6.9.1 RemoteApp Mode

In RemoteApp mode, the user launches the application from the user console and Privileged Account Manager performs SSO to the application using the SSO module installed on the server. For more information about RemoteApp mode, see the RemoteApp Mode section in the Privileged Account Manager Installation Guide.

The following sections explain how to configure application SSO using RemoteApp mode and how to view application SSO reports:

Configuring RemoteApp Mode

Prerequisite

Ensure that you have completed all the steps mentioned in the section Configuring Application Single Sign-On in the Privileged Account Manager Installation Guide.

Adding a Credential Vault

You must add a credential vault for each application for which you want to enable SSO. To add an Application SSO resource to the vault, click Credential Vault > Application > Application SSO and click + next to Resources in the new administration console.

Adding a Rule

You must add a rule for every application to which Privileged Account Manager must perform SSO.

To add an application SSO rule:

  1. Click Command Control > Rules.

  2. Click Add in the last pane.

  3. Specify a name for the rule and click Add.

  4. To configure the rule, select the rule and click the edit icon in the last pane.

  5. Make the following changes:

    Session Capture: Set this option to ON to enable session capture.

    Video Capture: Set this option to ON to enable video capture.

    Authorize: Select Yes and select Stop if authorized.

    Define what happens next by using the drop-down list as follows:

    • Blank: The next rule in the hierarchy is checked.

    • Stop: No more rules are checked for the command.

    • Return: The next rule to be checked is up one level in the hierarchy from the current rule.

    • Stop if authorized: If Authorize is set to Yes, no more rules are checked for the command.

    • Stop if unauthorized: If Authorize is set to No, no more rules are checked for the command.

    Application SSO: Select Yes.

    If you are creating nested rules, ensure that you set Application SSO to Yes in every rule in the nested hierarchy.

    Application Details: Select the appropriate application SSO vault.

    Application Credentials: Select the appropriate credentials to perform SSO.

    Application Host: Specify the host and the port number that must be included during SSO. You must specify the host and port number in the format <Host Name or IP Address>:<Port Number>.

    This option appears only when you have selected Use Host from Policy when creating the application SSO credential vault.

    Account Domain: Select the domain that you used when configuring the application SSO installation attributes.

    Credentials: Select the domain credential created for SSO.

    Run Host: Select All Host, because Privileged Account Manager performs load balancing when connecting to RemoteApp servers.

    For more information about all the rule configuration fields, see Modifying a Rule.

  6. Click Modify.

  7. Click the command icon in the middle pane.

  8. Drag the Application SSO command and drop it on the application SSO rule.

    If you are creating nested rules, ensure that you drag the Application SSO command and drop it on the parent application SSO rule.

This rule is accessible to all Privileged Account Manager users. To restrict application access to specific users, create a user group and drag and drop the user group onto this rule. For more information about creating user groups, see User Groups.
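
The settings from step 5 and the access note above can be checked mechanically before a rule goes live. The following is an added example, not part of the product documentation or of Privileged Account Manager; the dictionary layout, field names and sample rule are constructed for illustration and are not a Privileged Account Manager export format.

```python
# Added example: lint a rule tree against the settings described above.
# The dict layout is hypothetical (constructed here), not a product format.

def valid_app_host(value):
    """Check the <Host Name or IP Address>:<Port Number> format."""
    host, sep, port = value.rpartition(":")
    return bool(sep and host and port.isascii() and port.isdigit()
                and 1 <= int(port) <= 65535)

def lint_rule(rule, path=""):
    """Return (rule path, finding) pairs for a rule and all nested rules."""
    here = f"{path}/{rule['name']}"
    findings = []
    # Application SSO must be Yes in every rule of a nested hierarchy.
    if rule.get("application_sso") != "Yes":
        findings.append((here, "Application SSO is not Yes"))
    # Without capture, the reports have no keystroke or video audit.
    if not rule.get("session_capture"):
        findings.append((here, "Session Capture is OFF"))
    if not rule.get("video_capture"):
        findings.append((here, "Video Capture is OFF"))
    # Application Host only appears with Use Host from Policy, so it may be absent.
    host = rule.get("application_host")
    if host is not None and not valid_app_host(host):
        findings.append((here, f"Application Host {host!r} is not host:port"))
    # A top-level rule with no user group is open to every user.
    if not path and not rule.get("user_groups"):
        findings.append((here, "no user group: accessible to all users"))
    for child in rule.get("children", []):
        findings.extend(lint_rule(child, here))
    return findings

# Constructed sample: a parent rule with one nested rule.
SAMPLE_RULE = {
    "name": "db-console-sso",
    "application_sso": "Yes",
    "session_capture": True,
    "video_capture": True,
    "application_host": "db01.example.test:1521",
    "user_groups": [],
    "children": [
        {"name": "after-hours", "application_sso": "No",
         "session_capture": True, "video_capture": False,
         "application_host": "db01.example.test"},
    ],
}

if __name__ == "__main__":
    for rule_path, finding in lint_rule(SAMPLE_RULE):
        print(f"{rule_path}: {finding}")
```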

Configuring Application SSO Agents for Load Balancing

In RemoteApp mode, Privileged Account Manager load balances the application SSO requests. For this to work, you must configure the application SSO agents among which the requests must be distributed.

To configure agents for application SSO load balancing:

  1. Click Hosts > Application SSO > Remote App Servers.

    All the agents with the appsso package are displayed.

  2. Select the required agents for load balancing.

    If you do not select any agent, all the listed agents are used for load balancing application SSO requests.

  3. Click Finish.

Viewing Reports

Privileged Account Manager audits all the activities performed in the application SSO session. Based on the rule configuration, the reports can show keystroke and video audits.

To view application SSO reports:

  1. Click Reports > Command Control Reports.

  2. All report instances are displayed. You can interpret the SSO report columns as follows:

    User: Privileged Account Manager user who has logged in to the user console.

    Host: Host where the user console is launched.

    RunAs: The user who logs into the application.

    RunHost: Host to which the application connects. If the application does not connect to any host, an asterisk (*) is displayed.

    Command: Application.

  3. Double-click the appropriate report.

  4. (Conditional) If you have configured video capture, select Output and click Playback to play the audit video.