Wednesday, May 12, 2010

vGO-SSO-PM.

Passlogix v-GO Provisioning Manager provides the ability for an administrator to automatically provision v-GO SSO with a user’s ID and password by using a provisioning system.

An administrator is able to add, modify and delete IDs and passwords for particular applications within the provisioning system and have the changes reflected in v-GO SSO. From the provisioning system, all usernames and passwords inside of SSO can also be deleted so that a user’s access to all protected applications is eliminated.

Installation Overview

Provisioning Manager is installed as an add-on component to v-GO SSO. SSO must be installed prior to installing Provisioning Manager.

System Requirements and Supported Applications

In order for Provisioning Manager to install and function properly, your system must meet at least the following requirements.

Pentium III class processor at 900 MHz

512MB RAM

Disk Space: a complete Installation requires ~3MB

Provisioning Manager Support for SSO Agent needs < 1 MB of additional disk space

Software Requirements

In order for Provisioning Manager to install and function properly, your system must have the following applications installed:

Internet Explorer 6.0 or higher with 128-bit encryption

Microsoft® .NET Framework 1.1 (installed by Provisioning Manager installer)

Microsoft Web Services Enhancements (WSE) 2.0 SP3 for Microsoft .NET (installed by Provisioning Manager installer)

Provisioning Manager Support for SSO Agent

In order for the Provisioning Manager support for the SSO Agent to function properly, v-GO SSO must be installed.

Provisioning Manager Server

In order for Provisioning Manager Server to function properly, your system must have the following applications installed:

  • Microsoft Windows® 2000 Server, or Windows Server 2003
  • Microsoft Internet Information Server 5.x or 6.x (6.x recommended)
  • Microsoft Active Directory®, Microsoft ADAM, Sun Java System Directory, or IBM LDAP Directory
  • Microsoft SQL Server 2000 or Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) (only required if using Event Logging)

IIS Requirements:

Microsoft Internet Information Server (IIS), version 5.0 or later. Provisioning Manager uses the IIS Web server to provide a browser-based interface for user enrollment, general setup and administrative tasks.

Note: If Active Directory or ADAM is used, the IIS account must have Administrative privileges and must be in the same domain. Because this account is the identity of an unauthenticated Web service, treat it as a high-value credential: a long random password used nowhere else, and no rights beyond this server and the directory containers described later.

Provisioning Manager Repository Requirements:

Provisioning Manager can use any of the following as the repository:

  • Microsoft Active Directory or Active Directory Application Mode (ADAM). The Active Directory server or ADAM instance (that is, Active Directory running as a user service) can be on any server in the same domain.
  • Sun Java System Directory
  • IBM LDAP Directory

Installer Requirements

To install Provisioning Manager, you need Administrative privileges on the PM/IIS server. The installer asks for the following information to configure a Directory server:

  • localhost: host name of the server running the Directory server instance.
  • port: port number of the Directory server instance.

In my Virtual Machine environment I will use two servers (SSOLABDC, SSOLABMEM) and one client machine (CLIENT).

  • SSOLABDC
    • Domain controller for SSOLAB Domain acting as repository for SSO Configuration
    • Enterprise Root Certificate Authority
  • SSOLABMEM
    • Member server in SSOLAB Domain
    • IIS 6.0 Server
  • CLIENT
    • Member of SSOLAB Domain
    • SSO Admin Console tasks performed from here
    • SSO Agent installed

1.1 Installation of the Passlogix v-GO Provisioning Manager Server program files

1. On SSOLABMEM, click Start | Run, enter & click OK.

2. Navigate to the Passlogix\v-GO PM\Server folder.

3. Double-click the v-GO PM Server.exe file to begin the installation.

4. The Welcome Panel appears. Click Next.


5. The License Agreement panel appears. Read the license agreement carefully. Click the I accept the terms in the license agreement button and click Next to continue.

6. The Setup Type panel appears. Select Complete or Custom. Complete installs all program files. Custom allows you to choose which program files are installed and where. Custom installations are only recommended for advanced users. Click Next.

7. Provisioning Manager is ready to be installed. Click Install and wait for the installation to complete. When it is done, click Finish.

Create or identify a user account for anonymous login

A dedicated Anonymous User account, through which Provisioning Manager users and administrators access the Provisioning Manager Web Services, must be created or identified. This Anonymous User account must be a member of the Administrators group.

Because the default Anonymous User account for a Web service, IUSR_<MACHINE_NAME>, is not a member of the Administrators group, you must create or choose a domain user account that is an Administrator; this allows the account to perform these tasks. Be clear about what this means: every unauthenticated request to the console runs as a local Administrator, so any flaw in the Web application is an administrator on the server. Give the account a long random password that is used nowhere else, grant it nothing beyond this server and the directory containers configured later, and keep the console reachable only from administrative hosts.

To create a new user account or assign Administrator rights to an existing account, use the Active Directory Users and Computers console (for an Active Directory domain) or the Computer Management console (for non-AD domains).

The user account you create or choose is the one specified in the Anonymous User dialog during this step.

1. Click Start, point to All Programs, point to Administrative Tools, and click Internet Information Services.

2. Locate the Provisioning Manager Console node in the tree, right-click it, and click Properties.

3. Click the Directory Security tab and click the Edit button next to Anonymous access.

4. Check the Anonymous access checkbox and type in the username and password of the anonymous user. The anonymous user must have local Administrative access.

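The setting above is easy to get wrong (anonymous access left on IUSR, or pointed at an account that is not actually a local Administrator), and easy to forget about later. The following PowerShell script is an added check, not part of the original post or of the Passlogix product: it reads the anonymous identity of the console's virtual directory from the IIS 6.0 metabase through the ADSI provider, compares it against the local Administrators group, and warns if the directory is not required to be served over SSL. It assumes the console was installed under the Default Web Site (metabase path W3SVC/1) with the directory name seen in the logon URL later in this post; adjust the path for other site IDs.

```powershell
# Added example (not from the original post or the product): audit the
# anonymous identity used by the v-GO PM Console virtual directory on IIS 6.0.
# ASSUMPTION: the console lives under the Default Web Site (W3SVC/1).
$vdir = [ADSI]"IIS://localhost/W3SVC/1/Root/v-GO PM Console"

# AuthFlags is a bitmask: 1 = Anonymous, 2 = Basic, 4 = Integrated Windows, 16 = Digest
$authFlags = [int]$vdir.Properties["AuthFlags"].Value
$anonUser  = [string]$vdir.Properties["AnonymousUserName"].Value
if (($authFlags -band 1) -eq 0) {
    throw "Anonymous access is not enabled on the console; Provisioning Manager needs it"
}
"Anonymous access runs as: $anonUser"

# Enumerate the local Administrators group through the WinNT provider.
# Each member comes back as a COM object; pull its ADsPath (WinNT://DOMAIN/user).
$admins  = [ADSI]"WinNT://./Administrators,group"
$members = @($admins.Invoke("Members")) | ForEach-Object {
    $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
}
# Normalise WinNT://DOMAIN/user to DOMAIN\user so it matches the metabase value
$normalised = $members | ForEach-Object { ($_ -replace '^WinNT://', '') -replace '/', '\' }

if ($normalised -contains $anonUser) {
    "OK   $anonUser is a local Administrator, as Provisioning Manager requires"
} else {
    "FAIL $anonUser is not in the local Administrators group; the console will not work"
}

# This identity is an administrator reachable without authentication, so the
# directory should at least require SSL. AccessSSLFlags bit 8 = AccessSSL.
$sslFlags = [int]$vdir.Properties["AccessSSLFlags"].Value
if (($sslFlags -band 8) -eq 0) {
    "WARN SSL is not required on this virtual directory; credentials and session data travel in clear text"
} else {
    "OK   SSL is required on this virtual directory"
}
```

Run it on SSOLABMEM from an elevated PowerShell session; the WinNT provider needs local administrator rights to enumerate group membership reliably. The comparison is case-insensitive, as the metabase stores the account exactly as typed in the Anonymous access dialog.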

Granting special permissions within AD to the Provisioning Manager service account (SSOPM in this lab; the product documentation calls it PMSERVICE)

The next procedure grants special rights on specific containers within Active Directory to the PMSERVICE account. Remember that, to Active Directory, the PMSERVICE account is simply an ordinary user account.

To grant the special permissions:
1. In the Permission Entry for SSOConfig dialog box, grant the PMSERVICE account advanced Full Control of the SSOConfig container (the container where the application templates are stored), as shown in the following illustration. Keep in mind what this grant means: whoever controls this account can alter the templates that tell every SSO agent where to inject credentials, so protect its password as carefully as the anonymous IIS account above.

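The dialog-driven grant above is hard to reproduce exactly or to audit later. The following PowerShell script is an added example, not part of the original post or of the product documentation: it locates the SSOConfig container, applies the same Full Control grant with the built-in dsacls tool, and lists the resulting entries. The distinguished name of SSOConfig is not given in the post, so the script searches the domain for an object named SSOConfig (an assumption about how the container is named); the account name SSOLAB\PMSERVICE is taken from the lab domain and the documentation name used above.

```powershell
# Added example (not from the original post): grant the Provisioning Manager
# service account Full Control of the SSOConfig container with dsacls, then verify.
# ASSUMPTION: the container's CN is SSOConfig and the account is SSOLAB\PMSERVICE.
$serviceAccount = "SSOLAB\PMSERVICE"

# Find the domain naming context and search it for the SSOConfig container
$domainDn = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn")
$searcher.Filter = "(cn=SSOConfig)"
$result = $searcher.FindOne()
if ($result -eq $null) { throw "SSOConfig container not found under $domainDn" }
$dn = [string]$result.Properties["distinguishedname"][0]
"SSOConfig container: $dn"

# /G user:GA  = grant Generic All (Full Control)
# /I:T        = apply to this object and every object beneath it (the templates)
dsacls "$dn" /G "${serviceAccount}:GA" /I:T

# Verify: show only the ACEs that mention the service account
"ACEs for $serviceAccount on $dn"
dsacls "$dn" | Select-String -SimpleMatch $serviceAccount
```

Run it as a user with rights to modify the container's security (a Domain Admin, in this lab on SSOLABDC or any domain member with the support tools). The verification step is worth keeping as a periodic check: the template container should list the service account, the Provisioning Manager administrators and the built-in admin groups, and nothing else.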

Configuring the PM Server Settings

1. Access the Provisioning Manager console by entering the following link on SSOLABMEM:

http://localhost/v-GO%20PM%20Console/logon.aspx

The lab uses plain HTTP on the local host. When the console is reached from any other machine, publish it over HTTPS; the lab's Enterprise Root CA on SSOLABDC can issue the server certificate.

2. Enter SSOLABMEM/ssopmadmin for the Username and ********** for the Password and click Log On.

3. When logged in properly, you should see a screen like the one in the graphic below:

From the Settings page, click Storage.

Select AD from the drop-down list and enter the settings shown below to configure storage.

Click Save Changes; this returns you to the login screen.

Log back into Provisioning Manager and click Users. If the storage settings are correct, the Users page lists all of the application templates you created in the SSOConfig container on the SSO DC.

v-GO SSO

What is SSO

• An agent loaded on the workstation monitors events and responds to specific ones using configuration objects (SSO templates).

• The process injects credentials into all targeted applications on the workstation with minimal user input.

• SSO uses a single authentication process to connect to multiple applications. No password is lost or forgotten, and it can even remember multiple passwords for one application.

• Fewer help desk calls for password changes. The user no longer manages the password; the agent logs them into the applications automatically.

• Passwords are more secure. Because users no longer have to remember their passwords, complexity can be raised to strong password requirements with frequent changes.

• Increased user satisfaction: users no longer carry the burden of managing credentials and are logged on to applications automatically.

• SSOMHO.EXE
SSO Mainframe Helper Object. This component connects to HLLAPI or to the Windows console to capture host events: mainframe, Windows console / cmd.exe, or any supported HLLAPI host-based product.

• SSOBHO.EXE
SSO Browser Helper Object. This component monitors Internet Explorer events and connects to web pages.

• SSOMOZHO.EXE (if needed and selected at install)
SSO Mozilla Helper Object. This component monitors Mozilla events and connects to web pages.

• SSOSHELL.EXE
Connects to Win32 applications. This is the base component: it synchronizes with the selected repository and provides the GUI for v-GO. It is the only component of which multiple instances can be in memory.

• When the SSO agent initializes on the workstation, it checks for an SSO profile in HKCU and in the user's profile directory (%APPDATA%).

– No local SSO profile: the software checks whether the user has already enrolled in SSO; if yes, it downloads the SSO profile from AD. If no profile exists in AD, the agent creates a local SSO profile that is automatically synchronized with AD.

– Existing local SSO profile: the client validates whether the objects are up to date with the ones in AD; a timestamp determines which object is newer, and the older objects are updated if needed.

• Users can roam and have access to SSO as long as the machine has the agent installed.

• When the SSO agent detects an authorized application, a wizard prompts the user to enter their credentials.

• These credentials become a logon entry.

• When the SSO agent injects credentials too often in a short period of time, a looping box opens and asks whether it is correct to enter the credentials again.

• With this box the user can:

– Stop the process

– Modify their credentials

– Log back in again

• This process can be adjusted to fit the requirements of the application. It avoids locking out an account through frequent retries of a non-working credential.

Symptoms and solutions

Symptom: SSO agent shortcut is grayed out
Solution: The user is not an authorized member of the SSO group. Either add the user to the security group or advise them that they are not authorized to use the software.

Symptom: SSO agent not in the task bar
Solution: Is ssoshell.exe running in memory? If not, launch it from the application shortcut. If it is, kill ssoshell.exe and launch it again.

Symptom: SSO agent not responding to the application
Solution:
• Is there a template for this application?
• Does it happen only for this application?
• Is it possible to reveal the credentials in Logon Manager?
• Auto prompt / Auto enter must be checked both in the application and in the template.
• If you pause the agent, can you log in manually?

Symptom: Credentials grayed out in Logon Manager
Solution: The template is not available. Press Refresh and wait a few seconds. Check whether the template still exists in the AD SSOConfig container.

Symptom: Key in the Synchronizers do not match
Solution: The user has two profiles. Try deleting the local SSO cache and restarting v-GO.
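The table above is a manual checklist. The following PowerShell script is an added diagnostic, not part of the original post or of the product: it runs the mechanical checks from the table on a workstation (group membership, whether ssoshell.exe is running, whether a local profile exists in HKCU and %APPDATA%) and, with the -ResetCache switch, performs the last solution by stopping the agent, moving the local cache aside and restarting the agent from the path it was running from. The SSO security group name and the exact profile locations are not stated in the post, so the defaults (SSOLAB\SSO Users, HKCU\Software\Passlogix, %APPDATA%\Passlogix) are assumptions to adjust for your deployment.

```powershell
# Added diagnostic (not from the original post): automate the checks in the
# Symptoms/Solution table. ASSUMPTIONS: the SSO group name and the profile
# locations below are guesses; override them for your environment.
param(
    [string]$SsoGroup = "SSOLAB\SSO Users",
    [switch]$ResetCache
)
$registryProfile = "HKCU:\Software\Passlogix"           # assumed HKCU profile key
$fileProfile     = Join-Path $env:APPDATA "Passlogix"    # assumed %APPDATA% profile folder

# 1. "SSO agent shortcut is grayed out": is the current user in the SSO group?
#    Some SIDs in a token (logon session SIDs) cannot be translated, so ignore those.
$groups = [Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object {
    try { $_.Translate([Security.Principal.NTAccount]).Value } catch { }
}
if ($groups -contains $SsoGroup) { "OK   user is a member of $SsoGroup" }
else { "FAIL user is not in $SsoGroup (the agent shortcut will be grayed out)" }

# 2. "SSO agent not in the task bar": is ssoshell.exe running?
$shell = @(Get-Process -Name ssoshell -ErrorAction SilentlyContinue)
if ($shell.Count -gt 0) { "OK   ssoshell.exe is running (PID $($shell[0].Id))" }
else { "FAIL ssoshell.exe is not running; launch it from the application shortcut" }

# 3. Local profile, as the agent looks for it in HKCU and the profile directory
"INFO registry profile present: $(Test-Path $registryProfile)"
"INFO file profile present:     $(Test-Path $fileProfile)"

# 4. "Key in the Synchronizers do not match": move the local cache aside and restart.
#    The cache is renamed rather than deleted so it can be restored if needed.
if ($ResetCache) {
    if ($shell.Count -eq 0) { throw "ssoshell.exe is not running; cannot learn its path to restart it" }
    $exe = $shell[0].Path
    $shell | Stop-Process -Force
    Start-Sleep -Seconds 2
    $stamp = Get-Date -Format yyyyMMddHHmmss
    if (Test-Path $fileProfile)     { Rename-Item $fileProfile "$fileProfile.bak-$stamp" }
    if (Test-Path $registryProfile) { Rename-Item $registryProfile "Passlogix.bak-$stamp" }
    Start-Process $exe
    "DONE local cache moved aside (suffix .bak-$stamp) and ssoshell.exe restarted from $exe"
}
```

Run it as the affected user on CLIENT, since the profile locations and group membership are per user. Moving the cache aside instead of deleting it matters when the "two profiles" diagnosis is wrong: the renamed copy still holds any logon entries that were never synchronized to AD.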