Oracle Enterprise Single Sign-on Authentication Manager


Oracle Enterprise Single Sign-on Authentication Manager
Installation and Setup Guide
Release 10.1.4.0.4
E10559-01
November 2007

Oracle Enterprise Single Sign-on Authentication Manager Installation and Setup Guide, Release 10.1.4.0.4
E10559-01

Copyright 2006-2007, Oracle. All rights reserved.

The Programs (which include both the software and documentation) contain proprietary information; they are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent, and other intellectual and industrial property laws. Reverse engineering, disassembly, or decompilation of the Programs, except to the extent required to obtain interoperability with other independently created software or as specified by law, is prohibited.

The information contained in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. This document is not warranted to be error-free. Except as may be expressly permitted in your license agreement for these Programs, no part of these Programs may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose.

If the Programs are delivered to the United States Government or anyone licensing or using the Programs on behalf of the United States Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the Programs, including documentation and technical data, shall be subject to the licensing restrictions set forth in the applicable Oracle license agreement, and, to the extent applicable, the additional rights set forth in FAR 52.227-19, Commercial Computer Software--Restricted Rights (June 1987). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065.

The Programs are not intended for use in any nuclear, aviation, mass transit, medical, or other inherently dangerous applications. It shall be the licensee's responsibility to take all appropriate fail-safe, backup, redundancy and other measures to ensure the safe use of such applications if the Programs are used for such purposes, and we disclaim liability for any damages caused by such use of the Programs.

Oracle, JD Edwards, PeopleSoft, and Siebel are registered trademarks of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

The Programs may provide links to Web sites and access to content, products, and services from third parties. Oracle is not responsible for the availability of, or any content provided on, third-party Web sites. You bear all risks associated with the use of such content. If you choose to purchase any products or services from a third party, the relationship is directly between you and the third party. Oracle is not responsible for: (a) the quality of third-party products or services; or (b) fulfilling any of the terms of the agreement with the third party, including delivery of products or services and warranty obligations related to purchased products or services. Oracle is not responsible for any loss or damage of any sort that you may incur from dealing with any third party.

Table of Contents

Preface
  Audience
  Related Documentation
  Conventions and Terminology
About ESSO-AM
  ESSO-AM Features
Installation Introduction
Installing ESSO-AM
  Installing ESSO-LM Agent and Administrative Console
  Installing the ESSO-AM Agent
  Adjusting the settings in the ESSO-LM Administrative Console
First Time Use Scenarios
Usage Flows Scenarios
Upgrade Notes
Uninstalling ESSO-AM

Preface

This document describes the functionality of Oracle Enterprise Single Sign-on Authentication Manager (ESSO-AM) and provides instructions on how to install and configure ESSO-AM. This document also describes ESSO-AM usage flow scenarios.

The following topics are covered in the preface:

- Audience
- Related Documentation
- Conventions and Terminology
- Support Information

Audience

This document is intended for experienced administrators responsible for the planning, implementation and deployment of ESSO-AM. Administrators are expected to understand single sign-on concepts as well as be familiar with strong authenticators. The person completing the installation and configuration procedure should also be familiar with the company's system standards. Readers should be able to perform routine security administration tasks.

Related Documentation

Documentation provided with this product includes:

- ESSO-AM Release Notes
- ESSO-AM Installation and Setup Guide

Conventions and Terminology

This document uses various conventions and icons to help you identify special terms and important topics quickly. Not all conventions are used in every manual.

Convention: Bold font
Connotation: Within text, references to the following:
- Dialog box/GUI element names
- Dialog box/GUI section labels
- Dialog box/GUI tab names or labels
- Dialog box/GUI field names
- Any button that is clicked within procedures and on GUIs

Convention: Italic font
Connotation:
- Variable text within a command or path
- References to other technical publications

Convention: Courier New font
Connotation:
- Registry keys
- Command line
- Code examples

Icon: Important task
Description: Essential to the completion of a procedure.

Icon: Note or tip
Description: Additional valuable information about a task or topic. Not essential to completion of the task.

Icon: Best Practice
Description: Recommended method to perform a procedure.

Icon: Caution
Description: If a step or procedure is not followed exactly, the result could be loss of data or data corruption.

Icon: New in this release
Description: Indicates new features introduced in this release.

Acronym or Abbreviation: Full Name

SSO Agent: ESSO Logon Manager Agent
SSO Administrative Console: ESSO Administrative Console
ESSO-LM: Oracle Enterprise Single Sign-on Logon Manager
ESSO-AM: Oracle Enterprise Single Sign-on Authentication Manager
ESSO-KM: Oracle Enterprise Single Sign-on Kiosk Manager
ESSO-PG: Oracle Enterprise Single Sign-on Provisioning Gateway
ESSO-PR: Oracle Enterprise Single Sign-on Password Reset
SSO FTU: ESSO-LM First Time Use

About ESSO-AM

ESSO-AM, an add-on module to Oracle Enterprise Single Sign-on Logon Manager (ESSO-LM), enables organizations to seamlessly bridge strong authentication, including smart cards, biometrics, and Entrust authenticators, to all of their applications. Users can employ different authenticators at different times, and application access can be controlled based upon the authenticator used.

ESSO-AM adds three capabilities to ESSO-LM:

1. Strong authentication support from a variety of strong authenticators, including smart cards and biometric devices, for all authentication events: initial authentication, re-authentication, and forced authentication.
2. Multiple Authenticator support allows multiple logon methods to be used to authenticate an end user and provides an authenticator that is capable of supporting graded authentication, as well as alternative logon methods. This support enables end users to mix and match multiple logon methods on-the-fly.
3. Administrators can define grades or levels for authentication methods and applications. Defining grades enables administrators to control which functions of ESSO-AM users can execute based upon the type of authenticator presented.

ESSO-AM files and components are installed directly into the ESSO-LM directory. A separate ESSO-AM directory does not exist. Because ESSO-AM is an add-on module to ESSO-LM, the ESSO-AM help is part of the ESSO-LM help file.

ESSO-AM Features

Multiple Authenticator Support

ESSO-AM supports the use of multiple logon methods to authenticate an end user. This feature provides an authenticator that is capable of supporting graded authentication, as well as alternative authentication methods.

Multiple authenticator support:

- Accepts authentication using different authenticators
- Supports graded authentication
- Allows multiple authenticators to be used interchangeably during a user session (between the initial logon and the logout)
- Allows multiple authenticators to be used interchangeably between sessions
- Enables administrators to:
  o Allow or disallow the use of multiple authenticators
  o Specify which authenticator is the default primary authenticator
  o Specify which authenticators are required for enrollment
  o Restrict access to applications based upon the strength of the authenticator used
  o Allow or disallow the use of multiple authenticators interchangeably during a single session
  o Allow or disallow the use of multiple authenticators interchangeably between sessions

Graded Authentication

Graded authentication allows you to define grades or levels of authentication in ESSO-AM. Graded authentication controls which functions of ESSO-AM users can execute based upon the type of authenticator presented. Grades can be applied and used to ensure that the correct level of authentication has been performed for specific events and activities.

Graded authentication:

- Supports an unbounded number of authentication grades or levels
- Supports setting required authentication grades on a per-application basis
- Supports setting required authentication grades on SSO processes that require re-authentication
- Supports administration setup for the authentication level for every application
- Supports administration setup for the authenticator grade
- Supports logging of graded authentication events
- Enables administrators to:
  o Turn graded authentication support on or off
  o Configure graded authentication on a per-application basis

How does ESSO-AM work with graded authentication?

ESSO-AM controls application logons, which can be initiated by the end user, based upon the authenticator used by the end user on the most recent authentication request. The most recent authentication request can be the initial logon, the last re-authentication, or the forced authentication requested by ESSO-AM.

ESSO-AM has an authentication grading scheme to which different authenticators are mapped and, separately, to which application logons are mapped. ESSO-AM allows users to log on to an application only when the grade of the authenticator used equals or exceeds that of the application logon. When a user does not respond to an authentication request with an authenticator of sufficiently high grade, ESSO-AM prompts the user to either re-authenticate with an authenticator of sufficiently high grade or cancel the requested logon.

If a user repeatedly attempts to initiate a logon or function with an authenticator of insufficient grade, ESSO-AM locks out the user, logs an event in the Event Manager, and notifies the user and administrator.

If a user does not have ESSO-AM installed, but has application logons that have been configured to require strong authentication, the user does not have access to those applications (in other words, strong authentication is deployed in the enterprise, but not to that user). Logon Manager only displays the application logons that are currently available, based upon the authenticator used in the most recent authentication request.

The following ESSO-AM functions can be configured to be accessible or inaccessible based upon the grade of authenticator used in the most recent authentication request:

o System Tray: Logon Manager
o Logon Manager: Delete, Properties, and Reveal All functions
o Logon Manager Properties Page: Reveal Password function

If the Reveal All function is accessible based upon a grade of authentication used, it only reveals passwords for those applications whose grade is equal to or lower than the grade used to authenticate for that function.

Installation Introduction

Because ESSO-AM is installed as an add-on component to ESSO-LM, ESSO-LM must be installed first. ESSO-LM automatically recognizes ESSO-AM after it is installed.

The following procedures must be completed in order to successfully install ESSO-AM:

- Installing ESSO-LM
- Installing the ESSO-AM Agent
- If upgrading from earlier versions of ESSO-AM, refer to the Upgrade Notes
- Adjusting the settings in the ESSO-LM Administrative Console
- First-Time-Use Scenarios

Installing ESSO-AM

To install and configure ESSO-AM, you must complete several procedures:

- Install the ESSO-LM Agent and Administrative Console
- Install the ESSO-AM Agent
- Adjust the settings in the ESSO-LM Administrative Console

Installing ESSO-LM Agent and Administrative Console

ESSO-AM requires ESSO-LM version 10.1.4.0.1 or later. When the ESSO-LM Agent is installed, the Authentication Manager feature must be installed at the same time. This feature is located on the Custom Setup dialog box under Logon Methods.

If ESSO-LM is already installed, go to Control Panel > Add/Remove Programs > Oracle Enterprise Single Sign-on Logon Manager and click Change. Modify the installation to install the Authentication Manager.

For more information, see the ESSO-LM Installation and Setup Guide.

Installing the ESSO-AM Agent

If you are upgrading from earlier versions of ESSO-AM, refer to the Upgrade Notes.

To install and configure the ESSO-AM Agent:

1. Close all programs.
2. Start the installation from a shared network drive or the CD.
3. The Welcome dialog box opens. Click Next.
4. Read the License Agreement carefully. If you agree to the terms in the license agreement, select I accept the terms in the license agreement and click Next to continue.
5. The Custom Setup dialog box prompts you to select the features to be installed. Select which ones you want to install by clicking the red [x] next to the feature and clicking This feature will be installed on local hard drive.

   Features that you can install include:

   - Languages: If you will be using localized language support to display ESSO-AM in other languages, click the [+] next to Languages and select the language pack.
   - Logon Methods: Choose the logon method by clicking the [+] next to Logon Methods. Smart Card, Entrust, SAFLINK SAFAuthenticator for ESSO-LM, DigitalPersona Authenticator, Xyloc, Sphinx, and HID ISO Proximity Card Auth logon methods are available. Click the [+] next to Smart Card to install support for storing users' synchronization credentials on Gemplus smart cards.
   - SoftID Helper: Select to install SoftID support.
   - Gemplus Smart Card support for LDAP Sync Prep with ESSO-KM Integration Support is available for storing a user's synchronization credentials on Gemplus smart cards. This feature integrates with Oracle Enterprise Single Sign-on Kiosk Manager (ESSO-KM). With this feature installed and working with ESSO-KM, users will be automatically prompted to enter their smart card PINs instead of their synchronization credentials when inserting a smart card to start an ESSO-KM session. In order for this feature to work, the user's synchronization credentials must first be stored on the smart card. This is accomplished by performing an authentication to ESSO-LM with the smart card on any workstation that has this feature installed. ESSO-LM must also be configured to synchronize with a repository, such as LDAP or Active Directory.

6. When you have selected all necessary features, click Next.
7. ESSO-AM is ready to be installed. Click Install.
8. When the installation is complete, click Finish.

Adjusting the settings in the ESSO-LM Administrative Console

After ESSO-AM is installed, it automatically integrates with the ESSO-LM Agent and Administrative Console. You must configure the ESSO-AM settings in the ESSO-LM Administrative Console. Help topics for ESSO-AM are included in the ESSO-LM Agent and Console Help system.

To configure the ESSO-AM settings:

1. Click Start > Programs > Oracle > ESSO-LM > ESSO-LM Console. The Administrative Console opens.
2. Right-click the Global Agent Settings icon to display a shortcut menu, point to Import and click From Live HKLM.
3. After the list has been imported, expand Live, expand Primary Logon Methods, and then expand Authentication Manager.
4. There are three sections to configure for the Authentication Manager: Enrollment, Grade, and Order.
5. If using DigitalPersona or Smart Cards, configure these settings.
6. Also see Configuring Application-level Authentication Grades.

Caution: A potential security problem exists with graded authentication and multiple primary logon methods. If multiple authenticators are set up with different grades, a user with a lower-grade authenticator has the ability to change his primary logon method from multiple authentication to single authentication, thereby giving himself access to logons that require higher grades.

This potential issue can be avoided through settings in the ESSO-LM Administrative Console. Expand Global Agent Settings > Live > End User Experience > Setup Wizard. Set the Selected Primary Logon (Registry Location: AUI: Selected) setting to Authentication Manager. As long as this is selected, the user can no longer change the primary logon method.

Configuring Authentication Manager: Enrollment

The enrollment settings specify the primary logon methods (authenticators) that can be used with the Authentication Manager. To access the enrollment settings, click Global Agent Settings > Live > Primary Logon Methods > Authentication Manager > Enrollment.

The settings on this page determine whether a user will be required to set up a specific logon method during the First Time Use (FTU) Wizard, if Authentication Manager is chosen as the primary logon method. For each primary logon method, the following options are available:

- Optional: User has the option to configure this logon, or to skip it. If the user defers the logon request, ESSO-LM will not ask again.
- Incremental: User has the option to configure this logon, or to skip it. If the user defers the logon request, ESSO-LM will ask for credentials each time the application starts.
- Required: User is required to configure this logon. If this logon is not configured, the user will not be able to complete enrollment.
- Disabled: This logon method is not presented to the user during the FTU wizard.

Configuring Authentication Manager: Grade

The grade settings specify an authentication grade for each primary logon method. Set a numeric grade value (>=1) for each logon method. To access the grade settings, click Global Agent Settings > Live > Primary Logon Methods > Authentication Manager > Grade.

Authentication Grades are numeric values. An authentication grade automatically defaults to grade level 1 if authentication grading is turned on and no grade level is specified. The higher the grade level specified, the stronger the authentication level that is being requested. You can arbitrarily configure the grading scale. For example, an expected normal scenario would be a scale of 1 to 3, but you have the flexibility to make this 1 to 5 or 1 to n, as you require. To be consistent, any grade lower than 1 will be converted to 1.

ESSO-AM supports the authentication grades by mapping the grades to the authentication methods used. By default, most authenticators require a specific authenticator to manage grade levels, as they do not support this on their own. If a user tries to access credentials with a grade level that is too low, he or she will be asked to authenticate at a higher grade and only gains access if successful. Lockouts occur as per the normal ESSO-LM authentication lockout policy. Because graded authentication uses the core SSO authentication process, this happens naturally.

To set the authenticator grade for specific applications, use the Authenticator Level Grade setting.

Configuring Authentication Manager: Order

The order settings specify the sequence in which the installed logon methods will be presented to the end user during re-authentication scenarios, if Authentication Manager is chosen as the primary logon method. To access the order settings, click Global Agent Settings > Live > Primary Logon Methods > Authentication Manager > Order.

The Allowed number of logon methods setting allows you to set the maximum number of logon methods that will be presented to a user during the FTU scenario. After this number of logon methods has been presented, a Choose Logon dialog box opens. The user can then select their logon method from this dialog box.

For each primary logon method, select or type a number to indicate the logon method's position during a re-authentication scenario. A 1 indicates the most preferred logon method.

DigitalPersona: Required

The DigitalPersona settings are the primary controls for enabling standard DigitalPersona authentication. This setting must be configured in order for the ESSO-LM Agent to use DigitalPersona as a primary logon method. To access the DigitalPersona settings, click Global Agent Settings > Live > Primary Logon Methods > DigitalPersona > Required.

User Account Type: DigitalPersona requires that a Windows account be used in order to match fingerprints. Select whether to use the local workstation account (current logged-on user) or the sync account to retrieve fingerprints. The sync account option is typically used in kiosk environments and on shared computers.

Options:
- Local Machine Account (default)
- Sync Account

In order for ESSO-AM to work with DigitalPersona, the following two configuration items are required:

- The DigitalPersona SDK is required for the DigitalPersona biometric sensor to operate with ESSO-AM. This SDK must be installed. Consult your DigitalPersona documentation to find out which SDK works with your version of the software.
- The DigitalPersona One Touch Internet option must not be installed because it conflicts with ESSO-AM. This option can be uninstalled from DigitalPersona using the Add/Remove Programs option on the Control Panel. Navigate to the Custom Setup dialog box and clear One Touch Internet.

Smart Card: Advanced

The smart card settings control special-case options for smart-card authentication. These settings are not required. To access the smart card settings, click Global Agent Settings > Live > Primary Logon Methods > Smart Card > Advanced.

Passphrase: Enables the passphrase challenge for additional security. The passphrase can be supplied either by the user entering the passphrase in a dialog box (the default setting) or by the newest non-default encryption certificate on the card itself.

Note: The default setting requires users to provide a passphrase answer during First Time Use.

Options:
- Disable
- Enable using a dialog box (default)
- Enable using the card's certificate

Use the default certificate for authentication: Use the default logon certificate (provided by the administrator) on the card for authentication. If not enabled (the default), use (and create if necessary) the public or private keys in the SSO container on the card.

Options:
- Use SSO-generated keys (default)
- Use the default logon certificate

Windows Subtitle Name: Use this setting to customize the Window subtitle name for this authenticator. This entry is not required.

Windows Title Name: Use this setting to customize the Window title name for this authenticator. This entry is not required.

Whether to store the PIN: Whether to store the smart card PIN (in which case the Agent prompts for the PIN) or to require that the smart-card drivers request the PIN.

Options:
- Do not store PIN (default)
- Store PIN

Configuring Application-Level Authentication Grades

Authentication Tab (for selected application)

To access the application-level settings, click Applications > Select any application > Authentication tab.

Use the Authentication tab to set the Minimum Authentication Grade Required for the selected application. The user's primary logon method used must have an Authentication Grade equal to or higher than this value in order for ESSO-LM to log the user on to the selected application. If the end user's primary logon method has an authentication grade lower than the minimum set for this application, access to the selected application will not be successful. When the user requests the application, a message appears requesting that he authenticate at a higher grade in order to gain access to the application.

Select or type the numeric value of the lowest authentication grade that the end user's primary logon method can have. The default is 1.

Authentication Grades are numeric values. An authentication grade will automatically default to grade level 1 if authentication grading is turned on and no grade level is specified. The higher the grade level specified, the stronger the authentication level that is being requested. You can arbitrarily configure the grading scale. For example, an expected normal scenario would be a scale of 1 to 3, but you have the flexibility to make this 1 to 5 or 1 to n, as you require. To be consistent, any grade less than 1 will be converted to 1.

To set the authentication grade for primary logon methods, use the Authenticator Grade setting.
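The following Python model is an added example, not Oracle code and not an API that ESSO-AM exposes; ESSO-AM applies these rules inside the ESSO-LM Agent and is configured only through the Administrative Console settings described above. It pulls together the grading rules from "How does ESSO-AM work with graded authentication?", "Configuring Authentication Manager: Grade" and this section: a missing grade defaults to 1, any grade below 1 is converted to 1, a logon is allowed only when the authenticator grade equals or exceeds the application's Minimum Authentication Grade Required, Logon Manager (and Reveal All) only shows logons whose grade is met, repeated insufficient-grade attempts lock the user out, and a locked Selected Primary Logon stops a user switching to a single lower-grade authenticator. The class and method names, the sample grades and the lockout threshold of three attempts are assumptions; the guide only says "repeatedly".

```python
"""Model of ESSO-AM graded authentication decisions (added example, not Oracle code)."""
from dataclasses import dataclass, field


def normalize_grade(value):
    """Authentication grades are numeric values of 1 or more.

    A missing grade defaults to 1 when grading is turned on, and any grade
    lower than 1 is converted to 1, as the Grade settings page states.
    """
    if value is None:
        return 1
    return max(1, int(value))


@dataclass
class GradedAuthPolicy:
    # logon method (authenticator) -> configured Authenticator Grade
    authenticator_grades: dict
    # application -> Minimum Authentication Grade Required (Authentication tab)
    application_min_grades: dict
    # ASSUMPTION: number of insufficient-grade attempts before lockout
    lockout_threshold: int = 3
    # Selected Primary Logon fixed to Authentication Manager (AUI: Selected)
    primary_logon_locked: bool = True
    primary_logon: str = "Authentication Manager"
    failed_attempts: int = 0
    locked_out: bool = False
    events: list = field(default_factory=list)  # stands in for the Event Manager log

    def grade_of(self, authenticator):
        return normalize_grade(self.authenticator_grades.get(authenticator))

    def min_grade_for(self, application):
        return normalize_grade(self.application_min_grades.get(application))

    def can_log_on(self, authenticator, application):
        """Logon is allowed only when the authenticator grade equals or
        exceeds the grade required by the application logon."""
        return self.grade_of(authenticator) >= self.min_grade_for(application)

    def available_logons(self, authenticator):
        """Logons Logon Manager would display for the authenticator used in the
        most recent authentication request; the same rule limits Reveal All."""
        grade = self.grade_of(authenticator)
        return sorted(app for app in self.application_min_grades
                      if self.min_grade_for(app) <= grade)

    def request_logon(self, authenticator, application):
        """Return 'allowed', 'reauthenticate' (prompt for a higher grade) or 'locked_out'."""
        if self.locked_out:
            return "locked_out"
        if self.can_log_on(authenticator, application):
            self.failed_attempts = 0
            return "allowed"
        self.failed_attempts += 1
        if self.failed_attempts >= self.lockout_threshold:
            self.locked_out = True
            # ESSO-AM logs the event and notifies the user and administrator
            self.events.append(("lockout", authenticator, application))
            return "locked_out"
        return "reauthenticate"

    def change_primary_logon(self, new_method):
        """Model the Setup Wizard caution: with Selected Primary Logon fixed to
        Authentication Manager, the user cannot switch to a single lower-grade
        authenticator and thereby reach logons that require a higher grade."""
        if self.primary_logon_locked:
            return False
        self.primary_logon = new_method
        return True


def build_sample_policy():
    """Constructed sample configuration (grades and names are not from the guide)."""
    return GradedAuthPolicy(
        authenticator_grades={"Windows Password": 1, "Fingerprint": 2, "Smart Card": 3},
        application_min_grades={"Webmail": 1, "CRM": 2, "Payroll": 3, "Legacy App": 0},
    )


if __name__ == "__main__":
    policy = build_sample_policy()
    print("Fingerprint can open:", policy.available_logons("Fingerprint"))
    for _ in range(3):
        print("Password -> Payroll:", policy.request_logon("Windows Password", "Payroll"))
    print("Primary logon change allowed:", policy.change_primary_logon("Windows Password"))
```

Running the block shows a grade-2 fingerprint opening CRM, Legacy App (clamped from 0 to 1) and Webmail but not Payroll, a grade-1 password being told to re-authenticate twice and locked out on the third attempt, and the primary-logon change being refused while the Selected Primary Logon is fixed.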

First Time Use Scenarios

In the setup phase, the user goes through the normal ESSO-LM First Time Use (FTU) wizard until the Select Primary Logon Method dialog box is displayed. The user now has the option to select Authentication Manager as the primary logon method. The behavior of this setup wizard is configured through the ESSO-LM Administrative Console.

Setup Flow Example

1. The first dialog box in the Setup Wizard lists the setup tasks necessary for the local installation of ESSO-LM. Click Next to begin setup.

2. The dialog box lists the setup tasks necessary for your local installation of ESSO-LM: choosing your primary logon method and supplying the credentials for that method. Click Next.

3. The Primary Logon dialog box prompts you to select a logon method. Select Authentication Manager and click Next.

4. Set up all installed authenticators in sequential order. For example, if a smart card authenticator is installed, you see the smart card dialog box. If you click Cancel, the smart card authenticator is skipped as long as it is optional. Clicking Cancel for a required authenticator cancels the Setup Wizard.

5. Insert your smart card. You are prompted to enter your PIN. Click OK. A success message appears. Click OK.

6. You might be prompted to enter a passphrase with a minimum answer length of eight characters. Enter an answer, confirm (re-enter) it, and click OK.

7. Enter your password for Microsoft Windows and click OK.

8. The Setup Wizard indicates that the process is complete and ESSO-LM is ready for use. Click Finish.

Usage Flow Scenarios

Scenario 1: One or more required authenticators have not been configured

The following scenario occurs if one or more required authenticators have not been set up and you are trying to authenticate to an application or website:

1. You are asked to authenticate using the most preferred authenticator that is installed. Clicking Cancel for this authenticator brings up the next preferred authenticator. This process continues until the allowed number of logon methods is reached.

2. If the allowed number of logon methods is reached, the Authentication Manager dialog box appears and prompts you to select another logon method.

3. Set up the new authenticator. If you are setting up a new authenticator in the flow of creating a logon, the authentication request is submitted automatically.

Scenario 2: All required authenticators are configured and only one authenticator can satisfy the requested authentication grade

The following scenario occurs if all required authenticators are configured but only one of those authenticators can satisfy the requested authentication grade:

1. You are asked to authenticate with the only authenticator that will satisfy the authentication grade, for example, a smart card.

2. If the requested authentication fails or is canceled, the authentication process is terminated. The only way to authenticate to this application is with a smart card.

Scenario 3: All required authenticators are configured and more than one authenticator can satisfy the requested authentication grade

The following scenario occurs if all required authenticators are configured and more than one of those authenticators can satisfy the requested authentication grade:

1. You are asked to authenticate using the most preferred authenticator that can satisfy the required authentication grade. Clicking Cancel for this authenticator brings up the next preferred authenticator. This process continues until the allowed number of logon methods is reached.

2. If the allowed number of logon methods is reached, the Authentication Manager dialog box appears and prompts you to select another logon method.

Scenario 4: There is no installed authenticator that can satisfy the requested authentication grade

The following scenario occurs if no installed authenticator can satisfy the requested authentication grade: Authentication Manager fails and displays a failure message.
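The grade comparison from the Authentication tab and the four usage-flow scenarios above, modelled as an added Python example. This is not Oracle's code and the product's internal selection logic is not published in this guide; the model encodes only what the guide states (default grade 1, grades below 1 converted to 1, preference-ordered prompting up to the allowed number of logon methods, termination when the single candidate is canceled, failure when nothing can satisfy the grade). The Authenticator attributes, the numeric preference ordering and the allowed_methods parameter are assumptions, and the sample deployment at the end is constructed.

```python
"""Model of the ESSO-AM grade check and usage-flow scenarios.

Added illustration, not Oracle's code. Attribute names, the preference
ordering and `allowed_methods` are assumptions chosen to express the
behaviour the guide describes.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Authenticator:
    name: str
    grade: int               # Authenticator Grade of this primary logon method
    preference: int          # assumed: lower value = more preferred
    required: bool = False   # required vs. optional authenticator
    configured: bool = True  # set up during First Time Use


def effective_grade(minimum: Optional[int]) -> int:
    """Minimum Authentication Grade Required: default 1; anything below 1 becomes 1."""
    if minimum is None:
        return 1
    return max(1, int(minimum))


def satisfies(auth: Authenticator, minimum: Optional[int]) -> bool:
    """The method's grade must be equal to or higher than the application minimum."""
    return auth.grade >= effective_grade(minimum)


def candidates(installed: List[Authenticator], minimum: Optional[int]) -> List[Authenticator]:
    """Installed authenticators that satisfy the grade, most preferred first."""
    return sorted((a for a in installed if satisfies(a, minimum)),
                  key=lambda a: a.preference)


def authenticate(installed: List[Authenticator], minimum: Optional[int],
                 allowed_methods: int,
                 attempt: Callable[[Authenticator], bool]) -> Tuple[str, Optional[str]]:
    """Walk the four usage-flow scenarios.

    `attempt(auth)` stands in for the user at the prompt: True on successful
    authentication, False when the prompt is cancelled or authentication fails.
    Returns (outcome, name of the authenticator that succeeded or None).
    """
    # Scenario 1: a required authenticator is not set up. Prompt with the most
    # preferred installed authenticators; once the allowed number is reached,
    # Authentication Manager asks the user to select another logon method.
    if any(a.required and not a.configured for a in installed):
        for auth in sorted(installed, key=lambda a: a.preference)[:allowed_methods]:
            if attempt(auth):
                return ("ok", auth.name)
        return ("select_another_method", None)

    cands = candidates(installed, minimum)
    # Scenario 4: nothing installed can reach the grade; fail outright.
    if not cands:
        return ("fail_no_authenticator", None)
    # Scenario 2: exactly one authenticator can satisfy the grade. Cancel or
    # failure terminates the process; there is no fallback method.
    if len(cands) == 1:
        auth = cands[0]
        return ("ok", auth.name) if attempt(auth) else ("fail_terminated", None)
    # Scenario 3: several can; try them in preference order, then offer the
    # selection dialog once the allowed number of logon methods is reached.
    for auth in cands[:allowed_methods]:
        if attempt(auth):
            return ("ok", auth.name)
    return ("select_another_method", None)


# Constructed sample deployment (not from the guide): a smart card at grade 3
# preferred over the Windows password at grade 1, plus a required fingerprint
# authenticator that has not been configured yet.
SMART_CARD = Authenticator("smart card", grade=3, preference=1)
WINDOWS_PW = Authenticator("Windows password", grade=1, preference=2)
UNSET_BIO = Authenticator("fingerprint", grade=2, preference=3,
                          required=True, configured=False)


def cancel_then_accept(rejected: str) -> Callable[[Authenticator], bool]:
    """Simulated user who cancels the named prompt and accepts any other one."""
    return lambda auth: auth.name != rejected


if __name__ == "__main__":
    # Scenario 2: grade 3 leaves only the smart card; cancelling it terminates.
    print(authenticate([SMART_CARD, WINDOWS_PW], 3, 2, cancel_then_accept("smart card")))
    # Scenario 3: grade 1 admits both; cancelling the card falls through to the password.
    print(authenticate([SMART_CARD, WINDOWS_PW], 1, 2, cancel_then_accept("smart card")))
    # Scenario 4: grade 5 is above every installed authenticator.
    print(authenticate([SMART_CARD, WINDOWS_PW], 5, 2, lambda a: True))
    # Scenario 1: a required authenticator is unconfigured and the user cancels twice.
    print(authenticate([SMART_CARD, WINDOWS_PW, UNSET_BIO], 1, 2, lambda a: False))
```

The point the model makes visible is that the application minimum is a floor on the primary logon method's grade, not a selector: lowering it to 0 or a negative number does not switch grading off, and raising it above the best installed authenticator locks every user out of that application until a stronger method is deployed.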

Upgrade Notes

If you are performing an upgrade from an earlier version of ESSO-AM, install ESSO-AM according to the procedures contained in this document. ESSO-AM preserves the behavior of previously enabled authenticators and automatically recognizes the new authenticators.

If ESSO-KM is installed

If you have also installed ESSO-KM, you must take the following steps to ensure a successful upgrade:

1. Uninstall ESSO-KM. For more information, see the ESSO-KM Installation and Setup Guide.

2. Install ESSO-AM.

3. Reinstall ESSO-KM.

Uninstalling ESSO-AM

To uninstall ESSO-AM:

1. Close all programs.

2. Open the Control Panel and select Add/Remove Programs.

3. Select Oracle Enterprise Single Sign-on Authentication Manager and click Remove.

4. Follow the prompts to uninstall ESSO-AM.