Single Sign-on – SSO Enterprise solution

Motivation
Who doesn’t know the following problems? Forgetting user names and passwords; for many applications looking for complex passwords and then remembering them; having to change the password regularly; typing errors when inputting personal access codes. And as if this weren’t enough, the problems connected with security arising from the use of passwords.

Even at home, when using your own computer, tablets or smartphones the whole logon procedures for Internet portals and applications can be extremely annoying even if as a rule the number of applications remains fairly small. But in the business world these problems amount to an enormous time, safety and cost factor.

And now for the good news:
With a single logon and the SEFIROT GmbH Single Sign-on software you can free yourself from all the separate logons and the hassle with user IDs and passwords, and all at one go have access to every single application.

The SSO Enterprise solution:

The SEFIROT Single Sign-on, with its high level of convenience and unique features, is incomparable and without equal in the Enterprise area.

From the extremely easy-to handle SSO application capture, registration and distribution through to complex practices, e.g. role change between two smart cards used in a Citrix session for different workers. In the hospital environment, with role change between physician and nursing staff, this has become known as “role change in context”.

As far as is known, the SEFIROT Single Sign-on software is currently the only solution in the world using intelligent control logic enabling, in Citrix sessions, the form of application control (described above) resulting from card operations, like “remove card” or “insert card”.

Some of the SSO Enterprise solution features:

  • Easy data capture, registration and administration of SSO applications
  • Automatic capture of conditions for recognising logon windows with the run-time analysis tool of the SSO capture component
  • Simple specification of processes by mouseclick for window contents, e.g.
    logon sequences, password change sequences, confirmation sequences
  • Efficient distribution mechanism for automatic distribution of the SSO configuration to all stipulated computer systems
  • High breakdown protection through the smart card supported decentral SSO credential administration
  • Wide SSO application support
  • Smart card supported “role change in context”
  • Smart card supported authorisation and confirmation processes in accordance with the “four eyes principle” or by role transfer

Designing SSO securely

It would have considerable advantages for the user if it is left to the password manager to allow registered and applications considered to be reliable to be recognised automatically, and then to have suitable user IDs and passwords entered automatically onto the login screens, and finally to have the authentication for recognised applications issued automatically.

SSO is clearly more practical and user-friendly than manual solutions. However, security would suffer even if complex passwords were used by the SSO system and would be regularly changed.

There is a satisfactory solution to this problem. The security level can be increased if an SSO solution is subordinated to basic conditions and constraints imposed by security technology. This is achieved in the technical concept of the SEFIROT Single Sign-on solution.

Two measures are important for the security of the SSO solution:
  1. The SSO user data are protected decentrally via a PIN on the user’s relevant smart cards.
  2. In almost all Enterprise environments the basically insecure SSO solution is preceded by a strong, PKI (public key infrastructure)- bound dual-factor authentication. The primary authentication takes place with a smart card and PIN, or with a smart card and biometric recognition (e.g. fingerprint match-on card).

The convenience of this solution:
With the primary authentication the password manager is immediately enabled so that a user must only enter his PIN once, as the primary logon in order to have access to all other applications of the session.

Further convenience and security advantages:
The smart card provides more security and convenience.
The smart card is restricted to the user session so that as soon as it is removed the user session is terminated; hence access to all SSO supported applications is prevented at one go. At the same time the user can easily commence at another location another session using his smart card and PIN and in this way profit from perfect roaming.

SSO replacement card issue is firmly anchored in the security concept.
As required when printing temporary replacement cards, the user SSO data record is coded in a backup system repository and transferred during the personalisation of the replacement card. Replacement cards are issued via the smart card helpdesk. Details of the smart card helpdesk can be found under the corresponding product description.