
plzz1FR6

Date post: 04-Jun-2018
Upload: srinivas-rentala
8/13/2019 plzz1FR6 http://slidepdf.com/reader/full/plzz1fr6 1/67 PUBLIC Document Version: 1.0 12/2011

PUBLIC

Document Version: 1.0 – 12/2011


© Copyright 2011 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. in the United States and in other countries.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Disclaimer

Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components.

Any Java™ Source Code delivered with this product is only to be used by SAP’s Support Services and may not be modified or altered in any way.

Terms for Included Open Source Software

This SAP software contains also the third party open source software products listed below. Please note that for these third party products the following special terms and conditions shall apply.

1. domainname-parser (http://code.google.com/p/domainname-parser/)

Copyright (c)

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49/18 05/34 34 24
F +49/18 05/34 34 20
www.sap.com


Typographic Conventions

Type Style | Description
Example Text | Words or characters quoted from the screen. These include field names, screen titles, pushbuttons labels, menu names, menu paths, and menu options. Cross-references to other documentation.
Example text | Emphasized words or phrases in body text, graphic titles, and table titles.
EXAMPLE TEXT | Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example text | Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text | Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text> | Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT | Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon | Meaning
(icon) | Caution
(icon) | Example
(icon) | Note
(icon) | Recommendation
(icon) | Syntax

Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help > General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.


User Guide: Enterprise Single Sign-On


Contents

1 Introduction
1.1 About this Document
2 Preparation
2.1 Initial Soft Token Logon
2.2 Local Management Console (LMC)
2.3 Applications
2.3.1 Using the E-SSO Learning Wizard to Register and Update Application Controls
2.3.2 Register a New Application
2.3.3 Register a Password Change Dialog
2.3.4 Register a Predefined Application
2.3.5 Register a Terminal Emulator Application
2.3.6 Register IBM Personal Communicator for an IBM Series System
2.3.7 View and Edit Single Sign-On Options for an Application
2.4 Credentials
2.4.1 Add a New Credential
2.4.2 View and Edit Credential Details
2.5 Drag and Drop Credentials
2.5.1 Add a New Drag and Drop Credential
2.5.2 View and Edit Drag and Drop Credential Details
2.6 Policies
2.6.1 Add a New Password Policy
2.6.2 Edit the Attributes of a Password Policy
2.7 Blacklist
2.8 Authentication
2.8.1 Token Type Switching
2.8.2 Enterprise Single Sign-On Soft-Token Utility
2.8.3 Import/Export Soft Token (Soft Token Mode)
2.8.4 Certificates (Smart Card Mode)
2.9 Enterprise Single Sign-On to Web Applications (Web SSO)
2.9.1 Enterprise Single Sign-On Web Toolbar and Icons
2.9.2 Register a Website and Credential Information
2.9.3 Password Change for a Website
2.9.4 How to Activate or Deactivate the Enterprise Single Sign-On Web Toolbar
2.10 Enable or Disable Enterprise Single Sign-On
2.11 Enable or Disable E-SSO Learning Wizard
2.12 Log In To or Log Out From Enterprise Single Sign-On (Soft Token Only)
3 Usage
3.1 Log on to Windows (Smart Card only)
3.1.1 Log on to Windows XP
3.1.2 Log on to Windows Vista or Windows 7
3.2 Log on to a Windows Application
3.3 Log on to IBM Personal Communicator
3.4 Using Web E-SSO
3.5 Log on to Applications or Websites Using the Drag & Drop Feature
3.6 E-SSO Card Configuration Tool
4 Additional Information
4.1 Soft Token Troubleshooting
4.1.1 Reset the E-SSO Password
4.1.2 Change the E-SSO Password
4.1.3 Change Security Question


1 Introduction

Enterprise Single Sign-On (E-SSO) helps end users log on to multiple systems or applications without the need to remember every password or logon dialog. Once a user has successfully authenticated to the Enterprise Single Sign-On application, further logons to applications running under the system’s control are carried out automatically. Enterprise Single Sign-On supports the following methods of signing on to an application:

- Windows logon (for smart card-based authentication only)
  This method can either be certificate-based or can use a user ID/password combination stored on the smart card.

- Certificate-based authentication (for smart card-based authentication only)
  Certificate-based authentication is provided via the standard interfaces such as Microsoft Crypto-API, RSA PKCS#11 or the GSS-API. The logon requirements of most applications, such as Internet browsers, e-mail clients, VPN clients, and so on, can be fulfilled via these interfaces.

  Windows logon and certificate-based authentication are not available for operation with a soft token.

- Logon to Windows applications
  This feature allows you to use single sign-on for password-protected Windows, .NET, terminal emulator, and Java applications.

- Logon to Websites (Web Single Sign-On)
  This feature allows you to log on to password-protected Websites using single sign-on. A toolbar for Microsoft Internet Explorer and Mozilla Firefox enables the registration and management of sites for single sign-on.

1.1 About this Document

Purpose

This document describes how to use Enterprise Single Sign-On on Windows XP, Windows Vista, and Windows 7.

Constraints

This guide does not provide information about how to install, modify, remove, and configure Enterprise Single Sign-On. For such information, see the Enterprise Single Sign-On Installation and Configuration Guide.


2 Preparation

2.1 Initial Soft Token Logon

Use

After the initial installation of Enterprise Single Sign-On and a subsequent restart, an initialization dialog appears. It prompts the user to enter a specific password for Enterprise Single Sign-On (E-SSO) to capture, encrypt, and safely store all credentials, and to choose a password recovery question and an appropriate answer.

Procedure

1. When you start Windows for the first time after Enterprise Single Sign-On installation, the Initialize E-SSO Password dialog appears.

2. Enter a password into the E-SSO Password field. The password must be at least 8 characters long. To achieve a higher level of security, it is recommended to use a mix of upper- and lower-case characters, numbers, and special characters.

3. Optionally check Enable automatic logon to E-SSO when logged into Windows session (can be deactivated via Local Management Console) to allow Windows to automatically log on to the Enterprise Single Sign-On application after successful Windows logon. This option can be activated or deactivated at any time via the Password Options feature in the Local Management Console. This feature uses the Windows Data Protection API (DPAPI) to protect the password.

4. Under Question/Answer for E-SSO Password Recovery:
   - Select a question from the Question drop-down menu.
   - Enter the corresponding, individual answer into the Answer field.

5. This information will now be used to access, and recover, Enterprise Single Sign-On from this point onwards. The Enterprise Single Sign-On icon will appear in the taskbar.


For automatic logon only: If a Windows password is reset by the System Administrator, the user will be prompted to enter the Enterprise Single Sign-On password after Windows logon to re-enable the automatic logon feature (DPAPI).

2.2 Local Management Console (LMC)

Use

Enterprise Single Sign-On has a Local Management Console (LMC) in which all aspects of the application can be configured. This section details how to open the Local Management Console and details the GUI.

Procedure

1. The Local Management Console can be opened via one of the following options:
   - Via Start menu: click Start > All Programs > SAP > signon > Local Management Console.
   - Double-click the Enterprise Single Sign-On icon in the system tray.
   - Right-click the Enterprise Single Sign-On icon in the system tray and choose Local Management Console in the context menu (soft token taskbar menu or smart card taskbar menu).
   - In your Internet browser (Internet Explorer or Firefox), click the Local Management Console icon on the Enterprise Single Sign-On Web toolbar.


   For more information about the Enterprise Single Sign-On Web toolbar, see Enterprise Single Sign-On Web Single Sign-On (Web E-SSO) [page 50] or Using Web E-SSO [page 62].

2. The Local Management Console appears:
   - The Search box and button located at the top of the left pane can be used to look for a specific term within the whole navigation tree in the left pane. Enter search criteria and click Search; use F3 on your keyboard to go to the next search result.
   - The navigation tree in the left pane allows a user to view and configure each of the aspects for the application. Clicking a node will display the details for that node either in the right pane or in a pop-up window. The following nodes are available:

Node | Description
Applications | Applications allows you to register, view, edit or delete a Windows or Web application. For more information about Applications, see Applications [page 10].
Credentials | Credentials allows you to add, view, edit and delete the credentials contained with the soft token or smart card. For more information about Credentials, see Credentials [page 29].
Drag & Drop Credentials | Drag & Drop Credentials allows you to add, view, edit and delete credentials used for drag & drop. The drag & drop feature is provided to allow single sign-on to applications or Websites that cannot be registered to Enterprise Single Sign-On. For more information on Drag & Drop Credentials, see Drag & Drop Credentials [page 34].
Policies | Policies allows you to add, view, edit and delete password policies. A Password Policy is a set of rules that govern the characters to be used as well as the password length for Windows- or web-based passwords that are created in Enterprise Single Sign-On. For more information about password policies, see Policies [page 39].
Blacklist | Blacklist allows you to view and delete applications from the blacklist. The blacklist is a list of applications for which Enterprise Single Sign-On functions are disabled. For more information about the blacklist, see Blacklist [page 43].
Authentication | Authentication allows you to access authentication-related tools and features, specifically Token Switching (Soft Token/Smart Card), Token Utility, and Certificates. For more information about authentication, see Authentication [page 44].

Depending on which node is clicked, a menu will appear above the information in the right pane, indicated by a row of icons. Depending on the task, one or more of the following icons will be available:

Icon | Description
(icon) | Add a new entry to the selected node.
(icon) | Modify an existing entry on the selected node.
(icon) | Remove an existing entry from the selected node.
(icon) | View an entry from the selected node.
(icon) | Create an application file <*.api> to be imported to the Enterprise Single Sign-On Management Console (coming soon).

2.3 Applications

The following information appears when you click the Applications node:


Open the E-SSO Learning Wizard

1. When you start a Windows application for the first time after Enterprise Single Sign-On installation, Enterprise Single Sign-On detects if the application requires authentication and automatically launches the E-SSO Learning Wizard.

2. The application registration dialog allows you to perform the following:
   - Click Register to register the application and, optionally, the credentials (proceed to the next section).
   - Click Later to register at a later time and close the application registration dialog.
   - Click Never to disable single sign-on functions for this application and close the application registration dialog. The application will be added to the blacklist. For more information about managing the blacklist, see Blacklist [page 43].

3. If the E-SSO Learning Wizard is not automatically launched, you can open the wizard either:
   - Via the Local Management Console, see Local Management Console (LMC) [page 8]: select Applications from the left pane of the dialog and click the add icon. You can also right-click Applications on the left pane of the Local Management Console and select Add in the context menu.
   - Via the system tray: Right-click the Enterprise Single Sign-On icon in the system tray and select Register New application.

Disable E-SSO Learning Wizard

To disable the E-SSO Learning Wizard, right-click the Enterprise Single Sign-On icon in the system tray and click Disable E-SSO Learning Wizard in the context menu.

2.3.2 Register a New Application

Use

If you intend to use Enterprise Single Sign-On for a Windows application (for example, Skype), you will first need to register the application. The E-SSO Learning Wizard is a feature that helps you register and update Windows application controls.

Procedure

1. Open the E-SSO Learning Wizard. See Open E-SSO Learning Wizard [page 12].


2. The Welcome to the E-SSO Learning Wizard dialog appears. Select Register a New Application and click Next.

3. The Select Window Function dialog appears. Select Login Dialog and click Next.

4. The Select the login dialog you want to register dialog appears. Drag the Select Dialog icon to the Windows application dialog that you want to register and click Next.

5. The logon parameters dialog appears, displaying the Locate icon next to each logon parameter.

6. If the application logon dialog has only one field, select Login dialog only has one password field.

7. Drag the Locate icon for each logon parameter to the specific field in the application dialog that you want to register.

   The User Name, Password and Submit (OK) Button are required fields. For logon dialogs with only one password field, the Password and Submit (OK) Button are required fields.

   Be careful during registration to choose the correct field or GUI element. Sometimes there are multiple elements very close to one another, and moving the mouse a few pixels locates a new element. Therefore you may find that even though the element looks correct, it is actually not.

8. The logon fields in the application will be highlighted and a checkmark icon is displayed next to the parameter to confirm that it has been linked. If you link the incorrect field, you can click the remove icon to remove the link.

9. Click Next.

10. The Enter Credentials dialog appears.

11. The Application field displays the name of the application.

12. In the succeeding fields, either:
    - Select a credential that has been previously added (for example, you use the same user name and password for Skype, Yahoo and company intranet) in the Credential name field. The entries for the User Name and Password fields will be automatically entered. Or…
    - Add a new credential by entering information into the Credential name, User Name or Password fields.

13. In the Preferences area:
    - Click Automatic login if you want to be automatically logged into the application when it is launched.
    - During first time registration, the Default Credential is selected and cannot be edited; this option will be enabled if you add another credential to this application.

14. Click Next.

    While entering information in this dialog is optional, Enterprise Single Sign-On will require you to link a credential to the application. You can do this by performing any of the following actions:
    - Modify the application and link it to a credential. See View and Edit Single Sign-On Options for an Application [page 27].
    - Add a new credential and link it to the application. See Add a New Credential [page 29].
    - Modify a credential and link it to the application. See View and Edit Credential Details [page 32].

    When you launch a registered application, Enterprise Single Sign-On automatically detects if the application is not linked to a credential. Click Yes to add a credential for the application.

15. The completion dialog appears; click Finish to close the dialog. The application and, optionally, the credentials are now registered to Enterprise Single Sign-On and are displayed on the Local Management Console. You can now use single sign-on to log on to this application. For more information, see Log In to a Windows Application [page 61].

16. To add another credential to an application, follow step 2 of this section. You are prompted with a message asking if you want to update the application. Click Yes, then proceed with the rest of the steps in this section.

2.3.3 Register a Password Change Dialog

Use

Register password change dialogs. This section is only applicable for applications already registered with Enterprise Single Sign-On.

Procedure

1. When an application password change dialog is launched, Enterprise Single Sign-On detects if the application requires registration. Enterprise Single Sign-On automatically launches the E-SSO Learning Wizard:
   - Click Yes to register the password change dialog and, optionally, change the credentials (proceed to step 6).
   - If the E-SSO Learning Wizard is not automatically launched, you can open the wizard via the system tray: Right-click the Enterprise Single Sign-On icon in the system tray and select Register New application.

2. The Welcome to the E-SSO Learning Wizard dialog appears. Select Register a New Application and click Next.

3. The Select Window Function dialog appears. Select Change Password Dialog and click Next.

4. The Select the Login Dialog you want to register dialog appears.

5. Drag the Select Dialog icon to the password change dialog that you want to register and click Next.

6. The logon parameters dialog appears, displaying the Field icon next to each logon parameter.

7. Drag the Field icon for each logon parameter to the specific field in the application dialog that you want to register.

8. The logon fields in the application will be highlighted and a checkmark icon is displayed next to the parameter to confirm that it has been linked. If you link the incorrect field, you can click the remove icon to remove the link.

9. Click Next.

10. The Enter the New and Confirmation Password dialog appears; the old password is entered per default.

11. In the Manual Change Password area, optionally enter a new password into the New Password and Confirm Password fields to change your password now.

12. The Auto Change Password area deals with future password changes. The following options are available:

Option | Description
Auto password change in the future | E-SSO automatically generates a new password every time the application password change dialog is launched. To enable this option: 1. In the Auto Change Password area, check the option Auto password change in future. 2. The drop-down menu Select Password Policy appears. Select the password policy for this credential. For more information on password policies, see Policies [page 39].
Notify me of auto password changes | If you select this option, a message dialog is displayed every time E-SSO automatically generates a new password. To enable this option: 1. In the Auto Change Password area, check the option Notify me of auto password changes. 2. The option Automatically change password in the future will also be enabled. If you have not selected the password policy for this credential, do it now.

13. After selecting the options, click Next. If you have entered a new password in the Manual Change Password area, proceed to the next step. If you have not entered a new password, proceed to step 15.


14. If you have entered a new password in the previous dialog, you are prompted to confirm if the password has been validated by the application. Click Next to confirm or Failed to go back to the previous dialog and enter a new password.

15. The completion dialog appears; click Finish to close the dialog. The password change dialog and, optionally, the credentials are now registered to Enterprise Single Sign-On and are displayed on the Local Management Console. You can now continue using single sign-on to log on to this application. For more information, see Log In to a Windows Application [page 61].

2.3.4 Register a Predefined Application

Use

Enterprise Single Sign-On has built-in predefined applications (for example, Yahoo Messenger and Google Talk). You have to define the credentials for the specific applications that you want to use.

Prerequisites

For System Administrators: Use a predefined applications file to distribute applications to Enterprise Single Sign-On. To start using the predefined applications, the application definition should be added to the predefined application file.

Procedure

1. Open the E-SSO Learning Wizard. See Open E-SSO Learning Wizard [page 12].

2. The Welcome to the E-SSO Learning Wizard dialog appears. Select Register a Predefined Application and click Next.


3. The Select the predefined application dialog appears.

4. Select the predefined application that you want to define and link to a credential, click Next, and proceed to step 6.

   The Select the predefined application dialog allows you to perform the following actions:

Option | Description
Add | Register and store the predefined application definition in the predefined application file. Click Next and proceed to the next step.
Export | Export a predefined application file from the default location to another location (for example, <C:\\temp\admin.pda>). Click Cancel to exit the dialog.
Import | Copy a predefined application file from another location (for example, <C:\\temp\admin.pda>) to the predefined application file location. Click Cancel to exit.

   Per default, the PDA files are stored, exported from and imported to %ALLUSERSPROFILE%\SAP\Signon\Predef\PreDefAp.pda.

5. The Enter Credentials dialog appears.


6. In the Login info area:
- The Application field displays the name of the application.
- In the next fields, either:
  - Select a credential that has been previously added from the drop-down box (recommended if you use the same user name and password for more than one application) in the Credential name field. The entries for the User Name and Password fields will be automatically entered. Or…
  - Add a new credential by entering information into the Credential name, User Name or Password fields.

7. In the Preferences area:
- Click Automatic login if you want to be automatically logged into the application when it is launched.
- During first time registration, the Default Credential is selected and cannot be edited; this option will be enabled if you add another credential to this application.

8. Click Next.

While entering information in this dialog is optional, Enterprise Single Sign-On will require you to link a credential to the application. You can do this by performing any of the following actions:
- Modify the application and link it to a credential. See View and Edit Single Sign-On Options for an Application [page 27].
- Add a new credential and link it to the application. See Add a New Credential [page 29].
- Modify a credential and link it to the application. See View and Edit Credential Details [page 32].

When you launch a registered application, Enterprise Single Sign-On automatically detects if the application is not linked to a credential. Click Yes to add a credential for the application:

9. The completion dialog appears. Click Finish to close the dialog. The application and, optionally, the credentials are now registered to Enterprise Single Sign-On and can be viewed, edited or removed via the Local Management Console.


2.3.5 Register a Terminal Emulator Application

Use
Enterprise Single Sign-On automatically detects a terminal emulator application logon dialog and launches the wizard to register for single sign-on use.

Procedure
1. Launch the terminal emulator application and connect to the server.
2. When a terminal emulator application logon dialog is launched, Enterprise Single Sign-On detects that the application requires registration. Enterprise Single Sign-On automatically launches the E-SSO Learning Wizard:

3. The application registration dialog allows you to perform the following:
- Click Register to register the terminal emulator application and, optionally, the credentials (proceed to the next step).
- Click Later to register at a later time and close the application registration dialog.
- Click Never to disable single sign-on functions for this application and close the application registration dialog. The application will also be added to the blacklist. For more information on managing the blacklist, see Blacklist [page 43].

4. The Enter Credentials dialog appears:

5. The Application field displays the name of the application.
6. The Host field displays the IP address of the server.
7. You can optionally enter information in the succeeding fields; to do this, either:
- Select a credential that has been previously added (for example, you use the same user name and password for Skype, Yahoo and company intranet) in the Credential name field. The entries for the User Name and Password fields will be automatically entered. Or…
- Add a new credential by entering information into the Credential name, User Name or Password fields.


8. In the Terminal Application Install Path area, click the button. The file explorer dialog appears:

9. Locate the folder where the terminal emulator application installer is located (for example, <C:\Program Files\PASSPORT>) and click OK.

You need to specify the exact location of the installation package. Otherwise, you cannot successfully register the application.

10. The Enter Credentials dialog re-appears; click Finish to complete the configuration. You can now use single sign-on to log on to this terminal emulator application. For more information, see Register a Terminal Emulator Application [page 22].

2.3.6 Register IBM Personal Communicator for an IBM Series System

Use
This section details how to register IBM Personal Communicator for an IBM Series System for E-SSO.

Prerequisites
For System Administrators: There is a scenario when the host is not displayed on the IBM iSeries status bar on the bottom of the logon dialog. If this scenario occurs, perform the following operations on the client and server.

1. On the server:

Add the ADM file Signon.adm from the Enterprise Single Sign-On package. Configure the parameters of the terminal emulator host as follows:


- One of the hosts should reference the name of the Hostname or IP that the user will be connecting to (for example, the first host is referenced as Pub1.rzkh.de).
- One of the hosts should reference ‘*’ as the Hostname. This is important for scenarios when the host is not displayed on the IBM iSeries status bar on the bottom of the logon dialog (for example, the second host is referenced as ‘*’).
- Run the command gpupdate /force to apply the policy to the client.

For more information about terminal emulator host configuration, see the Enterprise Single Sign-On Installation and Configuration Guide.


2. On the client computer: Make sure that the settings have been properly configured prior to registration and the Host Terminal for AS/400 is configured in the Registry Editor, folder HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\signon\Terminal:

Procedure
1. Start a new session on IBM Personal Communications. In the Configuration dialog, select the appropriate host and click OK. In the Account Information dialog, type the appropriate logon.

2. Enterprise Single Sign-On detects if the application requires registration. Enterprise Single Sign-On automatically launches the E-SSO Learning Wizard:
- Click Register to register IBM Personal Communications.
- Click Later to register at a later time and close the application registration dialog.
- Click Never to disable single sign-on functions for this application and close the application registration dialog. The application will also be added to the blacklist. For more information on managing the blacklist, see Blacklist [page 43].

3. The Enter Credentials dialog appears:

4. The Application field displays the name of the application.
5. You can optionally enter information in the succeeding fields; to do this, either:
- Select a credential that has been previously added in the Credential name field. The entries for the User Name and Password fields will be automatically entered. Or…
- Add a new credential by entering information into the Credential name, User Name or Password fields.

6. Click Finish.
7. The first logon dialog is successfully registered.


8. Enterprise Single Sign-On will now detect the second logon dialog:

In the scenario displayed in the figure above, the string I902 is displayed on the bottom of the dialog. Enterprise Single Sign-On therefore detects the host with the Hostname ‘*’.

- Click Register to register IBM Personal Communications.
- Click Later to register at a later time and close the application registration dialog.
- Click Never to disable single sign-on functions for this application and close the application registration dialog. The application will also be added to the blacklist. For more information on managing the blacklist, see Blacklist [page 43].

9. The Enter Credentials dialog appears:

10. The Application field displays the name of the application.
11. You can optionally enter information in the succeeding fields; to do this, either:
- Select a credential that has been previously added in the Credential name field. The entries for the User Name and Password fields will be automatically entered. Or…
- Add a new credential by entering information into the Credential name, User Name or Password fields.

12. In the Terminal Application Install Path area, click the button. Locate the folder where the terminal emulator application installer is located and click OK.


You need to specify the exact location of the installation package. Otherwise, you will not be able to successfully register the application.

13. Click Finish. The IBM Personal Communicator displays that the logon is successful.
14. You can now exit the window. You are prompted to save the session. It is recommended that you save the session for future logons.

2.3.7 View and Edit Single Sign-On Options for an Application

Use
View and edit an application entry.

Procedure
1. Open the Local Management Console (see Local Management Console (LMC) [page 8]) and select Applications from the left pane of the dialog. All registered applications are displayed in the right pane of the dialog.

2. To view single sign-on options for an application, either:
- Double-click the application entry in the right pane, or…
- Expand the Windows, Web and/or Terminal Emulator nodes in the left pane to display applications according to type and select the specific application.

3. The right pane displays application-specific details:

4. To edit the single sign-on options for an application, click . The following options appear:


Option: Detail area (for Windows and Web applications)
Description:
- Application name: To edit, click the application name. A blinking cursor indicates that you can edit the application name.
- Enabled: Check this option to allow the E-SSO functions to run on the selected application.
- Auto Logon: Check this option to facilitate an automatic application logon without having to click the submit button.
- Auto Change Password: When the password change dialog is launched, the system automatically generates a new password.
- Notify me of Auto Password Changes: If you select this option, a message dialog is displayed every time E-SSO automatically generates a new password.
- Apply Password Policy: Check this box if you want to apply a password policy to this application, and select the policy from the drop-down menu. By default, the Windows password policy is applied to Windows applications and the Web password policy is applied to Web applications. For more information on password policies, see Policies [page 39].
- Terminal application install path (for terminal emulator applications only): To change the install path, click the button. Locate the folder where the terminal emulator application installer is located (for example, <C:\Program Files\PASSPORT>) and click OK.

Option: Linked Credentials area
Description: The Linked Credentials area displays the list of credentials that are linked to the selected application. If the selected application does not have any credentials linked to it, the Name field is blank.
- Name: Name of the credentials that are linked to the selected application.
- Default: If there is only one credential linked to the selected application, this is the default credential. If there is more than one credential linked to the selected application, check the Default box corresponding to the credential that you want to assign as default.
- Link icon: Use this icon to link the selected application to a credential.
- Unlink icon: Select the credential that you want to unlink from the Name list and click the Unlink icon. The credential that you have unlinked is removed from the Name list.

5. Click Apply to save the changes.


2.4 Credentials

The following information appears when you click the Credentials node:

If you expand Credentials in the left pane of the Local Management Console, all credentials stored within Enterprise Single Sign-On are displayed. Click the Credentials node to display the following credential details in the right pane:

Details      Description
Name         Displays the credential names
User Name    Displays the User Name for each credential

If you click the credential entry (either in the left or right pane), the right pane displays the following details of the registered credentials:


Parameter: Detail area
Description:
- Name: A name that defines the credential.
- User Name: User name of the credential. The field next to User Name defines the key that terminates the User Name field.
- Password: Password for the credential. The field next to Password defines the key that terminates the Password field.
- Parameter 1/Parameter 2/Parameter 3: These are optional fields for additional credential parameters other than user name and password.
- Protected entry: If checked, the entry is protected from being deleted from the smart card or soft token.
- Hidden entry: If checked, you cannot use the credential for drag & drop. This parameter is checked by default.

If you modify and uncheck this parameter, the credential entry is categorized as a drag & drop credential. For more information on the drag & drop feature, see Drag & Drop Credentials [page 34].

Parameter: Linked Applications area
Description: The Linked Applications area shows the list of applications to which the selected credential is linked.
- Link icon: Use this icon to link the selected credential to an application.
- Unlink icon: Select the application that you want to unlink from the Name list and click the Unlink icon. The credential that you have unlinked is removed from the Name list.

The Credentials node and subnodes allow you to perform the following actions:


- Click to add a credential. You can also right-click Credentials on the left pane of the Local Management Console and select Add in the context menu. For more information, see Add a New Credential [page 31].
- Click to modify credential details (applied to subnodes). For more information, see View and Edit Credential Details [page 32].
- Click or press Del on your keyboard to delete a credential. You can also right-click the credential that you want to delete on the left pane of the Local Management Console and select Delete in the context menu.

2.4.1 Add a New Credential

Use
Credentials are normally added in the E-SSO Learning Wizard during application registration (see Register a New Application [page 12]). However, you may need to add a credential prior to application registration if you are going to link it to several applications (for example, you want to link the same credential to Skype, Yahoo, and company intranet).

Procedure
1. Open the Local Management Console (see Local Management Console (LMC) [page 8]), select Credentials from the options in the left pane of the dialog and click . You can also right-click Credentials on the left pane of the Local Management Console and select Add in the context menu.

2. The New Credential dialog appears.

Enter credential parameters (see Credentials [page 29]).

3. In the Linked Applications area, use the following buttons to link and unlink applications and credentials:
- Add: Select the application from the Available Applications box and click the Add button.


- Remove: Select the application from the Linked Applications box and click the Remove button.

4. Click OK to save changes.

2.4.2 View and Edit Credential Details

Use
View and edit credential options.

Procedure
1. Open the Local Management Console (see Local Management Console (LMC) [page 8]) and select Credentials from the left pane of the dialog. All existing credentials are displayed in the right pane of the dialog.

2. To view credential information, click the credential entry (either on the left or right pane).
3. The dialog displays specific credential details:

4. Select the credential entry to be edited from the left or right pane, and click .


5. The Edit Credential dialog appears:

For more information on these credential parameters, see Credentials [page 29].

6. To change the single sign-on password, click the Modify button.
7. You are prompted to enter your PIN. Enter your PIN and click OK.
8. The Modify Password dialog appears:

9. Enter your new password into the New Password and Confirmation fields and click OK.
10. The Edit Credential dialog re-appears. Click the Apply button to save the changes.


2.5 Drag and Drop Credentials

The following information appears when you click the Drag & Drop Credentials node:

If you expand Drag & Drop Credentials in the left pane of the Local Management Console, all the Drag & Drop Credentials stored within Enterprise Single Sign-On are displayed. Click the Drag & Drop Credentials node to display the following credential details in the right pane:

Details      Description
Name         Displays the drag & drop credential names
User Name    Displays the user name for each drag & drop credential

If you click the drag & drop credential entry (either in the left or right pane), the right pane displays the following details of the registered Drag & Drop Credentials:


Parameter: Detail area
Description:
- Name: A name that defines the drag & drop credential (Max. 20 characters).
- User Name: User name of the drag & drop credential. The field next to User Name defines the key that terminates the User Name field (Max. 128 characters).
- Password: Password for the drag & drop credential. The field next to Password defines the key that terminates the Password field.
- Parameter 1/Parameter 2/Parameter 3: These are optional fields for additional drag & drop credential parameters other than user name and password.
- Protected entry: If checked, the entry is protected from being deleted from the smart card or soft token.
- Hidden entry: This parameter is unchecked by default.

If you modify and check this parameter, the credential entry is categorized as a regular credential and you cannot use the credential for drag & drop. For more information on credentials, see Credentials [page 29].

Parameter: Linked Applications area
Description: The Linked Applications box shows the list of applications to which the selected drag & drop credential is linked.

The Drag & Drop Credentials node and subnodes allow you to perform the following actions:
- Click to create a new Drag & Drop credential. You can also right-click Drag & Drop Credentials on the left pane of the Local Management Console and select Add in the context menu. For more information, see Add a New Drag and Drop Credential [page 36].
- Click to modify credential details (applied to subnodes). For more information, see View and Edit Drag and Drop Credential Details [page 37].
- Click or press Del on your keyboard to delete a credential. You can also right-click the credential that you want to delete on the left pane of the Local Management Console and select Delete in the context menu.
- Use the (User Name), (Password), (Parameters) and (Drag & Drop Credentials) icons for single sign-on to special applications and Websites. For more information, see Log In to Special Applications Using the Drag & Drop Feature [page 63].
- Click in the Linked Applications area to link an application to the selected credential.
- To un-link an application to the selected credential, select the application in the Linked Applications area and click .

2.5.1 Add a New Drag and Drop Credential

Use
Add a new drag and drop credential.

Procedure
1. Open the Local Management Console (see Local Management Console (LMC) [page 8]), select Drag & Drop Credentials from the options in the left pane of the dialog and click . You can also right-click Drag & Drop Credentials on the left pane of the Local Management Console and select Add in the context menu.

2. The New Credential dialog appears:

Enter credential parameters (see Drag & Drop Credentials [page 34]).


You cannot uncheck the Hidden entry option.

3. In the Linked Applications area, use the following buttons to link and unlink applications and credentials:
- Add: Select the application from the Available Applications box and click the Add button.
- Remove: Select the application from the Linked Applications box and click the Remove button.

4. Click OK to save changes.

2.5.2 View and Edit Drag and Drop Credential Details

Use
View and edit drag and drop credential options.

Procedure
1. Open the Local Management Console (see Local Management Console (LMC) [page 8]) and select Drag & Drop Credentials from the left pane of the dialog. All existing Drag & Drop Credentials are displayed in the right pane of the dialog.

2. To view drag & drop credential information, click the drag & drop credential entry (either on the left or right pane).

3. The dialog displays specific drag & drop credential details:

4. Select the drag & drop credential entry to be edited from the left or right pane, and click .


5. The Edit Credential dialog appears:

For more information on these drag & drop credential parameters, see Drag & Drop Credentials [page 34].

6. To change the single sign-on password, click the Modify button.
7. You are prompted to enter your PIN or E-SSO password. Enter it and click OK.

8. The Modify Password dialog appears:

9. Enter your new password into the New Password and Confirm New Password fields and click OK.

10. The Edit Credentials dialog re-appears. Click the Apply button to save the changes.


2.6 Policies

The following information appears when you click the Policies node:

If you expand Policies in the left pane of the Local Management Console, it displays the Password Policies subnode.

If you expand the Password Policies subnode, all the password policies stored within Enterprise Single Sign-On are displayed on the left and right panes. By default, the Microsoft Windows Password Policy is applied to Windows applications and the Web Password Policy is applied to Web applications/Websites.

The Policies node and subnodes allow you to perform the following actions:
- Click to add a password policy. You can also right-click Password Policies on the left pane of the Local Management Console and select Add in the context menu. For more information, see Add a New Policy [page 40].
- Click to modify the values of the password policy attributes. For more information, see Edit the Attributes of a Password Policy [page 41].
- Click or press Del on your keyboard to delete a password policy. You can also right-click the policy that you want to delete on the left pane of the Local Management Console and select Delete in the context menu.
- Click to create a password policy file <*.PLC> to be imported to the Enterprise Single Sign-On Management Console (coming soon).


2.6.1 Add a New Password Policy

Use
Add a new password policy.

Procedure
1. Open the Local Management Console (see Local Management Console (LMC) [page 8]), select Policies > Password Policies from the options in the left pane of the dialog and click .

2. The New Policy dialog appears prompting you to enter a policy name:

3. Enter a policy name to describe the new password policy and click OK.
4. The dialog displays specific policy attributes:

5. The password attributes of the new policy are set with default values. To modify the values of these attributes, click . See Edit the Attributes of a Password Policy [page 41] for details on how to edit the attributes of a password policy.


2.6.2 Edit the Attributes of a Password Policy

Use
Edit the attributes of a password policy.

Procedure
1. Open the Local Management Console (see Local Management Console (LMC) [page 8]), select Policies > Password Policies from the options in the left pane of the dialog. To view the password policy attributes, click the password policy entry on the left pane or double-click the entry in the right pane.

2. The dialog displays specific policy attributes. Click .
3. The dialog displays the fields in editable mode:

The following attributes are available and can be edited:

Attribute: Password length
Value: Min, Max
Details: Enter allowed min value (no less than 6). Enter allowed max value (no more than 128). The system automatically sets the maximum password length if the sum of all minimum values of the character sets is greater than the entered maximum password length.

Attribute: Upper case characters [A,Z]; Lower case characters [a,z]; Number characters [0,9]; Special characters
Value: Forbidden/Allowed/Mandatory
Details: A character set may be forbidden, allowed or mandatory:
- Forbidden – User cannot use any character in this character set for the password.
- Allowed – User can optionally use any character in this character set for the password.
- Mandatory – User is required to use characters in this character set for the password. If Mandatory is selected, enter the minimum number of characters required for the character set.

Attribute: Allowed special characters
Value: All special characters in the English keyboard
Details: User can use any special character entered in this string. The following special characters are allowed: !@#$%^&*()_-+=?><,./:;'~`\|{}[]

Attribute: Begin with uppercase character
Value: Enabled/Disabled
Details: If this attribute is enabled, the user is required to enter a password that begins with an uppercase character.

Attribute: Allow sequential characters
Value: Enabled/Disabled
Details: If this attribute is enabled, the user can enter a password that contains an ordered list of ASCII characters (for example, 1234 and ABCD).

Attribute: Allow duplicate characters
Value: Enabled/Disabled
Details: If this attribute is enabled, the user can use a duplicate character (not case sensitive) in the password (for example, ACDA contains duplicate characters and ACDa does not).

Attribute: Allow repeated characters
Value: Enabled/Disabled
Details: If this attribute is enabled, the user can use a consecutively repeated character in the password (for example, AA19 contains repeated characters and A19A does not).

4. Click the Apply button to save the changes. You can now link this password policy to an application. For more information, see Register a Password Change Dialog [page 16].
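The password policy attributes described above can be applied outside the product, for example to pre-check candidate passwords or to audit how restrictive a policy is. The following Python validator is an added example, not SAP's code: all class and function names, the default values and the three-character run length for "sequential" are assumptions, raising the maximum length to the sum of the mandatory minimums is one reading of the Password length row, and duplicate detection follows the guide's ACDA/ACDa example (exact match).

```python
from dataclasses import dataclass, field
from enum import Enum

# Special characters listed in the guide's "Allowed special characters" row.
GUIDE_SPECIALS = "!@#$%^&*()_-+=?><,./:;'~`\\|{}[]"
# Each character set is forbidden, allowed or mandatory.
Rule = Enum("Rule", "FORBIDDEN ALLOWED MANDATORY")


@dataclass
class CharSet:
    rule: Rule = Rule.ALLOWED
    minimum: int = 1  # only consulted when rule is MANDATORY


@dataclass
class PasswordPolicy:
    # Defaults are assumptions; the guide does not list the product's defaults.
    min_length: int = 6
    max_length: int = 128
    upper: CharSet = field(default_factory=CharSet)
    lower: CharSet = field(default_factory=CharSet)
    digits: CharSet = field(default_factory=CharSet)
    special: CharSet = field(default_factory=CharSet)
    allowed_specials: str = GUIDE_SPECIALS
    begin_with_upper: bool = False
    allow_sequential: bool = True
    allow_duplicates: bool = True
    allow_repeated: bool = True
    sequence_run: int = 3  # assumption: the guide gives no run length

    def __post_init__(self):
        if not 6 <= self.min_length <= self.max_length <= 128:
            raise ValueError("need 6 <= min_length <= max_length <= 128")

    def effective_max(self) -> int:
        """Raise the maximum when the mandatory minimums do not fit in it."""
        sets = (self.upper, self.lower, self.digits, self.special)
        needed = sum(s.minimum for s in sets if s.rule is Rule.MANDATORY)
        return max(self.max_length, needed)


def has_sequence(password: str, run: int) -> bool:
    """True if `run` adjacent characters have ascending code points (1234)."""
    streak = 1
    for prev, cur in zip(password, password[1:]):
        streak = streak + 1 if ord(cur) - ord(prev) == 1 else 1
        if streak >= run:
            return True
    return False


def has_duplicate(password: str) -> bool:
    """Exact-match comparison, following the guide's ACDA / ACDa example."""
    return len(set(password)) < len(password)


def has_repeat(password: str) -> bool:
    """True if a character is immediately repeated (AA19, but not A19A)."""
    return any(a == b for a, b in zip(password, password[1:]))


def check(password: str, policy: PasswordPolicy) -> list:
    """Return the policy violations found; an empty list means compliant."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("too_short")
    if len(password) > policy.effective_max():
        problems.append("too_long")

    counts = {"upper": 0, "lower": 0, "digits": 0, "special": 0}
    for ch in password:
        if "A" <= ch <= "Z":
            counts["upper"] += 1
        elif "a" <= ch <= "z":
            counts["lower"] += 1
        elif "0" <= ch <= "9":
            counts["digits"] += 1
        elif ch in policy.allowed_specials:
            counts["special"] += 1
        elif "char_not_permitted" not in problems:
            problems.append("char_not_permitted")
    for name, count in counts.items():
        charset = getattr(policy, name)
        if charset.rule is Rule.FORBIDDEN and count:
            problems.append(f"forbidden_{name}")
        elif charset.rule is Rule.MANDATORY and count < charset.minimum:
            problems.append(f"missing_{name}")

    if policy.begin_with_upper and not "A" <= password[:1] <= "Z":
        problems.append("must_begin_with_upper")
    if not policy.allow_sequential and has_sequence(password, policy.sequence_run):
        problems.append("sequential")
    if not policy.allow_duplicates and has_duplicate(password):
        problems.append("duplicate")
    if not policy.allow_repeated and has_repeat(password):
        problems.append("repeated")
    return problems
```

Disabling Allow sequential, Allow duplicate and Allow repeated characters together shrinks the space of acceptable passwords, so a generated password should be run through `check` against the same policy before it is submitted to the application.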


2.7 Blacklist

Use
A blacklist is a list of applications where single sign-on functions are disabled.

Procedure
The following information appears when you click the Blacklist node:

The Blacklist node allows you to:
- View the list of applications and Websites on the blacklist.
- Click or press Del on your keyboard to remove an application or Website from the blacklist.
- Click to create a blacklist file <*.BLL> to be imported to the Enterprise Single Sign-On Management Console (coming soon).

To add applications and Websites to the blacklist: To blacklist an application, see Using the E-SSO Learning Wizard to Register and Update Application Controls [page 11] and Register a Website and Credential Information [page 52].


2.8 Authentication

Use
The Authentication node contains the tools for managing your smart card and soft token.

Procedure
Access the following tools via the Authentication node:

Subnode: Soft Token/Smart Card
Description: Allows you to switch token in use from smart card to soft token or soft token to smart card. See Token Type Switching [page 45] for more information.

Subnode: Copy Token Contents
Description: Allows you to synchronize the contents of smart card and the contents of the soft token. See Enterprise Single Sign-On Soft-Token Utility [page 45] for more information.

Subnode: Smart Card > Certificates
Description: Allows you to view certificates on the smart card, install certificates to the certificate store and export certificates to a system folder. For more information, see Certificates [page 49].

Subnode: Soft Token > Import/Export Soft Token
Description:
- Export soft token: Export a soft token to a user-defined location from the credential store. For more information, see Export Soft Token [page 47].
- Import soft token: Import a soft token from a user-defined location to the credential store. For more information, see Import Soft Token [page 48].

Subnode: Soft Token > Password Options
Description: Troubleshoot soft token-related problems.

2.8.1 Token Type Switching

Use
The Token Switching (Soft Token/Smart Card) feature allows you to change the token in use (for example, switch from a smart card to a soft token or switch from soft token to smart card).

Prerequisites
- Windows XP: You need administrator rights to use this feature.
- Windows Vista/Windows 7: The User Account Control dialog appears (providing User Account Control is active). To continue the installation process, select the option Allow – I trust this program. I know where it’s from or I’ve used it before. The installation automatically continues.

Procedure
1. To open the Token Type dialog, select Authentication > Token Type on the Local Management Console.
2. The Token Type dialog appears:

3. Select the token type that you want to use and click Apply.
4. You are prompted to restart your system:

5. Click Yes to restart your computer.

When switching from smart card to soft token and you have two smart card readers connected to your computer, you may be prompted with the error Smart card is not available. This happens when the card reader name is changed according to the USB slot number. If you receive this error message, restart your computer and go to the E-SSO Card Configuration Tool to set the correct smart card reader. See E-SSO Card Configuration Tool [page 64].


2.8.2 Enterprise Single Sign-On Soft-Token Utility

Use
The Enterprise Single Sign-On Soft-Token Utility allows you to synchronize soft token credential entries with smart card credential entries.

Procedure
1. Open the Local Management Console (see Local Management Console (LMC) [page 8]) and select Authentication > Enterprise Single Sign-On Soft-Token Utility from the left pane.

2. You are asked to enter your smart card and/or soft token PIN.

PIN pad users: If smart card authentication is required, you are prompted to enter your smart card PIN using the PIN pad:

3. The Enterprise Single Sign-On Soft Token Utility appears, displaying the credential entries stored on the smart card and soft token:

4. Select the credential entry and click or icon to synchronize a specific entry.
5. Click Refresh to update the list of currently synchronized credential entries.
6. Click Exit to close the dialog.


2.8.3 Import/Export Soft Token (Soft Token Mode)

Use
Export soft token: Export a soft token to a user-defined location from the credential store. For more information, see Export Soft Token [page 47].
Import soft token: Import a soft token from a user-defined location to the credential store. For more information, see Import Soft Token [page 48].

Export Soft Token
1. Open the Local Management Console (see Local Management Console (LMC) [page 8]) and select Authentication > Soft Token > Import/Export Soft Token from the left pane.
2. The Import/Export Soft Token dialog appears:
3. Select Export soft token then click the Browse button.
4. The Select soft token file dialog appears:
   Navigate to the folder where the soft token is exported to.
   Enter a soft token file name into the File name field and click Open.
5. The Import/Export Soft Token Credentials dialog re-appears displaying the selected soft token file location. Click OK.
6. You are prompted to enter the E-SSO password. See Initial Soft Token Logon [page 7] for information on assigning your E-SSO password.
7. Enter the password and click OK to export the soft token to the specified location.


Import Soft Token
1. Open the Local Management Console (see Local Management Console (LMC) [page 8]) and select Authentication > Soft Token > Import/Export Soft Token from the left pane.
2. The Import/Export Soft Token Credentials dialog appears:
3. Select Import soft token and click the Browse button.
4. The Select soft token file dialog appears:
5. Navigate to the folder and select the soft token to be imported.
6. Click Open.
7. The Import/Export Soft Token Credentials dialog re-appears displaying the selected soft token file location. Click OK.
8. You are prompted to enter the E-SSO password. See Initial Soft Token Logon [page 7] for information on assigning your E-SSO password.
9. Enter the password and click OK to import the specified soft token.


2.8.4 Certificates (Smart Card Mode)

To open the Certificates subnode, select Authentication > Smart Card > Certificates on the Local Management Console. The following information appears when you click the Certificates subnode:

Use this dialog to view certificates, install certificates to the certificate store and export certificates to a system folder. The right pane displays all the certificates stored on the smart card. This dialog allows you to perform the following actions:

Click to view certificates. For more information, see View Certificates [page 49].
Install a certificate into the Microsoft Certificate Store and export a certificate to a system folder. For more information, see Where to Get Other Information [page 50].

2.8.4.1 View Certificates on Smart Card

Use
View and examine certificates.

Procedure
1. Open the Local Management Console (see Local Management Console (LMC) [page 8]) and select Authentication > Smart Card > Certificates from the left pane. All certificates stored on the smart card are displayed in the right pane of the dialog. Select a certificate from the list and click View (you can also double-click the certificate to view).


2. The Certificates dialog appears:

3. Examine the certificate by clicking the tabs General, Details, and Certificate Path. For more information on these tabs, see the Microsoft proprietary documentation, or click the certificates link at the bottom of the General tab to view online help.

4. Click OK to close the dialog.

2.8.4.2 Where to Get Other Information

View Certificates
For information about viewing, importing, and exporting certificates under Windows XP, Windows Vista, and Windows 7, see http://www.microsoft.com.

2.9 Enterprise Single Sign-On to Web Applications (Web SSO)

Use
Enterprise Single Sign-On allows you to log on to Web applications or Websites that use a logon dialog (for example, http://mail.yahoo.com/). To allow for this functionality, Enterprise Single Sign-On integrates a toolbar into the Internet browser and is automatically activated after completing Enterprise Single Sign-On installation.

Supported Browsers
The following browsers are supported by Web E-SSO:
Internet Explorer (versions 6, 7 and 8)
Firefox (versions 3, 4, 6)


2.9.1 Enterprise Single Sign-On Web Toolbar and Icons

Use
To use Enterprise Single Sign-On Web E-SSO, a toolbar is integrated into the browser and is automatically activated after completing Enterprise Single Sign-On installation.

Procedure
When you launch a browser, the Enterprise Single Sign-On Web toolbar is presented on the top right side of the browser:

The Enterprise Single Sign-On Web toolbar allows you to perform the following actions:

Click Local Management Console to launch the Local Management Console. For more information, see Local Management Console (LMC) [page 8].

Click Fill to automatically fill the logon fields. This icon is only enabled if the credentials are stored on your token and if the Automatic Login feature is disabled. For more information, see Using Web E-SSO [page 62].

Click Save to register the Website for single sign-on. For more information, see Register a Website and Credential Information [page 52].

Click Automatic Login to enable (green icon) or disable (red icon) the Automatic Login feature. The Automatic Login feature allows you to log on to a Website without having to enter the credentials and click the submit button.

Click Favorites to view the list of Websites that are registered to Web single sign-on. For more information, see Using Web E-SSO [page 62].
   Favorites only apply to web forms, not for web-basic authentication.

Click Reload to reload a page if E-SSO has problems recognizing a change password page. For more information, see Using Web E-SSO [page 62].


2.9.2 Register a Website and Credential Information

Use
If you intend to use Enterprise Single Sign-On for a Web application or Website, you first need to register the Website and credential information.

Procedure
1. When you start a Web application for the first time after Enterprise Single Sign-On installation, Enterprise Single Sign-On detects if the Website requires authentication. Enterprise Single Sign-On automatically launches the Web E-SSO registration dialog:

2. Perform any of the following:
   Register the Website and credentials (see the next step to proceed).
   Click Later to register at a later time and close the Web E-SSO registration dialog.
   Click Never to disable single sign-on functions for this application and close the application registration dialog. The application is also added to the blacklist. For more information on managing the blacklist, see Blacklist [page 43].


Depending on the settings set by your system administrator, the Web E-SSO registration dialog might not launch automatically. You can open the dialog by clicking the Save button on the Enterprise Single Sign-On Web toolbar.

Enterprise Single Sign-On launches the Web E-SSO registration dialog:

3. On the Register this webpage area, select any of the following options:

Option: Description

Domain name: Select this option to register the domain (for example, http://yahoo.com). By selecting this option, Enterprise Single Sign-On automatically logs on to a Website, all its sub-domains, and URLs using the same credentials. For example, the same user credentials are used to log on to http://yahoo.com and its sub-domains http://mail.yahoo.com and http://webmessenger.yahoo.com/.

Fully qualified domain name: Select this option to register the fully qualified domain name or sub-domain (for example, http://mail.yahoo.com). In this case, Enterprise Single Sign-On automatically logs on to a Website and URLs using the same credentials. For example, a user registered the sub-domain http://mail.yahoo.com and its respective credentials. Now, if the user:
   logs in to URL https://login.yahoo.com/config/login_verify2?&.src=ym, the same credentials will be used to automatically sign in.
   logs in to domain http://yahoo.com, the user will need to register a new credential (step 1 of this section).

URL: Select this option to register the whole URL without the query string. It is recommended to use this option if you need to register two different URLs with the same domain name and same fully qualified domain name.

To add a domain name, fully qualified domain name, or full URL to the blacklist, select an option from the Register this webpage area and click Never.


4. Enter the credentials. To do this, either:
   Select a credential that has been previously added (for example, you use the same user name and password for Skype, Yahoo and the company intranet) in the Credential name field. The entries for the User Name and Password fields will be automatically entered. Or...
   Add a new credential by entering information into the Credential name, User name or Password fields.
5. Select Automatic Login to enable the Automatic Login feature for this Website and credential.
6. Click Register or OK to save the credential.
7. If the credentials entered are correct, you will be automatically logged in to the Website.

You can view, edit and delete the Websites and credentials registered to single sign-on in the Local Management Console. For more information, see the following sections:
To view, edit or delete a Web application or Website, see Applications [page 10].
To view, edit or delete a credential for a Website, see Credentials [page 29].

To register another credential for the same Website (should Automatic login be disabled on the Enterprise Single Sign-On Web toolbar): On the Website logon page, click the Save button on the Enterprise Single Sign-On Web toolbar. The Web E-SSO registration dialog appears:

Enter credentials as described in step 3 of this section. Select the Use as Default option if you want this credential to be the default login for this Website.
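
The three Register this webpage scopes from step 3 decide how many sites a stored credential is offered to. The following JavaScript is an added illustration, not SAP code, and models only the scope rules stated in the table. Assumptions: the domain name is the last two host labels, the scheme is ignored, and every function name is hypothetical.

```javascript
// Added example: a simplified model of the Domain name / Fully qualified
// domain name / URL registration scopes. It is not the product's matching logic.

// Assumption: the "domain name" is the last two host labels. Production code
// needs the Public Suffix List to handle suffixes such as co.uk correctly.
function domainName(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Key stored at registration time for the chosen scope.
function registrationKey(rawUrl, scope) {
  const u = new URL(rawUrl);
  const host = u.hostname.toLowerCase();
  switch (scope) {
    case "domain":
      return domainName(host);
    case "fqdn":
      return host;
    case "url":
      // "Whole URL without the query string": host plus path only.
      return host + u.pathname;
    default:
      throw new Error("unknown scope: " + scope);
  }
}

function register(rawUrl, scope) {
  return { scope, key: registrationKey(rawUrl, scope) };
}

// Does a visited page fall under a stored registration?
function isCovered(registration, visitedUrl) {
  const host = new URL(visitedUrl).hostname.toLowerCase();
  if (registration.scope === "domain") {
    // Compare on whole labels. A plain suffix test would also accept
    // look-alike hosts such as notyahoo.com for a yahoo.com registration.
    return host === registration.key || host.endsWith("." + registration.key);
  }
  return registrationKey(visitedUrl, registration.scope) === registration.key;
}

// Constructed sample URLs; the yahoo.com names are the ones used in the table.
function demo() {
  const visited = [
    "http://yahoo.com/",
    "http://mail.yahoo.com/inbox?folder=1",
    "http://webmessenger.yahoo.com/",
    "http://notyahoo.com/",
    "http://yahoo.com.example.net/",
  ];
  const rows = [];
  for (const scope of ["domain", "fqdn", "url"]) {
    const reg = register("http://mail.yahoo.com/inbox", scope);
    for (const v of visited) {
      rows.push({ scope, key: reg.key, visited: v, covered: isCovered(reg, v) });
    }
  }
  return rows;
}

console.table(demo());
```

The wider the scope, the more hosts receive the stored credential, so the Domain name option is best kept for sites where every sub-domain is trusted to receive it.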

2.9.3 Password Change for a Website

Use
If you intend to use Enterprise Single Sign-On for a Web application or Website, you will first need to register the Website and credential information.

Procedure
1. When a user opens a password change page on a website, Enterprise Single Sign-On detects if the password change feature for this web site has already been registered. If not, Enterprise Single Sign-On automatically launches the Web E-SSO change password dialog.

2. If the Web E-SSO Change Password dialog is not automatically launched, you can open the dialog by clicking on the Enterprise Single Sign-On Web toolbar.

If the Save button is not active, click the Reload button on the E-SSO toolbar to reload the page.


3. The Web E-SSO Change Password dialog appears:

4. The following options are available:
   Manual: Enter a new password into the New Password and Confirm Password fields and click Change.
   Automatic: To generate a password based on the defined password policy, select Auto Generate and click Change.

The generated password will be based on the password policy assigned to that website, providing a policy has been assigned.

5. You can set the password policy by editing the application single sign-on options. For further information, see section 2.3.7 View and Edit Single Sign-On Options for an Application.

2.9.4 How to Activate or Deactivate the Enterprise Single Sign-On Web Toolbar

Use
If you intend to use Enterprise Single Sign-On for a Web application or Website, you will first need to register the Website and credential information.

Procedure
1. Right-click the command bar at the top right side of the browser.
2. Check or uncheck Enterprise Single Sign-On to activate or deactivate the Enterprise Single Sign-On toolbar.

Mozilla Firefox users: The Web E-SSO plug-in will not be available if you installed Enterprise Single Sign-On before installing Firefox. To enable your Enterprise Single Sign-On Web toolbar, contact your system administrator to install the Web Single Sign-On Firefox Support component.

2.10 Enable or Disable Enterprise Single Sign-On

1. Right-click the Enterprise Single Sign-On icon in the system tray:

2. Select Enable Single Sign-On or Disable Single Sign-On.

2.11 Enable or Disable E-SSO Learning Wizard

1. Right-click the Enterprise Single Sign-On icon in the system tray:

2. Select Disable E-SSO Learning Wizard. Enterprise Single Sign-On will not detect any application that requires E-SSO registration. Alternately, you can select Enable E-SSO Learning Wizard to detect if an application requires E-SSO registration.

Disabling the E-SSO Learning Wizard does not interrupt other single sign-on operations. You can still use Enterprise Single Sign-On for applications that have been previously registered. However, launching unregistered applications will not display the E-SSO Learning Wizard.

You can still register a new application, a pre-defined application or a change password dialog if the E-SSO Learning Wizard is disabled. To do this, right-click the Enterprise Single Sign-On icon in the system tray and click Register New Application in the context menu.


2.12 Log In To or Log Out From Enterprise Single Sign-On (Soft Token Only)

1. Right-click the Enterprise Single Sign-On icon in the system tray:

2. Select Log in to authenticate to E-SSO or Log Out to prevent access to the E-SSO credentials via the Local Management Console as well as credential entry in applications or websites.


3 Usage

3.1 Log on to Windows (Smart Card only)

Log in to Windows using single sign-on. Windows logon applies when you start/restart the system, lock the PC, switch users, or log off.
You can use either a password credential or a certificate credential when logging on to Windows:
Password credential: Use the password credential to log on to the local account or a domain account.
Certificate credential: Use the certificate credential to log on with a valid certificate stored on the smart card. You will be required to join a domain when using the certificate credential.

3.1.1 Log on to Windows XP

Use
Log on to Windows XP using single sign-on.

Prerequisites
Make sure that the smart card has been enabled for Windows XP Logon. For more information on initializing smart cards for E-SSO, see the Enterprise Single Sign-On Installation and Configuration Guide.

Procedure
1. After starting your system, the Welcome to Windows dialog appears:

2. Insert your smart card.
3. The Unlock Computer-Windows Logon dialog appears:


4. Enter your PIN into the PIN field.
5. To log on with certificate credential, select Log on with certificate on the bottom left of the dialog.
6. Click OK. You will now be logged in to Windows.

3.1.2 Log on to Windows Vista or Windows 7

Use
Log on to Windows Vista or Windows 7 using single sign-on.

Prerequisites
Make sure that the smart card has been enabled for Windows Vista or Windows 7 Logon. For more information on initializing smart cards for E-SSO, see the Enterprise Single Sign-On Installation and Configuration Guide.

Procedure
1. After starting the system, the Welcome to Windows dialog appears.
   If you have not yet inserted your smart card, do it now.
   Click the Switch User button or press the ESC key on your keyboard.

2. The Windows logon options appear:

The following logon options are available:

Option: Description

Microsoft logon tile: Use this icon if you intend to log on without using the smart card.

Logon with smart card (certificate credential): Use the certificate credential to log on with a valid certificate stored on the smart card. A certificate icon is displayed on the tile to indicate logon with certificate credential. You will be required to join a domain when using the certificate credential.


Logon with smart card (password credential): Use the password credential to log on to the local account or a domain account. You are prompted to enter PIN and a domain name to log on.

Depending on the policy settings defined by the system administrator, you might not see all the tiles for the Vista logon. It can be possible that you can only log on with a smart card.

3. Depending on the option that you have selected, you are prompted to enter the following information:

Certificate credential: Enter your token PIN and click to log on to Windows.

Password credential: Enter your token PIN and the domain name. Click to log on to Windows.

4. You will now be logged in to Windows.


Procedure
To use single sign-on for IBM Personal Communicator, simply launch the application, select the previously saved profile and click Start:

3.4 Using Web E-SSO

Use
Log on to a Website using Web single sign-on.

If multiple credentials have been assigned to a website, the default credential will be used for login. The user will not be prompted by the Multiple Credentials Dialog (if enabled via ADM) to choose a credential for single sign-on (as is the case with Windows applications or web-forms). This does not apply to web-basic dialogs.
If you want to change the default credential for a website then please do so via the Local Management Console.

Prerequisites
Make sure that you have registered the Website with E-SSO and linked its credentials before proceeding to this section. For more information on how to get started with Web E-SSO, see Enterprise Single Sign-On Web Single Sign-On (Web E-SSO) [page 50].

Procedure
1. Open Microsoft Internet Explorer or Mozilla Firefox. Use one of the following options to open a website:
   Type the URL into the Address bar, or...
   On the Enterprise Single Sign-On Web toolbar, click to view the list of Websites that are registered to E-SSO. Select the Website that you want to log on to.

2. The Website is now launched.
   If Automatic Login feature is enabled, you are automatically logged on to the Website. The icon indicates that the feature is enabled. If the logon credentials are not displayed, click .
   If Automatic Login is disabled, click the Submit button. The icon indicates that the feature is disabled.
   You will now be logged in to the Website.


3.5 Log on to Applications or Websites Using the Drag & Drop Feature

Use
The drag & drop feature is provided to allow single sign-on to applications or Websites that cannot be registered to Enterprise Single Sign-On via the standard recognition mechanisms.

Prerequisites
Make sure that you have registered the Website and linked its credentials to the Website before proceeding to this section. For more information on how to get started with Web E-SSO, see Drag & Drop Credentials [page 34].

Procedure
1. Open or browse to the logon dialog or logon page of the application or Website.
2. You can use the drag & drop feature via the Local Management Console or the Drag & Drop Credentials dialog:
   Local Management Console: Display the details pane of the credential that is linked to the special Website by expanding the Drag & Drop Credentials node in the Local Management Console (for more information, see Drag & Drop Credentials [page 34]).
   Drag & Drop Credentials dialog: Right-click the Enterprise Single Sign-On icon in the system tray and click Drag & Drop Credentials in the context menu:

3. The Drag & Drop Credentials dialog appears:

4. The following are options on using the drag & drop feature:
   Individually drag & drop , and to the corresponding logon fields (via the Drag & Drop Credentials dialog or Local Management Console) and click the corresponding logon or submit button.
   Collectively drag all logon parameters using the (via Local Management Console) or (via the Drag & Drop Credentials dialog) to the first logon field.


3.6 E-SSO Card Configuration Tool

Use
If you have more than one smart card reader connected and you intend to use them with Enterprise Single Sign-On, you must use the E-SSO Card Configuration Tool to define the card reader. You can configure the card reader any time after installing Enterprise Single Sign-On.

Procedure
1. Start the E-SSO Card Configuration Tool as follows:
   Windows XP: Start > All Programs > SAP > signon > E-SSO Card Configuration Tool
   Windows Vista and Windows 7: Windows logo > All Programs > SAP > signon > E-SSO Card Configuration Tool
2. The E-SSO Card Configuration Tool dialog appears:
   The active card reader configuration is listed in the upper field Current Configuration.
   Click Refresh to update the list of currently connected card readers in the Available PC/SC smart card readers combo-box.
   Enable Favour readers with inserted smart card if you want to view only those readers that currently have a smart card inserted in them (click Refresh first!).
   Click Reset in the lower left corner to erase the active settings.

3. Select the card reader you want to use with Enterprise Single Sign-On and click OK. The E-SSO Card Configuration Tool dialog closes.

4. To complete card reader configuration:
   Windows XP: Restart your system.
   Windows Vista and Windows 7: Log off and log back in to the system.


4 Additional Information

4.1 Soft Token Troubleshooting

Use
The Soft Token Password Reset is an Enterprise Single Sign-On feature that helps you troubleshoot soft token-related problems.

Procedure
1. To open the Soft Token Password Reset tool, either:
   Select Authentication > Soft Token > Password Options on the Local Management Console.
   Right-click the Enterprise Single Sign-On icon in the system tray and click Password Options in the context menu:

2. The Soft Token Password Reset dialog appears:

3. The following options are available:

Option: Description

Reset E-SSO password: Use this option to reset your E-SSO password if it has been forgotten. For more information, see Reset the E-SSO Password [page 66].

Change E-SSO password: Use this option to change your E-SSO password if it has been compromised or company policy dictates that you change your E-SSO password on a regular basis. For more information, see Change Soft Token Unlock (SSO password) [page 67].


Change Question/Answer for E-SSO Password Reset: Use this option to change your question and answer/pass phrase that was defined along with the initial E-SSO password (see Initial Soft Token Logon [page 7]) if it has been compromised or company policy dictates that you change your pass phrase on a regular basis. The answer should always be at least 8 characters. For more information, see Change Security Question [page 67].

Disable/Enable Automatic Logon to E-SSO: You can either enable or disable automatic logon to the Enterprise Single Sign-On application after logging into Windows:
   If you disable automatic logon, you are required to enter the E-SSO password after Windows logon. This provides a higher level of security.
   If you enable automatic logon, you are not required to enter the E-SSO password after Windows logon. The password will be protected via the Windows Data Protection API (DPAPI).
   The Enter E-SSO Password dialog appears whenever you enable or disable automatic logon to E-SSO. Enter your current E-SSO password to confirm the changes.

Exit: Clicking Exit closes the Soft Token Password Reset dialog.

4.1.1 Reset the E-SSO Password

Use
Reset the E-SSO password. This applies to the soft token only.

Procedure
1. Open the E-SSO Password Options dialog. See Soft Token Troubleshooting [page 65].
2. Click Reset E-SSO Password.
3. The Reset SSO Password dialog appears:

4. Select the question from the drop-down list that was defined during the initial Enterprise Single Sign-On soft token logon, and enter the correct answer into the Answer field. The answer must be between 8 and 20 characters. See Initial Soft Token Logon [page 7].

5. Enter your new password into the New Password and Confirm New Password fields. The new password must be between 8 and 20 characters. It is recommended to use a mix of upper-/lower-case characters, special characters, and numbers.

6. Click OK.
7. Your new password is stored in the soft token.


4.1.2 Change the E-SSO Password

Use
Change the soft token password. This applies to the soft token only.

Procedure
1. Open the E-SSO Password Options dialog. See Soft Token Troubleshooting [page 65].
2. Click Change E-SSO Password.
3. The Change E-SSO Password dialog appears:

4. Enter your current E-SSO password into the Old Password field.
5. Enter a new password into the New Password and Confirm New Password fields. The new password must be between 8 and 20 characters. It is recommended to use a mix of upper-/lower-case characters, special characters, and numbers.

6. Click OK.
7. Your new password is stored in the soft token.

4.1.3 Change Security Question

Use
Change the question and answer/passphrase used to recover the E-SSO password in an emergency scenario.

Procedure
1. Open the E-SSO Password Options dialog. See Soft Token Troubleshooting [page 65].
2. The E-SSO Password Options dialog appears. Click Change Security Question for Resetting E-SSO Password.
3. The Change Security Question for Resetting E-SSO Password dialog appears: