Going In Depth with Oracle ESSO-LM Administrative Console (formerly Passlogix SSO)

Categories: Oracle, Password Management, Single Sign On

Last month I wrote a blog post that touched upon customizing the Oracle Enterprise Single Sign-On Password Reset MSI. This month marks the first of four in-depth posts covering the following Oracle ESSO (formerly Passlogix SSO) components: the Oracle ESSO-LM Administrative Console, the ESSO-LM Agent, the ESSO-PG extension, and the ESSO-PR component.

Before beginning any installation of the Oracle Logon Manager, you need to answer three important questions: where will the data be stored, which features should be enabled and configured for the Logon Manager, and how will the user interact with the Agent? While the answers differ between deployment environments, all three are configured within the ESSO-LM Administrative Console.

The Oracle ESSO-LM Administrative Console MSI is included in the ESSO Suite, located in the same directory as the Logon Manager Agent MSI. It is the tool administrators use to configure how the ESSO-LM Agent will function in a production environment.


As can be seen above, there are many sections for configuring Oracle ESSO-LM to operate with other Enterprise SSO products, such as the ESSO Kiosk Manager and the ESSO Universal Access Manager. We'll be looking primarily at the sections that pertain most to ESSO-LM.


The Applications section is where administrators create the templates that Oracle ESSO-LM responds to. For each template you can choose which ESSO-LM password policy it follows, which method of credential capture to use (silent or non-silent), and many other features shown in the picture below. Each tab covers a specific aspect of the template and allows a wide range of customization on a template-by-template basis. Once created, templates are published to the environment's repository, where the Logon Manager Agents retrieve them.


The Password Generation Policies section allows an administrator to define a custom policy for templates to use during a password change. If an application has a password change template, Oracle ESSO-LM will only allow the change to succeed if the new password satisfies the requirements of the chosen policy. Different applications may use different password policies, and they are all created here. Like templates, these policies are published to the repository so the ESSO-LM Agents can retrieve them.


Exclusions allow administrators to prevent certain usernames from being saved by the Oracle Logon Manager. For instance, if you do not want users storing credentials for accounts named Admin, Administrator, or Root for certain applications, you can create an exclusion policy. Users can then still use the Logon Manager for their accounts, except for those whose usernames are excluded. If credentials were stored under an excluded username before the policy was published, the Logon Manager identifies and removes those credentials from both the Agent and the repository.


The Global Agent Settings are the registry settings used to determine the ultimate functionality of the Oracle Logon Manager.  You can configure many important features here:

Communication with the repository

How the Agent stores and cleans the local credential cache after the Agent is shut down

If the First-Time-Use wizard is initiated

How the credential data is encrypted

What the user is allowed to do within the Agent itself

The above is just a small sample of how you can configure the Oracle ESSO-LM Agent. These settings can be written to the registry of the local machine where the Administrative Console is running, or they can be saved to a file for use elsewhere. The 'Live' settings, highlighted above, can also be used during the creation of a custom ESSO-LM Agent MSI, so that the selected settings are written to the registry automatically when the Agent is installed.


The Repository section allows administrators to browse the repository (the repository displayed above is an Active Directory) along with the Enterprise SSO data stored within it.


Lastly, as briefly mentioned above, the Administrative Console allows administrators to generate custom MSIs for the Oracle ESSO-LM Agent. These customized MSIs can carry the 'Live' settings, so that a straight install from the custom MSI yields a fully functioning Logon Manager Agent. This is an excellent tool if you are planning a mass deployment of the product!

That's all for now. I hope you enjoyed this brief walkthrough of the ESSO-LM Administrative Console. Next month, I'll be covering the ESSO-LM Agent. As always, if you have any questions or comments regarding what you've read, feel free to comment below.


Action Identity has certified Passlogix SSO deployment engineers who have deployed this product for various customers across all types of industries. As Passlogix deployment engineers, we were deploying Oracle ESSO before it was known by that name. Among the many versions of ESSO we offer are Oracle ESSO Logon Manager (ESSO-LM), Oracle ESSO Password Reset (ESSO-PR), Oracle ESSO Kiosk Manager (ESSO-KM), Oracle ESSO Authentication Manager (ESSO-AM), and Oracle ESSO Provisioning Gateway (ESSO-PG).


Interested in learning more about ESSO? Check out these other entries: 

http://www.actionidentity.com/blog/post.cfm/oracle-s-esso-pr-customizing-the-password-reset-msi
http://www.actionidentity.com/blog/post.cfm/optimizing-drivers-that-involve-multiple-information-resources
http://www.actionidentity.com/blog/post.cfm/making-direct-soap-calls-within-the-novell-idm-soap-driver
http://www.actionidentity.com/blog/

18 responses to “Going In Depth with Oracle ESSO-LM Administrative Console (formerly Passlogix SSO)”

  1. Ghassem Says:
    Dear AI,
    I have a problem setting the configuration of OESSO (Oracle Enterprise Single Sign-on). I have searched the internet for about a month to solve it but I couldn't, so I decided to ask you and I hope you can help me.
    I downloaded the Oracle Enterprise Single Sign-on Suite Plus (11.1.1.5.0) from http://download.oracle.com/otn/nt/middleware/11g/111150/ofm_esso_win_11.1.1.5.0_disk1_1ofn.zip and tried to install it. I succeeded in installing ESSO-LM and the ESSO Console and they have worked properly, but when I install ESSO Provisioning Gateway and try to access the Provisioning Gateway Web Service to manage users' credentials centrally I get "The application list object is missing or corrupt." or "The application list object is empty." errors.
    I'll appreciate it if you help me to solve it.
    GHASSEM
  2. Technical Consultant Says:
    Ghassem,

    Provisioning Gateway heavily depends on how the data is stored within the repository (Active Directory in most cases). If you have set up ESSO-LM to store data under the user object within AD, you will need to check the 'Locate in User' option. Also, if you are using Configuration Objects, you will need to check that option in the storage settings and then enter the location where they are stored in LDAP format.

    I hope this helps!
  3. Sudhir Says:
    Hi,
    Need some help: we have ESSO deployed with Active Directory, and recently, with the Windows 7 deployment, ESSO launches and asks for a passphrase key after logon. Could you please let us know in what situations this happens?
    Appreciate your help.
    Sudhir
  4. Technical Consultant Says:
    It sounds as though when you installed Oracle ESSO-LM, you selected the default Windows Logon v2 authentication. This method of authentication uses an auxiliary pass-phrase in the form of a pin.

    In order to avoid this mode of operation, uninstall this product. During the re-install, deselect the Windows Authentication v2, and instead select the original 'Windows Authentication' as the primary method of authentication. This mode will allow ESSO-LM to authenticate against a user's Active Directory login alone.

    If you have any additional questions, feel free to contact me! I'll be glad to help you out.
  5. Gokhan Says:
    Hi

    We are facing some problems when an ESSO-LM user changes their Windows logon password. If a user changes the Windows logon password, ESSO-LM asks for the new password, but when the new password is entered, the "OK" button does not become active or it says "ESSO-LM cannot initialize your password reset method".

    I hope that the Technical Consultants can help me to fix this issue.

    Regards,
  6. Technical Consultant Says:
    I have run into this issue multiple times in older revisions of the product. What is the current version of the LM software you are using? Also, which authentication methods did you select during installation (for example: Windows Authentication v1, Windows Authentication v2, Smartcard, etc.)?

    Let me know, and I'll do my personal best to ensure that your issue is resolved!
  7. Gokhan Says:
    It is ESSO-LM 11.1.1.5.0 and the authentication Method is Windows Authentication (v1).

    This issue appears only when a user changes their Windows logon password. Then ESSO asks for the new password when it tries to log on to any application and generates the messages described in my previous entry.

    Your help will be very much appreciated.

    Regards,
  8. Technical Consultant Says:
    This seems like it will require more than just conversing back and forth on the blog. Please contact AI using this form and we'll see what we can do: http://www.actionidentity.com/contact
  9. ESSO Guru Says:
    I'm sorry but comment #4 is incorrect in this instance. WinAuth v1 should not be used under any circumstances, in fact it's likely to be removed from future versions.

    If you do not want to use the passphrase you should install and enable the passphrase suppression components, and disable the option for users to change the passphrase. That way, you can continue to use the more secure WinAuth v2 authenticator without having users bugged for a passphrase.
  10. ESSO Says:
    Hi, can anyone tell me how the ESSO Provisioning Gateway works?
  11. Technical Consultant Says:
    Hi There,

    Can you give us a bit more information as to what you're looking for?
  12. ESSO Says:
    Hi,
    First, thanks for your reply. Actually I am new to ESSO PG. I have read that the ESSO PG server, ESSO PG client, Microsoft IIS server, a repository and ESSO LM are the components of ESSO PG. I want to know the working of each component and the flow of data among them.
    Why do we need the Microsoft IIS server?

    And one more question: in the ESSO LM admin console, if we define password policies for templates and those policies differ from the policy supported by a particular application, then what kind of conflicts will arise and what is the solution to this?

    Thanks in advance
  13. Technical Consultant Says:
    I'm glad to hear that you are interested in the ESSO-PG. The purpose of the IIS server is to allow the Provisioning Gateway Administrative Console to be accessible via the intranet/internet. Any administrator needing access to provision a logon template to a user can easily navigate to the admin console via web-browser. The client-side component extends the functionality of the Logon Manager so that it can communicate with the Provisioning Gateway server. Whenever an add/modify/delete command is invoked from the server, the LM with the PG extension will acknowledge the command, and return a message to the server, to confirm the action occurred.

    As for the password policy, the policy must agree with the pre-existing policy. For instance, some applications do not allow the '$' or '|' characters. You may create a password policy for this application that allows the use of these characters. However, it will not function properly. A password that suits the Logon Manager's password policy will pass through LM, but will not be accepted by the target application. If you have created only a password change template for this application, it will be stored in the Logon Manager wallet, which is ultimately rejected and will cause the agent to ask you to re-enter the password at the login screen. This is why there are the Password Success and Password Failure templates. By creating these templates, the LM becomes aware of an attempted password change outcome. So, if a password change attempt fails, the credentials do not immediately go into the wallet, as they did before. This creates a more flexible and intelligent solution.

    I hope this information has helped! If you have any additional questions, feel free to message me through www.actionidentity.com
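As an added example (not Oracle's code, and not the console's actual policy format), the following Python models the point made in the Password Generation Policies section above and in the reply just before: a generation policy that permits characters the target application rejects yields passwords the application refuses, and the fix is to publish a policy no more permissive than the application's. The `PasswordPolicy` class, its rule names and the `reconcile` helper are assumptions of this example.

```python
import secrets
import string

# Hypothetical model of a password generation policy (added example, not the
# ESSO-LM console's own data format): length bounds, minimum digit and special
# counts, and the set of special characters the policy permits.
class PasswordPolicy:
    def __init__(self, name, min_len, max_len, min_digits=0,
                 min_special=0, allowed_special="!@#$%^&*|"):
        self.name = name
        self.min_len, self.max_len = min_len, max_len
        self.min_digits, self.min_special = min_digits, min_special
        self.allowed_special = allowed_special

    def violations(self, password):
        """Return the rules the password breaks (an empty list means accepted)."""
        bad = []
        if not self.min_len <= len(password) <= self.max_len:
            bad.append("length")
        if sum(c.isdigit() for c in password) < self.min_digits:
            bad.append("digits")
        specials = [c for c in password if not c.isalnum()]
        if len(specials) < self.min_special:
            bad.append("special count")
        if any(c not in self.allowed_special for c in specials):
            bad.append("forbidden special")
        return bad

    def generate(self):
        """Build a random password satisfying this policy (CSPRNG via secrets)."""
        rng = secrets.SystemRandom()
        chars = [rng.choice(string.digits) for _ in range(self.min_digits)]
        chars += [rng.choice(self.allowed_special) for _ in range(self.min_special)]
        alphabet = string.ascii_letters + string.digits + self.allowed_special
        while len(chars) < self.min_len:
            chars.append(rng.choice(alphabet))
        rng.shuffle(chars)
        return "".join(chars)

def reconcile(lm_policy, app_policy):
    """Derive the strictest combination so generated passwords satisfy both."""
    specials = "".join(c for c in lm_policy.allowed_special
                       if c in app_policy.allowed_special)
    min_special = max(lm_policy.min_special, app_policy.min_special)
    if min_special and not specials:
        raise ValueError("policies share no permitted special character")
    return PasswordPolicy(f"{lm_policy.name}+{app_policy.name}",
                          max(lm_policy.min_len, app_policy.min_len),
                          min(lm_policy.max_len, app_policy.max_len),
                          max(lm_policy.min_digits, app_policy.min_digits),
                          min_special, specials)
```

A password such as `Xy7abcd$` passes a Logon Manager policy that allows `$` but fails an application policy that only allows `!` and `#`; the reconciled policy only ever generates passwords both accept.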
  14. ESSO Says:
    Hi,
    Thanks a ton again. Now I have some problems configuring the PG server and client on Windows Server 2008. I don't have any tutorial or guide available from which I can get help.
    The Oracle website provides an installation guide for these components that is only for Windows 2003 Server. So can you please provide me anything related to the installation and configuration of ESSO PG on Windows Server 2008?

    Thanks in advance
  15. ESSO Says:
    Hi,
    I am using Windows Server 2008 (machine1), on which I have installed Active Directory, the LM console and the LM agent. And now on another Windows Server 2008 machine (machine2) I have configured the IIS server and installed the ESSO PG server.
    I have created a user in Active Directory (a dedicated Anonymous User account through which Provisioning Gateway users and administrators access Provisioning Gateway Web Services) and made it a member of Administrators and Domain Users. I have also made machine2 a member of the Active Directory domain.
    Now I want that user to access the Provisioning Gateway web service. How can I provide access to that user?
    If we are using Windows Server 2003 then there is an option in IIS Server Manager > (Domain name) > Website > Default Websites > v-GO-PM console > Properties > Directory security > Authentication and access control > Allow anonymous authentication.
    But my question is, where do we add this option in Windows Server 2008, and, for allowing anonymous authentication, where do we add the user's credentials that we created in AD?
  16. ESSO Says:
    Hi,
    I am getting this error while trying to access the ESSO PG web services.

    The request failed with HTTP status 403: Forbidden.

    Please provide me a solution to this problem.
    Thanks in advance
  17. ESSO Says:
    Hi,
    Please help me to find the solution to this problem.
    I am trying to use the ESSO PG server web service. When I browse to the logon.aspx page, log on to it and try to configure the storage type, I get the error "can't connect to the directory".
    Please let me know the possible causes of this error.
    If you want to know the complete information about the configuration of the PG server, please let me know.

    Thanks in advance
  18. Technical Consultant Says:
    Please contact us through http://www.actionidentity.com/contact

    Thanks
