t l access manager enterprise single...

Tivoli® Access Manager for Enterprise Single Sign-On

User Guide

Version 5.0

��

Note:

Before using this information and the product it supports, read the information in “Notices,” on page 1.

First Edition (March 2006)

© Copyright International Business Machines Corporation 1996, 2006. All rights reserved.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract

with IBM Corp.

TAM E-SSO User's Guide

Table of Contents Introduction ..............................................................................................4

Program Features.................................................................................... 4 Example: Logging on Automatically............................................................ 4 System Requirements .............................................................................. 5 About this guide...................................................................................... 6

Installing TAM E-SSO.................................................................................7 Custom Installation ................................................................................. 9 Setting up TAM E-SSO ........................................................................... 10

Using TAM E-SSO .....................................................................................13 Starting TAM E-SSO............................................................................... 13 The System Tray Icon Menu.................................................................... 13 Shutting Down TAM E-SSO ..................................................................... 14 The Title Bar Button Menu ...................................................................... 14

To show or hide the Title Bar Button..................................................... 14 Your Primary Logon Method ....................................................................15 Creating and Using Logons ......................................................................16

Logon Manager ..................................................................................... 16 Setting up Logons with Logon Manager..................................................... 18

To add a logon for a Windows application .............................................. 19 To configure a logon for an unlisted Windows application ......................... 20 To add a logon for a Web site .............................................................. 21 To add a logon for an unlisted Web Site ................................................ 22 To add a logon for a host/mainframe application .................................... 22 To add a logon for an online service ..................................................... 23

Setting Up Logons using Auto-Prompt ...................................................... 23 Modifying Logon Properties ..................................................................... 24

To modify a logon's properties ............................................................. 25 Using Logon Chooser ............................................................................. 25 Handling Logon Errors............................................................................ 26 Setting Logon Options............................................................................ 26

To view or modify logon settings .......................................................... 27 Managing Excluded Web Sites ................................................................. 28

To restore Auto-Prompt for an excluded Web site ................................... 28 Managing Passwords ...............................................................................29

Changing Your Application Password ........................................................ 29 To change an application's password .................................................... 29

Setting Password Options ....................................................................... 30 To view or modify password settings .................................................... 31

Backing Up and Restoring........................................................................32 To back up your passwords and settings ............................................... 32 To restore your passwords and settings ................................................ 33

Glossary...................................................................................................34

TAM E-SSO User's Guide Introduction

Introduction IBM Tivoli Access Manager for Enterprise Single Sign-On lets you use a single password to logon to any password-protected application on your desktop, your network, and the Internet. It works "out-of-the-box" (without programming or additional network infrastructure) with virtually all applications, including Windows, Web, proprietary, and host/mainframe applications.

TAM E-SSO is intelligent agent software. It remembers your credentials – your username/ID, password, and other information – for each application or website and automatically responds to its logon requests.

Program Features • Single sign-on: You use just one password to log on to applications,

networks, and Web sites.

• Auto Prompt: TAM E-SSO can learn your credentials as you work. When it detects a new logon request, the agent prompts you to provide your username/ID, password, and other sign-on data. The next time this application asks for your logon, TAM E-SSO recognizes it and logs you on automatically.

• Automatic backup/restore: TAM E-SSO automatically backs up your credentials, to a floppy disk or to a remote file or directory server - and automatically restores your credentials, if necessary.

• Custom logon configuration: In addition to logons predefined by your administrator, you can add your own logons to other applications and websites.

• Mobility support: If you work at multiple workstations TAM E-SSO makes it easy for your administrator to store your credentials on a remote server. That lets you use TAM E-SSO to manage your identity and passwords - with complete security - on any computer on your network.

Example: Logging on Automatically TAM E-SSO automatically detects when you've encountered a password-protected application or Web site. If you already provided credentials (username/ID, password, and other information) for that application or Web site, TAM E-SSO automatically enters your credentials in the appropriate fields and logs you on.

Let's say you've already provided credentials for your Lotus Notes account. As soon as you open Lotus Notes, TAM E-SSO recognizes this logon screen's request for credentials.

- 4 -


TAM E-SSO enters your password in the appropriate field and clicks the [OK] button, logging you on to Lotus Notes.

Now let's say you've opened the logon screen for an application or Web site for which you have not yet provided credentials.

If the Auto Prompt feature (page 30) is active, TAM E-SSO offers to store your credentials for this application with this message.

If you click [Yes], the New Logon Wizard appears, prompting you to set up credentials for this application or Web site.

You enter your Username/ID for the application and your password (twice for confirmation), and then click [Finish].

TAM E-SSO logs you on. From now on, whenever you start this application, TAM E-SSO will recognize the application's logon prompt and supply your credentials automatically.

System Requirements Minimum Configuration

Microsoft Windows 2000 (SP1+), XP (SP1 or SP2), 2003

120 MHz Pentium-compatible processor (233Mhz Pentium-compatible processor recommended)

32 Mb RAM (64Mb RAM recommended)

4-7 Mb hard drive space for the agent (depending on installation options)

Microsoft Internet Explorer 5.5SP2/6.0SP1 or above with 128-bit encryption

Hard drive space for user data

- 5 -


Optional Components (from other sources)

Entrust PKI support requires Entrust/Entelligence v5.0 (TAM E-SSO: Authentication Adapter only)

RSA Keon PKI support requires RSA Keon Desktop v5.5 (TAM E-SSO: Authentication Adapter only)

Java Runtime Environment (ver. 1.3 or later)

About this guide This User Guide is intended for anyone using TAM E-SSO to manage logon credentials for Windows, Web and host/mainframe applications. You should be familiar with Windows conventions (for example, resizing application windows) and with the logon procedures for the applications you'll use with TAM E-SSO.

If the TAM E-SSO software is already installed on your workstation, you should begin by following the procedure for Setting Up on page 10. This procedure is performed the first time you start the program. You'll provide your primary logon - the password you'll use for all other logons - and select pre-configured applications, if they are provided.

The remainder of this guide covers these topics:

Starting and shutting down TAM E-SSO and setting general program preferences (page 13).

Configuring and using application logons (page 16).

Procedures and options for adding or changing passwords (page 29).

Backing up and restoring your passwords and settings (page 32).

Note: In a network installation, many features can be activated, deactivated or preset by the SSO administrator. This icon indicates features that depend on or may be affected by administrative settings.

- 6 -

TAM E-SSO User's Guide Installing TAM E-SSO

Installing TAM E-SSO The TAM E-SSO main menu screen appears automatically upon placing the installation CD in your CD-ROM drive (or starting the installation from a shared network drive).

1. Click Install TAM E-SSO to begin installation

2. When the Install Wizard appears, click [Next>] to continue.

3. The License Agreement screen appears. Read the license agreement carefully. Click the I accept the terms in the license agreement button and click [Next>] to continue.

4. Select an installation type and click [Next>].

The remainder of this procedure describes the installation steps for a Standalone installation.

For instructions on the Custom installation type, see Custom Installation on page 9.

- 7 -


5. Click [Install] to install TAM E-SSO .

6. This gauge appears, showing the progress of the installation.

7. When the installation is complete, click [Finish].

If this is the first time you have installed the program, you'll need to provide your primary logon information the first time you start TAM E-SSO.

- 8 -


Custom Installation If you selected the Custom installation option in the Install Wizard, TAM E-SSO prompts you to select exactly which features to install and where to install them.

The features that are grayed out have additional sub-features that you can install. To view the sub-features, expand the list by clicking the plus (+) sign.

The red “x” next to a drop-down list signifies a feature that will not be installed.

To add this feature to the installed components, click on the “x” and select This feature, and all sub-features, will be installed on local hard drive from the shortcut menu.

To enable LDAP support, expand the Extensions list, expand the Synchronization Manager, Depending on which Synchronizer you will use, click on Active Directory Synchronizer or LDAP Synchronizer, and select This feature, and all sub-features. You can now continue with the installation.

If you selected the LDAP synchronizer, you are prompted for your LDAP credentials.

Enter your User ID and Password for your directory server account, and select a User Path from the drop-down list.

Example:

uid=johndoe,ou=marketing,ou=atlanta,dc=IBM,dc=com

- 9 -


Setting up TAM E-SSO Before you begin using TAM E-SSO, the Setup Wizard checks to make certain that TAM E-SSO has all the information it needs. You must provide the information requested in order to use TAM E-SSO. If you cancel the Setup Wizard, it will re-appear each time you try to start TAM E-SSO until you've completed the Wizard.

The Setup Wizard may skip any or all of the following tasks, depending on the installation options selected, your network's configuration and the settings your SSO administrator makes.

Restore an existing backup? If you've backed up any pre-existing TAM E-SSO settings, select the I want to restore an existing backup of my settings check box. If you choose this option, TAM E-SSO will complete the setup process from your stored settings. See Backing Up and Restoring on page 32 for more information.

Click [Next>] to continue.

Setup tasks to perform This page lists the Setup tasks necessary for your local installation of TAM E-SSO.

Click [Next>] to begin setup.

- 10 -


Choose a logon method From the drop-down list box, choose the authenticator you'll use for your primary logon method. In a typical installation, this is Windows Logon. This means you'll use your Windows password to access password protected applications.

Depending on your network resources and administration, you may have other primary logon methods to choose from, such as:

LDAP Entrust PKI

RSA PKI

Smart Card

When you have made your selection, click [Next>] to continue.

See Your Primary Logon Method on page 15 for more information.

Enter your primary logon If you chose Windows Authentication on the previous Wizard page, a Windows network logon prompt appears. Enter your Windows Network password for the displayed username and domain and click [OK].

Enter a passphrase answer If you chose Windows Authentication v.2, one or more passphrase questions appear. This is used for additional security. Type the answer to the displayed question or questions (note the minimum length) and click [OK].

Note: You can change your passphrase anytime later by selecting the Change Passphrase option whenever you confirm your primary logon, see page 15.

- 11 -


Add applications

This page appears if your SSO administrator has provided a list of pre-configured applications. This lets you store your logon credentials for each application.

Enter your Username/ID, Password, and any other requested information for each application you use. You may need to retype one or more items to confirm.

Click [Next>] to continue.

Finishing Up If you want to make changes before completing Setup, click [<Back] to return to a previous Setup Wizard page.

Otherwise, click [Finish] to complete setup. You can now begin using TAM E-SSO. See page 13 for more information.

- 12 -

TAM E-SSO User's Guide Using TAM E-SSO

Using TAM E-SSO This section provides an introduction to the features and functions available via the TAM E-SSO user interface.

For more information on these and other features, see the online help. To access it:

• Click the [Help] button within any program dialog box.

• Or, click the program icon on your Windows system tray and select Help from the shortcut menu.

Starting TAM E-SSO Note: The first time you start TAM E-SSO, the Setup Wizard appears to guide you through the procedure for providing your primary logon information. See page 10 for more information.

After installing TAM E-SSO, the TAM E-SSO Tray Icon appears on your Windows system tray in the lower-right corner of your screen. If you do not see this icon, start TAM E-SSO:

1. Click Start, then Programs.

2. Point to IBM, then TAM E-SSO.

3. Click TAM E-SSO.

The TAM E-SSO Tray Icon now appears in your Windows system tray.

The System Tray Icon Menu Click the TAM E-SSO Tray Icon in your Windows system tray to display a shortcut menu of program functions, which are described below.

System Tray Menu Options

Configuration Displays a submenu of program controls and options. Each of these is detailed in this guide:

• Logon Manager, page 16

• Backing Up and Restoring, page 32

• Settings, pages 26, 28, and 30.

Shutdown TAM E-SSO

Shuts down the program.

Pause TAM E-SSO

Turns off TAM E-SSO logons, including the Auto-Prompt (page 23) and Auto-Recognize (page 26) features, and the Logon using TAM E-SSO menu option, below.

- 13 -

TAM E-SSO User's Guide Using TAM E-SSO

Help Displays the online help system.

About TAM E-SSO

Displays version information about the program.

Logon using TAM E-SSO

Engages TAM E-SSO to supply information to a logon request. You can use this option to engage TAM E-SSO when Auto-Recognize is turned off.

Note: If Auto-Recognize (page 26) is enabled, TAM E-SSO automatically recognizes logon requests and supplies your stored logon information.

If you have not already set up the application or Web site logon, TAM E-SSO prompts you to do so.

Shutting Down TAM E-SSO To shut down TAM E-SSO, click the Tray Icon and select Shut Down from the shortcut menu.

The Title Bar Button Menu You can put the TAM E-SSO Title Bar Button on all application window title bars. The Title Bar Button lets you log on quickly to applications and Web sites you've already configured and add new logons as you work.

You can set the Title Bar Button to display a shortcut menu for using or adding logons, or you can omit the menu and use the Title Bar Button as a one-click logon command.

To show or hide the Title Bar Button

1. Click the TAM E-SSO Tray Icon on the Windows system tray to display the shortcut menu. Point to Configuration, then click Settings. The Settings dialog appears.

2. On the Settings dialog, click the Logons tab

• Select the Title Bar Button check box to show the Title Bar Button or clear the check box to hide the icon.

• Click the Display Dropdown check box to activate the Title Bar Button shortcut menu or clear the check box to deactivate the menu. If you clear this option, clicking the Title Bar Button initiates a logon to the active application.

3. Click [OK].

Tip: To hide the Title Bar Button and menu at any time, click the Title Bar Button on any application title bar and select Hide Icon.

- 14 -

TAM E-SSO User's Guide Your Primary Logon Method

Your Primary Logon Method When you first set up TAM E-SSO, you are prompted to choose your primary logon method, also known as an authenticator. The credentials you provide to the authenticator – your username/ID, password, and other information – identify you as an authorized user of your workstation and network. In most cases, your primary logon is Windows, and your primary logon credentials are your Windows username/ID, password, and network domain.

TAM E-SSO lets you use your primary logon password for any other situation in which you need a password, including most Windows applications, host/mainframe applications, and password-protected Web sites. It uses your primary logon information to verify that you are the same user that initially logged on.

Depending on your installation and resources, your primary logon password can be any of the following:

• Windows password

• Directory service (LDAP or Sun ONE) password

• Public key infrastructure (PKI) authenticator logon information (TAM E-SSO: Authentication Adapter only)

Confirming your primary logon

TAM E-SSO can be configured to periodically check to make sure that you are the same user who initially logged on to this workstation.

When you start a password-protected application, if a specific interval has passed since the last automatic logon (the default is 15 minutes), TAM E-SSO asks for your primary logon password. If you are using a smart card as your primary logon (TAM E-SSO: Authentication Adapter only), you are prompted for your personal identification number (PIN).

TAM E-SSO also automatically performs this check when you modify your application passwords, perform other logon management tasks, or if the application logon itself requires it.

You can change the interval, or turn this feature off, by changing the Timer setting in the Logons tab of the Settings dialog box. See page 26 for more information.

Depending on which primary logon you use and the settings your SSO administrator applies, you may be prompted for the passphrase answer you provided when you first set up TAM E-SSO.

If are using a passphrase, you have the option of changing your passphrase answer. To do this, select the I want to change the answer to my verification question checkbox.

- 15 -

TAM E-SSO User's Guide Creating and Using Logons

Creating and Using Logons TAM E-SSO provides two ways for you to create application logons:

• You can also create logons with Logon Manager, which lets you configure, edit and manage logons for most secure applications. See See page 18 for more information.

• You can create logons “on the fly,” using the Auto-Prompt feature, which detects an application's logon request and lets you store your credentials as you log on. See page 23 for more information.

Logon Manager Logon Manager displays your stored logons. It also lets you modify properties of each logon (for example, your user IDs and passwords) and update your settings with changes applied by your SSO administrator.

To display Logon Manager, click the TAM E-SSO Tray Icon on the Windows system tray to display the shortcut menu. Point to Configuration, then click Logon Manager.

The Logon Manager dialog appears.

As you add or create logons for Windows applications or Web sites, and add logons for host/mainframe applications, the available logons are displayed in Logon Manager.

Note: Logons that appear in grey, italicized text require activation by the SSO administrator. See Credentials without a configured logon on page 6.

Logon Manager options

View Display logons as Icons, as a List, or with full Details (similar to Windows Explorer View options)

Sort by Sort logons by a selected column; you can also sort the logons by clicking on the column heading itself.

Reveal All

In Details View. display username/IDs and passwords. (This feature is available if the SSO administrator has activated it.)

Refresh

Update logon settings with changes from your SSO administrator. (This feature is available if the SSO administrator has activated it.)

Add Display the New Logon dialog to set up a new application logon. If pre-configured logons are available the Add Multiple Application option appears. See Adding multiple application logons, below.

- 16 -


Properties Modify logon settings, including the user ID, password, applications specifics, and automatic behavior for a selected logon.

Copy Duplicate a selected logon.

Delete Remove a selected logon from Logon Manager.

Close Exit Logon Manager.

Applications that share credentials

Your SSO administrator may configure two or more applications to share the same username and password in a password group. If the credentials for one application changes, the credentials for the other applications in the group are also changed.

In some cases, where you need multiple credentials for a single application (for example having multiple mail accounts in Microsoft Outlook), you may need to exclude those additional "identities" (each with different credentials) from this feature. If this applies to a new logon you are creating for an application you have already added, you will have the option to "Exclude" the new logon.

Adding multiple application logons

If your SSO administrator has provided a new list of pre-configured application logons, the Logon Manager's [Add] button displays a drop-down option to Add Multiple Applications. Choose this option to add these new logons and supply your credentials.

Credentials without a configured logon

Some logons may appear in Logon Manager in grey, italicized text with a grey icon. If you attempt to use such a logon or view its properties (by selecting it and clicking [Properties]), this message appears:

Credential corresponds to an application that is not currently configured in TAM E-SSO.

This message typically appears when TAM E-SSO has been upgraded from a previous version. It means that your credentials are safely stored, but the application logon configuration (that tells TAM E-SSO where to put the credentials) needs to be upgraded as well. Contact your SSO administrator to acquire the updated logons.

- 17 -


The Setup Wizard Logons page appears.

1. Enter your username, password, and any other requested information for each application you use. You may need to retype one or more items to confirm.

2. Click [Next>] to continue. then click [Finish] to close the wizard.

Setting up Logons with Logon Manager In the Logon Manager, Click [Add] to set up a new logon. The New Logon dialog box appears.

The following procedures describe how to use the New Logon dialog box to add logons for each application type.

The procedure is similar for each type. You identify the application and then provide your credentials - username/ID, password, and any other information the application requires you to enter.

If you add a logon for a Windows application that TAM E-SSO is not pre-configured for, you are asked to identify the username/ID and password fields by pointing and clicking on the logon fields.

You are also given the option to

create more than one logon for a single application.

This is useful for applications for which you have more than one set of credentials; for example, if you have multiple email accounts from one provider.

When TAM E-SSO detects a logon for which you have more than one credential set, it displays Logon Chooser, which lets you select the credentials to use.

- 18 -


To add a logon for a Windows application

1. In the New Logon dialog box, select the Windows option and select an application from the drop-down list box. If the application you want to add is not listed, see To configure a logon for an unlisted Windows application, below.

2. Click [Next>].

3. Type your Username/ID for the application, type your Password, and retype your password in Confirm Password. You can display the password by clicking [Reveal].

Note: Depending on the requirements of the application you're setting up, you may be prompted for additional fields, such as Domain Name for Microsoft Outlook. Similarly, some applications may not require a username/ID. In such cases, the Username/ID box will be grayed out.

4. Do one of the following:

• Click [Finish]. TAM E-SSO returns you to the Logon Manager, which now lists the logon you've just created.

or

• Select Add another set of credentials, then click [Finish] . TAM E-SSO adds the logon to the LogonManager and re-displays the New Logon dialog box.

If you are adding a new logon for an existing application that is part of a password group, select Exclude from password sharing group. If this is the first logon you have created for this application, leave this check box unselected. See Applications that share credentials on page 17.

- 19 -


To configure a logon for an unlisted Windows application 1. Open the Windows application that you want to set up a logon for. This is the

target application.

Note: if the target application requires more than two fields for authentication, this procedure requires an SSO administrator to set it up for you. Contact your SSO administrator for assistance.

2. When the target application's logon dialog box displays, switch back to TAM E-SSO . Arrange the windows so that TAM E-SSO and the target application's logon dialog are both visible.

3. In the New Logon dialog box, select the Windows option and select Application not in list (the default) from the drop-down list box.

4. Type the Application Name of the target application and (optionally) a Description. Click [Next>]. The New Logon dialog box displays two icons.

5. Click the Username/ID icon then click in the username or user D field of the

target application's logon dialog box. A green check mark appears over the icon.

6. Click the Password icon. then click in the password field of the target application's logon dialog box. A green check mark appears over the icon.

7. Click [Next>].

8. Type your Username/ID for the application, type your Password, and retype your password in Confirm Password. You can display the password by clicking [Reveal].



• Select Add another set of credentials, then click [Finish] . TAM E-SSO adds the logon to

- 20 -


the LogonManager and re-displays the New Logon dialog box.

To add a logon for a Web site

1. In the New Logon dialog box, select the Web option. then select a Web site from the drop-down list box. If the Web site you want to add is not listed, see To add a logon for an unlisted Web Site, below.

2. Click [Next>].

3. Type the Username/ID for the Web site, type the Password, and retype the password in Confirm Password. You can display the password by clicking [Reveal].



or


If you are adding a new logon for an existing application that is part of a password group, select Exclude from password sharing group. If this is the first logon you have created for this application, leave this check box unselected. See Applications that share credentials on page 17.

- 21 -


To add a logon for an unlisted Web Site 1. In the New Logon dialog box, select the Web option. then select Web

application not in list (the default option) from the drop-down list box. A text box for entering a Web address appears.

Note: if the target Web site requires more than two fields for authentication, this procedure requires SSO administrator resources. Contact your SSO administrator for assistance.

2. Type the URL (address) of the Web site you want to set up a logon for.

3. Type the Application Name and (optionally) a Description.

4. Click [Next>]




or

• Select Add another set of credentials, then click [Finish]. TAM E-SSO adds the logon to the LogonManager and re-displays the New Logon dialog box.

To add a logon for a host/mainframe application 1. In the New Logon dialog box, select the Mainframe option.

2. Type the Application Name of the target application and (optionally) a Description. Click [Next>].




or

- 22 -



To add a logon for an online service Note: if the target Web site requires more than two fields for authentication, this procedure requires SSO administrator resources. Contact your SSO administrator for assistance.

1. In the New Logon dialog box, select the Online Service option.

2. Select an online service from the drop-down list box. If you select Online Service Not in List, see To configure a logon for an unlisted Windows application on page 20.

3. If necessary, edit the name of the online service, enter a description for the online service (optional), then click [Next>].




or

• Select Add Additional Logon, then click [Finish] . TAM E-SSO adds the logon to the LogonManager and re-displays the New Logon dialog box.

Setting Up Logons using Auto-Prompt The previous section describes how to set up logons using Logon Manager. This section describes how to set up logons on the fly using Auto-Prompt.

To begin using Auto-Prompt, make certain that the feature is activated within Settings:

1. Click the TAM E-SSO Tray Icon on the Windows system tray to display the shortcut menu.

2. Point to Configuration, then click Settings.

3. Click the Password tab and make sure that the Auto-Prompt check box is selected. If not, select it, then click [OK].

The Auto-Prompt feature is enabled by default upon installing TAM E-SSO . Your SSO administrator may enable or disable Auto-Prompt for all users.

Let's say you've enabled the Auto-Prompt feature and you open the logon screen for an application or Web site for which you have not set up a logon.

TAM E-SSO prompts you to set up a logon for this application or Web site with this message:

Would you like TAM E-SSO to remember your logon information for this [web] application?

You have these options:

• Click [Yes] if you want to set up a logon.

• Click [Not now] (for Web sites only) or [No] (for Windows and host/mainframe applications) if you don't want to set up a logon for this application right now.

- 23 -


• Click [Disable] (for Web sites only) if you don't want to set up a logon for this application and don't want to be asked again. If you decide in the future that you do want TAM E-SSO to automatically prompt you for your credentials the next time you visit this site, use the Excluded Web Sites tab of the Settings dialog (see page 28).

• to set up a logon for this application, open the application's logon screen,

click the TAM E-SSO Tray Icon and select Logon using TAM E-SSO from the shortcut menu.

Notes:

The [Not Now] and [Disable] buttons appear only with Web site logon requests. With all other logon requests, the options are [Yes] and [No].

You can also tell TAM E-SSO to set a up a logon by typing +L (on non-Windows XP systems only).

If the target application requires more than two fields for authentication, this procedure requires SSO administrator resources. Contact your SSO administrator for assistance.

If you click [Yes], the New Logon dialog appears, prompting you to set up a new logon for this application or Web site.

• Enter your username/ID, enter your password, and confirm your password. Click [Finish].

TAM E-SSO logs you on to the application or Web site and stores this new logon for future use.

See Setting Password Options on page 30 for information on other password and logon settings.

Modifying Logon Properties Use Login Manager to modify account information or automatic behavior for individual logons. You can

• Change the username/ID, password or other fields that the logon sends to the application.

• Restore a previous password.

• Edit the name and descriptive information for the application as it appears in Login Manager and other dialog boxes.

• Turn on or off the Auto-Prompt and Auto Recognize features for selected logins.

In a network installation, the availability of the Auto Prompt and Auto-Recognize features depends on administrative settings Contact your SSO administrator for details

- 24 -


settings. Contact your SSO administrator for details

Notes:

• If you change a logon password, the next time you open the Logon Properties dialog for the logon, the Restore Previous Password button appears. This gives you have the option of reverting to the password used before the most recent change.

• To turn Auto Prompt on or off for all logons, use the Auto Prompt option in the Passwords tab of the Settings dialog (see Setting Password Options on page 30 for more information).

• To turn Auto-Recognize on or off for all logons, use the Auto-Recognize option in the Logons tab of the Settings dialog (see Setting Logon Options on page 26 for more information).

To modify a logon's properties 1. In the Logon Manager, select an

application logon from the list, then click [Properties]. The Properties dialog box for the selected application appears.

Note: If the application logon is displayed in grey text, this message appears when you click [Properties]

Credential corresponds to an application that is not currently configured in TAM E-SSO.

See Credentials without a configured logon on page 6 for more information.

2. Modify the displayed information as needed.

3. When you have completed your changes, click [OK].

Using Logon Chooser You may have two or more different logon accounts for the same application or Web site. If so, you can set TAM E-SSO to recognize all of those accounts, then prompt you to choose which one to log on with. To do this, create a separate TAM E-SSO logon for each account.

When you open the application or Web site, TAM E-SSO prompts you with the Logon Chooser dialog box.

Select the account you want to log on with and click [OK].

Click [Add] to add another logon for this application.

- 25 -


Handling Logon Errors When you enable the Auto-Recognize function, TAM E-SSO automatically detects and responds to logon and password-change requests from applications and Web sites you've set up. If you entered the wrong password when you set up the logon, or perhaps changed the application's password from another computer, TAM E-SSO will supply an incorrect password. When this happens, the application repeats the logon request and TAM E-SSO displays the Logon Error dialog.

The Logon Error dialog asks you to review the accuracy of your Username/ID, Password and, if necessary, any additional logon fields. You can reveal the password you've entered by clicking [Reveal]. Edit your logon information as needed and click [OK] to try logging on again. Select the Save Changes check box to use the same credentials next time TAM E-SSO logs you on to this application or Web site. Clicking [Cancel] stops any further logon attempts for the application or Web site until you either restart TAM E-SSO or modify the logon in Logon Manager

.

Setting Logon Options The Logons tab of the Settings dialog lets you control TAM E-SSO logon features for all logons. To change the settings for individual logons, see Modifying Logon Properties on page 24.

Also see Setting Password Options on page 30 for information about password settings.

Your SSO administrator may enable, disable or override any of the settings described below

Logon Settings

Title Bar Button

Select the Title Bar Button check box to display the TAM E-SSO

Title Bar Button in the upper-right corner of any new window opened on the desktop.

Display Dropdown

Select the Display Dropdown check box to have a drop-down menu display when you click the TAM E-SSO Title Bar Button.

Auto- Recognize

Select the Auto-Recognize check box to enable TAM E-SSO to recognize applications and Web sites and log you on automatically. If TAM E-SSO recognizes an application or Web site that you have

- 26 -


not already set up, it will then prompt you to do so.

Timer Enter a time limit (in minutes); after this interval, TAM E-SSO asks

for your password before performing any credential-related task. If the Timer setting is set to zero, TAM E-SSO always asks for your password before each credential-related task. Click [Clear Timer] to enter your password immediately, without waiting for the expiration time.

To view or modify logon settings

1. Click the TAM E-SSO Tray Icon on the Windows system tray to display the shortcut menu. Point to Configuration, then click Settings. The Settings dialog box appears.

2. On the Settings dialog, click the Logons tab to display the logon settings.

3. When you have completed your changes, do one of the following.

• Click [OK] to confirm your changes and close the Settings dialog box.

• Click [Apply] to confirm your changes (without closing the Settings dialog box), then select another Settings tab.

- 27 -

TAM E-SSO User's Guide

Managing Excluded Web Sites The Excluded Web Sites tab of the Settings dialog lets you review and restore Auto-Prompt capability for Web site logons that you have previously told TAM E-SSO to ignore.

When you visit a password-protected Web site that you don't have a TAM E-SSO logon for, TAM E-SSO asks you if you want to create a new logon and gives you the choices Yes (create my logon now), Not Now (ask me next time), and Disable (don't ask me again). If you choose Disable, TAM E-SSO adds the logon page to the Excluded Web Sites list. You can remove a site from this list by clearing its checkbox, and thereby allow TAM E-SSO to prompt you to create a logon the next time you visit the site.

Notes:

• See Setting Up Logons using Auto-Prompt on page 23 for more information about using Auto-Prompt.

• You can turn Auto-Prompt on or off by its setting in the Password tab of the Settings dialog; see page 30.

To restore Auto-Prompt for an excluded Web site

1. Click the TAM E-SSO Tray Icon on the Windows system tray to display the shortcut menu.

2. Point to Configuration, then click Settings.

3. Click the Excluded Web Sites tab to view the list of sites that TAM E-SSO is currently set to ignore.

4. Click to clear the check boxes of the Web sites for which you want Auto-Prompt restored, then click [OK]

The next time you visit the logon page of Web site(s) that you cleared, TAM E-SSO will ask if you want to create a logon.

- 28 -

TAM E-SSO User's Guide Managing Passwords

Managing Passwords TAM E-SSO automated password change increases security by eliminating the potential for poor password selection and poor password management. It also increases usability by saving you the trouble of creating, changing, and remembering passwords. TAM E-SSO detects when an application requests a password change, then automatically generates a new password that conforms to a password policy (the rules that govern what a valid password can be) that your administrator sets.

When an application like Lotus Notes requests a password change, TAM E-SSO prompts with the Password Change Wizard, unless the administrator has configured TAM E-SSO to perform the change automatically.

Simply click [Next>] to generate a new, randomly generated password for the application. You will never need to remember this password because TAM E-SSO will enter it for you automatically the next time you log on.

Changing Your Application Password Most applications allow you to change your logon password at any time; some require you to change passwords periodically, for example, every 30 days. You can use TAM E-SSO to apply and keep track of these changes.

If your SSO administrator has configured an application logon for automatic password change, TAM E-SSO detects the application's password-change reminder and automatically displays the Password Wizard to help you.

To change an application's password 1. Open the application's Change Password window. The Password Wizard

appears.


Select the option to generate a new password automatically, then click [Next].

or

Select the option to enter a new password manually, then:

a. On the next Wizard screen, enter your new password in the New Password and Confirm text boxes.

- 29 -


Tip: Click [Reveal] to see your password. If you want to change your password, click [Back] and reenter it.

Note the list of rules under Password Policy Status: Your new password must comply with each of these rules in order to be valid. As you type your password, the rules it complies with are checked. When all of the rules are checked, your password is valid.

b. Click [Next].

On the application's password window, TAM E-SSO submits your password change request.

3. Check the application's message to make certain it has accepted the new password.


If the application accepted the new password, click [Next].

or

If the application did not accept the new password, click [Back] and either repeat the previous steps or click [Cancel].

5. When you see the Completed the Password Change Process message, click [Finish].

Setting Password Options The Passwords tab of the Settings dialog lets you control TAM E-SSO password features.

Your SSO administrator may enable, disable or override any of the settings described below.

Password Settings

Auto-Prompt

Select the Auto-Prompt check box to have TAM E-SSO automatically recognize password-protected applications and Web sites, and prompt you with this message for Windows applications:

and this one for password-protected Web sites:

- 30 -


Note: The [Not Now] and [Disable] buttons appear only with Web site logon requests. With all other logon requests, the options are [Yes] and [No].

Auto-Enter

Select the Auto-Enter check box to have TAM E-SSO immediately enter an application or Web site once you have set up a logon for that application or Web site.

See Setting Logon Options on page 26 for information about logon settings.

To view or modify password settings 1. Click the TAM E-SSO Tray Icon

on the Windows system tray to display the shortcut menu. Point to Configuration, then click Settings. The Settings dialog appears.

2. On the Settings dialog, click the Password tab to display the password settings.

3. When you have completed your changes, do one of the following:

• Click [OK] to confirm your changes and close the Settings dialog box.

• Click [Apply] to confirm your changes (without closing the Settings dialog box), then select another Settings tab.

- 31 -

TAM E-SSO User's Guide Backing Up and Restoring

Backing Up and Restoring TAM E-SSO allows you to back up your passwords and settings to file and restore them if needed.

Note: The Backup and Restore feature is available only if TAM E-SSO is installed using the Complete option or if the Backup/Restore extension is selected using the Custom installation option.

To back up your passwords and settings

1. Click the TAM E-SSO Tray Icon on the Windows system tray to display the shortcut menu. Point to Configuration, then click Backup/Restore. The Backup/Restore Wizard appears.

2. Select the Backup radio button and click [Next>].

6. TAM E-SSO prompts you for your primary logon. Type your primary logon password and click [OK]

7. Click [Browse] to select the location of the backup file and click [Finish].

8. A confirmation message appears. Click [OK].

- 32 -

TAM E-SSO User's Guide Backing Up and Restoring

To restore your passwords and settings

1. Click the TAM E-SSO Tray Icon on the Windows system tray to display the shortcut menu. Point to Configuration, then click Backup/Restore. The Backup/Restore Wizard appears:

2. Select the Restore radio button. and click [Next>].

3. TAM E-SSO prompts you for your primary logon. Type your primary logon password and click [OK]

4. Click [Browse] to select the location of the backup/restore file and click [Finish].

5. A confirmation message appears. Click [OK].

- 33 -

TAM E-SSO User's Guide Glossary

Glossary Authenticator See primary logon method.

Auto-Recognize Enables TAM E-SSO to recognize applications and Web sites and log you on automatically. If TAM E-SSO recognizes an application or Web site that you have not already set up, it will then prompt you to do so.

Auto-Enter Lets TAM E-SSO immediately enter an application or Web site once you have set up a logon for that application or Web site.

Auto-Prompt Lets TAM E-SSO automatically recognize password-protected applications and Web sites, and prompt you to supply credentials.

Backup/Restore Wizard

Lets you save and restore all user data to a file.

Credentials The user-specific information TAM E-SSO needs to perform a logon. This usually consists of a username/ID, a password, and on occasion, one or more other fields.

Directory Server A specialized kind of database, supporting a tree structure rather than tables, used to manage user accounts and access.

Display Dropdown Provides a drop-down menu display when you click the TAM E-SSO Title Bar Button.

Host Generally speaking, a computer that provides services or resources to other devices. In this context, host refers to a mainframe or Unix computer connected to your desktop PC. TAM E-SSO provides your credentials through the host emulator software that connects to the host.

Host Emulator A program that simulates the user interface (look and feel) of a mainframe/UNIX computer terminal. This enables a desktop PC user to interact with a remote host computer.

LDAP (Lightweight Directory Access Protocol)

A common directory server protocol/standard. A TCP/IP-compatible subset of DAP (Directory Access Protocol). Refer to RFC 1777 and others.

Logon Chooser A TAM E-SSO feature that lets you select from two or more sets of credentials for a given logon or password change request.

Logon Manager A TAM E-SSO feature that lets you manage (add, delete, modify, copy or review) your application logon credentials.

Mainframe A large scale computer, typically running applications on multi-user operating systems such as AS/400 and OS/390.

PKI Public Key Infrastructure.

- 34 -

TAM E-SSO User's Guide Glossary

Primary Logon Method

The credentials that identify you as an authorized user of your workstation and network. In most cases, your primary logon, also called an authenticator, is Windows, and your primary logon credentials are your Windows user name, password, and network domain.

Other primary logon methods include LDAP, Microsoft Active Directory, RSA Keon (TAM E-SSO: Authentication Adapter only), and Entrust (TAM E-SSO: Authentication Adapter only) as your primary logon method, logging on to the system unlocks TAM E-SSO.

Setup Wizard Helps you select a primary logon method and (at the administrator's option) provides a list of pre-configured application logons.

System Tray The area on the right side of the Windows task bar that displays icons for access to frequently-used applications and features, including the TAM E-SSO Tray Icon.

Telnet A protocol for connecting to remote computers.

Title Bar Button Menu

A TAM E-SSO feature that displays the TAM E-SSO logo in the upper-right corner of any new window opened on the desktop. Clicking the button on each application, displays a drop-down menu that offers access to TAM E-SSO functions (logon, add application, and so on).

URL (Universal Resource Locator)

The address of anything on the World Wide Web.

- 35 -

Appendix. Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in

other countries. Consult your local IBM® representative for information on the

products and services currently available in your area. Any reference to an IBM

product, program, or service is not intended to state or imply that only that IBM

product, program, or service may be used. Any functionally equivalent product,

program, or service that does not infringe any IBM intellectual property right may

be used instead. However, it is the user’s responsibility to evaluate and verify the

operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter

described in this document. The furnishing of this document does not give you

any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing

IBM Corporation

North Castle Drive

Armonk, NY 10504-1785

U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM

Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation

Licensing

2-31 Roppongi 3-chome, Minato-ku

Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other

country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS

PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER

EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED

WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS

FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or

implied warranties in certain transactions, therefore, this statement may not apply

to you.

This information could include technical inaccuracies or typographical errors.

Changes are periodically made to the information herein; these changes will be

incorporated in new editions of the publication. IBM may make improvements

and/or changes in the product(s) and/or the program(s) described in this

publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for

convenience only and do not in any manner serve as an endorsement of those Web

sites. The materials at those Web sites are not part of the materials for this IBM

product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it

believes appropriate without incurring any obligation to you.

© Copyright IBM Corp. 1996, 2006 1

Licensees of this program who wish to have information about it for the purpose

of enabling: (i) the exchange of information between independently created

programs and other programs (including this one) and (ii) the mutual use of the

information which has been exchanged, should contact:

IBM Corporation

2Z4A/101

11400 Burnet Road

Austin, TX 78758

U.S.A.

Such information may be available, subject to appropriate terms and conditions,

including in some cases, payment of a fee.

The licensed program described in this information and all licensed material

available for it are provided by IBM under terms of the IBM Customer Agreement,

IBM International Program License Agreement, or any equivalent agreement

between us.

Any performance data contained herein was determined in a controlled

environment. Therefore, the results obtained in other operating environments may

vary significantly. Some measurements may have been made on development-level

systems and there is no guarantee that these measurements will be the same on

generally available systems. Furthermore, some measurements may have been

estimated through extrapolation. Actual results may vary. Users of this document

should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of

those products, their published announcements or other publicly available sources.

IBM has not tested those products and cannot confirm the accuracy of

performance, compatibility or any other claims related to non-IBM products.

Questions on the capabilities of non-IBM products should be addressed to the

suppliers of those products.

All statements regarding IBM’s future direction or intent are subject to change or

withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business

operations. To illustrate them as completely as possible, the examples include the

names of individuals, companies, brands, and products. All of these names are

fictitious and any similarity to the names and addresses used by an actual business

enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which

illustrate programming techniques on various operating platforms. You may copy,

modify, and distribute these sample programs in any form without payment to

IBM, for the purposes of developing, using, marketing or distributing application

programs conforming to the application programming interface for the operating

platform for which the sample programs are written. These examples have not

been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or

imply reliability, serviceability, or function of these programs. You may copy,

modify, and distribute these sample programs in any form without payment to

IBM for the purposes of developing, using, marketing, or distributing application

programs conforming to IBM’s application programming interfaces.

2 IBM Tivoli Access Manager for Enterprise Single Sign-On: User Guide

If you are viewing this information softcopy, the photographs and color

illustrations may not appear.

Trademarks

The following terms are trademarks or registered trademarks of International

Business Machines Corporation in the United States, other countries, or both:

AIX

DB2

IBM

IBM logo

Tivoli

Tivoli logo

Universal Database

WebSphere

z/OS

zSeries

Lotus is a registered trademark of Lotus Development Corporation and/or IBM

Corporation.

Domino is a trademark of International Business Machines Corporation and Lotus

Development Corporation in the United States, other countries, or both.

Microsoft and Windows are trademarks of Microsoft Corporation in the United

States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered

trademarks of Sun Microsystems, Inc. in the United States and other countries.

UNIX is a registered trademark of The Open Group in the United States and other

countries.

Other company, product, and service names may be trademarks or service marks

of others.

Appendix. Notices 3

4 IBM Tivoli Access Manager for Enterprise Single Sign-On: User Guide

��

Printed in USA

SC32-2297-00

t l access manager enterprise single...

Documents