How to: Group Policy Guidance

1.1 Use Just One Group Policy

For simplicity of administration we suggest that all My1Login related settings are placed in a single group policy (e.g. “My1Login SSO”). This is only a suggestion: some products, Firefox in particular, behave more predictably when all of their settings live in one group policy, and you may already have browser settings configured in an existing policy.

This document assumes that all settings are in a policy called “My1Login SSO”.

1.2 Merging Settings

The instructions in this document assume that you are starting from a clean sheet and that the settings may be freely applied.

Some browser settings, for example the start-up pages, affect what users can do, so it may be desirable to merge existing settings with the My1Login settings rather than replace them.

Contact My1Login if you have any questions on this.

1.3 Linking the Group Policy

The My1Login SSO policy should be deployed to those users who are synchronised to the My1Login system with the Active Directory Connector.

Deploying the policy to users that are not synchronised will not break anything, but users will see the browser plug-in icons and may see warnings that they do not have permission to use the My1Login system.

In a typical install the users permitted to use My1Login would be in one or more groups under a suitable OU. In the example below the users are in a group called “SSO Users” under an OU called “My1Login SSO”.



The My1Login SSO policy may be linked at the domain level, but to restrict it to the users permitted to use the system (continuing the example above), remove “Authenticated Users” from the Security Filtering section of the policy’s Scope tab and add the “SSO Users” group.



Removing “Authenticated Users” from Security Filtering removes its Read permission on the policy as well as Apply. Since the MS16-072 security update (KB3163622) the user portion of a policy is retrieved in the computer’s security context, so “Authenticated Users” (or “Domain Computers”) must be added back with Read permission on the Delegation tab; without it the policy is silently not applied.
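The same linking and filtering can be scripted with the GroupPolicy PowerShell module. The block below is an added example and is not part of the My1Login document; the domain DN corp.example.com, the OU “My1Login SSO” and the group “SSO Users” are assumptions matching the example above. The last step checks the Read permission that the Delegation tab caveat depends on.

```powershell
# Added example (not from the My1Login document): create, link and
# security-filter the "My1Login SSO" policy with the GroupPolicy module.
# Assumptions: domain corp.example.com, users under the OU "My1Login SSO",
# group "SSO Users" as in the worked example in section 1.3.
Import-Module GroupPolicy

$gpoName  = 'My1Login SSO'
$ssoGroup = 'SSO Users'
$ouDn     = 'OU=My1Login SSO,DC=corp,DC=example,DC=com'   # assumed OU DN

# 1. Create the policy if it does not exist yet and link it to the OU.
#    New-GPLink errors if the link already exists, hence SilentlyContinue.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 2. Security filtering: only "SSO Users" should Apply the policy.
Set-GPPermission -Name $gpoName -TargetName $ssoGroup -TargetType Group -PermissionLevel GpoApply | Out-Null

# 3. Downgrade "Authenticated Users" from Apply to Read only. -Replace removes
#    the existing entry first, so the group keeps Read (needed since MS16-072
#    so that computers can fetch the user settings) but no longer Applies.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 4. Verify the resulting ACL and warn if no computer-readable ACE is left.
$acl = Get-GPPermission -Name $gpoName -All
$acl | Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission

$readable = $acl | Where-Object {
    $_.Trustee.Name -in 'Authenticated Users', 'Domain Computers' -and
    $_.Permission -in 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
}
if (-not $readable) {
    Write-Warning "$gpoName has no Read ACE for Authenticated Users or Domain Computers; user settings will not apply (MS16-072)."
}
```

Run this from a workstation with RSAT installed as an account that can edit Group Policy; afterwards gpupdate /force on a client and gpresult /r for a member of “SSO Users” should list the policy under Applied Group Policy Objects, and a non-member should see it under Filtered Out with the reason Security.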



1.4 Location of Administrative Templates

It is necessary to install administrative templates (ADMX/ADML files) for several of the browsers.

This document assumes that administrative templates are in the central store.

If your practice is to add templates to specific policies (classic ADM files) then you will need to amend the paths in this document to take account of the additional Classic Administrative Templates (ADM) folder.

Setting up the central store is beyond the scope of this document. Full details may be found at:

Central store templates will be found in the PolicyDefinitions folder under your domain’s SYSVOL directory.
• Browse to %logonserver%\sysvol
• Drill into the folder named after your domain
• Drill into Policies \ PolicyDefinitions
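The following added example (not from the My1Login document) copies a vendor’s ADMX/ADML files into the central store, creating the store when it does not yet exist. The source folder C:\Temp\Templates and the en-US language folder are assumptions; the central store path itself is the standard SYSVOL location described above.

```powershell
# Added example (not from the My1Login document): install browser ADMX/ADML
# templates into the domain central store, creating it if necessary.
# Assumptions: templates were unpacked to C:\Temp\Templates in the usual
# vendor layout (*.admx in the root, en-US\*.adml for the language files).
$domain       = $env:USERDNSDOMAIN
$centralStore = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
$source       = 'C:\Temp\Templates'          # assumed download location
$lang         = 'en-US'                      # assumed language folder

# Create the store and its language folder on first use.
foreach ($dir in $centralStore, (Join-Path $centralStore $lang)) {
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
}

# Copy the templates. An ADMX without its matching ADML in the language
# folder cannot be displayed by the Group Policy editor, so copy both.
Copy-Item -Path (Join-Path $source '*.admx') -Destination $centralStore -Force
Copy-Item -Path (Join-Path $source "$lang\*.adml") -Destination (Join-Path $centralStore $lang) -Force

# Confirm the browser templates are present and each has its ADML.
Get-ChildItem $centralStore -Filter *.admx |
    Where-Object Name -match 'chrome|edge|firefox' |
    ForEach-Object {
        $adml = Join-Path $centralStore "$lang\$($_.BaseName).adml"
        [pscustomobject]@{ Template = $_.Name; AdmlPresent = (Test-Path $adml); Written = $_.LastWriteTime }
    }
```

SYSVOL is replicated to every domain controller, so after the copy the new templates appear in the Group Policy editor on any management workstation once replication has completed; a setting that was configured before its template existed shows up under Extra Registry Settings until the template is in place.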

1.5 Browser Password Managers

My1Login recommends disabling browser password managers (and other password-vaulting tools) to improve security and to eliminate any potential conflict with the My1Login browser plug-in.

1.6 Zero Sign-On and Non-IE Browsers

This section does not apply to Internet Explorer.

Zero Sign-On authentication can be achieved in one of two ways:

My1Login subdomain

Setting one of your browser start-up pages to your company's My1Login subdomain [company.my1login.com] automatically authenticates your users on browser start-up and presents them with their User Vault.

Query String

This parameter identifies your My1Login account to the browser plug-in, which in turn allows the plug-in to log in to My1Login with no user intervention.

The query parameter value for your account is available in the Administration Portal: Administration | Security | Key Management

The query string has the format “?m1l=ABC123” and is appended to the end of your start-up URL; this applies to all non-IE browsers. If the start-up URL already carries a query string, join the parameter with “&” instead of “?”.

Example
If one of your home pages were Google, you would append the query string as follows: https://www.google.co.uk/?m1l=ABC123
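The two browser-side settings from sections 1.5 and 1.6 can be written straight into the “My1Login SSO” policy with Set-GPRegistryValue, which writes the same registry.pol entries the ADMX-driven editor produces (the templates from section 1.4 are still needed for the settings to display by name rather than under Extra Registry Settings). This is an added example, not part of the My1Login document. The registry paths are the published Chrome, Edge and Firefox policy keys; the m1l value ABC123, the company subdomain and the start pages are placeholders, and the example goes beyond the text by handling a start page that already has a query string.

```powershell
# Added example (not from the My1Login document): disable browser password
# managers (1.5) and set Zero Sign-On start-up pages with the m1l query
# parameter (1.6) in the "My1Login SSO" policy. Keys are the documented
# Chrome/Edge/Firefox policy registry paths; all other values are assumed.
Import-Module GroupPolicy
$gpoName = 'My1Login SSO'
$m1lKey  = 'ABC123'                          # from Administration | Security | Key Management
$vault   = 'https://company.my1login.com'    # assumed company subdomain
$pages   = @('https://www.google.co.uk/',    # assumed existing start pages
             'https://intranet.example.com/?tab=home')

$chromium = 'HKLM\SOFTWARE\Policies\Google\Chrome', 'HKLM\SOFTWARE\Policies\Microsoft\Edge'
$firefox  = 'HKLM\SOFTWARE\Policies\Mozilla\Firefox'

# Append the m1l parameter; use "&" when the URL already has a query string.
function Add-M1lQuery([string]$url, [string]$key) {
    $sep = if ($url.Contains('?')) { '&' } else { '?' }
    return '{0}{1}m1l={2}' -f $url, $sep, $key
}

# 1.5: PasswordManagerEnabled = 0 turns the built-in vault off in all three.
foreach ($k in $chromium + $firefox) {
    Set-GPRegistryValue -Name $gpoName -Key $k -ValueName 'PasswordManagerEnabled' -Type DWord -Value 0 | Out-Null
}

# 1.6: the vault subdomain first, then the existing pages with ?m1l= appended.
$startup = @($vault) + ($pages | ForEach-Object { Add-M1lQuery $_ $m1lKey })

# Chrome/Edge: RestoreOnStartup = 4 means "open a list of URLs", the list
# being the numbered values under RestoreOnStartupURLs.
foreach ($k in $chromium) {
    Set-GPRegistryValue -Name $gpoName -Key $k -ValueName 'RestoreOnStartup' -Type DWord -Value 4 | Out-Null
    for ($i = 0; $i -lt $startup.Count; $i++) {
        Set-GPRegistryValue -Name $gpoName -Key "$k\RestoreOnStartupURLs" -ValueName "$($i + 1)" -Type String -Value $startup[$i] | Out-Null
    }
}

# Firefox: the Homepage policy takes one URL plus numbered Additional URLs,
# and StartPage = "homepage" makes the browser open them at start-up.
$ff = "$firefox\Homepage"
Set-GPRegistryValue -Name $gpoName -Key $ff -ValueName 'StartPage' -Type String -Value 'homepage' | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $ff -ValueName 'URL'       -Type String -Value $startup[0] | Out-Null
for ($i = 1; $i -lt $startup.Count; $i++) {
    Set-GPRegistryValue -Name $gpoName -Key "$ff\Additional" -ValueName "$i" -Type String -Value $startup[$i] | Out-Null
}

# Show what was written so it can be checked against the GPMC view.
Get-GPRegistryValue -Name $gpoName -Key "$($chromium[0])\RestoreOnStartupURLs" |
    Select-Object ValueName, Value
```

The resulting URLs are https://company.my1login.com, https://www.google.co.uk/?m1l=ABC123 and https://intranet.example.com/?tab=home&m1l=ABC123. Because these are machine (HKLM) policy keys they apply to every user of the computer, which is why section 1.3 restricts the policy’s scope to the synchronised users in the first place; if you also want to lock the Firefox home page against user changes, the same Homepage key accepts a Locked DWORD of 1.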