Description

About the Indeed AM ESSO Agent

The Indeed Enterprise Single Sign-On implements the Single Sign On uniform login technology in the organization IT systems. It stores user application passwords centrally and automatically fills in those passwords in hidden form to log in to the required applications or to perform other actions that require authentication. The Indeed AM ESSO Agent facilitates the authentication procedure by eliminating the need to enter the password manually or to change the password on a regular basis.

Supported applications

The Indeed Enterprise Single Sign-On technology is used with Windows and Web applications. It is configured without interfering with either server or client part of the target application. Support for a new application requires creating a special template in .xml format. The template defines the application forms that are to be managed by the Agent. Access management stipulates for repeat of authentication request, filling in the certain fields with account data (username and password), activating of required control elements (clicking the “Login” button), recording of the event to log file etc.

Supported authentication technologies

Indeed Enterprise SSO supports alternative authentication technologies, besides the standard one, implemented in the most of the Single Sign-On products - universal master password. These alternative technologies are: two-factor authentication, biometric authentication, certificates, proximity cards, one-time passwords, sms technologies etc. Each category of Indeed AM Enterprise SSO users can be configured to use the preset authentication technology only. The following technology combinations are also supported:

  • authentication technology, adapted for remote use
  • multi-factor authentication.

Installation

Installation of the component is carried out at user workstations. Local administrator privileges are required for the component installation.


To deploy the Indeed AM Enterprise SSO Agent at user workstations in automatic mode, the group policy mechanism (Microsoft Group Policy) can be used. Or you can use any other tool that allows batch copying and installation of msi packages to user workstations (for example, Microsoft System Center Configuration Manager).

  1. Run the IndeedID.Enterprise SSO.Agent.msi file and follow the Installation wizard instructions.
  2. After the installation is complete, system restart is necessary. Click Yes to restart the system immediately or No, if you plan to do this later manually.

Files for installation Indeed AM SSO Agent placed:indeed AM\Indeed AM Enterprise SSO\<version number>\

  • IndeedID.ESSO.Agent.en-us.msi - installation package for Indeed AM SSO Agent on 32 bit OS.
  • IndeedID.ESSO.Agent.x64.en-us.msi  - installation package for Indeed AM SSO Agent on 64 bit OS.

Setting up a connection to an AM Server

Configuration from regedit

  1. Open regedit Windows.
  2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Indeed-ID\SrvLocator2.
  3. Change string parameter ServerUrlBase and set URL your Indeed Access Manager Server (example http(s)://dc.indeed-id.local/easerver/).

Configuration from GPO


Group Policy Templates placed: indeed AM\Misc\GroupPolicyTemplates

Add policy IndeedID.ServerUrl.admx on workstantion, with installed indeed AM Windows Logon.

Open gpedit.msc and go to Computer Configuration - Administrative templates - Indeed ID - Client Connection - Server connection settings. Enable policy.

In field "AM Server URL address" set URL your Indeed Access Manager Server (example http(s)://dc.indeed-id.local/easerver/).

Configuring the Indeed ESSO web plugin

Indeed AM ESSO Agent uses web plugin for Internet Explorer, Mozilla Firefox and Google Chrome browsers when working with web applications.

Internet Explorer

The Indeed AM Enterprise SSO Helper for Internet Explorer add-on is installed along with the Indeed AM ESSO Agent. To use the add-on, please activate in your browser. If the add-on does not appear in the browser after installation of Indeed AM ESSO Agent, proceed as follows:

  1. Switch to Internet options-> Advanced -> Browsing section and activate the Enable third-party browser extensions option.
  2. For server operating systems, in addition to item 1, switch to Server manager -> Loсal server and disable Internet Explorer Enhanced Security Configuration (IE ESC).

For bulk changing of Internet Explorer add-on parameters, use the Windows group policies.

The necessary policies are located in Local Group Policy Editor (gpedit.msc), section User Configuration\Administrative Templates\Windows Components\Internet Explorer.

  1. Activate the Automatically activate newly installed add-ons policy to enable web plugin automatically.
  2. To prohibit add-on deactivation by users, disable the Do not allow users to enable or disable addons policy.

Mozilla Firefox

The Indeed AM ESSO extension is installed along with the Indeed AM ESSO Agent. To use the extension, please activate in your browser.

Google Chrome

The Indeed AM ESSO extension is installed manually or automatically via group policy mechanism of Microsoft Windows.

Installation from Chrome Web store

  1. Install the Indeed AM ESSO Agent to workstation with Internet access.
  2. Run Google Chrome.

The extension shall be downloaded automatically within 1 minute. After the extension is downloaded, access to Internet is not required anymore. The extension should be activated in your browser.

Downloading and activation of extension should be carried out for every Windows session of the user. If the extension was removed from the browser manually, then it
has to be downloaded from Chrome Web store to install again.


Available at https://chrome.google.com/webstore/detail/indeed-id-esso/lcjenjmcehnkfkghcflkfialplejjkdj

Installation via group policy mechanism

The Indeed AM ESSO propagated by group policies is installed for all users of the workstation. Internet access is not required for installation.

To configure a group policy to install the Indeed AM ESSO extension, proceed as follows:

  1. Create a web application with arbitrary name, say, chromeplugin, in IIS Manager, define the DefaultAppPool application pool and Anonymous Authentication for it.
  2. Place the lcjenjmcehnkfkghcflkfialplejjkdj.crx and update.xml files to the application folder (the files are in the Indeed Enterprise Single Sign-On\\Misc\ChromePlugin folder of the installation package).
  3. In the MIME Types section of the website with chromeplugin application add a new type with .crx extension and application/chrome description.
  4. Configure a secure https connection for chromeplugin application and make sure that it is reachable
    from user workstations.
  5. Add the adm/admx templates to local / central administrative template storage of domain controller and create a new group policy object with an arbitrary name in Group Policy Management instrument.
  6. Open the created object for editing and switch to Computer Configuration -> Administrative Templates -> Google -> Google Chrome -> Extensions section.
  7. Enable the Configure the list of force-installed apps and extensions policy and define the application identifier (indicated in the .crx file name) and path to .xml file in the folder of chromeplugin web application, created at step 2. Save the changes. 
  8. Enable the Configure extension, app, and user script install sources policy and indicate the address of the server, where the chromeplugin web application, created at step 2, is deployed. Save the changes. 
  9. Set the group policy object scope to user workstations with Indeed AM ESSO Agent installed.
  10. The extension is downloaded and installed automatically after the group policy is applied to the workstation. It might take up to several minutes for the extension to appear in the installed extension list. The extension installed via group policies is marked with the special symbol .

Indeed Enterprise Single Sign-On task

The Indeed Enterprise Single Sign-On task is to monitor application starts and to fill in the fields and forms automatically with data required to access the application: username, password etc. Automatic filling up takes place only after user identity verification using supported authentication technology. Thus, Indeed Enterprise Single Sign-On spares the users the need to memorize, write down, store and enter passwords manually to login to an application. Due to centralized storage of SSO profiles, users can access their
applications from any workstation with Indeed AM ESSO Agent installed. As Indeed AM ESSO Agent supports the authentication technologies adapted for terminal environment and not requiring additional equipment, it can be used on virtually any computer, including slim clients on the basis of Windows CE, Linux, Wyse etc.

Uniform login to applications using the Indeed authentication technology

Access to applications using an authenticator becomes possible after configuring the application account, user profile and registering an authenticator itself. To access and application using the Indeed AM authentication technology, proceed as follows:

  1. Login to workstation. The taskbar shows a popup notification of SSO session start. 
  2. .Indeed AM ESSO Agent starts up automatically upon operating system logon. To start it manually, use Indeed AM > Enterprise SSO > Enterprise SSO - Agent item in Programs menu.

Selection of target application

To select the target application, please do one of the following:

  1. Press [Ctrl]+[Alt]+[Q] or run the Indeed AM Enterprise SSO Agent application by double-clicking the  icon in the Windows notification bar.
  2. Open the Indeed-indeed AM ESSO Agent context menu by right-clicking the  icon in the Windows notification bar and select Quick start... item.

The Select an application window shows the applications that are allowed to run with Indeed AM ESSO Agent. The appearance of the Quick start... window is defined by ESSO applications’ settings.

Next picture shows the situation, where the target application has only one executable file.

If there are several SSO accounts defined for one target application, then it is necessary to select an account after application selection.

If an application contains several components, then executable files of each component are grouped under a single name in the quick launch panel for more convenience. Next screenshot shows an example of grouping the several IBM Notes components under the single name of IBM Lotus Notes.

After the application is selected, it is necessary to select an account for it.

Authentication

To authenticate in an application, proceed as follows:

  1. Select the username and login method. By default, the operating system offers the last method used. Follow the instructions, appearing on the screen and provide the authenticator when prompted. If you have several authenticators, you can use any of those.
  2. To select an authenticator, click Switch authentication method. 
  3. After authentication, the login window of the target application displays. The “Username” and “Password” fields are automatically filled in with the data defined during SSO account creation. Then login to application is performed.
    Besides automatic filling, manual entering of credentials is also available. Username and password, entered upon the first login to application, are stored and filled in automatically upon the next login attempt. If authentication is cancelled, then login to application is not performed. The current application form or the application itself is closed.
  4. If an administrator defines that the application can be started using Indeed AM ESSO Agent only and authentication is required to login to application, then authentication cancellation results in error message. 

Access to target applications is regulated by administrative settings. Some applications can be prohibited to run by the ESSO administrator. These applications are not available in the Select an application window of Indeed AM ESSO Agent. An attempt to run the prohibited application results in the following error message: “A device attached to the system is not functioning”.

Changing of user accounts

To change ESSO account, proceed as follows:
1. Login to the operating system and open the context menu of Indeed AM ESSO Agent:

  • Press [Ctrl]+[Alt]+[Q] or run the Indeed AM Enterprise SSO Agent application by double-clicking the  icon in the Windows notification bar.
  • Open the Indeed-indeed AM Enterprise ESSO Agent context menu by right-clicking the  icon in the Windows notification bar and select Switch user... item.

2. In the Login to SSO window select the necessary user account or Automatic identification item, if it is enabled.

3. Perform authentication with the authenticator for the selected user account. If authentication is successful, the ESSO Agent opens a SSO session for the user.

Password management

The Indeed Enterprise Single Sign-On stipulates for regular password change in applications. The password is changed automatically, as a rule. Manual change of password by user is regulated by ESSO administrator settings. If manual password change is allowed, then upon the next password change its value is not generated automatically, but the user is prompted to enter it. The system behaviour upon requesting a new password from user depends on the type of Enterprise SSO user account, defined by SSO administrator: If
the administrator configured manual password change by user, then the following window appears for password change.

Enter a new password and its confirmation.

  • Password entering mode (password is hidden / password is revealed) is regulated by clicking the  button (Reveal password).
  • Clicking the  button (Generate a random password) results in automatic password generation in accordance with the restrictions set for this application. The generated password is automatically pasted into the Password field. The Reveal password option is then enabled and Password confirmation field is cleared.

The new password entered in the standard manner is checked for compliance with password security criteria set for the application. An error message appears, if the password does not comply with the said criteria.

Indeed AM ESSO Agent commands

The following commands are available in the context menu opened by right-clicking the Indeed-Indeed AM ESSO Agent icon in the Windows notification bar:

  • Change user means to select a different account to access the application. This command opens the SSO Login window showing the list of available accounts. Login method selection is also possible. The last method utilized by the user is selected by default.
  • Deactivate hotkeys – this deactivates the following key combinations:
    • [Ctrl]+[Alt]+[Q] - opens the quick start window.
    • [Ctrl]+[Alt]+[U] - performs ESSO data update.
    • [Ctrl]+[Alt]+[R] - performs forced processing of the application form (re-matching).
      All the combinations are enabled by default.
  • Update data – this loads the SSO profile changes. Message examples are given in the following images.

ESSO data update:New ESSO data is received:

Data update error:

Quick start is performed upon selection of the corresponding item from the context menu of Indeed AM ESSO Agent or upon pressing [Ctrl]+[Alt]+[Q] keys. This command opens the Select an application window with the list of applications allowed to be started.

Application is not displayed in the list, if Indeed AM ESSO Agent cannot find its executable file at the user workstation.

Error processing

If an error occurs (for instance, form filling error), the Indeed AM ESSO Agent provides for selection of action to process the error.
The following options are available in the Error processing window (it is closed automatically after an option is selected):

  • Repeat – the operation resulted in error is performed again.
  • Close application – the application that triggered an error is closed. All unsaved data is then lost.
  • Close window – this closes the current window or form of target application. If it is the main window of the application, it might close.
  • Ignore – no action is performed.