Tivoli Access Manager for Enterprise Single Sign-On Version 6.0 Authentication Adapter Installation and Setup Guide SC32-1999-00

Note: Before using this information and the product it supports, read the information in Notices, on page 26.

First Edition (September 2006)

This edition applies to version 6, release 0, modification 0 of IBM Tivoli Access Manager for Enterprise Single Sign-On (product number 5724-N70) and to all subsequent releases and modifications until otherwise indicated in new editions.

Copyright International Business Machines Corporation 2006. All rights reserved. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Table of Contents

Welcome to TAM E-SSO: Authentication Adapter
TAM E-SSO: Authentication Adapter Features
  Multiple Authenticator Support
  Graded Authentication
Installation Overview
System Requirements
  Minimum System Requirements
Installation Steps
First Time Use Scenarios
Usage Flows Scenarios
Upgrade Notes
Uninstalling TAM E-SSO: Authentication Adapter

Welcome to TAM E-SSO: Authentication Adapter

Welcome to the IBM Tivoli Access Manager for Enterprise Single Sign-On: Authentication Adapter (TAM E-SSO: Authentication Adapter) Installation and Setup Guide.

TAM E-SSO: Authentication Adapter, an add-on module to IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM E-SSO), enables organizations to seamlessly bridge strong authentication to all of their applications, including smart cards, biometrics and Entrust authenticators. Users can employ different authenticators at different times, and application access can be controlled based upon the authenticator used.

TAM E-SSO: Authentication Adapter adds three capabilities to TAM E-SSO:

1. Strong authentication support from a variety of strong authenticators, including smart cards and biometric devices, for all authentication events: initial authentication, re-authentication and forced authentication.
2. Multiple Authenticator support allows multiple logon methods to be used to authenticate an end user and provides an authenticator that is capable of supporting graded authentication as well as alternative logon methods. This gives end users the ability to mix and match multiple logon methods on the fly.
3. Administrators can define grades or levels for authentication methods and for applications. This provides the ability to control which functions of TAM E-SSO: Authentication Adapter users can execute, based upon the type of authenticator presented.

Note: TAM E-SSO: Authentication Adapter files and components are installed directly into the TAM E-SSO directory. A separate TAM E-SSO: Authentication Adapter directory does not exist. Since TAM E-SSO: Authentication Adapter is an add-on module to TAM E-SSO, TAM E-SSO: Authentication Adapter Help is part of the TAM E-SSO Help Documentation.

TAM E-SSO: Authentication Adapter Features

Multiple Authenticator Support

Multiple Authentication supports the use of multiple logon methods to authenticate an end user. This feature provides an authenticator that is capable of supporting graded authentication as well as alternative authentication methods.

TAM E-SSO: Authentication Adapter's Multiple Authenticator:

o Accepts authentication using different authenticators.
o Supports Graded Authentication.
o Allows multiple authenticators to be used interchangeably during a user session, i.e. between the initial logon and the logout.
o Allows multiple authenticators to be used interchangeably between sessions.
o Provides administrators the ability to:
  1. Allow or disallow the use of multiple authenticators.
  2. Specify which authenticator is the default primary authenticator.
  3. Specify which authenticators are required for enrollment.
  4. Restrict access to applications based upon the strength of the authenticator used.
  5. Allow or disallow the use of multiple authenticators interchangeably during a single session.
  6. Allow or disallow the use of multiple authenticators interchangeably between sessions.

Graded Authentication

Graded Authentication lets you define grades or levels for authentication in TAM E-SSO: Authentication Adapter. Graded Authentication controls which functions of TAM E-SSO: Authentication Adapter users can execute, based upon the type of authenticator presented. Levels, or grades, can be applied and used to ensure the correct level of authentication has been performed for specific events or activities.

TAM E-SSO: Authentication Adapter's Graded Authentication:

o Supports an unbounded number of authentication grades or levels.
o Supports setting required authentication grades on a per-application basis.
o Supports setting required authentication grades on SSO processes that require re-authentication.
o Supports administration setup for the authentication level for every application.
o Supports administration setup for the authenticator grade.
o Supports logging of graded authentication events.
o Provides administrators the ability to:
  a. Turn graded authentication support on or off.
  b. Configure graded authentication on a per-application basis.

How does TAM E-SSO: Authentication Adapter work with Graded Authentication?

TAM E-SSO: Authentication Adapter controls application logons, which can be initiated by the user, based upon the authenticator used by the end user on the most recent authentication request. The most recent authentication request may be the initial logon, the last re-authentication, or the forced authentication requested by TAM E-SSO: Authentication Adapter.

TAM E-SSO: Authentication Adapter has an authentication grading scheme to which different authenticators are mapped and, separately, to which application logons are mapped. TAM E-SSO: Authentication Adapter only allows users to log on to an application when the grade of the authenticator used equals or exceeds that of the application logon.

When a user does not respond to an authentication request with an authenticator of sufficiently high grade, TAM E-SSO: Authentication Adapter prompts the user to either re-authenticate with an authenticator of sufficiently high grade or cancel the requested logon. If a user repeatedly attempts to initiate a logon or function with an authenticator of insufficient grade, TAM E-SSO: Authentication Adapter locks out the user, logs an event in the Event Manager, and notifies the user and administrator.

If a user does not have TAM E-SSO: Authentication Adapter installed, but their application logons have been configured to require strong authentication, the user does not have access to those applications (i.e. strong authentication is deployed in the enterprise, but not to that user). Logon Manager only displays the application logons that are currently available, based upon the authenticator used in the most recent authentication request.

The following TAM E-SSO: Authentication Adapter functions can be configured to be accessible or inaccessible based upon the grade of authenticator used in the most recent authentication request:

a. System Tray: Logon Manager
b. Logon Manager: Delete, Properties, and Reveal All functions
c. Logon Manager Properties Page: Reveal Password function
d. If the Reveal All function is accessible based upon the grade of authentication used, it only reveals passwords for those applications whose grade is equal to or lower than the grade used to authenticate for that function.

Installation Overview

Since TAM E-SSO: Authentication Adapter is installed as an add-on component to TAM E-SSO, TAM E-SSO must be installed prior to installing TAM E-SSO: Authentication Adapter. TAM E-SSO automatically recognizes TAM E-SSO: Authentication Adapter once it is installed.

The following is a brief overview of the steps that must be taken in order to successfully install TAM E-SSO: Authentication Adapter. Each step is explained in detail later in this guide, under Installation Steps.

o Review System Requirements
o Install TAM E-SSO
o Install TAM E-SSO: Authentication Adapter Agent
  o If upgrading from TAM E-SSO: Authentication Adapter 5.0, please refer to the Upgrade Notes.
o Install TAM E-SSO: Authentication Adapter Console
o Adjust settings in the TAM E-SSO Administrative Console
o First Time Use Scenarios

System Requirements

In order for TAM E-SSO: Authentication Adapter to install and function properly, your system must meet at least the following requirements.

Minimum System Requirements

o TAM E-SSO Agent version 5.0 and above
o TAM E-SSO Administrative Console version 6.0
o Microsoft Windows 2000 (SP1+), Windows XP, Windows Server 2003
o Microsoft .NET 1.1
o Internet Explorer 6.0 or higher with 128-bit encryption
o Pentium III 733 MHz
o ~1 MB disk space
o Installation via MSI package requires Windows Installer 2.0 or higher
o The client software for each authenticator must be installed.

Strong authenticator clients likely have their own system requirements, which may differ from TAM E-SSO: Authentication Adapter's requirements. Please refer to the strong authenticator's documentation to review the system requirements.

Installation Steps

Follow these steps to install and configure TAM E-SSO: Authentication Adapter.

Step 1: Review System Requirements

Make sure you have carefully reviewed the system requirements.

Step 2: Install TAM E-SSO

TAM E-SSO: Authentication Adapter works with TAM E-SSO version 5.0 and above only. When the TAM E-SSO Client (Agent) is installed, the Authentication Manager feature must be installed. This feature is located on the Custom Setup panel under Logon Methods.

If TAM E-SSO is already installed, go to Control Panel > Add/Remove Programs > TAM E-SSO and click Change. Modify the installation to install the Authentication Manager.

Note: Please refer to the TAM E-SSO Installation and Setup Guide for detailed instructions.

Step 3: Install TAM E-SSO: Authentication Adapter Agent

Follow these steps to install and configure the TAM E-SSO: Authentication Adapter Agent. If upgrading from TAM E-SSO: Authentication Adapter 5.0x, please refer to the Upgrade Notes.

1. Close all programs.
2. Open the TAM E-SSO AA directory on the CD-ROM.
3. Double-click the TAM E-SSO Authentication Adapter.msi file to begin the installation.
4. The Welcome panel appears. Click Next.
5. The License Agreement panel appears. Read the license agreement carefully. Select I accept the terms in the license agreement and click Next to continue.
6. The Custom Setup panel appears, prompting you to select exactly which logon methods to install. Click the [+] next to Logon Methods. Smart Card, Entrust, SAFLINK SAFAuthenticator for TAM E-SSO, DigitalPersona Authenticator, and Xyloc logon methods are available. Select the one you want to install by clicking the red [x] next to the logon method and clicking This feature will be installed on local hard drive. Perform the same steps on the SoftID Helper to install SoftID support. When all features have been selected, click Next.
7. TAM E-SSO: Authentication Adapter is ready to be installed. Click Install.
8. Wait for the installation to complete. When it is done, click Finish.

Step 4: Install TAM E-SSO: Authentication Adapter Console

Follow these steps to install and configure the TAM E-SSO: Authentication Adapter Console.

1. Close all programs.
2. Open the TAM E-SSO AA directory on the CD-ROM.
3. Double-click the TAM E-SSO Admin Console.msi file to begin the installation.
4. The Welcome panel appears. Click Next.
5. The License Agreement panel appears. Read the license agreement carefully. Select I accept the terms in the license agreement and click Next to continue.
6. The Setup Type panel appears. Select Complete or Custom. Complete installs all program files. Custom allows you to choose which program files are installed and the location. Custom installations are only recommended for advanced users. Click Next.
7. TAM E-SSO: Authentication Adapter is ready to be installed. Click Install.
8. Wait for the installation to complete. When it is done, click Finish.

Step 5: Adjust settings in the TAM E-SSO Administrative Console

Once TAM E-SSO: Authentication Adapter is installed, it is automatically integrated with TAM E-SSO's Agent and Console. You must configure the TAM E-SSO: Authentication Adapter settings in the TAM E-SSO Administrative Console. Click Start > Programs > IBM > TAM E-SSO > TAM E-SSO Console. The Administrative Console opens.

Note: Help topics for TAM E-SSO: Authentication Adapter are included in the TAM E-SSO Agent and Console Help system.

1. Right-click the Global Agent Settings icon to display a shortcut menu, point to Import and click From Live HKLM.
2. Once the list has been imported, expand Live, expand Primary Logon Methods, and then expand Authentication Manager.
3. There are three sections to configure for the Authentication Manager: Enrollment, Grade, and Order.
4. If using DigitalPersona or Smart Cards, configure those settings as well.
5. Also see Configuring Application-level Authentication Grades.

Important Note: A potential security problem exists with Graded Authentication and Multiple Primary Logon Methods. If multiple authenticators are set up with different grades, a user with a lower-grade authenticator has the ability to change their primary logon method from multiple authentication to single authentication, thereby giving themselves access to logons that require higher grades. This potential issue can be avoided through settings in the Console. Expand Global Agent Settings > Live > End User Experience > Setup Wizard. Set the Selected Primary Logon (Registry Location: AUI:Selected) setting to Authentication Manager. As long as this is selected, the user can no longer change the primary logon method.

Authentication Manager > Enrollment

The Enrollment settings specify the primary logon methods (authenticators) that can be used with the Authentication Manager.

Node path: Global Agent Settings > Live > Primary Logon Methods > Authentication Manager > Enrollment

The settings on this page determine whether a user will be required to set up a specific logon method during the First Time Use (FTU) Wizard, if Authentication Manager is chosen as the primary logon method. For each primary logon method, select one of the following:

o Optional: The user will have the option to configure this logon, or to skip it.
o Required: The user will be required to configure this logon.
o Disabled: This logon method will not be presented to the user during the FTU wizard.

Authentication Manager > Grade

The Grade settings specify an authentication grade for each primary logon method. Set a numeric grade value (>=1) for each logon method.

Node path: Global Agent Settings > Live > Primary Logon Methods > Authentication Manager > Grade

Authentication Grades are numeric values. An authentication grade will automatically default to grade level 1 if authentication grading is turned on and no grade level is specified. The higher the grade level specified, the stronger the authentication level that is being requested. You can arbitrarily configure the grading scale. For example, an expected normal scenario would be a scale of 1-3, but you have the flexibility to make this 1-5 or 1-n, as you require. To be consistent, any grade less than 1 will be converted to 1.

TAM E-SSO: Authentication Adapter supports the authentication grades by mapping the grades to the authentication methods used. By default, most authenticators require a specific authenticator to manage grade levels, as they do not support this on their own.

If a user tries to access credentials with a grade level that is too low, they will be asked to authenticate at a higher grade and only gain access if successful. Lockouts occur as per the normal TAM E-SSO authentication lockout policy. Since graded authentication uses the core SSO authentication process, this will happen naturally.

To set the authenticator grade for specific applications, use the Authenticator Level Grade setting.

Authentication Manager > Order

The Order settings specify the sequence in which the installed logon methods will be presented to the end user during reauthentication scenarios, if Authentication Manager is chosen as the primary logon method.

Node path: Global Agent Settings > Live > Primary Logon Methods > Authentication Manager > Order

The Allowed number of logon methods setting lets you set the maximum number of logon methods that will be presented to a user during the First Time Use scenario. Once this number of logon methods has been presented to (and skipped by) the user, a "Choose Logon" dialog is displayed.

For each primary logon method, select or type a number to indicate the logon method's position during a reauthentication scenario. "1" indicates the most preferred logon method.

DigitalPersona > Required

The DigitalPersona settings are the primary controls for enabling standard DigitalPersona authentication. This setting must be configured in order for the Agent to use DigitalPersona as a primary logon method.

Node path: Global Agent Settings > Live > Primary Logon Methods > DigitalPersona > Required

User Account Type

DigitalPersona requires a Windows account to be used in order to match fingerprints. Select whether to use the local machine account (the currently logged-on user) or the sync account to retrieve fingerprints. The sync account option is typically used in kiosk environments and on shared computers.

Options:
o Local Machine Account (default)
o Sync Account

Note: In order for TAM E-SSO: Authentication Adapter to work with DigitalPersona, the following two configuration items are required:

o The DigitalPersona SDK is required for the DigitalPersona biometric sensor to operate with TAM E-SSO: Authentication Adapter. This SDK must be installed. Please consult your DigitalPersona documentation to find out which SDK works with your version of the software.
o The DigitalPersona One Touch Internet option must NOT be installed, as it conflicts with TAM E-SSO: Authentication Adapter. It can be uninstalled from DigitalPersona through the Control Panel's Add/Remove Programs. Navigate to the Custom Setup panel and uncheck One Touch Internet.

Smart Card > Advanced

The Smart Card settings control special-case options for smart card authentication. These settings are not required.

Node path: Global Agent Settings > Live > Primary Logon Methods > Smart Card > Advanced

Passphrase
  Enables the passphrase challenge for additional security. The passphrase can be supplied either by the user entering the passphrase in a dialog box (the default setting), or by the newest non-default encryption certificate on the card itself.
  Note: The default setting requires users to provide a passphrase answer during First Time Use.
  Options:
  o Disable
  o Enable using a dialog box (default)
  o Enable using the card's certificate

Use the default certificate for authentication
  Use the default logon certificate (provided by the administrator) on the card for authentication. If not enabled (the default), use (and create if necessary) the public/private keys in the SSO container on the card.
  Options:
  o Use SSO-generated keys (default)
  o Use the default logon certificate

Windows Subtitle Name
  Use this setting to customize the window subtitle name for this authenticator.
  Note: This entry is not required.

Windows Title Name
  Use this setting to customize the window title name for this authenticator.
  Note: This entry is not required.

Whether to store the PIN
  Whether to store the smart card PIN (in which case the Agent may prompt for the PIN), or to let the smart card drivers deal with requesting the PIN.
  Options:
  o Do not store PIN (default)
  o Store PIN

Configuring Application-level Authentication Grades

Authentication Tab (for selected Application)

Node path: Applications > Select any application > Authentication tab

Use this tab to set the minimum authentication grade required for the selected application. The user's Primary Logon Method must have an Authentication Grade equal to or higher than this value in order for TAM E-SSO to log the user on to the selected application. If the end user's Primary Logon Method has an authentication grade lower than the minimum set for this application, a message appears when the application is requested, asking the user to authenticate at a higher grade; they will only gain access if successful.

Select or type the numeric value of the lowest Authentication Grade the end user's Primary Logon Method must have. The default is 1.

Authentication Grades are numeric values. An authentication grade will automatically default to grade level 1 if authentication grading is turned on and no grade level is specified. The higher the grade level specified, the stronger the authentication level that is being requested. You can arbitrarily configure the grading scale. For example, an expected normal scenario would be a scale of 1-3, but you have the flexibility to make this 1-5 or 1-n, as you require. To be consistent, any grade less than 1 will be converted to 1.

To set the authenticator grade for primary logon methods, use the Authenticator Grade setting.
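The grading rules from the Authentication Manager > Grade section and the application Authentication tab, together with the Reveal All rule from the Graded Authentication section, are small enough to model directly. The following Python sketch is an added example written for this page, not IBM's code: the authenticator grades, application names, passwords and the lockout threshold of three attempts are constructed assumptions (the guide defers lockout to the normal TAM E-SSO policy without stating a count). It shows grade normalization (an unspecified or sub-1 grade becomes 1), the equal-or-exceeds check for application logons, the step-up-or-lockout outcome of repeated low-grade attempts, the list of logons Logon Manager would display, and the Reveal All filter.

```python
# Added example (not IBM's code): a model of the graded-authentication rules this
# guide describes. Grades, application names, passwords and the lockout threshold
# below are constructed sample values, not settings taken from a real deployment.
from dataclasses import dataclass, field

DEFAULT_GRADE = 1


def normalize_grade(grade):
    """Grade rules from the guide: an unspecified grade defaults to 1, and any
    grade less than 1 is converted to 1."""
    if grade is None:
        return DEFAULT_GRADE
    return max(DEFAULT_GRADE, int(grade))


@dataclass
class GradedPolicy:
    # Authentication Manager > Grade: primary logon method -> grade
    authenticator_grades: dict
    # Application > Authentication tab: application -> minimum grade required
    application_grades: dict
    # Assumption: the guide defers to the TAM E-SSO lockout policy without giving
    # a threshold, so the number of insufficient-grade attempts is a parameter here.
    max_failed_attempts: int = 3
    failed_attempts: dict = field(default_factory=dict)

    def authenticator_grade(self, method):
        return normalize_grade(self.authenticator_grades.get(method))

    def application_grade(self, app):
        return normalize_grade(self.application_grades.get(app))

    def logon_allowed(self, app, method_used):
        """Logon is permitted only when the grade of the authenticator used on the
        most recent authentication equals or exceeds the application's grade."""
        return self.authenticator_grade(method_used) >= self.application_grade(app)

    def request_logon(self, user, app, method_used):
        """Outcome of one logon request: 'allowed', 'step-up' (the user is prompted
        to re-authenticate with a higher-grade authenticator) or 'locked-out'
        (repeated attempts with an authenticator of insufficient grade)."""
        attempts = self.failed_attempts.get(user, 0)
        if attempts >= self.max_failed_attempts:
            return "locked-out"
        if self.logon_allowed(app, method_used):
            self.failed_attempts[user] = 0
            return "allowed"
        attempts += 1
        self.failed_attempts[user] = attempts
        if attempts >= self.max_failed_attempts:
            return "locked-out"
        return "step-up"

    def available_logons(self, method_used):
        """Logon Manager shows only the application logons reachable at the grade
        of the most recent authentication."""
        return sorted(app for app in self.application_grades
                      if self.logon_allowed(app, method_used))

    def reveal_all(self, method_used, passwords):
        """Reveal All discloses passwords only for applications whose grade is
        equal to or lower than the grade used to authenticate."""
        grade = self.authenticator_grade(method_used)
        return {app: pw for app, pw in passwords.items()
                if self.application_grade(app) <= grade}


def build_sample_policy():
    """Constructed sample configuration on the 1-3 scale the guide suggests."""
    return GradedPolicy(
        authenticator_grades={"Smart Card": 3, "DigitalPersona": 2,
                              "Windows Password": 1, "Entrust": None},  # None -> 1
        application_grades={"Payroll": 3, "HR Portal": 2, "Email": 1,
                            "Wiki": 0},  # 0 is converted to 1
    )


if __name__ == "__main__":
    policy = build_sample_policy()
    print(policy.available_logons("DigitalPersona"))  # ['Email', 'HR Portal', 'Wiki']
    print(policy.request_logon("alice", "Payroll", "DigitalPersona"))  # step-up
```

The model keeps the grade comparison in one place (logon_allowed) so that the logon list, the step-up prompt and the Reveal All filter cannot drift apart; that is also the property to check in a real deployment, since a user who can reach a higher-grade logon by any one of those paths defeats the grading.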

First Time Use Scenarios

In the setup phase, the user goes through the normal TAM E-SSO First Time Use (FTU) wizard until the Select Primary Logon Method dialog. The user now has the option to select Authentication Manager as the primary logon method. The behavior of this setup wizard is configured through the TAM E-SSO Administrative Console.

Setup Flow Example:

1. The first panel in the Setup Wizard lists the Setup tasks necessary for the local installation of TAM E-SSO. Click Next to begin setup.
2. The panel lists the Setup tasks necessary for your local installation of TAM E-SSO: choosing your primary logon method and supplying the credentials for that method. Click Next.
3. The Primary Logon Method panel appears and prompts you to select a logon method. Select Authentication Manager and click Next.
4. You now set up all installed authenticators in sequential order. For example, if a smart card authenticator is installed, the smart card dialog appears. If you click Cancel, the smart card authenticator is skipped as long as it is optional. Clicking Cancel for a required authenticator cancels the Setup Wizard.
5. Insert your smart card. You are then prompted to enter your PIN. Click OK. A success message appears. Click OK.
6. You may be prompted to enter a passphrase with a minimum answer length of 8 characters. Enter an answer, confirm it, and click OK.
7. Enter your password for Microsoft Windows and click OK.
8. The TAM E-SSO Setup Wizard is complete and TAM E-SSO: Authentication Adapter is ready for use. Click Finish to complete.

Usage Flow Scenarios

The following scenarios describe how Authentication Manager chooses an authenticator when you authenticate to an application or Web site:

Scenario 1: One or more required authenticators have not been configured.
Scenario 2: All required authenticators are configured and only one authenticator can satisfy the requested authentication grade.
Scenario 3: All required authenticators are configured and more than one authenticator can satisfy the requested authentication grade.
Scenario 4: No installed authenticator can satisfy the requested authentication grade.

Scenario 1: One or more required authenticators have not been configured

This scenario occurs if one or more required authenticators have not been set up and you try to authenticate to an application or Web site:

1. You are asked to authenticate using the most preferred authenticator that is installed. Clicking [Cancel] for this authenticator brings up the next preferred authenticator. This continues until the allowed number of logon methods is reached.
2. When the allowed number of logon methods is reached, the Authentication Manager dialog appears and prompts you to select another logon method.
3. Set up the new authenticator. If you set up a new authenticator in the flow of creating a logon, the pending authentication request is submitted automatically.

Scenario 2: All required authenticators are configured and only one authenticator can satisfy the requested authentication grade

This scenario occurs if all required authenticators are configured but only one of them can satisfy the requested authentication grade:

1. You are asked to authenticate with the only authenticator that can satisfy the authentication grade, for example a smart card.
2. If the requested authentication fails or is canceled, the authentication process is terminated. No fallback to a different logon method is offered: in this example, the only way to authenticate to the application is with a smart card.

Scenario 3: All required authenticators are configured and more than one authenticator can satisfy the requested authentication grade

This scenario occurs if all required authenticators are configured and more than one of them can satisfy the requested authentication grade:

1. You are asked to authenticate using the most preferred authenticator that can satisfy the required authentication grade. Clicking [Cancel] for this authenticator brings up the next preferred authenticator that can satisfy the grade. This continues until the allowed number of logon methods is reached.
2. When the allowed number of logon methods is reached, the Authentication Manager dialog appears and prompts you to select another logon method.

Scenario 4: No installed authenticator can satisfy the requested authentication grade

This scenario occurs if none of the installed authenticators can satisfy the requested authentication grade:

1. Authentication Manager fails and displays a failure message.
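The four scenarios above are one selection policy: keep the installed authenticators that meet the requested grade, offer them most-preferred first, let [Cancel] move to the next one, and escalate to the "select another logon method" dialog once the allowed number of logon methods has been offered; a single capable authenticator gets no fallback at all. The following Python model is an added example, not code from TAM E-SSO or this guide. The authenticator names, the numeric grade scale, the `max_logon_methods` limit and the `respond` callback are assumptions made to turn the prose into something that can be run and checked.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Added model of the Authentication Manager selection flow. Grade values,
# authenticator names and the response callback are assumptions, not
# TAM E-SSO internals.


@dataclass(frozen=True)
class Authenticator:
    name: str
    grade: int          # assumed ordinal scale: higher value = stronger authentication
    installed: bool
    configured: bool    # installed and already set up (enrolled) for the current user


def capable(auths: List[Authenticator], grade: int) -> List[Authenticator]:
    """Installed authenticators that can satisfy `grade`, in preference order."""
    return [a for a in auths if a.installed and a.grade >= grade]


def authenticate(auths: List[Authenticator], grade: int, max_logon_methods: int,
                 respond: Callable[[str], bool]) -> Tuple[str, List[str]]:
    """Run the selection flow for one authentication request.

    auths:   preference order, most preferred first.
    respond: simulated result of prompting an authenticator
             (True = authentication succeeded, False = canceled or failed).
    Returns (outcome, names of the authenticators that were prompted, in order).
    """
    able = capable(auths, grade)
    if not able:                                        # Scenario 4
        return "failed: no installed authenticator satisfies the grade", []

    ready = [a for a in able if a.configured]
    if len(ready) == len(able) == 1:                    # Scenario 2
        only = ready[0]
        if respond(only.name):
            return f"authenticated: {only.name}", [only.name]
        # Cancel or failure terminates the request; no other method is offered.
        return "terminated", [only.name]

    # Scenarios 1 and 3: most preferred first, Cancel moves to the next one,
    # until the allowed number of logon methods has been offered.
    prompted: List[str] = []
    for auth in ready[:max_logon_methods]:
        prompted.append(auth.name)
        if respond(auth.name):
            return f"authenticated: {auth.name}", prompted

    missing = [a.name for a in able if not a.configured]
    if missing:                                         # Scenario 1
        # The dialog offers another logon method; setting one of these up would
        # submit the pending request automatically (left to the caller here).
        return "select another logon method; setup needed for: " + ", ".join(missing), prompted
    return "select another logon method", prompted      # Scenario 3


# Constructed sample environment (preference order: smart card, biometric, password).
AUTHS = [
    Authenticator("smart card", grade=3, installed=True, configured=True),
    Authenticator("biometric", grade=2, installed=True, configured=False),
    Authenticator("password", grade=1, installed=True, configured=True),
]
ALL_CONFIGURED = [
    Authenticator(a.name, a.grade, a.installed, True) for a in AUTHS
]


def cancel_all(name: str) -> bool:
    """Simulated user who clicks [Cancel] on every prompt."""
    return False


def demo() -> dict:
    """One call per scenario, all with the cancel-everything user."""
    return {
        "scenario 1": authenticate(AUTHS, 2, 2, cancel_all),           # biometric not set up
        "scenario 2": authenticate(AUTHS, 3, 2, cancel_all),           # only smart card qualifies
        "scenario 3": authenticate(ALL_CONFIGURED, 1, 2, cancel_all),  # three qualify, two offered
        "scenario 4": authenticate(AUTHS, 4, 2, cancel_all),           # nothing reaches grade 4
    }


if __name__ == "__main__":
    for label, (outcome, prompted) in demo().items():
        print(f"{label}: {outcome}  (prompted: {prompted})")
```

The `respond` callback is where a real deployment differs most from the model: a smart card that is not inserted and a user who clicks [Cancel] both arrive as `False`, and in Scenario 2 that single answer ends the request, which is the behaviour to test for when a grade is meant to be enforced without downgrade.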

Upgrade Notes

If you are upgrading from TAM E-SSO: Authentication Adapter 5.0x to 6.0, install TAM E-SSO: Authentication Adapter 6.0 as detailed in this document. TAM E-SSO preserves the behavior of previously enabled authenticators and automatically recognizes the new authenticators.

If TAM E-SSO: Kiosk Adapter is installed:

If you also have TAM E-SSO: Kiosk Adapter 5.0x or 6.0 installed, certain steps must be taken to ensure a successful upgrade. The following steps apply to an environment where the following are installed:

TAM E-SSO: Authentication Adapter 5.0x
TAM E-SSO: Kiosk Adapter 5.0x/6.0
TAM E-SSO 5.0x

1. Uninstall TAM E-SSO: Kiosk Adapter 5.0x/6.0. See the TAM E-SSO: Kiosk Adapter Installation and Setup Guide for more information.
2. Install the TAM E-SSO: Authentication Adapter 6.0 Agent.
3. Install the TAM E-SSO: Authentication Adapter Console.
4. Reinstall TAM E-SSO: Kiosk Adapter. See the TAM E-SSO: Kiosk Adapter Installation and Setup Guide for more information.

Uninstalling TAM E-SSO: Authentication Adapter

Follow these steps to uninstall TAM E-SSO: Authentication Adapter:

1. Close all programs.
2. Open the Control Panel and select Add/Remove Programs. Scroll down until you see TAM E-SSO.
3. Select IBM Tivoli Access Manager for Enterprise Single Sign-On: Authentication Adapter v6.0 and click [Remove].
4. Follow the prompts to uninstall TAM E-SSO: Authentication Adapter.

Appendix. Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Copyright IBM Corp. 2006

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:

IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:

AIX, DB2, developerWorks, eServer, IBM, iSeries, Lotus, Passport Advantage, pSeries, RACF, Rational, Redbooks, Tivoli, WebSphere, zSeries

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

IBM Tivoli Access Manager for Enterprise Single Sign-On: Authentication Adapter Installation and Setup Guide

Intel, Intel Inside (logos), MMX and Pentium are trademarks of Intel Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Other company, product, and service names may be trademarks or service marks of others.


Printed in USA SC32-1999-00