Adding a web page to your Single Sign-On solution

Evidian Enterprise SSO

Demonstration of how to add a web page to your Single Sign-On solution

With Evidian Enterprise SSO, a user enters only one password or even none with a strong authentication method. After that, application passwords are automatically entered, on behalf of the user.

Evidian comes with an SSO studio that lets you detect the login prompts of new applications, whether web-based, desktop or legacy. The goal of the studio is to be easily configurable by anyone inside the organization.

This video shows how to use the SSO studio to enter the password of a web application on behalf of the user.

Why are over 5 million employees using Evidian Enterprise SSO today?

Reinforce access to applications

A user enters only one password, or even none, with Evidian Authentication Manager and a strong authentication method. Evidian SSO can transparently change hardened passwords for each application. It allows you to manage enterprise access policies (which user can access which application) and to centrally audit user access.

Reduce up to 30% helpdesk calls

There are no more calls to the call desk to reset passwords because users no longer manage application passwords. Moreover, a Self-Service Password request (SSPR) function allows users who have forgotten their single password, or their access card, to unlock their accesses - even offline without the helpdesk.

Never reveal passwords

Users can share the same generic accounts securely, or delegate their access to each other while being away. Users don’t need to reveal their passwords and are audited by name. Thanks to a web portal, a user who is already on leave can remotely delegate all or part of his accounts, via a simple web page and fully comply with the security policy.

Satisfy regulatory constraints

By creating a mandatory point of passage between a user and his applications, an organization can effectively control access. Moreover, a log of these accesses and of administration operations is kept centrally, which facilitates audits. Evidian SSO facilitates compliance with confidentiality, integrity and availability requirements.

Evidian SSO Single Sign-On

Evidian Enterprise SSO provides single sign-on to all users, businesses and organizations.

Free your users from remembering and typing passwords and drive your security policy by automating password management.

Examples of single sign-on solutions with Evidian Enterprise SSO and Authentication Manager

Typical use of SSO by over 5 million employees

Employees use a passwordless strong authentication method. After that, application passwords are automatically entered, on behalf of the employee, at application login prompts. This works with web-based, desktop and legacy applications alike, without modifying them. Evidian gives employees access to the applications to which they are entitled, and it transparently modifies and manages strong passwords for each application. An access log is centralized to facilitate audits, to know which employee uses which application and to meet regulatory constraints.

One PC - used by several users

Branch employees, sales staff in outlets, workers in the manufacturing industry and others share the same PC in their enterprise. To save time, they use a shared account with autologon to access the Windows session without a password. However, with this setup, who authenticated to the PC and at what time cannot be audited. Evidian solves this problem with its multi-user desktop, which provides fast user switching in a few seconds and a strong authentication method, such as an RFID badge, to unlock the shared session.

One user – using multiple PCs successively

The day-to-day tasks of some employees may require them to move around within a site, such as doctors in a hospital, production managers at an industrial site, store vendors, and others. On each PC, they must log in to access their session and then log out. As this takes time, an alternative solution must be found. Evidian offers a simple solution with a roaming session that avoids multiple logins.

One user – using multiple PCs at once

Some employees need multiple PCs and monitors in order to work. These may include trading room workers, control room operators in industry, in transport, in video surveillance and others. It is unrealistic to ask these employees to log in separately to each PC. Evidian offers a solution with a single login to multiple computers at once.

Evidian SSO configuration guide for a web application

Main Window Interface

Enterprise SSO Studio presents target application parameters as SSO objects organized in a tree structure.

Enterprise SSO Studio enables you to create, modify or delete objects and to store them in an LDAP directory (LDAP mode) or in an Enterprise SSO configuration file (local storage mode). It is a "single-document" application (only one configuration can be edited at a time):

  • In Enterprise SSO Studio used in LDAP storage mode, the displayed tree corresponds to the associated LDAP directory defined at initialization time.

    The following screenshot illustrates an interface example of Enterprise SSO Studio used in LDAP storage with Controller.

    Example of Enterprise SSO Studio used in LDAP storage with Controller

    In LDAP mode, the objects can be created anywhere the administrator has object-creation rights.

    The LDAP administrator is responsible for ensuring that the structure has a branch reserved for the management of EAM objects.

    As the objects are created directly in the LDAP directory, the directory must be accessible when Enterprise SSO Studio is being used.

  • In Enterprise SSO Studio used in local storage mode, or in Personal SSO Studio, the tree displayed is not linked to an LDAP directory.

    The following screenshot illustrates an interface example of Personal SSO Studio.

    Example of Personal SSO Studio

    In local storage mode, the configuration is defined with a root node called Local Enterprise SSO Configuration, to which two other nodes are attached: Applications and Configuration Objects, used for EAM object declarations.

Main Window Areas

The Enterprise SSO Studio main window is composed of:

  • A menu bar.
  • A toolbar offering shortcuts to some menu bar options, as described in the following table. The toolbar appearance depends on the SSO Studio mode used (Without and with Controller, LDAP/File storage, Personal/Enterprise).
  • A workspace showing a tree structure that allows you to select elements and to perform actions directly by double-clicking the objects or using a popup menu for each object.

Defining Applications and Technical Definition Objects

  • Without Controller, SSO Studio allows you to entirely configure Application objects.

An application object implies the definition of:

  • An application name as shown in Enterprise SSO Studio and in Enterprise SSO, and some options regarding the access rights for this object.
  • Parameters that associate this application with the SSO data in the security system.
  • Access strategy (in registry or personal configuration modes), or assignment to user groups (in LDAP mode); the application profile should be defined for each association to a user group.

Enterprise SSO Studio allows you to create application objects with some predefined parameters for SAP and Windows applications.

  • With Controller, Enterprise SSO Studio allows you to configure Technical Definitions.
    A Technical Definition object is a technical description of an application, used in particular to perform single sign-on in an EAM environment. The application configuration must then be completed in the administration console (see Evidian EAM Console - Guide de l'administrateur).

Creating a New Application Object or Technical Definition

Subject

For Application objects, Enterprise SSO Studio allows you to use templates to create SAP and Windows application objects.

The Template Application item allows you to create an Application object with a number of pre-defined parameters. They are used for specific authentication scenarios. The predefined template applications are:

  • SAP, for SAP R/3 application authentication.
  • Windows, for authentication to an external LDAP directory.

Template applications are managed in the same way as Application objects. They enable the Single Sign-On feature for specific authentication procedures. An application template has a number of predefined parameters.

The following procedure explains how to create a new technical definition or application (with or without template).

Procedure

  • In the Enterprise SSO Studio main window, do one of the following:
      • To create a new application or technical definition: right-click the node where you want to create a new Application or Technical Definition and click New Application or New Technical Definition.
      • To create a new application using a template: click the node where you want to create a new template application and, in the Edit menu, click New Template-based Application/SAP or Windows.
    The Application properties window appears.
  • Fill in the Application properties window (or modify it in the case of a template application).

Modifying an Application Object or Technical Definition Configuration

Subject

The following procedure explains how to modify the properties of an existing Application Object or Technical Definition.

Procedure

  • In the Enterprise SSO Studio main window, right-click the Application or Technical Definition you want to modify and click Properties.
    The Application properties window appears.
  • Fill in the Application properties window.

"Properties" Tab of an Application Object

The Properties tab described in this section only appears if you use Enterprise SSO Studio without Controller, or Personal SSO Studio.

The Properties tab of an Application Object allows you to define the basic parameters of an Application.

  • Application Name and Account label
      • Application name: this field will be displayed in the objects tree of Enterprise SSO Studio and in the data collection and account management dialog boxes of Enterprise SSO.
      • Account label: fill in this field if you want this label to be suggested when the account is first created and at first collection. This field will be displayed in Enterprise SSO as well as in all the SSO data collection windows and in the user account management window.
  • Session management
    Indicates whether all the application’s windows depend on the same application instance.
  • OLE/Automation
    Grants OLE/Automation access to this application (and all the associated security objects) through the OLE/Automation interface of Enterprise SSO. For greater security, you can enter a password. This password will have to be provided by the OLE client.
  • Options
      • Enable this application (this option is selected by default)
        If this option is cleared, Enterprise SSO will ignore this application. This is used to temporarily disable an application without deleting it from the configuration file.
      • Try previous password when "bad password" windows detected
        If this option is selected, the fields are filled with the last valid password at "bad password" detection (this can be useful if the password change is not immediately taken into account by the application).
      • User must provide credentials
        This check box only appears in Access Collector mode.
        If this check box is cleared, the user will be able to cancel the collect (or the BadPassword) window that appears when he launches an application.

"Properties" Tab of a Technical Definition Object

The Properties tab described in this section only appears if you use Enterprise SSO Studio with Controller.

Enterprise SSO - Properties tab of a Technical Definition object

The Properties tab of a Technical Definition object allows you to define the basic parameters of a Technical definition.

  • Identification
    The Technical Definition name. This field will be displayed in the objects tree of Enterprise SSO Studio.
  • Session management
    Indicates whether all the application’s windows depend on the same application instance.
  • Try previous password when "bad password" windows detected
    If this option is selected, the fields are filled with the last valid password at "bad password" detection (this can be useful if the password change is not immediately taken into account by the application).

Defining Window Objects

Since window objects are subordinated to Application or Technical definition objects, the window objects can only exist if they are associated with an application object.

Procedure

  • In the Enterprise SSO Studio main window, right-click the application for which you want to define a window object and click New Window.
    The Window Properties window appears.
  • Fill in the Window Properties window as described in the following sections.
    The Detection and Actions tabs are described in the sections of this guide that are related to the "plug-in types", as their content depends on the selected window type.

The "General" Tab

The General tab allows you to give a name to the window object and to set its type (the type cannot be modified once the window has been created).

  • Window Name
    By default, this field is automatically filled in with the name of the selected Window Type. It is recommended to enter a clearer name than the default one.
  • Window Type
    Displayed Window types are loaded from the different Enterprise SSO plug-ins. The following table shows the window types provided by the different plug-ins and their associated technology:

The Window Type Description area displays the description of the selected window type.

The "Options" Tab

The Options tab allows you to define the following elements:

  • Specific detection conditions to trigger the SSO when the window appears (Detection criteria area).
  • Enterprise SSO execution options to carry out SSO (Execution Options area).
  • Advanced SSO options (Advanced options area).
