IdentiPHI Enterprise Security Solutions
Single Sign-On and provisioning from ITIM (strong authentication + physical access)

Delivering single sign-on to 25,000 users in North and South America was not only achievable, it was enjoyable. Single sign-on is commonly referred to as the “Holy Grail” in IT security, but the truth is that SSO can be accomplished with little risk so long as the right technology is selected.

“Identity management solutions must include a single sign-on solution in order to fully recognize the benefits and achieve expectations.”

IdentiPHI succeeded in integrating with the Tivoli Identity Manager solution. Competing technologies claimed support for iTIM and listed it as a documented feature; upon testing, however, it turned out to still be a roadmap feature under development, another case of deliberate misrepresentation. Fortunately there was an SSO technology with proven experience that could integrate single sign-on directly into the provisioning tool. Through iTIM, IdentiPHI SSO was able to populate application credentials into the directory automatically, without any user intervention. SSO data was available to the application and the end user as soon as the account was provisioned; the end user never needed to touch the password or even be aware that one existed.

With over 25 applications and websites, each with unique credentials to manage, the task was daunting. After working with several vendors to enable single sign-on for complex applications such as SAP, it was obvious that single sign-on was quickly becoming reduced sign-on, as is so often stated in product reviews. SAP presented many challenges, as there were dozens of possible sessions available, each maintaining a unique username and password for authentication. To complicate matters further, many of the applications exposed both a client and a browser interface. The difficulty this presented was the need to synchronize passwords and password changes between the multi-interface systems and the SSO client.

In order to enable single sign-on to so many different types of applications and systems, it was obvious that the solution deployed would not succeed if changes to every application were required. “The time and expense alone would prevent a single sign-on project from succeeding, especially when you look at the time it took to deploy user provisioning.” The common link between all SSO vendors is the claim of ROI. In the 90’s, this claim fueled projects that generally resulted in failure. The experience gained led to the understanding that there can be no calculable ROI until the solution is deployed. This simply meant that the single sign-on technology had to deliver the desired result in a very short time period, thus excluding any solution that had to modify each target application.

Additional project requirements were added to allow for strong authentication to the Windows domain using both biometrics and smart cards. Though this was not required or desired for all users, company executives were determined to replace the last remaining password to be managed (the domain password) with a biometric. Combined with IdentiPHI Advanced Authentication, the single sign-on client was able to provide this. Within the IT department, smart cards were also desired as a preferred authentication method. The use of smart cards also presented the opportunity to link directly with the physical access teams and provide a single ID badge for both network login and access to physical resources.

“IdentiPHI basically allowed deployment of smart cards without the need for a managed PKI by taking advantage of the ability for IdentiPHI to generate and store x.509 certificates on a smart card; this greatly simplified the deployment to end users.”

Copyright © IdentiPHI Inc. 2007; All Rights Reserved