
Identity & Access Management


Single Sign-On
Single Sign-On (SSO) is a method that allows employees to access multiple systems without having to authenticate (normally by submitting a user name and password) more than once. This is often confused with password synchronization, where employees log on to each system separately but use the same password. This latter method is often referred to as “reduced sign-on” (or Simple Sign-On) because you need to sign in to each system, but the same password is used on every system.

One has to distinguish between two very different kinds of SSO: Web-based Single Sign-on (WSSO) and Enterprise Single Sign-On (ESSO):

  • WSSO is used in web portals, where an employee gets access to a number of different web applications via his web browser. WSSO is included in the most commonly available Access Management solutions, which have built-in WSSO and other features to protect elements and applications in the portal.
  • ESSO gives employees access to other resources and applications within the IT landscape with one single login. The employee logs into the ESSO solution, which already knows the employee and which employee names and passwords apply to each application. When the employee logs in, the ESSO solution takes care of the authentication and automated logon to the applications that have been “ESSO enabled”.

SSO is a key area to look into when it comes to access control. From a security point of view, there are pros and cons to making access to all systems and applications dependent on one single logon.

Normally, the recommendation is that an SSO solution should be supplemented by a second-factor authentication process or, as a minimum, that password policies should be very strong/restrictive. In the end, such decisions must be based on a risk analysis.

ESSO can be divided into two categories:

  • User-based SSO, through automated employee authentication
  • Server-based SSO, through central authentication

Solutions for user-based SSO
There are many commercially available solutions in the marketplace today (IBM, Oracle, CA, ActivIdentity etc.), and from a conceptual point of view they are very similar. Obviously there are differences among them, but they are very similar in the sense that they are all based on front-end interaction (screen-grabbers).
Implementation of employee-based SSO can be extremely cumbersome, which is the primary reason for many failed ESSO projects and the generally bad reputation ESSO has.
The concept of user-based SSO has a number of downsides and as such should be evaluated very thoroughly before considering such a solution.


Solutions for server-based SSO
SSO functionality can be achieved in a much more sophisticated way through central authentication, typically with Active Directory (AD) as the authoritative repository. A good number of software vendors, for instance SAP and Oracle, have developed coding and implementation guidelines that enable AD authentication.

There are a number of vendors in the market that offer packaged solutions for server-based SSO. A very good example of such a vendor is Cybersafe. Cybersafe has a proven track record from large organizations (http://www.cybersafe.com).


Kerberos
Kerberos authentication is a technology that has been available for more than a decade. The technology and many utilities have been made generally available, and these are constantly being developed and spread into many different areas. In Windows Server you will find support for UNIX systems, and from SAP and other major vendors you will find guidelines and recommendations for using Kerberos against applications and systems, thus leveraging the powerful Kerberos network security infrastructure of Active Directory. More information:
http://www.microsoft.com/windowsserver2003/technologies/security/kerberos/default.mspx


Microsoft Forefront Identity Manager (now FIM - formerly ILM "2")
Identity Lifecycle Manager “2” has been renamed Microsoft Forefront Identity Manager.

ILM "2" builds on the metadirectory and user provisioning available in ILM 2007 (and before that MIIS), and adds further capabilities to this platform. With the introduction of FIM, Microsoft has also introduced basic password reset functionality into the product.

FastPass delivers a robust and fully fledged user self-service front-end for password reset and beyond, which integrates and fits into a FIM project through PCNS (Password Change Notification Services).
FastPass will not only deliver advanced password reset functionality, but is also the ideal starting point for an Identity project that you are considering but doubt will be able to deliver cost justification. For more information on FastPass in Identity projects, read more here:
Download productsheet

 


IBM Tivoli Identity Manager (ITIM)
Tivoli Identity Manager allows users to reset passwords themselves, but this solution always leaves one big question:

“How does the user get access to IBM Tivoli Identity Manager when the Windows password is not known?”

The FastPass Password Reset Add-on for IBM Tivoli Identity Manager is a solution to the problem of the user not being able to access his or her computer without knowing the password. With this solution, users are able to reset their Windows password themselves. This saves time for the user, saves resources at the IT Service desk, and enables users to reset passwords 24/7/365.

Solution Overview
The FastPass Password Reset Add-on for IBM Tivoli Identity Manager is a Windows utility, which can easily be customized to the needs of any organization. The FastPass Tivoli Add-on can be installed stand-alone or be distributed to many clients.

Once it is installed, the user will see a “Forgot password” button on the Windows login dialog. A click on this button takes the user into the IBM Tivoli Identity Manager web interface, allowing the user to reset the password by answering the challenge-response questions of ITIM.

ITIM will be running in a locked-down kiosk mode that allows no other actions to be taken on the computer. After the user has reset the password, the user exits ITIM and logs in with the new password.

The FastPass Password Reset Add-on for IBM Tivoli Identity Manager is developed by FastPassCorp and exclusively available from here.

Benefits
Using the FastPass Password Reset Add-on you will experience the following benefits:

  • The user does not need involvement from any other person => Enhances efficiency and ROI
  • The password change is done literally in seconds => Enhances efficiency and ROI
  • The solution works after hours and off-site => Enhances efficiency and ROI

Compatibility
The FastPass Password Reset Add-on is compatible with the following versions of Tivoli Identity Manager:

  • IBM Tivoli Identity Manager 4.6
  • IBM Tivoli Identity Manager 5.0


Consider your best password management approach
If you have not yet deployed the password reset feature in ITIM, you may want to consider using FastPass as the password management solution. FastPass is a fully fledged password management solution that will secure the success of your project, letting you take advantage of the many advanced features that can make the whole difference in your IdM project.

FastPass will then take advantage of ITIM and use it as the synchronization engine for forwarding password resets to those other systems that are part of your IdM project.


Enhanced Password Reset for Sun Identity Manager
Handling forgotten or lost passwords is a major challenge in any organization causing:

  • Reduced efficiency
  • Increased administrative costs
  • Reduced security

Sun Identity Manager allows users to reset passwords themselves, but this solution always leaves one big question:

“How does the user get access to Sun Identity Manager when the Windows password is not known?”

The FastPass Password Reset Add-on for Sun Identity Manager is a solution to the problem of the user not being able to access his or her computer without knowing the password. With this solution, users are able to reset their Windows password themselves. This saves time for the user, saves resources at the IT Service desk, and enables users to reset passwords 24/7/365.


Solution Overview
The FastPass Password Reset Add-on for Sun Identity Manager is a Windows utility, which can easily be customized to the needs of any organization. The FastPass Sun Add-on can be installed stand-alone or be distributed to many clients.

Once it is installed, the user will see a “Forgot password” button on the Windows login dialog. A click on this button takes the user into the Sun Identity Manager web interface, allowing the user to reset the password by answering the challenge-response questions of SIM.

SIM will be running in a locked-down kiosk mode that allows no other actions to be taken on the computer. After the user has reset the password, the user exits Sun Identity Manager and logs in with the new password.


Benefits
Using the FastPass Password Reset Add-on you will experience the following benefits:

  • The user does not need involvement from any other person => Enhances efficiency and ROI
  • The password change is done literally in seconds => Enhances efficiency and ROI
  • The solution works after hours and off-site => Enhances efficiency and ROI

Compatibility
The FastPass Password Reset Add-on is compatible with the following versions of Sun Identity Manager:

  • Sun Identity Manager 7.1
  • Sun Identity Manager 8.0 & 8.1


Consider your best password management approach
If you have not yet deployed the password reset feature in SIM, you may want to consider using FastPass as the password management solution. FastPass is a fully fledged password management solution that will secure the success of your project, letting you take advantage of the many advanced features that can make the whole difference in your IdM project.

FastPass will then take advantage of SIM and use it as the synchronization engine for forwarding password resets to those other systems that are part of your IdM project.
