onto deployed applications as they are launched. The OneSign Agent handles the local transaction of proxying users' credentials to applications and domains. The OneSign Agent downloads credential and application information from the OneSign Server at login and queries the server for changes at an interval you set on the OneSign Administrator Properties page.

The OneSign Server

The OneSign Server keeps track of application profiles, users and credentials, password policies, and security policies that you set. It can generate reports as needed and you can program it to notify you in the event of certain conditions. You control OneSign settings through the intuitive OneSign Administrator.

The OneSign Server is actually a pair of rack-mountable redundant network appliances. Each appliance is connected to the network. They are connected to each other by an isolated failover connection. The appliance that handles the daily OneSign traffic is the Primary Appliance. The backup appliance is the Failover Appliance. The primary and the failover appliances are physically identical, but only one of them handles OneSign traffic at a time. The Primary Appliance keeps the Failover Appliance constantly updated through the secure failover connection. If the Primary Appliance fails, then the Failover Appliance immediately takes over and notifies all administrators by email that the Primary Appliance has failed. Since the Failover Appliance is an exact mirror of the Primary Appliance, users do not notice the change.

Imprivata OneSign Architecture

A fully-deployed OneSign system integrates:
- The OneSign Appliance
- The OneSign Agent
- Your applications and domains

[Figure: Imprivata OneSign Architecture - OneSign System Overview]

OneSign Terminology

OneSign automatically and securely connects users to applications that require authentication. Users can be enabled, imported, and locked out. Throughout this Getting Started Guide, these terms have specific meanings:

Applications - Applications can be any resource that requires authentication. This includes legacy, client/server and web applications, terminal emulators, Windows NT Domain, and even web sites that require authentication.

Application Credentials - Credentials used to access an application (rather than a domain). Applications that require authentication have rules to govern acceptable credentials, their use, and how to change them.

Application Profile Generator (APG) - OneSign needs information about how each application handles authentication and password changes. The APG is a web-based interface to automate the learning process.

Authentication - Users are authenticated when they log into OneSign. When the user authenticates, OneSign launches a secure user session. Logins to OneSign-deployed applications in that session are handled by OneSign.

Domain Credentials - Credentials used to access a domain (rather than an application). Some applications can be set to use domain credentials, or to share OneSign credentials with other applications.

Domain Synchronization - You do not create users in OneSign; you synchronize the OneSign directory with the selected user directories on your domains. When you synchronize OneSign with a directory, user accounts are both added to and deleted from OneSign. Their domain accounts are unaffected.

Enabled/Disabled - An enabled, imported user enjoys secure single sign-on. Even when a user account exists, user access to OneSign secure single sign-on is not necessarily automatic. There may be times when you want to disable a number of user accounts, or to delay enabling them.

Failover - If the Primary Appliance goes offline for any reason, the OneSign system goes into Failover Mode. As long as the network is up and the appliance is physically intact, the Failover Appliance immediately takes over.

Locked Out - A user is locked out after attempting to access a OneSign account in violation of the rules set in the user's security policy. Locked-out users lose access to their OneSign accounts for a period set in that policy.

Notifications - OneSign can notify administrators of system events. OneSign can track a number of specific system events. OneSign sends an email with the information or posts it to a predetermined URL. See also: Reports.

Reports - Reports are a quick way to learn about OneSign activity that occurred during a time window that you define when you run the report.

Users - Users are network users whom you can include in the OneSign system. Any user known to your network can become a OneSign user.

This Getting Started Guide is a quick tour through OneSign. For complete information on OneSign, please refer to the Administrator's Guide. For complete information on the OneSign appliance, please refer to the Appliance Guide.

Chapter 2 - Logging In to the OneSign Administrator

The rest of this Getting Started Guide uses specific OneSign terminology. If you have not read Overview of Imprivata OneSign on page 1, please do so before continuing.

Once you have installed the appliance, you must create a user account with OneSign administrator privileges. The rest of the setup procedures in the Getting Started Guide will be performed from the account that you create in this chapter. The account that you create in this chapter requires a login to the network. The first-time connection may be established quickly through an unsecured connection, or you can secure the connection before submitting the credentials from the Initial Administrator page. You can:
- Make the login in clear text and establish a secure connection later.
- Log in using a guest account.
- Log in using an administrator account and change the password after you are finished.
- Upload the certificate before submitting the credentials.

Note: The OneSign Administrator requires a networked computer running Microsoft Internet Explorer 6.0 SP1 or later on Microsoft Windows 2000 or XP Professional.

Note: If you resolve hostnames, it is a good idea to be sure this OneSign server hostname is included in your DNS or WINS before continuing.

Enrolling the Initial Administrator

This procedure creates the initial administrator account and the first domain and enrolls the initial administrator's credentials.

To create the Initial Administrator account:

1. From the browser, go to: https://<onesign Virtual IP Address>/sso/login.html

Note: You must use the virtual IP address (VIP) or fully-qualified host name that you assigned in the installation procedure.

The Administrator Initial Setup screen appears:

[Figure: OneSign Initial Administrator Screen, Showing Optional Helper Text]

2. Fill in the fields on the Initial Administrator Screen. For assistance, see the helper text in the sidebar.

3. Click Submit. The Imprivata OneSign Administrator Home page appears:

[Figure: OneSign Administrator Home Page]

Note that there is no active session and one enrolled user. You have created the initial user account with Super Administrator privileges. This was a one-time procedure, necessary only the first time you start a new OneSign appliance. This user account is like any other user account with Super Administrator privileges.

Now that you have created the initial administrator account, logging in to the OneSign Administrator will be simpler. OneSign already knows your directory server type, host name, and name. From now on, administrators log in at:

https://<onesign Virtual IP Address>/sso/login.html

where they will be asked only for:
- Username
- Type of user directory
- Domain of their network user account
- Authentication

In the next chapter you will set security parameters for OneSign.


Chapter 3 - Setting OneSign Properties

The OneSign properties include:
- System Settings
- Server Connections
- OneSign Extensions

In this chapter you will go through these sections in turn. Some properties must be set now, but most can be safely ignored until later. All are detailed in the OneSign Administrator's Guide.

To set the system properties:

1. Click on the Properties page. The Properties window appears, showing the System Settings tab:

[Figure: OneSign Administrator Properties Page]

System Settings

Use the System Settings tab for monitoring system status, including audit logging and system lockdown status; management of your OneSign license and options; defining administrator privileges; and information relating to user OneSign Agents, including the Refresh Interval at which users' OneSign Agents refresh their profiles and upload audit log information. Explore the different parts of this section, but do not change any yet.

System Status and Audit Log

The Lock button locks the Imprivata OneSign system for security reasons. This is a toggle button; clicking Lock replaces it with an Unlock button, and clicking Unlock replaces it with a Lock button. Ignore the Lock button for now. This is where you can set the system logging level, and where you can see an overview of your audit logs, and archive and delete old audit logs. The OneSign Server can also post a heartbeat and current system status to a URL for monitoring.

License Info

During the installation procedure, you uploaded the OneSign license file. The License section shows how many total user accounts you have in this appliance pair, and how many are assigned to enabled users.

Administrator Privileges

OneSign permits two levels of administration; this is where you define the various administrator privileges that are available to the Administrator level (Super Administrators automatically have all privileges).

Agent Settings

In the Agent Settings section you select settings for installing user OneSign Agents and different properties of the Agents. The user's OneSign Agent checks the server for updates at the Refresh Interval set in this section.

Password Self-Service Questions

OneSign supplies questions in three languages. You can require users to answer a subset of these questions in order to access the password self-services. You can add more questions, or delete any unwanted questions.

Note: All of the options that you ignore in this tutorial are fully detailed in the Administrator's Guide and in the APG Guide.

Server Connections

Use the Server Connections tab for setting the mail server that will handle emails from the OneSign Server to administrators and users, and setting the connection parameters for an ID token system server if you are using one.

Setting the Mail Server and Editing the Standard Messages

OneSign notifies users when they can download the OneSign Agent and sends password reminders and event notifications by email from this server.

1. In the SMTP Server section, click View/Edit to open an SMTP Server form.
2. Enter the server to be used to send password reminders and event notifications and notify users for self-enrollment.
3. Click the Test button to be sure the connection is valid.
4. If credentials are required in order to send OneSign email notifications to email addresses outside of the local network, then enter a valid SMTP server account username and password combination.
5. OneSign uses a standard Notification Message to notify new users that their OneSign accounts have been created. Click the View/Edit link to customize the text of the Notification Message for your users. Depending upon your OneSign license, you also see an option to edit either the Password Reminder or the Password Self-Services Enrollment message. You do not need to edit either of them at this time.

Setting ID Token System Server Properties

The ID Token Server is only used if users will authenticate to OneSign via ID token. If you are supporting ID token authentication, then click View/Edit to enter the server host name, port, and encryption key before continuing. If you are not using ID token authentication, ignore this section and continue.

Saving Changes

There is a context-sensitive Save button at the bottom of the page that only appears when you have changed something on the Properties page. If you made any changes and you want to save them, click the Save button.

OneSign Extensions

Extension objects permit OneSign to extend beyond its base capabilities to support external software tools. OneSign supports two extension objects:
- The Carefx Extension Object is used to synchronize user identity with the Carefx Application Context Manager.
- Use the OneSign Procedure Code Extension Object to manage the execution of procedure code triggered by pre-defined Agent and application events.

Ignore the extension objects for now.

[Figure: The OneSign Extensions Tab]

Note: For full information about those properties that were ignored in this exercise, please see the Imprivata OneSign Administrator's Guide.

You have finished setting the OneSign properties. Now you can explore security policies. Please proceed to Chapter 4, Setting OneSign Policies.

Chapter 4 - Setting OneSign Policies

Use Security Policies to control user authentication methods, lockout rules for authentication violations, user challenges, user session concurrency, hotkey locking of shared workstations, and to set the rules for password self-services. OneSign policies are security policies for user accounts. Use OneSign security policies to:
- set authentication methods for users
- set lockout and other security conditions
- permit, limit, or forbid offline mode
- set inactivity challenges
- set user concurrency settings
- configure the optional password self-services feature

You can assign security policies to individual users and to groups of users. If you do not assign any other security policy, then all users get the Default security policy. You can edit the default security policy to meet the needs of your organization.

Note: For full information about those properties that were ignored in this exercise, please see the Imprivata OneSign Administrator's Guide.

Feel free to explore the security policy options, and then use the default security policy for this exercise.

Saving Changes

There is a context-sensitive Save button at the bottom of the page that only appears when you have changed something on the Properties page. If you made any changes and you want to save them, click the Save button.

You have finished setting the OneSign properties. Now you can set up user accounts. Please proceed to Chapter 5, Creating User Accounts.


Chapter 5 - Creating User Accounts

When synchronizing Imprivata OneSign to a user directory:
- Selected users in the user directory who are not in the OneSign database are added to the OneSign database.
- Users whose first name, last name, and/or email address have changed on the user directory will have this information updated in the OneSign database.

Note: OneSign does not import first name, last name, and email address values from NT Domain controllers.

When you synchronize the list of users in the OneSign database to match the user account information in the user directory, new user accounts are added into the OneSign database, obsolete user accounts are removed from the OneSign user list, and pre-existing user accounts are updated as needed.

To import users into the OneSign system:

1. From the Users tab, click the Synchronize button.

[Figure: The Synchronize Button]

The Synchronize Users window appears:

[Figure: Click Add New Domain]

So far, the list includes only the directory that holds the account you used to log in.

2. To create accounts for users in this directory, you would simply click Next. The procedure to add a new domain is just one screen longer and it is worth seeing, so even if you have no new domain to add right now, click Add New Domain.

When you click Add New Domain, the Select Directory Server window appears:

[Figure: Selecting the Type of Directory Server]

3. Select the type of directory server from the list and click Next. The Connection Parameters window appears:

[Figure: Setting Connection Parameters]

4. You can enter information for another user directory. For this exercise it makes no difference where the user accounts are from.

5. When the Connection Parameters page is complete, click Next. The Synchronize Users from [selected directory] Domain window appears:

[Figure: Setting Synchronization Rules]

6. Select the security policy for the new user accounts. You can use the Except button to assign different security policies to some groups.
7. Select whether the new accounts will be enabled immediately or not.

Note: If the number of user accounts created is more than the number of available licenses, then none of them will be enabled. You can enable them individually or by groups later from the Users tab.

8. OneSign can notify users of their new accounts by automated email to the email address associated with their accounts in the user directory. You can have OneSign autogenerate email addresses for users who do not have an associated email address; skip this for now.
9. You can automate the synchronization process to run daily, weekly, or monthly according to rules you set. Skip this for now.

10. Click Preview Users. A list of user accounts to be created and removed appears:

[Figure: Previewing the User Accounts to be Added]

11. Review the Users to be Added tab. There are no user accounts to be removed.

12. Click Synchronize Now. OneSign connects to the directory. All users in the user directory are matched against the list in OneSign (which contains only you). New records are created for the new users.

Note: Depending upon the connection and the number of users being imported, this step can take a few moments.

The updated Users list appears. Administrators have an asterisk after their username, and Super Administrators have two asterisks after their username. Right now you are the only Super Administrator and there are no Administrators.

Figure: New User Accounts

The new users cannot use their OneSign accounts until they install the OneSign Agent. Please continue to the next section.

Notifying Users

There are two ways to install the OneSign Agent on user computers:

- Users in a Microsoft Active Directory user directory can be the target of an AD push install. These users must subsequently be notified of their inclusion in the Imprivata OneSign system.
- All users can self-install the OneSign Agent by means of the Notify button.

To use the Notify button to notify yourself:

1. Find your account on the user list and check the checkbox.

Note: Wait to notify others until you have some applications deployed. You must notify yourself now.

2. Click the Notify button.

Figure: The Notify Button

When you click the Notify button, you are prompted to:

- Install OneSign Agent
- Enroll self-service profile (if this option is included in your OneSign license)

The self-service profile enables the user to reset passwords personally after answering some verification questions; ignore it for now and select OneSign Agent.

Figure: Selecting an Agent

OneSign sends you an email with the information that an account now exists on OneSign, with a link to a website where you can download the OneSign Agent. This is the standard email that you saw in Chapter 3, Setting OneSign Properties.

Note: The Notification email is generated by OneSign. The OneSign Agent address is specific to this OneSign Appliance and is included in the email. The From: field and the message text can be edited from a link on the Properties page, Server Connections tab.

Chapter 6 Deploying an Application

In this section you will deploy an application profile. When you deploy an application profile, there is no change to any applications or network settings. The application profile you will deploy is the OneSign Administrator.

To deploy the OneSign Administrator application:

1. Click Applications. The Applications window appears with only the Imprivata Admin UI listed under the Applications tab:

Figure: The Applications Window

You could simply check the checkbox and then click Deploy. This would deploy the profile with the default settings, which means deploying it to all users and groups. This is not appropriate for an administrator's tool, so we must set the deployment options for this application profile.

2. Click the red application profile name (not the Edit Profile link).

The Application Record for the application appears:

Figure: Deployment Options

3. Check Deploy This Application?

4. Uncheck Deploy to All Users and Groups? Two fields appear that permit you to select groups and individual users.

5. Leave the group selector empty, and enter your own information in the individual users section.

6. Ignore the Credentials, the Password Policy, and the Shutdown Sequence sections and click Save.

Back on the Applications List, the status has changed to Deployed. No users are enrolled yet; OneSign has not yet captured your credentials. Once you authenticate to the application, OneSign will capture them and you will be enrolled.

Chapter 7 Generating Reports and Notifications

Imprivata OneSign reports offer a quick-and-easy snapshot view of specific user activity. In this section you will generate a report of today's administrator activity.

To generate a report:

1. At the top of the page, click on the Reports tab. The Reports page appears, showing the Reports tab with no reports in it at all.

2. Click Add to add a new report. The Add New Report - Select Report Type page appears:

Figure: Selecting a New Report Type

3. Click the Administrator Activity radio button, and then click Next. The Administrator Activity Report window appears:

Figure: Setting Up an Administrator Activity Report

4. Today's date is selected by default. Accept the default dates and click Run to execute the report.

Note: The Start Date always starts at the beginning of the day, and the End Date always ends at the end of the day. When the Start Date and the End Date are the same, the period is that whole day.

The report appears:

Figure: An Administrator Activity Report

You can see in the report what you did in this exercise. Starting from the bottom:

1. You started (booted) the Imprivata OneSign system.
2. You synchronized the database and imported users.
3. You deployed an application.

You may have also executed some other actions that show up in this report.

This is the end of the part of the exercise that takes place in the Imprivata OneSign Administrator. In the next step you will go through a new user experience by installing a OneSign Agent and then authenticating to OneSign.

Setting a Notification

Notifications are a means of keeping administrators informed of various Imprivata OneSign events even when they are not logged into the OneSign Administrator. Notifications can be sent to an email address or posted to a URL. In this chapter we will set a Notification to send you an email when a user logs in.

To set a Notification:

4. At the top of the page, click on the Notifications tab. The Notifications tab appears with no event notifications listed:

Figure: The Notifications Tab with no Event Notifications

5. Click the Add button. The Add New Event Notification window appears:

Figure: Adding a New Event Notification

6. From the box, select Primary Login Success and then click Next. Conditions and Action controls appear:

Figure: Setting the Conditions under which the Event should be Reported

7. Leave the Conditions at their default values. In the Action section, set the Resulting Action to Send email and enter your email address.

8. Click Save. When you log into OneSign later in this exercise, OneSign will send an email to the address you entered, notifying you that you logged in.

Chapter 8 Installing the Imprivata OneSign Agent

The Imprivata OneSign Agent resides on the user's local computer. Whenever the user accesses a OneSign-deployed application, the OneSign Agent responds to the application login request with the credentials on the OneSign server according to the instructions in AppProfiles.xml.

OneSign offers three types of OneSign Agents:

- the OneSign Agent, used for most single-user computers
- the OneSign Workstation Agent, used for kiosks and shared workstations
- the OneSign Citrix Agent, used for Citrix and Microsoft Terminal Server hosts

For this exercise we will use the standard OneSign Agent.

Note: The OneSign Agent requires Microsoft Internet Explorer 6.0 or later on Microsoft Windows 2000 or XP Professional.

In this chapter you will:

- Install the OneSign Agent on your computer.
- Authenticate to the OneSign Server using the OneSign Agent.

Enrolling to OneSign

If you plan to use finger biometric or ID token authentication, or fingerprint identification, then each user will have to self-enroll valid credentials (fingerprint or ID token credentials). This is a simple, one-time procedure. Password authentication does not require an enrollment step because each user already has a network password. The next time they authenticate to the network they are automatically enrolled in OneSign.

Installing the OneSign Agent

To install the Imprivata OneSign Agent on your computer:

1. After you notified users in Chapter 5, Creating User Accounts, you received a Notification email from OneSign. Click on the URL that was included in the Notification email. The New User Welcome page appears:

Figure: The New User Welcome Page

Note: You can use an MSI push to distribute the OneSign Agent to users in an MS Active Directory, but for this exercise use this method.

2. Close all other programs. (The OneSign Agent software installation process requires you to restart your computer.)

3. Click the link to begin the download.

4. You are prompted to open or save the file. The download takes 15 to 30 seconds. Click the Open or the Run button. The InstallShield wizard opens.

5. If a Windows security warning appears, click Yes or Run to continue.

Note: Do NOT save the installation file. It will not work properly from anyplace except the OneSign Server. If you run it from a local drive, the OneSign Agent will install incorrectly.

6. Follow the steps in the Wizard and click the Finish button to restart the computer. The InstallShield Wizard finishes the installation.

After your computer has rebooted, the logon screen appears, but now it has a OneSign authentication method selector attached to it. For this example we only use password authentication. The first time you enter your username and password, the OneSign Agent captures them, encrypts them, and stores them in the OneSign database.

Authenticating to Imprivata OneSign

Once you have the OneSign Agent installed on your computer, you can authenticate to the OneSign system and begin enjoying the convenience of secure single sign-on. Authentication is the process of securely logging the user into the system. The authentication process compares the login attempt with the user's information in the database for use in subsequent authentication.

The authentication process for users who use the OneSign Agent is almost invisible; it uses the familiar Microsoft Windows Ctrl-Alt-Delete authentication screen. Users authenticate the way they usually do. This authenticates them to OneSign, which in turn authenticates them to Windows and to any other deployed applications as they are launched.

When the computer restarts, the Windows Ctrl-Alt-Delete logon screen appears:

Figure: Starting a OneSign Agent Session

Note: Users who install the OneSign Workstation Agent log into OneSign separately from their desktop session. The OneSign Agents are described fully in the Imprivata OneSign Administrator's Guide.

1. Press Ctrl-Alt-Delete to log in to OneSign.

Figure: The OneSign Agent Login Screen

2. Enter your username and password. Once you are logged into OneSign, OneSign logs you into your network account automatically.

From now on, each time you log into a OneSign-deployed application, OneSign will remember your authentication information. When you launch the application after that, OneSign will authenticate you to the application automatically.

Note: A password self-service enrollment message will appear if you assigned that feature to yourself in your security policy.

Chapter 9 Generating an Application Profile

Before an application can appear in the Deployed Application list, you must first generate an Application Profile for it. The OneSign Application Profile Generator (APG) is a tool for automatically generating application profiles for any type of application. In this exercise, you will generate an application profile for a web application. The web application is a simple demonstration application on the Imprivata website.

The general procedure for generating, deploying, and using an application profile is:

1. Learn the screen attributes with the OneSign APG. This enables the OneSign Agent to recognize the screen when it appears.
2. Add credential-capturing information to the profile.
3. Add credential-proxying information to the profile.
4. Deploy the application profile.
5. Refresh your OneSign Agent to ensure it has the new profile.
6. Log into the application so OneSign can capture your credentials, then log out of it.
7. Launch the application again and see OneSign proxy your credentials to log you in automatically.

Note: The APG must be run from a computer that has the OneSign Agent installed. If you have not yet installed the OneSign Agent, please go back to Installing the Imprivata OneSign Agent on page 31 and install it. The APG requires Microsoft Internet Explorer version 6 or later.

Learning Screen Attributes

To learn the sample application, you must have two browser windows open. In one of them is the sample web application, and in the other is the APG. After you launch the APG, the OneSign Administrator goes to the back.

To learn the screen attributes for the sample application:

1. Log into your computer and open a browser.

2. Open the OneSign Administrator Applications page and click Add.

Figure: Starting the Application Profile Generator

The Application Profile Generator appears in a new window:

Figure: Naming the Application

3. Enter a descriptive name for the demo application. It is not a host-based application. Then click Next >>.

The Screen Selection page appears.

Figure: Choosing Screens to Learn

4. Select the Login, Login Failure, and Login Success screens. Their borders and names turn red when they are selected.

5. Click Next >> to go to the Configure Screens Master Page. The Configure Screens Master Page appears with a list of the screens you just selected.

Figure: The Configure Screens Master Page for this Application Profile

6. Click Login to open the Learn Screen page for the Login screen.

7. Open the SSO demo application: http://www.imprivata.com/demo. Do not log in yet.

Figure: The Sample Web Application Login Page

You will need to have both windows available at the same time, so you may wish to make this window a little smaller. You do not need to see the entire window of the target application.

Recognizing the Screen

The first step in configuring the screen is to show OneSign how to recognize the screen when it is presented to the user.

1. Back on the Learn Screen page, drag the Magnifier Icon from the Learn Screen button and drop it on the application screen.

Figure: Magnifier Icon

Figure: The Recognize Screen Page

2. The APG identifies the URL, screen title, and application type. The URL and title appear in editable fields, along with buttons to add unique text, re-learn the screen, and test OneSign's recognition of the screen.

Note: The goal of the remaining steps is for OneSign to recognize this screen every time it appears, and to never falsely recognize another screen as this one.

Figure: The Top Part of the Recognize Screen Page, Filled In for a Web Application

3. Edit the URL parameters to enable unique identification of the screen. If the URL or title includes a segment that is liable to change, either with each session or each user, then you can replace that segment with an asterisk wildcard character. Ignore the Add Unique Text button.

Capturing Credentials

The next step in configuring the screen is to show OneSign how to capture the user's credentials when they are entered. Later, OneSign will proxy the credentials on the user's behalf.

The APG scans the screen and identifies fields for user input. OneSign uses an internal set of field names with specific meanings. In this step, you match the names of the fields that the application requests with the names of the fields that OneSign uses. For example, the application might use the label p or passwd for the field in which the user enters a password. OneSign uses password for that function.

Figure: Programming Fields for Credential Capture

To configure the fields for credential capture:

4. OneSign lists the user input fields from the selected screen. For each field label, select the matching OneSign meaning from the Meaning in OneSign dropdown box. For this application, select Username for u and Password for p.

5. Ignore the Obscured? checkboxes for this exercise.

6. For each user-input field, click the Locate Field icon and watch the application screen. Each field should flash when the corresponding Locate Field icon is clicked. Locating fields is an optional step to help you error-check the profile and to find poorly-labeled controls.

Proxying Credentials

The third and final step provides the information used by the OneSign Agent to proxy the user's credentials.

Figure: Programming Fields for Credential Capture

7. Leave the Use Default Behavior radio button selected.

8. Leave the Each Time radio button selected.

9. Click Test Recognition and drag the magnifier icon to the application screen. This tests screen recognition.

10. After the screen tests successfully, click Configure Another Screen to save this screen to the application profile and return to the Configure Screens Page.

11. Now select Login Failure and learn the Login Failure page the same way (any wrong credentials will get you there). Finally, repeat the process for Login Success. To access this page, you must log into the website: the username is username and the password is password.

Note: It is important to learn the success and failure screens whenever possible. These screens provide internal error-checking that can be invaluable when troubleshooting.

12. Click Save to save the profile.
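The recognition rules from Recognizing the Screen (wildcarded URL and title, and the note that a screen must be recognized every time and never confused with another) and the field mapping from Capturing Credentials (u to Username, p to Password), as an added example that is not Imprivata code and does not reproduce the AppProfiles.xml format. The host, paths, titles, session ids and the Login/Login Failure/Login Success samples are constructed placeholders.

```python
import re
from dataclasses import dataclass


@dataclass
class ScreenRule:
    """One learned screen: wildcard patterns for URL and title, plus the
    mapping from the application's field labels to OneSign meanings."""
    name: str            # "Login", "Login Failure" or "Login Success"
    url_pattern: str     # '*' replaces a segment that changes per session/user
    title_pattern: str
    field_map: dict      # application label -> "Username" / "Password"


def wildcard_regex(pattern: str) -> re.Pattern:
    """Anchored regex for an APG-style pattern: '*' matches any run of
    characters; everything else, including '?' and '&', is literal."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def recognizes(rule: ScreenRule, url: str, title: str) -> bool:
    """Both the URL and the title must match before a screen is recognized."""
    return bool(wildcard_regex(rule.url_pattern).match(url)
                and wildcard_regex(rule.title_pattern).match(title))


def recognized_by(profile: list, url: str, title: str) -> list:
    """Names of every rule in the profile that claims this screen."""
    return [r.name for r in profile if recognizes(r, url, title)]


def check_profile(profile: list, samples: list) -> list:
    """Run the profile over (url, title, expected) samples; expected is a rule
    name, or None for a screen that must not be recognized. Returns a list of
    problems: misses, false positives and ambiguous (multi-rule) hits."""
    problems = []
    for url, title, expected in samples:
        hits = recognized_by(profile, url, title)
        if len(hits) > 1:
            problems.append(f"ambiguous: {url!r} matched {hits}")
        elif expected is None and hits:
            problems.append(f"false positive: {url!r} matched {hits[0]}")
        elif expected is not None and hits != [expected]:
            problems.append(f"missed: {url!r} expected {expected}, got {hits}")
    return problems


def capture_credentials(rule: ScreenRule, submitted: dict) -> dict:
    """Translate what the user typed (label -> value) into OneSign meanings;
    fields with no mapping (e.g. a 'remember me' box) are not stored."""
    return {meaning: submitted[label]
            for label, meaning in rule.field_map.items() if label in submitted}


# Constructed demo profile (placeholder host, paths and titles).
DEMO_PROFILE = [
    ScreenRule("Login", "http://demo.example/login?sid=*", "Demo - Log In",
               {"u": "Username", "p": "Password"}),
    ScreenRule("Login Failure", "http://demo.example/login?sid=*",
               "Demo - Login Failed", {}),
    ScreenRule("Login Success", "http://demo.example/home?sid=*",
               "Demo - Home", {}),
]

# Constructed screens as the agent would see them, with a per-session sid.
SAMPLES = [
    ("http://demo.example/login?sid=8f3a", "Demo - Log In", "Login"),
    ("http://demo.example/login?sid=8f3a", "Demo - Login Failed", "Login Failure"),
    ("http://demo.example/home?sid=9c21", "Demo - Home", "Login Success"),
    ("http://demo.example/help?sid=8f3a", "Demo - Help", None),
]

# A rule with over-broad wildcards claims every demo screen; check_profile flags it.
TOO_BROAD = ScreenRule("Login (broad)", "http://demo.example/*", "Demo - *",
                       {"u": "Username", "p": "Password"})

if __name__ == "__main__":
    print(check_profile(DEMO_PROFILE, SAMPLES))                # []
    print(check_profile(DEMO_PROFILE + [TOO_BROAD], SAMPLES))  # 4 problems
```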

Deploying the Application

The Application Profile Generator automatically saves the profile to the AppProfiles.xml file on the OneSign server. Close the demo application. Now deploy the demo application the same way you deployed the OneSign Administrator:

1. On the OneSign Administrator Applications tab, click on the name of the newly-profiled application.

2. Check the Deploy This Application? checkbox. Options appear: Deploy to All Users and Groups, and sections for Credentials, Password Policy, and Execute Shutdown Sequence and Procedure Code.

3. Uncheck the Deploy to All Users and Groups? checkbox. Deployment options appear that permit you to restrict deployment to specific groups or individuals.

4. At And/Or These Users, enter your own username and domain.

5. Ignore the rest of the options on the page and click Save.

Your OneSign Agent will learn about the new application the next time it refreshes itself from the server or the next time you log in. You can force this to happen immediately:

1. Right-click the OneSign icon in the system tray.

2. Click Update OneSign Data.

Figure: Forcing an Application List Update from the OneSign Server

Note: This example showed you how to profile a very simple web application in the APG. Make sure you read the APG Guide before you start profiling other applications.

Chapter 10 OneSign in Action

Now that you have an enabled OneSign account, are enrolled, and two applications have been deployed and enabled, you enjoy secure single sign-on for them. In this section, you will see OneSign in action.

Start a new session

First, log out of the current session and start a new session:

1. Log out of the OneSign Administrator by clicking on the Log Out icon in the upper right corner of the page. Close the browser window.

2. Log out and log back into the computer. It is not necessary to restart the computer.

When you authenticate to OneSign, OneSign starts keeping track of your authentication requirements. With each new session you automatically download the latest OneSign security policies and credential information and the latest AppProfiles.xml file, including the application you just profiled.

Authenticate to the applications (for the last time)

Now OneSign will learn your application credentials:

1. Log into the OneSign Administrator normally. A text bubble appears above the OneSign Agent as OneSign records your username and password, and encrypts them. The next time you launch the application, OneSign will log into the application for you, so launching the application will bring you immediately to the Home Page.

2. Click Log Out to exit the application.

3. Open a web browser, go to http://www.imprivata.com/demo and log in using username and password as your username and password. Close the web browser. A text bubble appears above the OneSign Agent again as OneSign records and encrypts your username and password for the Demo.

Single Sign-On to the applications

When you launch each enabled application, OneSign will provide your application credentials; you don't have to!

1. Log out of your Windows session, and then log in again.

2. Launch the OneSign Administrator again. This time you are automatically authenticated.

3. Go to http://www.imprivata.com/demo again. This time you are automatically authenticated.

This is the end of the Getting Started Guide.

Where Do I Go From Here?

Now that the appliance is installed and OneSign is set up, you can create user accounts, profile and deploy more applications, assign administrator privileges and perform all the actions necessary to provide your users with OneSign secure single sign-on. Everything you need to know for these activities and more is contained in the Administrator's Guide, APG Guide, and Appliance Guide.