Quest Enterprise SSO 8.0.3 2. Installing SSOWatch . Subject . SSOWatch is installable on a single workstation or deployable on all the workstations of

Published by , 2016-03-07 04:30:09

Enterprise Single Sign-On 8.0 - us-downloads.quest.com

Enterprise Single Sign-On 8.0.3

Getting Started with SSOWatch

Copyright © 1998-2009 Quest Software and/or its Licensors
ALL RIGHTS RESERVED.

This publication contains proprietary information protected by copyright. The software described in
this publication is furnished under a software license or nondisclosure agreement. This software
may be used or copied only in accordance with the terms of the applicable agreement. No part of
this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any
means, electronic, mechanical or otherwise without the prior written permission of the publisher.

DISCLAIMER

The information in this publication is provided in connection with Quest branded products from
Evidian. No license, express or implied, by estoppel or otherwise, to any intellectual property right is
granted by this publication. EXCEPT AS OTHERWISE SPECIFIED IN THE END USER LICENSE
AGREEMENT FOR THIS PRODUCT, EVIDIAN AND QUEST ASSUME NO LIABILITY
WHATSOEVER AND DISCLAIM ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY
RELATING TO THIS PRODUCT, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTY
OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.
IN NO EVENT SHALL EVIDIAN OR QUEST BE LIABLE FOR ANY DIRECT, INDIRECT,
CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT
LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF
INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS PUBLICATION, EVEN
IF EVIDIAN OR QUEST HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Evidian and Quest make no representations or warranties with respect to the accuracy or
completeness of the contents of this publication and reserve the right to make changes to
specifications and product descriptions at any time without notice. Evidian and Quest do not make
any commitment to update the information contained in this publication. The information and
specifications in this publication are subject to change without notice.

Trademarks

Quest, Quest Software, the Quest Software logo, Aelita, AppAssure, Benchmark Factory, Big
Brother, DataFactory, DeployDirector, ERDisk, Foglight, Funnel Web, I/Watch, Imceda, InLook,
IntelliProfile, InTrust, IT Dad, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg,
NBSpool, NetBase, Npulse, PerformaSure, PL/Vision, Quest Central, RAPS, SharePlex, Sitraka,
SmartAlarm, Spotlight, SQL LiteSpeed, SQL Navigator, SQL Watch, SQLab, Stat, Stat!,
StealthCollect, Tag and Follow, Toad, T.O.A.D., Toad World, Vintela, Virtual DBA, Xaffire, and XRT
are trademarks and registered trademarks of Quest Software, Inc in the United States of America
and other countries. The terms Evidian, AccessMaster, SafeKit, OpenMaster, SSOWatch,
WiseGuard, Enatel and CertiPass are trademarks registered by Evidian. All other trademarks
mentioned in this document are the property of their respective owners.

World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656
Website: www.quest.com
Please refer to our website for regional and international office information.

Quest Enterprise SSO
Updated – January 2010
Software version – 8.0.3

CONTENTS

About This Guide
Access Management
Conventions

1. Overview
2. Installing SSOWatch
2.1 Starting the "Administration Tools" Interface
2.2 Configuring the Workstation
2.3 Installing SSOWatch on the Workstation
3. Configuring SSOWatch to Enable Single Sign-On – A Step by Step Tutorial
3.1 Enabling SSO for Yahoo! Mail Using the SSOWatch Wizard
3.2 Enabling SSO for Lotus Notes Application Using SSOStudio
3.2.1 Starting SSOStudio Personal
3.2.2 Enabling SSO for Lotus Notes
3.2.3 Saving the Configuration
3.3 Going Further
4. Using SSOWatch Engine
4.1 Session Opening
4.2 SSO Data Collection
4.2.1 First Start of an SSO enabled application
4.2.2 Password Update Request
4.3 Displaying the SSOWatch Engine Popup Menu
4.4 The SSOWatch Engine Management Module
4.4.1 Opening the SSOWatch Engine Management Module
4.4.2 User Account Management
4.5 Activating, Suspending, Resetting the SSOWatch Engine
4.6 Exiting SSOWatch
4.7 Initializing the Emergency Access
4.8 Using the Reset Password Feature
4.8.1 Importing the Enterprise SSO Sample Certification Authority (First-Time Use)
4.8.2 Resetting Your Primary Password
About Quest Software, Inc.
Contacting Quest Software
Contacting Quest Support



About This Guide

Access Management

Subject: This guide explains how to begin with SSOWatch. It describes how
to install SSOWatch, how to quickly enable SSO and perform basic
SSO operations.
This guide does not apply to SSOWatch used in Access Collector mode.

Intended Reader: End-users.

Software/Hardware Required: Enterprise SSO - SSOWatch 8.0 evolution 3 and later versions.

For further information about the operating systems and other
software solutions mentioned in this guide, please refer to the
Quest Enterprise SSO Release Notes.

Supported Operating Systems: Enterprise SSO SSOWatch runs only on Windows systems.


Conventions

In order to help you get the most out of this guide, we have used specific formatting
conventions. These conventions apply to procedures, icons, keystrokes and cross-
references.

ELEMENT: CONVENTION

Select: This word refers to actions such as choosing or highlighting various
interface elements, such as files and radio buttons.

Bolded text: Interface elements that appear in Quest products, such as menus and
commands.

Italic text: Used for comments.

Bold Italic text: Introduces a series of procedures.

Blue text: Indicates a cross-reference. When viewed in Adobe® Acrobat®, this format
can be used as a hyperlink.

(icon): Used to highlight additional information pertinent to the process being
described.

(icon): Used to provide Best Practice information. A best practice details the
recommended course of action for the best result.

(icon): Used to highlight processes that should be performed with care.

+: A plus sign between two keystrokes means that you must press them at
the same time.

|: A pipe sign between elements means that you must select the elements in
that particular sequence.


1. Overview

Single Sign-On (SSO) is the functionality that allows users to sign in (authenticate) only
once during a whole session, no matter how many applications are being accessed.
They can then access their data transparently, without the constraint of retyping a
user name/password pair.
SSOWatch performs the SSO functionality by sitting between a security
system, where the security data is stored (in the form of user name/password pairs),
and the applications that require authentication. It consists of two technical
components:

• SSOWatch Engine, which performs single sign-on.
• SSOStudio, which allows you to configure SSOWatch. You will use it to
"teach" SSOWatch Engine how to recognize the authentication windows of
your web and Windows applications.

For more information on SSOStudio, see Enterprise SSO - SSOWatch
Administrator Guide.
The present guide explains how to begin with SSOWatch. It describes how to install
SSOWatch, how to quickly enable SSO and perform basic SSO operations with the
SSOWatch Engine.


2. Installing SSOWatch

Subject
SSOWatch is installable on a single workstation or deployable on all the workstations of
an enterprise network. This section introduces the interactive installation on a single
workstation.
For information on implementing the directory mode and on enterprise-wide installation,
see Enterprise SSO Advanced Installation and Configuration Guide.

Before Starting
• Make sure you have a supported Windows version.
• Make sure you have a strong authentication device (smartcard, USB key, or
biometrics).
For details on the supported Windows versions and on the supported strong
authentication devices, see Quest Enterprise SSO Release Notes.
• Make sure you have 25MB of available hard disk space.
• Make sure you have the license information supplied with the software.
• Close all running applications.
• Download the Enterprise SSO installation package from the Quest support
website (http://www.quest.com/support).

2.1 Starting the "Administration Tools" Interface

Subject
The Enterprise SSO Administration Tools is a task-oriented interface that allows you
to configure and install your Enterprise SSO solution.


Procedure
1. Log on as system administrator.
2. Once you have downloaded the Enterprise SSO Installation Package, run
start.hta.
The following window appears:

If the window does not appear, browse to the Tools directory of the E-SSO
Installation Package, run WGAdSetup\WGADSetup.exe, and go to Step 3 of the
current procedure.
3. In the E-SSO Advanced Installation area, click one of the following, depending
on your Windows system processor:

• Enterprise SSO: for 32-bit processors.
• Enterprise SSO - x64: for 64-bit processors.

The Administration Tools window appears.


Each tool that you can run from the Administration Tools window is a wizard that
allows you to perform a specific operation during the installation process of the
Enterprise SSO databases.

2.2 Configuring the Workstation

Subject
Before installing SSOWatch, you must configure the workstation so that it runs in
standalone mode.
Procedure

1. Start the Administration Tools interface (see Section 2.1, Starting the
"Administration Tools" Interface).
To open the Configuration Assistant if the Administration Tools does not work
properly, browse the installation package folder, double-click
TOOLS\WGConfig\WGConfig.exe and go to step 4 of the current procedure.

2. In the Select a task list, select Install software modules.
3. In the Software Installation task list, click Configure workstation.

The Configuration Assistant appears.


4. Follow the instructions displayed in the wizard windows with the following
guidelines:

WHEN THIS WINDOW APPEARS DO THE FOLLOWING

1. Select Standalone.
2. Click Next.

1. Select Stand-alone Windows workstation.

2. Click Next.

2.3 Installing SSOWatch on the Workstation

Subject
Once you have configured the workstation so that it runs in standalone mode, you can
install SSOWatch as explained in the following procedure.

Before Starting

• Configure the workstation to run in standalone mode (see Section 2.2,
Configuring the Workstation).

• Install the Microsoft Redistributables if they are not already installed on your
workstation: in the Administration Tools interface, click Install Microsoft
Redistributables.

• If you plan to install the SSOJava plug-in (an installation feature of
SSOWatch, as shown in step 5 of the following procedure), a supported Java
version must already be installed on your workstation (for more
details about the supported JRE versions, see Quest Enterprise SSO
Release Notes).


Procedure
1. Start the Administration Tools interface (see Section 2.1, Starting the
"Administration Tools" Interface).
To run the SSOWatch installation wizard if the Administration Tools does not
work properly, browse the installation package folder, double-click
INSTALL\SSOWatch.msi, and go to step 4 of the current procedure.
2. In the Select a task list, select Install software modules.
3. In the Software Installation task list, click Install E-SSO Client.
The E-SSO Client installation wizard appears.
4. Follow the displayed instructions.
5. When the wizard prompts you to choose the installation type, choose Custom,
click Next, and fill in the Select Features window as follows:

• Biometrics Enrollment tool: installs the biometrics enrollment wizard on the
computer, which allows a user to enroll his/her biometric data for fingerprint
authentication. For more information on the Enterprise SSO biometrics
feature, see Enterprise SSO Advanced Login for Windows User Guide.

• Integration with Windows Authentication: transparently launches
SSOWatch Engine at session startup using the user's Windows credentials. If
this feature is not installed, SSOWatch will be launched automatically, but it
will ask the user for their credentials.

• Old IE Plugin: deprecated Internet Explorer plug-in that must only be
installed for compatibility reasons with the previous WiseGuard versions.

• Java plugin: allows SSOWatch to access Java applications.
If you select this feature, make sure a supported Java version is already
installed on your workstation before launching the installation of SSOWatch.

• SSOStudio Personal: allows a single user to configure the applications for
which he wants to enable SSO.

• SSOStudio Enterprise: dedicated to administrators: the SSO configuration
is shared by a number of users.

• Fast User Switching: installs the Fast User Switching option, which allows
authorized users to access their session from a workstation that has been
locked by another user.

6. Restart the workstation.
The SSOWatch Engine icon appears in your Windows' system tray, which is
located on the far right end of your task bar.


3. Configuring SSOWatch to Enable Single Sign-On – A Step by Step Tutorial

This section explains how to quickly enable SSO. We guide you through the steps
required to configure SSO for a standard Windows application.
To register an application for SSO, you can use one of the following SSOWatch tools:

• The SSOWatch Wizard, which is the easiest way to enable SSO for standard
application windows.
You will find a step-by-step tutorial to register the Yahoo! Mail example
application in Section 3.1, Enabling SSO for Yahoo! Mail Using the SSOWatch
Wizard.

• SSOStudio, which is the SSOWatch personal configuration editor for
applications that cannot be configured with SSOWatch Wizard, or that require
advanced settings.
You will find a step-by-step tutorial to register the Lotus Notes example
application in Section 3.2, Enabling SSO for Lotus Notes Application Using
SSOStudio.

3.1 Enabling SSO for Yahoo! Mail Using the SSOWatch Wizard

Subject
The SSOWatch Wizard is the easiest way to enable SSO. It helps you to declare the
applications' authentication windows that must be automatically filled in by SSOWatch
Engine. The parameters of applications defined this way make up a configuration for
SSOWatch Engine.

The SSOWatch wizard is suitable for standard authentication windows. For
applications that cannot be configured through the SSOWatch wizard, you must
use SSOStudio.

We use Yahoo! Mail as an example, but you can follow the same procedure for almost
all web applications.


Before Starting

Start Yahoo! Mail so that the authentication window appears, as shown in the following
picture:

Procedure

1. In the Windows system tray, right-click the SSOWatch icon (in the notification
area) and select Add application.
The SSOWatch wizard appears.

2. Fill in the wizard as follows:

ACTION

Step 1:
Select New Application.

Step 2:
Select Windows, and type in the name
of your application.

Step 3:
Drag and drop the target button (1) onto
login field (as this is a web application) of
the Yahoo! Mail authentication window
(2) to fill in this window (3).

Step 4:
Continue drag and drop operations to fill
in this window, as shown opposite.

Step 5:
Click Finish.

The following window appears:

3. Click Yes.
The SSOWatch – Security Data Collect window appears.


4. Fill in this window as follows and click OK:

Yahoo! Mail starts automatically. SSOWatch is now configured to detect and
automatically fill in your Yahoo! Mail authentication window.

If you mistyped the user name or password in the above window, the application
does not start. In this case, you need to modify the credentials for the application,
as explained in Section 4.4.2.1, Change Password.

Why does the Security Data Collect window appear?
At this step of the procedure, the SSOWatch Engine is running, and your
Yahoo! Mail authentication window is still displayed. Although SSOWatch can
detect the window, it cannot fill it in, as you have not provided your authentication
information yet. That is the reason why the Security Data Collect window
appears: the first time you start a declared application, SSOWatch requests your
user name and password. This data is stored in a secure way by SSOWatch, so it
will be able to reuse it afterwards, without requesting any new data.

3.2 Enabling SSO for Lotus Notes Application Using SSOStudio

Subject
SSOStudio Personal is the SSOWatch personal configuration editor. It provides an
easy-to-use graphical interface for declaring the applications for which you want to
enable single sign-on.
You need to use SSOStudio for applications that cannot be configured with SSOWatch
Wizard, but you can also use it for applications that have already been configured using
SSOWatch Wizard, to modify or enhance their configurations.


Restriction
The following example works only with Lotus Notes 5 and later.

3.2.1 Starting SSOStudio Personal

Subject
The following procedure explains how to start SSOStudio Personal.
Procedure
To start SSOStudio Personal, do one of the following:

• Click Start | Programs | Quest Software | Enterprise SSO | Personal
SSOStudio

• Right-click the SSOWatch icon (in the notification area) and select Open
SSOStudio.
The Personal SSOStudio window appears.

The application that we shall use as an example is Lotus Notes.

3.2.2 Enabling SSO for Lotus Notes

The following sub-sections describe how to register the Lotus Notes application using
SSOStudio Personal.
We use Lotus Notes as an example, but you can follow the same procedure for almost
all authorized applications.

3.2.2.1 Creating the Lotus Notes "Application" Object

Subject
This section describes how to quickly create the Lotus Notes Application object in your
SSOStudio configuration.


Procedure
1. In the SSOStudio main window, right-click the Applications node and select
New Application.
The Application properties window appears.
2. In the Properties tab, type "Lotus Notes" in the Application Name field:

3. You do not have to change any other options. Click OK.
The Lotus Notes Application object appears under the Applications node.

3.2.2.2 Creating the Lotus Notes Authentication "Window" Object

Subject
This section describes how to quickly declare the Lotus Notes logon window in your
SSOStudio configuration.


Before Starting
Start Lotus Notes to display the authentication window, as shown in the following picture:

Procedure
1. In the SSOStudio main window, right-click the Lotus Notes Application object
that you have just created and select New Window.
The Window properties window appears.
2. Fill in the General tab as follows:
• In the Window name field, type Notes Logon.
• In the Window type field, select NotesLogin.


3. Fill in the Detection tab as follows:
All the fields are already pre-configured for Lotus Notes, and you would
normally not have anything further to do. However, to show you how it works,
we will describe how to configure the window manually.

a) Launch the Lotus Notes application.
b) In the Detection tab, click the target button and drag and drop it onto
the title bar of your Lotus Notes authentication window.
c) As many authentication windows could have the same title, we are going
to configure an additional text that will be looked for in one of the fields of
the window, to distinguish the Lotus Notes authentication window from
the other ones:
• Select Look for text, and click the In Field sub-option.
• Using the small target button, indicate the field containing the text Enter
the password of, as you did for the title detection.
The content of the field Look for text is automatically updated with the content
of the selected field. In our case: Enter the password of John
Smith/QUEST.
• Depending on your needs, you can erase the user's name to only keep the
text Enter the password of. If it is not erased, SSO will only be enabled
for the user connected during this detection session.


4. Fill in the Actions tab as follows:
All the fields are already pre-configured for Lotus Notes, and you would
normally not have anything further to do. However, to show you how it works,
we will describe how to configure the window manually.

a) Using the upper small target icon, select the field containing the text
Enter the password of, as you did during the detection configuration.
The text in the following field is automatically updated.

b) In this field, select the Lotus Notes identifier (First name/Last name/
Unit/Organization) and click the button.

c) Using the second small target icon, select the field where the
password will have to be entered.

d) Using the last small target icon, select the OK button.
5. Click OK.

The Notes Logon Window object appears under the Lotus Notes Application
object.
6. See Section 3.2.3, Saving the Configuration.
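
The effect of the Look for text setting in step 3, shown as an added example that is not part of the Quest guide: a small Python model of title-plus-text window detection. The exact-title and substring matching, the window title, and the second user's and other application's windows are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


# Constructed model of a window as a detection rule sees it: the title bar
# text plus the visible text of each field. This is not SSOWatch's own format.
@dataclass(frozen=True)
class Window:
    label: str      # name used only to report results in this example
    title: str
    fields: tuple


@dataclass(frozen=True)
class DetectionRule:
    title: str                           # captured from the title bar (step 3b)
    look_for_text: Optional[str] = None  # "Look for text" / "In Field" (step 3c)

    def matches(self, window: Window) -> bool:
        # Assumption: the title is compared exactly and the text is searched
        # as a substring of any field of the window.
        if window.title != self.title:
            return False
        if self.look_for_text is None:
            return True
        return any(self.look_for_text in text for text in window.fields)


def detected(rule, windows):
    """Labels of the windows the rule would treat as the logon window."""
    return [w.label for w in windows if rule.matches(w)]


# Constructed sample: three windows that share one (made-up) title.
TITLE = "Enter Password"
WINDOWS = [
    Window("notes-john", TITLE, ("Enter the password of John Smith/QUEST", "", "OK")),
    Window("notes-jane", TITLE, ("Enter the password of Jane Doe/QUEST", "", "OK")),
    Window("other-app", TITLE, ("Password for archive.zip", "", "OK")),
]

RULES = {
    # Title alone: any window with the same title is taken for the Notes logon.
    "title only": DetectionRule(TITLE),
    # User name erased: every Notes user is matched, other applications are not.
    "title + generic text": DetectionRule(TITLE, "Enter the password of"),
    # User name kept: only the user present during the detection session matches.
    "title + full text": DetectionRule(TITLE, "Enter the password of John Smith/QUEST"),
}


def compare_rules():
    """Map each rule variant to the windows it detects."""
    return {name: detected(rule, WINDOWS) for name, rule in RULES.items()}


if __name__ == "__main__":
    for name, hits in compare_rules().items():
        print(f"{name:22} -> {hits}")
```

The title-only rule is the one to avoid: it would present the stored Lotus Notes password to any window that happens to share the title.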


3.2.3 Saving the Configuration

Subject
Once you have saved your configuration, SSOWatch can detect the window you have
just configured, as explained in the following procedure.
Procedure

1. Click the (Save) button located in the SSOStudio toolbar.
The following window appears:

2. Click Yes.
The SSOWatch – Security Data Collect window appears.

3. Fill in this window as follows and click OK:

Lotus Notes starts automatically. SSOWatch is now configured to detect and
automatically fill in your Lotus Notes authentication window.

If you mistyped the user name or password in the above window, the application
does not start. In this case, you need to modify the credentials for the application,
as explained in Section 4.4.2.1, Change Password.


Why does the Security Data Collect window appear?
At this step of the procedure, the SSOWatch Engine is running, and your Lotus
Notes authentication window is still displayed. Although SSOWatch can detect the
window it cannot fill it in, as you have not provided your authentication information
yet. That is the reason why the Security Data Collect window appears: the first
time you start a declared application, SSOWatch requests your user name and
password. This data is stored in a secure way by SSOWatch, so it will be able to
reuse it afterwards, without requesting any new data.

3.3 Going Further

There you are! You have configured and enabled your first SSO using SSOWatch
Wizard and the SSOWatch SSOStudio Configuration Editor.
Using the same steps and procedures, you can configure other types of application and
authentication windows.

The detection modes for other applications are different. For more details, see
Enterprise SSO - SSOWatch Administrator Guide.


4. Using SSOWatch Engine

This section describes SSOWatch from the user point of view. This covers basic SSO
operations: SSO data collection, and SSO engine management.

4.1 Session Opening

If you have installed SSOWatch as described in Section 2, Installing SSOWatch, the
SSOWatch engine starts automatically when you open a session.
Otherwise, SSOWatch may prompt you to authenticate through the following window:

Once the engine is started, an icon is displayed in the Windows notification area:
This indicates that the SSO engine is running.


4.2 SSO Data Collection

4.2.1 First Start of an SSO enabled application

During its standard utilization, SSOWatch is almost invisible to the user. However, when
it starts for the first time, or when some particular events occur such as password
update requests, you will have to provide some information.

At the first launch of an SSO enabled application, when the application requests the
user's authentication, the SSOWatch collect window appears in the foreground (the
application is temporarily disabled) and requests the user name and password for the
application:

Simply provide your usual user name for this application, your password (and confirm it
to avoid typing errors), and validate by clicking the OK button.
This data will be stored in a secure way by SSOWatch, so it will be able to reuse it
afterwards, without requesting any new data. The Single Sign-On function is now
enabled.


4.2.2 Password Update Request

When an SSO enabled application asks for a password update, this request is intercepted
by SSOWatch, which displays the following window:

Simply type in a new password (and confirm it to avoid typing errors) and validate it by
clicking the OK button.
SSOWatch updates this data and stores it securely in the security database,
so that it will be able to reuse it afterwards, without requesting any new data.

4.3 Displaying the SSOWatch Engine Popup Menu

Subject
The SSOWatch Engine popup menu allows you to control the SSOWatch Engine. This
popup menu is associated with the SSOWatch Engine taskbar icon:


From this popup menu, you can:

• Emergency Access: Initialize your primary password or PIN code reset
(Emergency Access). This feature runs only with the LDAP configuration
storage mode, as described in Section 4.7, Initializing the Emergency Access.

• Biometric Enrollment: Enroll your biometric data using the biometrics scan
wizard (a biometric authentication device must be installed on your computer).
For more information, see Enterprise SSO Advanced Login for Windows User
Guide.

• Open the management module of SSOWatch: SSOEngine.
• Add application: Enable SSO applications with SSOWatch Wizard.
• Open SSOStudio to add an application with SSOStudio, as described in
Section 3, Configuring SSOWatch to Enable Single Sign-On – A Step by Step
Tutorial.
• Suspend and Activate the SSOWatch Engine.
• Reset the configuration.
• Exit SSOWatch: Stop the SSO Engine.

Procedure

To display this popup menu, right-click the SSOWatch Engine icon in the taskbar.

Double-clicking the SSOWatch Engine icon performs the default action (in bold):
Open.

4.4 The SSOWatch Engine Management Module

The administration module of SSOEngine provides the following functions:

• Managing the SSOWatch Engine.
• Management of user accounts.


4.4.1 Opening the SSOWatch Engine Management Module

Procedure
1. To open the SSOWatch engine management module, right-click the
SSOWatch icon in the taskbar, and click Open, or simply double-click the
SSOWatch icon itself.
The following window appears:

2. Do one of the following:
• To manage your accounts, click the button:
see Section 4.4.2, User Account Management.
• To manage the SSO Engine, click the button: see Section 4.5, Activating,
Suspending, Resetting the SSOWatch Engine.


4.4.2 User Account Management

You can see (and update) your user accounts using the User accounts option in the
SSOEngine module by clicking on the icon in the SSOWatch Engine management
module.

4.4.2.1 Change Password

The button allows you to change your password for the selected account, but only
in the security database: the password is not changed in the security base of the
target application. This action can be used to manually deal with BadPasswords.

This option may be disabled in the configuration file or with a centralized
parameter.

4.4.2.2 New Account

The button allows you to create a new account for the selected application.
When you create an account, you enter security information associated with this
account. This operation will be done automatically for the first account defined in the
configuration (for an application).

User Roles
If you have defined several accounts, you will have to manually create the other
accounts, through the user account management interface.
This is designed for those users who have a number of accounts on the same
application(s). An account name designates a role.
If a role is shown in the text box of the SSOEngine screen, the corresponding SSO
applications will be launched using the security data associated with this role.


If no role has been selected for multiple account applications, you will be prompted to
choose an account on connection.

4.4.2.3 Delete Account

The button allows you to delete security information (user name, password and
optional parameters) associated with an account. If many accounts are associated with
an application, the account line will be deleted. If you delete the only remaining account,
<not registered> will be displayed in place of the user name.

4.4.2.4 Show Password

The button allows the owner of an account to see the password associated with the
account. Using this feature always requires the user to authenticate.

4.4.2.5 Delegate Account

The icon is only available if you use SSOWatch in standalone and LDAP storage
mode. It allows the owner of an account to delegate access to other users.

4.4.2.6 Hide Applications without Credentials

This option is available by right-clicking an account. It allows you to display only the
applications for which you have an account.

4.4.2.7 Enable/Disable an Application or all Applications

This command is available by right-clicking an account. It allows you to deactivate (and
activate again) the SSO function for the specified application.

4.5 Activating, Suspending, Resetting the
SSOWatch Engine

Subject
The Suspend, Activate, Reset Configuration commands allow you to manage the
SSOWatch Engine.
You can use these commands either from the SSOWatch engine popup menu, or through
the SSOWatch management module, using the Home button.

• The Suspend command allows you to suspend the use of SSO. When
suspended, the SSOWatch engine does not carry out single sign-on.
You can prevent the user from disabling the SSO engine through the configuration
options.
SSOWatch Engine automatically suspends itself when the smart card or USB key
used for authentication is removed.

• The Reset Configuration command allows you to load the modifications
performed in your SSOWatch configuration file and reset the applications and
windows states (those windows and applications which have been disabled
will be reactivated). You can use this menu when the engine is running or when
it is suspended. Once the reset action is complete, the SSO Engine will be in a
running state.

• The Activate command allows you to resume the SSOWatch Engine and
re-enable the use of SSO.

Procedure
• To suspend the SSOWatch engine, right-click the SSOWatch engine icon and
select Suspend.
The SSOWatch engine icon changes to .
• To activate the SSOWatch engine, right-click the SSOWatch engine icon and
select Activate.
The SSOWatch engine icon changes to .
• To reset the SSOWatch engine configuration, right-click the SSOWatch engine
icon and select Reset Configuration.
If your SSOWatch engine was suspended, its icon changes to .

4.6 Exiting SSOWatch

To exit SSOWatch, right-click the SSOWatch engine icon and select Exit SSOWatch.

The SSOWatch engine icon disappears and single sign-on is disabled.

The Exit SSOWatch command can be disabled through the configuration file.

4.7 Initializing the Emergency Access

Subject

The Emergency Access feature allows you to reset your password or your PIN code in
case you have lost or forgotten it.

Initializing the Emergency Access feature consists of choosing a set of questions and
recording the associated answers (if you want to reset your password or PIN code, you
will have to answer the question you have chosen).

This feature runs only with the LDAP configuration storage mode.
To find out your configuration storage mode, right-click the SSOWatch Engine icon
(located on the taskbar), select About SSOWatch, and in the displayed window,
check the value of the Configuration storage mode field.

When the Emergency Access feature is enabled, you can define your questions
(optional) and answers the first time that your SSOWatch engine is activated. Then you
may need to modify this data in the following cases:

• The questions have changed, so you have to update your answers.
• You must enter your answers periodically.
• You want to change your questions/answers.

Procedure

1. Right-click the SSOWatch icon located in the notification area, and select
Emergency Access.
The Authentication window appears.

2. Enter your ID and Password and click OK.
The Emergency Access wizard appears.

3. Follow the displayed instructions.
Restrictions may apply when you define your questions/answers, for example a
minimum/maximum number of characters, words that you cannot use… If you do
not know why your questions/answers are not accepted, contact your Enterprise
SSO administrator.

32

Getting Started with SSOWatch

4.8 Using the Reset Password Feature

4.8.1 Importing the Enterprise SSO Sample Certification
Authority (First-Time Use)

Subject
To avoid Security Alert messages when connecting to the Reset Password portal, you
must import the Sample Certification Authority (CA) in your Internet Explorer web
browser, as explained in the following procedure.
Procedure

1. Start Internet Explorer and enter in the address bar the URL corresponding to
the Reset Password web server followed by /ca.crt (example:
http://MyResetPasswordServer/ca.crt)
The following window appears:

2. Click Open, and in the displayed window, click Install Certificate.
3. Follow the instructions of the Import Certificate wizard.

It is recommended to keep the default selected options. Just click the Next and
Finish buttons to install the file.
4. Click OK to close the Certificate window.
The Sample CA is imported.
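
The procedure above fetches ca.crt over http://, so the file is not authenticated in transit and its fingerprint should be compared with a value obtained another way before it becomes a trusted root. The following PowerShell script is an added example, not part of the Quest documentation; the download path and the expected fingerprint (a placeholder to be replaced with the value your Enterprise SSO administrator gives you through a separate channel) are assumptions.

```powershell
# Added example (not from the Quest documentation).
# Assumptions: ca.crt was saved from the Reset Password server to $CertPath, and
# $ExpectedSha256 is the fingerprint supplied by your Enterprise SSO administrator
# through a separate channel (placeholder value below).
param(
    [string]$CertPath       = "$env:USERPROFILE\Downloads\ca.crt",
    [string]$ExpectedSha256 = '<SHA-256 FINGERPRINT FROM YOUR ADMINISTRATOR>'
)

function Get-CertSha256 {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { ($sha.ComputeHash($Cert.RawData) | ForEach-Object { $_.ToString('X2') }) -join '' }
    finally { $sha.Dispose() }
}

function Test-SampleCa {
    param($Cert, [string]$Expected)
    $problems = @()

    # Fingerprint comparison ignores case, colons and spaces.
    $want = ($Expected -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $got  = Get-CertSha256 $Cert
    if ($want.Length -ne 64) { $problems += 'expected fingerprint is not 64 hex digits' }
    elseif ($got -ne $want)  { $problems += "fingerprint mismatch: file has $got" }

    # A root CA is self-signed and carries basicConstraints CA=TRUE.
    if ($Cert.Subject -ne $Cert.Issuer) { $problems += 'not self-signed' }
    $bc = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) { $problems += 'basicConstraints CA flag not set' }

    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) { $problems += 'outside validity period' }
    return ,$problems
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$problems = Test-SampleCa -Cert $cert -Expected $ExpectedSha256
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'ca.crt failed verification; not importing.'
}
# Import into the current user's Trusted Root store only after every check passed.
Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\CurrentUser\Root
```

With the placeholder left in place the script stops at the fingerprint check and imports nothing.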

4.8.2 Resetting Your Primary Password

Subject
This section describes how to securely reset your primary password from any
workstation using Internet Explorer.
If you can no longer log on to any workstation, reset your primary password as explained
in the following procedure.

Before Starting
The Emergency Access feature must be initialized: you must have chosen a set of
questions and answers (see Section 4.7, Initializing the Emergency Access).
Procedure

1. Start your Internet Explorer web browser and enter in the address bar the URL
corresponding to the Reset Password web server (example:
http://MyResetPasswordServer).
If you do not know this URL, contact your Enterprise SSO administrator.

2. In the displayed page, click the reset your primary password link.
3. Type your identifier and click the Submit button.

The Password reinitialization page appears.

4. Answer each question with the answer you gave while initializing
the Password Reset functionality, and type your new primary password twice.

5. Click the Submit button.
After a certain number of wrong answers, the process may be blocked and you will
not be able to try again. In this case, contact your Enterprise SSO administrator.

You can now use your new password to connect to your workstation.
