2 Using the Administrative Console to Configure Logon Manager

2.1.1.1 Authentication

Authentication is how the system validates users to gain access to Logon Manager. It consists of three layers:

• The authenticator itself

• The authentication service

• The Logon Manager Authenticator API

After the system validates the user, it passes the users validation information to the core shell.

Logon Manager ships with these authenticators:

• Windows Domain (same password used to log on to the network (deprecated as of version 11.1.2)

• Windows Authentication v2

• LDAP Directory Server

• LDAP Directory Server v2

• Authentication Manager

• Entrust Entelligence

• Proximity Card

• Read-Only Smart Card

• RSA SecurID

• Smart Card

You determine which authenticators to support, which to install on each computer, and which to enable for each user. (Default: Windows Domain installs.)

For details, see Configuring the Agent for Windows Authentication.

2.1.1.2 Encryption

Encryption secures user credentials in the data store. The Agent requests that credentials be encrypted/decrypted based on the appropriate Crypto Library algorithm. The Agent automatically migrates credentials to a new algorithm/strength (for example, from Triple-DES to AES).

Logon Manager supports a variety of encryption algorithms and algorithm strengths to suit your corporate, legal, security, performance, and other requirements. The product ships with these popular algorithms:

• AES (MS CAPI) (Default)

• Cobra 128-bit (deprecated)

• Blowfish 448-bit (deprecated)

• Triple-DES 168-bit (deprecated)

• AES 256-bit (deprecated)

• Triple-DES (MS CAPI) (ALL OSs) (deprecated)

• Triple-DES (MS CAPI) (XP/2003 only) (deprecated)

• RC-4 (MS CAPI) (ALL OSs) (deprecated)

• RC-4 (MS CAPI) (XP/2003 only) (deprecated)

Other algorithms can work as encryption modules.

You determine which encryption algorithms a user can use and which encryption new/modified credentials should use.

For details on setting the default algorithm and strength, see the Global Agent Security Settings.

2.1.1.3 Intelligent Agent Response

When an application presents a request for credentials, the Agent detects this event, determines the appropriate action, and responds with the correct credentials. The interface that performs these evaluations is the Intelligent Agent Response. It interfaces with Access Manager to supply the proper credentials to each application. Access Manager acquires the credentials from the Shell.

Windows support installs automatically. You determine whether to install support for Web and/or Host applications. (Default: All modules install, but Host support is disabled.) Logon Manager supports many host emulators. You determine which, if any, the Agent will recognize. (Default: The Agent works with all supported emulators but requires emulator configuration for some emulators.) Oracle recommends that you configure host emulators to work with the Agent before deploying Logon Manager.

For more information on adding additional application configurations, see Creating and Using Templates. For more information on host emulators, see Section 7.2.4, "Configuring Host Emulators."

Logon Manager ships with the configuration information for popular applications built in. It can work with its default installation settings; however, you have the flexibility to tailor its functionality to the specific needs of any organization. Some of the most commonly-customized functions are:

• Application Templates, which improve usability by letting users select from a predefined logon list. Applications include Windows applications, host applications, and Web applications.

• Mobility Support, to provide location transparency and automatic backup and restore.

• Event Logging, which enables Logon Manager to log various events such as logons, password changes, and so on.

• First-time use, which customize the user setup process to meet an organizations needs and improve usability.

• Password policies, which propagate enterprise security policies, improve security, and (when automated) improve usability.

• Logon Manager settings, which control the UI, implement security, enable, disable, and configure features, and more.

Each of these customization decisions impacts multiple stages of planning, deployment, use, and management.

2.1.1.4 Core (Including Storage)

Using your preferred encryption algorithm, the Agent encrypts and stores user credentials locally in the encrypted Local Credential Storage; it never maintains credentials unencrypted on disk or in memory. The credentials are stored in a user-specific secure database file. Within this file are the encrypted records for each set of user credentials, user settings, and additional configuration information.

2.1.1.5 Credential Synchronization

While the Agent stores user credentials and settings locally, it can synchronize the credentials and settings with remote file systems, directories, databases, devices, and so on. Synchronization can be of the entire user database file (which contains all user credentials) or of individual records within the database. The synchronization is triggered by a change to the Local Credential Storage or settings. Synchronization can be extended to any storage mechanism via the Synchronization API.

Agent administration is fully supported via the Synchronization component and allows the administrator to dynamically deliver updated settings and configuration data to the Agent through the central storage mechanism.

The Agent works with a variety of synchronization extensions, providing users access to their credentials from any desktop, and includes the following:

• Microsoft Active Directory

• Microsoft Active Directory Lightweight Directory Services (AD LDS), formerly Microsoft Active Directory Application Mode (ADAM), hereafter referred to as Microsoft AD LDS (ADAM)

• Lightweight Directory Access Protocol (LDAP)

• Database

• File System

Logon Manager supports the most popular LDAP-compliant directory servers, including:

• Oracle Directory Server Enterprise Edition

• Oracle Internet Directory

• Oracle Unified Directory

• Oracle Virtual Directory

• IBM Tivoli Directory Server

• Microsoft Active Directory Server

• Novell eDirectory

• OpenLDAP Directory server

• SQL-compliant relational database system, including:

  • Oracle Database

  • Microsoft SQL Server

  • IBM DB2

  Note:

  For information about required and supported versions, see the product certification matrix.

Logon Manager also includes a synchronizer extension supporting a file system, such as can be found on a remote network drive share.

You determine which synchronization modules to install on each computer, which modules to enable for each user, and how to configure each extension. (Default: The synchronizer module installs but no synchronization extensions install.) See the following sections for more information about each feature:

• Mobility Configuration

• Storing User Data

• Directory Server Synchronization Support

• File System Synchronization Support

• Database Synchronization Support

2.1.1.6 Event Logging

When notified by the Shell, the Agent can log all SSO system events, including credential use, credential changes, global credential events, Agent events, and Agent feature use. The Agent can also log specified fields. Events can be logged locally or to any external destination through the Event Logging API. These destinations can include an SNMP service, a Windows server (for viewing via the Windows Event log), or even a local XML log file for simplified parsing and reporting.

The Agent can log all events through its Event Logging API.

Logon Manager works with a variety of Event Logging extensions and includes two Event Logging extensions writing to both local and remote servers:

• Local File extension, to an XML file

• Windows Event Logging extension, to a Windows Event Logging server

• Logging events to a database

• Logging events to a Syslog server

Oracle may release additional extensions (for example, Oracle and SNMP), and you can easily write your own extensions.

You determine which Event Logging modules to install on each computer, which modules to enable for each user, how to configure the extensions, how frequently the Agent writes to these extensions, how much data the Agent caches, where the Agent writes the log, and more. (Default: No Event Logging modules install, and no logging occurs)

See Event Logging for details.

2.1.1.7 Miscellaneous Components

Logon Manager also contains the following miscellaneous modules:

• Backup/Restore. For users who do not perform any Credential Synchronization, the Backup/Restore component enables archiving and restoration of user credentials.

• Citrix and Windows Terminal Services Tools. For environments that require using the Agent within a Citrix Server or Windows Terminal Services environment, additional components are supplied to allow Logon Manager to interact appropriately within each session.

• Installer Package. Logon Manager ships within a Windows Installer package that supports the flexibility of that technology for easier deployment and customization.

2.3.1.1 One Workstation, One User

When users are always at a given workstation, their credentials can be backed up to a remote location using an SSO synchronizer extension. See Synchronization for more information.

Alternately, the Backup/Restore facility module can store credentials on the workstation without the use of a remote repository. The Backup/Restore module is not installed by default. Users can perform backups manually, or the backup can be automated. See File-Based Backup/Restore for more information.

2.3.1.2 Frequent Movement Among Few Workstations

When users move frequently among a few workstations, but are always on those few workstations, you have two basic options for supporting their Logon Manager credentials.

The recommended option is to utilize a remote SSO repository. Both starting the Agent and any change to credentials force a record-level comparison (synchronization) of all records, ensuring that the user always has the most current credentials possible.

One other option is to configure Automatic Backup to a network file share. With proper configuration, the Agent will perform a silent backup to a remote store (network drive) with each change of credentials (Refresh Task). When the Agent first starts, it will see if the remote store is newer than the local store; if so, it will perform a silent restore; either way, the user will have the current credentials. Because this is a file-level (as opposed to record-level) comparison, this option is not safe if the user logs onto more than one computer at the same time.

2.3.1.3 Frequent Movement Among Many Workstations

When users move frequently among many workstations, you have two basic options for supporting their credentials.

The recommended option is to utilize a remote SSO synchronization repository. Both starting the Agent and any change to credentials force a record-level comparison (synchronization) of all records, ensuring that the user always has the most current credentials possible. In addition, to increase security and to reduce disk space use, enable the o increase security and to reduce disk space use, enable the Delete Local Cache (on Shutdown) option in Global Agent Synchronization Settings.

Alternately, if your Windows environment is already set up with Windows Roaming Profiles, user data is automatically available to the user since it is included in the %AppData% file directory. However, due to the bandwidth-intensive nature of Windows Roaming Profiles, it is not recommended for use with SSO credentials.

2.3.1.4 One Workstation, Many Users

A single workstation may be accessed by a number of users, such as a kiosk. A smart card (or other token) and a PIN can be used to log on to a kiosk (Authentication Manager only). To enable these users' access to the remote SSO repository the ssoSCDetect utility can be used to start the Logon Manager Agent and prompt for primary logon whenever a smart card is inserted in the reader. When the card is removed, the user is automatically logged out of the Agent. See Section 7.2.9, "Smart Card Monitor Utility (ssoSCDetect.exe)" for more information.

2.3.1.5 Disconnected

When users use laptops or are in remote locations, they often stay disconnected from the network for long periods of time.

The Logon Manager Agent stores credentials locally, providing full independence for mobile users who cannot rely on a network connection. Logon Manager modules like Storing User Credentials and Settings (see Storing Credentials in the User Object) and Event Logging support occasional reconnecting, ensuring reliability.

With File-Based Backup/Restore, users can save their own data to a floppy or zip drive.

The Logon Manager synchronizer extensions are configured for offline users using Synchronization options, including Disconnected Operation (see Global Agent Synchronization Settings).

2.3.1.6 Security Locked Down vs. User Freedom

You can customize Logon Manager to provide the balance of security appropriate to your organization's policies and risk/trust level. For example, some organizations need to insure that a user cannot deny having taken a given action, whereas others are not as security-conscious. See Oracle Enterprise Single Sign-On Suite Secure Deployment Guidelines for a complete discussion of Oracle's security recommendations.

2.3.1.7 Usability: User Flexibility vs. Simplicity

You can customize Logon Manager to provide the balance of usability appropriate to your organization's policies and user skill level. For example, some organizations largely employ users who are confused by all but the simplest user interface, whereas others are staffed by more experienced users and might wish to offer flexibility in their environment.

2.3.1.8 Other Settings

You can customize Logon Manager in many ways, and you can enforce these settings at the user, computer, or group level. (The group level can include the entire enterprise.) See Global Agent Settings in Depth for details.

2.3.2.1 Application Configurations

You can provide application configurations to users from the Logon Manager repository. Determine your application configurations and then push to an object in the Logon Manager repository. If using a centralized environment, you need only one object; if you are using a decentralized environment, you can customize the list of supported applications to meet each groups needs. See Creating and Using Templates for more information.

2.4.2.1 Creating the Container Object

A container object is typically a file system share in UNC format, for example:

\\Server\Share

Or it can be a share with a path, for example:

\\Server\Share\Path\subPath

The container object holds overriding settings and a container object named People.

• The People container object is a file folder that holds a container object for each user (rights: User=Full; Server\Administrators=Full),

• Each of these user container objects holds a container object named SSOUserData.

• Each SSOUserData container object holds user settings in an SSOSecretData object (a file) and container objects for each application credential.

• Each of these container objects contains a user's credentials for one application (a file named SSOSecretData).

Use the Administrative Console to create container objects with the proper security, to create the People container object with the proper security, and to place overriding settings with the proper security in the People container object.

1. In the left pane of the Administrative Console, right-click Repository and choose Connect To… from the shortcut menu.

2. Enter or select the required connection information, then click OK.

3. In the right pane, navigate to the container object where you will create the People object and overriding settings.

4. If necessary, create a new container object:

   1. Right-click the parent container object, and choose New Container from the shortcut menu.

   2. Enter a name for the new container object and select it.

5. Right-click the container object (where the People container object and overriding settings will exist) and choose Publish to Repository from the shortcut menu (also see Publishing to the Repository).

6. Choose the Data Source of the overrides and provide the information requested:

   • Administrative Console

   • Data File

7. When you complete the configuration procedure, the newly-created People object and entries for any overriding settings appear in the Repository pane. Right-click on any object and choose Refresh if necessary.

8. Repeat this procedure for each additional container object.

2.4.4.1 IBM DB2 Setup Requirements

• You must install the IBM DB2 Client on the local machine.

• The DB2 client must have OLE DB (Object Linking and Embedding Database) support installed and configured. This support provides a set of interfaces that allow applications to uniformly access data stored in different data sources. To install OLE DB support, run the DB2 setup wizard and navigate to Client support > Interfaces > OLE DB Support. See your DB2 documentation for more information.

• The currently logged-on user (to Windows) who is extending the schema must have the appropriate rights to the database in order to connect to the repository and extend the schema. The DB2 User Account must have "Database Administrator Authority" rights.

• A DB2 administrator must create a database named "vGOSSO."

  Refer to the IBM DB2 instructions for detailed information on any of these instructions.

2.4.4.2 Extending the Database Schema

1. Open the Administrative Console.

2. From the Repository menu, select Extend Schema.

3. From the Connect to Repository menu, enter or select the required IBM DB2 connection information:

   • Server name. Enter the server name.

   • Repository Type. Select DB2 Database.

   • Port. The port number needs to be entered only if it is not the default port (normally 50000). If the port is the default, you can leave this field blank.

     
     

4. Click OK.

   Note:

   You must have administrator-level authentication to connect the Administrative Console to the database server. The Administrative Console connects to the database, creates the necessary objects, and confirms successful configuration.

   The Extend Schema function uses the following SQL commands to extend the schema:

   CREATE SCHEMA vGOSSO;

   CREATE TABLE vGOSSO.SSO_ADMIN (ConfigType VARCHAR(128) NOT NULL, Data CLOB, PRIMARY KEY(ConfigType));

   CREATE TABLE vGOSSO.SSO_USERS (UserID VARCHAR(128) NOT NULL, ObjectID VARCHAR(255) NOT NULL, Data CLOB, PRIMARY KEY (UserID, ObjectID));

5. After schema extension, in the DB2 database, grant full rights to SSO_USERS table and its indexes and read-only rights to SSO_ADMIN table and its indexes.

2.4.4.3 Publishing to the Repository

1. In the left pane of the Administrative Console, right-click Repository and select Connect To… from the shortcut menu.

2. Enter or select the required connection information, then click OK.

3. In the right pane, navigate to the root (server name).

4. Right-click on the root and select Publish to Repository from the shortcut menu. The People container object will already exist under the root.

5. Choose the Data Source of the Administrative Overrides and provide the information requested:

   • Administrative Console. Use this wizard page to export an Agent configuration to a selected synchronizer container using the current Administrative Console settings as the source.

   • Data File. Use this wizard page to export an Agent configuration to a selected synchronizer container using one or more data files as the source.

6. When you complete the configuration procedure, entries for any overriding settings appear in the Repository pane. Right-click on any object and choose Refresh if necessary.

2.4.4.4 Required Settings for Connecting to IBM DB2 Database

You must set the Required Database Synchronization settings for all database synchronizer extensions.

To add the synchronizer and configure it for IBM DB2:

1. Open the Administrative Console and select a set of Global Agent Settings.

2. Expand Synchronization > DBExt > Required.

3. Enter the following information:

   • Extension location. Make sure this is checked. It is the path\filename of the IBM DB2 database synchronizer extension. Default: C:\Program Files\LocalDirectory\v-GO SSO\Plugin\SyncMgr\DBEXT\DBExt.dll)

   • Servers. Specify the connection string for the database server in the order to attempt connection for synchronization. Select the checkbox and click the ellipsis ("…") button to open the Edit List dialog. Enter the full connection string for one database server on each line; end each line by pressing Enter. Do not use any other delimiter characters.

     Note:

     You must specify at least one connection string for the extension to work.

     To connect to an IBM DB2 database, use the following connection string:

     Provider=IBMDADB2;Data Source=vGOSSO;CurrentSchema=vGOSSO;Location= <DB2ServerName>[:port];Extended Properties="trusted_connection=yes";

     Where <DB2ServerName> is the name of the server and [:port] is the optional port.

4. Expand Synchronization>DBExt>. The Advanced Database Synchronization settings control special-case options for all database synchronizer extensions. This setting is not required.

   Append Domain when naming objects enables appending of the user's domain to the username in naming the user's container.

   Example: For the domain company and user user1, the container is named user1 with this flag disabled and user1.company with this flag enabled. Default is set to Disable. Select Enable to activate this feature.

2.4.5.1 Displaying and Connecting to a Repository

• To display an established connection to a synchronization repository:

  Click Repository in the left pane to display the current Logon Manager synchronization repository.

• Or, if no connection is active:

  Right-click Repository in the left pane and choose Connect To… from the shortcut menu.

2.4.5.2 Repository Actions and Options

Right-click an object in the Repository window in the right pane to display one of the following shortcut menus of commands and options.

2.4.5.3 Add User or Group (for Active Directory Role/Group Support)

Use this dialog to select the individual users or user groups to add to the access list for the current configuration item (application logon, password policy, Global Agent Settings, or passphrase set).

2.4.5.4 Viewing Global Group Membership (for AD Role/Group Support)

The Global Group Membership dialog lists the members of a group selected in the Add User or Group dialog. Use this dialog to select the individual members to add to the access-control list for the current configuration item. (Use Ctrl+click or Shift+click to select multiple entries). Click Add to copy the selected names to the Add Names list in the Add User or Group dialog.

2.4.5.5 Searching for Specific Users or Groups (for AD Role/Group Support)

Use the Find Account dialog to search for a specific individual user account or user group in a specific domain or across multiple domains, then add any or all of the search results to the access-control list for the current configuration item (application logon, password policy, Global Agent Settings or passphrase set).

2.4.5.6 Adding Users or Groups (for LDAP Role/Group Support)

Use this dialog to select the individual users or user groups that are to be added to the access list for the current configuration item (application logon, password policy, Global Agent Settings or passphrase set).

2.4.5.7 Selecting a Search Base (for LDAP Role/Group Support)

Use this dialog to browse to and select the base (highest-level) directory to search for user/group names. Click OK when finished to return to the Select Users or Groups dialog.

2.4.5.8 Browsing for a Repository

This dialog allows you to navigate to a specific target repository container within the currently connected directory server's hierarchy. It also allows you to connect to a different server, if necessary.

To select the target repository container:

1. (Optional) If the directory server to which the Administrative Console is currently connected is not the desired target server, click Change Server, fill in the connection information, and click OK to connect to the desired server.

2. In the directory tree, navigate to and select the target container.

3. Click OK.

2.4.5.9 Connecting to the Repository

To connect the Administrative Console to a synchronization repository:

1. Right-click Repository and select Connect To… from the shortcut menu.

2. Enter or select the required connection information, then click OK.

2.4.5.10 Connection Controls

2.4.5.11 Creating a New Container

Use the New Container prompt to name a new container object at the selected node in the current repository.

To name a new container, enter a container name, then click OK.

See Repositories for more information.

2.4.5.12 Editing a Server List

Use this dialog to remove servers that are listed in the Server Name drop-down list on the Connect to Repository dialog. Select a server and click Delete. Click OK when finished.

2.4.5.13 Editing a Repository List

The dialog, Select Objects to Bring to Console, displays the list of most recently used target repositories and allows you to delete unwanted entries from the list.

To delete an unwanted entry from the list:

1. Select the entry in the list.

2. Click Delete.

3. Repeat steps 1-2 for any other unwanted list entries.

4. When you have finished, click OK.

2.4.5.14 Subnodes Filtering Options

The subnodes filtering settings control the number of items that display in repository trees. Using filtering, you can refine the criteria that the Administrative Console uses to display the subnodes of these trees, so that they display more manageable results.

You can limit displayed subnodes in two ways:

• Filter list. Uses the asterisk (*) and question mark (?) wild cards.

  The wildcard filter is node-specific. You can use a different wildcard for each node that you want to filter. The wildcard filter is discarded when you switch repository nodes and expires at the end of the Administrative Console session.

• Truncate list. Limits the number of nodes to display.

  Specify a threshold for the maximum number of child nodes to display in a tree. This number governs all repository nodes and remains in effect between Administrative Console sessions. The minimum value is 1; the maximum value is 65,535; and the default value is 1,000. This means that the Administrative Console will display no more than 1,000 entries in a subnode unless you configure it differently.

  If you enter a value less than the minimum or greater than the maximum allowable values, Administrative Console uses whichever limit is closer.

To filter a subnode:

1. Connect to a repository.

2. Right-click on a node in the repository and select Filter Subnodes…

3. In the Subnodes Filtering Options dialog, do either or both of the following:

   • In the Filter List field, enter a wildcard expression.

   • In the Truncate list field, select the maximum number of nodes to display. The maximum number that you can specify is 65,535. The default is 1,000.

4. Click OK.

5. Expand the subnode to view the results.

2.4.5.15 Working with Filtered Subnodes

The icon of a filtered subnode contains an F next to its standard icon to indicate a filtered state:

If you choose to expand a node containing a number of subnodes greater than the threshold that you set in the Truncate list setting, the Subnodes Filtering Options dialog appears, displaying the following:

Warning: The number of items to be displayed is XXXX (the number you specified), which exceeds the limit defined below.

Click OK to expand the subnode using the limit that you previously set, or change the maximum number of nodes to accommodate the list, and then click OK.If you did not set a threshold for this subnode, the Administrative Console uses the system default of 1,000.

2.4.5.16 Importing Multiple Objects to the Administrative Console

The Bring Multiple Objects to Console dialog displays, in a flat list, all objects residing in the selected container and all of its child containers, and allows you to select multiple objects for import to the current Administrative Console settings

To select multiple objects from the list and bring them to the Administrative Console:

• Ctrl+click each desired object.

  or

1. Shift+click the first and last objects in the desired range.

2. Click OK.

2.4.5.17 Publish to Repository

This screen allows you to publish configuration objects of your choice to the selected target container, either in a directory-style hierarchy (default), or as a flat configuration file.

To select and publish the desired objects to the repository:

1. Do one of the following:

   • From the tree, right-click on the configuration object that you want to publish, and select Publish or Publish To….

     or

   • Select a configuration object from the tree and select Tools > Publish to Repository.

2. In the Available configuration objects list of the Publish to Repository dialog, navigate to and select the desired objects.

   Note:

   Only categories for which objects have been configured will appear in this list. For example, if no password generation policies exist, the corresponding category will not appear in this list.

3. Click >> to move the selected objects to the Selected objects to be published list. (To remove an object from this list and not publish it, select the object and click <<.)

4. (Optional) If you did not invoke the Publish SSO Objects Here command by right-clicking on the target container, select the desired container from the Target repository drop-down list.

   Note:

   If the target container path does not appear in the list, click Browse to find and select the desired container.

   To remove unwanted entries from this list, select the Edit list option from the list.

5. (Optional) If your environment calls for storing configuration objects in flat-format, check the box, Store selected items in configuration files, rather than as individual objects.

   Note:

   Selecting this option will overwrite all items stored in existing configuration files, if present, in the target container.

6. (Optional) If you want to create the first-time-use object (FTUList), select the corresponding check box.

   Note:

   This option only becomes active if you choose to store your configuration objects in flat format in step 4.

7. Click Publish. The Administrative Console publishes the selected objects to the target repository.

   Note:

   Do not attempt to dismiss the dialog or close the Administrative Console until the publishing process completes. The dialog disappears automatically when the objects have been published.

   To quickly publish an object or a group of objects, select it in the left-hand tree, right-click it, and select Publish (single objects and groups) or Publish To (single objects only) from the context-menu.

   This will invoke the Publish to Repository dialog and automatically add the object(s) to the list of objects to be published. Keep in mind that:

   • If you select the Publish option, the Publish to Repository dialog appears.

   • If you select the Publish To option and select a repository, the selected object is automatically published to that repository and the Publish to Repository dialog is not displayed. (If you are not currently connected to the selected repository, you will be prompted to authenticate to the directory server.)

2.4.5.18 Publishing to the Repository from the Administrative Console

Use this window to export an Agent configuration to a selected synchronizer container using the current Administrative Console settings as the source. You can export:

• One or more application logons

• A first-time use (bulk-add) object

• A set of Global Agent Settings

2.4.5.19 Exporting Administrative Overrides from the Administrative Console

To export administrative overrides from the Administrative Console:

1. Do one of the following:

   • Select Send All Applications.

     or

   1. Select Send Some Applications, then:

   2. Click Select Apps.

      or

   1. From the Select Applications dialog, select the applications to send, and click OK.

   2. Choose Send No Apps.

2. Optionally, select Create First-Time-Use (FTUList) object.

3. Optionally, choose a set of Global Agent Settings from the Admin Overrides drop-down list.

4. Select Next. The wizard displays a summary of the Override configuration.

5. Select Finish to complete the export.

2.4.5.20 Displaying the Publish to Repository Window

1. Connect to the Logon Manager repository.

2. In the right pane, right-click a container object and select Publish to Repository from the shortcut menu to open the Publish to Repository dialog.

3. Select Administrative Console.

2.4.5.21 Publishing to the Repository from a Data File

Use this window to export an Agent configuration to a selected synchronizer container using one or more data files as the source. You can export:

• One or more application logons.

• A first-time use (bulk-add) object.

• A set of Global Agent Settings (from an.ini or.reg file).

2.4.5.22 Exporting Administrative Overrides from Data Files

1. Enter the file names (or select Browse to select a data file) as the source for each administrative override object you want to export. You can export:

   • First-Time Use (from an ftulist.ini file).

   • Administrative overrides (from a valid INI or REG file).

   • Applications (from an entlist.ini file).

2. Click Next. The wizard displays a summary of the override configuration.

3. Click Finish to complete the export.

2.4.5.23 Displaying the Wizard Page

1. Connect to the synchronizer repository.

2. From the right pane, right-click a container object and select Publish to Repository from the shortcut menu to open the Publish to Repository dialog.

3. Select Data File.

2.4.10.1 Publish to Repository Summary Page

Use this page to review the configuration. To make changes, use the Back and Next buttons to display a page. When your configuration is complete, select Finish.

2.5.4.1 Method 1: Logon Manager Looks for the User Object

Logon Manager first looks for the user object, CN=%UserName%, inside an OU=People object, specified by the Root registry key (see above).

If that registry key is set to:

OU=SSOConfig,OU=QA,OU=Eng,OU=Company,DC=com,

then the Agent looks for:

CN=%UserName%,OU=People,OU=SSOConfig,OU=QA,OU=Eng,OU=Company,DC=com.

If the Root registry key is not set, the Agent looks in:

HKLM\…\Extensions\SyncManager\%Extension%

for User Paths (see LDAP Synchronization Settings) or Naming Attribute string (see LDAP Special Purpose Synchronization Settings), which points to where the Agent should look.

For example, if UserPath1 is set to:

CN=users,DC=Company,DC=com

then the Agent looks for:

CN=%UserName%,OU=People,OU=SSOConfig,OU=QA,OU=Eng,OU=Company,DC=com

2.5.4.2 Method 2: Logon Manager Looks for a User Pointer

If the user object is not present, Logon Manager next looks for an SSOLocator object in the same object as the SSOConfig object. Therefore, continuing the example above, the Agent looks for:

CN=%UserName%,OU=SSOLocator,OU=QA,OU=Eng,DC=Company,DC=com

If the user pointer is not present, then the Agent walks the tree, toward the root, looking first in:

CN=%UserName%,OU=SSOLocator,OU=Eng,DC=Company,DC=com

and then

CN=%UserName%,OU=SSOLocator,DC=Company,DC=com

If an SSOLocator object exists with the users CN, it points to where the user's credentials will be stored; the Agent records this information in the user's Root registry key, and future logons look in that location.

Note that the pointer can indicate any location in the Directory Tree; for example, a pointer at:

CN=%UserName%,OU=SSOLocator,OU=Eng,DC=Company,DC=com

can point to a user object at:

CN=%UserName%,OU=People,OU=SSOConfig,OU=Sales,DC=Company,DC=com.

2.5.4.3 Method 3: Logon Manager Looks for a Default Pointer

If a user pointer object is not present, Logon Manager next looks for a default object inside each SSOLocator object. Continuing the example above, the Agent looks for

CN=default,OU=SSOLocator,OU=QA,OU=Eng,DC=Company,DC=com

If an SSOLocator object exists with the CN=default object, it points to where the user's credentials will be stored by default; the Agent records this information in the user's Root registry key, and future logons look in that location. An example of a default object is:

OU=People,OU=SSOConfig,OU=Sales,DC=Company,DC=com.

2.5.5.1 File System Structure

When a user first connects to the file system, the computer is configured to locate a specific path. The Agent is then directed to find the vGOConfig object, which contains overriding settings and a People object, which contains the user's settings, preferences, and credentials.

2.5.11.1 Sample Scenarios

Example

• Order: Ext1,Ext2,Ext3,Ext4.

• Ext1 has Admin Overrides.

• Ext2 has Admin Overrides, an entlist.ini file, and an first-time use information file.

• Ext3 has no Admin Overrides.

• Ext4 has Admin Overrides, and an first-time use information file.

Scenario A

• Ext1 connects; downloads Admin Overrides; and synchronizes.

• Ext2 connects; downloads application configuration information and first-time use configuration information; and synchronizes.

• Ext3 connects and synchronizes.

• Ext4 connects and synchronizes.

Scenario B

• Ext1 fails.

• Ext2 connects; downloads Admin Overrides, application configuration information, and first-time use configuration information; and synchronizes.

• Ext3 connects and synchronizes.

• Ext4 connects and synchronizes.

Scenario C

• Ext1 fails.

• Ext2 fails.

• Ext3 connects and synchronizes.

• Ext4 connects; downloads Admin Overrides and first-time use configuration information; and synchronizes.

2.6.5.1 Password Constraint Options

The following tables list the various password constraint options and their possible values.

2.6.6.1 Generating a Test Password

Use this screen to generate a list of passwords that conform to your policy and determine if the policy adequately addresses your needs.

1. Select or enter the Number of test passwords to generate.

2. Click Generate Passwords. The sample passwords display in the output window.

3. When you are finished, click Cancel or the X in the upper right corner to close the dialog.

To display this dialog:

1. Do one of the following:

   • Select a password policy

     or

   • Create a new password policy.

2. Click the Password Constraints tab in the right pane.

3. Set or modify the constraint settings, then click Test Policy.

2.9.2.1 Special Considerations for Active Directory Users

Active Directory users who publish exclusion lists must be members of the "SSOExclusionAdmins" Global Security Group, if the group exists. Logon Manager handles the SSOExclusionAdmins group as follows:

• If you are using Active Directory and the SSOExclusionAdmins group exists, a user must be a member of this group to publish exclusions.

• If you are using Active Directory and the SSOExclusionAdmins group does not exist, or if you are using another directory service, anyone with publishing rights can publish an exclusion list.

• If you are using Active Directory, the SSOExclusionAdmins group exists, and a non-group member attempts to publish several objects that include an exclusion object, the other objects will be published without the Exclusion object.

2.9.2.2 Publishing Exclusion Lists with Configuration Files

You cannot publish exclusion lists as standalone configuration (entlist.ini) files. When you publish configuration files (that is, you have checked the box in the File mode section of the Publish to Repository screen), exclusion lists are published as a subset of an application for which you've configured exclusions.

2.9.4.1 Selecting an Exclusion List for Viewing or Editing

To view or edit an exclusion list:

1. Click Exclusions in the left pane.

2. Select an Exclusion list from the list in the right pane, then click Edit; or double-click the Exclusion list name in the right pane. The Exclusion Subscribers tab appears in the right pane.

or

1. In the left pane, click the plus sign (+) next to the Exclusions icon (or double-click Exclusions) to display the created Exclusion lists.

2. Click an Exclusion list to select it. The Exclusion Subscribers tab appears in the right pane.

2.9.4.2 Exclusion Subscribers

Use this tab to add applications to an exclusion list.

1. Select an Exclusion list from the Exclusions node in the left pane.

2. Click Add on the bottom of the tab.

3. In the Select Application screen, select the application that you want to add to the list. Use Shift+Click or Ctrl+Click to add multiple selections.

4. Click OK. The applications you selected appear in the tab window.

2.9.4.3 Excluded Usernames

Use this tab to add users to an exclusion list.

1. Select an Exclusion list from the Exclusions node in the left pane.

2. Click Add on the bottom of the tab.

3. In the Excluded Usernames screen, select the users that you want to add to the list. Use Shift+Click or Ctrl+Click to add multiple selections.

4. Click OK. The users you selected appear in the tab window.

2.11.2.1 Automatic Backup

You can configure the Agent to perform a full backup of user credentials and settings. This backup can be triggered from the command line (and thus from an "at," or timed, job) or by configuring certain Agent events (for example, the Startup task, the Refresh task, and so on).

2.11.2.2 Command-Line Backup

To trigger a command-line automatic backup, run the Agent from the command line (even when the Agent is currently running) using the following syntax:

ssoshell.exe/mobility /backup [path] /silent

where:

[path] is the actual path to the directory where the backup file is placed. The default is the last directory where a command line backup file was stored.

and:

/silent indicates to hide the operation when performing the backup.

To perform a completely silent backup to a network share at \\FS\Backup\Private:

ssoshell.exe /mobility /backup "\FS1\Backup\Private" /silent

To back up to the last-used location:

ssoshell.exe /mobility /backup /silent

2.11.2.3 Event-Driven Automatic Backup

To configure the Agent to perform an automatic backup upon certain Agent events, determine the command line string needed to perform the desired backup. Then, set the appropriate task. For example, to perform a backup with every change in credentials, set a task to run When logons change (add, delete, copy, modify) (under User Experience > Custom Actions) to the command line string.

2.11.2.4 Forced Restore

The Agent can be configured to perform a full restore of user credentials and settings, replacing any existing data. This restore can be triggered from the command line (and thus via a remote "run" command) or by configuring certain Agent events (for example, the startup task).

2.11.2.5 Command-Line Forced Restore

To trigger a command-line forced restore, run the Agent from the command line (even when the Agent is running) using the following syntax:

ssoshell.exe /mobility /restore [path] /silent

where:

[path] is the path to the directory where the backup file exists. The default is the last directory where a command line backup file was stored.

and:

/silent indicates to hide the operation when performing the restore.

To perform a completely silent restore from a network share at \\FS\Backup\Private:

ssoshell.exe /mobility /restore "\FS1\Backup\Private" /silent

To restore from the last-used location:

ssoshell.exe /mobility /restore /silent

2.11.2.6 Event-Driven Forced Restore

To perform a forced restore upon certain Agent events, determine the command line string needed to perform the desired restore. Then, set the appropriate task. For example, to perform a restore at startup, set a task to run After Agent starts (in the Global Agent Custom Actions Settings) to the command line string.

2.12.1.1 Creating a Template for a Running Application

You can create a new template, or edit an existing one, on-the-fly for a Windows or Web application while the application is running.

In order to perform this procedure, both the Administrative Console and the Logon Manager Agent must be running, and you must configure the Agent settings to display the Title Bar Button menu.

2.12.1.2 Creating a New Template for Applications That Are Not Running on Your Workstation

You can create a template for an application, even if it is not running or installed on your workstation. To create a new template in this scenario:

1. Click Add to create a new template from an application logon.

2. From the Select Applications dialog, select the application on which to base the template.

3. Click OK. In the Edit Template dialog, specify the settings that must be supplied by an administrator, and the template's overriding settings.

2.12.1.3 Modifying an Existing Template

To modify an existing template, select an application from the list and click Edit. In the Edit Template dialog, modify the settings that must be supplied by an administrator, and the template's overriding settings.

2.12.1.4 Deleting a Template

To delete a template, select an application from the list and click Remove.

2.12.1.5 Adding Application Templates to Logon Manager

To add templates to Logon Manager:

1. Create the application logons using the Administrative Console's configuration features.

2. Create and deploy an entlist as an INI file or equivalent synchronization object.

   • Export to an INI file to create an entlist.ini file.

   • Publish to the repository to create an entlist synchronization object.

3. Do one of the following:

   • If you are using synchronization to deploy application logons, do not use the Location of entlist.ini file setting. The synchronizer automatically locates entlist.ini and ftulist.ini in the user's %AppData%\Passlogix directory.

   • If you are not using synchronization to deploy application logons, use the Location of entlist.ini file setting in the Synchronization Global Agent Settings.

2.12.3.1 Special Issues and Settings

Some Windows applications interact in unusual ways or have special requirements. For these scenarios, the Administrative Console offers these additional configuration options.

2.12.5.1 Configuring a Host/Mainframe Application Manually

The following procedure describes the steps for manually configuring or modifying a host/mainframe logon. Refer to the specific dialogs and controls for more information. Before you begin this procedure, see the General Guidelines for Setting Up Applications and Creating a Template Using an Open Application for the procedure to select an application from a list of open applications.

1. Start the application and configure the host emulator. See Section 7.2.4, "Configuring Host Emulators," for more information.

2. In the Administrative Console, do one of the following:

   • Create a new host/mainframe application logon.

     or

   • In the left pane, click Applications and select a host/mainframe application. Click the General tab in the right pane.

3. In the Identification tab of the Host/Mainframe form-configuration dialog:

   1. Select a logon form from the list and click Edit.

   2. Specify one or more Text Matching captions, so that this page can be identified uniquely from other pages. Specify the identifying Text string of the caption and its starting Row and Column numbers.

   3. Specify the Fields for credentials. Click Edit (under Fields) to display the SendKeys (Host/Mainframe) dialog. Specify the starting Row and Column for each field and the keystrokes to send.

4. If the terminal response time requires a pause between credential field entries, select the Options tab and enter the number of milliseconds to pause in Delay Field.

5. Repeat the steps above for each additional logon screen.

6. To add password change information, repeat the process with the Password Change tab and the password change dialog in the target application.

2.12.5.2 Adding Java Applications and Applets

You can configure Java application logons and Java applet logons (in Web pages) by using the The Windows Form Wizard. The procedures for creating and deploying are generally identical for Java and Windows applications.

Before you begin Java logon configuration, refer to the General Guidelines for Setting Up Applications for configuring applications.

2.12.5.3 Adding Telnet Applications

Logon Manager supports Telnet sessions using HLLAPI (high-level language application programming interface) implemented by a mainframe/host emulator. For the most current list of supported emulators, see the Oracle certification matrix:

http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html.

Configuring a logon for a Telnet application is essentially identical to adding host/mainframe applications in general, but with these exceptions:

• Host applications generally display text captions and data fields in fixed positions, which lets Logon Manager detect a screen as a logon form using Text Matching and absolute row/column coordinates. By contrast, a Telnet application, including its logon screen, appears in a scrolling text window. The screen position of the text caption for Logon Manager to match (and begin the logon) should be set as a row number relative to the cursor (negative for above, positive for below) and an absolute column number. See the example in the next section.

• If one or both of the caption's coordinates are unpredictable, you can use an asterisk (*) for the row setting to match text in any row (and a fixed column), for the column setting to match text in any column (and a row relative to the cursor), or for both settings to match text anywhere on screen.

• When supplying credentials for a Telnet logon, Logon Manager ignores the row and column coordinate settings for field-matching. However, the settings must be present in the logon configuration. Use one (1) as the value for both row and column coordinates for all credential fields in a Telnet logon.

• In order to ensure that the Telnet logon credentials are filled in properly, Logon Manager is enabled with timing logic. The Delay Field setting (on the Options tab for configuring a host/mainframe logon form) indicates the time in milliseconds that the Agent should pause between each action.

2.12.5.4 Adding a Telnet Application Logon

The easiest, and most precise way to configure Telnet applications is by using the Host/Mainframe Form Wizard. Before you begin this procedure, refer to the General Guidelines for Setting Up Applications.

2.12.5.5 Configuring a Telnet Application Logon Manually

The following procedure describes the steps for manually configuring or modifying a Telnet logon. Refer to the specific dialogs and controls for more information. Before you begin this procedure, refer to the General Guidelines for Setting Up Applications.

1. Start the application and configure the host emulator.

2. In the Administrative Console, do one of the following:

   • Create a new Host/Mainframe application logon.

     or

   • In the left pane, click Applications and select a host/mainframe application.

3. Click the General tab in the right pane.

4. Select a logon form from the list and click Edit.

5. In the General tab of the Host/Mainframe form-configuration dialog:

   1. Specify one or more Text Matching captions, so that this page can be identified uniquely from other pages. Specify the identifying Text string of the caption and its starting Row and Column numbers.

      The row numbers should be relative to the current cursor position and can be negative integers. See the example below.

      The column number is an absolute position.

      You can also use an asterisk (*) for the row or column as a wildcard.

   2. Specify the Fields for credentials. Under Fields, click Edit. In the Edit SendKeys Fields and Actions dialog, select each field, and set the Row and Column for each field to one (1). If needed, specify any additional keystrokes that should follow each field entry.

6. If the terminal response-time requires a pause between credential field entries, select the Options tab and type the number of milliseconds to pause in Delay Field.

7. Repeat the steps above for each additional logon form.

8. To add Password Change information, repeat the process with the Password Change tab and the password change dialogs in the target application.

Text Matching Example

Because the text in a Telnet application scrolls, the row positioning must be set relative to the cursor's row, which is always row one (1). Therefore, the row coordinate for a caption ("Welcome to VAX/VMS_V6.1") that is two rows above the cursor is negative two (-2). The column setting of the start of the caption text is an absolute coordinate; in the example here, nine (9).

For Logon Manager to identify this sample screen, you would set these text matching criteria (using the Text Matching dialog):

2.12.6.1 Specifying Applications to Bulk-Add

1. Select Applications in the left pane, then select the Bulk-Add tab in the right pane.

2. Click Add.

3. From the Select Application dialog, select the applications to add to this group. (Use Ctrl+click or Shift+click to select multiple entries.)

4. Click OK.

5. Enter or edit the Date Stamp in yyyymmdd format (for example 20130615 for June 15, 2013). If this date is later than the last date that a given Agent completed setup, then the Agent activates the Setup Wizard to add the new logons.

To enable a logon for Bulk-Add:

1. Select Applications in the left pane, then select an application.

2. Click the Bulk-Add tab in the right pane.

3. Select Enable Bulk-Add capability for this application.

4. If the user must re-enter one or more fields for confirmation, then select the appropriate Confirm settings.

2.13.2.1 Adding an Application from a Template

Use this wizard page to supply application logon configuration settings that are not provided by the application logon template. Settings that must be supplied to complete the logon are marked in the left pane with a red X.

1. In the left pane of the dialog, click a logon setting item that is marked by a red X. The corresponding dialog for supplying the setting appears in the right pane.

2. Enter or choose the requested setting. A green check mark replaces the red X when the setting is completed.

3. Click Finish to close the wizard and add the new application.

To display this page:

1. Do one of the following:

   • Right-click Applications in the left pane, then choose the application type (Windows, Web or Host/Mainframe) from the shortcut menu.

     or

   • Click Add in the Applications list.

2. In the New Application dialog, select a template from the Application drop down list and click Next.

2.13.3.1 Creating a Template Using the Administrative Console

To create a Windows or Java application template using the Administrative Console:

1. In the left pane, right-click Applications then select New Windows App from the shortcut menu. The Add Application dialog appears with the Windows option selected.

2. Enter a Name for the new logon and click OK. The Windows Form Wizard (for configuring new logon forms) appears.

or

1. Click the Add Application icon on the Administrative Console toolbar.

2. Select an application from the Select Window screen. The Windows Form Wizard (for configuring new logon forms) appears.

Continue to The Windows Form Wizard for more information.

2.13.3.2 Configuring a Template Manually

To create a Windows or Java application template manually:

1. Enter the Name of the application.

2. In the AppPathKey group, click Add.

3. In the Add AppPathKey dialog, enter a valid application key (usually the application executable's name, such as Eudora.exe). Click OK.

4. In the Window Titles group click Add, then enter the Window title or click Choose to open the Select Window dialog, where you can select a title from a currently-running application window.

5. Click OK.

2.13.3.3 Creating a Template Using an Open Application

You can create a new template on-the-fly for a Windows application while the application is running.

In order to perform this procedure, both the Administrative Console and the Logon Manager Agent must be running, and you must configure the Agent settings to display the Title Bar Button menu.

1. Launch the application for which you want to create a template.

2. Select Create Template from the application's Title Bar Button menu.

   
   

   Two things happen:

   • In the application's window, Logon Manager detects the credential fields and highlights them.

   • A condensed version of the Form Wizard appears. Enter information for the following fields:

     • Form Name. This field is pre-filled with the name of the selected application. You can leave this as it is or change it if you want to.

     • Form Type. Select the form type from the drop-down menu:

       Logon

       Logon Success

       Logon failure

       Password change

       Password change success

       Password change failure

     • Add to Template. This field defaults to the New Template selection. Alternatively, the drop-down menu contains the list of all configured Windows application templates to which you might want to add this form.

     • Edit Fields/Hide Details. Toggle this button to expand the window to display the entire Form Wizard, or collapse the window to the simpler Form Wizard.

Continue to The Windows Form Wizard for more information.

2.13.4.1 Selecting the Window Title

Use the Select Window dialog to choose the title of an application's logon or password change window.

Select the logon or password change window and click OK.

2.13.4.2 The Windows Form Wizard Application Tab

Use this Form Wizard page to select the application's logon or password/PIN change window.

2.13.4.3 The Windows Form Wizard Credential Field Tab

Use this Form Wizard page to select the fields of the application's logon or password change window.

The Summary screen displays the results of the Wizard. Do one of the following:

• Click Finish to save your settings and close the Wizard.

  or

• Click Back to return to a previous page and modify your settings.

2.13.4.4 Windows Form Wizard for RSA SecurID Applications

Use the Windows Form Wizard to perform any of these tasks:

• Configure new logons for RSA SecurID Windows applications

• Add new forms to existing RSA SecurID logons

• Create forms for automatic PIN changes

• Create forms for supporting a PIN confirmation field displayed in a separate window

• Create forms for automatic detection of PIN change success and failure

The Windows Form Wizard lets you use the application itself to identify its forms, the individual fields, and the submit OK button.

Before you begin this procedure, refer to the General Guidelines for Setting Up Applications for configuring applications. Also see Adding Windows Applications for specific information about configuring Windows application logons.

To display the Windows Form Wizard, do one of the following:

• Create a new Windows or Java application logon. Be sure to select the RSA SecurID check box in the Add Application dialog.

  or

• In the Identification tab (for a Windows form), click Wizard.

To configure a form:

1. Start the target application and navigate to the target form. Arrange the Administrative Console and target application windows so that you can see both at once.

2. In the Form Wizard, select the type of form you want to configure. The available options are:

   • SecurID Logon. Configures a SecurID logon form.

   • PIN Change. Configures a PIN change form.

   • Confirm PIN. Configures a new PIN confirmation form for applications that display their "Confirm PIN" field in a separate window.

   • Logon Success. Configures a form that serves as a match for the target application's Logon Success message. Since this form does not inject credentials, the Credentials page of the Windows Form Wizard is skipped. When the logon success message is detected, Logon Manager will automatically save the new credentials.

   • Logon Failure. Configures a form that serves as a match for the target application's logon failure message and reinjects credentials when the logon failure message is detected. If you select this option, you will be presented with the Credentials page of the Windows Form Wizard in which you will configure the necessary fields.

   • PIN Change Success. Configures a form that serves as a match for the target application's PIN change success message. Since this form does not inject credentials, the Credentials page of the Windows Form Wizard is skipped. When the PIN change success message is detected, Logon Manager will automatically save the new credentials.

   • PIN Change Failure. Configures a form that serves as a match for the target application's PIN change failure message and reinjects credentials when the PIN change failure message is detected. If you select this option, you will be presented with the Credentials page of the Windows Form Wizard in which you will configure the necessary fields.

3. In the Application Window list, select the window to configure. Note that a blinking outline indicates the application window you select.

4. Specify whether the application is running on the Local Computer or a Remote Computer. If you select Remote Computer, enter the path to the application.

   Note:

   Logon Manager must be running on the computer you select.

5. In the Application Window list, select the window to configure. Note that a blinking outline indicates the application window you select.

   Use the Application type: dropdown menu to filter the list. An application is classified as either:

   • A standard Windows application.

   • A Java, SAP, or Modern UI application.

6. Confirm that you have selected the correct window, then click Next.

7. In the Credential Fields page, for each credential field:

   1. Select a field to configure; for example, the logon window's user ID field. In the application's window, a blinking outline indicates the field corresponding to your current selection.

   2. Confirm that you have selected the correct field, then right-click the selected item and choose the logon field type (for example, UserID) from the shortcut menu. The corresponding icon appears to the left of the item. To deselect an item, right-click the item and choose None from the shortcut menu.

      Note:

      New PIN Acceptance forms do not inject credentials and thus do not require you to configure any fields. In such cases, proceed to step 7, as the Credential Fields page will not be displayed.

      The Class and Text columns provide cues to the fields. For example, text boxes appear as "Edit" Class; PIN fields usually have the Text value *** HIDDEN ***

8. Repeat this process for each field required to complete the logon form. You can configure up to four fields in all.

9. Confirm that you have configured the necessary fields and button, then click Next. A summary page appears, listing your configuration.

10. Do one of the following:

    • Click Back to return to a previous page and make corrections.

    • Click Finish to complete the logon configuration and close the Form Wizard.

2.13.4.5 The Windows Form Wizard Identification Tab

Use the Identification (Windows) tab to modify program and window information about a Windows application logon configuration.

• Configure a logon manually by adding, editing, or deleting entries in the AppPathKeys and Window Titles lists.

  or

• Use The Windows Form Wizard to define windows, titles and fields by pointing and clicking.

To display this tab, do one of the following:

1. Create a new Windows application logon.

or

1. In the left pane, click Applications and select a Windows application.

2. Click the General tab in the right pane.

3. Select a logon form from the list and click Edit.

The Windows form-configuration dialog appears, displaying the General tab.

2.13.4.6 The Windows Form Wizard Fields Tab

Use the Fields (Windows) tab to define how the Agent interacts with the fields of the logon form. You can identify one of the following for the currently-selected application form:

• Up to four logon fields (user ID, password, etc.), using Control IDs

• A series of keystrokes (with optional timings) that fill-in and submit the logon form, using SendKeys.

To display this tab, do one of the following:

1. Create a new Windows application logon.

or

1. In the left pane, click Applications and select a Windows application.

2. Select the General tab in the right pane.

3. Select a logon form from the list and click Edit.

4. In the Windows form-configuration dialog General tab, click the Fields tab.

2.13.4.7 SendKeys for a Windows Application Logon

Use the SendKeys dialog to specify a series of keystrokes that Logon Manager should transfer to the logon form.

Use the SendKeys option for Windows applications that:

• Cannot receive credentials from the Windows message queue or by other techniques the Agent normally uses to send credentials.

• Do not use standard Windows controls that have Control IDs.

• Dynamically generate controls or do not use Windows controls at all (for example, Flash applications).

The New Actions list box in the right pane of the SendKeys dialog provides the keystroke options for each action. Highlight the action for which you want to configure SendKeys, and select or type the options you need on for each action. Click the Insert button to add the key or action to the series.

Your selections appear in the Current Actions list in the left pane:

• To change the order of the series, select an item and click the Up or Down arrows to move it.

• To delete an item, select it, and click Delete.

• To edit an item, select it, and click Edit. The Edit Action dialog opens. Edit the fields as necessary and click OK.

To display this dialog, do one of the following:

1. Create a new Windows application logon.

or

1. In the left pane, click Applications and select a Windows application.

2. Click the General tab in the right pane.

3. Do one of the following:

   • Select a logon form from the list and click Edit.

     or

   • Click Add to configure a new form.

     The Windows form-configuration dialog opens, displaying the General tab.

4. Click the Fields tab, select SendKeys as the Transfer Method, then click Edit.

2.13.4.8 Kiosk Manager SendKeys (for a Windows Application)

Use the SendKeys dialog to specify a series of keystrokes that Kiosk Manager should transfer to the logon form.

The tabs in the right pane of the SendKeys dialog provide the keystroke options. Select or type the options you need on each tab. Click the Insert button to add the key or action to the series.

Your selections appear in the list in the left pane. To change the order of the series, select an item and click the up or down arrows to move it. To delete an item, select it and click Remove.

Controls

2.13.4.9 Matching Tab for Configuring a Windows Application

Use the Matching (Windows) tab to distinguish among similar forms within the same Windows application. The supported form types, referred to here as target forms, are:

• Logon

• Password Change

• Password Confirmation

• Logon Success

• Logon Failure

• Password Change Success

• Password Change Failure

  Note:

  Unlike the "Logon," "Change Password," "Confirm," and "Ignore" match types, these matches cannot be explicitly selected by the user. They are determined by form type.

Controls

The Agent uses the match criteria you supply to distinguish among similar forms. This lets the Agent apply a single set of user credentials appropriately to these multiple forms. You can use also use matching to identify forms that the Agent should ignore.

Do one of the following:

• Click Add to create a new matching criterion.

  or

• Select a Match and click Edit.

  The Matching dialog appears.

  Note:

  The easiest and most efficient way to create match criteria is by using the Control Match Wizard. The Wizard lets you specify match criteria by selecting elements from the target form itself. You can also create and modify match criteria manually.

To display this tab, do one of the following:

• Create a new Windows application logon.

or

1. In the left pane, click Applications and select a Windows application.

2. Click the General tab in the right pane.

3. Select a form from the list and click Edit.

4. Select the Matching tab.

2.13.4.10 The Windows Form Wizard Matching Dialog

Use this dialog to create match criteria that the Agent uses to distinguish among similar target forms that use the same credential data. This lets the Agent apply a single set of user credentials appropriately to these multiple forms. To display this dialog, from the Matching tab (for configuring a Windows logon form) click Add.

The easiest and most efficient way to create match criteria is through the Control Match Wizard. The Wizard lets you specify match criteria by selecting elements from the target form itself. You can also create and modify match criteria manually.

2.13.4.11 Creating Match Criteria Using the Wizard

Click Wizard and follow the onscreen instructions.

2.13.4.12 Creating or Modifying Match Criteria Manually

To create or modify matching criteria manually:

1. Enter a Match name and select the Type of target form.

2. Add or edit the Window Titles that the target form displays, or select Use Titles from Main.

3. Add or edit the Control Matching items; these are criteria based on the properties of form objects (such as a text caption or a control class). Together these items uniquely identify the target form.

4. Add or edit the Control IDs of the target form's credential fields.

5. Click OK.

2.13.4.13 Add or Edit a Title on the Windows Matching Tab

Use this dialog to add or modify the text string that the Agent uses to detect specific application windows (for example, for logon entry or password change) by their window title.

2.13.4.14 Control Matching

Use the Control Matching dialog to specify a match criterion based on the properties of a target-form control (such as a text caption or a control style).

Click OK to save and exit the dialog or Cancel to exit without changes.

2.13.4.15 Control ID Dialog (Windows Fields Tab)

Use the Control ID dialog to identify the fields and the Submit button of a logon form in order to configure the Agent's response.

2.13.4.16 Control Match Wizard

Use the Control Match Wizard to define match criteria by choosing from the windows and controls of the target application. The Agent uses match criteria to identify a target form, such as a password-change dialog, that is similar to the currently selected logon. The Agent then supplies data to the matched target form using the same credentials as the original logon. You can also use match criteria to specify target forms similar to the current logon that the Agent should ignore.

To create match criteria using the Wizard:

1. Start the target application and navigate to the target form. Arrange the Administrative Console and target application windows so that you can see both at the same time.

2. Select a form Match Type, then follow the onscreen instructions or help topics.

   • Ignore

   • Logon

   • Password Change

   • Password Confirm

See the Matching Tab for Configuring a Windows Application for more information.

To display the Control Match Wizard:

1. From the Matching tab, select Add (for configuring a Windows logon form). The Matching dialog appears.

2. Click Wizard.

2.13.4.17 Ignore App Window

Use this Wizard page to choose the application window that the Agent should recognize.

1. Select the application window that the Agent should ignore from the Window List.

2. Click Next to display the Match Fields page.

2.13.4.18 Ignore Match Fields

Use this Wizard page to choose a set of match fields: one or more window objects that uniquely identify the application window that the Agent should recognize. You can identify a match field by its Class (the type of control, such as Edit or Static), its Style (the aggregate of its properties identified by a number), or its Text.

1. In the field list, right-click a field and select the match criteria.

2. Click Next to display the Summary page.

2.13.4.19 Logon App Window

Use this Wizard page to choose the application window that the Agent should recognize.

1. Select the application window that the Agent should recognize as a logon form from the Window List.

2. Click Next to display the Match Fields page.

2.13.4.20 Logon Match Fields

Use this Wizard page to choose a set of match fields: one or more window objects that uniquely identify the application window that the Agent should recognize. You can identify a match field by its Class (the type of control, such as Edit or Static), its Style (the aggregate of its properties identified by a number), or its Text.

1. In the field list, right-click a field and select the match criteria

2. Click Next to display the Credentials page.

2.13.4.21 Logon Credential

Use this Wizard page to identify the field in which the Agent should supply credential data.

1. In the field list, right-click a field and select the credentials.

2. Click Next to display the Summary page.

2.13.4.22 Password Change App Window

Use this Wizard page to choose the application window that the Agent should recognize.

1. Select the application window that the Agent should recognize as a password-change form from the Window list.

2. Click Next to display the Match Fields page.

2.13.4.23 Password Change Match Fields

Use this Wizard page to choose a set of match fields: one or more window objects that uniquely identify the application window that the Agent should recognize. You can identify a match field by its Class (the type of control, such as Edit or Static), its Style (the aggregate of its properties identified by a number), or its Text.

1. In the field list, right-click a field and select the match criteria

2. Click Next to display the Credentials page.

2.13.4.24 Password Change Credential

Use this Wizard page to identify the field in which the Agent should supply credential data.

1. In the field list, right-click a field and select the credentials.

2. Click Next to display the Summary page.

2.13.4.25 Password Confirm App Window

Use this Wizard page to choose the application window that the Agent should recognize.

1. Select the application window that the Agent should recognize as a password-confirmation form from the Window list.

2. Click Next to display the Match Fields page.

2.13.4.26 Password Confirm Match Fields

Use this Wizard page to choose a set of match fields—one or more window objects that uniquely identify the application window that the Agent should recognize. You can identify a match field by its Class (the type of control, such as Edit or Static), its Style (the aggregate of its properties identified by a number), or its Text.

1. In the field list, right-click a field and select the match criteria

2. Click Next to display the Credentials page.

2.13.4.27 Password Confirm Credential

Use this Wizard page to identify the field in which the Agent should supply credential data.

1. In the field list, right-click a field and select the credentials.

2. Click Next to display the Summary page.

2.13.4.28 Options Tab for Configuring a Windows Application

Use the Options (Windows) tab to refine properties of the currently-selected application logon form for special configurations.

To display this tab, do one of the following:

1. Create a new Windows application logon.

or

1. In the left pane, click Applications and select a Windows application.

2. Click the General tab in the right pane.

3. Select a logon form from the list and click Edit.

4. Select the Options tab.

2.13.5.1 Creating a Template Using the Administrative Console

To create a template using the Administrative Console:

1. In the left pane, right-click Applications then select New Web App from the shortcut menu. The Add Application dialog appears with the Web option selected.

2. Enter a Name for the new logon and click OK. The Web Form Wizard (for configuring new logon forms) launches.

or

1. Click the Add Application icon (below) on the Administrative Console toolbar.

   
   

2. Select a Web application from the Select Window screen. The Web Form Wizard (for configuring new logon forms) launches.

2.13.5.2 Creating a Template Using an Open Application

You can create a new template on-the-fly for a Web application while the application is running.

In order to perform this procedure, both the Administrative Console and the Logon Manager Agent must be running, and you must configure the Agent settings to display the Title Bar Button menu.

1. Open a browser and navigate to the URL for which you want to create a template.

2. Select Create Template from the browser's Title Bar Button menu.

   
   

   The Web Form Wizard (for configuring new logon forms) launches.

2.13.5.3 Web Form Wizard

The Web Form Wizard lets you browse the Web application itself to capture the identifiers for its logon or password-change windows, the individual fields, and the Submit (OK) button. To display the Web Form Wizard:

1. Create a New Web application.

2. In the New Web Application configuration dialog, click Wizard. The Web Form Wizard appears.

2.13.5.4 Configuring a Web Application Using the Wizard

To configure a Web Application with the Web Form Wizard:

1. In the first Wizard dialog that appears, select the type of application form you want to configure. The available options are:

   • Logon. Configures a logon form.

   • Logon success. Configures a form that detects a match during silent credential capture. In the presence of this form, the Agent delays credential capture until it verifies the user's entries and displays the Logon Success dialog. If this form is not present, the Agent captures credentials immediately after the user enters them and clicks OK.

   • Logon failure. Configures a form that detects a non-match during silent credential capture. In the presence of this form, the Agent delays credential capture until it verifies the user's incorrect entries and displays the Logon Failure dialog. If this form is not present, the Agent immediately informs the user that the credentials are incorrect, displaying either the New Logon dialog or the Retry Logon dialog to allow the user to re-enter credentials.

   • Password change. Configures a password change form.

   • Password confirmation. Configures a form that verifies that the user's second password entry in a password change form is identical to the first password entry.

   • Password change success. Configures a form that serves as a match for the target application's password change success message. Since this form does not inject credentials, the Credentials page of the Web Form Wizard is skipped. When the password change success message is detected, Logon Manager will automatically save the new credentials.

   • Password change failure. Configures a form that serves as a match for the target application's password change failure message and reinjects credentials when the password change failure message is detected. If you select this option, you will be presented with the Credentials page of the Web Form Wizard in which you will configure the necessary fields.

     Refer to Configuring and Diagnosing Logon Manager Application Templates for a full discussion on using the forms above.

     Note:

     If you are editing an existing form, this dialog will not appear.

2. In the Web Form Wizard, enter the Web Address (URL) of the Web site and click Go. The top pane of the Wizard acts as a web browser window. You can resize the Wizard's window as needed.

3. In the top pane, navigate to the Web site's logon form. When the Wizard detects one or more forms in a web page, it lists the forms and their elements (fields and buttons) in the bottom pane.

4. Click the Detect Fields button. The Wizard attempts to detect and configure the credential fields and marks them accordingly:

   • Username/ID

   • Password

   • Old Password (password change forms only)

   • New Password (password change forms only)

   • Submit button.

5. (Optional) Select Use ordinals instead of names. The Credential Fields Screen displays the fields, assigning Control IDs by location order instead of using native (dynamic) Control IDs.

6. (Optional) Select Show non-input fields. The Administrative Console detects fields that have input functionality but into which you cannot enter information, such as IMG tags that function as Submit buttons, and includes these fields in the Web Form Wizard fields list.

7. (Optional) Select Allow multiple field designation. The Administrative Console recognizes multiple fields that require the same credential, such as enter and confirm password fields, or a page with the same field on two forms.

8. Confirm that the Wizard has selected the correct fields. You can modify a selection, if necessary:

   1. If you are editing an existing template, you may change the form type using the Form Type drop-down at the lower right. Keep in mind that if you do so, you will need to reconfigure the template (reassign fields, and so on). Only fields relevant to a given form type are displayed when that form type is selected.

   2. Identify and select a field from the list in the bottom pane. (The Element and Type descriptions provide cues.) In the top pane, a blinking outline indicates the corresponding field or button you have selected.

   3. Confirm that you have selected the correct field, then right-click the selected item and choose from the shortcut menu (for example, UserID). An icon appears to the left of the item. To deselect an item, right-click the item and select None from the shortcut menu.

9. Confirm that the Wizard has selected the correct fields. You can modify a selection, if necessary:

   1. If you are editing an existing template, you may change the form type using the Form Type drop-down at the lower right. Keep in mind that if you do so, you will need to reconfigure the template (reassign fields, and so on). Only fields relevant to a given form type are displayed when that form type is selected.

   2. Identify and select a field from the list in the bottom pane. (The Element and Type descriptions provide cues.) In the top pane, a blinking outline indicates the corresponding field or button you have selected.

   3. Confirm that you have selected the correct field, then right-click the selected item and choose from the shortcut menu (for example, UserID). An icon appears to the left of the item. To deselect an item, right-click the item and select None from the shortcut menu.

10. Confirm that the Wizard has selected the correct fields. You can modify a selection, if necessary:

    1. If you are editing an existing template, you may change the form type using the Form Type drop-down at the lower right. Keep in mind that if you do so, you will need to reconfigure the template (reassign fields, and so on). Only fields relevant to a given form type are displayed when that form type is selected.

    2. Identify and select a field from the list in the bottom pane. (The Element and Type descriptions provide cues.) In the top pane, a blinking outline indicates the corresponding field or button you have selected.

    3. Confirm that you have selected the correct field, then right-click the selected item and choose from the shortcut menu (for example, UserID). An icon appears to the left of the item. To deselect an item, right-click the item and select None from the shortcut menu.

11. Repeat this process for each field required to complete the logon form. You can configure up to four fields in all.

12. Repeat the two previous steps for each field required to logon. You can configure up to four fields in all.

13. When you have completed your configuration click OK to save it and close the Web Form Wizard.

2.13.5.5 Web Form Wizard (for RSA SecurID Applications)

Use the Web Form Wizard to perform any of these tasks:

• Configure new logons for RSA SecurID Windows applications

• Add new forms to existing RSA SecurID logons

• Create forms for automatic PIN changes

• Create forms for automatic detection of PIN change success and failure

The Web Form Wizard lets you browse the Web application itself to capture the identifiers for its forms and windows, the individual fields, and the submit (OK) button. To display the Web Form Wizard:

1. Create a new Web application. Be sure to select the RSA SecurID check box in the Add Application dialog.

2. In the New Web Application configuration dialog, click Wizard. The Web Form Wizard appears.

   Note:

   When using a workstation running at 800x600 resolution, buttons are missing from the bottom of the Web Form Wizard. The wizard is also extremely slow to start at this resolution. Oracle recommends that you set the resolution on your workstation to a higher resolution.

To configure a Web Application Using the RSA SecurID Wizard

1. In the dialog that appears, select the type of application form you want to configure. The available options are:

   • SecurID Logon. Configures a SecurID logon form.

   • SecurID Logon success. Configures a form that detects a match during silent credential capture. In the presence of this form, the Agent delays credential capture until it verifies the user's entries and displays the Logon Success dialog. If this form is not present, the Agent captures credentials immediately after the user enters them and clicks OK.

   • SecurID Logon failure. Configures a form that detects a non-match during silent credential capture. In the presence of this form, the Agent delays credential capture until it verifies the user's incorrect entries and displays the Logon Failure dialog. If this form is not present, the Agent immediately informs the user that the credentials are incorrect, displaying either the New Logon dialog or the Retry Logon dialog to allow the user to re-enter credentials.

   • PIN change. Configures a PIN change form.

   • PIN confirmation. Configures a form that verifies that the user's second password entry in a password change form is identical to the first password entry.

   • PIN change success. Configures a form that serves as a match for the target application's PIN change success message. Since this form does not inject credentials, the Credentials page of the Web Form Wizard is skipped. When the PIN change success message is detected, Logon Manager will automatically save the new credentials.

   • PIN change failure. Configures a form that serves as a match for the target application's PIN change failure message and reinjects credentials when the PIN change failure message is detected. If you select this option, you will be presented with the Credentials page of the Web Form Wizard in which you will configure the necessary fields.

     Refer to Configuring and Diagnosing Logon Manager Application Templates for a full discussion on using the forms above.

     Note:

     If you are editing an existing form, this dialog will not appear.

2. In the Web Form Wizard, enter the Web Address (URL) of the Web site and click Go. The top pane of the Wizard acts as a Web browser window. You can resize the Wizard's window as needed.

3. In the top pane, navigate to the Web site's logon form. When the Wizard detects one or more forms in a Web page, it lists the forms and their elements (fields and buttons) in the bottom pane.

4. Click the Detect Fields button. The Wizard attempts to detect and configure the credential fields and marks them accordingly:

   • SecurID Username

   • Passcode

   • Tokencode

   • Old PIN (PIN change and PIN change failure forms only)

   • New PIN (PIN change and PIN change failure forms only)

   • Submit button

5. (Optional) Select Use ordinals instead of names. The Credential Fields Screen displays the fields, assigning Control IDs by location order instead of using native (dynamic) Control IDs.

6. (Optional) Select Show non-input fields. The Administrative Console detects fields that have input functionality but into which you cannot enter information, such as IMG tags that function as Submit buttons, and includes these fields in the Web Form Wizard fields list.

7. (Optional) Select Allow multiple field designation. The Administrative Console recognizes multiple fields that require the same credential, such as enter and confirm password fields, or a page with the same field on two forms.

8. Confirm that the Wizard has selected the correct fields. You can modify a selection, if necessary:

   1. If you are editing an existing template, you may change the form type using the Form Type drop-down at the lower right. Keep in mind that if you do so, you will need to reconfigure the template (reassign fields, and so on). Only fields relevant to a given form type are displayed when that form type is selected.

   2. Identify and select a field from the list in the bottom pane. (The Element and Type descriptions provide cues.) In the top pane, a blinking outline indicates the corresponding field or button you have selected.

   3. Confirm that you have selected the correct field, then right-click the selected item and choose from the shortcut menu (for example, SecurID Username). An icon appears to the left of the item. To deselect an item, right-click the item and select None from the shortcut menu.

9. Repeat this process for each field required to complete the logon form. You can configure up to four fields in all.

10. Repeat the two previous steps for each field required to logon. You can configure up to four fields in all.

11. When you have completed your configuration click OK to save it and close the Web Form Wizard.

2.13.5.6 Identification Tab for Configuring a Web Application

Use the Identification (Web) tab to modify program and window information for a Web application logon configuration.

• You can configure a logon manually by adding, editing, or deleting entries in the Form name and URL fields.

  or

• You can use the Web Form Wizard to define URLs, forms, and fields by pointing and clicking.

To display this tab, do one of the following:

1. Create a new Web application logon.

or

1. In the left pane, click Applications and select a Web application.

2. Click the General tab in the right pane.

3. Select a form from the list and click Edit.

   The Web form-configuration window appears, displaying the General tab.

   Control	Function
   Form name	Enter an application name.
   URL	One or more URLs of the logon or password-change form to configure. Click Add (or select a matching item and click Edit) to display the URL dialog. Click Delete to remove a URL.

   
   

2.13.5.7 Fields Tab for Configuring a Web Application

Use the Fields (Web) tab to define how the Agent interacts with the fields of the logon form. Select one of the following transfer methods for the currently-selected application form:

• Up to four logon fields (user ID, password, etc.), using Control IDs

• A series of keystrokes (with optional timings) that fill in and submit the logon form, using SendKeys or SendKeys using Journal Hook.

  If you want to switch from one transfer method to the other after creating a Web form, select the desired transfer method on this screen. The Administrative Console converts the fields for the transfer method you selected.

  Note:

  When you switch from Control IDs to SendKeys, all fields convert with a direct injection setting. You can change the injection method during the editing process. When you switch from SendKeys to Control IDs, any field that is not set to inject directly does not convert.

To display this tab, do one of the following:

1. Create a new Web application logon.

or

1. In the left pane, click Applications and select a Windows application.

2. Select the General tab in the right pane.

3. Select a logon form from the list and click Edit.

4. Select the Fields tab.

2.13.5.8 Dynamic and Ordinal Control IDs

Certain applications change the Control ID for each field with every application launch. Logon Manager provides you with the option to assign ordinal ID numbers to replace these dynamic Control IDs, thereby eliminating variations in Control IDs with each application launch.

To configure Logon Manager to assign ordinal Control IDs:

1. Launch the Administrative Console.

2. Pause the Logon Manager Agent.

3. Launch an application to create a template.

4. Launch the template wizard.

5. Select Logon.

   The Control ID for each field appears in the Credential Fields screen. For applications with dynamic Control IDs, these ID numbers will vary with each launch. (This does not apply to .NET applications, which have no native Control IDs.)

6. Select Use ordinals instead of Control IDs.

   • The Credential Fields Screen displays the fields, assigning Control IDs by location order instead of using native (dynamic) Control IDs.

   • For applications with native Control ID Support, if Use ordinals instead of Control IDs is checked, the Control ID detection is done by enumerating controls on the application window. The ID column will be filled with field ordinals and the display refreshes.

   • If you opt not to use ordinal IDs, dynamic Control IDs will display as the default (except for .NET applications, for which the ordinals are already displayed).

   • If you select Use 'Send Keys' for this form. Do not use Control ID, the Use ordinals instead of Control IDs option is unavailable.

7. Select a numeric field value to determine which field is assigned to the ID. The field will be surrounded by a flashing border. Right-click the dropdown menu to select the field name (for instance, Username or Password).

2.13.5.9 Choose Control ID

Use the ConfigName wizard to select a logon window's text control to use as the initial name of the application logon. Use this feature to name a logon (when it is added to the Agent) with a variable text item (such as an account name) that appears in the logon window.

1. Select the window that contains the text control you want to use, then click Next.

2. Select the control that contains the text item to use as the logon's initial configuration name. Click Finish.

2.13.5.10 SendKeys Settings for a Web Application

Use the controls on this screen to define SendKeys actions. If you convert the transfer method from Control IDs to SendKeys or SendKeys using Journal Hook, the Administrative Console automatically converts the ControlID settings to SendKeys actions, and specifies the Direct injection option. If you convert from either SendKeys transfer method to Control IDs, you must configure the settings to use direct injection or they will be lost.

To use the SendKeys editor:

1. On the Fields tab, select SendKeys as the transfer method. The Fields window changes to reflect conversion of the existing fields, whose names now include -> direct injection.

2. Click the Edit button to open the SendKeys editor. The Current Actions list contains the items that the editor has detected.

   The New Actions dialog contains a list of additional controls to add to the form. Depending on what you select in this list, the options vary.

   For example, if you select Fields from the New Actions list, the Field Type dialog appears, offering choices of a third and fourth field. If you select Delay, a menu in which you can specify a delay interval appears.

3. Select an item in the Current Actions list and click the Edit button below the list to change the settings for that field or action. Click the Up or Down arrows to reorder the list.

4. Use the New Actions section of the SendKeys editor to add fields and actions to the list. Refer to the following tables for information on configuring the various action choices.

   After you configure a New Action and insert it, it appears as part of the Current Actions list.

2.13.5.11 Matching Tab for Configuring a Web Application

Use the Web Matching tab to distinguish among logon, password-change, or password-confirmation forms (referred to here as target forms) within the same Web application, typically a multi-form portal page. The Agent uses the matching criteria you supply here to distinguish among similar forms.

This tab is typically used to refine the detection match criteria, that is, the set of HTML tags and values you use to identify a specific page. You can then create an offset match that uses a subset of the detection match to identify the desired logon or password-change form on the page.

To display this tab:

1. Create a new Web application logon.

or

1. In the left pane, select Applications and select a Web application.

2. Click the General tab in the right pane.

3. Select a form from the list and click Edit.

4. Select the Matching tab.

2.13.5.12 Creating or Modifying Detection-Matching Criteria

To create or modify detection-matching criteria:

1. In the Detection Match list, do one of the following:

   • Click Add to create a new matching criterion.

   • Select a match and click Edit to modify an existing match.

2. From the Edit Match dialog, enter or select the required information, then click OK to return to this dialog.

3. If necessary, adjust the match criteria order.

   1. Select a match to move.

   2. Click the Up or Down arrow.

4. Click OK.

2.13.5.13 Offset Matching

This type of matching is used with portal pages that have multiple windows that the user can rearrange, add, and remove. If the site you are matching on is not a portal, leave the offset matching section on this panel blank.

With regular match detection, the forms must always appear in the same order. With offset matching, you can rearrange the forms (which look like a window) and isolate a specific window from all the others. This only applies to portal pages because these pages are dynamic, and ordinal values are used to match instead of field names.

Use the Offset Start field to tell Logon Manager which match result's forms to use for the form offsets. The offset start value should be the number of the offset matches. For example, if there are three offset matches, the offset start value should be 3.

To create or modify Offset Matching criteria:

1. In the Offset Match list, do one of the following as needed:

   • Click Copy from Detection to copy defined Detection Match criteria.

   • Click Add to create a new matching criterion.

   • Select a match and click Edit to modify an existing match.

2. In the Edit Match dialog, enter or select the required information, then click OK to return to this dialog.

3. If necessary, adjust the match criteria order.

   1. Select a match to move.

   2. Click the Up or Down arrow.

   3. Select an Offset Start.

4. Click OK.

2.13.5.14 Edit Match Criteria for a Web Application

Use this dialog to create or modify matching criteria for the selected Web form.

2.13.5.15 Add/Edit URL

Use this prompt to specify the URL of the logon or password-change form to configure.

To specify a URL for matching

1. Select one of the following (see Matching Expressions).

   • Exact

   • Wildcard (does not apply to Kiosk Manager)

   • Regular Expression (does not apply to Kiosk Manager)

2. Enter (or edit) the URL or a matching expression.

3. Click OK.

2.13.5.16 Matching Expressions

For applications that have varying text in their URLs, you can use substrings or regular expressions to specify how to match the variable text.

2.13.5.17 Matching Environment Variables

For applications that include the user's name in the URL (as derived from the DOMAINUSER environment variable in the workstation operating system), select Exact as the matching criterion, and use one of the following substitution tokens in the match string:

Example

This URL entry matches a password-change window title that includes the username:

Password Expired - %UC%%DOMAINUSER%

2.13.5.18 Adding and Editing Web Fields

Use this dialog to specify a credential field or Submit button on a Web form.

2.13.5.19 Field Identification Dialog

Use this screen to specify the type of field you want the Agent to recognize. Check the appropriate radio button from among the following:

• Use field name. Select for a Web site whose fields have consistent, named labels, such as "User" or "e-mail."

• User ordinal number. Select if you want to replace varying field numbers with ordinals for dynamic Web pages. See Dynamic and Ordinal Control IDs for more information.

• Use matching. Select for a Web site where the field index varies depending on the user. Choose from among the matching choices as explained in the following table.

2.13.5.20 Options Tab for Configuring for a Web Application

Web pages occasionally include forms that require a short time to become enabled as the page loads. In such a case, Logon Manager might submit credentials too soon. To avoid this occurrence, use the Submit Delay setting on the Options tab to allow time for all forms to become enabled.

To display this tab:

• In the General tab in the right pane for a Web application, double-click or right-click on the Web application, and select the Options tab.

2.13.5.21 Proxy Tab for Configuring a Web Application

Use the Proxy tab to:

• Provide mock values for the single sign-on fields when the fields are first rendered to the Web page.

• Configure form masking to prevent the user from seeing or altering the injected credentials.