5.2 Setting Up Application SSO

5.2.1 Prerequisites

  • Application SSO is an add-on option provided by PAM. To use this capability, you must purchase an additional license. For more information, contact NetIQ customer support.

  • Review the platforms supported for Application SSO before installing. For information about the supported platforms, see the System Requirements on the PAM Documentation website.

CAUTION: Before you configure the Application SSO feature, disable Sticky Keys and the Task Manager keyboard shortcut on the Windows hosts that run the SSO sessions. Either one lets the user of a published application reach the session host's desktop (for example, through Task Manager's Run new task) and run processes outside the published application. For more information, see Disabling Task Manager Keyboard Shortcut Keys and Sticky Keys in Windows.

5.2.2 Disabling Task Manager Keyboard Shortcut Keys and Sticky Keys in Windows

You can disable Sticky Keys using Group Policy or through the Windows Control Panel (Ease of Access Center).

To disable Task Manager, and with it the Ctrl+Shift+Esc shortcut, use the Remove Task Manager Group Policy setting (User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options) or one of the following methods:

  1. Open the Registry Editor by typing regedit in the Windows search box on the taskbar and pressing Enter.

  2. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System.

  3. Create a new DWORD (32-bit) value named DisableTaskMgr with the data value 1.

To disable Task Manager using a script, follow the procedure below:

  1. Copy the following text into Notepad (the .reg format requires the version header on its own line, followed by a blank line):

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr"=dword:00000001

  2. Save the file with a .reg extension.

    For example:

    DisableCtrlShiftEscape.reg
  3. In a new Notepad file, enter REGEDIT /s \\servername\share\filename.reg, replacing servername, share, and filename.reg with the location of the file you saved.

  4. Save the file with a .bat extension.

  5. Double-click the saved batch file to import the registry key. Because the key is under HKEY_CURRENT_USER, it applies only to the account that runs the batch file; run it in each account whose sessions are used for Application SSO.

  6. Verify by pressing Ctrl + Shift + Esc: Task Manager must not open.
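The two registry settings above (Task Manager and the Sticky Keys hotkey) together with the verification step, as an added PowerShell example that is not part of the PAM documentation. It assumes it is run inside the Windows account whose session will host the published application, because both keys live under HKEY_CURRENT_USER; the Sticky Keys bit values are the SKF_* flags of the Windows STICKYKEYS structure, and the script reads the current Flags value instead of assuming the default of 510.

```powershell
# Added example, not from the PAM documentation.
# Assumption: run as the Windows account whose session hosts the published
# application. Both keys are under HKEY_CURRENT_USER and therefore apply only
# to the account that runs this script.

$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$StickyKey = 'HKCU:\Control Panel\Accessibility\StickyKeys'
$SKF_STICKYKEYSON = 0x1   # Sticky Keys currently switched on
$SKF_HOTKEYACTIVE = 0x4   # "press Shift five times" hotkey enabled

function Disable-TaskManager {
    # Same value that the "Remove Task Manager" user policy writes. It blocks
    # Ctrl+Shift+Esc, the Ctrl+Alt+Del menu entry and running taskmgr.exe directly.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'DisableTaskMgr' -PropertyType DWord `
        -Value 1 -Force | Out-Null
}

function Disable-StickyKeysHotkey {
    # Flags is a REG_SZ holding a decimal bitmask (default 510). Clear the
    # hotkey bit and the "on" bit; leave every other bit as it is.
    $flags = [int](Get-ItemProperty -Path $StickyKey -Name Flags).Flags
    $flags = $flags -band (-bnot ($SKF_HOTKEYACTIVE -bor $SKF_STICKYKEYSON))
    Set-ItemProperty -Path $StickyKey -Name Flags -Value ([string]$flags)
}

function Test-SsoSessionLockdown {
    # Returns $true only when both escape routes are closed for this account.
    $tm = (Get-ItemProperty -Path $PolicyKey -Name DisableTaskMgr `
            -ErrorAction SilentlyContinue).DisableTaskMgr
    $sk = [int](Get-ItemProperty -Path $StickyKey -Name Flags).Flags
    $state = [pscustomobject]@{
        TaskManagerDisabled = ($tm -eq 1)
        StickyKeysHotkeyOff = (($sk -band $SKF_HOTKEYACTIVE) -eq 0)
    }
    $state | Format-List
    return ($state.TaskManagerDisabled -and $state.StickyKeysHotkeyOff)
}

Disable-TaskManager
Disable-StickyKeysHotkey
if (-not (Test-SsoSessionLockdown)) { throw 'Session lockdown incomplete' }
```

The DisableTaskMgr policy is honored as soon as it is written; the accessibility flags are read at logon, so sign out and back in before testing Ctrl+Shift+Esc and the five-Shift hotkey.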

5.2.3 Installations for Application SSO

Installations for RemoteApp Mode

  • Install the following Remote Desktop (RD) role services in the domain:

    • RD Connection Broker

    • RD Gateway

    • RD Licensing

    • RD Session Host

    For more information about installing the remote desktop role services, see the Microsoft documentation.

  • Install the applications for which you want to allow SSO on all the session hosts.

    Ensure that all the session hosts and applications used for Application SSO are part of the same RD session collection. For more information about configuring the RD session collection, see the Microsoft documentation.

  • Install the PAM agent on all the session hosts that will be used for Application SSO and register the agent with PAM. These are the Application SSO agents.

    For more information about installing and registering the agent, see Installing and Registering a Framework Agent.
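The RemoteApp-mode prerequisites (role services, a single session collection holding every Application SSO host, and the published application), as an added PowerShell example built on Microsoft's RemoteDesktop module; it is not code from the PAM documentation. Server names, the collection name, and the application path are placeholders. It assumes the Remote Desktop Services RSAT tools are installed on the machine running it and that the account is a local administrator on every listed server. The PAM agent installation and registration in the last bullet above remain a separate step.

```powershell
# Added example, not from the PAM documentation. Host names, collection name
# and application path are placeholders for your environment.
Import-Module RemoteDesktop

$Broker       = 'rdcb01.mycompany.com'                             # RD Connection Broker
$Gateway      = 'rdgw01.mycompany.com'                             # RD Gateway
$GatewayFqdn  = 'remote.mycompany.com'                             # name clients connect to
$License      = 'rdls01.mycompany.com'                             # RD Licensing
$SessionHosts = @('rdsh01.mycompany.com', 'rdsh02.mycompany.com')  # RD Session Hosts
$Collection   = 'PAM-AppSSO'

# Installs the Session Host role on every host in $SessionHosts and the Broker
# and Web Access roles on $Broker (the cmdlet requires a Web Access server).
New-RDSessionDeployment -ConnectionBroker $Broker -WebAccessServer $Broker `
    -SessionHost $SessionHosts

# Gateway and Licensing roles are added to the existing deployment.
Add-RDServer -Server $Gateway -Role RDS-GATEWAY -ConnectionBroker $Broker `
    -GatewayExternalFqdn $GatewayFqdn
Add-RDServer -Server $License -Role RDS-LICENSING -ConnectionBroker $Broker
Set-RDLicenseConfiguration -LicenseServer $License -Mode PerUser `
    -ConnectionBroker $Broker -Force

# One collection holding every session host that will run Application SSO.
New-RDSessionCollection -CollectionName $Collection -SessionHost $SessionHosts `
    -ConnectionBroker $Broker

# Publish the application. It must already be installed at the same path on every host.
New-RDRemoteApp -CollectionName $Collection -ConnectionBroker $Broker `
    -DisplayName 'Enterprise App' -FilePath 'C:\Program Files\EnterpriseApp\app.exe'

# Check: the collection contains exactly the intended hosts. No output means they match.
$members = (Get-RDSessionHost -CollectionName $Collection -ConnectionBroker $Broker).SessionHost
Compare-Object -ReferenceObject $SessionHosts -DifferenceObject $members
```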

Installations for Direct Access Mode

  • Install the PAM agent on all the remote Windows servers that will be used for Application SSO and register the agent with PAM. These are the Application SSO agents.

    For more information about installing and registering the agent, see Installing and Registering a Framework Agent.

  • Install the applications for which you want to allow SSO on all the remote Windows servers.

  • You must obtain the appropriate Remote Desktop Services client access licenses (RDS CALs) for the remote Windows server, based on the number of concurrent connections to the server.

5.2.4 Creating an Active Directory User

PAM uses a service account to perform SSO to the target enterprise application. You must create this account as a domain user and add it to the Domain Admins group in Active Directory. Because the account holds Domain Admins rights, use it for nothing else and store its password only in the PAM credential vault.

If you are using RemoteApp mode, ensure that the user has the privileges required to publish the RemoteApp.
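Creating the service account with the ActiveDirectory module, as an added PowerShell example that is not part of the PAM documentation. The account name and domain are placeholders; the Users container is used so that the resulting distinguished name matches the format the adSchema.exe Assign User Rights dialog asks for later in this section. The password is generated at random, shown once so it can be placed in the PAM credential vault, and then discarded.

```powershell
# Added example, not from the PAM documentation. Account name and domain are
# placeholders; the Users container matches the DN format used later in this section.
Import-Module ActiveDirectory

$SamAccount = 'ssouser'
$Domain     = 'mycompany.com'
$Container  = 'CN=Users,DC=mycompany,DC=com'

# 32 random bytes -> 44-character password. This is a Domain Admins credential:
# it exists only in this session, to be entered into the PAM credential vault.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plain  = [Convert]::ToBase64String($bytes)
$secure = ConvertTo-SecureString $plain -AsPlainText -Force

New-ADUser -Name $SamAccount -SamAccountName $SamAccount `
    -UserPrincipalName "$SamAccount@$Domain" -Path $Container `
    -AccountPassword $secure -Enabled $true `
    -Description 'PAM Application SSO service account (Domain Admins, tier 0)'

# Required by Application SSO (see above). Treat the account as tier 0: no other use.
Add-ADGroupMember -Identity 'Domain Admins' -Members $SamAccount

# Verify the membership took effect and record the DN that adSchema.exe expects
# (format: CN=ssouser,CN=Users,DC=mycompany,DC=com).
$user = Get-ADUser -Identity $SamAccount -Properties MemberOf
if (-not ($user.MemberOf -match '^CN=Domain Admins,')) {
    throw "$SamAccount is not a member of Domain Admins"
}
Write-Output "DN for Assign User Rights: $($user.DistinguishedName)"

# Enter $plain into the PAM credential vault, then drop it from memory.
Write-Output "Password for $SamAccount (enter into the PAM credential vault): $plain"
Remove-Variable plain, bytes, secure
```

Run this in an interactive administrator session only; the single Write-Output of the password is the hand-over to the credential vault and should not be captured in a transcript or automation log.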

5.2.5 Extending the Schema and Assigning User Rights

Privileged Account Manager requires Active Directory (AD) or Active Directory Lightweight Directory Services (AD LDS) to store Application SSO scripts. To store the scripts, you must extend the AD or AD LDS schema. After extending the schema, you must assign rights on the new AD or AD LDS objects so that the AD user created for SSO can update them.

Extending the AD Schema and Assigning User Rights

  1. Log in to any server in the domain as a domain administrator.

  2. Copy \Utilities\Schema_Extension_Utility\ADS folder from the PAM ISO to the server.

  3. To extend the AD Schema:

    1. Run the ADS\adSchema.exe file.

    2. Select Extend Active Directory Schema.

    3. Click OK.

    For more information about extending the AD schema, see Extending the Active Directory Schema section in the NetIQ SecureLogin Installation Guide.

  4. To assign user rights to the newly added AD objects:

    1. Run the ADS\adSchema.exe file.

    2. Select Assign User Rights and click OK.

    3. (Conditional) If you have configured secure LDAP (LDAPS) for Active Directory, select AES Encryption.

    4. (Conditional) If you have configured plain LDAP for Active Directory, deselect AES Encryption.

    5. Specify the distinguished name of the AD user that is created for SSO.

      For example, if ssouser is the user created for SSO in the default Users container, specify CN=ssouser,CN=Users,DC=mycompany,DC=com.

    6. Click OK.

      For more information about assigning user rights to AD objects, see Extending the Active Directory Schema section in the NetIQ SecureLogin Installation Guide.

Extending the AD LDS Schema and Assigning User Rights

  1. Log in to the AD LDS server as a domain administrator.

  2. Copy \Utilities\Schema_Extension_Utility\ADAM from the PAM ISO to the server.

  3. Run the ADAM\AdamConfig.exe file and follow the on-screen prompts to extend the AD LDS schema.

    For more information about extending the AD LDS schema, see Extending the Schema by Using ADAM Configuration Wizard section in the NetIQ SecureLogin Installation Guide.

  4. Run the ADAM\SyncAdam.cmd file to synchronize AD data with the AD LDS instance.

    For more information about synchronizing AD and AD LDS instances, see Synchronizing Data from Active Directory to an ADAM Instance section in the NetIQ SecureLogin Installation Guide.

5.2.6 Configuring Application SSO

Create an SSO Credential Vault

You must create a credential vault for the AD and add the AD user that is created for SSO.

For more information about creating a credential vault and adding credentials, see the Contextual Help of Credential Vault.

Configuring Installation Attributes

You must configure the following installation attributes before installing the AppSSO package:

  1. Log in to the PAM administration console.

  2. Click Hosts > Application SSO.

  3. Select the following:

    • Install Mode:

      Select Microsoft Active Directory (AD), if you are using AD to store Application SSO scripts.

      Select Microsoft Active Directory Lightweight Directory Services (AD LDS), if you are using AD LDS to store Application SSO scripts.

    • Enable SSO to Java Applications: Select this option when you want to enable SSO to Java applications.

      If you enable SSO to Java applications, ensure that JRE 1.7 or later is installed on each Application SSO agent.

    • Account Domain: Select the appropriate credential vault.

    • Credential: Select the AD user created for SSO.

  4. Click Finish.

Installing Application SSO Package

You must install the appsso package on all the servers that are used for Application SSO. The first server on which you install the appsso package becomes the primary Application SSO agent. The primary Application SSO agent contains the SecureLogin Manager component.

NOTE: Installing the appsso package requires a computer reboot at several stages of the installation. Plan for downtime before installing it.

To install appsso package:

  1. Add the appsso package to the package manager.

    For steps to download and add packages to the package manager, see Publishing Packages on the Package Manager.

  2. Install appsso on all the Application SSO agents.

    For more information about installing a package on the Application SSO agent, see the Installing Packages on a Host section of the Privileged Account Manager Administration Guide.

Configuring the Passphrase

Passphrases are unique question and answer combinations created to verify and authenticate the identity of a user. Passphrases protect user credentials from unauthorized use. For more information about passphrase, see the Setting Up a PassPhrase section in the NetIQ SecureLogin Installation Guide.

To set up the passphrase:

  1. Log in to the primary Application SSO agent as a domain administrator.

  2. Launch SecureLogin.

  3. In the Passphrase Setup dialog box, specify the required details.

  4. Click OK.

Configuring Application SSO Scripts

Application SSO scripts are used to identify the application authentication fields for SSO. PAM provides sample scripts for a few applications that you can import easily. In addition, you can also create application SSO scripts for any enterprise application using the wizard provided by PAM.

Importing Application SSO Scripts

PAM provides sample application scripts for a few applications that you can import. After importing these scripts, you must assign these scripts to the AD user created for SSO.

To import application SSO scripts and assign scripts to the AD user created for SSO:

  1. Log in to the primary Application SSO agent as a domain administrator.

  2. Copy the sample SSO scripts Sample_Scripts\SSO\SSO_Sample_Scripts.xml from the PAM ISO to the Application SSO agent.

  3. Launch SecureLogin.

  4. Launch SecureLogin Manager.

  5. Expand the domain.

  6. Expand the appropriate organizational unit (OU), then select the AD user created for SSO.

  7. Select Distribution > Load > OK.

  8. Select All Files (*.*), then select the appropriate XML file for importing the SSO script.

  9. Click Open.

  10. Click Yes in the warning message to upgrade the datastore version.

  11. Click OK.

For more information about importing Application SSO scripts, see the Exporting and Importing Predefined Applications and Application Definitions section of the NetIQ SecureLogin Application Definition Guide.

Creating Application SSO Scripts

If you do not have a script for an application, you can create the Application SSO script using the wizard provided by PAM. After creating the script, you must assign the script to the AD user created for SSO.

To create an Application SSO script and assign script to the AD user created for SSO:

  1. Log in to the primary Application SSO agent as a domain administrator.

  2. Launch SecureLogin.

  3. Create the Application SSO script:

    1. Launch the application for which you need to create the Application SSO script.

    2. Click the notification that appears in the system tray and select Yes, I want to single sign enable the screen using the wizard.

    3. Follow the on screen prompts to create the Application SSO script and click Apply.

      For more information about creating an Application SSO script using the wizard, see the Using Application Definition Wizard section of the NetIQ SecureLogin Application Definition Wizard Administration Guide.

    4. Double-click the SecureLogin icon in the notification area.

    5. Click Applications and double-click the required application.

    6. Click Definition > Convert to Application Definition

    7. Insert SetRestPlat -method "PAM" before the Type commands so that the credentials are supplied by PAM. Some applications, such as Remote Desktop Connection, prompt for the host name and port in one dialog box and for the login credentials in another; in that case, include the SetRestPlat -method "PAM" command once for every dialog box.

      For example,

      SetRestPlat -method "PAM"
      Type #21 $host
      Type #22 $port
      
      SetRestPlat -method "PAM"
      Type #40 $username
      Type #44 $password

      For more information about editing Application SSO scripts, see the Modifying Predefined Applications and Application Definitions section of the NetIQ SecureLogin Application Definition Guide.

    8. Click OK.

  4. Assign the Application SSO scripts to the AD user created for SSO:

    1. Launch SecureLogin Manager.

    2. Click Distribution > Copy.

    3. Specify the AD user object created for SSO in the Destination Object. For example, if the AD user is ssouser, you must specify the user object as CN=ssouser,CN=Users,DC=mycompany,DC=com.

    4. Click OK and select the application scripts that must be copied.

    5. Click OK.

Configuring the User Preference

After creating Application SSO scripts, you must modify the following user preferences to improve security. They hide the SecureLogin client from the user of the SSO session so that it cannot be opened or reconfigured from inside the session.

To modify the user preference:

  1. Log in to the primary Application SSO agent as a domain administrator.

  2. Launch SecureLogin.

  3. Launch SecureLogin Manager.

  4. Expand the domain.

  5. Expand the appropriate organizational unit (OU), then select the AD user created for SSO.

  6. Select Preferences and set the value as follows:

    • Set Display splash screen on startup to No.

    • Set Display system tray icon to No.

    • Set Wizard Mode to Disabled.

    • Set Enable passphrase security system to Hidden.

  7. Click OK.

  8. Log out and log in to the same server as a domain administrator.

  9. Launch SecureLogin.

  10. Click OK on the SecureLogin message to accept the passphrase preference changes.

Installing Certificates

You must secure the communication between the Application SSO agent and the PAM manager by installing SSL/TLS certificates.

You can use one of the following types of certificate:

Certificate Authority (CA) Signed Certificates

For the CA signed certificate, you can create the certificate signing request from PAM, get it signed from a CA, and install the certificate.

To install CA signed certificate, perform the following:

  1. Create a certificate signing request for the PAM administration console.

    If you have multiple PAM administration consoles, create a certificate signing request from each console. For steps to create a certificate signing request, see Requesting a Certificate for the Framework Manager Console.

  2. Get the certificates of all PAM administration consoles signed by your CA.

  3. Install the CA signed certificates in all PAM administration consoles. For steps to install the CA signed certificates in your administration console, see Installing a Certificate.

  4. Install the certificate of the CA that signed the console certificates (and of any intermediate CA in the chain) in the Trusted Root Certification Authorities store on all the Application SSO agents. The CA signed console certificate itself is a leaf certificate and must not be installed as a root.

Self-Signed Certificate

To install the self-signed certificate, perform the following:

  1. Launch the PAM administration console.

  2. Export the console's self-signed certificate from the TLS session (for example, from the certificate viewer of your browser after connecting to the console) and confirm its thumbprint against the certificate on the console host before you trust it.

  3. Install the self-signed certificate as a trusted root CA on all the Application SSO agents.

    If you have multiple PAM administration consoles, get the self-signed certificate from each console. You must install all the self-signed certificates on all the hosts used for Application SSO.
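Fetching each console's certificate from the TLS handshake and placing it in the machine Trusted Root store on an Application SSO agent, as an added PowerShell example that is not part of the PAM documentation. The console host names, the port, and the expected thumbprints are placeholders; the thumbprints are meant to be read on the console hosts themselves, so that a certificate presented by something on the network path is rejected instead of being trusted on first use. The same Install-PinnedRootCertificate function also serves the Windows Manager step under Verifying and Installing LDAP Certificate Authority Certificates when given the LDAP CA's .cer file, and the CA-signed procedure above when given the CA certificate.

```powershell
# Added example, not from the PAM documentation. Host names, port and
# thumbprints are placeholders.

function Get-RemoteTlsCertificate {
    param([string]$HostName, [int]$Port = 443)   # port is an assumption
    # Open a TLS session only to read the certificate. Validation is bypassed
    # here on purpose: the certificate is not trusted yet, the pin check below decides.
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
            $ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Install-PinnedRootCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$ExpectedThumbprint   # SHA-1 fingerprint confirmed out of band
    )
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($Certificate.Thumbprint -ne $expected) {
        throw "Refusing to trust $($Certificate.Subject): thumbprint " +
              "$($Certificate.Thumbprint) does not match $expected"
    }
    # Machine store, not the current user's: the PAM agent runs as a service.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
        'Root', 'LocalMachine')
    $store.Open('ReadWrite')
    try { $store.Add($Certificate) } finally { $store.Close() }
}

# Every PAM administration console, with the thumbprint read on that console host.
$Pinned = @{
    'pam01.mycompany.com' = '0000000000000000000000000000000000000000'   # placeholder
    'pam02.mycompany.com' = '1111111111111111111111111111111111111111'   # placeholder
}

foreach ($console in $Pinned.Keys) {
    $cert = Get-RemoteTlsCertificate -HostName $console
    Install-PinnedRootCertificate -Certificate $cert -ExpectedThumbprint $Pinned[$console]
    # Chain validation against the machine store must now succeed.
    if (-not $cert.Verify()) { throw "Certificate for $console still does not validate" }
}

# For a CA certificate delivered as a file (LDAP CA, or the CA that signed the
# console certificates), load it and pin it the same way:
# $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2('C:\certs\ldap-ca.cer')
# Install-PinnedRootCertificate -Certificate $ca -ExpectedThumbprint '<thumbprint from the CA>'
```

Run it elevated on each Application SSO agent. A thumbprint mismatch aborts before anything is written to the store, which is the behaviour you want if a proxy or an attacker terminates TLS between the agent and the console.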

Verifying and Installing LDAP Certificate Authority Certificates

The credential vault configuration includes a check box to enable or disable certificate verification for LDAP credential vaults. If you enable certificate verification, you must install the CA certificate that issued the LDAP server certificate on the PAM manager, as follows.

Linux Manager

  1. Place the LDAP CA certificate in the /etc/ssl/certs/ folder.

  2. Run c_rehash so that OpenSSL can locate the certificate by its subject hash.

  3. Restart Privileged Account Manager service using /etc/init.d/npum restart command.

Windows Manager

  1. Add the LDAP CA certificate to the computer's Trusted Root Certification Authorities store:

    1. Right-click the certificate file (.cer).

    2. Select Install Certificate and, in the wizard, choose Local Machine as the store location and Trusted Root Certification Authorities as the store. The PAM manager runs as a service, so a certificate installed in a user's own store is not used.

      NOTE: You can also use the certificate management console (certlm.msc, or mmc with the Certificates snap-in for the computer account) and import the CA certificate into the Trusted Root Certification Authorities store.

SLES

Copy the CA certificate to /etc/pki/trust/anchors, the directory for trust anchors added by administrators, and run update-ca-certificates.

RHEL

To add a certificate in PEM or DER format to the system CA trust list:

  1. Copy the certificate file to the /etc/pki/ca-trust/source/anchors/ directory.

  2. Run update-ca-trust extract.