
Enterprise Single Sign-on

Single Sign-on Made Simple

Enterprise Single Sign-on is the industry’s leading enterprise single sign-on (SSO) solution, basing application and system user logins on existing Active Directory identities. It requires no hard-to-manage infrastructure and streamlines both end-user management and enterprise-wide administration of single sign-on.

Features

  • Active Directory-based Single Sign-on: Base single sign-on and access control for the entire enterprise on the existing identities, groups and policies built into your existing Active Directory deployment, without requiring additional authentication methods or a metadirectory.
  • Security & Access Policy Enforcement: Use established access policies and Active Directory rules to apply similar controls to client-based single sign-on for the entire enterprise-wide range of applications and systems to which a user may need access.
  • Single Point of Strong Authentication: Provide a single point of user login/authentication to any system and application. This includes standard username/password logins as well as the entire range of strong authentication options, such as smart cards, biometrics or token-based two-factor authentication.
  • IT & End-user Efficiency: Relieve IT staff of the burden of managing user access and resetting passwords across a wide range of applications. End-user productivity is enhanced by not having to remember passwords for multiple systems and applications.
  • Compliance Support: Achieve common compliance requirements for access control, strong authentication and secure delegation of access rights by implementing a consistent, strong, Active Directory-based infrastructure for access policy enforcement.
  • Audit Reporting: Generate audit reports from sign-on or LDAP data with the option to produce reports showing statistics as well.
  • Drag-and-drop Configuration: Adapt applications to your unique environment with ease, without modification or custom connectors.
  • Optional Fast User Switching:  Enable users to share a physical workstation using individual authentication and real-time context switching.
  • Optional Password Reset: Enable users to manage their own network password resets by answering secret questions. This is available as a Web interface or via a Windows login interface.

Sys Reqs

Before installing Enterprise Single Sign-on (ESSO), ensure your system meets the following minimum hardware and software requirements:

Agents Environment

ESSO agents can be installed on the OS platforms detailed in the table below. This applies to the following agents:

  • Advanced Login
  • SSOWatch
  • Quest ESSO Console
Operating System                          | Service Packs 32bit      | Service Packs 64bit                 | Web Browser Supported
Windows XP (Home or Professional Edition) | SP1, SP2 and SP3         | SP2 (cluster mode is not supported) | Internet Explorer 6.0, 7.0 or 8.0
Vista (all editions)                      | SP1 and SP2              | Original                            | Internet Explorer 7.0 or 8.0
Windows 7                                 | Original and SP1         | Original and SP1                    | Internet Explorer 8.0 or 9.0
Windows Server 2003                       | Original, SP1, R1 and R2 | R2 SP2                              | Internet Explorer 6.0, 7.0 or 8.0
Windows Server 2008                       | Original and R2          | R2                                  | Internet Explorer 7.0, 8.0 or 9.0

Remarks:
ESSO agents are not supported with virtualization software such as VMware Workstation or Microsoft Virtual PC.

Controllers Environment

ESSO Controllers can be installed on the OS platforms detailed in the table below:

Operating System    | Service Packs 32bit      | Service Packs 64bit | Web Browser Supported
Windows Server 2003 | Original, SP1, R1 and R2 | R2 SP2              | Internet Explorer 6.0, 7.0 or 8.0
Windows Server 2008 | Original and R2          | R2                  | Internet Explorer 7.0, 8.0 or 9.0

Remarks:
Enterprise SSO Controllers are supported with virtualization software such as VMware Workstation or Microsoft Virtual PC.

Citrix / Xenapp

Citrix XenApp (Citrix Presentation Server) 4.5 and 5.0 are supported and can be used with Internet Explorer 6.0, 7.0 or 8.0.

Hardware Prerequisites

  • Enterprise SSO, Advanced Login
    The Quest ESSO agents do not require significant resources on modern computers. The recommended minimal configuration on Windows XP, Vista and Windows 7 is the following:
    • 1 GHz Intel processor
    • 512 MB RAM
  • ESSO Console and controller
    The Quest ESSO Console and controller must run on a recent configuration in order to access the audit base with satisfactory performance. The recommended minimal configuration is the following:
    • Intel Core 2 Duo processor
    • 2 GB RAM
      The size of the hard drive hosting the audit base depends on how long you want to keep the log online before archiving it (the audit base does not need to reside on the Enterprise SSO server itself). For a rough estimate, use the following:
      • One log entry = 1000 bytes (including database index and other overhead)
      • Typical log activity = 20 log entries per user per day

LDAP Directories and Databases Versions

LDAP Directory Versions

Enterprise SSO can access user information located in LDAP directories and use these directories to store SSO and security data. The directories supported by Enterprise SSO are:

Active Directory
  • Windows 2000 Server SP4
  • Windows Server 2003 SP1 and SP2
  • Windows Server 2003 R2 SP1 and SP2
  • Windows Server 2008 SP1, SP2 and R2
AD LDS
  • Windows Server 2008 SP1, SP2 and R2
Sun Java System Directory Server
  • Sun Java System Directory Server 5.2
Fedora Directory Server
  • Fedora Directory Server 1.0.1 on Red Hat Linux
  • Fedora Directory Server 1.2 on Red Hat Linux
OpenLDAP
  • OpenLDAP Directory 2.4.X
    Configuring the Quest ESSO Services with an OpenLDAP repository requires advanced skills; an integration service engagement is required.
Novell eDirectory
  • Version 8.7.3 minimum
IBM Tivoli Directory Server
  • Version 5.2 with Fix Pack 003
  • Version 6.0

Enterprise SSO can use Microsoft AD LDS or ADAM to store SSO and security data.
Enterprise SSO requires at least ADAM version 1.1 (SP1) or later.

Using Enterprise SSO with Samba

Enterprise SSO can be installed in an environment where Samba is used as an authentication server and domain controller. The prerequisites are:

  • Samba must be in version 3.0.x
  • Samba must use OpenLDAP (see version above)

Database Versions

The ESSO controller can store a “master” audit base in a relational database. Enterprise SSO has been validated with the following database versions running on Windows 2003/2008 Server Enterprise Edition:

  • Oracle from 8.1.7.4
  • Microsoft SQL Server 2000 and 2005
  • MySQL Server 5.0
  • IBM DB2 version 9.0

The audit cache base can also be one of the database types listed here.

If you want to use another type of relational database, please contact Dell for the feasibility and a cost evaluation.

Supported Authentication Devices

Smart Cards and USB Tokens

The following middleware and authentication devices are compatible with these specific Enterprise SSO modules:

  • Advanced Login can use the devices for user authentication
  • ESSO Console can manage these devices and use them for the administrators’ authentication
Vendor        | Middleware                         | Tokens
Gemalto       | No middleware                      | Cryptoflex e-gate 32K, Cryptoflex .NET V2+
Gemalto       | ACS 5.6.4                          | Cyberflex 32K or 64K with PC/SC readers
Gemalto       | Classic Client 6                   | Classic TPC, IAS ECC
ActivIdentity | ActivClient 5.3.1                  | Cyberflex and Oberthur smart cards
Oberthur      | AWP (Authentic Web Pack) 3.6.2.2   | Cosmo 64 v5

Please note that when using smart cards, you must use PC/SC smart card readers that are compatible with both the cards and the middleware detailed above.

The only Certification Authority that is supported at the moment is the Microsoft Windows 2000/2003/2008 Certification Authority in an Active Directory configuration. Other Certification Authorities can be used via the PKCS import feature of the ESSO Console.

Biometric Devices

Using Precise Biometrics

Biometrics support requires that you purchase from Precise Biometrics™ a license of Precise BioMatch Pro Toolkit 2.3.0 for each workstation where biometric authentication will be performed.

The list of biometric devices supported by Precise BioMatch™ Pro Toolkit 2.3.0 is currently the following:

Warning:
Some of these devices require a specific license of the Precise Biometrics software. Determine with the vendor which license is appropriate.

  • Precise 100 A/AX/SC/MC/XS/BioKeyboard/PC-Card
  • Precise 200 MC
  • Precise 250 MC
  • IRIS BCR100T
  • IRIS Mobile SmartTerm St4E
  • AuthenTec AES4000 API-based readers
  • AuthenTec AES2501 API-based readers
  • Cherry FingerTIP Keyboards
  • UPEK ST1
  • UPEK ST2
  • Silex FUS-200N
  • Silex MUSB-200COMBO
  • Silex COMBO-Mini

Warning:
For an up-to-date list, contact your Dell representative.

Using UPEK

Advanced Login uses BSAPI 3.6. This API supports:

  • All UPEK swipe sensors. An exhaustive list doesn’t exist; some models are listed at http://www.upek.com/solutions/rsa/se_notebooks.asp, but this list is not complete. This offers compatibility with select laptop models from Lenovo, Toshiba, Panasonic, Dell, Acer, Asus, NEC and other notebook makers. UPEK is also the only fingerprint sensor supplier for all Sony laptops.
  • Cherry ID mouse with a UPEK area sensor: http://www.cherrycorp.com/english/keyboards/Security/M_4200/index.htm
  • The Eikon (TCRD4C) and Eikon To Go (TCRG4C)

Using BIO-Key

Advanced Login can use the BIO-key Biometric Service Provider (BSP) version 01.09.290 or later.

Install BSP 01.09.290 and see the BIO-Key web site for the list of supported devices you can use with this provider.

RFID/HID devices

XyLoc support requires that you obtain the Software Development Kit from Ensure Technologies in order to deploy the ETSecure.dll on each workstation.

Warning:
XyLoc devices are not supported with Microsoft RDP.

Advanced Login has been tested with the following MIFARE components:

  • SAGEMYpsid S1-IAS
  • Sagem Ypsid MatchOnCard
  • Classic TPC
  • Oberthur
  • Cyberflex 64k
  • Crypto.NET v2+
  • CPS3

These tests were done with the following reader: CardMan 5321. These RFID devices are natively supported (no middleware needed).

Advanced Login is pre-configured with the following ATR (Answer To Reset):

ATR                                      | BADGE
3b8f80010031b86404b0ecc1739401808290000e | CPS3
3b8f8001804f0ca000000306030001000000006a | Mifare Standard 4K
3b8f8001804f0ca0000003060300020000000069 | Mifare Standard 1K
3b8f8001804f0ca0000003060a001c000000007e | HID iCLASS
Start with 3b05                          | HID Prox 125kHz format H10320
Start with 3b06                          | HID Prox 125kHz format H10301
Start with 3b07                          | HID Prox 125kHz format H10302, H10304 and Corp 1k
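The ATR table above is what Advanced Login compares a presented card's Answer To Reset against. As an added example (not part of the Quest/Dell product or its documentation), the following Python code validates an ATR's ISO 7816-3 structure and TCK checksum before looking it up in that table, so a mistyped or corrupted entry is rejected instead of silently matching nothing; the "Start with" rows are handled as prefix rules. The HID Prox and unknown-card ATRs used for testing are constructed values.

```python
import re, functools, operator

ATR_EXACT = {  # badge table as pre-configured in Advanced Login (copied from the page)
    "3b8f80010031b86404b0ecc1739401808290000e": "CPS3",
    "3b8f8001804f0ca000000306030001000000006a": "Mifare Standard 4K",
    "3b8f8001804f0ca0000003060300020000000069": "Mifare Standard 1K",
    "3b8f8001804f0ca0000003060a001c000000007e": "HID iCLASS",
}
ATR_PREFIX = {  # "Start with ..." rules: only the first two bytes are stable
    "3b05": "HID Prox 125kHz format H10320",
    "3b06": "HID Prox 125kHz format H10301",
    "3b07": "HID Prox 125kHz format H10302, H10304 and Corp 1k",
}

def parse_atr(atr_hex):
    """Validate an ISO 7816-3 ATR (TS, the structure announced by T0/TDi, the TCK
    checksum) and return its historical bytes; raises ValueError if it is malformed."""
    clean = re.sub(r"[\s:]", "", atr_hex).lower()
    if not re.fullmatch(r"3b(?:[0-9a-f]{2}){1,32}", clean):   # direct convention only
        raise ValueError("ATR must be TS=3B followed by 1 to 32 hex bytes")
    atr = bytes.fromhex(clean)
    hist_len, y = atr[1] & 0x0F, atr[1] >> 4      # T0: K historical bytes, Y1 flags
    pos, tck_present = 2, False
    while y:                                       # walk the TA/TB/TC/TD groups
        pos += bin(y & 0x7).count("1")             # skip TA, TB, TC where present
        if not y & 0x8 or pos >= len(atr):         # no TDi (or the ATR is truncated)
            break
        td, pos = atr[pos], pos + 1
        tck_present |= bool(td & 0x0F)             # a protocol other than T=0 needs TCK
        y = td >> 4
    historical, pos = atr[pos:pos + hist_len], pos + hist_len
    if tck_present:                                # TCK = XOR of T0 .. last historical byte
        if pos >= len(atr) or atr[pos] != functools.reduce(operator.xor, atr[1:pos], 0):
            raise ValueError("TCK mismatch: ATR corrupted or mistyped")
        pos += 1
    if pos != len(atr):
        raise ValueError("ATR length does not match the structure announced by T0/TD")
    return historical

def identify_badge(atr_hex):
    clean = re.sub(r"[\s:]", "", atr_hex).lower()
    parse_atr(clean)                               # reject malformed ATRs before lookup
    return ATR_EXACT.get(clean) or next((b for p, b in ATR_PREFIX.items() if clean.startswith(p)), None)

def is_valid_atr(atr_hex):                         # convenience check when vetting new table rows
    try:
        parse_atr(atr_hex)
        return True
    except ValueError:
        return False
```

identify_badge returns None for a well-formed ATR that is not in the table, and raises for one that is structurally broken, so the two cases can be logged differently.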

Enterprise SSO Plug-in Requirements

Plug-ins are extensions of Enterprise SSO. They provide SSO authentication methods for specific types of applications.

These plug-ins are delivered with Enterprise SSO. Plug-ins are available for:

  • Microsoft Internet Explorer (for Internet Explorer 5.5, 6.0, 7.0, 8.0 and 9.0)
  • Firefox 1.5, 2.0, 3.04 and higher, and 4.0 (Firefox 3.0.0 to 3.0.3 are not supported due to a known issue)
  • Sun Java SE Runtime Environment (JRE) 1.4, 1.5 and 1.6
  • Lotus Notes versions 4.x, 5.x and 6.5
  • Microsoft Telnet
  • HLLAPI (see 4.7 “Configuring the HLLAPI plug-in” for supported emulators).

A script environment is also provided for Windows and HTML applications that are not covered by the standard Enterprise SSO process.

SAP R/3 Plug-in Requirements

The table below shows the supported versions of SAP R/3 components:

Enterprise SSO Window Type | SAP R/3 Client Version      | SAP R/3 Server Version (Minimum Kernel Patch Level)
SAPGUI Scripting           | SAP GUI 6.20, 6.40 and 7.10 | 6.10 (360), 4.6D (948), 4.5B (753), 4.0B (903), 3.1I (650)

Warning:
The SAP web-based Start Center is compatible with Enterprise SSO, but you need to upgrade to SAPGUI Version 6.40 with Patch level 23.

Remark:
The SAPLogin and SAPExpired window types defined in version 3.71 of SSOWatch remain available to ensure the continuity of deployed configurations.

Configuring the HLLAPI plug-in

The HLLAPI plug-in communicates with a terminal emulator through a DLL. Each emulator provides a different DLL for that purpose.

To tell Enterprise SSO how to communicate with your terminal emulator, you need to edit the Microsoft Windows Registry and enter three values located under

HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\SSOWatch\HLLAPI

  • HllLibrary – the name of the emulator’s DLL (file name or full path) that gives access to the HLLAPI feature.
  • HllEntryPoint – the name of the relevant function in the DLL file.
  • HLLAPI-32bit – indicates whether the HLLAPI is in 32-bit mode (value=1) or not (value=0).
                                                                | HllLibrary   | HllEntryPoint | HLLAPI-32bit
Attachmate EXTRA!® Enterprise 2000                              | ehlapi32.dll | hllapi        | 1
Values used by the plug-in if the registry entries do not exist | PCSHLL32.dll | hllapi        | 0

Warning:
The Registry entry and associated values are not created during installation. You need to manually create the Registry entry

HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\SSOWatch\HLLAPI

and the three values “HllLibrary”, “HllEntryPoint” and “HLLAPI-32bit”.
