t l access manager enterprise single...

Tivoli® Access Manager for Enterprise Single Sign-On

User Guide

Version 6.0

SC32-1988-00

��

Note:

Before using this information and the product it supports, read the information in “Notices,” on page 39.

First Edition (September 2006)

This edition applies to version 6, release 0, modification 0 of IBM Tivoli Access Manager for Enterprise Single

Sign-On (product number 5724-N70) and to all subsequent releases and modifications until otherwise indicated in

new editions.

© Copyright International Business Machines Corporation 2006. All rights reserved.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract

with IBM Corp.

TAM E-SSO User Guide

Table Of Contents

Introduction .................................................................................................. 1 Program Features ........................................................................................ 1 About This Guide ......................................................................................... 2 Example: Logging on Automatically ................................................................ 3

Setup Wizard................................................................................................. 5 Setting up TAM E-SSO - Setup Wizard ............................................................ 5 Restore an existing backup?.......................................................................... 5 Setup tasks to perform................................................................................. 5 Choose a logon method ................................................................................ 5 Enter your primary logon .............................................................................. 6 Insert a Smart Card ..................................................................................... 6 Enter a passphrase answer ........................................................................... 6 Add applications logons ................................................................................ 6 Setup Wizard - Finishing Up .......................................................................... 6

Using TAM E-SSO........................................................................................... 7 Starting TAM E-SSO................................................................................... 7

The System Tray Icon Menu .......................................................................... 7 System Tray Menu Options ........................................................................... 8 Shutting Down TAM E-SSO............................................................................ 8 The Title Bar Button Menu............................................................................. 9

To show or hide the Title Bar Button ............................................................ 9 Language Settings ....................................................................................... 9

Your Primary Logon Method............................................................................10 Your Primary Logon Method .........................................................................10 Changing Your Primary Logon Method............................................................11

To change your primary logon method ........................................................11 Confirming Your Primary Logon Method .........................................................12 Installing Primary Logon Methods..................................................................12

To install additional primary logon methods..................................................13 Creating and Using Logons .............................................................................14

Creating and Using Logons...........................................................................14 Logon Manager...........................................................................................14

Logon Manager options .............................................................................15 Applications that share credentials ..............................................................15 Adding multiple application logons ..............................................................15 Credentials without a configured logon ........................................................16

Creating New Logons ..................................................................................16 Setting up Logons with Logon Manager........................................................16 To add a logon for a Windows application.....................................................17 To configure a logon for an unlisted Windows application ...............................18

v


To add a logon for a Web site.....................................................................20 To add a logon for an unlisted Web Site.......................................................20 To add a logon for a host/mainframe application...........................................22

Managing Logons........................................................................................23 Setting Up Logons using Auto-Prompt .........................................................23 Logon Properties ......................................................................................24 To modify a logon's properties....................................................................25 Logon Chooser .........................................................................................26 Logon Error .............................................................................................27

Settings.......................................................................................................28 Settings dialog box: Passwords tab ...............................................................28

Password Settings ....................................................................................28 Settings dialog box: Logons tab ....................................................................29

Logon Settings.........................................................................................29 Settings dialog box: Excluded Web Sites tab...................................................29

To restore Auto-Prompt for an excluded Web site..........................................30 Settings dialog box: Excluded Applications tab ................................................30

To restore Auto-Prompt for an excluded application.......................................31 Managing Passwords .....................................................................................32

Managing Passwords ...................................................................................32 Changing Your Application Password..............................................................33

Backing Up and Restoring ..............................................................................34 Backing Up and Restoring ............................................................................34

To back up your passwords and settings ......................................................34 To restore your passwords and settings .......................................................35

Glossary ......................................................................................................36

vi


Introduction

IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM E-SSO) lets you use a single password to logon to any password-protected application on your desktop, your network, and the Internet. It works "out-of-the-box" (without programming or additional network infrastructure) with virtually all applications, including Windows, Web, proprietary, and host/mainframe applications.

TAM E-SSO is intelligent agent software. It remembers your credentials – your username/ID, password, and other information – for each application or Web site and automatically responds to its logon requests.

Program Features

Single sign-on: You use just one password to log on to applications, networks, and Web sites.

Auto Prompt: TAM E-SSO can learn your credentials as you work. When it detects a new logon request, the agent prompts you to provide your username/ID, password, and other sign-on data. The next time this application asks for your logon, TAM E-SSO recognizes it and logs you on automatically.

Automatic backup/restore: TAM E-SSO automatically backs up your credentials, to a floppy disk or to a remote file or directory server - and automatically restores your credentials, if necessary.

Custom logon configuration: In addition to logons predefined by your administrator, you can add your own logons to other applications and Web sites.

Mobility support: If you work at multiple workstations TAM E-SSO makes it easy for your administrator to store your credentials on a remote server. That lets you use TAM E-SSO to manage your identity and passwords - with complete security - on any computer on your network.

1


About This Guide

This user guide is intended for anyone using TAM E-SSO to manage logon credentials for Windows, Web and host/mainframe applications. You should be familiar with Windows conventions (for example, resizing application windows) and with the logon procedures for the applications you'll use with TAM E-SSO.

If the TAM E-SSO software is already installed on your workstation, you should begin by following the procedure for Setting Up. This procedure is performed the first time you start the program. You'll provide your primary logon - the password you'll use for all other logons - and select pre-configured applications, if they are provided.

The remainder of this guide covers these topics:

Starting and shutting down TAM E-SSO and setting general program preferences.

Changing your Primary Logon Method.

Configuring and using application logons.

Procedures and options for adding or changing passwords.

Backing up and restoring your passwords and settings.

2


Example: Logging on Automatically

TAM E-SSO automatically detects when you've encountered a password-protected application or Web site. If you already provided credentials (username/ID, password, and other information) for that application or Web site, TAM E-SSO automatically enters your credentials in the appropriate fields and logs you on.

Let's say you've already provided credentials for your Lotus Notes account. As soon as you open Lotus Notes, TAM E-SSO recognizes this logon screen's request for credentials.

TAM E-SSO enters your password in the appropriate field and clicks the [OK] button, logging you on to Lotus Notes.

Now let's say you've opened the logon screen for an application or Web site for which you have not yet provided credentials.

If the Auto Prompt feature is active, TAM E-SSO offers to store your credentials for this application.

If you click [Yes], the New Logon Wizard appears, prompting you to set up credentials for this application or Web site.

You enter your Username/ID for the application and your password (twice for confirmation), and then click [Finish].

3


TAM E-SSO logs you on. From now on, whenever you start this application, TAM E-SSO will recognize the application's logon prompt and supply your credentials automatically.

4


Setup Wizard

Setting up TAM E-SSO - Setup Wizard

Before you begin using TAM E-SSO, the Setup Wizard checks to make certain that TAM E-SSO has all the information it needs. This is also called the First Time Use Wizard (FTU). You must provide the information requested in order to use TAM E-SSO.

Tip: If you cancel the Setup Wizard, it will re-appear each time you try to start TAM E-SSO until you've completed the Wizard.

The Setup Wizard may skip any or all of the following tasks, depending on the installation options selected, your network's configuration and the settings your SSO administrator makes.

Restore an existing backup?

If you've backed up any pre-existing TAM E-SSO settings, select the I want to restore an existing backup of my settings check box. If you choose this option, TAM E-SSO will complete the setup process from your stored settings. See Backing Up and Restoring for more information.

Click [Next>] to continue.

Setup tasks to perform

This page lists the Setup tasks necessary for your local installation of TAM E-SSO.

Click [Next>] to begin setup.

Choose a logon method

From the drop-down list box, choose the authenticator you'll use for your primary logon method. In a typical installation, this is Windows Logon. This means you'll use your Windows password to access password protected applications.

Depending on your network resources and administration, you may have other primary logon methods to choose from, such as:

Windows Logon v2

LDAP

LDAP v2

Authentication Manager

Smart Card

Entrust

SAFLINK SAFAuthenticator for TAM E-SSO

DigitalPersona Authenticator

Xyloc

When you have made your selection, click [Next>] to continue.

5


Enter your primary logon

If you have chosen Windows Authentication as your primary logon method, a Windows network logon prompt appears. Enter your Windows Network password for the displayed username and domain and click [OK].

Insert a Smart Card

If you choose Smart Card as your primary logon method, a smart card prompt appears. Insert the smart card and then enter your PIN. Click [OK].

Enter a passphrase answer

If you chose Windows Authentication v.2, one or more passphrase questions appear. This is used for additional security. Type the answer to the displayed question or questions (note the minimum length) and click [OK].

Note: You can change your passphrase anytime later by selecting the Change Passphrase option whenever you confirm your primary logon.

Add applications logons

This page appears if your SSO administrator has provided a list of pre-configured applications. This lets you store your logon credentials for each application.

Enter your Username/ID, Password, and any other requested information for each application you use. You may need to retype one or more items to confirm.

Click [Next>] to continue.

Setup Wizard - Finishing Up

If you want to make changes before completing Setup, click [<Back] to return to a previous Setup Wizard page.

Otherwise, click [Finish] to complete setup. You can now begin using TAM E-SSO.

6


Using TAM E-SSO

This section provides an introduction to the features and functions available via the TAM E-SSO user interface.

For more information on these and other features, see the online help. To access the online help:

Click the [Help] button within any program dialog box. or

Click the TAM E-SSO Tray Icon on your Windows system tray and select Help from the shortcut menu.

Starting TAM E-SSO

Note: The first time you start TAM E-SSO, the Setup Wizard appears to guide you through the procedure for providing your primary logon information.

After installing TAM E-SSO, the TAM E-SSO Tray Icon appears on your Windows system tray in the lower-right corner of your screen. If you do not see this icon, start TAM E-SSO:

1. Click Start, then Programs.

2. Point to IBM, then TAM E-SSO.

3. Click TAM E-SSO.

The TAM E-SSO Tray Icon now appears in your Windows system tray.

Also see the System Tray Menu Options.

The System Tray Icon Menu

Click the TAM E-SSO Tray Icon in your Windows system tray to display a shortcut menu of program functions, which are described below.

7


System Tray Menu Options

Configuration Displays a submenu of program controls and options. Each of these are detailed later in this guide:

Language

Logon Manager

Backup/Restore

Settings

Shut Down Shuts down the program.

Pause Turns off TAM E-SSO logons, including the Auto-Prompt and Auto-Recognize features, and the Logon using TAM E-SSO menu option, below.

Help Displays the online help system.

About TAM E-SSO

Displays version information about the program.

Logon using TAM E-SSO

Engages TAM E-SSO to supply information to a logon request. You can use this option to engage TAM E-SSO when Auto-Recognize is turned off.

Tip: If Auto-Recognize is enabled, TAM E-SSO automatically recognizes logon requests and supplies your stored logon information.

If you have not already set up the application or Web site logon, TAM E-SSO prompts you to do so.

Shutting Down TAM E-SSO

To shut down TAM E-SSO, click the Tray Icon and select Shutdown from the shortcut menu.

8


The Title Bar Button Menu

You can put the TAM E-SSO Title Bar Button on all application window title bars. The Title Bar Button lets you log on quickly to applications and Web sites you've already configured and add new logons as you work.

You can set the Title Bar Button to display a shortcut menu for using or adding logons, or you can omit the menu and use the Title Bar Button as a one-click logon command.

To show or hide the Title Bar Button

1. Click the TAM E-SSO Tray Icon on the Windows system tray to display the shortcut menu. Point to Configuration, then click Settings. The Settings dialog appears.

2. On the Settings dialog, click the Logons tab

Select the Title Bar Button check box to show the Title Bar Button or clear the check box to hide the icon.

Click the Display Dropdown check box to activate the Title Bar Button shortcut menu or clear the check box to deactivate the menu. If you clear this option, clicking the Title Bar Button initiates a logon to the active application.

3. Click [OK].

Tip: To hide the Title Bar Button and menu at any time, click the Title Bar Button on any application title bar and select Hide Title Bar Button.

Language Settings

The TAM E-SSO Agent can run in many different languages, depending on which version you are running, and which language packs are installed.

Depending on your configuration, you can change the language of the Agent through the TAM E-SSO Tray Icon menu located in your Windows system tray. Click the TAM

E-SSO Tray Icon to display the shortcut menu. Point to Configuration, then click Language. The available languages will display with a checkmark next to the current language.

Click the desired language for the TAM E-SSO Agent. All TAM E-SSO Agent dialogs and help screens will display in the selected language.

9


Your Primary Logon Method

Your Primary Logon Method

When you first set up TAM E-SSO, you are prompted to choose your primary logon method, also known as an authenticator.

The credentials you provide to the authenticator – your username/ID, password, and other information – identify you as an authorized user of your workstation and network.

In most cases, your primary logon is Windows, and your primary logon credentials are your Windows username/ID, password, and network domain.

TAM E-SSO lets you use your primary logon method for any other situation in which you need a password, including most Windows applications, host/mainframe applications, and password-protected Web sites.

It uses your primary logon information to verify that you are the same user that initially logged on.

Depending on your installation and resources, your primary logon can be any of the following:

Windows password

LDAP password

Smart Card authenticator logon information

Entrust authenticator logon information

SAFLINK authenticator logon information

DigitalPersona authenticator logon information

Xyloc authenticator logon information

10


Changing Your Primary Logon Method

You can change your primary logon method at any time, and you can install or remove authenticators as needed.

To change your primary logon method

1. Click the TAM E-SSO Tray Icon on the Windows system tray to display the shortcut menu. Point to Configuration, then click Change Logon Method.

2. The Setup Wizard appears with a list of steps you'll follow to change your primary logon. Click [Next>] to continue.

3. You are prompted for your current primary logon. Enter your primary logon

password, then click [OK].

4. The Setup Wizard displays the primary logon selection page. Select a primary logon method from the drop-down list box, then click [Next] to continue.

11


5. You are prompted for your new primary logon credentials. Type your user ID and password, enter or select any additional information, then click [OK].

Note: If your new primary logon is a smart card, you are prompted to insert the card into the reader and enter your personal identification number (PIN). If your new primary logon is a biometric device, you are prompted to place your finger on the fingerprint reader.

6. The Setup Wizard displays a message that your new authentication is successful. You can either:

Click [Cancel] to cancel the change and restore your previous primary logon method. or

Click [Finish] to complete your primary logon change. The Primary Logon Method dialog box appears. Click [Close] to close it.

Confirming Your Primary Logon Method

TAM E-SSO can be configured to periodically check to make sure that you are the same user who initially logged on to this workstation.

When you start a password-protected application, if a specific interval of time has passed since the last automatic logon (the default is 15 minutes), TAM E-SSO asks for your primary logon password. If you are using a logon method other than a password (smart card, token, biometric) as your primary logon, you are prompted for the appropriate authentication method (PIN, fingerprint, etc.).

TAM E-SSO also automatically performs this check when you modify your application passwords, perform other logon management tasks, or if the application logon itself requires it.

You can change the interval, or turn this feature off, by changing the Timer setting in the Logons tab of the Settings dialog box.

Depending on which primary logon you use and the settings your SSO administrator applies, you may be prompted for the passphrase answer you provided when you first set up TAM E-SSO.

If are using a passphrase, you have the option of changing your passphrase answer. To do this, select the I want to change the answer to my verification question checkbox.

Installing Primary Logon Methods

When you installed TAM E-SSO, you had the option of installing one or more authenticators. If you did not install all of the authenticators, you can use this procedure to install them. Currently installed authenticators are listed in the Primary Logon Method dialog box. See Your Primary Logon Method.

The following procedures for installing and removing primary logon methods are typically reserved for your SSO administrator to perform.

12


To install additional primary logon methods

1. Open the Control Panel and select Add/Remove Programs.

2. Select TAM E-SSO.

3. Click Change or Add/Remove, depending upon the operating system on your computer. The TAM E-SSO Install Wizard appears.

4. Read the screen, then click [Next].

5. Select the Modify option, then click [Next].

6. Click the + next to Authenticators to expand the list.

7. Click the X icon next to the password window you want to install.

8. From the shortcut menu, select This feature will be installed on the local hard drive.

9. Repeat steps 7 and 8 to install additional authenticators.

10. Click [Next].

11. Read the screen, then click [Next].

12. Follow the screen prompts.

13


Creating and Using Logons

Creating and Using Logons

TAM E-SSO provides two ways for you to create application logons:

• You can also create logons with Logon Manager, which lets you configure, edit and manage logons for most secure applications.

• You can create logons “on the fly,” using the Auto-Prompt feature, which detects an application's logon request and lets you store your credentials as you log on.

Logon Manager

Logon Manager displays your stored logons. It also lets you modify properties of each logon (for example, your user IDs and passwords) and update your settings with changes applied by your SSO administrator.

To display Logon Manager, click the TAM E-SSO Tray Icon on the Windows system tray to display the shortcut menu. Point to Configuration, then click Logon Manager. The Logon Manager dialog appears.

As you add or create logons for Windows applications or Web sites, and add logons for host/mainframe applications, the available logons are displayed in Logon Manager.

Tip: Logons that appear in grey, italicized text require activation by the SSO administrator. See Credentials without a configured logon.

14


Logon Manager options

View Display logons as Icons, as a List, or with full Details (similar to Windows Explorer View options)

Sort by Sort logons by a selected column; you can also sort the logons by clicking on the column heading itself.

Reveal All

In Details View. display username/IDs and passwords. (This feature is only available if the SSO administrator has activated it.)

Refresh

Update logon settings with changes from your SSO administrator. (This feature is only available if the SSO administrator has activated it.)

Add Display the New Logon dialog to set up a new application logon. If pre-configured logons are available the Add Multiple Application option appears. See Adding multiple application logons.

Properties Modify logon settings, including the user ID, password, applications specifics, and automatic behavior for a selected logon.

Copy Duplicate a selected logon.

Delete Remove a selected logon from Logon Manager.

Close Exit Logon Manager.

Help Display Logon Manager help file.

Applications that share credentials

Your SSO administrator may configure two or more applications to share the same username and password in a password group. If the credentials for one application changes, the credentials for the other applications in the group are also changed.

In some cases, where you need multiple credentials for a single application (for example having multiple mail accounts in Microsoft Outlook), you may need to exclude those additional "identities" (each with different credentials) from this feature. If this applies to a new logon you are creating for an application you have already added, you will have the option to "Exclude" the new logon.

Adding multiple application logons

If your SSO administrator has provided a new list of pre-configured application logons, the Logon Manager's [Add] button displays a drop-down option to Add Multiple Applications. Choose this option to add these new logons and supply your credentials.

15


Credentials without a configured logon

Some logons may appear in Logon Manager in grey, italicized text with a grey icon. If you attempt to use such a logon or view its properties (by selecting it and clicking [Properties]), this message appears:

Credential corresponds to an application that is not currently configured in TAM E-SSO.

This message typically appears when TAM E-SSO has been upgraded from a previous version. It means that your credentials are safely stored, but the application logon configuration (that tells TAM E-SSO where to put the credentials) needs to be upgraded as well. Contact your SSO administrator to acquire the updated logons.

Creating New Logons

Setting up Logons with Logon Manager

In the Logon Manager, Click [Add] to set up a new logon. The New Logon dialog box appears.

The following procedures describe how to use the New Logon dialog box to add logons for each application type.

The procedure is similar for each type. You identify the application and then provide your credentials - username/ID, password, and any other information the application requires you to enter.

If you add a logon for a Windows application that TAM E-SSO is not pre-configured for, you are asked to identify the username/ID and password fields by pointing and clicking on the logon fields.

16


You are also given the option to create more than one logon for a single application. This is useful for applications for which you have more than one set of credentials; for example, if you have multiple email accounts from one provider.

When TAM E-SSO detects a logon for which you have more than one credential set, it displays the Logon Chooser dialog box, which lets you select the credentials to use.

To add a logon for a Windows application

Select an application

1. In the New Logon dialog box, select the Windows option and select an application from the drop-down list box. If the application you want to add is not listed, see To configure a logon for an unlisted Windows application.

2. Click [Next>]. The New Logon dialog appears requesting credentials.

3. Type your Username/ID for the application, type your Password, and

retype your password in Confirm Password. You can display the password by clicking [Reveal].

Note: Depending on the requirements of the application you're setting up, you may be prompted for additional fields, such as Domain Name for Microsoft Outlook. Similarly, some applications may not require a username/ID. In such cases, the Username/ID box will be grayed out.

4. Do one of the following:

Click [Finish]. TAM E-SSO returns you to the Logon Manager, which now lists the logon you've just created. or

If the setting is available, select Add another set of credentials, then click [Finish]. TAM E-SSO adds the logon to the Logon Manager and re-displays the New Logon dialog box.

17


If you are adding a new logon for an existing application that is part of a password group, select Exclude from password sharing group. If this isthe first logon you have created for this application, leave this check box unselected. See Applications that share credentials.

To configure a logon for an unlisted Windows application

1. Open the Windows application that you want to set up a logon for. This is the target application.

Note: if the target application requires more than two fields for authentication, this procedure requires an SSO administrator to set it up for you. Contact your SSO administrator for assistance.

2. When the target application's logon dialog box displays, switch back to TAM E-SSO. Arrange the windows so that TAM E-SSO and the target application's logon dialog are both visible.

3. In the New Logon dialog box, select the Windows option and select Application not in list (the default) from the drop-down list box.

4. Type the Application Name of the target application and (optionally) a Description.

5. Click [Next>].

6. The New Logon dialog box displays two icons.

7. Click on the Username/ID icon then click in the username or user ID field of the target application's logon dialog box. A green check mark appears over the icon.

8. Click the Password icon. then click in the password field of the target

18


application's logon dialog box. A green check mark appears over the icon.


10. Type your Username/ID for the application, type your Password, and

retype your password in Confirm Password. You can display the password by clicking [Reveal].



If the setting is available, select Add another set of credentials, then click [Finish] . TAM E-SSO adds the logon to the Logon Manager and re-displays the New Logon dialog box.

19


To add a logon for a Web site

1. In the New Logon dialog box, select the Web option. then select a Web site from the drop-down list box. If the Web site you want to add is not listed, see To add a logon for an unlisted Web Site.


3. Type the Username/ID for the Web site, type the Password, and retype the password in Confirm Password. You can display the password by clicking [Reveal].




If you are adding a new logon for an existing application that is part of a password group, select Exclude from password sharing group. If this isthe first logon you have created for this application, leave this check box unselected. See Applications that share credentials.

To add a logon for an unlisted Web Site

1. In the New Logon dialog box, select the Web option. then select Web application not in list (the default option) from the drop-down list box. A text box for entering a Web address appears.

Note: if the target Web site requires more than two fields for authentication, this procedure requires SSO administrator resources. Contact your SSO administrator for assistance.

2. Type the URL - http:// (address) of the Web site you want to set up a logon for.

3. Type the Application Name and (optionally) a Description.

20



3. Type the Username/ID for the Web site, type the Password, and retype

the password in Confirm Password. You can display the password by clicking [Reveal].


Click [Finish]. TAM E-SSO returns you to the Logon Manager, which now lists the logon you've just created.

21


or


To add a logon for a host/mainframe application

1. In the New Logon dialog box, select the Mainframe option.

2. Type the Application Name of the target application and (optionally) a Description.


4. Type the Username/ID for the Web site, type the Password, and retype the password in Confirm Password. You can display the password by clicking [Reveal].



If the setting is available, select Add another set of credentials, then click [Finish] . TAM E-SSO adds the logon to the Logon Manager and re-displays the New Logon dialog box.

22


Managing Logons

Setting Up Logons using Auto-Prompt

To begin using Auto-Prompt, make certain that the feature is activated within Settings:

1. Click the TAM E-SSO Tray Icon on the Windows system tray to display the shortcut menu.

2. Point to Configuration, then click Settings.

3. Click the Password tab and make sure that the Auto-Prompt check box is selected. If not, select it, then click [OK].

The Auto-Prompt feature is enabled by default upon installing TAM E-SSO . Your SSO administrator may enable or disable Auto-Prompt for all users.

Let's say you've enabled the Auto-Prompt feature and you open the logon screen for an Application or Web site for which you have not set up a logon.

TAM E-SSO prompts you to set up a logon for this application or Web site with this message:

Would you like TAM E-SSO to remember your logon information for this application? You can re-enable this application by selecting "Logon using TAM E-SSO" from the TAM E-SSO tray icon.

You have these options:

Click [Yes] to set up a logon.

Click [Not now] if you don't want to set up a logon for this application right now.

Click [Disable] if you don't want to set up a logon for this application and don't want to be asked again. If you decide in the future that you do want TAM E-SSO to automatically prompt you for your credentials the next time you launch the application, use the Excluded Web Sites or Excluded Applications tab on the Settings dialog.

To set up a logon for this application, open the application's logon screen,

click the TAM E-SSO Tray Icon and select Logon using TAM E-SSO from the shortcut menu.

Tips: You can also tell TAM E-SSO to set a up a logon by holding down the Windows key and typing L (on non-Windows XP systems only).

If the target application requires more than two fields for authentication, this procedure requires SSO administrator resources. Contact your SSO administrator for assistance.

23


If you click [Yes], the New Logon dialog appears, prompting you to set up a new logon for this application or Web site.

Enter your username/ID, enter your password, and confirm your password. Click [Finish].

TAM E-SSO logs you on to the application or Web site and stores this new logon for future use.

Logon Properties

The Logon Properties dialog box lets you modify account information or automatic behavior for individual logons. You can

Change the Username/ID, Password or other fields that the logon sends to the application.

Restore a previous password.

Edit the Application Name and Description information for the application as it appears in Logon Manager and other dialog boxes.

Turn on or off the Auto-Prompt and Auto Recognize features for selected logons.

In a network installation, the availability of the Auto Prompt and Auto-Recognize features depends on administrative settings. Contact your SSO administrator for details

Tips: If you change a logon password, the next time you open the Logon Properties dialog for the logon, the Restore Previous Password button appears. This gives you have the option of reverting to the password used before the most recent change.

To turn Auto Prompt on or off for all logons, use the Auto Prompt option in the Passwords tab of the Settings dialog.

To turn Auto-Recognize on or off for all logons, use the Auto-Recognize option in the Logons tab of the Settings dialog.

24


To modify a logon's properties

1. In the Logon Manager, highlight an application logon from the list, then click [Properties]. The Properties dialog box for the selected application appears.

Tip: If the application logon is displayed in grey text, this message appears when you click [Properties]:

Credential corresponds to an application that is not currently configured in TAM E-SSO.

See Credentials without a configured logon for more information.

2. Modify the displayed information as needed.

3. When you have completed your changes, click [OK].

25


Logon Chooser

You may have two or more different logon accounts for the same application or Web site. If so, you can set TAM E-SSO to recognize all of those accounts, then prompt you to choose which one to log on with. To do this, create a separate TAM E-SSO logon for each account.

When you open the application or Web site, TAM E-SSO prompts you with the Logon Chooser dialog box.

Do one of the following:

Select the account you want to log on with and click [OK].

Click [Add] to add another logon for this application.

Click [Cancel] to close this dialog. TAM E-SSO will not log you onto the application.

26


Logon Error

When you enable the Auto-Recognize function, TAM E-SSO automatically detects and responds to logon and password-change requests from applications and Web sites you've set up.

If you entered the wrong password when you set up the logon, or perhaps changed the application's password from another computer, TAM E-SSO will supply an incorrect password. When this happens, the application repeats the logon request and TAM E-SSO displays the Logon Error dialog.

The Logon Error dialog asks you to review the accuracy of your Username/ID, Password and, if necessary, any additional logon fields.

Do one of the following:

You can reveal the password you've entered by clicking [Reveal].

Edit your logon information as needed and click [OK] to try logging on again.

Tip: The Save Changes check box ensures that TAM E-SSO uses same credentials next time TAM E-SSO logs you on to this application or Web site. Uncheck this option if you do not want the new credentials you entered to be saved for future use.

Click [Cancel] to stop any further logon attempts for the application or Web site until you either restart TAM E-SSO or modify the logon's properties in Logon Manager.

27


Settings

The Settings option in the Logon Manager lets you control TAM E-SSO password features, logon features, and excluded Web sites and applications.

Your SSO administrator may enable, disable or override any of the settings described below.

To view or modify TAM E-SSO settings:


2. Select the tab to display the settings:

Password tab

Logons tab

Excluded Web Sites tab

Excluded Applications tab

Settings dialog box: Passwords tab

The Passwords tab of the Settings dialog lets you control TAM E-SSO password features.

Your SSO administrator may enable, disable or override any of the settings described below.

Password Settings

Auto-Prompt

Select the Auto-Prompt check box to have TAM E-SSO automatically recognize password-protected applications and Web sites, and prompt you with the message, "Would you like TAM E-SSO to remember your logon information for this application?"

Auto-Enter

Select the Auto-Enter check box to have TAM E-SSO immediately enter an application or Web site once you have set up a logon for that application or Web site.

To view or modify password settings


2. On the Settings dialog, click the Password tab to display the password settings.

3. When you have completed your changes, do one of the following:

Click [OK] to confirm your changes and close the Settings dialog box.

Click [Apply] to confirm your changes (without closing the Settings dialog box), then select another Settings tab.

28


Settings dialog box: Logons tab

The Logons tab of the Settings dialog lets you control TAM E-SSO logon features for all logons. To change the settings for individual logons, see Logon Properties dialog box.

Your SSO administrator may enable, disable or override any of the settings described below

Title Bar Button

Select the Title Bar Button check box to display the TAM E-SSO Title Bar

Button in the upper-right corner of any new window opened on the desktop.

Display Dropdown

Select the Display Dropdown check box to have a drop-down menu display when you click the TAM E-SSO Title Bar Button.

Auto- Recognize

Select the Auto-Recognize check box to enable TAM E-SSO to recognize applications and Web sites and log you on automatically.

Timer Enter a time limit (in minutes); after this interval, TAM E-SSO asks for your password before performing any credential-related task. If the Timer setting is set to zero, TAM E-SSO always asks for your password before each credential-related task. Click [Clear Timer] to enter your password immediately, without waiting for the expiration time.

Logon Settings

To view or modify logon settings

1. Click the TAM E-SSO Tray Icon on the Windows system tray to display the shortcut menu. Point to Configuration, then click Settings. The Settings dialog box appears.

2. On the Settings dialog, click the Logons tab to display the logon settings.

3. When you have completed your changes, do one of the following.

• Click [OK] to confirm your changes and close the Settings dialog box.

• Click [Apply] to confirm your changes (without closing the Settings dialog box), then select another Settings tab.

Settings dialog box: Excluded Web Sites tab

The Excluded Web Sites tab of the Settings dialog lets you review and restore Auto-Prompt capability for Web site logons that you have previously told TAM E-SSO to ignore.

When you visit a password-protected Web site that you don't have a TAM E-SSO logon for, TAM E-SSO asks you if you want to create a new logon and gives you the choices:

29


Yes - create my logon now

Not Now - ask me next time

Disable - don't ask me again

If you choose Disable, TAM E-SSO adds the logon page to the Excluded Web Sites list. You can remove a Web from this list by clearing its checkbox, and thereby allow TAM E-SSO to prompt you to create a logon the next time you visit the site.

Tips: See Setting Up Logons using Auto-Prompt for more information about using Auto-

Prompt.

You can turn Auto-Prompt on or off by its setting in the Password tab of the Settings dialog.

To restore Auto-Prompt for an excluded Web site



3. Click the Excluded Web Sites tab to view the list of sites that TAM E-SSO is currently set to ignore.

4. Click to clear the check boxes of the Web sites for which you want Auto-Prompt restored, then click [OK].

The next time you visit the logon page of Web site(s) that you cleared, TAM E-SSO will ask if you want to create a logon.

Settings dialog box: Excluded Applications tab

The Excluded Applications tab of the Settings dialog lets you review and restore Auto-Prompt capability for application logons that you have previously told TAM E-SSO to ignore.

When you launch a password-protected application that you don't have a TAM E-SSO logon for, TAM E-SSO asks you if you want to create a new logon and gives you the choices:

Yes - create my logon now

Not Now - ask me next time

Disable - don't ask me again

If you choose Disable, TAM E-SSO adds the logon page to the Excluded Applications list. You can remove an application from this list

30


by clearing its checkbox, and thereby allow TAM E-SSO to prompt you to create a logon the next time you launch the application.

Tips: See Setting Up Logons using Auto-Prompt for more information about using Auto-

Prompt.

You can turn Auto-Prompt on or off by its setting in the Password tab of the Settings dialog.

To restore Auto-Prompt for an excluded application



3. Click the Excluded Applications tab to view the list of applications that TAM E-SSO is currently set to ignore.

4. Click to clear the check boxes of the applications for which you want Auto-Prompt restored, then click [OK].

The next time you launch the password-protected application that you cleared, TAM E-SSO will ask if you want to create a logon.

31


Managing Passwords

Managing Passwords

TAM E-SSO automated password change increases security by eliminating the potential for poor password selection and poor password management. It also increases usability by saving you the trouble of creating, changing, and remembering passwords. TAM E-SSO detects when an application requests a password change, then automatically generates a new password that conforms to a password policy (the rules that govern what a valid password can be) that your administrator sets.

Most applications allow you to change your logon password at any time; some require you to change passwords periodically, for example, every 30 days. You can use TAM E-SSO to apply and keep track of these changes.

If your SSO administrator has configured an application logon for automatic password change, TAM E-SSO detects the application's password-change reminder and automatically displays the Change Password dialog to help you.

When an application like Lotus Notes requests a password change, TAM E-SSO prompts with the Change Password dialog (unless the administrator has configured TAM E-SSO to perform the change automatically).

32


Changing Your Application Password

1. Open the application's Change Password window. The Change Password dialog appears (see screen shot above).

2. You have two options:

Select Automatically pick a new password for me, then click [OK]. TAM E-SSO will generate a new, randomly generated password for the application. You will never need to remember this password because TAM E-SSO will enter it for you automatically the next time you log on.

or

Select I will create my new password below, then:

a. Once this option is selected, the New Password, Confirm and Password Policy Status fields become active. Enter your new password in the New Password and Confirm text boxes.

Tip: Click [Reveal] to see the password you have entered.

b. Note the list of rules under Password Policy Status: Your new password must comply with each of these rules in order to be valid. As you type your password, the rules it complies with are automatically checked. When all of the rules are checked, your password is valid.

Tip: The "Special Characters Allowed" policy indicates the specific special characters that are allowed to be used in a password. If special characters are not allowed, this policy states: “Special characters allowed: None”

c. Click [OK].

Tip: The [OK] button will not become active until all password policies have been met.

3. On the application's password window, TAM E-SSO submits your password change request. Check the application's message to make certain it has accepted the new password.


If the application accepted the new password, you are finished.

or

If the application did not accept the new password, the Change Password dialog will appear again. Attempt to enter another password, or click [Cancel].

33


Backing Up and Restoring

Backing Up and Restoring

TAM E-SSO allows you to back up your passwords and settings to file and restore them if needed.

The Backup and Restore feature is available only if TAM E-SSO is installed using the Complete option or if the Backup/Restore extension is selected using the Custom installation option.

To back up your passwords and settings

1. Click the TAM E-SSO Tray Icon on the Windows system tray to display the shortcut menu. Point to Configuration, then click Backup/Restore. The Backup/Restore Wizard appears.

2. Select the Backup radio button and click [Next>].

3. TAM E-SSO prompts you for your primary logon. Enter your primary logon password and click [OK].

4. Click [Browse] to select the location of the backup file and click [Next].

5. Enter a password to encrypt the backup file. The Password and Confirm fields are pre-filled with your primary logon's password. You will need to use this password to restore the backup file, even if the password is changed later. Enter the password and click [Finish] to complete.

6. A confirmation message appears indicating that your logon information and settings were successfully backed up. Click [OK].

34


To restore your passwords and settings

1. Click the TAM E-SSO Tray Icon on the Windows system tray to display the shortcut menu. Point to Configuration, then click Backup/Restore. The Backup/Restore Wizard appears.

2. Select the Restore radio button and click [Next>].

3. TAM E-SSO may prompt you for your primary logon. Enter your primary logon password and click [OK].

4. Click [Browse] to select the location of the backup/restore file and click [Next].

5. Enter the password that was used to secure the backup file. Once entered, click [Finish] to complete. If the password is not correct, TAM E-SSO will prompt you to enter your password again.

6. A confirmation message appears. Click [OK].

35


Glossary

A

Authenticator: See primary logon method.

Auto-Enter: Lets TAM E-SSO immediately enter an application or Web site once you have set up lagoon for that application or Web site.

Auto-Prompt: Lets TAM E-SSO automatically recognize password-protected applications and Web sites, and prompt you to supply credentials.

Auto-Recognize: Enables TAM E-SSO to recognize applications and Web sites and log you on automatically. If TAM E-SSO recognizes an application or Web site that you have not already set up, it will then prompt you to do so.

B

Backup/Restore Wizard: Lets you save and restore all user data to a file.

C

Credentials: The user-specific information TAM E-SSO needs to perform a logon. This usually consists of a username/ID, a password, and on occasion, one or more other fields.

D

Directory Server: A specialized kind of database, supporting a tree structure rather than tables, used to manage user accounts and access.

Display Dropdown: Provides a drop-down menu display when you click the TAM E-SSO Title Bar Button.

H

Host: Generally speaking, a computer that provides services or resources to other devices. In this context, host refers to a mainframe or Unix computer connected to your desktop PC. TAM E-SSO provides your credentials through the host emulator software that connects to the host.

Host Emulator: A program that simulates the user interface (look and feel) of a mainframe/UNIX computer terminal. This enables a desktop PC user to interact with a remote host computer.

L

LDAP (Lightweight Directory Access Protocol): A common directory server protocol/standard. A TCP/IP-compatible subset of DAP (Directory Access Protocol). Refer to RFC 1777 and others.

Logon Chooser: A TAM E-SSO feature that lets you select from two or more sets of credentials for a given logon or password change request.

Logon Manager: A TAM E-SSO feature that lets you manage (add, delete, modify, copy or review) your application logon credentials.

37

Glossary

M

Mainframe: A large scale computer, typically running applications on multi-user operating systems such as AS/400 and OS/390.

P

PKI: Public Key Infrastructure.

Primary Logon Method: The credentials that identify you as an authorized user of your workstation and network. In most cases, your primary logon, also called an authenticator, is Windows, and your primary logon credentials are your Windows user name, password, and network domain. Other primary logon methods include LDAP, Microsoft Active Directory, RSA Keon (TAM E-SSO: Authentication Adapter only), and Entrust (TAM E-SSO: Authentication Adapter only) as your primary logon method, logging on tothe system unlocks TAM E-SSO.

S

Setup Wizard: Helps you select a primary logon method and (at the administrator's option) provides a list of pre-configured application logons.

System Tray: The area on the right side of the Windows task bar that displays icons for access to frequently-used applications and features, including the TAM E-SSO Tray Icon.

T

Telnet: A protocol for connecting to remote computers.

Title Bar Button Menu: A TAM E-SSO feature that displays the TAM E-SSO logo in the upper-right corner of any new window opened on the desktop. Clicking the button on each application, displays a drop-down menu that offers access to TAM E-SSO functions (logon, add application, and so on).

U

URL (Universal Resource Locator): The address of anything on the World Wide Web.

38

Appendix. Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in

other countries. Consult your local IBM® representative for information on the

products and services currently available in your area. Any reference to an IBM

product, program, or service is not intended to state or imply that only that IBM

product, program, or service may be used. Any functionally equivalent product,

program, or service that does not infringe any IBM intellectual property right may

be used instead. However, it is the user’s responsibility to evaluate and verify the

operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter

described in this document. The furnishing of this document does not give you

any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing

IBM Corporation

North Castle Drive

Armonk, NY 10504-1785

U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM

Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation

Licensing

2-31 Roppongi 3-chome, Minato-ku

Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other

country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS

PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER

EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED

WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS

FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or

implied warranties in certain transactions, therefore, this statement may not apply

to you.

This information could include technical inaccuracies or typographical errors.

Changes are periodically made to the information herein; these changes will be

incorporated in new editions of the publication. IBM may make improvements

and/or changes in the product(s) and/or the program(s) described in this

publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for

convenience only and do not in any manner serve as an endorsement of those Web

sites. The materials at those Web sites are not part of the materials for this IBM

product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it

believes appropriate without incurring any obligation to you.

© Copyright IBM Corp. 2006 39

Licensees of this program who wish to have information about it for the purpose

of enabling: (i) the exchange of information between independently created

programs and other programs (including this one) and (ii) the mutual use of the

information which has been exchanged should contact:

IBM Corporation

2ZA4/101

11400 Burnet Road

Austin, TX 78758

U.S.A.

Such information may be available, subject to appropriate terms and conditions,

including in some cases, payment of a fee.

The licensed program described in this information and all licensed material

available for it are provided by IBM under terms of the IBM Customer Agreement,

IBM International Program License Agreement, or any equivalent agreement

between us.

Any performance data contained herein was determined in a controlled

environment. Therefore, the results obtained in other operating environments may

vary significantly. Some measurements may have been made on development-level

systems and there is no guarantee that these measurements will be the same on

generally available systems. Furthermore, some measurements may have been

estimated through extrapolation. Actual results may vary. Users of this document

should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of

those products, their published announcements or other publicly available sources.

IBM has not tested those products and cannot confirm the accuracy of

performance, compatibility or any other claims related to non-IBM products.

Questions on the capabilities of non-IBM products should be addressed to the

suppliers of those products.

Trademarks

The following terms are trademarks or registered trademarks of International

Business Machines Corporation in the United States, other countries, or both:

AIX

DB2

developerWorks

eServer

IBM

iSeries

Lotus

Passport Advantage

pSeries

RACF

Rational

Redbooks

Tivoli

WebSphere

zSeries

Microsoft®, Windows®, Windows NT®, and the Windows logo are trademarks of

Microsoft Corporation in the United States, other countries, or both.

40 IBM Tivoli Access Manager for Enterprise Single Sign-On: User Guide

Intel®, Intel Inside® (logos), MMX and Pentium® are trademarks of Intel

Corporation in the United States, other countries, or both.

UNIX® is a registered trademark of The Open Group in the United States and

other countries.

Linux® is a trademark of Linus Torvalds in the U.S., other countries, or both.

Java™ and all Java-based trademarks are trademarks of Sun

Microsystems, Inc. in the United States, other countries, or

both.

Other company, product, and service names may be trademarks or service marks

of others.

Appendix. Notices 41

42 IBM Tivoli Access Manager for Enterprise Single Sign-On: User Guide

��

Printed in USA

SC32-1988-00

t l access manager enterprise single...

Documents