
How Single Sign-on Plug-in Identifies Applications and User Credential Management Events

Mar 24, 2011

An application's user interface includes several forms that handle the user credential events associated with the application.

For example, one form accepts the logon credentials, a second form changes the application password, and a third form confirms that the credentials were changed successfully.

Depending on the type of application being defined (Windows, Web, or terminal emulator), Single Sign-on uses a set of identifiers collected in the application definition to identify each form uniquely and respond to it. These identifiers include, but are not limited to, the application type, the window title, and the executable file name.

When the Single Sign-on Plug-in recognizes the application and form, it does one of the following, depending on the configured settings: prompts users to provide and store their credentials, submits the stored credentials, or prompts users to update their credentials.

Create application definitions using the AppCenter or the Application Definition Tool.

A single application definition covers all user credential management events associated with one application, including:
  • Authenticating the user.
  • Changing user credentials.
  • Confirming credential changes.
Application definitions are categorized into three main types, which determine the information collected:
  • Windows applications (including Java applications and the SAP LogonPad)
  • Web applications (including Java applets)
  • HLLAPI-compliant terminal emulator-based applications
An application definition consists of:
  • Application characteristics that apply to all forms included in the definition. These are defined using the Application Definition Wizard.
  • Form-specific data used to recognize each credential management event associated with the application. Define these forms and events using the Form Definition Wizard, which runs as part of the Application Definition Wizard.

The application characteristics contain similar configuration information for all types of applications. However, the form-specific data in the application definition varies greatly with the type of application being defined.

To create an application definition, you must be able to access the application from the computer where the application definition is created. Because application signatures can vary depending on the underlying operating system, test application definitions on all operating system software in your organization.

After an application definition is deployed, test any change or upgrade to the application to verify that its signatures (for example, window titles and executable file names) have not changed in a way that requires updating the application definition.

Important: As a security measure, Windows Server 2008, Windows Server 2008 R2, Windows Vista, and Windows 7 run with User Interface Privilege Isolation (UIPI) enabled by default. UIPI prevents a process from sending most window messages to windows owned by a process with a higher integrity level. As a result, the Single Sign-on Plug-in, which runs at medium integrity level by default, neither detects nor submits credentials to applications running at high integrity level (for example, applications started with elevated privileges). To maintain the intended security level of these operating systems and of Single Sign-on, keep these default settings.
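The following Python model is added here as an illustration; it is not Citrix Single Sign-on code and does not appear in the original documentation. It shows how the identification described above (application type plus executable file name or URL at the application level, then form-specific window-title patterns) and the UIPI rule in the Important note combine to decide what the plug-in does for an observed window. All class names, the sample definitions, the sample events, the credential store and the integrity-level constants are hypothetical and constructed for this example.

```python
"""Model of signature-based form recognition in an SSO plug-in.
Added illustration, not Citrix code: every name and value here is hypothetical."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows mandatory integrity levels, ordered low to high (assumed constants).
IL_LOW, IL_MEDIUM, IL_HIGH, IL_SYSTEM = 0x1000, 0x2000, 0x3000, 0x4000
PLUGIN_IL = IL_MEDIUM  # the plug-in runs at medium integrity by default

@dataclass
class FormDef:
    """Form-specific data: which credential event a window represents."""
    event: str      # "logon", "change" or "confirm"
    title_re: str   # window-title pattern; a regex absorbs small OS differences

@dataclass
class AppDef:
    """Application characteristics shared by all forms in the definition."""
    name: str
    app_type: str                 # "windows", "web" or "terminal"
    forms: List[FormDef]
    exe: Optional[str] = None     # executable file name (Windows applications)
    url_re: Optional[str] = None  # URL pattern (Web applications)

@dataclass
class WindowEvent:
    """What the plug-in observes when a window or page appears (constructed)."""
    app_type: str
    title: str
    exe: Optional[str] = None
    url: Optional[str] = None
    integrity: int = IL_MEDIUM

def match_app(defs: List[AppDef], ev: WindowEvent) -> Optional[AppDef]:
    """Application-level match: type first, then executable name or URL."""
    for d in defs:
        if d.app_type != ev.app_type:
            continue
        if d.exe is not None and (ev.exe or "").lower() != d.exe.lower():
            continue
        if d.url_re is not None and not re.search(d.url_re, ev.url or ""):
            continue
        return d
    return None

def match_form(app: AppDef, ev: WindowEvent) -> Optional[FormDef]:
    """Form-level match on the window title within an already-matched application."""
    for f in app.forms:
        if re.search(f.title_re, ev.title):
            return f
    return None

def decide(defs: List[AppDef], vault: dict, ev: WindowEvent) -> Tuple[str, str]:
    """Return (action, detail) the plug-in would take for an observed window."""
    # UIPI: a medium-integrity process cannot send messages to a higher-integrity
    # window, so the plug-in neither detects nor fills such forms.
    if ev.integrity > PLUGIN_IL:
        return ("ignore", "UIPI blocks messages to a higher-integrity window")
    app = match_app(defs, ev)
    if app is None:
        return ("ignore", "no application definition matched")
    form = match_form(app, ev)
    if form is None:
        return ("ignore", f"{app.name}: window is not a defined form")
    if form.event == "logon":
        # Stored credentials are submitted; otherwise ask the user to provide and store them.
        return ("submit", app.name) if app.name in vault else ("prompt-store", app.name)
    if form.event == "change":
        return ("prompt-update", app.name)
    if form.event == "confirm":
        return ("commit-update", app.name)
    return ("ignore", f"{app.name}: unknown event {form.event}")

# Constructed sample definitions: one Windows application and one Web application.
DEFS = [
    AppDef("Payroll", "windows", exe="payroll.exe", forms=[
        FormDef("logon", r"^Payroll - Log ?[Oo]n$"),        # "Log On" on one OS, "Logon" on another
        FormDef("change", r"^Payroll - Change Password$"),
        FormDef("confirm", r"^Payroll - Password Changed$"),
    ]),
    AppDef("Intranet", "web", url_re=r"^https://intranet\.example\.com/login", forms=[
        FormDef("logon", r"Sign In"),
    ]),
]
VAULT = {"Payroll": ("jdoe", "<stored secret>")}  # nothing stored yet for Intranet

def demo() -> List[Tuple[str, str]]:
    """Run constructed sample events through decide(); returned so callers can check them."""
    events = [
        WindowEvent("windows", "Payroll - Log On", exe="PAYROLL.EXE"),
        WindowEvent("windows", "Payroll - Logon", exe="payroll.exe"),                 # other OS build
        WindowEvent("windows", "Payroll - Change Password", exe="payroll.exe"),
        WindowEvent("windows", "Payroll - Log On", exe="payroll.exe", integrity=IL_HIGH),
        WindowEvent("windows", "Payroll - Log On", exe="notepad.exe"),                # wrong process
        WindowEvent("web", "Intranet - Sign In", url="https://intranet.example.com/login"),
    ]
    return [decide(DEFS, VAULT, ev) for ev in events]

if __name__ == "__main__":
    for action, detail in demo():
        print(f"{action:14} {detail}")
```

The two-stage match mirrors the structure of a definition: the application-level identifiers (type, executable name, URL) narrow the candidate to one definition, and only then are the form-level title patterns consulted. The regex on the logon title is the reason the text tells you to test definitions on every operating system in use: a title that differs by one character between builds is a different signature. The elevated Payroll window is ignored before any matching happens, which is exactly the UIPI behaviour the Important note describes.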