Single sign-on simplified
Enterprise Single Sign-on enables your organization to streamline both end-user management and enterprise-wide administration of single sign-on (SSO). It bases application and system user logins on your existing Active Directory identities, so there’s no infrastructure for you to manage.
- Active Directory-based single sign-on – Enables you to use the current identities, groups and policies built into your existing Active Directory deployment for basing single sign-on and access control for the entire enterprise, without requiring additional authentication methods or a metadirectory.
- Security & access policy enforcement – Allows you to apply similar controls to client-based single sign-on for the entire enterprise-wide range of applications and systems to which a user may need access using established access policies and Active Directory rules.
- Single point of strong authentication – Permits a single point of user login/authentication to any of your organization’s systems and applications, including standard username/password logins and the entire range of strong authentication options, such as biometrics, smart cards or token-based two-factor authentication.
- IT & end-user efficiency – Increases your productivity and eliminates the need for your IT staff to manage user access and reset passwords across a wide range of applications because there’s no need to remember passwords for multiple systems and applications.
- Compliance support – Achieve common compliance requirements for access control, strong authentication and secure delegation of access rights by implementing a consistent, strong, Active Directory-based infrastructure for access policy enforcement.
- Audit reporting – Enables you to generate audit reports from sign-on or LDAP data and also gives you the option of producing reports showing statistics.
- Drag-and-drop configuration –: Allows you to easily adapt applications to your unique environment, without requiring modification or custom connectors.
- Optional fast user switching– Enables you to share a physical workstation using real-time context switching and individual authentication.
- Optional Password Reset: Enables you to manage your own network password resets by answering secret questions, either through a Web interface or via a Windows login interface.
Before installing ESSO, ensure your system meets the following minimum hardware and software requirements:
Operating System Prerequisites
ESSO agents can be installed on the OS platforms detailed in the tables below. That concerns the following agents:
- Enterprise SSO.
- Authentication Manager.
- User Access Console.
|Operating System||Service Packs 32bit||Service Packs 64bit|
|Windows 7||Original and SP1||Original and SP1|
|Windows 8 Pro/Windows 8 Enterprise||Original and 8.1||Original and 8.1|
|Windows Server 2012||Original and R2||Original and R2|
|Windows Server 2008||Original SP2||R2 Original and R2 SP1, SP2|
|Windows Server 2003||Original, SP1, SP2, R1 and R2||R2 SP2|
ESSO Controllers can be installed on the OS platforms detailed in the tables below:
|Operating System||Service Packs 32bit||Service Packs 64bit||Web Browser Supported|
|Windows Server 2003||Original, SP1, R1 and R2||R2 SP2||Internet Explorer 6.0, 7.0 or 8.0|
|Windows Server 2008||Original and R2||R2||Internet Explorer 7.0, 8.0 or 9.0|
|Windows Server 2012||Original and R2||Original and R2|
*support for Windows Server 2003 will terminate in late June 2016
Citrix / Xenapp
Citrix XenApp (Citrix Presentation Server) 4.5, 5.0, 6.0,6.5, 7.5 and 7.6 are supported
- Enterprise SSO, Advanced Login
The ESSO agents do not require significant resources on modern computers. The recommended minimal configuration on a Windows workstation is the following:
Processor Memory 1 GHz Intel processor 512 MB RAM
- ESSO Console and controller
The ESSO Console and controller must run on a recent configuration in order to access the audit base with satisfactory performance. The recommended minimal configuration is the following:
Processor Memory Intel Core 2 Duo processor 2 GB RAM
The size of the hard drive hosting the audit base depends on how long you want to keep the log on-line before archiving it. (The audit base does not need to reside on the Enterprise SSO server itself.). For a rough estimate use the following:
One log entry = 1000 bytes (including database index and other overhead)
Typical log activity = 20 log entries per user per day
LDAP Directories and Databases Versions
LDAP Directory Versions
Quest Enterprise SSO can access user information located in LDAP directories and use these directories to store SSO and security data. The directories supported by Quest Enterprise SSO are:
|Sun Java System Directory Server|
|Fedora Directory Server|
|IBM Tivoli Directory Server|
Using Enterprise SSO with Samba
Enterprise SSO can be installed in an environment where Samba is used as an authentication server and domain controller. The prerequisites are:
- Samba must be in version 3.0.x
- Samba must use OpenLDAP (see version above)
Audit database versions
Quest ESSO controller can store a “master” audit base on a relational database. Enterprise SSO has been validated with the following database versions running on Windows 2003/2008 Server Enterprise Edition:
- Oracle from 22.214.171.124
- Microsoft SQL Server 2005 and up
- MySQL Server 5.0
- IBM DB2 version 9.0
The audit cache base can also be one of the database types listed here.
If you want to use another type of relational database, please contact Quest for the feasibility and a cost evaluation.
Supported Authentication Devices
Smart Cards and USB Tokens
The following middleware and authentication devices are compatible with these specific Enterprise SSO modules:
- Advanced Login can use the devices for user authentication
- Quest ESSO Console can manage these devices and use them for the administrators’ authentication
|Gemalto||No middleware||Cryptoflex e-gate 32K, Cryptoflex .NET V2+|
|Gemalto||ACS 5.6.4||Cyberflex 32K or 64K with PC/SC readers|
|Gemalto||Classic Client 6||Cyberflex 32K or 64K with PC/SC readers|
|ActivIdentity||ActivClient 5.3.1||Cyberflex and Oberthur smart cards|
|Oberthur||AWP (Authentic Web Pack) 126.96.36.199||Cosmo 64 v5|
Please note that when using smart cards, you must use PC/SC smart card readers that are compatible with both the cards and the middleware detailed above.
The only Certification Authority that is supported at the moment is the Microsoft Windows 2000/2003/2008 Certification Authority in an Active Directory configuration. Other Certification Authorities can be used via the PKCS import feature of the Quest ESSO Console.
Using Precise Biometrics
Biometrics support requires that you purchase from Precise Biometrics™ a license of Precise BioMatch Pro Toolkit 2.3.0 for each workstation where biometric authentication will be performed.
The list of biometric devices supported by Precise BioMatch™ Pro Toolkit 2.3.0 is currently the following
Warning: Some of these devices require a specific license of the Precise Biometrics software. Determine with the vendor which license is appropriate
- Precise 100 A/AX/SC/MC/XS/BioKeyboard/PC-Card
- Precise 200 MC
- Precise 250 MC
- IRIS BCR100T
- IRIS Mobile SmartTerm St4E
- AuthenTec AES4000 API-based readers
- AuthenTec AES2501 API-based readers
- Cherry FingerTIP Keyboards
- UPEK ST1
- UPEK ST2
- Silex FUS-200N
- Silex MUSB-200COMBO
- Silex COMBO-Mini
For an up-to-date list, contact your Dell representative
Advanced Login uses BSAPI 3.6. This API supports:
- All UPEK swipe sensors. An exhaustive list doesn’t exist.This offers compatibility with select laptop models from Lenovo, Toshiba, Panasonic, Dell, Acer, Asus, NEC and other notebook makers. Also, UPEK is the only fingerprint sensor supplier for all Sony laptops.
- Cherry ID mouse with a UPEK area sensor: http://www.cherrycorp.com/english/keyboards/Security/M_4200/index.htm
- the Eikon (TCRD4C) and Eikon To Go (TCRG4C)
Advanced Login can use the BIO-key Biometric Service Provider (BSP) version 01.09.290 or later.
Install the BSP 01.09.290 and see on the BIO-Key web site, the list of supported devices you can use with this provider.
XyLoc support requires that you obtain from Ensure Technologies the Software Development Kit in order to deploy on each workstation the ETSecure.dll.
Xyloc devices are not supported with Microsoft RDP
Advanced Login has been tested with the following MIFARE components:
- SAGEMYpsid S1-IAS
- Sagem Ypsid MatchOnCard
- Classic TPC
- Cyberflex 64k
- Crypto.NET v2+
These tests have been done with the following reader: CardMan 5321, these RFID devices are natively supported (no middleware needed)
Advanced Login is pre-configured with the following ATR (Answer To Reset):
|3b8f8001804f0ca000000306030001000000006a||Mifare Standard 4K|
|3b8f8001804f0ca0000003060300020000000069||Mifare Standard 1K|
|Start with 3b05||HID Prox 125kHz format H10320|
|Start with 3b06||HID Prox 125kHz format H10301|
|Start with 3b07||HID Prox 125kHz format H10302, H10304 and Corp 1k|
Enterprise SSO Plug-in Requirements
Plug-ins are extensions of Enterprise SSO. They provide SSO authentication methods for specific types of applications.
These plug-ins are delivered with Enterprise SSO. Plug-ins are available for:
- Microsoft Internet Explorer (for Internet Explorer 5.5, 6.0, 7.0, 8.0 and 9.0)
- Firefox 1.5, 2.0, 3.04 and higher (warning, due to an issue Firefox 3.0.0 to 3.0.3 are not supported) and 4.0
- Sun Java SE Runtime Environment (JRE) 1.4, 1.5 and 1.6
- Lotus Notes versions 4.x, 5.x and 6.5
- Microsoft Telnet
- HLLAPI (see 4.7 “Configuring the HLLAPI plug-in” for supported emulators).
Script environment for Windows and HTML applications that are not covered by the standard Enterprise SSO process.
SAP R/3 Plug-in Requirements
The table below shows the supported versions of SAP R/3 components:
|Enterprise SSO Window Type||SAP R/3 Client Version||SAP R/3 Server Version (Minimum Kernel Patch Level)|
|SAPGUI Scripting||6.10 (360)|
|SAP GUI 6.20||4.6D (948)|
|SAP GUI 6.40||4.0B (903)|
|SAP GUI 7.10||3.1I (650)|
|SAP GUI 7.20|
|SAP GUI 7.30|
The SAP web-based Start Center is compatible with Enterprise SSO, but you need to upgrade to SAPGUI Version 6.40 with Patch level 23
The SAPLogin and SAPExpired window types defined in version 3.71 of SSOWatch remain available to ensure the continuity of deployed configurations.
Configuring the HLLAPI plug-in
The HLLAPI plug-in communicates with a terminal emulator through a DLL. Each emulator provides a different DLL for that purpose.
To tell Enterprise SSO how to communicate with your terminal emulator, you need to edit the Microsoft Windows Registry and enter three values located under
- HllLibrary – the name of the emulator’s DLL (file name or full path) that gives access to the HLLAPI feature.
- HllEntryPoint – the name of the relevant function in the DLL file.
- HLLAPI-32bit – indicates whether the HLLAPI is in 32-bit mode (value=1) or not (value=0)
|Attachmate EXTRA!® Entreprise 2000||ehlapi32.dll||hllapi||1|
|Values used by the plug-in if the registry entries do not exist||PCSHLL32.dll||hllapi||0|
The Registry entry and associated values are not created during installation. You need to manually create the Registry entry:
and the three values “HllLibrary”, “HllEntryPoint” and “HLLAPI-32bit"