PUBLIC
Document Version: 1.0 – 07/2011
© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any
form or for any purpose without the express permission of SAP AG.
The information contained herein may be changed without prior
notice. Some software products marketed by SAP AG and its distributors
contain proprietary software components of other software vendors.
Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p,
System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390,
OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM,
Power Architecture, POWER6+, POWER6, POWER5+, POWER5,
POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks,
OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner,
WebSphere, Netfinity, Tivoli and Informix are trademarks or
registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and
other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either
trademarks or registered trademarks of Adobe Systems Incorporated in
the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the
Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame,
VideoFrame, and MultiWin are trademarks or registered trademarks of
Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered
trademarks of W3C®, World Wide Web Consortium, Massachusetts
Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used
under license for technology invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP
BusinessObjects Explorer, and other SAP products and services
mentioned herein as well as their respective logos are trademarks or
registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects,
Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and
other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of
Business Objects Software Ltd. in the United States and in other
countries.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of
Sybase, Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of
their respective companies. Data contained in this document serves
informational purposes only. National product specifications may
vary.
These materials are subject to change without notice. These materials
are provided by SAP AG and its affiliated companies ("SAP Group")
for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions
with respect to the materials. The only warranties for SAP Group
products and services are those that are set forth in the express
warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional
warranty.
Disclaimer
Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java™ Source Code delivered with this product is only to be used by SAP’s Support Services and may not be modified or altered in any way.
Terms for Included Open Source Software
This SAP software also contains the third-party open source software products listed below. Please note that for these third-party products the following special terms and conditions shall apply.
1. domainname-parser (http://code.google.com/p/domainname-parser/)
Copyright (c)
Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to permit
persons to whom the Software is furnished to do so, subject to the
following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
SAP AG
Dietmar-Hopp-Allee 16 69190 Walldorf Germany T +49/18 05/34 34 24 F +49/18 05/34 34 20 www.sap.com
Typographic Conventions
Type Style: Description
Example Text: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Cross-references to other documentation.
Example text: Emphasized words or phrases in body text, graphic titles, and table titles.
EXAMPLE TEXT: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example text: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.
Icons
Icon Meaning
Caution
Example
Note
Recommendation
Syntax
Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more
information, see Help on Help General Information Classes and Information Classes for Business Information Warehouse on the
first page of any version of SAP Library.
User Guide: Enterprise Single Sign-On
4 July 2011
Contents
1 Introduction .......... 6
1.1 About this Document .......... 6
2 Preparation .......... 7
2.1 Initial Soft Token Logon .......... 7
2.2 Local Management Console (LMC) .......... 8
2.3 Applications .......... 10
2.3.1 Using the E-SSO Learning Wizard to Register and Update Application Controls .......... 11
2.3.2 Register a New Application .......... 12
2.3.3 Register a Password Change Dialog .......... 16
2.3.4 Register a Predefined Application .......... 19
2.3.5 Register a Terminal Emulator Application .......... 22
2.3.6 Register IBM Personal Communicator for an IBM Series System .......... 23
2.3.7 View and Edit Single Sign-On Options for an Application .......... 27
2.4 Credentials .......... 29
2.4.1 Add a New Credential .......... 31
2.4.2 View and Edit Credential Details .......... 32
2.5 Drag and Drop Credentials .......... 34
2.5.1 Add a New Drag and Drop Credential .......... 36
2.5.2 View and Edit Drag and Drop Credential Details .......... 37
2.6 Policies .......... 39
2.6.1 Add a New Password Policy .......... 40
2.6.2 Edit the Attributes of a Password Policy .......... 41
2.7 Blacklist .......... 43
2.8 Authentication .......... 44
2.8.1 Token Type Switching .......... 45
2.8.2 Enterprise Single Sign-On Soft-Token Utility .......... 46
2.8.3 Import/Export Soft Token (Soft Token Mode) .......... 47
2.8.4 Certificates (Smart Card Mode) .......... 49
2.9 Enterprise Single Sign-On to Web Applications (Web SSO) .......... 50
2.9.1 Enterprise Single Sign-On Web Toolbar and Icons .......... 51
2.9.2 Register a Website and Credential Information .......... 51
2.9.3 Password Change for a Website .......... 54
2.9.4 How to Activate or Deactivate the Enterprise Single Sign-On Web Toolbar .......... 55
2.10 Enable or Disable Enterprise Single Sign-On .......... 55
2.11 Enable or Disable E-SSO Learning Wizard .......... 56
2.12 Log In To or Log Out From Enterprise Single Sign-On (Soft Token Only) .......... 56
3 Usage .......... 57
3.1 Log on to Windows (Smart Card only) .......... 57
3.1.1 Log on to Windows XP .......... 57
3.1.2 Log on to Windows Vista or Windows 7 .......... 58
3.2 Log on to Citrix Presentation Server .......... 59
3.3 Log on to a Windows Application .......... 60
3.4 Log on to IBM Personal Communicator .......... 60
3.5 Using Web E-SSO .......... 61
3.6 Log on to Special Applications Using the Drag & Drop Feature .......... 62
3.7 E-SSO Card Configuration Tool .......... 63
4 Additional Information .......... 64
4.1 Soft Token Troubleshooting .......... 64
4.1.1 Reset the E-SSO Password .......... 65
4.1.2 Change the E-SSO Password .......... 66
4.1.3 Change Security Question .......... 66
1 Introduction
Enterprise Single Sign-On (E-SSO) helps end users log on to multiple systems or applications without the need to remember every password or logon dialog. Once a user has successfully authenticated to the Enterprise Single Sign-On application, further logons to applications running under the system’s control are carried out automatically.
Enterprise Single Sign-On supports the following methods of signing on to an application:
Windows logon (for smart card-based authentication only)
This method can either be certificate-based or can use a user ID/password combination
stored on the smart card.
Certificate-based authentication (for smart card-based authentication only)
Certificate-based authentication is provided via standard interfaces such as Microsoft Crypto-API, RSA PKCS#11 or the GSS-API. The logon requirements of most applications, such as Internet browsers, e-mail clients, VPN clients, and so on, can be fulfilled via these interfaces.
Windows logon and certificate-based authentication are not available for
operation with a soft token.
Logon to Windows applications
This feature allows you to use single sign-on for password-protected Windows, .NET,
terminal emulator, and Java applications.
Logon to Websites (Web Single Sign-On)
This feature allows you to log on to password-protected Websites using single sign-on. A toolbar for Microsoft Internet Explorer and Mozilla Firefox enables the registration and
management of sites for single sign-on.
1.1 About this Document
Purpose
This document describes how to use Enterprise Single Sign-On on Windows XP, Windows
Vista, and Windows 7.
Constraints
This guide does not provide information about how to install, modify, remove, and configure Enterprise Single Sign-On. For such information, see the Enterprise Single Sign-On
Installation and Configuration Guide.
2 Preparation
2.1 Initial Soft Token Logon
Use
After the initial installation of Enterprise Single Sign-On and a subsequent restart, an initialization dialog appears prompting the user to enter a dedicated password that Enterprise Single Sign-On (E-SSO) uses to capture, encrypt, and safely store all your credentials, and to choose a password recovery question and an appropriate answer.
Procedure
1. When you start Windows for the first time after Enterprise Single Sign-On installation, the Initialize Soft Token Password dialog appears:
2. Enter a password into the E-SSO Password field. The password must be at least 8 characters long. To achieve a higher level of security, it is recommended to use a mix of upper- and lower-case characters, numbers, and special characters.
3. Optionally check Enable automatic logon to E-SSO when logged into Windows session (can be deactivated via Local Management Console) to allow Windows to automatically log on to the Enterprise Single Sign-On application after successful Windows logon. This option can be activated or deactivated at any time via the Password Options feature in the Local Management Console. This feature uses the Windows Data Protection API
(DPAPI) to protect the password.
4. Under Question/Answer for E-SSO Password Recovery:
Select a question from the Question drop-down menu.
Enter the corresponding, individual answer into the Answer field.
5. This information will now be used to access, and recover, Enterprise Single Sign-On from this point onwards. The Enterprise Single Sign-On icon will appear in the taskbar.
For automatic logon only: If a Windows password is reset by the System Administrator, the user will be prompted to enter the Enterprise Single Sign-On password after Windows logon to re-enable the automatic logon feature (DPAPI):
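The re-prompt after an administrative password reset follows from how DPAPI works: a blob protected with the CurrentUser scope can only be decrypted in the same user's logon context, whose master key protection is tied to that user's Windows password. The following PowerShell is an added example, not SAP's code and not how E-SSO stores its data internally; the file path, the entropy string and the function names are assumptions made for the demonstration.

```powershell
# Added example (not SAP code): shows how a DPAPI-protected secret is bound to
# the Windows user's logon context, which is why E-SSO must ask for the E-SSO
# password again once an administrator has reset the Windows password.
Add-Type -AssemblyName System.Security

# Hypothetical path; the page does not document E-SSO's real storage location.
$blobPath = Join-Path $env:LOCALAPPDATA 'esso-demo.dpapi'

function Protect-EssoSecret {
    param([Parameter(Mandatory)][string]$Secret, [string]$Path = $blobPath)
    $plain   = [System.Text.Encoding]::UTF8.GetBytes($Secret)
    # Optional entropy acts as an application-specific second factor: without it,
    # any process running as this user could call Unprotect on the blob.
    $entropy = [System.Text.Encoding]::UTF8.GetBytes('ESSO-demo-entropy')   # assumed value
    $cipher  = [System.Security.Cryptography.ProtectedData]::Protect(
        $plain, $entropy, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    [System.IO.File]::WriteAllBytes($Path, $cipher)
    [Array]::Clear($plain, 0, $plain.Length)   # do not keep the plaintext around
}

function Unprotect-EssoSecret {
    param([string]$Path = $blobPath)
    $cipher  = [System.IO.File]::ReadAllBytes($Path)
    $entropy = [System.Text.Encoding]::UTF8.GetBytes('ESSO-demo-entropy')
    try {
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect(
            $cipher, $entropy, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        return [System.Text.Encoding]::UTF8.GetString($plain)
    } catch [System.Security.Cryptography.CryptographicException] {
        # Thrown when the blob cannot be decrypted in this context: opened under
        # another Windows account, or after an administrative password reset left
        # the user's DPAPI master key unrecoverable. An application such as E-SSO
        # must then fall back to prompting the user for the password.
        return $null
    }
}

Protect-EssoSecret -Secret 'demo-esso-password'   # constructed sample value
$recovered = Unprotect-EssoSecret
if ($null -eq $recovered) { 'Blob unusable in this context: prompt the user again' }
else { 'Recovered in the same user context' }
Remove-Item $blobPath -ErrorAction SilentlyContinue
```

Running the block as the same user prints the "Recovered" line; copying the blob to another account, or decrypting it after the account's password was reset by an administrator rather than changed by the user, takes the CryptographicException path.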
2.2 Local Management Console (LMC)
Use
Enterprise Single Sign-On has a Local Management Console (LMC) in which all aspects of the application can be configured. This section details how to open the Local Management
Console and details the GUI.
Procedure
1. The Local Management Console can be opened via one of the following options:
Via Start menu: click Start > All Programs > SAP > signon > Local Management
Console.
Double-click the Enterprise Single Sign-On icon in the system tray.
Right-click the Enterprise Single Sign-On icon in the system tray and choose Local Management Console in the context menu:
In your Internet browser (Internet Explorer or Firefox), click the Local Management
Console icon on the Enterprise Single Sign-On Web toolbar:
For more information about the Enterprise Single Sign-On Web toolbar, see Enterprise Single Sign-On Web Single Sign-On (Web E-SSO) [page 50] or Using Web E-SSO [page 61].
2. The Local Management Console appears:
The Search box and button located at the top of the left pane can be used to look for a specific term within the whole navigation tree in the left pane. Enter search criteria and click Search; use F3 on your keyboard to go to the next search result.
The navigation tree in the left pane allows a user to view and configure each of the aspects for the application. Clicking a node will display the details for that node
either in the right pane or in a pop-up window. The following nodes are available:
Node: Description
Applications: Applications allows you to register, view, edit or delete a Windows or Web application. For more information about Applications, see Applications [page 10].
Credentials: Credentials allows you to add, view, edit and delete the credentials contained in the soft token or smart card. For more information about Credentials, see Credentials [page 29].
Drag & Drop Credentials: Drag & Drop Credentials allows you to add, view, edit and delete credentials used for drag & drop. The drag & drop feature is provided to allow single sign-on to applications or Websites that cannot be registered to Enterprise Single Sign-On. For more information on Drag & Drop Credentials, see Drag & Drop Credentials [page 34].
Policies: Policies allows you to add, view, edit and delete password policies. A Password Policy is a set of rules that govern the characters to be used as well as the password length for Windows- or web-based passwords that are created in Enterprise Single Sign-On. For more information about password policies, see Policies [page 39].
Blacklist: Blacklist allows you to view and delete applications from the blacklist. The blacklist is a list of applications for which Enterprise Single Sign-On functions are disabled. For more information about the blacklist, see Blacklist [page 43].
Authentication: Authentication allows you to access authentication-related tools and features, specifically Token Switching (Soft Token/Smart Card), Token Utility, and Certificates. For more information about authentication, see Authentication [page 44].
Depending on which node is clicked, a menu indicated by a row of icons will appear above the information in the right pane. Depending on the task, one or more of the following icons will be available:
Icon Description
Add a new entry to the selected node.
Modify an existing entry on the selected node.
Remove an existing entry from the selected node.
View an entry from the selected node.
Create an application file <*.api> to be imported to the Enterprise
Single Sign-On Management Console (coming soon).
2.3 Applications
The following information appears when you click the Applications node:
The Applications node in the left pane of the Local Management Console has the following
sub-nodes:
Sub-node: Description
Windows: Displays all the Windows applications currently registered to E-SSO (for example, Skype)
Web: Displays all the Web applications or Websites currently registered to E-SSO (for example, mail.yahoo.com)
Terminal Emulator: Displays all the terminal emulator applications currently registered to E-SSO.
If you click the Applications, Windows, Web or Terminal Emulator nodes, the right pane of the Local Management Console displays the following information for registered applications or
Websites:
Details: Description
Name: Displays the names of the registered applications
Type: Displays the type of application; can either display Windows or Web
Default Credentials: Displays the default credential for each of the registered applications
The Applications node and subnodes allow you to perform the following actions:
Click to open the E-SSO Learning Wizard to register and update application controls. You can also right-click Applications on the left pane of the Local Management Console and select Add in the context menu. For more information, see Using the E-SSO
Learning Wizard to Register and Update Application Controls [page 11].
Click to modify single sign-on options for an application. For more information, see
View and Edit Single Sign-On Options for an Application [page 27].
Click or press Del on your keyboard to delete an application from single sign-
on. You can also right-click the application that you want to delete on the left pane of the
Local Management Console and select Delete in the context menu.
Click to create an application file <*.api> to be imported to the Enterprise
Single Sign-On Management Console (coming soon).
2.3.1 Using the E-SSO Learning Wizard to Register and Update Application Controls
Use
If you intend to use Enterprise Single Sign-On for a Windows application (for example, Skype), you will first need to register the application. The E-SSO Learning Wizard is an Enterprise Single Sign-On component that helps you register and update Windows application controls.
The E-SSO Learning Wizard only applies to Windows applications. To register a Web application or Website, use the Enterprise Single Sign-On Web toolbar. See
Register a Website and Credential Information [page 51].
Open E-SSO Learning Wizard
1. When you start a Windows application for the first time after Enterprise Single Sign-On installation, Enterprise Single Sign-On detects if the application requires authentication
and automatically launches the E-SSO Learning Wizard:
2. The application registration dialog allows you to perform the following:
Click Register to register the application and, optionally, the credentials (proceed to
the next section).
Click Later to register at a later time and close the application registration dialog.
Click Never to disable single sign-on functions for this application and close the application registration dialog. The application will be added to the blacklist. For more
information about managing the blacklist, see Blacklist [page 43].
3. If the E-SSO Learning Wizard is not automatically launched, you can open the wizard
either:
Via the Local Management Console, see Local Management Console (LMC) [page 8]: select Applications from the left pane of the dialog and click . You can also right-click Applications on the left pane of the Local Management Console and select Add in the context menu.
Via the system tray: Right-click the Enterprise Single Sign-On icon in the system tray and select Register New application.
Disable E-SSO Learning Wizard
To disable the E-SSO Learning Wizard, right-click the Enterprise Single Sign-On icon in the system tray and click Disable E-SSO Learning Wizard in the context menu.
2.3.2 Register a New Application
Use
If you intend to use Enterprise Single Sign-On for a Windows application (for example, Skype), you will first need to register the application. The E-SSO Learning Wizard is an Enterprise Single Sign-On component that helps you register and update Windows
application controls.
Procedure
1. Open the E-SSO Learning Wizard. See Open E-SSO Learning Wizard [page 11].
2. The Welcome to the E-SSO Learning Wizard dialog appears. Select Register a New
Application and click Next.
3. The Select Window Function dialog appears: Select Login Dialog and click Next.
4. The Select the login dialog you want to register dialog appears: Drag the Select Dialog
icon to the Windows application dialog that you want to register and click Next.
5. The logon parameters dialog appears displaying the Field icon next to each logon parameter:
6. If the application logon dialog has only one field, select Check if login dialog has only one
password field.
7. Drag the Field icon for each logon parameter to the specific field in the application dialog that you want to register.
The User Name, Password and Submit (OK) Button are required fields. For logon dialogs with only one password field, the Password and Submit (OK) Button are
required fields.
8. The logon fields in the application will be highlighted and a checkmark icon is displayed next to the parameter to confirm that it has been linked. If you link the incorrect
field, you can click the remove icon to remove the link.
9. Click Next.
10. The Enter Credentials dialog appears:
11. The Application field displays the name of the application.
12. In the succeeding fields, either:
Select a credential that has been previously added (for example, if you use the same user name and password for Skype, Yahoo and the company intranet) in the Credential name field. The entries for the User Name and Password fields will be automatically entered.
Or…
Add a new credential by entering information into the Credential name, User Name or Password fields.
13. In the Preferences area:
Click Automatic login if you want to be automatically logged into the application when
it is launched.
During first time registration, the Default Credential is selected and cannot be edited;
this option will be enabled if you add another credential to this application.
14. Click Next.
While entering information in this dialog is optional, Enterprise Single Sign-On will require you to link a credential to the application. You can do this by
performing any of the following actions:
Modify the application and link it to a credential. See View and Edit Single
Sign-On Options for an Application [page 27].
Add a new credential and link it to the application. See Add a New
Credential [page 29].
Modify a credential and link it to the application. See View and Edit
Credential Details [page 32].
When you launch a registered application, Enterprise Single Sign-On automatically detects if the application is not linked to a credential. Click Yes to add a credential for the application:
15. The completion dialog appears; click Finish to close the dialog. The application and, optionally, the credentials are now registered to Enterprise Single Sign-On and are displayed on the Local Management Console. You can now use single sign-on to log on
to this application. For more information, see Log In to a Windows Application [page 60].
16. To add another credential to an application, follow step 2 of this section. You are prompted with a message asking if you want to update the application. Click Yes then
proceed with the rest of the steps in this section.
2.3.3 Register a Password Change Dialog
Use
Register password change dialogs. This section is only applicable for applications already
registered with Enterprise Single Sign-On.
Procedure
1. When an application password change dialog is launched, Enterprise Single Sign-On detects if the application requires registration. Enterprise Single Sign-On automatically launches the E-SSO Learning Wizard:
Click Yes to register the password change dialog and, optionally, change the
credentials (proceed to step 6).
If the E-SSO Learning Wizard is not automatically launched, you can open the wizard
via the system tray: Right-click the Enterprise Single Sign-On icon in the system tray and select Register New application.
2. The Welcome to the E-SSO Learning Wizard dialog appears. Select Register a New
Application and click Next.
3. The Select Window Function dialog appears. Select Change Password Dialog and click
Next.
4. The Select the Login Dialog you want to register dialog appears:
5. Drag the Select Dialog icon to the password change dialog that you want to register and
click Next.
6. The logon parameters dialog appears displaying the Field icon next to each logon
parameter:
7. Drag the Field icon for each logon parameter to the specific field in the application dialog that you want to register.
8. The logon fields in the application will be highlighted and a checkmark icon is displayed next to the parameter to confirm that it has been linked. If you link the incorrect
field, you can click the remove icon to remove the link.
9. Click Next.
10. The Enter the New and Confirmation Password dialog appears; the old password is
entered per default:
11. In the Manual Change Password area, optionally enter a new password into the New
Password and Confirm Password fields to change your password now.
12. The Auto Change Password area deals with future password changes. The following
options are available:
Option: Description
Automatically change password in the future: E-SSO automatically generates a new password every time the application password change dialog is launched.
To enable this option:
1. In the Auto Change Password area, check the option Auto password change in future.
2. The drop-down menu Select Password Policy appears. Select the password policy for this credential. For more information on password policies, see Policies [page 39].
Inform me of automatic password changes: If you select this option, a message dialog is displayed every time E-SSO automatically generates a new password.
To enable this option:
1. In the Auto Change Password area, check the option Notify me of auto password changes.
2. The option Automatically change password in the future will also be enabled. If you have not selected the password policy for this credential, do it now.
13. After selecting the options, click Next. If you have entered a new password in the Manual Change Password area, proceed to the next step. If you have not entered a new
password, proceed to step 15.
14. If you have entered a new password in the previous dialog, you are prompted to confirm if the password has been validated by the application. Click Next to confirm or Failed to
go back to the previous dialog and enter a new password.
15. The completion dialog appears; click Finish to close the dialog. The password change dialog and, optionally, the credentials are now registered to Enterprise Single Sign-On and are displayed on the Local Management Console. You can now continue using single sign-on to log on to this application. For more information, see Log In to a Windows Application [page 60].
2.3.4 Register a Predefined Application
Use
Enterprise Single Sign-On has built-in predefined applications (for example, Yahoo Messenger and Google Talk). You have to define the credentials for the specific applications
that you want to use.
Prerequisites
For System Administrators: Use a predefined applications file to distribute applications to Enterprise Single Sign-On. To start using the predefined applications, the application
definition should be added to the predefined application file.
Procedure
1. Open the E-SSO Learning Wizard. See Open E-SSO Learning Wizard [page 11].
2. The Welcome to the E-SSO Learning Wizard dialog appears. Select Register a Predefined Application and click Next.
3. The Select the predefined application dialog appears.
4. Select the predefined application that you want to define and link to a credential and click
Next and proceed to step 6.
5. For System Administrators: The Select the predefined application dialog allows you to
perform the following actions:
Option: Description
Add: Register and store the predefined application definition in the predefined application file. Click Next and proceed to the next step.
Export: Export a predefined application file from the default location to another location (for example, <C:\\temp\admin.pda>). Click Cancel to exit the dialog.
Import: Copy a predefined application file from another location (for example, <C:\\temp\admin.pda>) to the predefined application file location. Click Cancel to exit.
Per default, the PDA files are stored, exported from and imported to
%ALLUSERSPROFILE%\SAP\Signon\Predef\PreDefAp.pda.
6. The Enter Credentials dialog appears:
7. In the Login info area:
The Application field displays the name of the application.
In the next fields, either:
Select a credential that has been previously added from the drop-down box (recommended if you use the same user name and password for more than one application) in the Credential name field. The entries for the User Name and
Password fields will be automatically entered. Or…
Add a new credential by entering information into the Credential name, User Name
or Password fields.
8. In the Preferences area:
Click Automatic login if you want to be automatically logged into the application when
it is launched.
During first time registration, the Default Credential is selected and cannot be edited;
this option will be enabled if you add another credential to this application.
9. Click Next.
While entering information in this dialog is optional, Enterprise Single Sign-On will require you to link a credential to the application. You can do this by
performing any of the following actions:
Modify the application and link it to a credential. See View and Edit Single
Sign-On Options for an Application [page 27].
Add a new credential and link it to the application. See Add a New
Credential [page 29].
Modify a credential and link it to the application. See View and Edit
Credential Details [page 32].
When you launch a registered application, Enterprise Single Sign-On automatically detects if the application is not linked to a credential. Click Yes to
add a credential for the application:
10. The completion dialog appears. Click Finish to close the dialog. The application and, optionally, the credentials are now registered to Enterprise Single Sign-On and can be
viewed, edited or removed via the Local Management Console.
2.3.5 Register a Terminal Emulator Application
Use
Enterprise Single Sign-On automatically detects a terminal emulator application logon dialog
and launches the wizard to register for single sign-on use.
Procedure
1. Launch the terminal emulator application and connect to the server.
2. When a terminal emulator application logon dialog is launched, Enterprise Single Sign-On detects that the application requires registration. Enterprise Single Sign-On
automatically launches the E-SSO Learning Wizard:
3. The application registration dialog allows you to perform the following:
Click Register to register the terminal emulator application and, optionally, the
credentials (proceed to the next step).
Click Later to register at a later time and close the application registration dialog.
Click Never to disable single sign-on functions for this application and close the application registration dialog. The application will also be added to the blacklist. For
more information on managing the blacklist, see Blacklist [page 43].
4. The Enter Credentials dialog appears:
5. The Application field displays the name of the application.
6. The Host field displays the IP address of the server.
7. You can optionally enter information in the succeeding fields; to do this, either:
Select a credential that has been previously added (for example, you use the same user name and password for Skype, Yahoo and company intranet) in the Credential name field. The entries for the User Name and Password fields will be automatically
entered. Or…
Add a new credential by entering information into the Credential name, User Name or
Password fields.
8. In the Terminal Application Install Path area, click the button. The file explorer dialog appears:
9. Locate the folder where the terminal emulator application installer is located (for example,
<C:\Program Files\PASSPORT>) and click OK.
You need to specify the exact location of the installation package. Otherwise, you
cannot successfully register the application.
10. The Enter Credentials dialog re-appears; click Finish to complete the configuration. You
can now use single sign-on to log on to this terminal emulator application. For more
information, see Register a Terminal Emulator Application [page 22].
2.3.6 Register IBM Personal Communicator for an IBM Series System
Use
This section details how to register IBM Personal Communicator for an IBM Series System
for E-SSO.
Prerequisites
For System Administrators: There is a scenario when the host is not displayed on the IBM iSeries status bar on the bottom of the logon dialog. If this scenario occurs, perform the
following operations on the client and server.
1. On the server:
Add the ADM file Signon.adm from the Enterprise Single Sign-On package.
Configure the parameters of the terminal emulator host as follows:
One of the hosts should reference the Hostname or IP that the user will be connecting to (for example, the first host is referenced as Pub1.rzkh.de).
One of the hosts should reference ‘*’ as the Hostname. This is important for scenarios
when the host is not displayed on IBM iSeries status bar on the bottom of the logon
dialog (for example, the second host is referenced as ‘*’).
Run the command gpupdate /force to apply the policy to the client.
For more information about terminal emulator host configuration, see the Enterprise
Single Sign-On Installation and Configuration Guide.
2. On the client computer: Make sure that the settings have been properly configured prior to registration and the Host Terminal for AS/400 is configured on the Registry Editor,
folder HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\signon\Terminal:
Procedure
1. Start a new session on IBM Personal Communications. In the Configuration dialog, select the appropriate host and click OK. In the Account Information dialog, type the
appropriate logon.
2. Enterprise Single Sign-On detects if the application requires registration. Enterprise
Single Sign-On automatically launches the E-SSO Learning Wizard:
Click Register to register IBM Personal Communications.
Click Later to register at a later time and close the application registration dialog.
Click Never to disable single sign-on functions for this application and close the application registration dialog. The application will also be added to the blacklist. For
more information on managing the blacklist, see Blacklist [page 43].
3. The Enter Credentials dialog appears:
4. The Application field displays the name of the application.
5. You can optionally enter information in the succeeding fields; to do this, either:
Select a credential that has been previously added in the Credential name field. The
entries for the User Name and Password fields will be automatically entered. Or…
Add a new credential by entering information into the Credential name, User Name or
Password fields.
6. Click Finish.
7. The first logon dialog is successfully registered.
8. Enterprise Single Sign-On will now detect the second logon dialog:
In the scenario displayed in the figure above, the string I902 is displayed on the bottom of the dialog. Enterprise Single Sign-On therefore detects the host with
the Hostname ‘*’.
Click Register to register IBM Personal Communications.
Click Later to register at a later time and close the application registration dialog.
Click Never to disable single sign-on functions for this application and close the application registration dialog. The application will also be added to the blacklist. For
more information on managing the blacklist, see Blacklist [page 43].
9. The Enter Credentials dialog appears:
10. The Application field displays the name of the application.
11. You can optionally enter information in the succeeding fields; to do this, either:
Select a credential that has been previously added in the Credential name field. The
entries for the User Name and Password fields will be automatically entered. Or…
Add a new credential by entering information into the Credential name, User Name or
Password fields.
12. In the Terminal Application Install Path area, click the button. Locate the folder where
the terminal emulator application installer is located and click OK.
You need to specify the exact location of the installation package. Otherwise, you
will not be able to successfully register the application.
13. Click Finish. The IBM Personal Communicator displays that the logon is successful.
14. You can now exit the window. You are prompted to save the session. It is recommended
that you save the session for future logons.
2.3.7 View and Edit Single Sign-On Options for an Application
Use
View and edit an application entry.
Procedure
1. Open the Local Management Console (see Local Management Console (LMC) [page 8]) and select Applications from the left pane of the dialog. All registered applications are displayed in the right pane of the dialog.
2. To view single sign-on options for an application, either:
Double-click the application entry in the right pane, or…
Expand the Windows, Web and/or Terminal Emulator nodes in the left pane to display
applications according to type and select the specific application.
3. The right pane displays application-specific details:
4. To edit the single sign-on options for an application, click . The following options appear:
Detail area (for Windows and Web applications):
Application name: To edit, click the application name. A blinking cursor indicates that you can edit the application name.
Enabled: Check this option to allow the E-SSO functions to run on the selected application.
Auto Logon: Check this option to facilitate an automatic application logon without having to click the submit button.
Auto Change Password: When the password change dialog is launched, the system automatically generates a new password.
Notify me of Auto Password Changes: If you select this option, a message dialog is displayed every time E-SSO automatically generates a new password.
Apply Password Policy: Check this box if you want to apply a password policy to this application, and select the policy from the drop-down menu. Per default, the Windows password policy is applied to Windows applications and the Web password policy is applied to Web applications. For more information on password policies, see Policies [page 39].
Terminal application install path (for terminal emulator applications only): To change the install path, click the button. Locate the folder where the terminal emulator application installer is located (for example, <C:\Program Files\PASSPORT>) and click OK.
Linked Credentials area:
The Linked Credentials area displays the list of credentials that are linked to the selected application. If the selected application does not have any credentials linked to it, the Name field is blank.
Name: Name of the credentials that are linked to the selected application.
Default: If there is only one credential linked to the selected application, this is the default credential. If there is more than one credential linked to the selected application, check the Default box corresponding to the credential that you want to assign as default.
Link icon: Use this icon to link the selected application to a credential.
Unlink icon: Select the credential that you want to unlink from the Name list and click the Unlink icon. The credential that you have unlinked is removed from the Name list.
5. Click Apply to save the changes.
2.4 Credentials
The following information appears when you click the Credentials node:
If you expand Credentials in the left pane of the Local Management Console, all credentials stored within Enterprise Single Sign-On are displayed. Click the Credentials node to display the following credential details in the right pane:
Name: Displays the credential names.
User Name: Displays the User Name for each credential.
If you click the credential entry (either in the left or right pane), the right pane displays the following details of the registered credentials:
Detail area:
Name: A name that defines the credential.
User Name: User name of the credential. The field next to User Name defines the key that terminates the User Name field.
Password: Password for the credential. The field next to Password defines the key that terminates the Password field.
Parameter 1/Parameter 2/Parameter 3: These are optional fields for additional credential parameters other than user name and password.
Protected entry: If checked, the entry is protected from being deleted from the smart card or soft token.
Hidden entry: If checked, you cannot use the credential for drag & drop. This parameter is checked per default. If you modify and uncheck this parameter, the credential entry is categorized as a drag & drop credential. For more information on the drag & drop feature, see Drag & Drop Credentials [page 34].
Linked Applications area:
The Linked Applications area shows the list of applications to which the selected credential is linked.
Link icon: Use this icon to link the selected credential to an application.
Unlink icon: Select the application that you want to unlink from the Name list and click the Unlink icon. The credential that you have unlinked is removed from the Name list.
The Credentials node and subnodes allow you to perform the following actions:
Click to add a credential. You can also right-click Credentials on the left pane of the Local Management Console and select Add in the context menu. For more
information, see Add a New Credential [page 31].
Click to modify credential details (applied to subnodes). For more information, see
View and Edit Credential Details [page 32].
Click or press Del on your keyboard to delete a credential. You can also right-
click the credential that you want to delete on the left pane of the Local Management
Console and select Delete in the context menu.
2.4.1 Add a New Credential
Use
Credentials are normally added in the E-SSO Learning Wizard during application registration (see Register a New Application [page 12]). However, you may need to add a credential prior to application registration if you are going to link it to several applications (for example, you want to link the same credential to Skype, Yahoo, and company intranet).
Procedure
1. Open the Local Management Console (see Local Management Console (LMC) [page 8]), select Credentials from the options in the left pane of the dialog and click . You can also right-click Credentials on the left pane of the Local Management Console and
select in the context menu.
2. The New Credential dialog appears.
Enter credential parameters (see Credentials [page 29]).
3. In the Linked Applications area, use the following buttons to link and unlink applications
and credentials:
Add: Select the application from the Available Applications box and click the Add
button.
Remove: Select the application from the Linked Applications box and click the
Remove button.
4. Click OK to save changes.
2.4.2 View and Edit Credential Details
Use
View and edit credential options.
Procedure
1. Open the Local Management Console (see Local Management Console (LMC) [page 8]) and select Credentials from the left pane of the dialog. All existing credentials are displayed in the right pane of the dialog.
2. To view credential information, click the credential entry (either on the left or right pane).
3. The dialog displays specific credential details:
4. Select the credential entry to be edited from the left or right pane, and click .
5. The Edit Credential dialog appears:
For more information on these credential parameters, see Credentials [page 29].
6. To change the single sign-on password, click the Modify button.
7. You are prompted to enter your PIN. Enter your PIN and click OK.
8. The Modify Password dialog appears:
9. Enter your new password into the New Password and Confirmation fields and click OK.
10. The Edit Credential dialog re-appears. Click the Apply button to save the changes.
2.5 Drag and Drop Credentials
The following information appears when you click the Drag & Drop Credentials node:
If you expand Drag & Drop Credentials in the left pane of the Local Management Console, all the Drag & Drop Credentials stored within Enterprise Single Sign-On are displayed. Click the
Drag & Drop Credentials node to display the following credential details in the right pane:
Name: Displays the drag & drop credential names.
User Name: Displays the user name for each drag & drop credential.
If you click the drag & drop credential entry (either in the left or right pane), the right pane displays the following details of the registered Drag & Drop Credentials:
Detail area:
Name: A name that defines the drag & drop credential.
User Name: User name of the drag & drop credential. The field next to User Name defines the key that terminates the User Name field.
Password: Password for the drag & drop credential. The field next to Password defines the key that terminates the Password field.
Parameter 1/Parameter 2/Parameter 3: These are optional fields for additional drag & drop credential parameters other than user name and password.
Protected entry: If checked, the entry is protected from being deleted from the smart card or soft token.
Hidden entry: This parameter is unchecked per default. If you modify and check this parameter, the credential entry is categorized as a regular credential and you cannot use the credential for drag & drop. For more information on credentials, see Credentials [page 29].
Linked Applications area:
The Linked Applications box shows the list of applications to which the selected drag & drop credential is linked.
The Credentials node and subnodes allow you to perform the following actions:
Click to create a new credential. You can also right-click Credentials on the left pane of the Local Management Console and select Add in the context menu. For more
information, see Add a New Drag and Drop Credential [page 36].
Click to modify credential details (applied to subnodes). For more information, see
View and Edit Drag and Drop Credential Details [page 37].
Click or press Del on your keyboard to delete a credential. You can also
right-click the credential that you want to delete on the left pane of the Local Management
Console and select Delete in the context menu.
Use the (User Name), (Password), (Parameters) and (Drag & Drop Credentials) icons for single sign-on to special applications and Websites. For more
information, see Log In to Special Applications Using the Drag & Drop Feature [page 62].
Click in the Linked Applications area to link an application to the selected credential.
To unlink an application from the selected credential, select the application in the Linked
Applications area and click .
2.5.1 Add a New Drag and Drop Credential
Use
Add a new drag and drop credential.
Procedure
1. Open the Local Management Console (see Local Management Console (LMC) [page 8]), select Drag & Drop Credentials from the options in the left pane of the dialog and click . You can also right-click Drag & Drop Credentials on the left pane of the Local
Management Console and select in the context menu.
2. The New Credential dialog appears:
Enter credential parameters (see Drag & Drop Credentials [page 34]).
You cannot uncheck the Hidden entry option.
3. In the Linked Applications area, use the following buttons to link and unlink applications
and credentials:
Add: Select the application from the Available Applications box and click the Add
button.
Remove: Select the application from the Linked Applications box and click the
Remove button.
4. Click OK to save changes.
2.5.2 View and Edit Drag and Drop Credential Details
Use
View and edit drag and drop credential options.
Procedure
1. Open the Local Management Console (see Local Management Console (LMC) [page 8]) and select Drag & Drop Credentials from the left pane of the dialog. All existing Drag & Drop Credentials are displayed in the right pane of the dialog.
2. To view drag & drop credential information, click the drag & drop credential entry (either
on the left or right pane).
3. The dialog displays specific drag & drop credential details:
4. Select the drag & drop credential entry to be edited from the left or right pane, and click
.
5. The Edit Credential dialog appears:
For more information on these drag & drop credential parameters, see Drag & Drop
Credentials [page 34].
6. To change the single sign-on password, click the Modify button.
7. You are prompted to enter your PIN. Enter your PIN and click OK.
8. The Modify Password dialog appears:
9. Enter your new password into the New Password and Confirmation fields and click OK.
10. The Edit Credential dialog re-appears. Click the Apply button to save the changes.
2.6 Policies
The following information appears when you click the Policies node:
If you expand Policies in the left pane of the Local Management Console, it displays the
Password Policies subnode.
If you expand the Password Policies subnode, all the password policies stored within Enterprise Single Sign-On are displayed on the left and right panes. Per default, the Microsoft Windows Password Policy is applied to Windows applications and the Web Password Policy is applied to Web applications/Websites.
The Policies node and subnodes allow you to perform the following actions:
Click to add a password policy. You can also right-click Password Policies on the left pane of the Local Management Console and select Add in the context menu. For
more information, see Add a New Policy [page 40].
Click to modify the values of the password policy attributes. For more information,
see Edit the Attributes of a Password Policy [page 41].
Click or press Del on your keyboard to delete a password policy. You can also
right-click the policy that you want to delete on the left pane of the Local Management
Console and select Delete in the context menu.
Click to create a password policy file <*.PLC> to be imported to the Enterprise
Single Sign-On Management Console (coming soon).
2.6.1 Add a New Password Policy
Use
Add a new password policy.
Procedure
1. Open the Local Management Console (see Local Management Console (LMC) [page 8]), select Policies > Password Policies from the options in the left pane of the dialog and
click .
2. The New Policy dialog appears prompting you to enter a policy name:
3. Enter a policy name to describe the new password policy and click OK.
4. The dialog displays specific policy attributes:
5. The password attributes of the new policy are set with default values. To modify the
values of these attributes, click . See Edit the Attributes of a Password Policy [page 41] for details on how to edit the attributes of a password policy.
2.6.2 Edit the Attributes of a Password Policy
Use
Edit the attributes of a password policy.
Procedure
1. Open the Local Management Console (see Local Management Console (LMC) [page 8]), select Policies > Password Policies from the options in the left pane of the dialog. To view the password policy attributes, click the password policy entry on the left pane or double-click the entry in the right pane.
2. The dialog displays specific policy attributes. Click .
3. The dialog displays the fields in editable mode:
The following attributes are available and can be edited:
Password length (value: min, max): Enter allowed min value. Enter allowed max value. The system automatically sets the maximum password length if the sum of all minimum values of the character sets is greater than the entered maximum password length.
Upper case characters [A,Z], Lower case characters [a,z], Number characters [0,9] (value: Forbidden/Allowed/Mandatory, min): A character set may be forbidden, allowed or mandatory:
Forbidden – User cannot use any character in this character set for the password.
Allowed – User can optionally use any character in this character set for the password.
Mandatory – User is required to use characters in this character set for the password. If Mandatory is selected, enter the minimum number of characters required for the character set.
Special characters (value: Allowed special characters, all special characters in the English keyboard): User can use any special character entered in this string. The following special characters are allowed: !@#$%^&*()_-+=?><,./:;'~`\|{}[]
Begin with uppercase character (value: Enabled/Disabled): If this attribute is enabled, the user is required to enter a password that begins with an uppercase character.
Allow sequential characters (value: Enabled/Disabled): If this attribute is enabled, the user can enter a password that contains an ordered list of ASCII characters (for example, 1234 and ABCD).
Allow duplicate characters (value: Enabled/Disabled): If this attribute is enabled, the user can use a duplicate character (not case sensitive) in the password (for example, ACDA contains duplicate characters and ACDa does not).
Allow repeated characters (value: Enabled/Disabled): If this attribute is enabled, the user can use a consecutively repeated character in the password (for example, AA19 contains repeated characters and A19A does not).
4. Click the Apply button to save the changes. You can now link this password policy to an application. For more information, see Register a Password Change Dialog [page 16].
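The policy attributes described in this section, expressed as a small checker so that the effect of each setting can be tried against sample passwords. This is an added example and not code from SAP or from the Enterprise Single Sign-On product; the names PasswordPolicy, CharSet, check_password and strict_policy are assumptions, as is the sequence_length threshold of 3 for what counts as "sequential" and the rule that a character belonging to none of the four character sets is rejected. Duplicate detection follows the guide's own examples (ACDA has a duplicate, ACDa does not), which treat upper and lower case as different characters; the automatic raising of the maximum length when the character-set minimums exceed it is implemented as described in the Password length row.

```python
# Added example (not SAP code): checker for the password policy attributes in
# the table above. Items marked "assumption" are not taken from the guide.
from dataclasses import dataclass, field
from enum import Enum
from typing import List
import string

class CharSetRule(Enum):
    FORBIDDEN = "Forbidden"
    ALLOWED = "Allowed"
    MANDATORY = "Mandatory"

# The allowed special characters exactly as listed in the policy table.
DEFAULT_SPECIALS = "!@#$%^&*()_-+=?><,./:;'~`\\|{}[]"

@dataclass
class CharSet:
    rule: CharSetRule = CharSetRule.ALLOWED
    minimum: int = 0          # only used when rule is MANDATORY

@dataclass
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 16
    upper: CharSet = field(default_factory=CharSet)
    lower: CharSet = field(default_factory=CharSet)
    digits: CharSet = field(default_factory=CharSet)
    special: CharSet = field(default_factory=CharSet)
    allowed_specials: str = DEFAULT_SPECIALS
    begin_with_uppercase: bool = False
    allow_sequential: bool = True
    allow_duplicate: bool = True
    allow_repeated: bool = True
    sequence_length: int = 3  # assumption: shortest run that counts as "sequential"

    def effective_max_length(self) -> int:
        # Guide: the maximum is raised when the sum of the mandatory minimums exceeds it.
        mins = sum(cs.minimum for cs in (self.upper, self.lower, self.digits, self.special)
                   if cs.rule is CharSetRule.MANDATORY)
        return max(self.max_length, mins)

def has_sequence(pw: str, run: int) -> bool:
    """True if `run` adjacent characters have strictly ascending ASCII codes (1234, ABCD)."""
    return any(all(ord(pw[i + j + 1]) - ord(pw[i + j]) == 1 for j in range(run - 1))
               for i in range(len(pw) - run + 1))

def has_repeated(pw: str) -> bool:
    """Consecutively repeated character: AA19 -> True, A19A -> False."""
    return any(a == b for a, b in zip(pw, pw[1:]))

def has_duplicate(pw: str) -> bool:
    """Duplicate character as in the guide's examples: ACDA -> True, ACDa -> False."""
    return len(set(pw)) != len(pw)

def check_password(pw: str, policy: PasswordPolicy) -> List[str]:
    """Return every violated rule; an empty list means the password complies."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append("shorter than minimum length")
    if len(pw) > policy.effective_max_length():
        problems.append("longer than maximum length")
    sets = {
        "upper case": (policy.upper, set(string.ascii_uppercase)),
        "lower case": (policy.lower, set(string.ascii_lowercase)),
        "number": (policy.digits, set(string.digits)),
        "special": (policy.special, set(policy.allowed_specials)),
    }
    for name, (cs, chars) in sets.items():
        count = sum(1 for c in pw if c in chars)
        if cs.rule is CharSetRule.FORBIDDEN and count:
            problems.append(f"{name} characters are forbidden")
        elif cs.rule is CharSetRule.MANDATORY and count < cs.minimum:
            problems.append(f"at least {cs.minimum} {name} character(s) required")
    # Assumption: a character in none of the four sets (a special character missing
    # from the allowed string, a non-ASCII letter, ...) is rejected.
    known = set().union(*(chars for _, chars in sets.values()))
    if any(c not in known for c in pw):
        problems.append("contains a character outside the allowed character sets")
    if policy.begin_with_uppercase and not (pw and pw[0] in string.ascii_uppercase):
        problems.append("must begin with an upper case character")
    if not policy.allow_sequential and has_sequence(pw, policy.sequence_length):
        problems.append("sequential characters are not allowed")
    if not policy.allow_duplicate and has_duplicate(pw):
        problems.append("duplicate characters are not allowed")
    if not policy.allow_repeated and has_repeated(pw):
        problems.append("consecutively repeated characters are not allowed")
    return problems

def strict_policy() -> PasswordPolicy:
    # A constructed policy for the demo, not one of the product's default policies.
    return PasswordPolicy(
        min_length=8, max_length=12,
        upper=CharSet(CharSetRule.MANDATORY, 1),
        lower=CharSet(CharSetRule.MANDATORY, 1),
        digits=CharSet(CharSetRule.MANDATORY, 1),
        begin_with_uppercase=True,
        allow_sequential=False, allow_duplicate=False, allow_repeated=False)

if __name__ == "__main__":
    for candidate in ("Tr7x!pq9", "abcd1234", "AA19xyzQ"):  # constructed samples
        print(candidate, check_password(candidate, strict_policy()) or "complies")
```

Running the block lists, for each constructed sample, the rules it violates under strict_policy: the first complies, the second fails the mandatory upper case set, the begin-with-uppercase rule and the sequential rule, and the third fails the sequential, duplicate and repeated rules at once. A Forbidden character set is reported separately from a character that is in no set at all, which is the distinction an administrator needs when a user reports that a password was rejected.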
2.7 Blacklist
Use
A blacklist is a list of applications where single sign-on functions are disabled.
Procedure
The following information appears when you click the Blacklist node:
The Blacklist node allows you to:
View the list of applications and Websites on the blacklist.
Click or press Del on your keyboard to remove an application or Website
from the blacklist.
Click to create a blacklist file <*.BLL> to be imported to the Enterprise Single
Sign-On Management Console (coming soon).
To add applications and Websites to the blacklist, see Using the E-SSO Learning Wizard to Register and Update Application Controls [page 11] and Register a Website and Credential Information [page 51].
2.8 Authentication
Use
The Authentication node contains the tools for managing your smart card and soft token.
Procedure
Access the following tools via the Authentication node:
Soft Token/Smart Card: Allows you to switch the token in use from smart card to soft token or from soft token to smart card. See Token Type Switching [page 45] for more information.
Copy Token Contents: Allows you to synchronize the contents of the smart card and the contents of the soft token. See Enterprise Single Sign-On Soft-Token Utility [page 45] for more information.
Smart Card > Certificates: Allows you to view certificates on the smart card, install certificates to the certificate store and export certificates to a system folder. For more information, see Certificates [page 49].
Soft Token > Import/Export Soft Token: Export soft token: Export a soft token to a user-defined location from the credential store. For more information, see Export Soft Token [page 47]. Import soft token: Import a soft token from a user-defined location to the credential store. For more information, see Import Soft Token [page 48].
Soft Token > Password Options: Troubleshoot soft token-related problems.
2.8.1 Token Type Switching
Use
The Token Switching (Soft Token/Smart Card) feature allows you to change the token in use (for example, switch from a smart card to a soft token or switch from soft token to smart
card).
Prerequisites
Windows XP: You need administrator rights to use this feature.
Windows Vista/Windows 7: The User Account Control dialog appears (providing User Account Control is active). To continue the installation process, select the option Allow – I trust this program. I know where it’s from or I’ve used it before. The installation
automatically continues.
Procedure
1. To open the Token Type dialog, select Authentication > Token Type on the Local
Management Console.
2. The Token Type dialog appears:
3. Select the token type that you want to use and click Apply.
4. You are prompted to restart your system:
5. Click Yes to restart your computer.
When switching from smart card to soft token and you have two smart card readers connected to your computer, you may be prompted with the error Smart card is not available. This happens when the card reader name is changed according to the USB slot number.
If you receive this error message, restart your computer and go to the E-SSO Card Configuration Tool to set the correct smart card reader. See E-SSO Card
Configuration Tool [page 63].
2.8.2 Enterprise Single Sign-On Soft-Token Utility
Use
The Enterprise Single Sign-On Soft-Token Utility allows you to synchronize soft token
credential entries with smart card credential entries.
Procedure
1. Open the Local Management Console (see Local Management Console (LMC) [page 8]) and select Authentication > Enterprise Single Sign-On Soft-Token Utility from the left pane.
2. You are asked to enter your smart card and/or soft token PIN.
PIN pad users: If smart card authentication is required, you are prompted to enter
your smart card PIN using the PIN pad:
3. The Enterprise Single Sign-On Soft Token Utility appears, displaying the credential
entries stored on the smart card and soft token:
4. Select the credential entry and click or icon to synchronize a specific entry.
5. Click Refresh to update the list of currently synchronized credential entries.
6. Click Exit to close the dialog.
2.8.3 Import/Export Soft Token (Soft Token Mode)
Use
Export soft token: Export a soft token to a user-defined location from the credential store.
For more information, see Export Soft Token [page 47].
Import soft token: Import a soft token from a user-defined location to the credential store.
For more information, see Import Soft Token [page 48].
Export Soft Token
1. Open the Local Management Console (see Local Management Console (LMC) [page 8]) and select Authentication > Soft Token > Import/Export Soft Token from the left pane.
2. The Import/Export Soft Token dialog appears:
3. Select Export soft token then click the Browse button.
4. The Select soft token file dialog appears:
Navigate to the folder where the soft token is exported to.
Enter a soft token file name into the File name field and click Open.
5. The Import/Export Soft Token Credentials dialog re-appears displaying the selected
soft token file location. Click OK.
6. You are prompted to enter the E-SSO password. See Initial Soft Token Logon [page 7] for information on assigning your E-SSO password.
7. Enter the password and click OK to export the soft token to the specified location.
Import Soft Token
1. Open the Local Management Console (see Local Management Console (LMC) [page 8])
and select Authentication > Soft Token > Import/Export Soft Token from the left pane.
2. The Import/Export Soft Token Credentials dialog appears:
3. Select Import soft token and click the Browse button.
4. The Select soft token file dialog appears:
5. Navigate to the folder and select the soft token to be imported.
6. Click Open.
7. The Import/Export Soft Token Credentials dialog re-appears displaying the selected
soft token file location. Click OK.
8. You are prompted to enter the E-SSO password. See Initial Soft Token Logon [page 7]
for information on assigning your E-SSO password.
9. Enter the password and click OK to import the specified soft token.
2.8.4 Certificates (Smart Card Mode)
To open the Certificates subnode, select Authentication > Smart Card > Certificates on the Local Management Console. The following information appears when you click the Certificates subnode:
Use this dialog to view certificates, install certificates to the certificate store and export certificates to a system folder. The right pane displays all the certificates stored on the smart card. This dialog allows you to perform the following actions:
Click to view certificates. For more information, see View Certificates [page 49].
Install a certificate into the Microsoft Certificate Store and export a certificate to a system
folder. For more information, see Where to Get Other Information [page 50].
2.8.4.1 View Certificates on Smart Card
Use
View and examine certificates.
Procedure
1. Open the Local Management Console (see Local Management Console (LMC) [page 8]) and select Authentication > Smart Card > Certificates from the left pane. All certificates stored on the smart card are displayed in the right pane of the dialog. Select a certificate from the list and click View (you can also double-click the certificate to view it).
2. The Certificates dialog appears:
3. Examine the certificate by clicking the tabs General, Details, and Certificate Path. For more information on these tabs, see the Microsoft proprietary documentation, or click the
certificates link at the bottom of the General tab to view online help.
4. Click OK to close the dialog.
2.8.4.2 Where to Get Other Information
View Certificates
For viewing, importing, and exporting certificates under Windows XP, Windows Vista, and
Windows 7, see http://www.microsoft.com.
2.9 Enterprise Single Sign-On to Web Applications (Web SSO)
Use
Enterprise Single Sign-On allows you to log on to Web applications or Websites that use a logon dialog (for example, http://mail.yahoo.com/). To allow for this functionality, Enterprise Single Sign-On integrates a toolbar into the Internet browser and is automatically activated
after completing Enterprise Single Sign-On installation.
Supported Browsers
The following browsers are supported by Web E-SSO:
Internet Explorer (versions 6, 7 and 8)
Firefox (version 3)
2.9.1 Enterprise Single Sign-On Web Toolbar and Icons
Use
To use Enterprise Single Sign-On Web E-SSO, a toolbar is integrated into the browser and is
automatically activated after completing Enterprise Single Sign-On installation.
Procedure
When you launch a browser, the Enterprise Single Sign-On Web toolbar is presented on the
top right side of the browser:
The Enterprise Single Sign-On Web toolbar allows you to perform the following actions:
Click to launch the Local Management Console. For more information, see Local Management Console (LMC) [page 8].
Click to automatically fill the logon fields. This icon is only enabled if the credentials are stored on your token and if the Automatic Login feature is disabled. For
more information, see Using Web E-SSO [page 61].
Click to register the Website for single sign-on. For more information, see Register a Website and Credential Information [page 51].
Click the corresponding icon to enable or disable the Automatic Login feature. The Automatic Login feature allows you to log on to a Website without having to enter the credentials and click the logon button.
Click to view the list of Websites that are registered to Web single sign-on.
For more information, see Using Web E-SSO [page 61].
2.9.2 Register a Website and Credential Information
Use
If you intend to use Enterprise Single Sign-On for a Web application or Website (for example,
http://mail.yahoo.com/), you first need to register the Website and credential information.
Procedure
1. When you start a Web application for the first time after Enterprise Single Sign-On installation, Enterprise Single Sign-On detects if the Website requires authentication. Enterprise Single Sign-On automatically launches the Web E-SSO registration dialog:
2. Perform any of the following:
Register the Website and credentials (see the next step to proceed).
Click Later to register at a later time and close the Web E-SSO registration dialog.
Click Never to disable single sign-on functions for this application and close the application registration dialog. The application is also added to the blacklist. For more information on managing the blacklist, see Blacklist [page 43].
Depending on the settings made by your system administrator, the Web E-SSO registration dialog might not launch automatically. In that case you can open the dialog by clicking the registration icon on the Enterprise Single Sign-On Web toolbar. Enterprise Single Sign-On launches the Web E-SSO registration dialog:
3. In the Register this webpage area, select one of the following options:
Option: Domain name
Description: Select this option to register the domain (for example, http://yahoo.com). By selecting this option, Enterprise Single Sign-On automatically logs on to a Website, all its sub-domains, and URLs using the same credentials. For example, the same user credentials are used to log on to http://yahoo.com and its sub-domains http://mail.yahoo.com and http://webmessenger.yahoo.com/.
Option: Fully qualified domain name
Description: Select this option to register the fully qualified domain name or sub-domain (for example, http://mail.yahoo.com). In this case, Enterprise Single Sign-On automatically logs on to a Website and URLs using the same credentials. For example, a user registers the sub-domain http://mail.yahoo.com and its respective credentials. Now:
If the user logs in to the URL https://login.yahoo.com/config/login_verify2?&.src=ym, the same credentials are used to sign in automatically.
If the user logs in to the domain http://yahoo.com, the user needs to register a new credential (step 1 of this section).
Option: URL
Description: Select this option to register the whole URL without the query string. This option is recommended if you need to register two different URLs with the same domain name and the same fully qualified domain name.
To add a domain name, fully qualified domain name, or full URL to the blacklist, select an option from the Register this webpage area and click Never.
4. Enter the credentials. To do this, either:
Select a credential that has been previously added (for example, if you use the same user name and password for Skype, Yahoo, and the company intranet) in the Credential name field. The User Name and Password fields are then filled in automatically. Or…
Add a new credential by entering information into the Credential name, User name, and Password fields.
5. Select Automatic Login to enable the Automatic Login feature for this Website and
credential.
6. Click Register or OK to save the credential.
7. If the credentials entered are correct, you will be automatically logged in to the Website. You can view, edit and delete the Websites and credentials registered to single sign-on in
the Local Management Console. For more information, see the following sections:
To view, edit or delete a Web application or Website, see Applications [page 10].
To view, edit or delete a credential for a Website, see Credentials [page 29].
To register another credential for the same Website: On the Website logon page,
click on the Enterprise Single Sign-On Web toolbar. The Web E-SSO registration dialog appears:
Enter credentials as described in step 3 of this section. Select the Use as Default
option if you want this credential to be the default login for this Website.
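To make the three registration scopes concrete, here is an added Python example; it is not part of this guide and not code from the Enterprise Single Sign-On product. It models a registry of registered Websites that decides, for a given URL, whether a stored credential applies (and which one), whether the site was blacklisted with Never, or whether registration is still needed. The WebSsoRegistry class, the scope constants, the sample registrations (yahoo.com, mail.yahoo.com, two intranet.example.com URLs, ads.example.com), the two-label rule for deriving the domain, and the rule that the most specific scope wins with the Use as Default credential first are all assumptions for illustration. The guide's own example, in which a credential registered for mail.yahoo.com also signs in at the login.yahoo.com logon URL, involves the product following the logon flow; that is not modelled here, where the fully qualified domain name scope matches the host exactly.

```python
"""Added example, not code from the SAP Enterprise Single Sign-On product:
a small model of the Domain name / Fully qualified domain name / URL
registration scopes and of the Never blacklist. All names below are
assumptions for illustration; the sample registrations are constructed."""
from urllib.parse import urlsplit

DOMAIN = "Domain name"                  # matches the domain and all sub-domains
FQDN = "Fully qualified domain name"    # matches exactly one host
URL = "URL"                             # matches one URL without its query string
SPECIFICITY = {DOMAIN: 0, FQDN: 1, URL: 2}   # assumption: most specific scope wins


def host_of(url):
    """Lower-case host name of a URL, without a trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(host):
    """Assumption: the last two labels form the domain (yahoo.com).
    A real implementation needs a public-suffix list for names like co.uk."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def url_without_query(url):
    """scheme://host/path with the query string and fragment dropped."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{host_of(url)}{parts.path or '/'}"


def scope_key(scope, url):
    """The value stored for a registration of the given scope."""
    if scope == DOMAIN:
        return registrable_domain(host_of(url))
    if scope == FQDN:
        return host_of(url)
    if scope == URL:
        return url_without_query(url)
    raise ValueError(f"unknown scope: {scope}")


class WebSsoRegistry:
    """Registered Websites and their credentials (constructed model)."""

    def __init__(self):
        # each entry: scope, key, credential name (None = blacklisted), default flag
        self.entries = []

    def register(self, scope, example_url, credential, default=False):
        self.entries.append({"scope": scope, "key": scope_key(scope, example_url),
                             "credential": credential, "default": default})

    def blacklist(self, scope, example_url):
        """Models clicking Never: the site is recorded with no credential."""
        self.register(scope, example_url, None)

    @staticmethod
    def _matches(entry, url):
        scope, key = entry["scope"], entry["key"]
        host = host_of(url)
        if scope == DOMAIN:
            return host == key or host.endswith("." + key)
        if scope == FQDN:
            return host == key
        return url_without_query(url) == key

    def credential_for(self, url):
        """Return ("fill", name), ("blacklisted", None) or ("register", None)."""
        hits = [e for e in self.entries if self._matches(e, url)]
        if any(e["credential"] is None for e in hits):
            return ("blacklisted", None)       # Never disables single sign-on here
        if not hits:
            return ("register", None)          # the registration dialog would appear
        # Most specific scope first; among equals, the Use as Default credential first.
        hits.sort(key=lambda e: (-SPECIFICITY[e["scope"]], not e["default"]))
        return ("fill", hits[0]["credential"])


def sample_registry():
    """Constructed registrations mirroring the guide's yahoo.com examples."""
    reg = WebSsoRegistry()
    reg.register(DOMAIN, "http://yahoo.com", "yahoo-main")
    reg.register(FQDN, "http://mail.yahoo.com", "yahoo-mail")
    reg.register(URL, "http://intranet.example.com/app1/login?lang=en", "intranet-app1")
    reg.register(URL, "http://intranet.example.com/app2/login", "intranet-app2")
    reg.blacklist(FQDN, "http://ads.example.com")
    return reg


if __name__ == "__main__":
    reg = sample_registry()
    for url in ("http://webmessenger.yahoo.com/", "http://mail.yahoo.com/inbox",
                "http://intranet.example.com/app2/login?session=abc",
                "http://ads.example.com/login", "https://example.org/"):
        print(url, "->", reg.credential_for(url))
```

The scope you choose is also the scope at which a credential can be auto-filled: a Domain name registration hands the same credential to every sub-domain, so a narrower Fully qualified domain name or URL registration limits where the stored password is used.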
2.9.3 Password Change for a Website
Use
If you intend to use Enterprise Single Sign-On for a Web application or Website (for example,
http://mail.yahoo.com/), you will first need to register the Website and credential information.
Procedure
1. When an application password change dialog is launched, Enterprise Single Sign-On detects if the application requires registration. Enterprise Single Sign-On automatically
launches the Web E-SSO change password dialog.
2. If the Web E-SSO Change Password dialog is not automatically launched, you can open
the dialog by clicking on the Enterprise Single Sign-On Web toolbar.
3. The Web E-SSO Change Password dialog appears:
4. The following options are available:
Manual: Enter a new password into the New Password and Confirm Password fields
and click Change.
Automatic: To generate a password based on the defined password policy, select
Auto Generate and click Change.
The generated password will be based on the password policy for the
application.
5. You can set the password policy by editing the application single sign-on options. See for
more information.
2.9.4 How to Activate or Deactivate the Enterprise Single Sign-On Web Toolbar
Use
If you intend to use Enterprise Single Sign-On for a Web application or Website (for example,
http://mail.yahoo.com/), you will first need to register the Website and credential information.
Procedure
1. Right-click the command bar at the top right side of the browser.
2. Check or uncheck Enterprise Single Sign-On to activate or deactivate the Enterprise
Single Sign-On Web toolbar.
Firefox users: The Web E-SSO plug-in will not be available if you installed Enterprise Single Sign-On before installing Firefox. To enable your Enterprise Single Sign-On Web toolbar, contact your system administrator to install the Web
Single Sign-On Firefox Support component.
2.10 Enable or Disable Enterprise Single Sign-On
1. Right-click the Enterprise Single Sign-On icon in the system tray:
2. Select Enable Single Sign-On or Disable Single Sign-On.
2.11 Enable or Disable E-SSO Learning Wizard
1. Right-click the Enterprise Single Sign-On icon in the system tray:
2. Select Disable E-SSO Learning Wizard. Enterprise Single Sign-On will then not detect any application that requires E-SSO registration. Alternatively, you can select Enable E-SSO Learning Wizard to detect whether an application requires E-SSO registration.
Disabling the E-SSO Learning Wizard does not interrupt other single sign-on operations. You can still use Enterprise Single Sign-On for applications that have been previously registered. However, launching unregistered applications will not
display the E-SSO Learning Wizard.
You can still register a new application, a pre-defined application or a change password dialog if the E-SSO Learning Wizard is disabled. To do this, right-click
the Enterprise Single Sign-On icon in the system tray and click Register New Application in the context menu.
2.12 Log In To or Log Out From Enterprise Single Sign-On (Soft Token Only)
1. Right-click the Enterprise Single Sign-On icon in the system tray:
2. Select Log in to authenticate to E-SSO or Log Out to prevent access to the E-SSO credentials via the Local Management Console as well as credential entry in applications
or websites.
3 Usage
3.1 Log on to Windows (Smart Card only)
Log in to Windows using single sign-on. Windows logon applies when you start or restart the system, switch users, or log off a user.
You can use either a password credential or a certificate credential when logging on to
Windows:
Password credential: Use the password credential to log on to the local account or a
domain account.
Certificate credential: Use the certificate credential to log on with a valid certificate stored on the smart card. You will be required to join a domain when using the certificate
credential.
3.1.1 Log on to Windows XP
Use
Log on to Windows XP using single sign-on.
Prerequisites
Make sure that the smart card has been enabled for Windows XP Logon. For more information on initializing smart cards for E-SSO, see the Enterprise Single Sign-On
Installation and Configuration Guide.
Procedure
1. After starting your system, the Welcome to Windows dialog appears:
2. Insert your smart card.
3. The Unlock Computer dialog appears:
4. Enter your PIN into the PIN field.
5. To log on with certificate credential, select Log on with certificate on the bottom left of the
dialog.
6. Click OK. You will now be logged in to Windows.
3.1.2 Log on to Windows Vista or Windows 7
Use
Log on to Windows Vista or Windows 7 using single sign-on.
Prerequisites
Make sure that the smart card has been enabled for Windows Vista or Windows 7 Logon. For more information on initializing smart cards for E-SSO, see the Enterprise Single Sign-On
Installation and Configuration Guide.
Procedure
1. After starting the system, the Welcome to Windows dialog appears.
If you have not yet inserted your smart card, do so now.
Click the Switch User button or press the ESC key on your keyboard.
2. The Windows logon options appear:
The following logon options are available:
Option: Microsoft Vista logon tile
Description: Use this icon if you intend to log on without using the smart card.
Option: Logon with smart card (certificate credential)
Description: Use the certificate credential to log on with a valid certificate stored on the smart card. A certificate icon is displayed on the tile to indicate logon with certificate credential. You will be required to join a domain when using the certificate credential.
Option: Logon with smart card (password credential)
Description: Use the password credential to log on to the local account or a domain account. You are prompted to enter a PIN and a domain name to log on.
Depending on the policy settings defined by the system administrator, you might not see all the tiles for the Vista logon. It is possible that you can only log on with a smart card.
3. Depending on the option that you have selected, you are prompted to enter the following
information:
Certificate credential: Enter your token PIN and click to log on to Windows.
Password credential: Enter your token PIN and the domain name. Click to log on
to Windows.
4. You will now be logged in to Windows.
3.2 Log on to Citrix Presentation Server
Use
To use Enterprise Single Sign-On in a Citrix environment, simply start the Citrix ICA Client and use Enterprise Single Sign-On as usual.
This version of Enterprise Single Sign-On only supports soft token for Citrix use.
Prerequisites
System Administrator: Make sure that all preparation steps have been completed prior to using Enterprise Single Sign-On in the Citrix environment. For more information, see the
Enterprise Single Sign-On Installation and Configuration Guide.
3.3 Log on to a Windows Application
Use
Log on to Windows, Java, and terminal emulator applications.
Procedure
To use single sign-on for Windows applications, either:
Start the application and you are automatically logged in. Or…
If the Select a credential to login dialog appears, select the credential from the drop-
down menu and click OK:
Depending on the policy settings defined by the system administrator, you might not see the Select Credential dialog. System administrators can enable this
feature via the ShowCedentialDialog policy setting in the signon.adm file (via
Group Policy Editor). For more information, see the Enterprise Single Sign-On
Installation and Configuration Guide.
PIN pad users: If smart card authentication is required, you are prompted to enter
your smart card PIN using the PIN pad:
3.4 Log on to IBM Personal Communicator
Use
Log on to IBM Personal Communicator.
Prerequisites
Make sure that you have registered IBM Personal Communicator with E-SSO and linked its credentials before proceeding with this section. For more information on how to get started with IBM Personal Communicator, see Register IBM Personal Communicator for an IBM Series System [page 23].
Procedure
To use single sign-on for IBM Personal Communicator, simply launch the application, select the previously saved profile and click Start:
3.5 Using Web E-SSO
Use
Log on to a Website using Web single sign-on.
Prerequisites
Make sure that you have registered the Website with E-SSO and linked its credentials before proceeding to this section. For more information on how to get started with Web E-SSO, see
Enterprise Single Sign-On Web Single Sign-On (Web E-SSO) [page 50].
Procedure
1. Open Internet Explorer or Firefox. You can browse to a Website in either of the following ways:
Type the URL into the Address bar.
On the Enterprise Single Sign-On Web toolbar, click to view the list of Websites that are registered to Web single sign-on. Select the Website that you want
to log on to.
2. The Website is now launched.
If the Automatic Login feature is enabled, you are automatically logged on to the Website. The toolbar icon indicates that the feature is enabled.
If the logon credentials are not displayed, click the fill-in icon on the Enterprise Single Sign-On Web toolbar.
If Automatic Login is disabled, click the Submit button. The toolbar icon indicates that the feature is disabled. You will now be logged in to the Website.
3.6 Log on to Special Applications Using the Drag & Drop Feature
Use
The drag & drop feature is provided to allow single sign-on to applications or Websites that
cannot be registered to Enterprise Single Sign-On.
Prerequisites
Make sure that you have registered the Website and linked its credentials to the Website before proceeding to this section. For more information on how to get started with Web E-
SSO, see Drag & Drop Credentials [page 34].
Procedure
1. Open the logon dialog of the application, or browse to the logon page of the Website.
2. You can use the drag & drop feature via the Local Management Console or the Drag &
Drop Credentials dialog:
Local Management Console: Display the details pane of the credential that is linked to the special Website by expanding the Drag & Drop Credentials node in the Local
Management Console (for more information, see Drag & Drop Credentials [page 34])
Drag & Drop Credentials dialog: Right-click the Enterprise Single Sign-On icon in
the system tray and click Drag & Drop Credentials in the context menu:
3. The Drag & Drop Credentials dialog appears:
4. The following are options on using the drag & drop feature:
Individually drag & drop each logon parameter to its corresponding logon field (via the Drag & Drop Credentials dialog or the Local Management Console) and click the corresponding logon or submit button.
Collectively drag all logon parameters, using the corresponding icon (in the Local Management Console or in the Drag & Drop Credentials dialog), to the first logon field.
3.7 E-SSO Card Configuration Tool
Use
If you have more than one smart card reader connected and you intend to use them with Enterprise Single Sign-On, you must use the E-SSO Card Configuration Tool to define the card reader. You can configure the card reader any time after installing Enterprise Single
Sign-On.
Procedure
1. Start the E-SSO Card Configuration Tool as follows:
Windows XP: Start > All Programs > SAP > signon > E-SSO Card Configuration Tool
Windows Vista and Windows 7: Windows logo > All Programs > SAP > signon > E-
SSO Card Configuration Tool
2. The E-SSO Card Configuration Tool dialog appears:
The active card reader configuration is listed in the upper field Current Configuration.
Click Refresh to update the list of currently connected card readers in the Available
PC/SC smart card readers combo-box.
Enable Favour readers with inserted smart card if you want to view only those readers
that currently have a smart card inserted in them (click Refresh first!).
Click Reset in the lower left corner to erase the active settings.
3. Select the card reader you want to use with Enterprise Single Sign-On and click OK. The E-SSO Card Configuration Tool dialog closes.
4. To complete card reader configuration:
Windows XP: Restart your system.
Windows Vista and Windows 7: Log off and log back in to the system.
4 Additional Information
4.1 Soft Token Troubleshooting
Use
The Soft Token Password Reset is an Enterprise Single Sign-On feature that helps you
troubleshoot soft token-related problems.
Procedure
1. To open the Soft Token Password Reset tool, either:
Select Authentication > Soft Token > Password Options on the Local Management
Console.
Right-click the Enterprise Single Sign-On icon in the system tray and click Password Options in the context menu:
2. The Soft Token Password Reset dialog appears:
3. The following options are available:
Option: Reset E-SSO password
Description: Use this option to reset your E-SSO password if it has been forgotten. For more information, see Reset the E-SSO Password [page 65].
Option: Change E-SSO password
Description: Use this option to change your E-SSO password if it has been compromised or company policy dictates that you change your PIN on a regular basis. For more information, see Change Soft Token Unlock (SSO password) [page 66].
Option: Change Question Answer for E-SSO Password Reset
Description: Use this option to change your question and answer/pass phrase that was defined along with the initial E-SSO password (see Initial Soft Token Logon [page 7]) if it has been compromised or company policy dictates that you change your pass phrase on a regular basis. The answer should always be at least 8 characters. For more information, see Change Security Question [page 66].
Option: Disable/Enable Automatic Logon to E-SSO
Description: You can either enable or disable automatic logon to the Enterprise Single Sign-On application after logging into Windows:
If you disable automatic logon, you are required to enter the E-SSO password after Windows logon. This provides a higher level of security.
If you enable automatic logon, you are not required to enter the E-SSO password after Windows logon. The password will be protected via the Windows Data Protection API (DPAPI).
The Enter E-SSO Password dialog appears whenever you enable or disable automatic logon to E-SSO. Enter your current E-SSO password to confirm the changes.
Option: Exit
Description: Clicking Exit closes the Soft Token Password Reset dialog.
4.1.1 Reset the E-SSO Password
Use
Reset the E-SSO password. This applies to the soft token only.
Procedure
1. Open the E-SSO Password Options dialog. See Soft Token Troubleshooting [page 64].
2. Click Reset E-SSO Password.
3. The Reset SSO Password dialog appears:
4. Select from the drop-down list the question that was defined during the initial Enterprise Single Sign-On soft token logon, and enter the correct answer into the Answer field. The answer must be between 8 and 20 characters. See Initial Soft Token Logon [page 7].
5. Enter your new password into the New Password and Confirm New Password fields. The new password must be between 8 and 20 characters. It is recommended to use a mix of upper-/lower-case characters, special characters, and numbers.
6. Click OK.
7. Your new password is stored in the soft token.
4.1.2 Change the E-SSO Password
Use
Change the soft token password. This applies to the soft token only.
Procedure
1. Open the E-SSO Password Options dialog. See Soft Token Troubleshooting [page 64].
2. Click Change E-SSO Password.
3. The Change E-SSO Password dialog appears:
4. Enter your current E-SSO password into the Old Password field.
5. Enter a new password into the New Password and Confirm New Password fields. The new password must be between 8 and 20 characters. It is recommended to use a mix of upper-/lower-case characters, special characters, and numbers.
6. Click OK.
7. Your new password is stored in the soft token.
4.1.3 Change Security Question
Use
Change question and answer/passphrase used to recover the E-SSO password in an
emergency scenario.
Procedure
1. Open the E-SSO Password Options dialog. See Soft Token Troubleshooting [page 64].
2. The E-SSO Password Options dialog appears. Click Change Security Question for
Resetting E-SSO Password.
3. The Change Security Question for Resetting E-SSO Password dialog appears:
4. Enter the current E-SSO password into the E-SSO Password field.
5. Select a question from the Question drop-down menu and type the corresponding answer/pass phrase into the Answer field. The answer must be between 8 and 20 characters.
6. Click OK. The new question and answer are stored in the soft token.
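The length rule and the character-mix recommendation from sections 4.1.1 and 4.1.2, and the answer length rule from section 4.1.3, as an added Python example; this is not the product's own password checker and the function names, the character classes and the sample inputs are assumptions for illustration. The rules the guide states as "must" (matching confirmation, 8 to 20 characters) are reported as errors that reject the input, and the "recommended" mix of upper-/lower-case letters, numbers and special characters is reported as a warning only, so the check does not refuse a password the dialog would accept.

```python
"""Added example, not the product's own password checker: the length rule
(8 to 20 characters) and the character-mix recommendation from the E-SSO
password procedures, plus the reset-answer length rule. Function names are
assumptions for illustration."""

MIN_LEN, MAX_LEN = 8, 20  # stated in the guide for passwords and reset answers

# The classes the guide recommends mixing (names are this example's own).
CHARACTER_CLASSES = {
    "upper-case letter": str.isupper,
    "lower-case letter": str.islower,
    "number": str.isdigit,
    "special character": lambda c: not c.isalnum() and not c.isspace(),
}


def length_ok(value):
    """True if the value is between MIN_LEN and MAX_LEN characters inclusive."""
    return MIN_LEN <= len(value) <= MAX_LEN


def missing_classes(password):
    """Character classes the recommendation asks for that the password lacks."""
    return [name for name, test in CHARACTER_CLASSES.items()
            if not any(test(c) for c in password)]


def check_new_password(new_password, confirm_password):
    """Return (accepted, errors, warnings) for the New / Confirm New Password fields.
    Errors reflect the guide's must-rules and reject the password; warnings only advise."""
    errors, warnings = [], []
    if new_password != confirm_password:
        errors.append("New Password and Confirm New Password do not match")
    if not length_ok(new_password):
        errors.append(f"password must be between {MIN_LEN} and {MAX_LEN} characters")
    missing = missing_classes(new_password)
    if missing:
        warnings.append("recommended but not used: " + ", ".join(missing))
    return (not errors, errors, warnings)


def check_reset_answer(answer):
    """The answer/pass phrase for the reset question must be 8 to 20 characters."""
    return length_ok(answer)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for new, confirm in (("Tr0ub4dor!x", "Tr0ub4dor!x"), ("short1!", "short1!"),
                         ("Password1", "Password2")):
        print(repr(new), check_new_password(new, confirm))
    print(check_reset_answer("my first school"), check_reset_answer("abc"))
```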