Simplified Single Sign-On: Convenience and Security for Enterprise Applications


True single sign-on is achieved when all applications are Kerberos-ready. Since this is unfortunately not always the case, SSO remains difficult to achieve in current deployments. The main obstacles are legacy applications that do not support Kerberos authentication. Another approach to SSO is simply to map user identities across the different authentication mechanisms and let the operating system take charge of entering authentication credentials on behalf of the user. This is exactly what the “Simplified Single Sign-On” solution provided by Imprivata, Inc. does.


Imprivata's OneSign Single Sign-On solution

OneSign Single Sign-On automates application login access for users. Instead of requiring a user to remember and enter individual logon information for each application, OneSign Single Sign-On transparently and securely delivers user sign-on credentials to each application automatically on the user’s behalf. Imprivata claims that its solution supports most enterprise applications – legacy, client/server, Windows, Java, and Web – without requiring any custom scripting, modifications to existing applications, directories, or inconvenient end-user workflow changes.

The solution relies on two components:


The OneSign Application Profile Generator™ (APG)

This is a patented single sign-on enablement engine that quickly and easily captures application dynamics for user logon and password changes. Enabling and managing single sign-on to applications requires no scripting. Administrators create or edit SSO profiles using the OneSign APG, which dynamically learns the authentication requirements of each target application and generates an XML-based application profile. The OneSign APG keeps track of all supported computing environments on the network and generates the corresponding profiles without the need for any custom scripting or integration. Profiles are automatically uploaded to the OneSign Appliance by the OneSign APG and are ready for deployment to users at runtime according to user and application-level policies set in the OneSign Administrator.


OneSign Agent

With the OneSign Agent, users authenticate to the OneSign Appliance where credentials and policies are stored, managed, and distributed from a digital vault. Once a OneSign session is granted, credentials and access policy are downloaded. In a single sign-on environment, the OneSign Agent recognizes the sign-on dynamics for OneSign-profiled applications and responds by proxying the user’s credentials into one or more input fields on the user’s behalf. The OneSign Agent dynamically self-updates whenever new versions, new applications, or new security policies are detected on the appliance.


Who is this useful for?

Having SSO at your fingertips has never been so easy. Imprivata's approach to providing Simplified Single Sign-On is simply brilliant. From a technological innovation point of view, the solution is not based on groundbreaking research results. The commercial and business case for the solution, however, is undeniable. Many institutions, especially those where employees need to authenticate to several applications from several stations, can perform a Simplified Single Sign-On even if different underlying authentication mechanisms are used for each application.

