Planning an Application Profile
Pre-planning your profiles will make the learning and testing process more effective. This topic contains information on identifying and learning key screens to create an effective profile using the Imprivata APG.
Imprivata OneSign must recognize the screen to learn the user’s credentials and store them for later use when the same screen opens again.
Application Screens and Their Profile Roles
The APG classifies application screens as one of these types:
- Login Screens — can include prompts for domain or database, Novell context, as well as username and password
- Login Failure Screens — an application may have multiple failure screens.
- Login Success Screens
- Change Password Screens
- Change Password Failure Screens — an application may have multiple failure screens.
- Change Password Success Screens
- Custom Screens — can be used for dismissing screens, auditing internal application screens, and for closing non-SSO-enabled applications.
Other screen types include welcome screens and all other screens requiring automated interaction.
Which Screens to Learn
Consider the following when planning which screens to learn:
- Login Screen — required, because it allows user credential capture.
- Login Failure Screen(s) — play a critical role in credential capture; if a login failure is recognized, the Imprivata agent rejects the entered credentials and re-enters capture mode.
- Login Success Screen — provides confirmation. It is not required, as the APG assumes success: if no login failure is recognized, the APG stores the entered credentials.
- Change Password failure and success screens — follow the same principles as login success and failure screens.
Note: You may not have to profile each screen in an authentication workflow, but in general, the more screens you capture, the more unique and thus effective the profile will be.
To help decide what screens to learn, think through the users’ workflows. For example:
- Is there more than one login screen? For example, some applications have a dialog allowing credential re-entry on a failure. This would have to be learned as a login screen rather than a login failure screen.
- What happens when a user enters incorrect credentials?
- Are there multiple failure screens? For example, is a different failure screen presented for a mistyped username than for a mistyped password?
- How do you know you have logged in correctly? Is there a success screen, or does an application open, for example?
- Change password screens often have more failure variations. For example, password policies can often produce different screens or messages.
- Some applications employ sequential Change Password screens.
Imprivata OneSign uses Change Password Screens to detect:
- When the password is being changed for an application.
- When to proxy the old password on behalf of the user.
- When to generate a new random password for the user.
On recognition of the screen, Imprivata OneSign proxies the current password into the old password field, and then:
- Waits for the user to enter and confirm the password, or
- Auto-generates and submits a random password according to the password policy set up for the application in OneSign.
Application login screens are the most important screens for Single Sign-On (SSO). You usually profile this screen before you profile additional screens. The important credential capture and credential proxy steps happen on login screens.
What can prevent Imprivata OneSign from recognizing a screen?
- Text that varies, such as session data, a time stamp, user name, hidden or temporary-use text.
- URLs that change as a result of load balancing, session maintenance, or for other reasons may include information when the user authenticates that is not the same as when you profiled the screen.
- Variable parameter data and control layout may cause the Imprivata APG to learn a control or some other information that is present only sometimes; screen recognition may fail when the control fails to appear.
- The Imprivata agent may not be able to differentiate between similar screens.
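The recognition failures listed above come down to matching on attributes that change between sessions. The following added example (not Imprivata code; the screen descriptor format, field names and URLs are constructed for illustration) contrasts a naive exact match with one keyed only on stable attributes: the URL without its session and load-balancer query data, the title without its time stamp, and only the controls that are always present.

```python
import re
from urllib.parse import urlsplit

# Constructed screen descriptors (hypothetical format, not the APG's own profile format):
# a learned login screen, the same screen in a later session, and the failure screen.
LEARNED = {
    "title": "Clinical Portal - Login - 09:14:02",
    "url": "https://portal.example.org/login?session=abc123&node=lb2",
    "controls": {"username", "password", "submit", "mfa_hint"},
}
RUNTIME = {
    "title": "Clinical Portal - Login - 13:42:55",                        # time stamp differs
    "url": "https://portal.example.org/login?session=zzz999&node=lb5",   # session/node differ
    "controls": {"username", "password", "submit"},                       # mfa_hint absent
}
FAILURE = {
    "title": "Clinical Portal - Login Failed - 13:43:01",
    "url": "https://portal.example.org/login?session=zzz999&node=lb5",
    "controls": {"username", "password", "submit"},
}

# Controls always present on the login screen; anything else is treated as variable.
REQUIRED_CONTROLS = {"username", "password", "submit"}
TIMESTAMP = re.compile(r"\b\d{1,2}:\d{2}(?::\d{2})?\b")


def exact_match(learned, screen):
    """Naive recognition: every learned attribute must match exactly."""
    return learned == screen


def normalize(screen, required_controls):
    """Keep only the attributes that stay stable from one session to the next."""
    parts = urlsplit(screen["url"])
    return {
        "title": TIMESTAMP.sub("", screen["title"]).strip(" -"),
        "url": f"{parts.scheme}://{parts.netloc}{parts.path}",   # drop the query string
        "controls": screen["controls"] & required_controls,
    }


def robust_match(learned, screen, required_controls=REQUIRED_CONTROLS):
    """Recognition keyed on stable attributes only; still rejects a different screen."""
    return normalize(learned, required_controls) == normalize(screen, required_controls)
```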
Capturing Credentials from a Login or Change Password Screen
Credential capture occurs only the first time the login screen opens for each user. It can occur many times on a change password screen.
Imprivata OneSign learns the user’s credentials the first time the user successfully logs into the application. Imprivata OneSign records the user as enrolled to the application in the user record.
Credential Capture Methods
Imprivata OneSign offers two methods of capturing credentials. With Native Capture, Imprivata OneSign captures the credentials from the application screen automatically at runtime. When native credential capture does not provide the results you need, you can create a Credential Enrollment Window.
Native Capture
With Native Capture, Imprivata OneSign captures the credentials from the application screen automatically at runtime. Native capture behavior for Windows applications is different from the behavior for Web applications:
- Native Capture for Windows Applications — For Windows applications, Imprivata OneSign first tries to capture credential text in the form of keystroke data communicated when the application field calls the Windows VKEY.DLL. This is often successful, but not always. If Imprivata OneSign does not work optimally with VKEY.DLL, it copies the content directly from the field when the screen is submitted, and the Get Text? option is selected for that field in the application profile.
- Native Capture for Web Applications — For web applications, Imprivata OneSign copies the content directly from the field when the screen is submitted. Sometimes, for security reasons, the user input of a field is obscured before it is submitted. When the data captured from a web application field is obscured, such as asterisks, gibberish characters, or nothing at all, select the Obscured Data option. This tells Imprivata OneSign to capture credential data from the user’s keyboard activity instead of copying data from a field in which the credential data has been obfuscated.
Credential Enrollment Window
Imprivata OneSign presents a Credential Enrollment Window to the user and captures user credentials from it. A Credential Enrollment Window is sometimes referred to as an ECC screen, or Explicit Credential Capture screen. Use a Credential Enrollment Window when you are unable to capture credentials natively. The Imprivata OneSign Credential Enrollment Window is detailed in The Imprivata Credential Enrollment Window.
Credential proxy occurs every time the login screen opens. Proxy takes place on the Login Screen and the Change Password Screen.
Credential Proxy Methods
Imprivata OneSign offers two methods of proxying credentials. With Native Proxy, Imprivata OneSign proxies the credentials automatically at runtime by injecting the credential data into the fields in the application login screen and submitting it.
Native Proxy for Windows Applications
Imprivata OneSign can proxy credentials in the form of keystroke data as if it were typed by the user. If the Send Text? option for a field is selected, then Imprivata OneSign inserts the credential data directly into the field for submission, bypassing VKEY.DLL.
Customized Keystrokes and Mouse Clicks
Imprivata OneSign can submit the credentials following a highly customizable custom keystroke and mouse click sequence. Use this if the native proxy method does not work. This feature always overrides the Get Text? and Send Text? options. The customized keystrokes and mouse clicks feature is detailed in Advanced Credential Proxy Techniques.
Failure and Success Screens
Application failure and success screens provide important confirmation data.
Failure Screens
Imprivata OneSign uses Failure Screens to detect:
- When a user has mistyped a username and/or password during enrollment.
- When a username and/or password submitted by Imprivata OneSign is no longer valid.
On recognition of a Failure Screen, Imprivata OneSign clears stored credentials in the Imprivata agent cache and the Imprivata OneSign database and waits for the user to enter the new correct credentials.
Success Screens
Imprivata OneSign uses Success Screens to detect:
- When a user has enrolled valid credentials for an application.
- When Imprivata OneSign has submitted the correct credentials for an application.
On recognition of a Success Screen, Imprivata OneSign maintains the credentials as valid in the Imprivata agent cache and Imprivata OneSign database.
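The capture, proxy, failure and success rules described on this page form a small state machine per application. The following added example (not Imprivata code; the agent class, password policy format and application name are constructed for illustration) models those rules: capture on the first login, proxy on every later login, failure clears stored credentials and re-enters capture, success or absence of failure commits the capture, and a change password screen proxies the old password and then either takes the user's new password or generates one per policy.

```python
import secrets
import string

DEFAULT_POLICY = {"length": 16, "symbols": "!@#$%"}   # constructed policy format


def generate_password(policy):
    """Random password meeting the constructed policy (length, upper, digit, symbol)."""
    alphabet = string.ascii_letters + string.digits + policy.get("symbols", "")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(policy["length"]))
        if (any(c.isupper() for c in pw) and any(c.isdigit() for c in pw)
                and (not policy.get("symbols") or any(c in policy["symbols"] for c in pw))):
            return pw


class SsoAgent:
    """Hypothetical agent model: which recognized screen drives which credential action."""

    def __init__(self):
        self.stored = {}    # app -> (username, password): the agent cache / database
        self.pending = {}   # app -> credentials captured but not yet confirmed

    def on_login(self, app, typed=None):
        if app in self.stored:                        # proxy every time the screen opens
            return ("proxy", self.stored[app])
        self.pending[app] = typed                     # first time: capture mode
        return ("capture", typed)

    def on_login_failure(self, app):
        # Reject the typed credentials, clear anything stored, re-enter capture mode
        self.pending.pop(app, None)
        self.stored.pop(app, None)
        return ("capture", None)

    def on_login_success(self, app):
        # A success screen (or simply no failure screen) confirms the capture
        if app in self.pending:
            self.stored[app] = self.pending.pop(app)
        return ("enrolled", self.stored.get(app))

    def on_change_password(self, app, policy=None, typed_new=None):
        user, old = self.stored[app]                  # old password is proxied
        new = typed_new or generate_password(policy or DEFAULT_POLICY)  # user's or generated
        self.pending[app] = (user, new)
        return ("proxy_old", old, new)

    def on_change_password_success(self, app):
        self.stored[app] = self.pending.pop(app)
        return ("updated", self.stored[app])

    def on_change_password_failure(self, app):
        self.pending.pop(app, None)                   # assumption: old password stays valid
        return ("retry", self.stored[app])
```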