Enterprise Single Sign-on

Single sign-on simplified

Utilize existing Active Directory identities to simplify single sign-on

Enterprise Single Sign-on enables your organization to streamline both end-user management and enterprise-wide administration of single sign-on (SSO). It bases application and system user logins on your existing Active Directory identities, so there’s no infrastructure for you to manage.

For single sign-on to federated, web-based, and cloud applications visit our Cloud Access Manager page.


  • Active Directory-based single sign-on – Enables you to use the identities, groups and policies already built into your existing Active Directory deployment as the basis for single sign-on and access control across the entire enterprise, without requiring additional authentication methods or a metadirectory.
  • Security & access policy enforcement – Allows you to apply consistent controls to client-based single sign-on for the entire enterprise-wide range of applications and systems a user may need to access, using established access policies and Active Directory rules.
  • Single point of strong authentication – Permits a single point of user login/authentication to any of your organization’s systems and applications, including standard username/password logins and the entire range of strong authentication options, such as biometrics, smart cards or token-based two-factor authentication.
  • IT & end-user efficiency – Increases productivity and eliminates the need for your IT staff to manage user access and reset passwords across a wide range of applications, because users no longer need to remember passwords for multiple systems and applications.
  • Compliance support – Achieve common compliance requirements for access control, strong authentication and secure delegation of access rights by implementing a consistent, strong, Active Directory-based infrastructure for access policy enforcement.
  • Audit reporting – Enables you to generate audit reports from sign-on or LDAP data and also gives you the option of producing reports showing statistics.
  • Drag-and-drop configuration – Allows you to easily adapt applications to your unique environment, without requiring modification or custom connectors.
  • Optional fast user switching – Enables you to share a physical workstation using real-time context switching and individual authentication.
  • Optional Password Reset – Enables users to manage their own network password resets by answering secret questions, either through a Web interface or via a Windows login interface.


Before installing ESSO, ensure your system meets the following minimum hardware and software requirements:

Operating System Prerequisites

Agents Environment

ESSO agents can be installed on the OS platforms detailed in the table below. This applies to the following agents:

  • Enterprise SSO.
  • Authentication Manager.
  • User Access Console.
Operating system – service packs supported on 32-bit; service packs supported on 64-bit:

  • Windows 7 – 32-bit: Original and SP1; 64-bit: Original and SP1
  • Windows 8 Pro/Windows 8 Enterprise – 32-bit: Original and 8.1; 64-bit: Original and 8.1
  • Windows Server 2012 – 32-bit: Original and R2; 64-bit: Original and R2
  • Windows Server 2008 – 32-bit: Original SP2; 64-bit: R2 Original and R2 SP1, SP2
  • Windows Server 2003 – 32-bit: Original, SP1, SP2, R1 and R2; 64-bit: R2 SP2

Controllers Environment

ESSO Controllers can be installed on the OS platforms detailed in the table below:

Operating system – service packs supported on 32-bit; service packs supported on 64-bit; web browser supported:

  • Windows Server 2003* – 32-bit: Original, SP1, R1 and R2; 64-bit: R2 SP2; browser: Internet Explorer 6.0, 7.0 or 8.0
  • Windows Server 2008 – 32-bit: Original and R2; 64-bit: R2; browser: Internet Explorer 7.0, 8.0 or 9.0
  • Windows Server 2012 – 32-bit: Original and R2; 64-bit: Original and R2

*Support for Windows Server 2003 will terminate in late June 2016.

Citrix / Xenapp

Citrix XenApp (Citrix Presentation Server) 4.5, 5.0, 6.0, 6.5, 7.5 and 7.6 are supported.

Hardware Prerequisites

  • Enterprise SSO, Advanced Login
    The ESSO agents do not require significant resources on modern computers. The recommended minimal configuration on a Windows workstation is the following:
    1 GHz Intel processor, 512 MB RAM
  • ESSO Console and controller
    The ESSO Console and controller must run on a recent configuration in order to access the audit base with satisfactory performance. The recommended minimal configuration is the following:
    Intel Core 2 Duo processor, 2 GB RAM

    The size of the hard drive hosting the audit base depends on how long you want to keep the log on-line before archiving it (the audit base does not need to reside on the Enterprise SSO server itself). For a rough estimate, use the following:
    One log entry = 1000 bytes (including database index and other overhead)
    Typical log activity = 20 log entries per user per day

LDAP Directories and Databases Versions

LDAP Directory Versions

Quest Enterprise SSO can access user information located in LDAP directories and use these directories to store SSO and security data. The directories supported by Quest Enterprise SSO are:

Active Directory
  • Windows Server 2003 SP1 and SP2
  • Windows Server 2003 R2 SP1 and SP2
  • Windows Server 2008 SP1, SP2 and R2
  • Windows Server 2012 and R2
Sun Java System Directory Server
  • Sun Java System Directory Server 5.2
Fedora Directory Server
  • Fedora Directory Server 1.0.1 on Red Hat Linux
  • Fedora Directory Server 1.2 on Red Hat Linux
OpenLDAP
  • OpenLDAP Directory 2.4.X
    Configuring the Quest ESSO Services with an OpenLDAP repository requires advanced skills; an integration service is required.
Novell eDirectory
  • Version 8.7.3 minimum
IBM Tivoli Directory Server
  • Version 5.2 with Fix Pack 003
  • Version 6.0

Using Enterprise SSO with Samba

Enterprise SSO can be installed in an environment where Samba is used as an authentication server and domain controller. The prerequisites are:

  • Samba must be version 3.0.x
  • Samba must use OpenLDAP (see the supported version above)

Audit database versions

Quest ESSO controller can store a “master” audit base on a relational database. Enterprise SSO has been validated with the following database versions running on Windows 2003/2008 Server Enterprise Edition:

  • Oracle from
  • Microsoft SQL Server 2005 and up
  • MySQL Server 5.0
  • IBM DB2 version 9.0

The audit cache base can also be one of the database types listed here.
If you want to use another type of relational database, please contact Quest for the feasibility and a cost evaluation.

Supported Authentication Devices

Smart Cards and USB Tokens

The following middleware and authentication devices are compatible with these specific Enterprise SSO modules:

  • Advanced Login can use the devices for user authentication
  • Quest ESSO Console can manage these devices and use them for the administrators’ authentication
Vendor – middleware – devices:

  • Gemalto – No middleware – Cryptoflex e-gate 32K, Cryptoflex .NET V2+
  • Gemalto – ACS 5.6.4 – Cyberflex 32K or 64K with PC/SC readers
  • Gemalto – Classic Client 6 – Cyberflex 32K or 64K with PC/SC readers
  • ActivIdentity – ActivClient 5.3.1 – Cyberflex and Oberthur smart cards
  • Oberthur – AWP (Authentic Web Pack) 64 v5

Please note that when using smart cards, you must use PC/SC smart card readers that are compatible with both the cards and the middleware detailed above.

The only Certification Authority that is supported at the moment is the Microsoft Windows 2000/2003/2008 Certification Authority in an Active Directory configuration. Other Certification Authorities can be used via the PKCS import feature of the Quest ESSO Console.

Biometric Devices

Using Precise Biometrics

Biometrics support requires that you purchase from Precise Biometrics™ a license of Precise BioMatch Pro Toolkit 2.3.0 for each workstation where biometric authentication will be performed.
The biometric devices currently supported by Precise BioMatch™ Pro Toolkit 2.3.0 are listed below.
Warning: some of these devices require a specific license of the Precise Biometrics software. Determine with the vendor which license is appropriate.

  • Precise 100 A/AX/SC/MC/XS/BioKeyboard/PC-Card
  • Precise 200 MC
  • Precise 250 MC
  • IRIS BCR100T
  • IRIS Mobile SmartTerm St4E
  • AuthenTec AES4000 API-based readers
  • AuthenTec AES2501 API-based readers
  • Cherry FingerTIP Keyboards
  • UPEK ST1
  • UPEK ST2
  • Silex FUS-200N
  • Silex MUSB-200COMBO
  • Silex COMBO-Mini

For an up-to-date list, contact your Dell representative.

Using UPEK

Advanced Login uses BSAPI 3.6. This API supports:

  • All UPEK swipe sensors. An exhaustive list doesn’t exist. This offers compatibility with select laptop models from Lenovo, Toshiba, Panasonic, Dell, Acer, Asus, NEC and other notebook makers. Also, UPEK is the only fingerprint sensor supplier for all Sony laptops.
  • Cherry ID mouse with a UPEK area sensor: http://www.cherrycorp.com/english/keyboards/Security/M_4200/index.htm
  • The Eikon (TCRD4C) and Eikon To Go (TCRG4C)

Using BIO-Key

Advanced Login can use the BIO-key Biometric Service Provider (BSP) version 01.09.290 or later.
Install BSP 01.09.290 and see the list of supported devices for this provider on the BIO-Key web site.

RFID/HID devices

XyLoc support requires that you obtain the Software Development Kit from Ensure Technologies in order to deploy ETSecure.dll on each workstation.

XyLoc devices are not supported with Microsoft RDP.

Advanced Login has been tested with the following MIFARE components:

  • Sagem Ypsid S1-IAS
  • Sagem Ypsid MatchOnCard
  • Classic TPC
  • Oberthur
  • Cyberflex 64k
  • Crypto.NET v2+
  • CPS3

These tests were done with the following reader: CardMan 5321. These RFID devices are natively supported (no middleware needed).

Advanced Login is pre-configured with the following ATRs (Answer To Reset):

  • 3b8f8001804f0ca000000306030001000000006a – Mifare Standard 4K
  • 3b8f8001804f0ca0000003060300020000000069 – Mifare Standard 1K
  • 3b8f8001804f0ca0000003060a001c000000007e – HID iCLASS
  • Starts with 3b05 – HID Prox 125kHz format H10320
  • Starts with 3b06 – HID Prox 125kHz format H10301
  • Starts with 3b07 – HID Prox 125kHz format H10302, H10304 and Corp 1k
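The lookup that the ATR table above describes, as an added example that is not part of the original page or the product: it normalizes a PC/SC ATR string, matches it against the full entries and the "starts with" prefixes, and additionally validates the ISO 7816-3 TCK checksum on the full ATRs (a detail the page does not state; the prefix entries have no TCK because their T0 byte announces no TD1).

```python
# Added example (not the product's own code): resolve a PC/SC ATR against the
# pre-configured Advanced Login ATR table. Full entries and "starts with"
# prefixes are handled separately; an unknown ATR is reported, not guessed.
import re

# Table entries copied from the page (lowercase hex, no separators).
EXACT_ATRS = {
    "3b8f8001804f0ca000000306030001000000006a": "Mifare Standard 4K",
    "3b8f8001804f0ca0000003060300020000000069": "Mifare Standard 1K",
    "3b8f8001804f0ca0000003060a001c000000007e": "HID iCLASS",
}
PREFIX_ATRS = {
    "3b05": "HID Prox 125kHz format H10320",
    "3b06": "HID Prox 125kHz format H10301",
    "3b07": "HID Prox 125kHz format H10302, H10304 and Corp 1k",
}


def normalize_atr(atr):
    """Accept '3B 8F 80 ...' or '3b8f80...' and return lowercase hex."""
    cleaned = re.sub(r"[\s:]", "", atr).lower()
    if not cleaned or len(cleaned) % 2 or re.search(r"[^0-9a-f]", cleaned):
        raise ValueError("ATR is not an even-length hex string: %r" % atr)
    return cleaned


def atr_checksum_ok(atr):
    """ISO 7816-3 TCK check (added detail, not on the page): the XOR of every
    byte from T0 through TCK must be zero. All three full ATRs above pass."""
    data = bytes.fromhex(normalize_atr(atr))
    acc = 0
    for b in data[1:]:  # skip TS (0x3b)
        acc ^= b
    return acc == 0


def classify_atr(atr):
    """Return the card type Advanced Login would assign, or None if unknown."""
    norm = normalize_atr(atr)
    if norm in EXACT_ATRS:
        return EXACT_ATRS[norm]
    for prefix, name in PREFIX_ATRS.items():
        if norm.startswith(prefix):
            return name
    return None
```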

Enterprise SSO Plug-in Requirements

Plug-ins are extensions of Enterprise SSO. They provide SSO authentication methods for specific types of applications.

These plug-ins are delivered with Enterprise SSO. Plug-ins are available for:

  • Microsoft Internet Explorer (for Internet Explorer 5.5, 6.0, 7.0, 8.0 and 9.0)
  • Firefox 1.5, 2.0, 3.04 and higher (warning: due to an issue, Firefox 3.0.0 to 3.0.3 are not supported) and 4.0
  • Sun Java SE Runtime Environment (JRE) 1.4, 1.5 and 1.6
  • Lotus Notes versions 4.x, 5.x and 6.5
  • Microsoft Telnet
  • HLLAPI (see 4.7 “Configuring the HLLAPI plug-in” for supported emulators)
  • Script environment for Windows and HTML applications that are not covered by the standard Enterprise SSO process

SAP R/3 Plug-in Requirements

The table below shows the supported versions of SAP R/3 components:

Enterprise SSO window type: SAPGUI Scripting
  • SAP R/3 client versions: SAP GUI 6.20, 6.40, 7.10, 7.20 and 7.30
  • SAP R/3 server versions (minimum kernel patch level): 6.10 (360), 4.6D (948), 4.5B (753), 4.0B (903) and 3.1I (650)

The SAP web-based Start Center is compatible with Enterprise SSO, but you need to upgrade to SAPGUI Version 6.40 with Patch level 23.

The SAPLogin and SAPExpired window types defined in version 3.71 of SSOWatch remain available to ensure the continuity of deployed configurations.

Configuring the HLLAPI plug-in

The HLLAPI plug-in communicates with a terminal emulator through a DLL. Each emulator provides a different DLL for that purpose.

To tell Enterprise SSO how to communicate with your terminal emulator, you need to edit the Microsoft Windows Registry and enter three values located under

  • HllLibrary – the name of the emulator’s DLL (file name or full path) that gives access to the HLLAPI feature.
  • HllEntryPoint – the name of the relevant function in the DLL file.
  • HLLAPI-32bit – indicates whether the HLLAPI is in 32-bit mode (value=1) or not (value=0).

Emulator – HllLibrary; HllEntryPoint; HLLAPI-32bit:

  • Attachmate EXTRA!® Enterprise 2000 – ehlapi32.dll; hllapi; 1
  • Values used by the plug-in if the registry entries do not exist – PCSHLL32.dll; hllapi; 0

The Registry entry and associated values are not created during installation. You need to create the Registry entry manually:
and the three values “HllLibrary”, “HllEntryPoint” and “HLLAPI-32bit”.
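An added example, not the product's own code, of the value resolution described above: registry values found on a workstation are merged over the documented defaults (PCSHLL32.dll / hllapi / 0), validated, and rendered as a .reg file that regedit can import. The key path is a placeholder because the page does not state it, and storing HLLAPI-32bit as a REG_DWORD is an assumption.

```python
# Added example (not the product's own code): resolve the three HLLAPI plug-in
# registry values the way the page describes (documented defaults apply when a
# value is absent) and render them in Registry Editor 5.00 format.
# PLACEHOLDER: the page does not give the key path; take it from your ESSO docs.
REG_KEY_PATH = r"HKEY_LOCAL_MACHINE\SOFTWARE\<ESSO HLLAPI plug-in key>"

# Values the plug-in uses when the registry entries do not exist (from the page).
DEFAULTS = {"HllLibrary": "PCSHLL32.dll", "HllEntryPoint": "hllapi", "HLLAPI-32bit": 0}


def resolve_hllapi_config(present):
    """Merge the values present in the registry over the documented defaults
    and validate the shape the plug-in expects."""
    cfg = dict(DEFAULTS)
    cfg.update(present)
    lib = cfg["HllLibrary"]
    if not isinstance(lib, str) or not lib.lower().endswith(".dll"):
        raise ValueError("HllLibrary must name a DLL (file name or full path)")
    if not isinstance(cfg["HllEntryPoint"], str) or not cfg["HllEntryPoint"]:
        raise ValueError("HllEntryPoint must be a non-empty function name")
    if cfg["HLLAPI-32bit"] not in (0, 1):
        raise ValueError("HLLAPI-32bit must be 1 (32-bit HLLAPI) or 0")
    return cfg


def to_reg_file(cfg, key_path=REG_KEY_PATH):
    """Render the values as a .reg file. Backslashes in string values (full DLL
    paths) and quotes must be escaped; the 32-bit flag is assumed to be a DWORD."""
    def reg_str(s):
        return '"%s"' % s.replace("\\", "\\\\").replace('"', '\\"')
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        "[%s]" % key_path,
        '"HllLibrary"=%s' % reg_str(cfg["HllLibrary"]),
        '"HllEntryPoint"=%s' % reg_str(cfg["HllEntryPoint"]),
        '"HLLAPI-32bit"=dword:%08x' % cfg["HLLAPI-32bit"],
        "",
    ]
    return "\r\n".join(lines)  # .reg files use CRLF line endings
```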