Client-Side Modules
Advanced Login, Enterprise Console, SSOWatch, Token Manager
| Platform | 1 GHz or higher Intel x86 processor,
256 MB RAM |
| Operating System | Either of the following: - Microsoft Windows 2000 Service Pack 2 or higher
- Microsoft Windows XP (Home or Professional Edition) Service Pack 1 or higher
- Microsoft Windows 2000 Server Service Pack 2 or higher
- Microsoft Windows 2003 Server Service Pack 2 or higher, (32 bit or non-Itanium 64 bit)
- Microsoft Windows 2003 Server R2
- Microsoft Windows 2008 Server (32 bit or non-Itanium 64 bit)
- Microsoft Windows 2008 Server R2
- Microsoft Windows Vista (32 bit or non-Itanium 64 bit)
- Microsoft Windows 7 (32 bit or non-Itanium 64 bit)
- Citrix MetaFrame 1.8 Service Pack 3 or higher
- Citrix MetaFrame XP Service Pack 3 or higher
|
| Additional Software | Microsoft Internet Explorer 5.5 or higher |
| Note: | Enterprise Single Sign-On has not been validated with the following: - Any virtualization software such as VMware Workstation or Microsoft Virtual PC
|
Audit Database
ESSO Console can store a "master" audit database on a relational database. ESSO Console has been validated with the following configurations:
| Operating System | Microsoft Windows 2003 Server Enterprise Edition |
| Database | Either of the following: - IBM DB2 version 9.0
- Microsoft SQL Server 2000 and 2005
- MySQL Server 5.0
- Oracle 8.1.7.4
- PostgreSQL 8.1
|
The size of the hard drive hosting the audit database depends on how long you want to keep the log online before archiving it. (The audit database does not need to reside on the ESSO Console server itself.) For a rough estimate use the following:
- One log entry = 1000 bytes (including database index and other overhead)
- Typical log activity = 20 log entries per user per day.
LDAP Directories
Enterprise Single Sign-On can access user information located in LDAP directories and use these directories to store SSO and security data. The following directories are supported:
| Directory | Directory and/or operating system versions |
| Active Directory | Either of the following: - Microsoft Windows 2000 Server Service Pack 4
- Microsoft Windows Server 2003 SP1, SP2
- Microsoft Windows Server 2003 R2, SP1, SP2
- Microsoft Windows Server 2008 SP1, SP2
|
| Fedora Directory Server | - Fedora Directory Server 1.0.1 on Red Hat Linux
- Fedora Directory Server 1.2 on Red Hat Linux
|
| IBM Tivoli Directory Server | - Version 5.2 with Fix Pack 003
- Version 6.0
|
| Novell eDirectory | Version 8.7.3 or higher |
| OpenLDAP | - OpenLDAP Directory 2.3.x
- Use the latest stable version from the OpenLDAP Foundation or your OS
manufacturer.
|
| Sun Java System Directory Server | Sun Java System Directory Server 5.2 |
Enterprise Single Sign-On can use Microsoft Active Directory Application Mode (ADAM) to store SSO and security data. ADAM version 1.1 (Service Pack 1) or higher is required. ADLDS included with Windows Server 2008 is also supported.
Using Enterprise Single Sign-On with Samba
Enterprise Single Sign-On can be installed in an environment where Samba is used as an authentication server and domain controller. The prerequisites are:
- Samba must be version 3.0.x
- Samba must use OpenLDAP (see version above)
Supported Authentication Devices
Smart Cards and USB Tokens
The middleware and authentication devices listed below are used by these specific Enterprise Single Sign-On modules:
- Advanced Login can use the devices for user authentication.
- Token Manager and ESSO Console can manage these devices.
- Token Manager and ESSO Console can use these devices for administrator authentication.
| Vendor | Middleware | Tokens |
| Gemalto | No middleware | Cryptoflex e-gate 32K
NOTE: in this mode, only Enterprise Single Sign-On can use the
authentication device. |
| Gemalto | ActivClient 5.3.1 | Cyberflex and Oberthur smart cards |
| Gemalto | ACS 5.2 | Cyberflex 64K with PC/SC readers |
| ActivCard | ACS 5.2 | Cyberflex 64K with PC/SC readers |
| AET | SafeSign 2.2 | Cyberflex smart cards and IKEY3000 tokens |
| Aladdin | eToken RTE 3.65 | eToken PRO (USB and smart card) |
| Oberthur | AWP (Authentic Web Pack)
3.6.2.2 | Cosmo 64 v5 + Option MiOption Hybride Mifare 1Kfare smart cards |
When using smart cards, you must use PC/SC smart card readers that are compatible with both the cards and the middleware detailed above.
The only Certification Authority that is supported at the moment is the Microsoft Windows 2000/2003/2008 Certification Authority in an Active Directory configuration. Other Certification Authorities can be used via the PKCS import feature of ESSO Console and Token Manager.
Biometric Devices
Biometrics support requires that you purchase from Precise Biometrics a license of Precise BioMatch Pro Toolkit 2.3.0 for each workstation where biometric authentication will be performed;
The list of biometric devices supported by Precise BioMatch Pro Toolkit 2.3.0 is currently the following;
- Precise 100 A/AX/SC/MC/XS/BioKeyboard/PC-Card
- Precise 200 MC
- Precise 250 MC
- IRIS BCR100T
- IRIS Mobile SmartTerm St4E
- AuthenTec AES4000 API-based readers
- AuthenTec AES2501 API-based readers
- Cherry FingerTip Keyboards
- UPEK ST1
- UPEK ST2
- silex FUS-200N
- silex MUSB-200-COMBO
- silex COMBO-mini
Warning: some of these devices require a specific license of the Precise Biometrics software. Determine with the vendor which license is appropriate.
For an up-to-date list, contact Precise Biometrics at http://www.precisebiometrics.com.
RFID/HID Devices
XyLoc support requires that you obtain from Ensure Technologies the Software Development Kit in order to deploy on each workstation the ETSecure.dll. E-SSO has been tested with the following MIFARE components:
- SAGEMYpsid S1-IAS
- Sagem YPsid MatchOnCard
- GemSafeYpresso 64K (Classic TPC)
- Oberthur
- Cyberflex 64K
- Crypto.NET v2+
These tests have been done with the following reader: CardMan 5321, these RFID devices are natively supported (no middleware needed)
E-SSO is pre-configured with the following ATR (Answer To Reset):
| ATR | Badge |
| 3b8f8001804f0ca000000306030001000000006a | Mifare Standard 4K |
| 3b8f8001804f0ca0000003060300020000000069 | Mifare Standard 1K |
| 3b8f8001804f0ca0000003060a001c000000007e | HID iCLASS |
| Start with 3b05 | HID Prox 125kHz format H10320 |
| Start with 3b06 | HID Prox 125kHz format H10301 |
| Start with 3b07 | HID Prox 125kHz format H10302, H10304 and Corp 1k |
Warning: Xyloc devices are not supported with Microsoft RDP.
SSOWatch Plug-in Requirements
General
Plug-ins are extensions of SSOEngine and SSOStudio. They provide SSO authentication methods for specific types of applications.
These plug-ins are delivered with SSOWatch. Plug-ins are available for:
- Microsoft Internet Explorer (for Internet Explorer 5.5, 6.0,7.0 and 8.0)
- Firefox 1.5, 2.0, and 3.0.4 and higher (warning, due to an issue Firefox 3.0.0 to 3.0.3 are not supported)
- Sun Java SE Runtime Environment (JRE) 1.4, 1.5 and 1.6
- Lotus Notes versions 4.x, 5.x and 6.5
- Microsoft Telnet
- HLLAPI (see Configuring the HLLAPI Plug-in section for supported emulators)
- SAP R/3 client version 6.20
- SAP R/3 client version 6.20
- Script environment for Windows and HTML applications that are not covered by the standard WiseGuard process
SSOWatch SAP R/3 Plug-in Requirements
Plug-ins are extensions of SSOEngine and SSOStudio. They provide SSO authentication methods for specific types of applications.
These plug-ins are delivered with SSOWatch. Plug-ins are available for:
| SSOWatch Window Type | SAPGUI Scripting |
| SAP R/3 Client Version | Either of the following: - SAP GUI 6.20
- SAP GUI 6.40
- SAP GUI 7.10
|
SAP R/3 Server Version
(Minimum Kernel Patch Level) | Either of the following: - 6.10 (360)
- 4.6D (948)
- 4.5B (753)
- 4.0B (903)
- 3.1I (650)
|
Important: The SAP web-based Start Center is compatible with Enterprise Single Sign-On, but you need to upgrade to SAPGUI Version 6.40 with Patchlevel 23.
The SAPLogin and SAPExpired window types defined in version 3.71 of SSOWatch remain available to ensure the continuity of deployed configurations. We recommend not using them for new deployments. Existing windows should be ported to SAPGUI Scripting window types.
Supported HTTP Server
The following Enterprise Single Sign-On features require HTTP server:
- Web Service administration API
- Password reset feature
Important: We strongly recommend using the HTTP server delivered on the Enterprise Single Sign-On CD. Only this HTTP server (based on Apache 2.0) is supported by Quest Software. No support for the above-mentioned features will be provided when used with any other server. As well, Quest Software will not support the bundled server for functions other than those that are strictly necessary for the abovementioned Enterprise Single Sign-On features.
The password reset feature requires you to use a certificate generated by a Certification Authority (CA) in order to activate HTTPS. For evaluation purposes, a sample CA is delivered on the product CD, without any further support for that CA. Please use a supported CA for actual deployments.