ActivIdentity Secure Log In Single Sign-On Wizard Administration Guide

ActivIdentity SecureLoginSingle Sign-On

Application Definition Wizard Guide

Version 6.2 | Released | November 23, 2009

ActivIdentity SecureLogin Single Sign-On | Application Definition Wizard Guide P 2

Table of Contents

Chapter 1: Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Product Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5About Application Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5About the Application Definition Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6

Application Definition Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Chapter 2: Application Definition Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Layout of the Application Definition Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8Application Screen Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9

Logon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Change Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Other. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Attribute Panels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10General Controls and Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13

Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13Test. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13OK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14Apply. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14Cancel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Selecting and Identifying Screens and Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14Choose and Show Me . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14Recording Keystrokes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14Matching Regular Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Chapter 3: Using the Application Definition Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Opening the Application Definition Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17

Auto-Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Start the Wizard from the ActivIdentity SecureLogin Icon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Start the Wizard from the Personal Management Utility. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Wizard Default Selections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19Predefined Application Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20Enabling Web Applications using Firefox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22Enabling Oracle Forms Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22

Chapter 4: Enabling Application Screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Managing Application Screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23

External Use | November 23, 2009 | Product Version 6.2 | © 2009 ActivIdentity


Add a New Application Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Rename an Application Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Delete an Application Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Incomplete Screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Logon Screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26Identify Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Credential Source. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Identify Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30Submit Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36Re-authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38Matching Criteria. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Logon Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44Identify Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44Notification Handling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45Submit Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47Matching Criteria. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Change Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49Identify Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50Identify Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51Password Generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52Password Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53Submit Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56Matching Criteria. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Change Password Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57Identify Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57Submit Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58Notification Handling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59Matching Criteria. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Other . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61Identify Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61Identify Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62Submit Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63Matching Criteria. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

Chapter 5: Testing Application Screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Chapter 6: Modifying Application Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Chapter 7: Wizard Mode Preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73Changing the Wizard Mode Preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75



Chapter 8: Deploying Application Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Chapter 9: Compatibility with Other Versions of ActivIdentity SecureLogin . . . . . . . . . . . . . . . . . . . . . 77Earlier Versions of ActivIdentity SecureLogin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77Earlier Application Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77Manually Created or Edited Application Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78

Chapter 10: Tips and Hints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79Auto-Detection of Multiple Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79Using Show Me to Highlight Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79Dynamic Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79User Name and Password Fields Not Populating . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79Matching Criteria for Web Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80Citrix Published Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80COM Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80

Chapter 11: Application Definition Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81Create a Logon Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .81Create a Logon Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83Create a Change Password Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89Create a Change Password Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94



Chapter 1: IntroductionThis guide describes how to configure and use the ActivIdentity SecureLogin™ Single Sign-On Application Definition Wizard.

The instructions in this guide are applicable on all supported platforms. The specific examples in this guide use Windows Vista® workstation in a Microsoft Active Directory® environment, with a directory server managed through an administration workstation. If you need assistance, contact ActivIdentity Support for help.

For information about installing ActivIdentity SecureLogin Single Sign-On, administrators should see the installation guide for their directory environment. For information about configuring and managing ActivIdentity SecureLogin Single Sign-On, administrators should see the ActivIdentity SecureLogin Single Sign-On Administration Guide.

Product OverviewActivIdentity SecureLogin is the single sign-on solution that provides users with a single, secure logon for accessing corporate resources from dedicated or shared workstations.

For end users, ActivIdentity SecureLogin eliminates the need to remember multiple user name/password combinations beyond their initial network logon. It stores user credentials and automatically enters them when required.

For organizations, ActivIdentity SecureLogin helps to reduce help desk costs, and improve both network security and user productivity.

For complete product details, see the ActivIdentity SecureLogin Single Sign-On Overview.

About Application DefinitionsApplication definitions specify how ActivIdentity SecureLogin interacts with an application or web page using your single sign-on (SSO) credentials.

An application definition is essentially a list of instructions that ActivIdentity SecureLogin follows in order to perform various tasks upon an application or web page. In an application definition, you are able to assign different instructions to each dialog box or screen that an application or web site might produce. You have the choice of acting upon only the logon page, only selected windows or pages, or on every window or page produced by the application or web site.

ActivIdentity SecureLogin provides predefined application definitions for many commercial applications. To SSO-enable other applications or web sites, you can use the Application Definition Wizard to help create a definition or you can write one manually.

Chapter Contents

5 Product Overview

5 About Application Definitions

6 About the Application Definition Wizard

This document is for:• End users with access the

Application Definition Wizard• System and network

administrators• System integrators• IT support staff with a good

understanding of Windows® operating systems and management tools (Active Directory, Management Console, Group Policy and LDAP)



About the Application Definition WizardThe Application Definition Wizard guides you through the creation of new application definitions using a straightforward and intuitive interface.

When ActivIdentity SecureLogin recognizes a logon dialog box of an undefined application, it asks you whether you want to create an application definition and, if yes, guides you through the options in a question-and-answer format.

The Application Definition Wizard supports Windows® applications, Web applications and Java™ application.

You can also use the Application Definition Wizard to modify existing application definitions.

The ability to create tailored application definitions is a powerful feature and the Application Definition Wizard makes it easy. You can use application definitions to:

• Retrieve and enter logon details. Application definitions are stored and secured within the directory to ensure maximum security, support for single-point administration, and manageability.

• Automate many logon processes, such as multi-page logons and logon panels requiring other information that you can also store in the directory (such as surnames, telephone numbers or IP addresses). Application definitions can include commands to automate password changes on behalf of users and to request user input when required.

For a full description of the Application Definition Wizard and its screens, see Chapter 2, "Application Definition Wizard," on page 8.

Note for AdministratorsApplication definitions created by the wizard are stored in XML format in the directory user object of the current user.

Notes for UsersSystem administrators can choose to restrict user access to the Application Definition Wizard. This guide generally assumes you have full access, the default setting. However, you might only be allowed to create new logons for new applications, or you might have no access. See "Changing the Wizard Mode Preference" on page 75.

Notes• You can only define one

application at a time with the wizard.

• The ActivIdentity SecureLogin has detected a password field on this screen dialog box is not displayed if the Application Definition Wizard or Management Utility are already open.

Modifying Definitions• You cannot modify the predefined

application definitions supplied with ActivIdentity SecureLogin using the wizard. You can only modify those you created with the wizard and have been granted permission to edit. Predefined application definitions can be edited manually.

• You can only edit definitions created using this version of the wizard. If a definition was created with a previous version of the wizard (as available in ActivIdentity SecureLogin 6.0 or 6.1), it cannot be edited with the wizard. Previous definitions can be edited manually.



Application Definition MethodsTo create application definitions using the wizard, you can:

• Accept the default selections made by the Application Definition Wizard.

See "Wizard Default Selections" on page 19.

• Use a predefined application definition to simplify logging on to a broad range of applications.

See "Predefined Application Definitions" on page 20.

• Allow the wizard to guide you through the complete definition process, asking whether you want to single sign enable an application or web page and prompting you for the required information at each step.

The Application Definition Wizard is capable of creating complex application definitions, dealing with advanced scenarios or different types of application screens that an application presents.

See Chapter 4, "Enabling Application Screens," on page 23.



Chapter 2: Application Definition WizardThis chapter describes the Application Definition Wizard and its components.

Layout of the Application Definition WizardThe Application Definition Wizard displays three related groups of controls.

• Application screens

Different screens within the application or web site that have been ActivIdentity SecureLogin-enabled using the Application Definition Wizard are listed on the left under the heading Application Screens.

For further information, see "Application Screen Types" on page 9.

• Attribute panels

The attributes of the application definition for the selected screen are detailed on the right under the title of that screen.

For further information, see "Attribute Panels" on page 10.

• General controls and messages

These are located at the bottom of the wizard.

For further information, see "General Controls and Messages" on page 13.

Chapter Contents

8 Layout of the Application Definition Wizard

9 Application Screen Types

10 Attribute Panels

13 General Controls and Messages

14 Selecting and Identifying Screens and Controls



Application Screen TypesApplication screens that have been ActivIdentity SecureLogin-enabled using the Application Definition Wizard are listed on the left under the heading Application Screens.

The wizard can help you develop application definitions for:

• Logon screens

• Logon notification screens

• Change password screens

• Change password notification screens

• Other screens

The wizard leads you through a series of questions specific to each screen type. Your answers become the specifications of the new application definition.



LogonThe logon screen corresponds to the application’s own logon screen asking for your user name and password. In more advanced scenarios, ActivIdentity SecureLogin can be configured to:

• Handle more controls, such as check boxes, radio buttons, or drop-down lists.

• Use another credential source, such as your network credentials, a smart card-based OTP, credentials from another application, or credentials based on very specific information displayed on the logon screen.

• Enforce re-authentication to specific applications for additional security.

• Force users to store their credentials within ActivIdentity SecureLogin.

Change PasswordThe wizard can automate periodic changing of passwords. You can choose to let users select their own passwords or have ActivIdentity SecureLogin generate passwords. In either case, you can use a password policy to maintain security, and the new password will be stored in ActivIdentity SecureLogin when it has been changed successfully.

NotificationsThe wizard can configure handling of:

• Logon notification screens - used to inform users that an event has occurred while logging on, for instance, that a user name and password do not match. This notification can then be configured to display all or part of the credentials to the user to be updated.

• Change password notification screens - used to inform users whether they have changed their password successfully. ActivIdentity SecureLogin uses this notification to update its credentials for that application with the new password. If there is no notification, ActivIdentity SecureLogin prompts the user for confirmation before updating its credentials.

OtherIn this form type can be defined any form that does not rely on or use credentials. This can be automated navigation through menus or dismissal of an application prompt, for instance.

Attribute PanelsThe attribute panels on the right of the Application Definition Wizard refer to different aspects of ActivIdentity SecureLogin’s interaction with the screen or notification selected on the left of the wizard.

You simply need to work through these panels, answering questions as you go to create your application definition. The attribute panels are described in detail in Chapter 4, "Enabling Application Screens."



The attribute panels varying according to the type of application screen. They include a combination of the following:

• Identify Screen

• Credential Source (Logon screens only)

• Identify Fields

• Notification Handling

• Submit Options

• Re-authentication (Logon screens only)

• Matching Criteria

• Password Generation (Change Password screens only)

• Password Policy (Change Password screens only)

If the wizard opens automatically after detecting a logon screen, it opens at the panel for "Credential Source" on page 27. Otherwise it opens at "Identify Screen" on page 27.

When you are building an application definition, attribute panels can only be opened in order from top to bottom as you complete each step.

Completed panels are marked with a tick and displayed in color.

You can re-open a completed panel by clicking on it.

Panels that cannot be opened because prerequisite steps are incomplete are dimmed to show they are unavailable.

NotePanels display in two different layouts:

• Questions and answers as you are guided you through the definition process.

• Summary of the selected options when you review the definition at the end of the process.



Each attribute panel has an area at the top containing descriptive help text. Click on the expander to expand or collapse the help text as needed.

When you have completed an attribute panel, the next panel becomes available.

Click on the title of completed attribute panels to review your previous decisions, or click on one of the following general controls to finish using the wizard.



General Controls and MessagesGeneral controls and messages are grouped together at the bottom of the wizard.

HelpClicking on the Help button or pressing F1 on your keyboard opens the Help for the wizard. This can be done at any stage.

TestCompleted application definitions can be tested. When you click Test, the wizard minimizes and the Testing Application Definition Console opens. If you then open your application, the console displays a log of fields identified and actions taken by ActivIdentity SecureLogin as it works through your application definition.

The log can be used to review or troubleshoot the application definition. See Chapter 5, "Testing Application Screens," on page 65. If necessary, contact ActivIdentity Support for assistance.

NoteWhen you click Test, OK, or Apply, your data is synchronized and saved to the directory.



OKClicking OK saves any changes you have made to the application definition and close the wizard.

ApplyClicking Apply saves any changes you have made to the application definition and leaves the wizard open for further editing.

CancelClicking Cancel closes the wizard without saving any changes you have made. Unsaved changes will be lost.

Selecting and Identifying Screens and ControlsChoose and Show Me• You identify application windows and web pages, as well as specific

controls and fields within those windows or pages, by dragging the Choose icon to them. The wizard moves behind all other windows while you make your selection.

• To confirm which control has been identified, click the Show me icon to highlight an identified control. The wizard flashes a thick red line outlining the control in the application screen or web page.

ActivIdentity SecureLogin detects standard Windows screens and user interface elements. If you cannot choose or highlight a control, your application might use a unrecognized or proprietary framework. In this case, ActivIdentity SecureLogin suggests that you record keystrokes to navigate to fields or controls.

Recording KeystrokesActivIdentity SecureLogin can record keystrokes to facilitate navigation or enter particular commands. The keystrokes can define how to access and handle controls in applications using proprietary controls, specific user interfaces, or dynamic controls that would otherwise be difficult to identify. You can record keystrokes wherever an action must be done, credentials updated, or a screen submitted.

Note for AdministratorsThe application definition is saved to the directory object of the current user.

You can create and test an application definition using a test account before copying it for distribution.

Choose Icon FocusWhen you select a screen with the Choose icon, make sure that no other application occupies the whole desktop display.

NoteSome applications might take slightly longer than others to display their interface when highlighted.



Together, these features mean the Application Definition Wizard can handle a broad range of single sign-on requirements. All of these options are explained in Chapter 4, "Enabling Application Screens."

You can choose:

• Navigate to field using keystrokes to navigate between control fields that ActivIdentity SecureLogin has to interact with.

• Type the following keystrokes to define the commands that ActivIdentity SecureLogin enters as part of the application definition (for example, typing on the logon button).

In either case, the method of recording keystrokes is the same.

1. To record the keystrokes, click Record.

A dialog box prompts you to select the appropriate screen and record your keystrokes.

2. When you have navigated to the required field or entered the necessary commands, click Close.

The dialog box closes and you are returned to the Application Definition Wizard, with the Keystrokes recorded displayed.

ImportantCTRL+ALT+DEL cannot be recorded and cancels the collection of keystrokes.

NoteIf you select the Navigate to field using keystrokes option, you cannot leave the keystroke edit box empty.



You cannot type directly into the Keystrokes recorded text box. It only displays recorded keystrokes.

If you make a mistake, click Record again to record a new sequence of keystrokes.

When a script is played, ActivIdentity SecureLogin enters the user name first and password second. Consequently, when you are recording keystrokes for the password, remember that the starting point for the cursor is the user name field.

Matching Regular ExpressionsSome ActivIdentity SecureLogin dialog boxes give you the option of specifying text ActivIdentity SecureLogin needs to match to identify an application screen. This is another option for uniquely identifying a particular application screen.

The text must be entered as a regular expression. Regular expressions are text patterns that are used for string matching. They contain a mix of plain text and special characters to indicate what kind of matching to do.

If you are testing your regular expression in the wizard and it does not match any controls on the particular application screen, ActivIdentity SecureLogin prompts you to check your regular expression and ensure the correct control is selected. Special characters in your regular expression might need to be escaped.

For further information about using regular expressions within ActivIdentity SecureLogin, see the ActivIdentity SecureLogin Single Sign-On Application Definition Guide.



Chapter 3: Using the Application Definition WizardThis chapter describes how to open the Application Definition Wizard and provides general procedures for its use in greater detail, moving beyond using the default settings.

The ability to create tailored application definitions is a powerful feature and the Application Definition Wizard makes it easy. At every stage of the process, you are able to choose more advanced options to make the application definition exactly match your requirements.

A full description of every function of the wizard is available in Chapter 4, "Enabling Application Screens."

Opening the Application Definition WizardThere are several ways to open the Application Definition Wizard. In most instances the wizard opens automatically when it detects a new logon screen. You can also choose to create or modify application definitions using the wizard to automate the handling of notification screens including prompts to change your password and error messages.

Auto-DetectionAuto-detection is often used by administrators to create a simplified logon procedure that allows users to single sign-on enable an application using ActivIdentity SecureLogin in just two clicks.

If ActivIdentity SecureLogin automatically detects a logon dialog box, it asks you whether you want to single sign-on enable that application or Web site.

Chapter Contents

17 Opening the Application Definition Wizard

19 Wizard Default Selections

20 Predefined Application Definitions

22 Enabling Web Applications using Firefox

22 Enabling Oracle Forms Applications

Citrix ApplicationsThe wizard cannot detect Citrix® published applications. Run the application on your workstation to create an application definition.



Either:

• Click Yes to have ActivIdentity SecureLogin automatically create an application definition using the default settings.

An application definition is created to handle the user name and password fields and submit button automatically identified by the wizard.

Follow the wizard instructions to enable the application for single sign-on. All the steps are pre-filled by the wizard's default selection and you can accept the definition as it is. If the dialog contains several controls that require your input, the wizard asks to check the different steps to ensure that no action is forgotten in the definition.

For further information, see "Wizard Default Selections" on page 19.

• Click No, not this time to cancel the use of the wizard this time.

The next time ActivIdentity SecureLogin detects the application logon dialog box, you are prompted again.

• Click No, never prompt me to single sign this screen to stop ActivIdentity SecureLogin prompting to enable this application again.

Start the Wizard from the ActivIdentity SecureLogin IconThe auto-detection dialog box does not display if the Application Definition Wizard or Management Utility are already open.

To start the wizard manually:

1. Right-click on the ActivIdentity SecureLogin icon in the Windows notification area and select New Application to create a new application definition.

2. Drag and drop the Choose arrow to select the application for which you want to create a definition.

Notes• If a Windows application is

already up and running before ActivIdentity SecureLogin starts, the wizard proposes to enable the application or directly run the script if application is already defined.

• Auto-detection only applies only to logon forms. If you want to define other forms (such as notifications or change password), you need to start the wizard manually. See "Start the Wizard from the ActivIdentity SecureLogin Icon" on page 18.

• The resulting application definition can be edited or tested using the wizard if you have been granted permissions. See "Testing Application Screens" on page 65 or "Modifying Application Definitions" on page 68 for further guidance on application definitions, and "Changing the Wizard Mode Preference" on page 75 to learn about permissions.

• You can only define one application at a time with the wizard.

Editing Existing DefinitionsYou can also start the wizard by editing an existing definition.

Right-click on the ActivIdentity SecureLogin icon and select Open.

For further information, see Chapter 6, "Modifying Application Definitions," on page 68.



Alternatively, if a definition exists for this application but not for the specified form, you are asked if you want to single sign-on enable the screen you pointed to.

Click Yes or No according to your requirements.

Start the Wizard from the Personal Management Utility

1. Open the Personal Management Utility.

2. Select an application and either:

– Click New.– Right-click and select New.

Wizard Default SelectionsIf ActivIdentity SecureLogin detects a logon dialog box, it asks you whether you want to single sign-on enable that application or Web site.

1. Click Yes.

ActivIdentity SecureLogin automatically creates an application definition.

– If the logon form is simple enough (it does not contain too many controls that might require configuration), the wizard pre-populates the definition with its default selection. As a consequence, the different panels are already validated (ticked ). You can accept the pre-selection and save the definition as it is, or you can review the default selection and modify the settings to personalize the definition.

– If the logon form is complex, the wizard requires that you validate the definition, step by step, to ensure that no requirement is missed.



2. Validate the pre-selected configuration or modify the definition accordingly.

Using the wizard allows you to review and confirm that the correct fields and buttons have been identified.

You are prompted to enter your credentials.

3. Enter your logon credentials and click OK.

ActivIdentity SecureLogin stores those credentials and automatically logs on to that application when it is opened in the future.

Predefined Application DefinitionsActivIdentity SecureLogin comes with predefined application definitions for many commercial applications.

When one of these applications is opened, ActivIdentity SecureLogin prompts you to single sign enable it and automatically use the predefined application definition.

NotePredefined application definitions cannot be edited with the Application Definition Wizard, they can only be edited manually.



1. Click Yes.

ActivIdentity SecureLogin applies the predefined definition.

Instead of opening the wizard, you are automatically prompted to enter your credentials.

2. Enter your logon credentials and click OK.

ActivIdentity SecureLogin stores those credentials and automatically logs on to that application when it is opened in the future.



For further information about the predefined application definitions (including the list of available definitions), see the ActivIdentity SecureLogin Single Sign-On Overview.

Enabling Web Applications using FirefoxThe Mozilla® Firefox® Authentication Required dialog box should not be single sign-on enabled using the wizard.

If you wish to enable a web application using Firefox, simply select the Remember this login with ActivIdentity SecureLogin check box. ActivIdentity SecureLogin automatically creates and stores an application definition and the user is never be prompted to enter their credentials again.

Enabling Oracle Forms ApplicationsIf your Oracle® Forms application is based on JRE 1.5 or higher, then the Application Definition Wizard will automatically detect the application, as it does for Java applications.

If your Oracle Forms application is based on Jinitiator® 1.3.1 or higher, then the Application Definition Wizard cannot automatically detect the application. Instead, it will create an application definition with the list of all controls detected in the application, that you can leverage by editing the definition script.

For further information, see the ActivIdentity SecureLogin Single Sign-On Application Definition Guide (Appendix A).

NoteDepending on how the application was created, a script created on Firefox might not work on Internet Explorer®. You might need to create two application definitions.



Chapter 4: Enabling Application ScreensThis chapter contains a comprehensive description of the options in every attribute panel of the Application Definition Wizard.

Managing Application ScreensThe application screen panels are grouped by functionality in the wizard.

Panels and controls are displayed progressively by the wizard, with advanced options only displayed if you choose to use them:

• "Logon Screens" on page 26

• "Logon Notifications" on page 44

• "Change Password" on page 49

• "Change Password Notifications" on page 57

• "Other" on page 61

Add a New Application ScreenTo add a new screen or notification to the list, you can either:

• Use the New menu to select the type of item to add.

Chapter Contents

23 Managing Application Screens

26 Logon Screens

44 Logon Notifications

49 Change Password

57 Change Password Notifications

61 Other

Notifications Screens for Web ApplicationsFor web pages (normal and java plug-in), the effectiveness of logon and change password notifications is limited.

They might cause the application definition to fail.



• Right-click on the form type and click New.



• Right-click on an existing form name and click New. You can also delete or rename a form using this method.

New screens or notifications are saved to the directory when you click Test, Apply or OK.

The entry for the new screen or notification displays under the appropriate heading and you can begin working on it in the attribute panels on the right.

Rename an Application ScreenYou can rename the entry by clicking on it a second time after selecting it (slowly clicking twice, not double-clicking) or right-clicking and clicking Rename.

Delete an Application ScreenYou can delete an entry for a screen or notification from the list by selecting it and then clicking the cross button or right-clicking and selecting Delete.



There is no undo after deleting an entry. All details and attributes are removed.

Also, if you click Cancel before you have finished a new application definition, all unsaved changes will be lost.

Incomplete ScreensNew and incomplete screens and notifications are marked with a red exclamation point. Complete the application definition by working sequentially through the attribute panels on the right.

Logon ScreensIn order to uniquely identify and handle logon screens, ActivIdentity SecureLogin needs to:

• Identify the logon screen of the application.

• Determine or define the credentials that will be used to log on to the application.

• Identify the fields that are used to enter the credentials.

• Identify how the logon screen is submitted.



• Determine whether you wish to use any optional settings such as re-authentication.

• Check that it can identify the screen uniquely, if necessary further criteria can be defined.

The wizard works through these steps to develop an application definition.

Identify ScreenActivIdentity SecureLogin needs to identify the logon screen of any application or web page that you want to enable. You can make or change the selection of a logon screen using the Identify screen panel.

Select the logon screen by dragging the Choose icon on to it, as described in "Selecting and Identifying Screens and Controls" on page 14.

The title of the logon screen is displayed on the attribute panel. Clicking Show me highlights the identified logon screen.

Credential SourceYou can choose which credentials ActivIdentity SecureLogin provides to an application on the Credential source panel.



You can only have one credential set for an application. Changes to credentials made on any application screen handled by the application definition are applied to all other screens of that application. If a second logon screen is enabled with different credentials from the first, those credentials will replace the originals.

• If you select Yes, ActivIdentity SecureLogin creates a discrete set of credentials to enable this application or web page. The credential set is named after the application.

• If you select No. This application uses credentials from another source, you are presented with a choice of other credential sources.



The options are:

• A one-time password from a smartcard.

Select this option to use a one-time password from a smart card. If the authentication mode is asynchronous (challenge-response), ActivIdentity SecureLogin must read the challenge value from a field on that screen.

– Select This is a challenge-response token, then choose the field on the application or web page by dragging the Choose icon and clicking Show me, as described in "Selecting and Identifying Screens and Controls" on page 14.

• The user's network login credentials.

Select this option to use the user’s directory credentials to log on to this application or web page.

• Another ActivIdentity SecureLogin enabled application.

One-Time Password for Web ApplicationsIf One-Time Password is selected as the Credential source for a web application, only the synchronous mode is available.

The challenge-response option is not displayed.



Select this option to use the credentials of another SSO-enabled application by selecting the application from the list displayed in the wizard.

• ActivIdentity SecureLogin selects credentials based on a value identified on this screen.

Where the logon information required by an application or a web page can be determined from the presence of a particular value on the logon screen, then that text can be specified here.

Select the field using the procedure described under "Selecting and Identifying Screens and Controls" on page 14.

Regular expressions are supported in the text. To learn more about using regular expressions in ActivIdentity SecureLogin, see the ActivIdentity SecureLogin Single Sign-On Application Definition Guide.

A simple example of a regular expression is:

Connecting to server (.*)

The (.*) specifies the value that must be captured to define the credentials, meaning you have one credential set for each regular expression value. The credential set is named after the regular expression value.

Identify FieldsYou can review or change the selection of fields ActivIdentity SecureLogin uses to log on to an application or web page on the Identify fields panel.



• If you select Yes, ActivIdentity SecureLogin uses the fields it has detected and selected by default and lead you to the next step.

• If you select No. Let me select or review the logon fields, you can review and confirm the fields identified by the wizard. The name of each field identified is displayed. By default, ActivIdentity SecureLogin uses the field names as the prompts in its own dialog boxes, but you can edit these to be clearer or more user-friendly.

If they have not been identified correctly, you can identify them manually

by dragging the Choose icon onto the fields and clicking Show me, as described in "Selecting and Identifying Screens and Controls" on page 14.

NoteIf the label text for the control is empty or incorrect:

• Click Show me to check that the selected control is correct

• If Show me does not highlight the expected control, then update it using the drag and drop Choose icon or Navigate... option

The selection using the Choose icon might not update the label if the application is built without ordering labels in accordance with controls.

You can update the control label manually. This corresponds to the field's prompt that will be displayed to user when prompting to enter the credentials.



• Select Treat field as sensitive field to treat the user name field like a password field and disguise the characters entered with asterixes. This is optional for the user name but set and fixed for the password.

• Select Navigate to field using keystrokes if you are having difficulty identifying the correct field using other methods.

Click Record, select the logon screen when prompted by the dialog box, and navigate to the relevant field before closing the dialog box to record

Single Field Logon ScreensIf the form contains only one field (for example, password but no username), then clear the Navigate to field using keystrokes option that corresponds to the username field.



your keystrokes, as described in "Selecting and Identifying Screens and Controls" on page 14.

ActivIdentity SecureLogin prompts you to use Navigate to field using keystrokes if it cannot identify the fields on the logon screen.

All Fields

1. Click on the All fields expander to show other fields that were detected by the wizard on this screen. Each control is listed by type and name (if known).

2. Select each field you would like ActivIdentity SecureLogin to use in managing the logon for this application, then specify the actions ActivIdentity SecureLogin should undertake with the field.

Edit Box

If a text box is detected, you can use the Action drop-down list to configure ActivIdentity SecureLogin to:

• Ask the user to enter a value into field.

• Use the value selected below for all users.

If you select Ask the user to enter a value into field, you need to specify a User-Friendly Name and the text used to Prompt users to enter a value.

Primary ControlsWhen the wizard retrieves default controls, such as username and password, the controls are described as primary controls on the top of the Identify fields pane.

• These controls are also listed with all the other controls in the All fields section of this pane and are selected by default. If you set the control definitions for these primary controls using the All fields section, the top part of the pane is also updated accordingly.

• If these controls are selected by default in the top part of the page and you change them by using the Navigate to field using keystrokes option, the username and password sections are grayed out. To make them available again, you must clear the Navigate option and then manually select them with the Choose icon .



The User-Friendly Name is also used as the variable name in the ActivIdentity SecureLogin Personal Management Utility.

Select Treat field as sensitive field to treat the user name field like a password field and disguise the characters entered with asterixes.

If you select Use the value selected below for all users, you must type the text ActivIdentity SecureLogin should enter.

Check Box

If a check box is detected, you must use the action Use the value selected below for all users to select whether the check box is checked or not.

Combo Box

If a drop-down list box or any other kind of combination box is detected, you can use the Action drop-down list to configure ActivIdentity SecureLogin to:

• Use the value selected below for all users.

• Ask the user to select from the list that the application presents.

If you select Use the value selected below for all users, you must specify the option ActivIdentity SecureLogin should select.

The Values detected in the list box drop-down list contains the values ActivIdentity SecureLogin has retrieved from the application combo box.

NoteIf you select Remember first value entered, ActivIdentity SecureLogin saves the first value entered in this field by the user and automatically enter it on all subsequent logons.



This is the only option available for combo boxes in web applications.

If you select User is to select from the list the application presents, you need to specify a name for the value and the text used to Prompt users to make the choice.

This option is not available for web applications.

If you select Remember the value the user selects and do not prompt again, ActivIdentity SecureLogin stores and automatically enters this value into this screen in the future.

NoteSelect Treat field as sensitive field to treat the value of the variable defined by the user-friendly name like a password field and disguise the characters entered with asterixes within the ActivIdentity SecureLogin Personal Management Utility.



Radio Buttons

If a radio button is detected, you must use the action Use the value selected below for all users to select whether the radio button is selected or not.

Submit OptionsUse these options to tell ActivIdentity SecureLogin how to submit the logon screen.

• If you select Yes, you must specify what action ActivIdentity SecureLogin should take, either clicking a button or typing certain keystrokes, as described in "Selecting and Identifying Screens and Controls" on page 14.

• If you select No. User submits the screen, ActivIdentity SecureLogin does nothing and the user must submit the logon screen manually.



Enable Action When User Cancels to Enter Their Credentials

If you select Enable action when user cancels to enter their credentials, users can be forced to store their credentials for this application or web page in ActivIdentity SecureLogin.

If selected, you also need to define the action ActivIdentity SecureLogin takes when a user is prompted to save their credentials but chooses Cancel on the dialog box. By default, ActivIdentity SecureLogin cancels the logon screen.

To define an alternative action, you can select Click this button that you have identified by dragging the Choose icon and clicking Show me, or you can Type the following keystrokes by clicking Record and recording your keystrokes, as described in "Selecting and Identifying Screens and Controls" on page 14.


• Press Show me to check that the selected control is correct.

• If Show me does not highlight the expected control, then update it the drag and drop Choose icon

or Navigate... option.

The selection using the Choose icon might not update the label if the

application is built without ordering labels in accordance with controls.

Using KeystrokesIf you are using keystrokes to define the Submit option, the application will submit and close if no credentials are provided. Re-open the application in order to complete the application definition with the wizard.



For web applications, you also have a third option, Re-direct the user to this website. An edit box is displayed for you to enter the URL where user is re-directed.

If not selected, users can close the ActivIdentity SecureLogin dialog box and log on to the application manually.

Re-authenticationYou can choose whether ActivIdentity SecureLogin prompts users to re-authenticate (with their network credentials or authentication device) before using an application's credentials. This second strong authentication can provide an extra layer of security around certain applications.

• If you select No, ActivIdentity SecureLogin will not re-authenticate users before supplying credentials to the application or web page.

• If you select Yes. Enforce re-authentication before accessing this application, you must specify which credentials ActivIdentity SecureLogin should use to re-authenticate the user’s identity.



You can select the method ActivIdentity SecureLogin should use to re-authenticate from the drop-down list:

• Use same credentials as network logon

• Password

The network password. (Only available in Active Directory and ADAM/AD LDS modes.)

• Smart card

A smart card that ActivIdentity SecureLogin checks as belonging to the user after the PIN has been checked.

If you enable re-authentication, you also need to define the action ActivIdentity SecureLogin takes when a user is prompted for re-authentication but chooses Cancel on the re-authentication dialog box. ActivIdentity SecureLogin can:

• Click this button.

Smart Card Re-AuthenticationThe smart card re-authentication option is only available if smart card support is installed.



Choose a button on the application or web page that ActivIdentity SecureLogin should press when a user clicks Cancel on ActivIdentity SecureLogin’s re-authentication dialog box. By default, ActivIdentity SecureLogin cancels the logon screen. You can choose and highlight the

button by dragging the Choose icon and clicking Show me, as described in "Selecting and Identifying Screens and Controls" on page 14.

• Type the following keystrokes.

Define commands or key strokes ActivIdentity SecureLogin enters when a user presses Cancel on the re-authentication dialog box.

– Click Record to begin recording keystrokes. The wizard minimizes and a small dialog box displays a record of your keystrokes.

– Click Stop to end the recording and return to the wizard.

If you need to change the keystrokes recorded, click Record again to make a new recording.

If you choose re-authentication in the logon form, ActivIdentity SecureLogin only applies re-authentication to the logon.

For web applications, you also have a third option, Re-direct the user to this website. An edit box is displayed for you to enter the URL where user is re-directed.

Matching CriteriaActivIdentity SecureLogin must identify each application screen or web page uniquely to successfully run an application definition. If ActivIdentity

ImportantYou cannot record the following keystrokes, which are reserved by Windows:

• CTRL+ESC, posts a journal quit message

• CTRL+ALT+DEL, posts a journal quit message

• CTRL+BREAK, part of the journal quit code

• CTRL+SHIFT+ESC, not recorded.

NoteMatching criteria are for the use of experienced users and administrators.



SecureLogin cannot uniquely identify a particular application screen or web page, you can customize matching criteria to assist ActivIdentity SecureLogin.

If you select Yes, ActivIdentity SecureLogin uses the rules defined in previous attribute panels to identify and handle an application screen.

If you select No. I want to customize rules, the rules already defined are listed. You can add, modify, or remove rules. Your matching criteria must include at least one rule.

You can check a rule by selecting it in the list and clicking Show me to confirm which control it corresponds to.



You can add a new rule by selecting the <Add a new rule> option and using the Choose icon on a specific control and clicking Show me to confirm that ActivIdentity SecureLogin has identified the correct control, as described in "Selecting and Identifying Screens and Controls" on page 14, and then clicking Add.

You can modify a rule for a control by selecting the rule and editing the matching rules for that specific control.

The matching rules are:

• ActivIdentity SecureLogin is to match the value displayed.

ActivIdentity SecureLogin only matches screens that exactly match the displayed text and other rules identified.

• ActivIdentity SecureLogin is to match specific part of the identified control.

You must use a regular expression to define the screen features to match.



Click Test Match to check that your regular expression is correct.

If your regular expression does not match any controls on the particular application screen, ActivIdentity SecureLogin prompts you to check your regular expression and ensure the correct control is selected. Special characters in your regular expression might need to be prefixed by \. For further information about regular expressions, see the ActivIdentity SecureLogin Single Sign-On Application Definition Guide.

You can delete a rule by selecting it in the list and clicking Remove.

After making changes, you can check that all the matching rules are still valid by dragging the Choose icon on to the logon screen again. You can use this test even if you have not customized rules.

Remove OptionThe Remove option is only available if the rule you want to remove is not linked to a previous panel definition.

For example, you cannot remove the rule associated to the logon button presence as this button is defined in the submit option.



Logon NotificationsA logon notification is a message that the application might present after ActivIdentity SecureLogin has submitted credentials to notify you about the result of that action. An example is an error message stating that an incorrect password has been entered. You can define how ActivIdentity SecureLogin handles logon notifications in your application definition.

To handle logon notifications ActivIdentity SecureLogin needs to:

• Identify the logon notification screen.

• Determine how to handle the notification.

• Present credentials to the user for updating when required.

• Identify how the logon screen is submitted.

• Check that it can identify the screen uniquely, if necessary by defining further criteria.

Identify ScreenActivIdentity SecureLogin needs to identify the logon notification screen for this application. You can make or change the selection of a logon notification screen using the Identify screen panel by dragging the Choose icon to it, as described in "Identify Screen" on page 27 when discussing logon screens.

NoteA logon notification cannot be created if a logon form is not defined.



Notification HandlingYou must specify how ActivIdentity SecureLogin should respond when a logon notification screen is displayed.

Click Yes to prompt the user to enter all their credentials again. ActivIdentity SecureLogin prompts with the notification from the application.

Click No. Let me select the appropriate credentials to select which credentials to display to the user for updating and enter a customized prompt or error message for users.



• If you select this option, you must type in the Notification prompt text box, the prompt or message you want displayed that replaces the notification from the application.

• You must also highlight which Credentials the user will be asked to update. The new credentials the user enters will be used to update ActivIdentity SecureLogin’s credential set for this application.

• If you select Enable action when user cancels to enter their credentials, you must specify what action ActivIdentity SecureLogin should take if the user cancels the ActivIdentity SecureLogin prompt.

The default action is for ActivIdentity SecureLogin to cancel. Alternatively, you can choose either to click a button or type certain keystrokes, as described in "Selecting and Identifying Screens and Controls" on page 14.

Web Application Logon ErrorsFor web applications, if the error is included and displayed on the logon page, it might be difficult to create a logon notification as the screen identification criteria will be very similar to the ones for the logon page.

To cater for this configuration, ActivIdentity SecureLogin detects that the same web page is displayed in a very short time frame and interprets it as a logon notification error. You will automatically be prompted to re-enter your credentials.



• For web applications, you also have a third option, Re-direct the user to this website. An edit box is displayed for you to enter the URL where user is re-directed.

Submit OptionsUse these options to tell ActivIdentity SecureLogin how to submit the logon notification screen, as described in "Submit Options" on page 36 when discussing logon screens.

Matching CriteriaIf ActivIdentity SecureLogin cannot uniquely identify a particular logon notification screen automatically, you can customize matching criteria, as described in "Matching Criteria" on page 40 when discussing logon screens.



If you select No. I want to customize rules, you can use regular expressions to identify nearly identical dialog boxes, such as those counting down the number of incorrect password attempts before locking an account.

For example:

When the original logon notification message is:

A regular expression is defined so that the logon notification matches when the displayed message is modified to "Invalid username and/or password. 1 attempt until your account is locked."



The corresponding matching rule is then:

• ActivIdentity SecureLogin is to match specific part of the identified control

• The Match text is "Invalid username and/or password\.*"

Change PasswordApplication definitions can also include instructions for changing passwords for an application. ActivIdentity SecureLogin can automatically generate new



passwords that match your password policies or you can allow users to select passwords. You can also customize the change password prompts that are displayed to users.

To change passwords ActivIdentity SecureLogin needs to:

• Identify the change password screen.

• Identify the fields that are used to enter a new password.

• Determine whether the user or ActivIdentity SecureLogin generates the new password, and whether there is a password policy.

• Identify how the change password screen is submitted.

• Check that it can identify the change password screen uniquely, if necessary by defining further criteria.

Identify ScreenActivIdentity SecureLogin needs to identify the change password screen for this application. You can make or change the selection of a change password screen using the Identify screen panel by dragging the Choose icon on to the screen, as described in "Identify Screen" on page 27 when discussing logon screens.

NoteIf Change Password attributes have been set but not Change Password Notification attributes, then after you change your password ActivIdentity SecureLogin asks you Has the password been successfully changed? before updating the credential set with your new password if it has been changed successfully.



Identify FieldsYou can make or change the selection of fields ActivIdentity SecureLogin uses changing a password on the Identify fields panel.

If you select Yes, ActivIdentity SecureLogin uses the fields it has detected and selected by default and lead you to the next step.

If you select No. Let me select or review the change password fields, you can review and confirm the fields identified by the wizard or identify fields manually if they were not correctly detected by the wizard by dragging the Choose icon and clicking Show me, as described in "Selecting and Identifying Screens and Controls" on page 14.

There might be one or more password fields depending on the application.


• Press Show me to check that the selected control is correct

• If Show me does not highlight the expected control, then update it using the drag and drop Choose icon or Navigate... option




You can also Navigate to field using keystrokes if you are having difficulty identifying the correct field using other methods.

Click Record, select the change password screen when prompted by the dialog box, and navigate to the relevant field before closing the dialog box to record your keystrokes, as described in "Selecting and Identifying Screens and Controls" on page 14.

Under all fields, you can also configure additional fields you would like to handle in this screen. For further information on how to handle the different control types, see "Identify Fields" on page 30.

Password GenerationActivIdentity SecureLogin can automatically generate new passwords or you can allow users to enter passwords.

NoteThe fields displayed in the summary are also displayed in the "all fields" section and can be updated there. If your screen contains only two fields (or two password fields) then the only actions available are:

• Type existing password• Type new proposed password



Click Yes to have ActivIdentity SecureLogin generate new passwords when required.

Click No. User chooses a new password to have ActivIdentity SecureLogin prompt users for a new password when required. If selected, you must also enter a customized Prompt message for users.

Password PolicyActivIdentity SecureLogin can apply a password policy to new passwords. You can select an existing ActivIdentity SecureLogin password policy or create a new policy.

NoteIf a password policy has not been defined, ActivIdentity SecureLogin generates a random password eight characters long.



Click No to allow any password, whether generated by the user or ActivIdentity SecureLogin. ActivIdentity SecureLogin does not perform any validation of the password that has been entered against any policy.

Click Yes. Let me specify the password rules to choose or create a password policy. All new passwords for that application submitted through ActivIdentity SecureLogin, whether generated by the user or ActivIdentity SecureLogin, are first validated by ActivIdentity SecureLogin against the policy.

The drop-down list displays all password policies detected for the current user. Select an existing password policy or type a name in the combination box to begin creating a new policy.



An ActivIdentity SecureLogin password policy can have any combination of these rules:

• Minimum length

• Maximum length

• Minimum punctuation characters

• Maximum punctuation characters

• Minimum uppercase characters

• Maximum uppercase characters

• Minimum lowercase characters

• Maximum lowercase characters

• Minimum numeric characters

• Maximum numeric characters

• Disallow repeated characters

• Disallow duplicate characters

• Disallow sequential characters

• Begin with an uppercase character

• End with an uppercase character

• Prohibited characters

• Begin with any alpha character

• Begin with any number

• Begin with any symbol

• End with any alpha character

• End with any number

• End with any symbol

These options are explained further in the ActivIdentity SecureLogin Single Sign-On Administration Guide.

You must use the ActivIdentity SecureLogin Management Utility to revise password policies, as described in the ActivIdentity SecureLogin Single Sign-On Administration Guide. You cannot edit or delete password policies through the wizard.

Select Enforce password history to stop users re-using a certain number of previous passwords.



Submit OptionsUse these options to tell ActivIdentity SecureLogin how to submit the change password screen, as described in "Submit Options" on page 36 when discussing logon screens.

Matching CriteriaIf ActivIdentity SecureLogin cannot uniquely identify a particular change password screen automatically, you can customize matching criteria, as described in "Matching Criteria" on page 40 when discussing logon screens.



Change Password NotificationsA Change Password Notification is a message that the application might present after ActivIdentity SecureLogin has submitted the new password. This might be a confirmation or error message.

This notification is important for ActivIdentity SecureLogin to know whether the password has been changed successfully as it needs to update its credentials for that application when they are updated.

If no change password notification is defined, then ActivIdentity SecureLogin prompts the user after changing a password to ensure it has been successful. Several notifications can be defined for an application.

To handle change password notifications, ActivIdentity SecureLogin needs to:

• Identify the change password notification screen.

• Determine how the change password notification screen is dismissed.

• Check that it can identify the change password screen uniquely, if necessary by defining further criteria.

Identify ScreenActivIdentity SecureLogin needs to identify the change password notification screen for this application. You can make or change the selection of a change password screen using the Identify screen panel by dragging the Choose icon on to the screen and clicking Show me, as described in "Selecting and Identifying Screens and Controls" on page 14.

NoteA Change Password Notification cannot be created if a change password form is not defined.



If you select This window is a change password successful notification, the next attribute panel asks you to define Submit options.

If it is not selected, the next attribute panel asks you to define rules for Notification handling.

Submit OptionsUse these options to tell ActivIdentity SecureLogin what to do when the change password notification is displayed.

NoteActivIdentity SecureLogin updates the credentials for this application as soon as it has confirmed that the password has been changed successfully, whether automatically or by asking the user.

NoteIf the label text for the control is empty or incorrect, press Show me to check that the selected control is correct




Click Yes and then define what action ActivIdentity SecureLogin should take to automatically submit the screen. You can choose to click a button or record keystrokes, as described in "Selecting and Identifying Screens and Controls" on page 14.

Click No. User submits the screen to allow users to handle any change password notification screens.

Notification HandlingIf a change password notification screen is not confirming that the password was changed successfully, you must define how ActivIdentity SecureLogin should handle the notification.

If you select Yes, you must define the actions ActivIdentity SecureLogin takes and enter a customized message that is displayed to the user after the change password notification screen is dismissed. You can choose to click a button or record keystrokes, as described in "Selecting and Identifying Screens and Controls" on page 14.



If you select No. User dismisses the notification, ActivIdentity SecureLogin displays the notification from the application and leave it to the user to action.

Matching CriteriaIf ActivIdentity SecureLogin cannot uniquely identify a particular change password notification screen automatically, you can customize matching criteria, as described in "Matching Criteria" on page 40 when discussing logon screens.



OtherUse Other to define how the application definition handles any other application screens, such as splash screens, automating menu navigation, or redirecting users to a web site.

To handle other screens, ActivIdentity SecureLogin needs to:

• Identify the other screen.

• Identify the fields in that screen that must be handled by ActivIdentity SecureLogin.

• Identify how the other screen is submitted.

• Check that it can identify the other screen uniquely, if necessary by defining further criteria.

Identify ScreenActivIdentity SecureLogin needs to identify the other screen for this application. You can make or change the selection of an other screen using the Identify screen panel by dragging the Choose icon on to the screen, as described in "Identify Screen" on page 27 when discussing logon screens.



Identify FieldsYou can confirm or change the selection of fields ActivIdentity SecureLogin uses for other screens on the Identify fields panel.

By default, ActivIdentity SecureLogin does not select any fields on other screens. Everything has to be defined by the user.

If the selected screen does not contain any controls, then this attribute panel is automatically ticked and users are taken to the Submit options.

If you select No, then you are moved to the Submit options attribute panel. ActivIdentity SecureLogin takes no action.



If you select Yes. Let me select and configure the fields, then you must identify the controls you want ActivIdentity SecureLogin to handle and the actions it should take.

The actions that can be taken depend on the control types that are identified. The controls and actions are as described in "Identify Fields" on page 30 when discussing logon screens.

Submit OptionsUse these options to tell ActivIdentity SecureLogin how to submit the other screen, as described in "Submit Options" on page 36 when discussing logon screens.

NoteIf the label text for the control is empty or incorrect, press Show me to check that the selected control is correct




Matching CriteriaIf ActivIdentity SecureLogin cannot uniquely identify an other screen automatically, you can customize matching criteria, as described in "Matching Criteria" on page 40 when discussing logon screens.



Chapter 5: Testing Application ScreensYou can test an application definition after completing all the relevant attribute panels (all ticked ) for the application screen you want ActivIdentity SecureLogin to handle.

1. Click Test to open the Testing Application Definition Console.

Note: When you click Test, OK, or Apply, your data is synchronized and saved to the directory. Only saved application definitions can be tested.



2. Close and re-open the application screen associated with the application definition you are testing.

As ActivIdentity SecureLogin works through the application definition for that application the Testing Application Definition Console displays a log of the:

– Steps ActivIdentity SecureLogin has taken to match the application you have started with the application definition.

– If matched, the message Successfully matched.– The credentials that are typed into the form and actions that are

taken, as defined in the application definition.



The log can be used to review or troubleshoot the application definition; contact ActivIdentity Support if necessary for assistance.

• Click Clear to clear the log and continue testing.

• Click Cancel to close the Testing Application Definition Console and return to the Application Definition Wizard.

You can test any application definition developed with the Application Definition Wizard. You cannot test application definitions you have developed manually or with earlier wizards.



Chapter 6: Modifying Application DefinitionsYou can edit application definitions you have created or been granted permissions to using the Application Definition Wizard. You can add or change options, or add other screens and notifications generated by an application to its application definition.

Predefined application definitions cannot be edited with the Application Definition Wizard, they can only be edited manually. To learn more about manually editing application definitions, see the ActivIdentity SecureLogin Single Sign-On Application Definition Guide.

There are several ways you can open an existing application definition or begin defining rules to add another application screen to an existing application definition.

• You can right-click on the ActivIdentity SecureLogin icon in the Windows notification area and select New Application, then drag the Choose icon to an application screen that you want ActivIdentity SecureLogin to handle as part of the existing application definition.

If you have already created an application definition to handle that application screen, ActivIdentity SecureLogin asks Do you want to edit the existing application definition?



– Click Yes to edit the existing definition using the wizard.– Click No to cancel editing and continue using the existing definition.

• You can right-click on the ActivIdentity SecureLogin icon in the Windows notification area and select Open.

a. When the ActivIdentity SecureLogin Personal Management Utility opens, navigate to the application whose application definition you wish to modify by expanding the menus on the left.



b. Click on the Definition tab on the right.



c. Either:

– Double-click on an application screen name, or select it and click Edit Wizard to review or modify the options you have selected for handling that application screen.

– Double-click on another application screen type to add rules for handling another screen from that application to the application definition.

d. When the Application Definition Wizard opens, work through the attribute panels to either review and modify the existing rules for handling an application screen, or to define rules for handling another screen from that application.

If your modifications prevent ActivIdentity SecureLogin from identifying a screen or control or you introduce contradictory rules, the tick adjacent to



the attribute panel title disappears and the application screen is marked as incomplete on the left. You should correct the application definition before saving it.

You can Test an application definition after completing all the relevant attribute panels for the application screen you want ActivIdentity SecureLogin to handle, as described in Chapter 5, "Testing Application Screens," on page 65.

When you are finished, click OK to save your changes or Cancel.

NoteWhen you click Test, OK, or Apply, your data is synchronized and saved to the directory.



Chapter 7: Wizard Mode PreferenceThe Application Definition Wizard is installed as part of ActivIdentity SecureLogin Single Sign-On version 6.2 and later, and access to it is enabled by default.

Access to the Application Definition Wizard is controlled by the ActivIdentity SecureLogin Wizard mode preference.

The Wizard mode preference has three settings:

• Administrator, the default setting. This setting allows users full access to the Application Definition Wizard to create and edit their own application definitions.

• User. Users are only allowed to create new logon credential sets for new applications using the auto-detection settings, as described in "Auto-Detection" on page 17.

Specifically, at the prompt Do you want to single sign-on enable this screen?, the option Yes does not open the wizard but automatically creates an application definition with either the default selection made by the wizard or the predefined application definition.

Chapter Contents

75 Changing the Wizard Mode Preference

Notes• The Allow user to modify

application definitions preference has precedence over the Wizard mode preference. If users are not allowed to modify application definitions, the wizard preference has no effect.

• ActivIdentity recommends that access to the Application Definition Wizard is restricted to administrators.

• The Wizard mode preference is not available in Stand-Alone mode.



Also, in the ActivIdentity SecureLogin Personal Management Utility, the Edit Wizard button is disabled, and the New Application command is not

available from the ActivIdentity SecureLogin icon menu in the Windows notification area.



• Disabled. This disables the launching of the wizard. The following prompts are disabled:

– All automatic prompts to single sign-on enable an application.– The Edit Wizard button in the ActivIdentity SecureLogin Personal

Management Utility.– The New Application option normally accessed by right-clicking the

ActivIdentity SecureLogin icon in the Windows notification area.

Changing the Wizard Mode Preference1. To access the Preferences properties open the Administrative

Management Utility through either the:

– Active Directory Users and Computers snap-in. – Windows Start menu. Point to All Programs, point to ActivIdentity,

point to SecureLogin, and then click ActivIdentity SecureLogin Manager.

The Administrative Management Utility is displayed.

2. Navigate to Preferences, click General, scroll to the Wizard mode preference and select the desired option.

3. Click OK to save your preferences or Cancel.




Chapter 8: Deploying Application DefinitionsWhen the Application Definition Wizard is used to create an application definition, that definition is stored in the creator’s user object in the directory.

ActivIdentity recommends that access to the Application Definition Wizard is restricted to administrators. Administrators can create and test application definitions using a test account before copying them for general distribution.

For information about deploying and distributing application definitions, see the ActivIdentity SecureLogin Single Sign-On Administration Guide.

For information about manually editing and creating application definitions, see the ActivIdentity SecureLogin Single Sign-On Application Definition Guide.


Chapter 9: Compatibility with Other Versions of ActivIdentity SecureLoginEarlier Versions of ActivIdentity SecureLoginThe Application Definition Wizard is designed for ActivIdentity SecureLogin version 6.2 and later.

Application definitions created with the wizard are not directly compatible with earlier versions of ActivIdentity SecureLogin Single Sign-On.

If you wish to use an application definition developed with the wizard in an earlier version of ActivIdentity SecureLogin Single Sign-On, you must open the Personal Management Utility, select the application definition, and click Convert to Application Definition.

The resultant application definition can be manually edited and exported to the earlier version of ActivIdentity SecureLogin.

Other wizards included in earlier versions of ActivIdentity SecureLogin Single Sign-On are superseded by the Application Definition Wizard and are no longer available.

Earlier Application DefinitionsApplication definitions created using ActivIdentity SecureLogin Single Sign-On version 6.1 or earlier can be used with this version but cannot be edited using the Application Definition Wizard.

Chapter Contents

77 Earlier Versions of ActivIdentity SecureLogin

77 Earlier Application Definitions

78 Manually Created or Edited Application Definitions



To edit application definitions created by earlier versions of ActivIdentity SecureLogin, you must use manual editing.

If you wish to be able to edit a particular application definition using the wizard, the earlier application definition must be removed from the directory before using the Application Definition Wizard to create a new definition for that application.

Manually Created or Edited Application DefinitionsApplication definitions that are created or edited manually cannot later be edited using the Application Definition Wizard, but application definitions created by the wizard can be exported for manual editing.



Chapter 10: Tips and HintsAuto-Detection of Multiple ControlsWhen ActivIdentity SecureLogin automatically detects a typical application logon screen with a user name field, password field and submit button, the Application Definition Wizard launches and pre-fills all the options with its default selected controls and nominal action. Each definition node is then marked as ticked (green check mark icon ) so that user can immediately accept the definition and run it.

However, if the logon screen is more complex – for instance offering users a choice to log on to different networks by configuring combo boxes – then ActivIdentity SecureLogin pre-fills the different options with its default control selection but require the user to review each option individually to ensure that no action is forgotten. In that case, each definition node is marked as incomplete, and user needs to validate each one of them to single sign-on enable the application.

Using the Application Definition Wizard gives users the opportunity to review and if necessary edit the selections made by the wizard to ensure that the application definition meets their requirements. Alternatively, you can proceed with the default selections by the wizard and modify the application definition later if necessary; see "Modifying Application Definitions" on page 68.

Using Show Me to Highlight ControlsIf you click Show me to highlight a control while building an application definition, as described in "Selecting and Identifying Screens and Controls" on page 14, and two screens are open containing that control and matching the criteria for that application, ActivIdentity SecureLogin highlights both.

Dynamic ControlsYou can use the Window Finder tool to identify whether your application uses dynamic controls. To learn how to use the Window Finder tool, see the ActivIdentity SecureLogin Single Sign-On Application Definition Guide.

If your application uses dynamic controls, ActivIdentity recommends you use Navigate to field using keystrokes to select and populate those fields. See "Selecting and Identifying Screens and Controls" on page 14.

User Name and Password Fields Not PopulatingIf you have defined an application definition but ActivIdentity SecureLogin is not populating the user name and password fields when that application is started:

• Check that the fields are correctly identified. See "Selecting and Identifying Screens and Controls" on page 14.

• Use the Test button to walk through your application definition step by step. See "Testing Application Screens" on page 65.

• Check the matching criteria. See "Matching Criteria" on page 40.

Chapter Contents

79 Auto-Detection of Multiple Controls

79 Using Show Me to Highlight Controls

79 Dynamic Controls

79 User Name and Password Fields Not Populating

80 Matching Criteria for Web Applications

80 Citrix Published Applications

80 COM Applications



• Use Navigate to field using keystrokes when the matching criteria validate but the user name and password fields are not populating. See "Selecting and Identifying Screens and Controls" on page 14.

Matching Criteria for Web ApplicationsWhen you highlight an application screen using Show me, as described in "Selecting and Identifying Screens and Controls" on page 14, ActivIdentity SecureLogin does not consider the “page text” matching rule to uniquely identify the web page. This is to improve performance identifying and highlighting controls inside the wizard.

Once the application has been fully defined, the “page text” matching rule is taken into account when the script is run outside the wizard.

Citrix Published ApplicationsThe ActivIdentity SecureLogin Application Definition Wizard cannot detect Citrix published applications. You must run the application on a workstation to create an application definition using the wizard.

For information about using ActivIdentity SecureLogin with Citrix and Terminal Services, see the ActivIdentity SecureLogin Single Sign-On Installation and Deployment Guide for Citrix and Terminal Services.

COM ApplicationsThe ActivIdentity SecureLogin Application Definition Wizard cannot differentiate between a COM application (where Internet Explorer is the top parent) prompt and that of a genuine Internet Explorer prompt. To create an application definition for COM applications, you must extend the default Internet Explorer script or create a new one based on the Internet Explorer model.



Chapter 11: Application Definition ExampleThis chapter provides an example of the application definition process using the Application Definition Wizard.

In this example, ASTrainer.exe is the application for which the definition is to be created.

Create a Logon Form1. Start ASTrainer.exe.

ActivIdentity SecureLogin detects the logon screen and an automatic prompt is displayed.

Chapter Contents

81 Create a Logon Form

83 Create a Logon Notification

89 Create a Change Password Definition

94 Create a Change Password Notification



2. Click Yes.

ActivIdentity SecureLogin detects that it is a simple application form so it automatically fills the required fields:

3. Click OK and close the wizard.

You are prompted to enter your credentials.



4. Enter your credentials and click OK.

You are automatically logged on to the application.

Create a Logon Notification1. Start ASTrainer.exe and enter the wrong credentials in order to display

the following message.

2. Right-click on the ActivIdentity SecureLogin icon in the Windows notification area and select New Application.



3. Drag the Choose icon to the error message.

4. Click Yes.



5. Click Yes.

6. Click Yes.



7. Use the Show me to verify that the correct control is selected by default.

8. Select the Matching criteria bar.



• To complete the definition, click Yes.

• Alternatively you can configure this notification to handle the different attempt counter. To do so, click No. I want to customize rules in the initial Matching criteria screen or choose the Customize rules option.



9. In the Rules section, select Text field....

10. Configure the Match Text to take into account the counter.

11. To test the rule, click Test Match.

12. Click OK.



Create a Change Password Definition1. Log on to the application.

2. Start the application’s change password process.


4. Drag the Choose icon to the change password dialog.



5. Click Yes.

6. Click Yes.



7. Click Yes.

8. Click No.



9. Click Yes.





12. Click Yes and then OK.

13. Close and restart the change password dialog to run the newly created application definition for the change password form.

ActivIdentity SecureLogin automatically generates a new password and submits it to the application.

As no change password notification form has been created for this application, the following message is displayed.



14. Click Yes to update your password correctly in the directory and stay synchronized with the application.

Create a Change Password NotificationThe application itself displayed a notification that can be SSO-enabled. Next time you change the application password, ActivIdentity SecureLogin will not prompt to confirm that the password was changed successfully.


2. Drag the Choose icon to the change password notification message.



3. Click Yes.



4. Verify that the This window is a change password successful notification option is selected.

5. Click the Submit options bar.

6. Click Yes.



9. Click Yes.

10. Click OK to complete the definition process.

11. Open the management console and view the summary of the application definition.



Legal Disclaimer

Americas US FederalEuropeAsia Pacific EmailWeb

+1 510.574.0100+1 571.522.1000+33 (0) 1.42.04.84.00+61 (0) [email protected]

Trademarks: ActivIdentity, ActivIdentity (logo), and/or other ActivIdentity products or marks referenced herein are either registered trademarks or trademarks of ActivIdentity in the United States and/or other countries. The absence of a mark, product, service name or logo from this list does not constitute a waiver of the ActivIdentity trademark or other intellectual property rights concerning that name or logo. The names of actual companies, trademarks, trade names, service marks, images and/or products mentioned herein may be the trademarks of their respective owners. Any rights not expressly granted herein are reserved.


ActivIdentity Secure Log In Single Sign-On Wizard Administration Guide

Documents

Transcript of ActivIdentity Secure Log In Single Sign-On Wizard Administration Guide