Review: Simple single sign-on

If you need to boost network security or if your help desk is spending hours looking up or resetting user passwords, you might want to look at Imprivata's OneSign Enterprise single sign-on (SSO) appliance, which has a number of advantages over competing products from Passlogix and Protocom.

For starters, I found Imprivata OneSign to be simple to install and manage, a trait that should not be assumed in the single sign-on world. While all sign-on management products claim simple installation and deployment, in most cases integrating a SSO solution means dedicating hardware and custom scripting to get SSO software to recognize applications. OneSign, however, is an appliance, which provides easy integration with existing hardware infrastructure.

OneSign also requires no modification to existing applications and no user learning curve thanks to OneSign Application Profile Generator. My tests showed that OneSign's native support for multiple authentication methods and centralized password policies allows agencies to quickly implement password security that is appropriate to their environment.

OneSign works through a relatively simple process. OneSign Application Profile Generator tool learns the password behavior of all applications then uses that information to create an Extensible Markup Language profile for each one and records it in an XML document. The XML files, together with their corresponding policies, are uploaded and stored on the OneSign appliance. The OneSign Agent, which resides on each user's computer, receives the latest set of XML profiles, policies and credentials distributed every time a user is authenticated.

From the user's perspective, the process is unobtrusive. OneSign handles primary authentication through an extension of the Windows login. The Agent establishes an Imprivata Secure Exchange (ISX) session with the appliance using double-blind encryption and disposable session keys. ISX delivers the single sign-on data and OneSign Agent observes the application screen as defined in XML and behaves as needed to enable SSO and password management according to the latest policy for each individual user.

By default Imprivata ships two 1U appliances: one primary and one failover box. For my test, I only configured the primary box. Initial configuration was truly simple — I assigned an IP address, and then set the DNS, gateway and SMTP server for event notifications.

A browser-based configuration wizard took me through the rest of the setup by first creating an administrative account. I then imported users from Active Directory by specifying the connection to the external source (i.e. host name, user name and password). In addition, the Active Directory OneSign can connect and import users from NT Domains, Novell Netware Directory Services (NDS) eDirectory and Sun Microsystems' SunOne Lightweight Directory Access Protocol directories. OneSign can also import users from multiple directories and is capable of mirroring user environments without any manual changes and can be set to automatically synchronize periodically.

Administration is performed using a straightforward browser interface. For the most part, I found administering OneSign to be a simple process. I was particularly impressed with the fact that OneSign supports major forms of strong authentication out of the box, which could be applied to groups or per user basis. For example, in addition or instead of standard user name and password I could have chosen secured access using ID tokens or biometrics.

Computers on the network communicate with OneSign SSO appliance using a OneSign Agent, which is a Windows program resident on each user's machine. The Agent creates a secure session to the OneSign appliance to deliver SSO functionality. The Agent can be delivered to users through an MSI-compatible push technology or delivered through a download link in an e-mail. Imprivata also provides a Workstation Agent for use on public or shared computers and a Citrix Agent that installs on Citrix MetaFrame servers or MS Terminal Servers.

OneSign truly allows easy implementation and deployment of Single Sign-On functionality, eliminates the need for back-end coding of applications, replaces many logons with one centrally managed secure login and, most importantly, reduces costly password related calls to the Help Desk. OneSign is not an inexpensive product but the return on investment through eliminating downtime due to user lockouts is well worth it.

Kvitka is a principal of an information technology and Web development company. He can be reached at andre@digitalrig.com.