What are the recommended settings for SecureLogin preferences in a corporate SSO environment?

  • 7940208
  • 20-Aug-2009
  • 26-Apr-2012

Environment

Novell SecureLogin 3.5x and later

Situation

What are the recommended settings for SecureLogin preferences in a corporate SSO environment?

Resolution

SecureLogin includes a number of preferences that give organizations full control and flexibility over their Single Sign-on environment, such as whether the icon is displayed in the system tray, whether users can view their passwords to applications, whether they can view and modify preferences and application definitions, and whether they can add their own applications to their SSO environment.

SecureLogin is extremely customizable and flexible. The preferences below are not necessarily applicable to all organizations (no two organizations in the world have the same requirements) but can be used as a guide.

Setting preferences to suit your environment and requirements is essential for a successful deployment of SecureLogin Single Sign-on and ActivIdentity consultants have extensive experience in this area.

Note: Not all preferences are available in Standalone mode, nor are they all viewable using the management utility via system tray icon (they are all viewable in MMC, ConsoleOne etc.).

Before setting these preferences at the OU level to apply to all users in that OU, you should first set preferences to enable SSO Administrators and the user you are logged on as to manage SecureLogin.

For example, you should NOT set the options to "Allow users to view and modify preferences" and "Allow users to view and modify application definitions" to No or you will prevent ALL users in the Users container (possibly including your user object) from administering SecureLogin.

To prevent this from occurring, first grant the ability to view and modify preferences, view and modify application definitions etc. via the SecureLogin SSO tab under the properties of the user object (e.g. CN=Administrator). Once you have done this, you can turn them off at the container level; the user-specific settings will apply and you will still be able to perform SecureLogin administration.

Preferences can be centrally managed and applied using the MMC snap-in in Microsoft environments, the ConsoleOne snap-in in a Novell environment and SecureLogin Manager in other environments.

How are preferences applied?

Note: Group Policies only apply to Active Directory environments and any Microsoft rules and settings that affect Group Policies also apply to SecureLogin data.

Changes to SecureLogin data you make to Organizational Units apply to all users who reside there. For example, you can change a setting once at the OU and it is automatically inherited by all users in that OU and below.

Changes to SecureLogin data you make to Group Policies will apply to all users that "run/apply" that Group Policy.

You can also set user specific preferences if required.

By default, user specific settings override preferences set at container objects and group policy objects. For example, in the event one setting is defined on the user object and another is defined on the container the user object resides in, the setting on the user object applies.

By default, container settings override preferences set via Group Policies. For example, in the event one setting is defined on the Group Policy object and another is defined on the container the user object resides in, the setting on the container the user object resides in applies.

General Preferences

Allow application definitions to be modified by users (version 6.1.0 and later)

In version 6.1.0 and above, the preference "Allow users to view and modify application definitions" was split into 2 separate preferences following customer feedback/requirements. With this preference set to Yes, users can modify application definitions.

Default Value: Yes
Recommended Setting: No

Set to No to prevent users from modifying application definitions and potentially causing support issues.

Allow application definitions to be viewed by users (version 6.1.0 and later)

In version 6.1.0 and above, the preference "Allow users to view and modify application definitions" was split into 2 separate preferences following customer feedback/requirements. With this preference set to Yes, users can view (but not modify) application definitions.

Default Value: Yes
Recommended Setting: Yes

Set to Yes to allow users to view (but not modify) application definitions to assist with troubleshooting. If this preference is set to No, "Allow application definitions to be modified by users" will automatically be set to No (since you cannot modify without viewing).

Allow credentials to be deleted by users through the GUI (version 6.1.0 and later)

In version 6.1.0 and above, the preference "Allow users to modify credentials through the GUI" was split into 2 separate preferences following customer feedback/requirements. With this preference set to Yes, users can delete credentials using the ASL personal management utility (system tray).

Default Value: Yes
Recommended Setting: Yes

Set to Yes to allow users to delete credentials using the GUI and then re-enter them as if they are a new SSO user, if required.

Allow credentials to be modified by users through the GUI (version 6.1.0 and later)

In version 6.1.0 and above, the preference "Allow users to modify credentials through the GUI" was split into 2 separate preferences following customer feedback/requirements. With this preference set to Yes, users can modify credentials using the ASL personal management utility (system tray).

Default Value: Yes
Recommended Setting: No

Set to No to prevent users from modifying credentials (and names of credentials/logins) using the GUI. If the option to delete credentials is set to Yes, the user can still completely clear the credentials if required but should be prevented from making modifications.

Allow users to (de)activate SecureLogin (Version 6 and later)

In version 6 and above, SecureLogin includes an option to determine whether the user is able to deactivate and activate SecureLogin via the system tray icon. This deactivates SecureLogin temporarily (not to be confused with the Disable Single sign-on preference explained later).

Default Value: Yes
Recommended Setting: Yes

Set to Yes to allow users to easily deactivate SecureLogin for troubleshooting purposes or No to prevent them from disabling SSO.

Allow users to backup/restore (Version 3.6 and later)

In version 3.6 and above, SecureLogin includes an option to allow users to backup and restore their SecureLogin data (i.e. their encrypted cache file) by right clicking on the system tray icon and choosing Advanced>Backup (or Restore) User Information.

Your organization's Directory and Directory backups also store and backup SecureLogin data including application usernames and passwords, but users may want to run a backup of their SSO data if they are offline for an extended period of time. For example, a user could backup their SecureLogin data as a precaution if they have been out of the office and using their laptop for a long period of time without connecting to the network to synchronize their cache with the Directory, and are concerned about losing data because of hardware failure.

When you backup data, all user data including credentials, application definitions and password policies is saved in a password protected, encrypted XML file with an .esx extension. Data can also be backed up (and you can choose exactly what you wish to backup) to a file using the Distribution tab in the SecureLogin MMC snap-in.

Default Value: Yes
Recommended Setting: No

Set to No to disable manual (user) backup and restore of SecureLogin files. Set to Yes so users that will be disconnected from your corporate directory for long periods of time have an option to backup their data if required.

Tip: If testing ASL in Standalone mode only – e.g. for testing before extending the production schema, set this option to Yes to backup SSO data (particularly before upgrading the version of the client) since you are not using the Directory.

Activate the diagnostics log file (only appears prior to version 3.6)

With this set to Yes, SecureLogin logs information to ssodebug.txt. It is typically used for debugging and troubleshooting and should only be enabled if requested by support.

Default Value: No
Recommended Setting: No

If a specific user is having problems you wish to debug using the log file, set this option to Yes on their user object so it only affects that user (don't forget to set it to No once debugging is complete or the log file will grow and grow and grow).

In version 3.6 and above, debugging is set through the registry and this preference is no longer available in the GUI. See the debugging knowledgebase item for more information.

Allow users to change passphrase (version 3.6 and later)

With this set to Yes, users are permitted to change their passphrase using the SecureLogin system tray icon (Advanced>Change Passphrase). If the setting is set to No, the option will not be available.

Default Value: Yes
Recommended Setting: Yes (if passphrases have been implemented)

SecureLogin will NOT prompt users to change their passphrase every x days. However, users might wish to change their passphrase. Users must know their existing passphrase in order to set a new one.

Allow users to close SecureLogin SSO via system tray (version 6.1.0 and later)

This preference determines whether users are able to right click on the system tray icon and select the Close menu option. If this preference is set to No, the option will not be available.

Default Value: Yes
Recommended Setting: No

With this preference set to No, users are unable to close SecureLogin via the system tray icon.

Allow users to log off via system tray (version 6.1.0 and later)

This preference determines whether users are able to right click on the system tray icon and select the "Log off User" menu option. If this preference is set to No, the option will not be available.

Default Value: Yes
Recommended Setting: No

With this preference set to No, users are unable to log off Windows using the SecureLogin system tray icon.

Allow users to modify credentials through the GUI (version 6 only)

This preference determines whether users have access to modify credentials (such as usernames and passwords) using the ASL personal management utility (system tray icon).

Default Value: Yes
Recommended Setting: No

With this preference set to No, users are unable to modify their credentials using the GUI (but can still do so if you have enabled the DisplayVariables command in your application definition's error handling). Note: SSO Administrators (with this preference set to Yes) can modify credentials using MMC (but are never able to view someone else's passwords).

Allow users to modify names of applications and logins

This preference, formerly "Allow users to modify User ID descriptions" and "Allow users to modify names of applications and credential sets", determines whether users have access to change application names and credential descriptions.

If users are able to change descriptions, it might make it more difficult for your support staff to determine which credentials apply to which applications. For example, a set of credentials named by default as the "Finance System" makes sense, but a user could change the name to "Mine" and cause support pain.

Default Value: Yes
Recommended Setting: No

Allow users to refresh cache via system tray (version 6.1.0 and later)

This preference determines whether users are able to right click on the system tray icon and select the Advanced>Refresh Cache menu option. If this preference is set to No, the option will not be available and users will have to wait for the cache refresh period before SSO data will synchronize with the directory.

Default Value: Yes
Recommended Setting: Yes

With this preference set to Yes, users are able to synchronize data immediately, which is useful for troubleshooting. For example, if the administrator has made changes in the Directory, they are applied immediately when the user refreshes the cache using the system tray icon.

Allow users to view and change preferences (formerly called settings)

By default, the SecureLogin personal management utility enables users to customize their SecureLogin environment. To prevent users from customizing preferences (and potentially causing support issues), set this preference to No.

Default Value: Yes
Recommended Setting: No

Note: Before turning this off at the container, make sure administrative users (including the user you are using to set the preferences) have the preference set to Yes for their User object or they may not be able to administer SecureLogin. Administrators can view a user's preferences using the MMC snap-in.

Allow users to view and modify API preferences (Version 5 and later)

This preference determines whether users are able to set "Provide API Access" or to "Enter their API license key(s)". To prevent users from viewing and modifying API preferences, set this preference to No.

Default Value: Yes
Recommended Setting: No

Note: Before turning this off at the container, make sure administrative users (including the user you are using to set the preferences) have the preference set to Yes for their User object or they may not be able to change API preferences.

Allow users to view and modify application definitions (version 6.0.0 and earlier, split into 2 preferences in v6.1.0 and later)

To prevent users from viewing and modifying application definitions set this option to No.

Default Value: Yes
Recommended Setting: No

Application definitions are used to enable the applications you wish to include in your SSO group. They include the application name, type, and the "rules" SSO must follow when logon, error handling, and change password messages are detected (for example).

ActivIdentity Professional Services recommend organizations consider setting this preference to No to prevent users from adding their own applications or editing or viewing application definitions. This maintains control over which applications are handled by SecureLogin.

Note: Before turning this off at the container (e.g. OU=Users), make sure administrative users (including the user you are using to set the preferences) have the preference turned on (set to Yes) for their User object or they may not be able to administer SecureLogin.

Allow users to view passwords

This preference determines whether users can view their passwords using the SecureLogin icon in the system tray. By default, SecureLogin enables users to view the passwords they use to log in to applications (no-one else except the user can view them). To prevent users from viewing their passwords for SSO enabled applications, set this to No.

Default Value: No
Recommended Setting: Contact ActivIdentity Professional Services

If a user requires access to web-based email from an Internet cafe whilst on holiday, they may need to be able to view their email password (they no longer enter it, so will most probably have forgotten it). ActivIdentity Professional Services recommend organizations review whether users need to view their application passwords (e.g. when accessing applications from a workstation without SecureLogin installed, such as a web cafe).

A more secure option is to disable the viewing of passwords but allow users to use SSO to change their password to something they know. A user who does not know their password could log on using SSO, change their password to something they know, and use it to log on to an application from another workstation.

If this preference is set to Yes, ActivIdentity Professional Services recommend organizations consider password (or PIN) protecting the system tray icon. This prevents another person walking up to a user's computer and viewing their passwords by simply accessing the SecureLogin icon in the system tray.

Allow users to work offline via system tray (version 6.1.0 and later)

This preference determines whether users are able to right click on the system tray icon and select the Advanced>Work Offline menu option (and toggle it back to Work Online). If this preference is set to No, the option will not be available. SecureLogin will still fail over to the offline cache if it has been enabled; this preference only determines whether the user can switch to it manually, if desired.

Default Value: Yes
Recommended Setting: Yes

Detect incorrect passwords

Note: This preference only affects web pages.

If this is set to Yes, SecureLogin will attempt to detect if a user has entered an incorrect password when logging onto a web page (i.e. web application with embedded logon panels - this option doesn't work for any other applications such as Windows, Java, Terminal Emulator etc.) and then prompt the user their credentials are invalid.

Default Value: Yes
Recommended Setting: No

With this set to Yes, SecureLogin assumes an incorrect password has been entered if the web site loads multiple times within 20 seconds.

For corporate rollouts, this should always be set to No and the administrator should edit the application definition (or use the Wizard) for failed web logons to ensure they are successfully captured and responded to (e.g. prompt the user for the correct credentials and retry logon) 100% of the time.

Disable SecureLogin SSO (formerly Disable single sign-on)

With this option set to Yes, SecureLogin will not prompt the user to enter their passphrase (if enabled) and SecureLogin will not load.

Default Value: No
Recommended Setting: No

This setting should be set to Yes on the user object for any users you don't want to be prompted to enter a passphrase or use SecureLogin (e.g. guest, visitor and administrator accounts).

Note: A connector is available for ActivIdentity Card Management System (CMS) that toggles this setting based on card issuance, suspension and termination (if a user is issued a smart card, SSO is available etc.). Contact ActivIdentity Professional Services for more information.

Display splash screen on startup (version 6.1.0 and later)

This preference determines whether the splash screen displays when SecureLogin loads.

Default Value: Yes
Recommended Setting: No

Display system tray icon

This preference determines whether the SecureLogin icon appears in the system tray. To prevent users from displaying and accessing the system tray icon, set this option to No. If you set the option to No and then refresh the data, the icon still appears until you restart SecureLogin.

Default Value: Yes
Recommended Setting: Yes

Displaying the system tray icon is useful so you can deactivate SecureLogin and manually log on to applications to troubleshoot. It is also useful so users can view passwords to applications (if desired, e.g. in the intensive care unit of a hospital that wishes to plan for possible system failure), refresh the cache (force synchronization with the Directory so it immediately reads new application definitions and changes you have made), change the passphrase, and use other features such as the New Login wizard to set up multiple logons to an application.

Enable cache file

Usernames and passwords are stored in the Directory but, for performance reasons, if the server is unavailable, or if you are using a notebook computer, an encrypted local cache can also be used.

Default Value: Yes
Recommended Setting: Yes

Enabling the cache file is useful if the network fails (you can still use SSO if the application servers are available, even if network logon is not possible) or if SecureLogin is required in offline mode (e.g. laptop).

Although SecureLogin network traffic is minimal, it is further reduced because the local cache file is used if it is enabled. The SecureLogin agent communicates with the local cache instead of the Directory and synchronizes with the Directory every x minutes as specified by the cache refresh interval.

Enable logging to Novell Audit

Enables logging of SecureLogin events using Novell Audit for auditing in Novell eDirectory environments.

Default Value: Yes
Recommended Value: Contact ActivIdentity Professional Services

Enable the New Login Wizard via the system tray icon

By default, SecureLogin supports one User ID per application. However, extra credential sets (User ID/Password) can be configured in the application definition or by using the New Login Wizard so the user can choose who they wish to logon as.

With this option set to Yes, users are able to right click on the system tray icon and add extra user IDs to logon to an application. For example, John Citizen may sometimes logon to SAP as JCitizen and sometimes as an Admin user.

Default Value: Yes
Recommended Setting: Yes

Access to the New Login Wizard allows users to setup multiple logins without contacting the Helpdesk.

If you wish to enable this for your users you should set it to Yes. Document the procedure for setting up extra logins and publish it on your Intranet IT Help pages. Alternatively, organizations could consider only SSO enabling the user's standard logon and advising administrators to deactivate SSO when they wish to logon as another user.

Enforce passphrase enrollment (Enforce passphrase use in version 3.6 and 5.x)

Once SecureLogin is installed on their workstation, if Enable passphrase security system is set to Yes, users are required to set their passphrase before SecureLogin will operate.

If this preference is set to Yes, the user must complete setup of their passphrase before they can proceed with any other activity on the workstation (they will not be able to Cancel the process).

Default Value: No
Recommended Setting: No

If set to No the user can click the Cancel button and will be prompted with the Passphrase dialog each time they logon to the workstation until the passphrase is set. If you set this to Yes, the user might enter something without thinking too much about it or knowing what it is used for, increasing their chances of being frustrated and entering something they are unable to remember down the track.

Enter API license key(s)

The API license key restricts the APIs to a specific key. If you wish to use any key, type "Any" in this field. Contact support@actividentity.com for more information on API license key(s).

Password protect the system tray icon (also PIN protects if using smart cards)

To force users to enter their network password before they can access the SecureLogin system tray icon, set this option to Yes.

Default Value: No
Recommended Setting: Yes

ActivIdentity Professional Services recommend organizations consider password protecting the system tray icon if the option to allow users to view passwords is enabled. This prevents another person walking up to a user's computer and viewing their passwords. Anyone who attempts to access SecureLogin using the icon in the system tray will be prompted for the logged on user's network password (or PIN) before SecureLogin will load.

Provide API access

SecureLogin includes slapi.dll, which enables organizations to write APIs that can access (e.g. read and write) SecureLogin data. slapi.dll is the interface between the API and SecureLogin.

Default Value: No
Recommended Setting: No

With this preference set to No, slapi.dll will not respond to API requests to access SecureLogin data.

Set the cache refresh interval (in minutes)

This preference, previously named "Change the cache refresh interval", determines the number of minutes SecureLogin waits between synchronizing SecureLogin data between the Directory and the local cache.

Default Value: 5 (minutes)
Recommended Setting: 5-90 (depending on your environment and how often data will change e.g. new application added to be handled by SSO.)

Note: You can right click on the system tray icon and choose Advanced> Refresh Cache to synchronize the cache and the Directory immediately (instead of waiting for x minutes specified). This means any application definition changes or settings will be applied immediately.

Note: Settings applied using a GPO are applied when Microsoft GPOs are updated via Microsoft's GPO mechanisms and are not affected by manually refreshing the cache as described above.

Standalone distributes settings have priority over user's (this preference was named Container has priority over User in previous versions of ASL)

By default, preferences that are specifically applied on a user object override preferences that are set at containers.

Default Value: No
Recommended Setting: No

If you set this to Yes, container preferences (OU) will have priority over user preferences.

By setting this to No, you are able to customize certain preferences for certain users. For example, when troubleshooting you could set the preferences to allow users to view and modify application definitions and/or preferences just on their user object.

Disable passphrase security system (version 5.5 – removed in v6 and replaced with Enable Passphrase Security System preference – explained under Security preferences in this KBase item)

SecureLogin is extremely customizable and flexible and provides you with the ability to configure the product to suit the needs of your organization. Some organizations have requested that user defined passphrases are disabled so this functionality has been included in version 5 and later.

Default Value: No
Recommended Setting: Contact ActivIdentity Professional Services

With this preference set to Yes, the user will NOT be prompted to set their passphrase when they first run SecureLogin. However, if you set this to No after the user has already set a passphrase, the user will be warned that their security settings have been changed and asked whether they agree to the changes. This is to protect the user from a rogue administrator that is attempting to lower their Single Sign-on security.

ActivIdentity Professional Services recommend organizations carefully consider the impact of setting passphrases. Passphrase questions can be predefined by the administrator so the user doesn't have to choose a question, only an answer.

It is strongly recommended you contact ActivIdentity Professional Services regarding this setting.

There are various knowledgebase articles explaining the use of the passphrase.

Stop walking here

By default, SecureLogin will search up the Directory structure for SecureLogin applications and settings to apply. For example, user CN=JCitizen,OU=NewYork,OU=Users,DC=FinServ,DC=com would search the NewYork and Users Organizational Units and JCitizen would inherit all applications and settings set on the User object, OU=NewYork and OU=Users.

Default Value: No
Recommended Setting: No

To prevent SecureLogin from searching up the Directory structure, typically to assist with speed and performance issues when poor WAN links exist, set this option to Yes at the desired container.
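The three layering rules this article states (user overrides container by default, container overrides Group Policy, the "container has priority over user" flag swaps the first two, and "Stop walking here" cuts off the search above a container) are easy to get wrong when several objects carry values. The following is an added example, not SecureLogin's own code: it resolves one preference for the DN used above over a constructed directory. It assumes the container that carries "Stop walking here" still applies its own values, that GPO values sit below both user and container in either mode, and that a preference set nowhere falls back to the product default.

```python
from typing import Dict, Iterator, Optional

Prefs = Dict[str, str]
Directory = Dict[str, Prefs]   # DN -> preferences set directly on that object

# Constructed sample data modelled on the DN from the article.
USER_DN = "CN=JCitizen,OU=NewYork,OU=Users,DC=FinServ,DC=com"
DIRECTORY: Directory = {
    USER_DN: {
        # set on the user object only, e.g. for troubleshooting
        "Allow users to view and change preferences": "Yes",
    },
    "OU=NewYork,OU=Users,DC=FinServ,DC=com": {
        "Set the cache refresh interval": "30",
    },
    "OU=Users,DC=FinServ,DC=com": {
        "Allow users to view and change preferences": "No",
        "Allow users to view passwords": "No",
        "Set the cache refresh interval": "5",
        "Stop walking here": "Yes",   # do not search above OU=Users
    },
    "DC=FinServ,DC=com": {
        "Display splash screen on startup": "Yes",   # cut off by Stop walking here
    },
}
GPO: Prefs = {
    "Allow users to view passwords": "Yes",        # loses to the container value
    "Display splash screen on startup": "No",
}


def parent_dn(dn: str) -> Optional[str]:
    """Return the parent of a DN ('OU=NewYork,OU=Users,...' -> 'OU=Users,...')."""
    _head, sep, tail = dn.partition(",")
    return tail if sep else None


def containers_searched(user_dn: str, directory: Directory) -> Iterator[str]:
    """Yield container DNs from the user's parent upward, nearest first,
    stopping after a container that has 'Stop walking here' set to Yes
    (assumption: that container's own values still apply)."""
    dn = parent_dn(user_dn)
    while dn is not None:
        yield dn
        if directory.get(dn, {}).get("Stop walking here") == "Yes":
            return
        dn = parent_dn(dn)


def effective_preference(name: str, user_dn: str, directory: Directory,
                         gpo: Optional[Prefs] = None,
                         container_priority: bool = False) -> Optional[str]:
    """Resolve one preference. Default order: user > nearest container > GPO.
    container_priority=True models 'container has priority over user' set to
    Yes, which swaps the first two layers only (GPO stays lowest; assumption)."""
    user_value = directory.get(user_dn, {}).get(name)
    container_value = None
    for dn in containers_searched(user_dn, directory):
        if name in directory.get(dn, {}):
            container_value = directory[dn][name]   # nearest container wins
            break
    gpo_value = (gpo or {}).get(name)
    layers = ([container_value, user_value] if container_priority
              else [user_value, container_value])
    for value in layers + [gpo_value]:
        if value is not None:
            return value
    return None   # not set anywhere: the product default applies


if __name__ == "__main__":
    for pref in ("Allow users to view and change preferences",
                 "Allow users to view passwords",
                 "Set the cache refresh interval",
                 "Display splash screen on startup"):
        print(pref, "=>", effective_preference(pref, USER_DN, DIRECTORY, GPO))
```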

Disable advanced settings of Manage Logins (replaced by other settings since v5)

If this is set to Yes, the Application and Password Policy tabs are hidden. When a user accesses the SecureLogin personal management utility, they cannot view the tabs at all.

Default Value: No
Recommended Setting: No

Web Preferences (formerly called Internet Preferences)

Add application prompts for Internet Explorer

This preference controls whether SecureLogin will automatically detect Internet/Intranet sites, accessed using IE, with embedded logon panels. If set to Yes, users are prompted to run the wizard and a web application definition is created that will SSO enable the web site.

Tip: The Internet Explorer authentication window that some web sites use to log on (fully explained later in this document) is actually a Windows logon box owned by IEXPLORE.EXE.

Default Value: Yes
Recommended Setting: No

With this set to Yes, SecureLogin will prompt the user and SSO enable all web based applications with embedded logon fields. The powerful web wizard can SSO enable hundreds of web sites making life easy for users; or so it seems. You may run into problems because users don't think about all the implications of SSO enabling an application (managing changes to the web site, what happens if the site is down, what happens if the user is on holiday and needs to know their Hotmail or Internet Banking password etc.).

ActivIdentity Professional Services recommend organizations restrict users' ability to add their own (non-corporate) applications (web, Java, Windows, terminal emulator, etc.). SSO administrators should consider maintaining full control over the SSO environment by thoroughly testing and centrally configuring application definitions for business applications.

If users are left to enable their own applications they may phone the Helpdesk when external web sites are down or because they are unable to logon. They will think it is SSO's fault they couldn't logon when in fact the backend server may be unavailable (or the web site may have changed etc.).

Add application prompts for Mozilla Firefox

This preference controls whether SecureLogin will automatically detect Internet/Intranet sites, accessed using Mozilla Firefox, with embedded logon panels. If set to Yes, users are prompted to run the wizard and a web application definition is created that will SSO enable the web site.

Default Value: Yes
Recommended Setting: No

Allow single sign-on to Internet Explorer

If this preference is set to Yes the Microsoft Internet Explorer features of SecureLogin will operate. If set to No, Internet Explorer SSO is disabled.

Default Value: Yes
Recommended Setting: Yes

Set this to Yes if you require logon to web applications with embedded logon fields accessed via Internet Explorer.

By setting this option to No, you don't disable SSO to sites using the Internet Explorer authentication window (e.g. Proxy). This setting only applies to web sites with embedded Username and Password fields (created as web applications with web site addresses in the name e.g. www.hotmail.com).

Allow single sign-on to Mozilla Firefox

If this preference is set to Yes the Mozilla Firefox "Remember this login with SecureLogin" checkbox will appear on the Mozilla Username and Password prompt. If set to No, this checkbox will not appear.

Default Value: Yes
Recommended Setting: Yes

By setting this option to No, you disable SSO to all web sites accessed using Mozilla Firefox, including those accessed via the pop up prompt (as opposed to embedded logon fields such as www.hotmail.com).

Allow single sign-on to Netscape

If this preference is set to Yes the Netscape SSO features of SecureLogin will operate. If set to No, Netscape SSO is disabled.

Default Value: Yes
Recommended Setting: No

Set this to Yes if you require logon to web applications with embedded logon fields accessed via Netscape.

By setting this option to No, you don't disable SSO to sites using the Netscape authentication window (e.g. Proxy). This setting only applies to web sites with embedded Username and Password fields (created as web applications with web site addresses in the name e.g. www.hotmail.com).

Java Preferences

Add application prompts for Java applications

This preference controls whether the Java SSO component will automatically detect Java login panels. If set to Yes, users are prompted to run the Java wizard.

Default Value: Yes
Recommended Setting: No

With this set to Yes, SecureLogin will prompt the user and SSO enable all Java-based applications. Users don't think about all the implications of using the wizard to SSO enable an application. By turning wizards off, you maintain full control over your SSO environment including which applications SecureLogin will handle.

Allow single sign-on to Java applications

If this preference is set to Yes the Java SSO features of SecureLogin will operate. If set to No, Java SSO is disabled.

Default Value: No
Recommended Setting: Yes

Set this to Yes if you require SSO to Java applications (e.g. Swing or AWT applications that use the Java Runtime Environment (JRE)).

Windows Preferences

Add application prompts for Windows applications

This preference controls whether the Windows SSO component will automatically detect Windows login panels.

Default Value: Yes
Recommended Setting: No

With this set to Yes, SecureLogin will prompt the user and SSO-enable all Windows-based applications. Users don't think about all the implications of using the wizard to SSO-enable Windows applications. By turning wizards off, you maintain full control over your SSO environment and determine which applications SecureLogin will handle.

Allow single sign-on to Windows applications

If this preference is set to Yes then the Windows SSO features of SecureLogin will operate. If No then Windows SSO is disabled.

Default Value: Yes
Recommended Setting: Yes

Set this to Yes if you require SSO to Windows applications.

Security Preferences

Certificate Selection Criteria (Version 6 and later)

The certificate selection criteria determines which certificate to select if multiple certificates are in use (for example if you have multiple valid certificates stored on the smart card).

If you only have one certificate, leave this field blank and it will be detected automatically and set to "User certificate".

No special formatting is required and the search string is case insensitive. Wildcards are not supported; the criteria matches if the search text is a substring of the field being checked. ASL attempts to match against the certificate Subject, then the Issuer and finally the Friendly Name, in that order.

For example:

If the Subject is:

CN=Nick Katsivelos
OU=London
DC=undiscovered
DC=com

London would be a valid search value, as would undiscovered and com. The CN=, OU= or DC= are not required.

If the Issuer is:

CN=IssuingCA1
OU=AD
DC=undiscovered
DC=com

IssuingCA1 would be a valid search value, as would AD, undiscovered and com etc.
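The matching rules above, as an added example that is not SecureLogin code: a small Python model an administrator can use to test a Certificate Selection Criteria string against the certificates on a card before deploying it. The certificates are constructed sample data, and it assumes (the page does not say) that each field is tried across all certificates before moving to the next field.

```python
# Added example (not SecureLogin code): models the documented certificate
# selection rules so a criteria string can be checked before deployment.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Cert:
    subject: str
    issuer: str
    friendly_name: str


# Field order documented in the KB text: Subject, then Issuer, then Friendly Name.
FIELD_ORDER = ("subject", "issuer", "friendly_name")


def select_certificate(criteria: str, certs: List[Cert]) -> Tuple[Optional[Cert], str]:
    """Return (selected certificate or None, which field matched / why not).

    Rules from the KB text: a blank criteria string auto-selects the only
    certificate ("User certificate"); otherwise the criteria is matched
    case-insensitively as a plain substring (no wildcards) against Subject,
    then Issuer, then Friendly Name.  Assumption (not stated on the page):
    each field is tried across all certificates before the next field.
    """
    if not criteria.strip():
        if len(certs) == 1:
            return certs[0], "User certificate"
        return None, "blank criteria is only valid with exactly one certificate"
    needle = criteria.lower()
    for field in FIELD_ORDER:
        for cert in certs:
            if needle in getattr(cert, field).lower():
                return cert, field
    return None, "no match"


SAMPLE_CERTS = [  # constructed sample data, not real certificates
    Cert("CN=Nick Katsivelos, OU=London, DC=undiscovered, DC=com",
         "CN=IssuingCA1, OU=AD, DC=undiscovered, DC=com", "Smart card logon"),
    Cert("CN=Nick Katsivelos, OU=Paris, DC=undiscovered, DC=com",
         "CN=IssuingCA2, OU=AD, DC=undiscovered, DC=com", "Encryption"),
]

if __name__ == "__main__":
    for crit in ("london", "IssuingCA2", "Encryption", "com", "*London*"):
        cert, how = select_certificate(crit, SAMPLE_CERTS)
        print(f"{crit!r:14} -> {cert.friendly_name if cert else None} ({how})")
```

Note the "com" case: a string shared by every certificate silently selects whichever is scanned first, so pick a value that is unique to the intended certificate.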

Certificate Type (Version 6 only)

Select the key pair (and certificate) to use for the encryption and decryption of SSO credentials. This is only set if you are using PKI based smart card authentication to the Directory.

Default Value: None
Recommended Setting: Contact ActivIdentity Professional Services

This preference can be set to the Encryption or Signing certificate. This preference was removed in v6.1.0. In v6.1.0 and later, the certificate must be an encryption certificate.

Current Certificate (Version 6 and later)

The certificate that is currently being used to encrypt SSO data.

Enable passphrase security system (Version 6 and later)

SecureLogin is extremely customizable and flexible and provides you with the ability to configure the product to suit the needs of your organization. Some organizations do not want their users setting passphrase questions, so the ability to hide or disable the passphrase security system has been included in version 5 and later.

Default Setting: Yes
Recommended Setting: Contact ActivIdentity Professional Services

With this preference set to Yes, the user will be prompted to set their passphrase when they first run SecureLogin. In version 5 and later, although typically not recommended by ActivIdentity professional services for security reasons, the passphrase security system can be hidden or completely disabled so users do not have to enter a passphrase question or answer. This can be performed by setting the following preference at the container, group policy or user object.

  • Enable passphrase security system = Hidden (equivalent of Disable passphrase security system = Yes in v5.5)
  • Enable passphrase security system = No

With Enable passphrase security system set to Hidden, a random passphrase key is derived on the user's behalf, instead of the user being involved in selecting the question and/or answer. Since the security question will no longer be asked if someone other than the user resets their network password, an administrator could potentially reset a user's Directory password, logon as the user, and access their Single Sign-on credentials. For security reasons, user defined passphrases are recommended if password based authentication is permitted.

Organizations that use smart card PKI based authentication and are using PKI credentials to encrypt SSO data should carefully consider their options for handling the scenario where a user's smart card is not available as per the following information/recommendations.

  • Organizations that have key escrow and recovery in place should consider setting Enable Passphrase Security System to No or Hidden. With Enable Passphrase Security System set to No, the primary key for SSO decryption is never changed from the user's PKI private key. SSO will be unavailable until a replacement card is issued with the same PKI credentials (there is no way to decrypt data other than to use the same PKI credentials that encrypted the data).
  • With Enable passphrase security system set to hidden, ASL will encrypt SSO data with a primary key (PKI credentials) AND a secondary key (randomly generated). If the smart card is unavailable, ASL will seamlessly change the user's primary key to the randomly generated key, and then back to the new (or recovered) PKI credentials once the smart card (and PKI credentials) is available again.
  • With Enable passphrase security system set to Yes, the user must set (or select if the list is predefined) a question and set a passphrase when they first use ASL. If the smart card is unavailable, ASL will prompt the user to answer their passphrase question before ASL will decrypt the user's SSO data (if the smart card is not available and PKI credentials are being used to encrypt SSO data).

See the knowledgebase item addressing the passphrase for more information.

Contact ActivIdentity Professional Services for recommendations based on your organization's environment and requirements.

Lost card scenario (Version 6 and later)

This preference determines how ASL will handle a user forgetting, losing or damaging their smart card.

  • Allow passphrase

This preference must be used in conjunction with enable passphrase security system and allows the user to logon using their passphrase if their smart card is not available.

  • Require smart card

This preference will not allow a user to start SSO without their smart card.

Recommended Setting: Contact ActivIdentity Professional Services

Allows the user to access ASL using the passphrase if the smart card is lost, stolen, or damaged (but only if a passphrase has previously been set).

Require Smart Card is present for SSO and administrative operations

If this preference is set to Yes, the smart card that was used to logon to the network must be inserted in the reader for SSO and administrative operations to proceed. If it is set to No (and screen lock on smart card removal is not enforced) the user will still have SSO access without the smart card being inserted.

Default Value: No
Recommended Setting: Contact ActivIdentity Professional Services

Contact ActivIdentity Professional Services for recommendations based on your organization's environment and requirements.

Store credentials on smart card (Version 6 and later)

If this preference is set to Yes, SSO credentials including usernames and passwords will be stored on the smart card. If set to No, the credentials will be stored in the offline cache (if it has been enabled by the administrator).

Default Value: No
Recommended Setting: Contact ActivIdentity Professional Services

Contact ActivIdentity Professional Services for recommendations based on your organization's environment and requirements.

Use AES for SSO data encryption (Version 6 and later)

If this preference is set to Yes, AES encryption is used. If it is set to No, TripleDES encryption is used.

Default Value: No
Recommended Setting: Contact ActivIdentity Professional Services

Set this to Yes if you require AES encryption. If you have deployed a previous version of ASL and/or implemented user defined passphrases, users will have to answer their passphrase before data can be decrypted and re-encrypted using AES. Before toggling this preference, the data store must also be modified and all clients must be upgraded to v6 or later.

Contact ActivIdentity Professional Services for recommendations based on your organization's environment and requirements.

Use Enhanced Protection by default

This setting is only relevant in a Novell environment. It relates to the use of Novell "Secret Store" protection. If set to "Yes", extra password protection is added.

Default Value: No
Recommended Setting: No (contact Novell Consulting for recommendations if using SecretStore)

Use smart card to encrypt SSO data (Version 6 and later)

There are a number of encryption options in version 6 of SecureLogin. By default, SecureLogin encrypts data using either a user defined passphrase key or a randomly generated key. In addition, PKI credentials or a key generated and stored on the smart card can be used to encrypt SSO data.

This preference can be set to the following:

  • PKI credentials

SSO data is encrypted using the user's PKI credentials.

  • Key generated on smart card

SSO data is encrypted using a randomly generated key that is stored on the user's smart card.

Default Value: No
Recommended Setting: Contact ActivIdentity Professional Services

ActivIdentity Professional Services recommend organizations consider the impact (e.g. a user forgets their passphrase or loses a smart card) and their requirements before implementing encryption options such as PKI, passphrases etc.