2.3 The Technical Explanation

The solution is implemented by enabling Credential Provisioning policies that create and enable the user’s Single Sign-On accounts. A user can have one or more accounts, depending upon how many drivers and applications you have configured to use Single Sign-On.

The Resource Kit contains the policies and resource objects required for the solution. The additional products listed below must also be installed and configured before the solution works.

  1. Install and configure SecureLogin. For more information, see the Novell SecureLogin 6.1 Installation Guide.

  2. (Optional) Install and configure Novell® SecretStore®. For more information, see the Novell SecretStore 3.4 Installation Guide.

  3. Choose one of the following methods to enable the Credential Provisioning policies:

    • To enable policies globally, continue with Step 4.

    • To enable the policies for each connected system, skip to Step 5.

  4. Enable the Credential Provisioning policies globally by specifying the Credential Provisioning GCV on the driver set:

    a. In the Designer project, right-click the driver set.

    b. Select GCVs, then use the information in Table 2-1 to configure the settings under Credential Provisioning.

    c. Click OK to save the changes.

  5. Enable the Credential Provisioning policies for each connected system:

    a. In the Designer project, right-click the connected system driver (Active Directory* or Lotus Notes* icon or the driver line in the Modeler), then click Properties.

    b. Select GCVs, then use the information in Table 2-1 to configure the settings under Credential Provisioning.

    c. Click OK to save the changes.

    d. Repeat Step 5.a through Step 5.c for each application driver.

  6. (Conditional) If the SecretStore or SecureLogin servers are on a separate machine from the Resource Kit image, you must change the server information on the repository objects:

    a. In Designer, click the Outline tab, then expand the library object.

    b. Right-click the lib-CredProv-NSSRepository object, then select Edit.

    c. Change the server-specific information, then click OK to save the changes.

    d. Right-click the lib-CredProv-NSLRepository object, then select Edit.

    e. Change the server-specific information, then click OK to save the changes.

  7. Click Save in the toolbar to save the Designer project.

  8. Deploy the changed project to the Identity Vault. For more information, see Deploying a Project to an Identity Vault in the Designer 3.5 for Identity Manager 3.6 Administration Guide.

Table 2-1 Credential Provisioning GCV options

Option / Value

Enable Credential Provisioning Policies
  Set this option to true. By default it is set to false.

On user creation
  If this is set to true, credentials are provisioned when a user is created. By default, it is set to true.

On user enable/disable
  If this is set to true, credentials are provisioned when user accounts are enabled and de-provisioned from user accounts that are disabled. To enhance security, new credentials are provisioned every time an enable/disable cycle completes.

On password changes
  If this is set to true, the credentials are re-provisioned on every password change.

Application Credential ID
  Specify the ID that SecureLogin uses to identify the provisioned login. This login is linked with an application on the SecureLogin client.

Application User ID Attribute
  Specify the attribute name used to retrieve the application user ID. This is an attribute in the application’s namespace.

Provision to Novell SecretStore
  Set this to true if SecretStore is used by the Credential Provisioning policies; set it to false if it is not. By default, it is set to false.

Provision to Novell SecretStore > SecretStore Shared Secret Type
  If the credential is provisioned to SecretStore, select the SecretStore Shared Secret Type to be used: either Credential Set or Application Set.

Provision to Novell SecretStore > Use Enhanced Protection Password
  Select true if the SecretStore Enhanced Protection Password is to be used. If true is selected, the named password secretstore-enhanced-protection-password must be set correctly; the named password is stored on the driver object. By default, it is set to false.

Provision to Novell SecureLogin Repository
  Select true if a SecureLogin repository is used by the Credential Provisioning policies; select false if it is not. By default, it is set to true.

Provision to Novell SecureLogin Repository > Set Novell SecureLogin Passphrase
  Select true to set a passphrase question and answer for SecureLogin. Select false if the Credential Provisioning policies should not set a passphrase question and answer.

Provision to Novell SecureLogin Repository > SecureLogin Passphrase Question
  Specify the passphrase question that is set for each user.

Provision to Novell SecureLogin Repository > SecureLogin Passphrase Answer Value Attribute
  Specify the attribute name that contains the value of the passphrase answer.
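As an added pre-deployment check (example code written for this page, not part of the Resource Kit or Designer), the following Python function encodes the dependencies among the Table 2-1 options and their stated defaults, so that a GCV set can be validated before the project is deployed. The dictionary keys and the sample values are assumed names chosen for illustration, not the GCV names Designer stores.

```python
from typing import Dict, List

# Defaults as stated in Table 2-1; options without a stated default are omitted.
DEFAULTS = {
    "enable_policies": False,
    "on_user_creation": True,
    "provision_to_secretstore": False,
    "use_enhanced_protection_password": False,
    "provision_to_securelogin": True,
}
SHARED_SECRET_TYPES = {"Credential Set", "Application Set"}
ENHANCED_PROTECTION_NAMED_PASSWORD = "secretstore-enhanced-protection-password"


def check_credprov_gcvs(gcv: Dict[str, object], named_passwords: Dict[str, str]) -> List[str]:
    """Return the consistency problems found; an empty list means the settings are usable."""
    s = {**DEFAULTS, **gcv}  # explicit settings override the table defaults
    problems: List[str] = []
    if not s["enable_policies"]:
        problems.append("Enable Credential Provisioning Policies is false: nothing is provisioned")
    if not (s["provision_to_secretstore"] or s["provision_to_securelogin"]):
        problems.append("no repository enabled: both SecretStore and SecureLogin are false")
    for key in ("application_credential_id", "application_user_id_attribute"):
        if not s.get(key):
            problems.append(f"{key} is required")
    if s["provision_to_secretstore"]:
        if s.get("secretstore_shared_secret_type") not in SHARED_SECRET_TYPES:
            problems.append("SecretStore Shared Secret Type must be Credential Set or Application Set")
        # Enhanced Protection only works if the named password exists on the driver object.
        if s["use_enhanced_protection_password"] and not named_passwords.get(ENHANCED_PROTECTION_NAMED_PASSWORD):
            problems.append(f"named password {ENHANCED_PROTECTION_NAMED_PASSWORD} is not set on the driver object")
    if s["provision_to_securelogin"] and s.get("set_securelogin_passphrase"):
        for key in ("securelogin_passphrase_question", "securelogin_passphrase_answer_attribute"):
            if not s.get(key):
                problems.append(f"{key} is required when Set Novell SecureLogin Passphrase is true")
    return problems


# Constructed sample (hypothetical values): SecretStore with Enhanced Protection
# enabled, but the named password was never set on the driver object.
SAMPLE_GCV = {
    "enable_policies": True,
    "application_credential_id": "ADLogin",
    "application_user_id_attribute": "sAMAccountName",
    "provision_to_secretstore": True,
    "secretstore_shared_secret_type": "Credential Set",
    "use_enhanced_protection_password": True,
    "set_securelogin_passphrase": True,
    "securelogin_passphrase_question": "What is your employee number?",
    "securelogin_passphrase_answer_attribute": "workforceID",
}

if __name__ == "__main__":
    for p in check_credprov_gcvs(SAMPLE_GCV, named_passwords={}):
        print("problem:", p)
```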