From the Choose applications page of the User Configuration Wizard, add the applications for the user configuration. When you click the Add button, a dialog box showing the application definitions you created previously appears. You can now combine these application definitions in an application group. An application group can contain several applications or as few as one application.
You can also make the application group a password sharing group to automate and simplify the password change process. If the password for an application definition that is part of a password sharing group changes, the plug-in software ensures that the password change is reflected in the stored credentials for all applications in the group.
Password sharing groups enable the plug-in software to manage multiple credentials for applications that use the same authentication authority. For example, if you have two applications that use the same Oracle database to authenticate, such as a financial application and a human resources application, you can place these two applications in the same password sharing group. When your users change their password for either application, the other application’s credentials are updated automatically.
Important: For best results, ensure that all passwords in the password sharing group are managed by a common authentication authority. For example, implement a password sharing group when its applications share a common back-end authentication authority, such as a database, so that the user submits the same credentials to each application to authenticate to the database. Do not group unrelated applications, such as an email program, a Web application, and a custom Single Sign-on enabled program on your intranet, where a user could potentially submit three different sets of credentials and is using the same credentials for all three applications only by coincidence. In this case, if a user changes the credentials for one application in the password sharing group, it does not necessarily follow that those credentials are valid for the other two applications.
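The following added example (a simplified model, not the product's own code or API) shows why the common-authority rule matters: a password change is copied to every stored credential in the group, which leaves stale entries when the members do not actually share a back end. The `authority` label, the class and function names, and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class AppDefinition:
    name: str
    authority: str  # assumed label for the back end that validates the password

@dataclass
class CredentialStore:
    """Toy model of one user's stored credentials, keyed by application name."""
    groups: dict                                  # group name -> list of AppDefinition
    stored: dict = field(default_factory=dict)    # application name -> stored password

    def change_password(self, app_name, new_password):
        """Store the new password and copy it to every member of the app's sharing group."""
        self.stored[app_name] = new_password
        for members in self.groups.values():
            if any(a.name == app_name for a in members):
                for a in members:
                    self.stored[a.name] = new_password

def mixed_authority_groups(groups):
    """Return {group name: sorted authorities} for groups spanning more than one authority."""
    found = {}
    for name, members in groups.items():
        authorities = sorted({a.authority for a in members})
        if len(authorities) > 1:
            found[name] = authorities
    return found

def stale_entries(store, accepted):
    """Apps whose stored password differs from what their authority currently accepts."""
    apps = [a for members in store.groups.values() for a in members]
    return sorted(a.name for a in apps if store.stored[a.name] != accepted[a.authority])

def demo():
    # Constructed sample data: one correctly built group, one grouped "by coincidence".
    groups = {
        "oracle-apps": [AppDefinition("Finance", "oracle-db"), AppDefinition("HR", "oracle-db")],
        "coincidence": [AppDefinition("Email", "mail-server"), AppDefinition("WebApp", "web-idp"),
                        AppDefinition("Custom", "intranet-app")],
    }
    accepted = {a.authority: "pw-initial" for m in groups.values() for a in m}
    store = CredentialStore(groups, {a.name: "pw-initial" for m in groups.values() for a in m})
    accepted["oracle-db"] = "pw-2"; store.change_password("Finance", "pw-2")   # HR stays valid
    accepted["mail-server"] = "pw-3"; store.change_password("Email", "pw-3")   # others go stale
    return mixed_authority_groups(groups), stale_entries(store, accepted)
```

Running `mixed_authority_groups` over an inventory of planned groups before creating them in the wizard catches the mis-grouping that `stale_entries` shows after the fact.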
Configure User Settings
Use the following pages to configure user settings. For setting details, see the topics under Single Sign-on Settings Reference > User Configurations.
- The Configure Single Sign-on Plug-in interaction page of the User Configuration Wizard enables you to determine the user experience for all plug-in software users in your environment.
- Select a license server and licensing model at the Configure licensing page of the User Configuration Wizard.
Important: If you edit the user configuration later and change product editions, your license model will change. For example, changing the product edition from Single Sign-on Enterprise to Single Sign-on Advanced will change your licensing model from Concurrent User to Named User.
- The Select data protection methods page of the User Configuration Wizard enables you to select the data protection methods to protect user credentials based on the various authentication methods your users are authorized to use. In some environments, users can use more than one method.
- When users change their primary authentication (for example, a domain password change or a replaced smart card), the Select secondary data protection page of the User Configuration Wizard enables you to specify secondary credential data protection options to use before unlocking user credentials. It also enables you to require that users verify their identity for added security. Alternatively, you can specify that credentials are restored automatically by implementing the Key Management Module.
- The options available on the Enable self-service features page of the User Configuration Wizard require the installation of the Key Management Module. This feature inserts an Account Self-Service button on the Windows logon and Unlock Computer dialog boxes and can help reduce costs associated with administrator intervention or help desk support in your enterprise.
- The Key Management Module and Provisioning module pages of the User Configuration Wizard require you to specify the URL and service port of any installed service modules.