Samson S3 has many features that are hard to explain completely in a short
document. This section provides images and narrative that give a view of
Samson's capabilities. The views are broken down into three segments:
The Samson Single SignOn is built upon two components: the Samson S3
Administrative Server and the Samson Client Agent. A typical organization
runs at least two servers. Both serve the enterprise, and each backs the
other up in case of a failure.

Each server can be used to administer the environment. The servers update
each other's database as changes occur.

This gives a flexible environment for organizations with multiple physical
locations: S3 Administration Servers can be placed at remote sites where the
data link is not trusted but authentication is critical.

Client systems connect to one of the administrative servers. On connection a
relationship between the client and the server is established, and the
workstation is from then on under the control of Samson S3. Basic
configuration, including default behaviors, is passed to the client.

Once a workstation has been properly identified to the system, it can
participate in servicing user activities. When a user authenticates, an
authentication request is sent to the S3 Administrative Server. Upon
successful authentication, the Administrative Server returns a user policy
to the workstation. The user policy describes the rights the user has on the
workstation the request came from.

Samson S3 is fully redundant in the event of a failure. Clients are given a
list of the servers functioning within the Samson S3 environment; the list
identifies the primary authentication server and the failover server(s).

Should the primary connection fail, the client automatically selects the
failover server. If several servers are unavailable, the client continues
down the list until it is exhausted.

If all servers are unavailable, the client can function from cached
information. This allows users already known to the workstation to keep
working until a server can be reached. Samson S3 is engineered to support
24x7 operations with the understanding that business must continue.
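The server-list walk and cached fallback described above, modelled as an added Python example. This is not Samson S3 code, and the page does not specify the client/server protocol or the cache format: the AuthResult shape, the server names, the transport stand-in and the salted PBKDF2 hash used to protect cached passwords are all assumptions made for the illustration.

```python
"""Added illustrative model of the failover and cached-logon behaviour
described above. This is not Samson S3 code: the page does not describe the
client/server protocol or cache format, so the AuthResult shape, the
server names and the password-hashing choice are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


class Unreachable(Exception):
    """Raised by the transport when a server cannot be contacted."""


@dataclass
class AuthResult:
    ok: bool
    policy: Optional[dict] = None   # user policy returned on success
    source: str = ""                # server that answered, or "cache"


def _derive(password: str, salt: bytes) -> bytes:
    # Slow salted hash so a stolen cache cannot be brute-forced cheaply
    # (assumption: the page does not say how Samson protects cached data).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Client:
    servers: List[str]                            # primary first, then failover server(s)
    send: Callable[[str, str, str], AuthResult]   # transport: (server, user, password)
    cache: Dict[str, Tuple[bytes, bytes, Optional[dict]]] = field(default_factory=dict)

    def authenticate(self, user: str, password: str) -> AuthResult:
        # Walk the server list in order; an unreachable server is skipped,
        # but a reachable server's answer (accept or reject) is final.
        for server in self.servers:
            try:
                result = self.send(server, user, password)
            except Unreachable:
                continue
            result.source = server
            if result.ok:
                salt = os.urandom(16)
                self.cache[user] = (salt, _derive(password, salt), result.policy)
            return result
        # Every server exhausted: fall back to cached information so users
        # already known to this workstation can keep working.
        entry = self.cache.get(user)
        if entry is None:
            return AuthResult(False, source="cache")
        salt, digest, policy = entry
        if hmac.compare_digest(_derive(password, salt), digest):
            return AuthResult(True, policy, source="cache")
        return AuthResult(False, source="cache")


def simulated_send(down: set) -> Callable[[str, str, str], AuthResult]:
    """Constructed stand-in for the network: servers named in `down` are
    unreachable; the rest accept user5 with the constructed password."""
    def send(server: str, user: str, password: str) -> AuthResult:
        if server in down:
            raise Unreachable(server)
        if user == "user5" and password == "correct-horse":
            return AuthResult(True, {"apps": ["Ms-Word", "Ms-Excel", "Payroll"]})
        return AuthResult(False)
    return send


def demo() -> Tuple[AuthResult, ...]:
    servers = ["s3-primary.example", "s3-failover.example"]   # assumed names
    client = Client(servers, simulated_send(down=set()))
    online = client.authenticate("user5", "correct-horse")    # primary answers
    client.send = simulated_send(down={"s3-primary.example"})
    failover = client.authenticate("user5", "correct-horse")  # failover answers
    client.send = simulated_send(down=set(servers))
    cached = client.authenticate("user5", "correct-horse")    # cache answers
    wrong = client.authenticate("user5", "wrong-password")    # cache rejects
    unknown = client.authenticate("newuser", "anything")      # never seen here
    return online, failover, cached, wrong, unknown


if __name__ == "__main__":
    for r in demo():
        print(r.ok, r.source)
```

Two points the code makes explicit: only an unreachable server triggers failover (a reachable server's rejection is final, otherwise a rejected user could retry against every server in turn), and the cache is populated only by a successful server authentication, so the offline path can never admit a user the servers have not previously accepted on that workstation.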
Samson Administration starts with the S3 Administrators console. The console
displays navigation selections; when the pointer is placed over one of them a
sub menu appears displaying more options. Samson menus were designed to
minimize navigation and flow through the selected process. In very few
instances is backward navigation needed to complete a process.
Group Concepts
Samson S3 is engineered to make management of the single sign on environment
as logical and flexible as possible. In the real world, management of user
rights tends to fall into logical groupings that handle the majority of the
rights situations within an organization. On the other hand, there are
one-off and special scenarios that, while similar to existing users, require
more or fewer privileges than a standard user.
Samson implements the idea of groups around the
three major components of the system; users,
workstations and applications.
The Samson admin console allows you to create logical groupings of USERS,
for example by job function or physical location: a testing group, the
nurses in a particular wing, or the employees in a plant.
The same logical groupings can be applied to WORKSTATIONS,
for example:
- Engineers
- Administration
- Hospital5W
- Clinic
Each Group represents a common grouping of workstations.
A logical grouping may be workstations in a physical location or
department within the organization.
And the same for APPLICATIONS, for example:
- DesktopApps
- ClinicApps
- NursingApps
- AdminApps
- FinanceApps
Each group represents a number of applications that
logically fit the group definition. DesktopApps may have Ms-Word,
Ms-Excel, Internet Explorer and others. FinanceApps may have Payroll
and HR programs like PeopleSoft.
Once these logical groupings are established, it is easy to see that users
in the Doctors USER GROUP can be assigned to:
- Workstations in the Clinic WORKSTATION GROUP, which use the
- Applications in the ClinicApps APPLICATION GROUP and the
- Applications in the DesktopApps APPLICATION GROUP
Samson allows this to happen seamlessly within the administrator console.
This makes administering large numbers of workstations simple and efficient.
Users
One of the key elements of Samson S3 is the concept of a user. Users are the
core component of the system. As you will see, once users are established it
is easy to assign them quickly. Once the S3 system is established, a totally
new user can be created and assigned in as little as two assignment screens,
which takes only a minute.
User - Add User
Adding a new user to the system is easy. Select User -> Add User and you
will be taken to the User Creation screen.

This screen requests simple information about the user. It requires you to
define a userid and password for the user. Samson S3 can use biometric
devices as the primary authentication method for a user, but where a
workstation has no biometric device, or the device has failed, the fallback
is always the userid and password combination. The password is therefore a
live credential even for users who normally authenticate biometrically, and
should be managed as one.
User - Clone User
When working with large numbers of users, it becomes apparent that most
users end up similar to an existing user in rights and capabilities. To
avoid defining these rights manually over and over again, S3 offers the
ability to clone a user from an existing one. To clone a user, select
User -> Clone User.

You will receive the Clone User screen. On this screen you can
select the user and then replace the attributes that are unique
to the user.

In this case, the new userid: newuser will have all the rights
and capabilities of the userid: user5.
User - Edit/Delete User
To perform maintenance on a user you select
User -> Edit/Delete User.

You will receive the User Modify Screen. On this screen you can
modify the base attributes of the user or work on the user's settings
and assignments.

By clicking the User Settings button, you will see the Settings screen. This
screen concentrates on the workstation control attributes that Samson S3
provides. Many look-and-feel attributes can be set to customize the
presentation to the user, while the standard Windows presentation is
maintained. This reduces user-training issues when single sign on systems
are implemented.

The control section relates directly to the Windows desktop. There are many
familiar items there, such as My Computer and Network Neighborhood. S3 can
dynamically present or remove these elements of the Windows desktop, and can
also set the background, the screensaver and the screensaver timeout; all of
these can change with each user of the system. S3 can also change how
shutdown is interpreted: where it is undesirable to let users shut a system
down, the system restarts instead (this cannot stop the workstation from
being physically disabled). The last item is a Security Question that an
administrator can ask when a user calls in for a password reset or similar
request.
S3's ability to control workstation attributes is unique among single
signons. Most single signons ignore the desktop, yet desktop settings are
easy to manipulate into undesirable working conditions.
User - Assigning Applications
This function allows you to assign a user to one or more groups and then
assign applications to the user.

As you make assignments, the actual rights are resolved dynamically
on the bottom of the screen. This makes it easy to model changes
and view the results before having to commit the change to the
system.
User - Locate/Communicate
In the course of administering the Single Sign On it is sometimes useful to
locate a user. People may log on to multiple workstations and forget where
they have been, or reach a logon limit and wonder what happened. To help in
these situations, S3 allows the administrator to locate a user. Select
User -> Locate/Communicate

You will receive the following screen:

Highlight a user with the mouse and click Select. The console tells you
whether the user is logged in on any S3 controlled workstation and the
current status of their activities. Through other functions, the
administrator can cleanly log a user off a workstation remotely.
User - Manage User Groups
This function allows you to manage what groups users have membership
in. This approaches the process from a generic point of view,
not specific to a particular user. Select User -> Manage User
Groups.

You should receive the User Group Management screen. You highlight
a group with the mouse and then select the operation you wish
to perform.

If you choose Edit Members you will receive the User Group Members screen,
where you can select groups and users. As you work with users and groups,
the assignments are resolved on the screen. Once you have defined the
grouping, commit it by clicking the Save button.

Applications
The second key component of S3 is the concept of an application.
Applications define all the attributes of the programs that may run on a
workstation. In some environments an application is installed in different
locations on different workstations, which causes problems for an
application definition that fixes a single location. Samson S3 handles this
in two ways. The first is to create another definition of the application
with its specific location (acceptable for a small number of cases). If the
application environment is not consistent, Samson S3 can instead locate the
application on the system and use the discovered location in place of the
specified one. This capability can make or break a single sign on
implementation where workstations have not been built consistently. Note
that discovery decides which executable receives the user's credentials, so
it should only be relied on where the locations it may find are themselves
trusted.
Applications - Add/Edit Application
The Application Edit and Create screens are similar, so both are discussed
in this section. The administrator selects Applications -> Add or
Edit/Delete Application.

You will receive a screen similar to:
The application is defined to S3 in sections. The Application Info section
defines the location of the exe, which may be on a network drive. For a
network application the drive may need to be connected; S3 can perform the
drive mapping before the application launches and disconnect the drive at
the end of the process. Other functions here are Hide on Close and Single
Instance. Hide on Close tells the S3 client not to shut the application down
when the user is finished but to return it to its own logon screen and hide
it from view, which avoids the long startup times some programs have. Single
Instance specifies whether more than one copy of the program may run at any
given time.
The Scripting Info section defines the script that performs the actual
login and logout for the application. Scripting was chosen to avoid
hard-coded sequences within S3 that would change over time and require
client updates at the code level. A logon/logout script can be replaced
without impacting the running state of a workstation.
The Logon Info section addresses default logon information. Some
applications are set up to use a common logon for all users; in that case
it is specified here and a unique userid/password is not presented at
application logon. The Break the Glass entries address the unlikely
situation that no authentication method can be found and a default
userid/password pair must be used.
Applications - Manage App Groups
Applications can be grouped to make assignment
easier. To manage application groups, select Applications ->
Manage App Groups:

You will receive the following screen:

This concept is similar to the concept of managing User Groups.
You can select your assignments and the group resolution is displayed
on the bottom of the screen. Once you are satisfied with the assignments
you can commit them to the system by clicking the Save button.

Workstations
The third component needed to define rights to the system is the definition
of workstations. In a large organization, collecting all the workstation
information can be tedious. S3 accommodates this by letting workstations
auto-enroll themselves the first time they contact S3. Since any system that
contacts S3 can enroll itself while this is on, auto-enroll should be
disabled after a reasonable period and workstations maintained manually
from then on.
Workstation - Add Workstation
By now you should recognize that the process
of defining workstations is similar to Users and Applications.
Defining workstations to Samson S3 is a simple process. From the
navigation bar select Workstations -> Add Workstation.

You will receive the Workstation Create screen.

At this point you can define what department and/or physical
location the workstation is assigned to.
Workstation - Edit/Delete Workstation
To edit a workstation, you select Workstations -> Edit/Delete
Workstation.

You will receive the Pick Workstation screen. Select a workstation
to see the attributes of the workstation.

The workstation can have assigned display settings. Display settings are
also allowed at the user level, and S3 provides a hierarchy of defaults so
that no entity ever falls outside the control of the system. When settings
exist for both a user and a workstation, the user's settings take priority
over the workstation's settings. If all users have settings, there is no
need to establish them at the workstation level.


Workstation - Manage WrkStn Groups
Workstations can be placed in logical groups for easy assignment. Select
Workstations -> Manage WrkStn Groups.

You will receive the Workstation Group Management screen.

The Edit Members selection allows you to assign groups within this group,
as well as individual workstations. As you select groups or individual
workstations, the group members are resolved dynamically in the table on
the bottom of the screen. You can also deny membership in this group to
groups or specific workstations. The deny function lets you handle
exceptions without creating exception groups: if you want all the
workstations in a particular group except for three, select the group that
includes them and mark those three as deny instead of creating a new group.

As you manipulate the membership within the groups, the logical
resolution of the workstation membership is displayed in the table
on the bottom of the screen. Once satisfied with the memberships,
you commit them to the system by pressing Save.
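The grouping model from the Group Concepts section (Doctors -> Clinic -> ClinicApps and DesktopApps) together with the deny membership described just above, as an added Python example. This is not Samson S3 code; the page does not describe the console's data structures, so the Group and Assignment classes, the resolution order and every name not taken from the page's own examples (the user ids, workstation names and the Charting application) are constructed.

```python
"""Added illustrative model of the Samson S3 grouping concepts described on
this page (USER, WORKSTATION and APPLICATION groups, nested groups, deny
entries, and the USER GROUP -> WORKSTATION GROUP -> APPLICATION GROUP
assignment). This is not Samson S3 code; the data structures and all names
not taken from the page's own examples are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass
class Group:
    members: Set[str] = field(default_factory=set)   # individual users, workstations or apps
    groups: Set[str] = field(default_factory=set)    # other groups included wholesale
    deny: Set[str] = field(default_factory=set)      # individuals or groups excluded


def resolve(name: str, groups: Dict[str, Group],
            _path: FrozenSet[str] = frozenset()) -> Set[str]:
    """Effective individual members of a group.

    Nested groups are expanded recursively, then every deny entry (an
    individual, or a whole group) is subtracted. This is how "all of
    Hospital5W except some workstations" is expressed without an exception
    group. `_path` guards against a group that (directly or not) contains
    itself."""
    if name in _path:
        return set()
    path = _path | {name}
    group = groups[name]
    effective = set(group.members)
    for sub in group.groups:
        effective |= resolve(sub, groups, path)
    for denied in group.deny:
        effective -= resolve(denied, groups, path) if denied in groups else {denied}
    return effective


@dataclass(frozen=True)
class Assignment:
    user_group: str
    workstation_group: str
    app_groups: Tuple[str, ...]


def effective_apps(user: str, workstation: str, assignments: List[Assignment],
                   user_groups: Dict[str, Group], ws_groups: Dict[str, Group],
                   app_groups: Dict[str, Group]) -> Set[str]:
    """Applications a user may launch from a given workstation: the union of
    the application groups of every assignment whose user group contains the
    user and whose workstation group contains the workstation."""
    apps: Set[str] = set()
    for a in assignments:
        if (user in resolve(a.user_group, user_groups)
                and workstation in resolve(a.workstation_group, ws_groups)):
            for g in a.app_groups:
                apps |= resolve(g, app_groups)
    return apps


# Constructed data built around the page's own group names.
USER_GROUPS = {
    "Doctors": Group(members={"dr.smith", "dr.jones"}),
    "Finance": Group(members={"user5"}),
}
WORKSTATION_GROUPS = {
    "Hospital5W": Group(members={"ws-5w-01", "ws-5w-02", "ws-5w-03", "ws-5w-04"}),
    # Clinic is all of Hospital5W plus one extra station, minus one exception.
    "Clinic": Group(members={"ws-clinic-01"}, groups={"Hospital5W"}, deny={"ws-5w-04"}),
    "Administration": Group(members={"ws-admin-01"}),
}
APP_GROUPS = {
    "DesktopApps": Group(members={"Ms-Word", "Ms-Excel", "Internet Explorer"}),
    "ClinicApps": Group(members={"Charting"}),          # constructed app name
    "FinanceApps": Group(members={"Payroll", "PeopleSoft"}),
}
ASSIGNMENTS = [
    Assignment("Doctors", "Clinic", ("ClinicApps", "DesktopApps")),
    Assignment("Finance", "Administration", ("FinanceApps", "DesktopApps")),
]


def apps_for(user: str, workstation: str) -> Set[str]:
    return effective_apps(user, workstation, ASSIGNMENTS,
                          USER_GROUPS, WORKSTATION_GROUPS, APP_GROUPS)


if __name__ == "__main__":
    print(sorted(resolve("Clinic", WORKSTATION_GROUPS)))
    print(sorted(apps_for("dr.smith", "ws-5w-01")))
    print(sorted(apps_for("dr.smith", "ws-5w-04")))   # denied station: nothing
```

resolve() is the "resolved dynamically on the bottom of the screen" step: it expands nested groups and then subtracts deny entries, so the Clinic group here is all of Hospital5W except ws-5w-04 without an exception group, and a user on that denied workstation receives no applications from the Doctors assignment.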
Workstation - Communication
One of the unique features of Samson S3 is the ability to communicate with
remote workstations (two-way communication). This capability makes
administration and troubleshooting of S3 workstations efficient and simple.
The available operations are:
- Current User: display the current users of the system
- Current Status: display a complete status of the workstation and S3 library
- Lock Station: lock the workstation from usage
- Capture & Lock: capture an image of the current screen and lock the station
- Unlock Station: unlock the workstation from a locked state
- Reload Config: reload the station configuration
In this scenario, select Workstation -> Workstation Communication.

You then choose the workstation you wish to perform an operation
on. Finally, select one of the options. In this case, the Current
Status button is clicked.
A message is sent to the workstation and the response is displayed
in the browser.

The user is unaware that the communication has taken place. This
feature provides system administrators with simple but powerful
troubleshooting capabilities.
Conclusion - Samson S3 Administration Views
This concludes the Samson S3 Administration
Views. You have now experienced some of the processes of the S3
Administration console. You should have a basic understanding of
the concepts and power of the Samson S3 Admin and how it is designed
to be an efficient part of an administrator's function.
The Samson S3 client is lightweight and simple to install and configure.
The main components are:
The S3CommService is installed
as a service on the target workstation. It is installed under the
system account, protecting it from tampering by users of the system.
The S3CommService handles all communication to the S3 Admin Server
as well as managing the desktop of the workstation. Since the service
controls the desktop, it is difficult to circumvent the service
to manipulate the workstation.
The S3 Desktop tries to preserve the integrity of the standard Windows
desktop. Fewer modifications to the desktop mean less user training is
required to use Samson.
Based upon options or profiles
set in the S3 Admin, the client workstation adjusts and presents
a variety of authentication scenarios and the desktop look &
feel.
Samson S3 supports a variety of means to authenticate users to a
workstation. Many schemes have been created over the years to make logging
in and out of systems easier; all involve an initial OS authentication
followed by some form of application authentication.
Samson S3 supports a variety of OS authentication schemes.
They are:
- Authentication using a common
USERID/PASSWORD pair
- Authentication using a
UNIQUE USERID/PASSWORD pair
- Biometric authentication
mapping a user to a UNIQUE USERID/PASSWORD pair
S3 provides its own authentication dialog. The S3 dialog can be used in a
variety of ways depending upon the OS authentication chosen. Let's look at
two specific scenarios for how the OS authentication occurs:
- Auto Logon: The workstation is logged on automatically, but the logon
account has no rights, no privileges and no connected network resources
(the workstation itself is connected to the network). Once logged in, the
station never logs out.
- Common Logon: All users are instructed to authenticate to the
workstation with a common userid/password pair. The logon account has no
rights, no privileges and no directly connected network resources (the
workstation is connected to the network). Once logged in, the station never
logs out.
In these scenarios Samson S3 provides the user authentication layer, while
the OS authentication simply gains access to the network. As users
authenticate to Samson S3, the single signon process is invoked and controls
the workstation from that point forward. Because the OS account is shared,
the record of which person used the workstation comes from S3's
authentication rather than from the OS logon.
The user will be presented the Samson S3 authentication
screen.

This screen supports userid/password pairs and biometric
authentication if the workstation and user are identified for biometric
authentication.
This very simple screen can support a variety of behavior:
- Timeout from inactivity
- Lock the workstation after an Administrator-specified number of login
failures
- Messaging from the S3 Administrator function
- Company identification supplied by the Administrative function
Once authenticated, the user's desktop is under the control of S3. S3 can
present the user a variety of ways to manipulate programs:
- Present a toolbar of the applications available to the user
- Modify the Windows presentation to display only the applications
available to the user.
S3 is engineered to maintain the look and
feel of Windows while making the environment conform to the enterprise's
needs. The client workstation is a weak link in the security chain
where intrusions, viruses and other problems begin.
In this scenario the single signon
presents the Applications available to this user in the toolbar
at the bottom of the screen. The user simply clicks the application
button and the application starts, the single signon answers the
user/password challenge of the application and the user works.
The S3 Administrators console identified workstation Settings that control
the presentation to the user. Let's look at the settings screen again. We
begin by changing a simple option: removing the status bar. To do this,
simply uncheck the Display Status Bar option:

In this case, you can see that the status bar on the bottom of the screen
has been removed. This is set on a user-by-user basis, which gives great
flexibility in how users are presented their working desktops. It should be
easy to see that scenarios from full lock down to wide open can be
accommodated with S3. Portrayed below is a desktop that has been locked down.

It is easy to see that a very secure desktop can be achieved. The only
functions available to the user are presented on the application toolbar.
In Windows, if you can't click on it or press a key sequence to engage the
function, it is NOT AVAILABLE. This type of desktop may be suitable for an
open kiosk used by the public: there is nothing for a user to get into.
This restricts what is reachable through the interface; the OS account's
own lack of rights (as in the Auto Logon and Common Logon scenarios)
remains the underlying control.
You can also see that S3 is highly customizable,
offering administrators flexibility in how users are granted access
to the system. We believe S3 is the most flexible single signon
available today.
This overview only hints at the capabilities of Samson S3. It should convey
the flexibility and capability of Samson: administrators can manage many
levels of users and provide productivity enhancements.
Let Samson be your Enterprise Single SignOn!