Date post: 08-Jun-2020

PUBLIC

Document Version: 1.0 – 07/2011


© Copyright 2011 SAP AG. All rights reserved.



User Guide: Enterprise Single Sign-On


Contents

1 Introduction
  1.1 About this Document
2 Preparation
  2.1 Initial Soft Token Logon
  2.2 Local Management Console (LMC)
  2.3 Applications
    2.3.1 Using the E-SSO Learning Wizard to Register and Update Application Controls
    2.3.2 Register a New Application
    2.3.3 Register a Password Change Dialog
    2.3.4 Register a Predefined Application
    2.3.5 Register a Terminal Emulator Application
    2.3.6 Register IBM Personal Communicator for an IBM Series System
    2.3.7 View and Edit Single Sign-On Options for an Application
  2.4 Credentials
    2.4.1 Add a New Credential
    2.4.2 View and Edit Credential Details
  2.5 Drag and Drop Credentials
    2.5.1 Add a New Drag and Drop Credential
    2.5.2 View and Edit Drag and Drop Credential Details
  2.6 Policies
    2.6.1 Add a New Password Policy
    2.6.2 Edit the Attributes of a Password Policy
  2.7 Blacklist
  2.8 Authentication
    2.8.1 Token Type Switching
    2.8.2 Enterprise Single Sign-On Soft-Token Utility
    2.8.3 Import/Export Soft Token (Soft Token Mode)
    2.8.4 Certificates (Smart Card Mode)
  2.9 Enterprise Single Sign-On to Web Applications (Web SSO)
    2.9.1 Enterprise Single Sign-On Web Toolbar and Icons
    2.9.2 Register a Website and Credential Information
    2.9.3 Password Change for a Website
    2.9.4 How to Activate or Deactivate the Enterprise Single Sign-On Web Toolbar
  2.10 Enable or Disable Enterprise Single Sign-On
  2.11 Enable or Disable E-SSO Learning Wizard
  2.12 Log In To or Log Out From Enterprise Single Sign-On (Soft Token Only)
3 Usage
  3.1 Log on to Windows (Smart Card only)
    3.1.1 Log on to Windows XP
    3.1.2 Log on to Windows Vista or Windows 7
  3.2 Log on to Citrix Presentation Server
  3.3 Log on to a Windows Application
  3.4 Log on to IBM Personal Communicator
  3.5 Using Web E-SSO
  3.6 Log on to Special Applications Using the Drag & Drop Feature
  3.7 E-SSO Card Configuration Tool
4 Additional Information
  4.1 Soft Token Troubleshooting
    4.1.1 Reset the E-SSO Password
    4.1.2 Change the E-SSO Password
    4.1.3 Change Security Question


1 Introduction

Enterprise Single Sign-On (E-SSO) helps end users log on to multiple systems or applications without the need to remember every password or logon dialog. Once a user has successfully authenticated to the Enterprise Single Sign-On application, further logons to applications running under the system’s control are carried out automatically.

Enterprise Single Sign-On supports the following methods of signing on to an application:

- Windows logon (for smart card-based authentication only)

  This method can either be certificate-based or can use a user ID/password combination stored on the smart card.

- Certificate-based authentication (for smart card-based authentication only)

  Certificate-based authentication is provided via standard interfaces such as Microsoft Crypto-API, RSA PKCS#11 or the GSS-API. The logon requirements of most applications, such as Internet browsers, e-mail clients, VPN clients, and so on, can be fulfilled via these interfaces.

  Windows logon and certificate-based authentication are not available for operation with a soft token.

- Logon to Windows applications

  This feature allows you to use single sign-on for password-protected Windows, .NET, terminal emulator, and Java applications.

- Logon to Websites (Web Single Sign-On)

  This feature allows you to log on to password-protected Websites using single sign-on. A toolbar for Microsoft Internet Explorer and Mozilla Firefox enables the registration and management of sites for single sign-on.

1.1 About this Document

Purpose

This document describes how to use Enterprise Single Sign-On on Windows XP, Windows Vista, and Windows 7.

Constraints

This guide does not provide information about how to install, modify, remove, and configure Enterprise Single Sign-On. For such information, see the Enterprise Single Sign-On Installation and Configuration Guide.


2 Preparation

2.1 Initial Soft Token Logon

Use

After the initial installation of Enterprise Single Sign-On and a subsequent restart, an initialization dialog prompts you to enter a password for Enterprise Single Sign-On (E-SSO) to capture, encrypt, and safely store all your credentials, and to choose a password recovery question and an appropriate answer.

Procedure

1. When you start Windows for the first time after Enterprise Single Sign-On installation, the Initialize Soft Token Password dialog appears.

2. Enter a password into the E-SSO Password field. The password must be at least 8 characters long. To achieve a higher level of security, it is recommended to use a mix of upper- and lower-case characters, numbers, and special characters.

3. Optionally check Enable automatic logon to E-SSO when logged into Windows session (can be deactivated via Local Management Console) to allow Windows to automatically log on to the Enterprise Single Sign-On application after successful Windows logon. This option can be activated or deactivated at any time via the Password Options feature in the Local Management Console. This feature uses the Windows Data Protection API (DPAPI) to protect the password.

4. Under Question/Answer for E-SSO Password Recovery:

   - Select a question from the Question drop-down menu.

   - Enter the corresponding, individual answer into the Answer field.

5. This information will now be used to access, and recover, Enterprise Single Sign-On from this point onwards. The Enterprise Single Sign-On icon will appear in the taskbar.


For automatic logon only: If a Windows password is reset by the System Administrator, the user will be prompted to enter the Enterprise Single Sign-On password after Windows logon to re-enable the automatic logon feature (DPAPI):

2.2 Local Management Console (LMC)

Use

Enterprise Single Sign-On has a Local Management Console (LMC) in which all aspects of the application can be configured. This section explains how to open the Local Management Console and describes its GUI.

Procedure

1. The Local Management Console can be opened via one of the following options:

   - Via the Start menu: click Start > All Programs > SAP > signon > Local Management Console.

   - Double-click the Enterprise Single Sign-On icon in the system tray.

   - Right-click the Enterprise Single Sign-On icon in the system tray and choose Local Management Console in the context menu.

   - In your Internet browser (Internet Explorer or Firefox), click the Local Management Console icon on the Enterprise Single Sign-On Web toolbar.

For more information about the Enterprise Single Sign-On Web toolbar, see Enterprise Single Sign-On Web Single Sign-On (Web E-SSO) [page 50] or Using Web E-SSO [page 61].


2. The Local Management Console appears:

   - The Search box and button located at the top of the left pane can be used to look for a specific term within the whole navigation tree in the left pane. Enter search criteria and click Search; use F3 on your keyboard to go to the next search result.

   - The navigation tree in the left pane allows a user to view and configure each aspect of the application. Clicking a node will display the details for that node either in the right pane or in a pop-up window. The following nodes are available:

| Node | Description |
|---|---|
| Applications | Applications allows you to register, view, edit or delete a Windows or Web application. For more information about Applications, see Applications [page 10]. |
| Credentials | Credentials allows you to add, view, edit and delete the credentials contained within the soft token or smart card. For more information about Credentials, see Credentials [page 29]. |
| Drag & Drop Credentials | Drag & Drop Credentials allows you to add, view, edit and delete credentials used for drag & drop. The drag & drop feature is provided to allow single sign-on to applications or Websites that cannot be registered to Enterprise Single Sign-On. For more information on Drag & Drop Credentials, see Drag & Drop Credentials [page 34]. |
| Policies | Policies allows you to add, view, edit and delete password policies. A Password Policy is a set of rules that govern the characters to be used as well as the password length for Windows- or web-based passwords that are created in Enterprise Single Sign-On. For more information about password policies, see Policies [page 39]. |
| Blacklist | Blacklist allows you to view and delete applications from the blacklist. The blacklist is a list of applications for which Enterprise Single Sign-On functions are disabled. For more information about the blacklist, see Blacklist [page 43]. |
| Authentication | Authentication allows you to access authentication-related tools and features, specifically Token Switching (Soft Token/Smart Card), Token Utility, and Certificates. For more information about authentication, see Authentication [page 44]. |

Depending on which node is clicked, a menu, indicated by a row of icons, will appear above the information in the right pane. Depending on the task, one or more of the following icons will be available:

- Add a new entry to the selected node.

- Modify an existing entry on the selected node.

- Remove an existing entry from the selected node.

- View an entry from the selected node.

- Create an application file <*.api> to be imported to the Enterprise Single Sign-On Management Console (coming soon).

2.3 Applications

The following information appears when you click the Applications node:

The Applications node in the left pane of the Local Management Console has the following sub-nodes:

| Sub-node | Description |
|---|---|
| Windows | Displays all the Windows applications currently registered to E-SSO (for example, Skype) |
| Web | Displays all the Web applications or Websites currently registered to E-SSO (for example, mail.yahoo.com) |
| Terminal Emulator | Displays all the terminal emulator applications currently registered to E-SSO. |

If you click the Applications, Windows, Web or Terminal Emulator nodes, the right pane of the Local Management Console displays the following information for registered applications or Websites:

| Details | Description |
|---|---|
| Name | Displays the names of the registered applications |
| Type | Displays the type of application; can either display Windows or Web |
| Default Credentials | Displays the default credential for each of the registered applications |

The Applications node and subnodes allow you to perform the following actions:

- Click [icon] to open the E-SSO Learning Wizard to register and update application controls. You can also right-click Applications on the left pane of the Local Management Console and select Add in the context menu. For more information, see Using the E-SSO Learning Wizard to Register and Update Application Controls [page 11].

- Click [icon] to modify single sign-on options for an application. For more information, see View and Edit Single Sign-On Options for an Application [page 27].

- Click [icon] or press Del on your keyboard to delete an application from single sign-on. You can also right-click the application that you want to delete on the left pane of the Local Management Console and select Delete in the context menu.

- Click [icon] to create an application file <*.api> to be imported to the Enterprise Single Sign-On Management Console (coming soon).

2.3.1 Using the E-SSO Learning Wizard to Register and Update Application Controls

Use

If you intend to use Enterprise Single Sign-On for a Windows application (for example, Skype), you will first need to register the application. The E-SSO Learning Wizard is an Enterprise Single Sign-On component that helps you register and update Windows application controls.

The E-SSO Learning Wizard only applies to Windows applications. To register a Web application or Website, use the Enterprise Single Sign-On Web toolbar. See Register a Website and Credential Information [page 51].

Open E-SSO Learning Wizard

1. When you start a Windows application for the first time after Enterprise Single Sign-On installation, Enterprise Single Sign-On detects if the application requires authentication and automatically launches the E-SSO Learning Wizard:


2. The application registration dialog allows you to perform the following:

   - Click Register to register the application and, optionally, the credentials (proceed to the next section).

   - Click Later to register at a later time and close the application registration dialog.

   - Click Never to disable single sign-on functions for this application and close the application registration dialog. The application will be added to the blacklist. For more information about managing the blacklist, see Blacklist [page 43].

3. If the E-SSO Learning Wizard is not automatically launched, you can open the wizard either:

   - Via the Local Management Console, see Local Management Console (LMC) [page 8]: select Applications from the left pane of the dialog and click [icon]. You can also right-click Applications on the left pane of the Local Management Console and select Add in the context menu.

   - Via the system tray: Right-click the Enterprise Single Sign-On icon in the system tray and select Register New application.

Disable E-SSO Learning Wizard

To disable the E-SSO Learning Wizard, right-click the Enterprise Single Sign-On icon in the system tray and click Disable E-SSO Learning Wizard in the context menu.

2.3.2 Register a New Application

Use

If you intend to use Enterprise Single Sign-On for a Windows application (for example, Skype), you will first need to register the application. The E-SSO Learning Wizard is an Enterprise Single Sign-On component that helps you register and update Windows application controls.

Procedure

1. Open the E-SSO Learning Wizard. See Open E-SSO Learning Wizard [page 11].


2. The Welcome to the E-SSO Learning Wizard dialog appears. Select Register a New Application and click Next.

3. The Select Window Function dialog appears: Select Login Dialog and click Next.


4. The Select the login dialog you want to register dialog appears: Drag the Select Dialog icon to the Windows application dialog that you want to register and click Next.

5. The logon parameters dialog appears displaying the Field icon next to each logon parameter:

6. If the application logon dialog has only one field, select Check if login dialog has only one password field.

7. Drag the Field icon for each logon parameter to the specific field in the application dialog that you want to register.

   The User Name, Password and Submit (OK) Button are required fields. For logon dialogs with only one password field, the Password and Submit (OK) Button are required fields.

8. The logon fields in the application will be highlighted and a checkmark icon is displayed next to the parameter to confirm that it has been linked. If you link the incorrect field, you can click the remove icon to remove the link.

9. Click Next.


10. The Enter Credentials dialog appears:

11. The Application field displays the name of the application.

12. In the succeeding fields, either:

    - Select a credential that has been previously added (for example, you use the same user name and password for Skype, Yahoo and company intranet) in the Credential name field. The entries for the User Name and Password fields will be automatically entered.

    Or…

    - Add a new credential by entering information into the Credential name, User Name or Password fields.

13. In the Preferences area:

    - Click Automatic login if you want to be automatically logged into the application when it is launched.

    - During first time registration, the Default Credential is selected and cannot be edited; this option will be enabled if you add another credential to this application.

14. Click Next.

While entering information in this dialog is optional, Enterprise Single Sign-On will require you to link a credential to the application. You can do this by performing any of the following actions:

- Modify the application and link it to a credential. See View and Edit Single Sign-On Options for an Application [page 27].

- Add a new credential and link it to the application. See Add a New Credential [page 29].

- Modify a credential and link it to the application. See View and Edit Credential Details [page 32].

When you launch a registered application, Enterprise Single Sign-On automatically detects if the application is not linked to a credential. Click Yes to add a credential for the application:


15. The completion dialog appears; click Finish to close the dialog. The application and, optionally, the credentials are now registered to Enterprise Single Sign-On and are displayed on the Local Management Console. You can now use single sign-on to log on to this application. For more information, see Log In to a Windows Application [page 60].

16. To add another credential to an application, follow step 2 of this section. You are prompted with a message asking if you want to update the application. Click Yes then proceed with the rest of the steps in this section.

2.3.3 Register a Password Change Dialog

Use

Register password change dialogs. This section is only applicable for applications already registered with Enterprise Single Sign-On.

Procedure

1. When an application password change dialog is launched, Enterprise Single Sign-On detects if the application requires registration. Enterprise Single Sign-On automatically launches the E-SSO Learning Wizard:

   - Click Yes to register the password change dialog and, optionally, change the credentials (proceed to step 6).

   - If the E-SSO Learning Wizard is not automatically launched, you can open the wizard via the system tray: Right-click the Enterprise Single Sign-On icon in the system tray and select Register New application.

2. The Welcome to the E-SSO Learning Wizard dialog appears. Select Register a New Application and click Next.

3. The Select Window Function dialog appears. Select Change Password Dialog and click Next.


4. The Select the Login Dialog you want to register dialog appears:

5. Drag the Select Dialog icon to the password change dialog that you want to register and click Next.

6. The logon parameters dialog appears displaying the Field icon next to each logon parameter:

7. Drag the Field icon for each logon parameter to the specific field in the application dialog that you want to register.

8. The logon fields in the application will be highlighted and a checkmark icon is displayed next to the parameter to confirm that it has been linked. If you link the incorrect field, you can click the remove icon to remove the link.

9. Click Next.

10. The Enter the New and Confirmation Password dialog appears; the old password is entered by default:

11. In the Manual Change Password area, optionally enter a new password into the New Password and Confirm Password fields to change your password now.

12. The Auto Change Password area deals with future password changes. The following options are available:

Option: Automatically change password in the future

Description: E-SSO automatically generates a new password every time the application password change dialog is launched.

To enable this option:

1. In the Auto Change Password area, check the option Auto password change in future.

2. The drop-down menu Select Password Policy appears. Select the password policy for this credential. For more information on password policies, see Policies [page 39].

Option: Inform me of automatic password changes

Description: If you select this option, a message dialog is displayed every time E-SSO automatically generates a new password.

To enable this option:

1. In the Auto Change Password area, check the option Notify me of auto password changes.

2. The option Automatically change password in the future will also be enabled. If you have not selected the password policy for this credential, do it now.

13. After selecting the options, click Next. If you have entered a new password in the Manual Change Password area, proceed to the next step. If you have not entered a new password, proceed to step 15.

14. If you have entered a new password in the previous dialog, you are prompted to confirm if the password has been validated by the application. Click Next to confirm or Failed to go back to the previous dialog and enter a new password.

15. The completion dialog appears; click Finish to close the dialog. The password change dialog and, optionally, the credentials are now registered to Enterprise Single Sign-On and are displayed on the Local Management Console. You can now continue using single sign-on to log on to this application. For more information, see Log In to a Windows Application [page 60].

2.3.4 Register a Predefined Application

Use

Enterprise Single Sign-On has built-in predefined applications (for example, Yahoo Messenger and Google Talk). You have to define the credentials for the specific applications that you want to use.

Prerequisites

For System Administrators: Use a predefined applications file to distribute applications to Enterprise Single Sign-On. To start using the predefined applications, the application definition should be added to the predefined application file.

Procedure

1. Open the E-SSO Learning Wizard. See Open E-SSO Learning Wizard [page 11].

2. The Welcome to the E-SSO Learning Wizard dialog appears. Select Register a Predefined Application and click Next.

3. The Select the predefined application dialog appears.

4. Select the predefined application that you want to define and link to a credential, click Next, and proceed to step 6.

5. For System Administrators: The Select the predefined application dialog allows you to perform the following actions:

Option: Add

Description: Register and store the predefined application definition in the predefined application file. Click Next and proceed to the next step.

Option: Export

Description: Export a predefined application file from the default location to another location (for example, <C:\\temp\admin.pda>). Click Cancel to exit the dialog.

Option: Import

Description: Copy a predefined application file from another location (for example, <C:\\temp\admin.pda>) to the predefined application file location. Click Cancel to exit.

By default, the PDA files are stored, exported from and imported to %ALLUSERSPROFILE%\SAP\Signon\Predef\PreDefAp.pda.

6. The Enter Credentials dialog appears:

7. In the Login info area:

The Application field displays the name of the application.

In the next fields, either:

Select a credential that has been previously added from the drop-down box (recommended if you use the same user name and password for more than one application) in the Credential name field. The entries for the User Name and Password fields will be automatically entered. Or…

Add a new credential by entering information into the Credential name, User Name or Password fields.

8. In the Preferences area:

Click Automatic login if you want to be automatically logged into the application when it is launched.

During first time registration, the Default Credential is selected and cannot be edited; this option will be enabled if you add another credential to this application.

9. Click Next.

While entering information in this dialog is optional, Enterprise Single Sign-On will require you to link a credential to the application. You can do this by performing any of the following actions:

Modify the application and link it to a credential. See View and Edit Single Sign-On Options for an Application [page 27].

Add a new credential and link it to the application. See Add a New Credential [page 29].

Modify a credential and link it to the application. See View and Edit Credential Details [page 32].

When you launch a registered application, Enterprise Single Sign-On automatically detects if the application is not linked to a credential. Click Yes to add a credential for the application:

10. The completion dialog appears. Click Finish to close the dialog. The application and, optionally, the credentials are now registered to Enterprise Single Sign-On and can be viewed, edited or removed via the Local Management Console.

2.3.5 Register a Terminal Emulator Application

Use

Enterprise Single Sign-On automatically detects a terminal emulator application logon dialog and launches the wizard to register for single sign-on use.

Procedure

1. Launch the terminal emulator application and connect to the server.

2. When a terminal emulator application logon dialog is launched, Enterprise Single Sign-On detects that the application requires registration. Enterprise Single Sign-On automatically launches the E-SSO Learning Wizard:

3. The application registration dialog allows you to perform the following:

Click Register to register the terminal emulator application and, optionally, the credentials (proceed to the next step).

Click Later to register at a later time and close the application registration dialog.

Click Never to disable single sign-on functions for this application and close the application registration dialog. The application will also be added to the blacklist. For more information on managing the blacklist, see Blacklist [page 43].

4. The Enter Credentials dialog appears:

5. The Application field displays the name of the application.

6. The Host field displays the IP address of the server.

7. You can optionally enter information in the succeeding fields; to do this, either:

Select a credential that has been previously added (for example, you use the same user name and password for Skype, Yahoo and company intranet) in the Credential name field. The entries for the User Name and Password fields will be automatically entered. Or…

Add a new credential by entering information into the Credential name, User Name or Password fields.

8. In the Terminal Application Install Path area, click the button. The file explorer dialog appears:

9. Locate the folder where the terminal emulator application installer is located (for example, <C:\Program Files\PASSPORT>) and click OK.

You need to specify the exact location of the installation package. Otherwise, you cannot successfully register the application.

10. The Enter Credentials dialog re-appears; click Finish to complete the configuration. You can now use single sign-on to log on to this terminal emulator application. For more information, see Register a Terminal Emulator Application [page 22].

2.3.6 Register IBM Personal Communicator for an IBM Series System

Use

This section details how to register IBM Personal Communicator for an IBM Series System for E-SSO.

Prerequisites

For System Administrators: There is a scenario when the host is not displayed on the IBM iSeries status bar on the bottom of the logon dialog. If this scenario occurs, perform the following operations on the client and server.

1. On the server:

Add the ADM file Signon.adm from the Enterprise Single Sign-On package.

Configure the parameters of the terminal emulator host as follows:

One of the hosts should reference the hostname or IP address that the user will be connecting to (for example, the first host is referenced as Pub1.rzkh.de).

One of the hosts should reference ‘*’ as the Hostname. This is important for scenarios when the host is not displayed on the IBM iSeries status bar on the bottom of the logon dialog (for example, the second host is referenced as ‘*’).

Run the command gpupdate /force to apply the policy to the client.

For more information about terminal emulator host configuration, see the Enterprise Single Sign-On Installation and Configuration Guide.

2. On the client computer: Make sure that the settings have been properly configured prior to registration and the Host Terminal for AS/400 is configured in the Registry Editor, folder HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\signon\Terminal:

Procedure

1. Start a new session on IBM Personal Communications. In the Configuration dialog, select the appropriate host and click OK. In the Account Information dialog, type the appropriate logon.

2. Enterprise Single Sign-On detects if the application requires registration. Enterprise Single Sign-On automatically launches the E-SSO Learning Wizard:

Click Register to register IBM Personal Communications.

Click Later to register at a later time and close the application registration dialog.

Click Never to disable single sign-on functions for this application and close the application registration dialog. The application will also be added to the blacklist. For more information on managing the blacklist, see Blacklist [page 43].

3. The Enter Credentials dialog appears:

4. The Application field displays the name of the application.

5. You can optionally enter information in the succeeding fields; to do this, either:

Select a credential that has been previously added in the Credential name field. The entries for the User Name and Password fields will be automatically entered. Or…

Add a new credential by entering information into the Credential name, User Name or Password fields.

6. Click Finish.

7. The first logon dialog is successfully registered.

8. Enterprise Single Sign-On will now detect the second logon dialog:

In the scenario displayed in the figure above, the string I902 is displayed on the bottom of the dialog. Enterprise Single Sign-On therefore detects the host with the Hostname ‘*’.

Click Register to register IBM Personal Communications.

Click Later to register at a later time and close the application registration dialog.

Click Never to disable single sign-on functions for this application and close the application registration dialog. The application will also be added to the blacklist. For more information on managing the blacklist, see Blacklist [page 43].

9. The Enter Credentials dialog appears:

10. The Application field displays the name of the application.

11. You can optionally enter information in the succeeding fields; to do this, either:

Select a credential that has been previously added in the Credential name field. The entries for the User Name and Password fields will be automatically entered. Or…

Add a new credential by entering information into the Credential name, User Name or Password fields.

12. In the Terminal Application Install Path area, click the button. Locate the folder where the terminal emulator application installer is located and click OK.

You need to specify the exact location of the installation package. Otherwise, you will not be able to successfully register the application.

13. Click Finish. The IBM Personal Communicator displays that the logon is successful.

14. You can now exit the window. You are prompted to save the session. It is recommended that you save the session for future logons.

2.3.7 View and Edit Single Sign-On Options for an Application

Use

View and edit an application entry.

Procedure

1. Open the Local Management Console (see Local Management Console (LMC) [page 8]) and select Applications from the left pane of the dialog. All registered applications are displayed in the right pane of the dialog.

2. To view single sign-on options for an application, either:

Double-click the application entry in the right pane, or…

Expand the Windows, Web and/or Terminal Emulator nodes in the left pane to display applications according to type and select the specific application.

3. The right pane displays application-specific details:

4. To edit the single sign-on options for an application, click . The following options appear:

Option: Detail area (for Windows and Web applications)

Description:

Application name: To edit, click the application name. A blinking cursor indicates that you can edit the application name.

Enabled: Check this option to allow the E-SSO functions to run on the selected application.

Auto Logon: Check this option to facilitate an automatic application logon without having to click the submit button.

Auto Change Password: When the password change dialog is launched, the system automatically generates a new password.

Notify me of Auto Password Changes: If you select this option, a message dialog is displayed every time E-SSO automatically generates a new password.

Apply Password Policy: Check this box if you want to apply a password policy to this application, and select the policy from the drop-down menu. By default, the Windows password policy is applied to Windows applications and the Web password policy is applied to Web applications. For more information on password policies, see Policies [page 39].

Terminal application install path (for terminal emulator applications only): To change the install path, click the button. Locate the folder where the terminal emulator application installer is located (for example, <C:\Program Files\PASSPORT>) and click OK.

Option: Linked Credentials area

Description:

The Linked Credentials area displays the list of credentials that are linked to the selected application. If the selected application does not have any credentials linked to it, the Name field is blank.

Name: Name of the credentials that are linked to the selected application.

Default: If there is only one credential linked to the selected application, this is the default credential. If there is more than one credential linked to the selected application, check the Default box corresponding to the credential that you want to assign as default.

Link icon: Use this icon to link the selected application to a credential.

Unlink icon: Select the credential that you want to unlink from the Name list and click the Unlink icon. The credential that you have unlinked is removed from the Name list.

5. Click Apply to save the changes.

2.4 Credentials

The following information appears when you click the Credentials node:

If you expand Credentials in the left pane of the Local Management Console, all credentials stored within Enterprise Single Sign-On are displayed. Click the Credentials node to display the following credential details in the right pane:

Details      Description
Name         Displays the credential names
User Name    Displays the User Name for each credential

If you click the credential entry (either in the left or right pane), the right pane displays the following details of the registered credentials:

Parameter: Detail area

Description:

Name: A name that defines the credential.

User Name: User name of the credential. The field next to User Name defines the key that terminates the User Name field.

Password: Password for the credential. The field next to Password defines the key that terminates the Password field.

Parameter 1/Parameter 2/Parameter 3: These are optional fields for additional credential parameters other than user name and password.

Protected entry: If checked, the entry is protected from being deleted from the smart card or soft token.

Hidden entry: If checked, you cannot use the credential for drag & drop. This parameter is checked by default.

If you modify and uncheck this parameter, the credential entry is categorized as a drag & drop credential. For more information on the drag & drop feature, see Drag & Drop Credentials [page 34].

Parameter: Linked Applications area

Description:

The Linked Applications area shows the list of applications to which the selected credential is linked.

Link icon: Use this icon to link the selected credential to an application.

Unlink icon: Select the application that you want to unlink from the Name list and click the Unlink icon. The credential that you have unlinked is removed from the Name list.

The Credentials node and subnodes allow you to perform the following actions:

Click to add a credential. You can also right-click Credentials on the left pane of the Local Management Console and select Add in the context menu. For more information, see Add a New Credential [page 31].

Click to modify credential details (applied to subnodes). For more information, see View and Edit Credential Details [page 32].

Click or press Del on your keyboard to delete a credential. You can also right-click the credential that you want to delete on the left pane of the Local Management Console and select Delete in the context menu.

2.4.1 Add a New Credential

Use

Credentials are normally added in the E-SSO Learning Wizard during application registration (see Register a New Application [page 12]). However, you may need to add a credential prior to application registration if you are going to link it to several applications (for example, you want to link the same credential to Skype, Yahoo, and company intranet).

Procedure

1. Open the Local Management Console (see Local Management Console (LMC) [page 8]), select Credentials from the options in the left pane of the dialog and click . You can also right-click Credentials on the left pane of the Local Management Console and select in the context menu.

2. The New Credential dialog appears.

Enter credential parameters (see Credentials [page 29]).

3. In the Linked Applications area, use the following buttons to link and unlink applications and credentials:

Add: Select the application from the Available Applications box and click the Add button.

Remove: Select the application from the Linked Applications box and click the Remove button.

4. Click OK to save changes.

2.4.2 View and Edit Credential Details

Use

View and edit credential options.

Procedure

1. Open the Local Management Console (see Local Management Console (LMC) [page 8]) and select Credentials from the left pane of the dialog. All existing credentials are displayed in the right pane of the dialog.

2. To view credential information, click the credential entry (either on the left or right pane).

3. The dialog displays specific credential details:

4. Select the credential entry to be edited from the left or right pane, and click .

5. The Edit Credential dialog appears:

For more information on these credential parameters, see Credentials [page 29].

6. To change the single sign-on password, click the Modify button.

7. You are prompted to enter your PIN. Enter your PIN and click OK.

8. The Modify Password dialog appears:

9. Enter your new password into the New Password and Confirmation fields and click OK.

10. The Edit Credential dialog re-appears. Click the Apply button to save the changes.

2.5 Drag and Drop Credentials

The following information appears when you click the Drag & Drop Credentials node:

If you expand Drag & Drop Credentials in the left pane of the Local Management Console, all the Drag & Drop Credentials stored within Enterprise Single Sign-On are displayed. Click the Drag & Drop Credentials node to display the following credential details in the right pane:

Details      Description
Name         Displays the drag & drop credential names
User Name    Displays the user name for each drag & drop credential

If you click the drag & drop credential entry (either in the left or right pane), the right pane displays the following details of the registered Drag & Drop Credentials:

Parameter: Detail area

Description:

Name: A name that defines the drag & drop credential.

User Name: User name of the drag & drop credential. The field next to User Name defines the key that terminates the User Name field.

Password: Password for the drag & drop credential. The field next to Password defines the key that terminates the Password field.

Parameter 1/Parameter 2/Parameter 3: These are optional fields for additional drag & drop credential parameters other than user name and password.

Protected entry: If checked, the entry is protected from being deleted from the smart card or soft token.

Hidden entry: This parameter is unchecked by default.

If you modify and check this parameter, the credential entry is categorized as a regular credential and you cannot use the credential for drag & drop. For more information on credentials, see Credentials [page 29].

Parameter: Linked Applications area

Description:

The Linked Applications box shows the list of applications to which the selected drag & drop credential is linked.

The Credentials node and subnodes allow you to perform the following actions:

Click to create a new credential. You can also right-click Credentials on the left pane of the Local Management Console and select Add in the context menu. For more information, see Add a New Drag and Drop Credential [page 36].

Click to modify credential details (applied to subnodes). For more information, see View and Edit Drag and Drop Credential Details [page 37].

Click or press Del on your keyboard to delete a credential. You can also right-click the credential that you want to delete on the left pane of the Local Management Console and select Delete in the context menu.

Use the (User Name), (Password), (Parameters) and (Drag & Drop Credentials) icons for single sign-on to special applications and Websites. For more information, see Log In to Special Applications Using the Drag & Drop Feature [page 62].

Click in the Linked Applications area to link an application to the selected credential.

To unlink an application from the selected credential, select the application in the Linked Applications area and click .

2.5.1 Add a New Drag and Drop Credential

Use

Add a new drag and drop credential.

Procedure

1. Open the Local Management Console (see Local Management Console (LMC) [page 8]), select Drag & Drop Credentials from the options in the left pane of the dialog and click . You can also right-click Drag & Drop Credentials on the left pane of the Local Management Console and select in the context menu.

2. The New Credential dialog appears:

Enter credential parameters (see Drag & Drop Credentials [page 34]).

You cannot uncheck the Hidden entry option.

3. In the Linked Applications area, use the following buttons to link and unlink applications and credentials:

Add: Select the application from the Available Applications box and click the Add button.

Remove: Select the application from the Linked Applications box and click the Remove button.

4. Click OK to save changes.

2.5.2 View and Edit Drag and Drop Credential Details

Use

View and edit drag and drop credential options.

Procedure

1. Open the Local Management Console (see Local Management Console (LMC) [page 8]) and select Drag & Drop Credentials from the left pane of the dialog. All existing Drag & Drop Credentials are displayed in the right pane of the dialog.

2. To view drag & drop credential information, click the drag & drop credential entry (either on the left or right pane).

3. The dialog displays specific drag & drop credential details:

4. Select the drag & drop credential entry to be edited from the left or right pane, and click .

5. The Edit Credential dialog appears:

For more information on these drag & drop credential parameters, see Drag & Drop Credentials [page 34].

6. To change the single sign-on password, click the Modify button.

7. You are prompted to enter your PIN. Enter your PIN and click OK.

8. The Modify Password dialog appears:

9. Enter your new password into the New Password and Confirmation fields and click OK.

10. The Edit Credential dialog re-appears. Click the Apply button to save the changes.

2.6 Policies

The following information appears when you click the Policies node:

If you expand Policies in the left pane of the Local Management Console, it displays the Password Policies subnode.

If you expand the Password Policies subnode, all the password policies stored within Enterprise Single Sign-On are displayed on the left and right panes. By default, the Microsoft Windows Password Policy is applied to Windows applications and the Web Password Policy is applied to Web applications/Websites.

The Policies node and subnodes allow you to perform the following actions:

Click to add a password policy. You can also right-click Password Policies on the left pane of the Local Management Console and select Add in the context menu. For more information, see Add a New Policy [page 40].

Click to modify the values of the password policy attributes. For more information, see Edit the Attributes of a Password Policy [page 41].

Click or press Del on your keyboard to delete a password policy. You can also right-click the policy that you want to delete on the left pane of the Local Management Console and select Delete in the context menu.

Click to create a password policy file <*.PLC> to be imported to the Enterprise Single Sign-On Management Console (coming soon).

2.6.1 Add a New Password Policy

Use

Add a new password policy.

Procedure

1. Open the Local Management Console (see Local Management Console (LMC) [page 8]), select Policies > Password Policies from the options in the left pane of the dialog and click .

2. The New Policy dialog appears prompting you to enter a policy name:

3. Enter a policy name to describe the new password policy and click OK.

4. The dialog displays specific policy attributes:

5. The password attributes of the new policy are set with default values. To modify the values of these attributes, click . See Edit the Attributes of a Password Policy [page 41] for details on how to edit the attributes of a password policy.


2.6.2 Edit the Attributes of a Password Policy

Use

Edit the attributes of a password policy.

Procedure

1. Open the Local Management Console (see Local Management Console (LMC) [page 8]), select Policies > Password Policies from the options in the left pane of the dialog. To view the password policy attributes, click the password policy entry on the left pane or double-click the entry in the right pane.

2. The dialog displays specific policy attributes. Click .

3. The dialog displays the fields in editable mode:

The following attributes are available and can be edited:

Attribute: Password length
Value: min,max
Details: Enter allowed min value. Enter allowed max value. The system automatically sets the maximum password length if the sum of all minimum values of the character sets is greater than the entered maximum password length.

Attribute: Upper case characters [A,Z]; Lower case characters [a,z]; Number characters [0,9]; Special characters
Value: Forbidden/Allowed/Mandatory, min
Details: A character set may be forbidden, allowed or mandatory:
Forbidden – User cannot use any character in this character set for the password.
Allowed – User can optionally use any character in this character set for the password.
Mandatory – User is required to use characters in this character set for the password. If Mandatory is selected, enter the minimum number of characters required for the character set.

Attribute: Allowed special characters
Value: All special characters in the English keyboard
Details: User can use any special character entered in this string. The following special characters are allowed: !@#$%^&*()_-+=?><,./:;'~`\|{}[]

Attribute: Begin with uppercase character
Value: Enabled/Disabled
Details: If this attribute is enabled, the user is required to enter a password that begins with an uppercase character.

Attribute: Allow sequential characters
Value: Enabled/Disabled
Details: If this attribute is enabled, the user can enter a password that contains an ordered list of ASCII characters (for example, 1234 and ABCD).

Attribute: Allow duplicate characters
Value: Enabled/Disabled
Details: If this attribute is enabled, the user can use a duplicate character (not case sensitive) in the password (for example, ACDA contains duplicate characters and ACDa does not).

Attribute: Allow repeated characters
Value: Enabled/Disabled
Details: If this attribute is enabled, the user can use a consecutively repeated character in the password (for example, AA19 contains repeated characters and A19A does not).

4. Click the Apply button to save the changes. You can now link this password policy to an application. For more information, see Register a Password Change Dialog [page 16].
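The password policy attributes listed in this section, written out as a small Python checker so the interaction between the rules can be tested. This is an added example, not code from SAP or from Enterprise Single Sign-On. The class and function names, the default values, the run length that counts as sequential (3, ascending only), rejecting characters outside the four sets, and raising the maximum length to the sum of the mandatory minimums are assumptions; duplicates are compared exactly so that the result matches the ACDA/ACDa examples.

```python
from dataclasses import dataclass, field
import string

# Special characters the page lists for the "Allowed special characters" attribute.
PAGE_SPECIALS = "!@#$%^&*()_-+=?><,./:;'~`\\|{}[]"
FORBIDDEN, ALLOWED, MANDATORY = "forbidden", "allowed", "mandatory"


@dataclass
class CharSetRule:
    mode: str = ALLOWED  # forbidden / allowed / mandatory
    minimum: int = 0     # used only when mode is mandatory


@dataclass
class PasswordPolicy:
    # Default values are assumptions; the page does not list the product defaults.
    min_length: int = 8
    max_length: int = 16
    upper: CharSetRule = field(default_factory=CharSetRule)
    lower: CharSetRule = field(default_factory=CharSetRule)
    digit: CharSetRule = field(default_factory=CharSetRule)
    special: CharSetRule = field(default_factory=CharSetRule)
    allowed_special: str = PAGE_SPECIALS
    begin_with_uppercase: bool = False
    allow_sequential: bool = False
    allow_duplicate: bool = True
    allow_repeated: bool = False
    sequence_run: int = 3  # assumed threshold; the page only gives 1234 and ABCD

    def char_sets(self):
        return {
            "upper": (self.upper, string.ascii_uppercase),
            "lower": (self.lower, string.ascii_lowercase),
            "digit": (self.digit, string.digits),
            "special": (self.special, self.allowed_special),
        }

    def effective_max_length(self):
        # Assumption: when the mandatory minimums add up to more than the
        # entered maximum, the maximum is raised to that sum.
        needed = sum(max(rule.minimum, 1)
                     for rule, _ in self.char_sets().values()
                     if rule.mode == MANDATORY)
        return max(self.max_length, needed)


def has_sequence(password, run):
    """True if `run` or more characters ascend by one code point (1234, ABCD)."""
    streak = 1
    for prev, cur in zip(password, password[1:]):
        streak = streak + 1 if ord(cur) - ord(prev) == 1 else 1
        if streak >= run:
            return True
    return False


def has_duplicate(password):
    """Same character used twice anywhere; ACDA yes, ACDa no (exact comparison)."""
    return len(set(password)) < len(password)


def has_repeat(password):
    """Same character twice in a row: AA19 yes, A19A no."""
    return any(a == b for a, b in zip(password, password[1:]))


def violations(password, policy):
    """Return the policy attributes the password breaks (empty list = accepted)."""
    found = []
    if not policy.min_length <= len(password) <= policy.effective_max_length():
        found.append("length")
    sets = policy.char_sets()
    for name, (rule, chars) in sets.items():
        count = sum(c in chars for c in password)
        if rule.mode == FORBIDDEN and count:
            found.append(f"{name} forbidden")
        elif rule.mode == MANDATORY and count < max(rule.minimum, 1):
            found.append(f"{name} below minimum")
    permitted = "".join(chars for _, chars in sets.values())
    if any(c not in permitted for c in password):
        found.append("character outside the four sets")  # assumption: rejected
    if policy.begin_with_uppercase and not (
            password and password[0] in string.ascii_uppercase):
        found.append("must begin with uppercase")
    if not policy.allow_sequential and has_sequence(password, policy.sequence_run):
        found.append("sequential characters")
    if not policy.allow_duplicate and has_duplicate(password):
        found.append("duplicate characters")
    if not policy.allow_repeated and has_repeat(password):
        found.append("repeated characters")
    return found


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=8, max_length=12,
                            upper=CharSetRule(MANDATORY, 1),
                            digit=CharSetRule(MANDATORY, 2),
                            special=CharSetRule(FORBIDDEN),
                            begin_with_uppercase=True)
    # Constructed sample passwords, not taken from the page.
    for candidate in ("Tr4v9kLmQz", "abcd1234", "Pass!word11"):
        print(candidate, violations(candidate, policy))
```

Disabling Allow duplicate characters caps the usable password length at the number of distinct permitted characters, so check that setting against the minimum length before applying a policy.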


2.7 Blacklist

Use

A blacklist is a list of applications where single sign-on functions are disabled.

Procedure

The following information appears when you click the Blacklist node:

The Blacklist node allows you to:

View the list of applications and Websites on the blacklist.

Click or press Del on your keyboard to remove an application or Website from the blacklist.

Click to create a blacklist file <*.BLL> to be imported to the Enterprise Single Sign-On Management Console (coming soon).

To add applications and Websites to the blacklist, see Using the E-SSO Learning Wizard to Register and Update Application Controls [page 11] and Register a Website and Credential Information [page 51].


2.8 Authentication

Use

The Authentication node contains the tools for managing your smart card and soft token.

Procedure

Access the following tools via the Authentication node:

Subnode: Soft Token/Smart Card
Description: Allows you to switch the token in use from smart card to soft token or from soft token to smart card. See Token Type Switching [page 45] for more information.

Subnode: Copy Token Contents
Description: Allows you to synchronize the contents of the smart card and the contents of the soft token. See Enterprise Single Sign-On Soft-Token Utility [page 45] for more information.

Subnode: Smart Card > Certificates
Description: Allows you to view certificates on the smart card, install certificates to the certificate store and export certificates to a system folder. For more information, see Certificates [page 49].

Subnode: Soft Token > Import/Export Soft Token
Description:
Export soft token: Export a soft token to a user-defined location from the credential store. For more information, see Export Soft Token [page 47].
Import soft token: Import a soft token from a user-defined location to the credential store. For more information, see Import Soft Token [page 48].

Subnode: Soft Token > Password Options
Description: Troubleshoot soft token-related problems.

2.8.1 Token Type Switching

Use

The Token Switching (Soft Token/Smart Card) feature allows you to change the token in use (for example, switch from a smart card to a soft token or switch from soft token to smart card).

Prerequisites

Windows XP: You need administrator rights to use this feature.

Windows Vista/Windows 7: The User Account Control dialog appears (providing User Account Control is active). To continue the installation process, select the option Allow – I trust this program. I know where it’s from or I’ve used it before. The installation automatically continues.

Procedure

1. To open the Token Type dialog, select Authentication > Token Type on the Local Management Console.

2. The Token Type dialog appears:

3. Select the token type that you want to use and click Apply.

4. You are prompted to restart your system:

5. Click Yes to restart your computer.

When switching from smart card to soft token and you have two smart card readers connected to your computer, you can be prompted with the error Smart card is not available. This happens when the card reader name is changed according to the USB slot number.

If you receive this error message, restart your computer and go to the E-SSO Card Configuration Tool to set the correct smart card reader. See E-SSO Card Configuration Tool [page 63].


2.8.2 Enterprise Single Sign-On Soft-Token Utility

Use

The Enterprise Single Sign-On Soft-Token Utility allows you to synchronize soft token credential entries with smart card credential entries.

Procedure

1. Open the Local Management Console (see Local Management Console (LMC) [page 8]) and select Authentication > Enterprise Single Sign-On Soft-Token Utility from the left pane.

2. You are asked to enter your smart card and/or soft token PIN.

PIN pad users: If smart card authentication is required, you are prompted to enter your smart card PIN using the PIN pad:

3. The Enterprise Single Sign-On Soft Token Utility appears, displaying the credential entries stored on the smart card and soft token:

4. Select the credential entry and click or icon to synchronize a specific entry.

5. Click Refresh to update the list of currently synchronized credential entries.

6. Click Exit to close the dialog.


2.8.3 Import/Export Soft Token (Soft Token Mode)

Use

Export soft token: Export a soft token to a user-defined location from the credential store. For more information, see Export Soft Token [page 47].

Import soft token: Import a soft token from a user-defined location to the credential store. For more information, see Import Soft Token [page 48].

Export Soft Token

1. Open the Local Management Console (see Local Management Console (LMC) [page 8]) and select Authentication > Soft Token > Import/Export Soft Token from the left pane.

2. The Import/Export Soft Token dialog appears:

3. Select Export soft token then click the Browse button.

4. The Select soft token file dialog appears:

Navigate to the folder where the soft token is exported to.

Enter a soft token file name into the File name field and click Open.

5. The Import/Export Soft Token Credentials dialog re-appears displaying the selected soft token file location. Click OK.

6. You are prompted to enter the E-SSO password. See Initial Soft Token Logon [page 7] for information on assigning your E-SSO password.

7. Enter the password and click OK to export the soft token to the specified location.


Import Soft Token

1. Open the Local Management Console (see Local Management Console (LMC) [page 8]) and select Authentication > Soft Token > Import/Export Soft Token from the left pane.

2. The Import/Export Soft Token Credentials dialog appears:

3. Select Import soft token and click the Browse button.

4. The Select soft token file dialog appears:

5. Navigate to the folder and select the soft token to be imported.

6. Click Open.

7. The Import/Export Soft Token Credentials dialog re-appears displaying the selected soft token file location. Click OK.

8. You are prompted to enter the E-SSO password. See Initial Soft Token Logon [page 7] for information on assigning your E-SSO password.

9. Enter the password and click OK to import the specified soft token.


2.8.4 Certificates (Smart Card Mode)

To open the Certificates subnode, select Authentication > Smart Card > Certificates on the Local Management Console. The following information appears when you click the Certificates subnode:

Use this dialog to view certificates, install certificates to the certificate store and export certificates to a system folder. The right pane displays all the certificates stored on the smart card. This dialog allows you to perform the following actions:

Click to view certificates. For more information, see View Certificates [page 49].

Install a certificate into the Microsoft Certificate Store and export a certificate to a system folder. For more information, see Where to Get Other Information [page 50].

2.8.4.1 View Certificates on Smart Card

Use

View and examine certificates.

Procedure

1. Open the Local Management Console (see Local Management Console (LMC) [page 8]) and select Authentication > Smart Card > Certificates from the left pane. All certificates stored on the smart card are displayed in the right pane of the dialog. Select a certificate from the list and click View (you can also double-click the certificate to view it).


2. The Certificates dialog appears:

3. Examine the certificate by clicking the tabs General, Details, and Certificate Path. For more information on these tabs, see the Microsoft proprietary documentation, or click the certificates link at the bottom of the General tab to view online help.

4. Click OK to close the dialog.

2.8.4.2 Where to Get Other Information

View Certificates

For viewing, importing, and exporting certificates under Windows XP, Windows Vista, and Windows 7, see http://www.microsoft.com.

2.9 Enterprise Single Sign-On to Web Applications (Web SSO)

Use

Enterprise Single Sign-On allows you to log on to Web applications or Websites that use a logon dialog (for example, http://mail.yahoo.com/). To allow for this functionality, Enterprise Single Sign-On integrates a toolbar into the Internet browser; the toolbar is automatically activated after completing Enterprise Single Sign-On installation.

Supported Browsers

The following browsers are supported by Web E-SSO:

Internet Explorer (versions 6, 7 and 8)

Firefox (version 3)


2.9.1 Enterprise Single Sign-On Web Toolbar and Icons

Use

To use Enterprise Single Sign-On Web E-SSO, a toolbar is integrated into the browser and is automatically activated after completing Enterprise Single Sign-On installation.

Procedure

When you launch a browser, the Enterprise Single Sign-On Web toolbar is presented on the top right side of the browser:

The Enterprise Single Sign-On Web toolbar allows you to perform the following actions:

Click to launch the Local Management Console. For more information, see Local Management Console (LMC) [page 8].

Click to automatically fill the logon fields. This icon is only enabled if the credentials are stored on your token and if the Automatic Login feature is disabled. For more information, see Using Web E-SSO [page 61].

Click to register the Website for single sign-on. For more information, see Register a Website and Credential Information [page 51].

Click or to enable or disable the Automatic Login feature. The Automatic Login feature allows you to log on to a Website without having to enter the credentials and click the logon button.

Click to view the list of Websites that are registered to Web single sign-on. For more information, see Using Web E-SSO [page 61].

2.9.2 Register a Website and Credential Information

Use

If you intend to use Enterprise Single Sign-On for a Web application or Website (for example, http://mail.yahoo.com/), you first need to register the Website and credential information.

Procedure

1. When you start a Web application for the first time after Enterprise Single Sign-On installation, Enterprise Single Sign-On detects if the Website requires authentication. Enterprise Single Sign-On automatically launches the Web E-SSO registration dialog:


2. Perform any of the following:

Register the Website and credentials (see the next step to proceed).

Click Later to register at a later time and close the Web E-SSO registration dialog.

Click Never to disable single sign-on functions for this application and close the application registration dialog. The application is also added to the blacklist. For more information on managing the blacklist, see Blacklist [page 43].

Depending on the settings set by your system administrator, the Web E-SSO registration dialog may not launch automatically. You can open the dialog by clicking the Enterprise Single Sign-On Web toolbar. Enterprise Single Sign-On launches the Web E-SSO registration dialog:

3. On the Register this webpage area, select any of the following options:

Option: Domain name
Description: Select this option to register the domain (for example, http://yahoo.com). By selecting this option, Enterprise Single Sign-On automatically logs on to a Website, all its sub-domains, and URLs using the same credentials. For example, the same user credentials are used to log on to http://yahoo.com and its sub-domains (http://mail.yahoo.com and http://webmessenger.yahoo.com/).

Option: Fully qualified domain name
Description: Select this option to register the fully qualified domain name or sub-domain (for example, http://mail.yahoo.com). In this case, Enterprise Single Sign-On automatically logs on to a Website and URLs using the same credentials. For example, the user registered sub-domain http://mail.yahoo.com and its respective credentials. Now, if:
The user logs in to URL https://login.yahoo.com/config/login_verify2?&.src=ym, the same credentials will be used to automatically sign in.
The user logs in to domain http://yahoo.com, the user will need to register a new credential (step 1 of this section).

Option: URL
Description: Select this option to register the whole URL without the query string. It is recommended to use this option if you need to register two different URLs with the same domain name and same fully qualified domain name.

To add a domain name, fully qualified domain name, or full URL to the blacklist, select an option from the Register this webpage area and click Never.

4. Enter the credentials. To do this, either:

Select a credential that has been previously added (for example, you use the same user name and password for Skype, Yahoo and company intranet) in the Credential name field. The entries for the User Name and Password fields will be automatically entered. Or…

Add a new credential by entering information into the Credential name, User name or Password fields.

5. Select Automatic Login to enable the Automatic Login feature for this Website and credential.

6. Click Register or OK to save the credential.

7. If the credentials entered are correct, you will be automatically logged in to the Website. You can view, edit and delete the Websites and credentials registered to single sign-on in the Local Management Console. For more information, see the following sections:

To view, edit or delete a Web application or Website, see Applications [page 10].

To view, edit or delete a credential for a Website, see Credentials [page 29].


To register another credential for the same Website: On the Website logon page, click on the Enterprise Single Sign-On Web toolbar. The Web E-SSO registration dialog appears:

Enter credentials as described in step 3 of this section. Select the Use as Default option if you want this credential to be the default login for this Website.

2.9.3 Password Change for a Website

Use

If you intend to use Enterprise Single Sign-On for a Web application or Website (for example, http://mail.yahoo.com/), you will first need to register the Website and credential information.

Procedure

1. When an application password change dialog is launched, Enterprise Single Sign-On detects if the application requires registration. Enterprise Single Sign-On automatically launches the Web E-SSO change password dialog.

2. If the Web E-SSO Change Password dialog is not automatically launched, you can open the dialog by clicking on the Enterprise Single Sign-On Web toolbar.

3. The Web E-SSO Change Password dialog appears:

4. The following options are available:

Manual: Enter a new password into the New Password and Confirm Password fields and click Change.

Automatic: To generate a password based on the defined password policy, select Auto Generate and click Change.

The generated password will be based on the password policy for the application.

5. You can set the password policy by editing the application single sign-on options. See for more information.


2.9.4 How to Activate or Deactivate the Enterprise Single Sign-On Web Toolbar

Use

If you intend to use Enterprise Single Sign-On for a Web application or Website (for example, http://mail.yahoo.com/), you will first need to register the Website and credential information.

Procedure

1. Right-click the command bar at the top right side of the browser.

2. Check or uncheck Enterprise Single Sign-On to activate or deactivate the Enterprise Single Sign-On Web toolbar.

Firefox users: The Web E-SSO plug-in will not be available if you installed Enterprise Single Sign-On before installing Firefox. To enable your Enterprise Single Sign-On Web toolbar, contact your system administrator to install the Web Single Sign-On Firefox Support component.

2.10 Enable or Disable Enterprise Single Sign-On

1. Right-click the Enterprise Single Sign-On icon in the system tray:

2. Select Enable Single Sign-On or Disable Single Sign-On.


2.11 Enable or Disable E-SSO Learning Wizard

1. Right-click the Enterprise Single Sign-On icon in the system tray:

2. Select Disable E-SSO Learning Wizard. Enterprise Single Sign-On will not detect any application that requires E-SSO registration. Alternately, you can select Enable E-SSO Learning Wizard to detect if an application requires E-SSO registration.

Disabling the E-SSO Learning Wizard does not interrupt other single sign-on operations. You can still use Enterprise Single Sign-On for applications that have been previously registered. However, launching unregistered applications will not display the E-SSO Learning Wizard.

You can still register a new application, a pre-defined application or a change password dialog if the E-SSO Learning Wizard is disabled. To do this, right-click the Enterprise Single Sign-On icon in the system tray and click Register New Application in the context menu.

2.12 Log In To or Log Out From Enterprise Single Sign-On (Soft Token Only)

1. Right-click the Enterprise Single Sign-On icon in the system tray:

2. Select Log in to authenticate to E-SSO or Log Out to prevent access to the E-SSO credentials via the Local Management Console as well as credential entry in applications or websites.


3 Usage

3.1 Log on to Windows (Smart Card only)

Log in to Windows using single sign-on. Windows logon applies when you start/restart the system, switch user or log off a user.

You can use either a password credential or a certificate credential when logging on to Windows:

Password credential: Use the password credential to log on to the local account or a domain account.

Certificate credential: Use the certificate credential to log on with a valid certificate stored on the smart card. You will be required to join a domain when using the certificate credential.

3.1.1 Log on to Windows XP

Use

Log on to Windows XP using single sign-on.

Prerequisites

Make sure that the smart card has been enabled for Windows XP Logon. For more information on initializing smart cards for E-SSO, see the Enterprise Single Sign-On Installation and Configuration Guide.

Procedure

1. After starting your system, the Welcome to Windows dialog appears:

2. Insert your smart card.

3. The Unlock Computer dialog appears:

4. Enter your PIN into the PIN field.


5. To log on with certificate credential, select Log on with certificate on the bottom left of the dialog.

6. Click OK. You will now be logged in to Windows.

3.1.2 Log on to Windows Vista or Windows 7

Use

Log on to Windows Vista or Windows 7 using single sign-on.

Prerequisites

Make sure that the smart card has been enabled for Windows Vista or Windows 7 Logon. For more information on initializing smart cards for E-SSO, see the Enterprise Single Sign-On Installation and Configuration Guide.

Procedure

1. After starting the system, the Welcome to Windows dialog appears:

If you have not yet inserted your smart card, do it now.

Click the Switch User button or press the ESC key on your keyboard.

2. The Windows logon options appear:

The following logon options are available:

Option: Microsoft Vista logon tile
Description: Use this icon if you intend to log on without using the smart card.

Option: Logon with smart card (certificate credential)
Description: Use the certificate credential to log on with a valid certificate stored on the smart card. A certificate icon is displayed on the tile to indicate logon with certificate credential. You will be required to join a domain when using the certificate credential.

Option: Logon with smart card (password credential)
Description: Use the password credential to log on to the local account or a domain account. You are prompted to enter PIN and a domain name to log on.

Depending on the policy settings defined by the system administrator, you might not see all the tiles for the Vista logon. It is possible that you can only log on with a smart card.

3. Depending on the option that you have selected, you are prompted to enter the following information:

Certificate credential: Enter your token PIN and click to log on to Windows.

Password credential: Enter your token PIN and the domain name. Click to log on to Windows.

4. You will now be logged in to Windows.

3.2 Log on to Citrix Presentation Server

Use

To use Enterprise Single Sign-On in a Citrix environment, simply start the Citrix ICA Client and use Enterprise Single Sign-On as usual.

This version of Enterprise Single Sign-On only supports soft token for Citrix use.

Prerequisites

System Administrator: Make sure that all preparation steps have been completed prior to using Enterprise Single Sign-On in the Citrix environment. For more information, see the Enterprise Single Sign-On Installation and Configuration Guide.


3.3 Log on to a Windows Application

Use

Log on to Windows, Java, and terminal emulator applications.

Procedure

To use single sign-on for Windows applications, either:

Start the application and you are automatically logged in. Or…

If the Select a credential to login dialog appears, select the credential from the drop-down menu and click OK:

Depending on the policy settings defined by the system administrator, you might not see the Select Credential dialog. System administrators can enable this feature via the ShowCedentialDialog policy setting in the signon.adm file (via Group Policy Editor). For more information, see the Enterprise Single Sign-On Installation and Configuration Guide.

PIN pad users: If smart card authentication is required, you are prompted to enter your smart card PIN using the PIN pad:

3.4 Log on to IBM Personal Communicator

Use

Log on to IBM Personal Communicator.

Prerequisites

Make sure that you have registered IBM Personal Communicator with E-SSO and linked its credentials before proceeding with this section. For more information on how to get started with IBM Personal Communicator, see Register IBM Personal Communicator for an IBM Series System [page 23].

Procedure

To use single sign-on for IBM Personal Communicator, simply launch the application, select the previously saved profile and click Start:


3.5 Using Web E-SSO

Use

Log on to a Website using Web single sign-on.

Prerequisites

Make sure that you have registered the Website with E-SSO and linked its credentials before proceeding to this section. For more information on how to get started with Web E-SSO, see Enterprise Single Sign-On Web Single Sign-On (Web E-SSO) [page 50].

Procedure

1. Open Internet Explorer or Firefox. The following are options on browsing a Website:

Type the URL into the Address bar.

On the Enterprise Single Sign-On Web toolbar, click to view the list of Websites that are registered to Web single sign-on. Select the Website that you want to log on to.

2. The Website is now launched.

If the Automatic Login feature is enabled, you are automatically logged on to the Website. The icon indicates that the feature is enabled.

If the logon credentials are not displayed, click .

If Automatic Login is disabled, click the Submit button. The icon indicates that the feature is disabled. You will now be logged in to the Website.


3.6 Log on to Special Applications Using the Drag & Drop Feature

Use

The drag & drop feature is provided to allow single sign-on to applications or Websites that cannot be registered to Enterprise Single Sign-On.

Prerequisites

Make sure that you have registered the Website and linked its credentials to the Website before proceeding to this section. For more information on how to get started with Web E-SSO, see Drag & Drop Credentials [page 34].

Procedure

1. Open or browse to the logon dialog or logon page of the application or Website.

2. You can use the drag & drop feature via the Local Management Console or the Drag & Drop Credentials dialog:

Local Management Console: Display the details pane of the credential that is linked to the special Website by expanding the Drag & Drop Credentials node in the Local Management Console (for more information, see Drag & Drop Credentials [page 34]).

Drag & Drop Credentials dialog: Right-click the Enterprise Single Sign-On icon in the system tray and click Drag & Drop Credentials in the context menu:

3. The Drag & Drop Credentials dialog appears:

4. The following are options on using the drag & drop feature:

Individually drag & drop , and to the corresponding logon fields (via the Drag & Drop Credentials dialog or Local Management Console) and click the corresponding logon or submit button.

Collectively drag all logon parameters using the (via Local Management Console) or (via the Drag & Drop Credentials dialog) to the first logon field.


3.7 E-SSO Card Configuration Tool

Use

If you have more than one smart card reader connected and you intend to use them with Enterprise Single Sign-On, you must use the E-SSO Card Configuration Tool to define the card reader. You can configure the card reader any time after installing Enterprise Single Sign-On.

Procedure

1. Start the E-SSO Card Configuration Tool as follows:

   - Windows XP: Start > All Programs > SAP > signon > E-SSO Card Configuration Tool
   - Windows Vista and Windows 7: Windows logo > All Programs > SAP > signon > E-SSO Card Configuration Tool

2. The E-SSO Card Configuration Tool dialog appears:

   - The active card reader configuration is listed in the upper field Current Configuration.
   - Click Refresh to update the list of currently connected card readers in the Available PC/SC smart card readers combo-box.
   - Enable Favour readers with inserted smart card if you want to view only those readers that currently have a smart card inserted in them (click Refresh first!).
   - Click Reset in the lower left corner to erase the active settings.

3. Select the card reader you want to use with Enterprise Single Sign-On and click OK. The E-SSO Card Configuration Tool dialog closes.

4. To complete card reader configuration:

   - Windows XP: Restart your system.
   - Windows Vista and Windows 7: Log off and log back in to the system.


4 Additional Information

4.1 Soft Token Troubleshooting

Use

The Soft Token Password Reset is an Enterprise Single Sign-On feature that helps you troubleshoot soft token-related problems.

Procedure

1. To open the Soft Token Password Reset tool, either:

   - Select Authentication > Soft Token > Password Options on the Local Management Console.
   - Right-click the Enterprise Single Sign-On icon in the system tray and click Password Options in the context menu:

2. The Soft Token Password Reset dialog appears:

3. The following options are available:

| Option | Description |
| --- | --- |
| Reset E-SSO password | Use this option to reset your E-SSO password if it has been forgotten. For more information, see Reset the E-SSO Password [page 65]. |
| Change E-SSO password | Use this option to change your E-SSO password if it has been compromised or company policy dictates that you change your PIN on a regular basis. For more information, see Change Soft Token Unlock (SSO password) [page 66]. |
| Change Question Answer for E-SSO Password Reset | Use this option to change your question and answer/pass phrase that was defined along with the initial E-SSO password (see Initial Soft Token Logon [page 7]) if it has been compromised or company policy dictates that you change your pass phrase on a regular basis. The answer should always be at least 8 characters. For more information, see Change Security Question [page 66]. |
| Disable/Enable Automatic Logon to E-SSO | You can either enable or disable automatic logon to the Enterprise Single Sign-On application after logging into Windows. If you disable automatic logon, you are required to enter the E-SSO password after Windows logon. This provides a higher level of security. If you enable automatic logon, you are not required to enter the E-SSO password after Windows logon. The password will be protected via the Windows Data Protection API (DPAPI). The Enter E-SSO Password dialog appears whenever you enable or disable automatic logon to E-SSO. Enter your current E-SSO password to confirm the changes. |
| Exit | Clicking Exit closes the Soft Token Password Reset dialog. |

4.1.1 Reset the E-SSO Password

Use

Reset the E-SSO password. This applies to the soft token only.

Procedure

1. Open the E-SSO Password Options dialog. See Soft Token Troubleshooting [page 64].

2. Click Reset E-SSO Password.

3. The Reset SSO Password dialog appears:

4. Select the question from the drop-down list that was defined during the initial Enterprise Single Sign-On soft token logon, and enter the correct answer into the Answer field. The answer must be between 8 and 20 characters. See Initial Soft Token Logon [page 7].

5. Enter your new password into the New Password and Confirm New Password fields. The new password must be between 8 and 20 characters. It is recommended to use a mix of upper-/lower-case characters, special characters, and numbers.

6. Click OK.

7. Your new password is stored in the soft token.


4.1.2 Change the E-SSO Password

Use

Change the soft token password. This applies to the soft token only.

Procedure

1. Open the E-SSO Password Options dialog. See Soft Token Troubleshooting [page 64].

2. Click Change E-SSO Password.

3. The Change E-SSO Password dialog appears:

4. Enter your current E-SSO password into the Old Password field.

5. Enter a new password into the New Password and Confirm New Password fields. The new password must be between 8 and 20 characters. It is recommended to use a mix of upper-/lower-case characters, special characters, and numbers.

6. Click OK.

7. Your new password is stored in the soft token.

4.1.3 Change Security Question

Use

Change the question and answer/pass phrase used to recover the E-SSO password in an emergency scenario.

Procedure

1. Open the E-SSO Password Options dialog. See Soft Token Troubleshooting [page 64].

2. The E-SSO Password Options dialog appears. Click Change Security Question for Resetting E-SSO Password.

3. The Change Security Question for Resetting E-SSO Password dialog appears:

4. Enter the current E-SSO password into the E-SSO Password field.

5. Select a question from the Question drop-down menu and type the corresponding answer/pass phrase into the Answer field. The answer must be between 8 and 20 characters.

6. Click OK. The new question and answer are stored in the soft token.

