Single Sign-On
Single Sign-On (SSO) is a method that allows employees to access multiple systems without having to authenticate (normally by submitting employee name and password) more than once. It is often confused with password synchronization, where employees log in to each system separately but use the same employee name and password, or at least the same password. This latter method is often referred to as “reduced sign-on” because you still need to sign in to each system, but the same password is used on every system.

One has to distinguish between two very different kinds of SSO: Web-based Single Sign-on (WSSO) and Enterprise Single Sign-On (ESSO):

  • WSSO is often used in web portals, where an employee gets access to a number of different web applications via his web browser. WSSO is built into most commonly available Access Management solutions, alongside other features to protect elements and applications in the portal.
  • ESSO gives employees access to other resources and applications within the IT landscape with one single login. The employee logs into the ESSO solution, which already knows the employee and which employee names and passwords apply to each application. When the employee logs in, the ESSO solution takes care of authentication and automated logon to the applications that have been “ESSO enabled”.

SSO is a key area to look into when it comes to access control. From a security point of view there are pros and cons to letting access to all systems and applications depend on just one single logon.
Normally you would recommend that an SSO solution be supplemented by a second-factor authentication process or, as an absolute minimum, that password policies be very strong/restrictive. In the end, such decisions must be based on a risk analysis.

ESSO can be divided into two categories:

  • Employee-based SSO, via automated employee authentication
  • Server-based SSO, via central authentication

Solutions for user-based SSO
There are many commercially available solutions in the marketplace today (IBM, Oracle, CA, ActivIdentity etc.), and from a conceptual point of view they are very similar. Obviously there are differences among them, but they are alike in the sense that they are all based on front-end interaction. Implementation of employee-based SSO can be extremely cumbersome, which is the primary reason for many failed SSO projects and the generally bad reputation SSO has.
The concept of employee-based SSO has a number of downsides and as such should be evaluated very carefully before any implementation of such a solution.


Solutions for server-based SSO
SSO functionality can be achieved in a much more sophisticated way through central authentication, typically with Active Directory (AD) as the authoritative repository. A good number of software vendors, for instance SAP and Oracle, have developed coding and implementation guidelines that enable AD authentication.


Kerberos
Kerberos authentication is a technology that has been available for more than a decade. The technology and many utilities have been made generally available, and these are constantly being developed and spread to many different areas. In Windows Server you will find support for UNIX systems, and from SAP and other major vendors you will find guidelines and recommendations for using Kerberos against applications and systems, thus leveraging the powerful Kerberos network security infrastructure of Active Directory. More information on:
http://www.microsoft.com/windowsserver2003/technologies/security/kerberos/default.mspx

Besides the opportunity to implement Kerberos authentication manually, a number of vendors have made products available for this. A very good example of such a vendor is Centrify. Centrify has recently extended its reach and the number of supported environments. Further information on: http://www.centrify.com


IBM Tivoli Identity Manager (ITIM)
Tivoli Identity Manager allows users to reset passwords themselves but this solution always leaves one big question:
“How does the user get access to IBM Tivoli Identity Manager, when the Windows password is not known?”

The FastPass Password Reset Add-on for IBM Tivoli Identity Manager is a solution to the problem of the user not being able to access his or her computer without knowing the password. With this solution, users can reset their Windows password themselves. This saves time for the user, saves resources at the IT Service desk, and enables users to reset passwords 24/7/365.

Solution Overview
The FastPass Password Reset Add-on for IBM Tivoli Identity Manager is a Windows utility, which can easily be customized for the needs of any organization. The FastPass Tivoli Add-on can be installed stand-alone or be distributed to many clients.

Once it is installed, the user will see a “Forgot password” button on the Windows login dialog. A click on this button takes the user into the IBM Tivoli Identity Manager web interface, allowing the user to reset the password by answering the challenge response questions of ITIM.

ITIM will be running in a locked-down kiosk mode that allows no other actions to be taken on the computer. After the user has reset the password, the user exits ITIM and logs in with the new password.

The FastPass Password Reset Add-on for IBM Tivoli Identity Manager is developed by FastPassCorp and exclusively available from here.

Benefits
Using the FastPass Password Reset Add-on you will experience the following benefits:

  • The user does not need involvement from any other person => Enhances efficiency and ROI
  • The password change is done literally in seconds => Enhances efficiency and ROI
  • The solution works after hours and off-site => Enhances efficiency and ROI

Compatibility
The FastPass Password Reset Add-on is compatible with the following versions of Tivoli Identity Manager:

  • IBM Tivoli Identity Manager 4.6
  • IBM Tivoli Identity Manager 5.0
