SecureLogin provides SSO using a method known as "password replay" or "store and forward". What does this mean and what are the benefits of using this approach versus other SSO methods?

  • 7940200
  • 19-Aug-2009
  • 15-Jan-2014

Environment

SecureLogin
SecureLogin SSO
All Versions

Situation

Question

SecureLogin provides single sign on (SSO) using a method known as "password replay" or "store and forward". What does this mean and what are the benefits of using this approach versus other SSO methods?

Resolution

Answer

In its simplest form, using SSO password replay software, a user authenticates once to a trusted system (e.g. Directory such as ADS or Novell’s eDirectory) when the workstation first boots up, and never has to enter any other passwords to access applications. Authentication occurs (i.e. passwords are entered), but is seamless to the user.

SecureLogin needs to "learn" logon credentials so it can "remember" them. The first time a user runs an application that is SSO enabled, they are prompted to enter their application logon credentials such as their username and password. The credentials are then encrypted and stored against their user object in the Directory. From then on, SSO "remembers" them. Instead of the user having to write all their different application passwords down on paper, they are all encrypted and "written" in the Directory against the user object.

The user’s initial logon to the Directory could be a password or, if used in conjunction with advanced authentication products, they could authenticate using a biometric (e.g. fingerprint scan), smartcard or token for stronger proof of identity. Once they are authenticated, an SSO agent starts up on the workstation and "watches" for applications that are SSO enabled.

When an SSO enabled application such as e-mail loads, instead of prompting the user for their logon credentials, SSO retrieves them from the Directory, enters them in the appropriate fields and clicks the Logon button. SSO is effectively "replaying" the password for the user when the application requests it, hence the term "password replay".

When a password expires for an application, the SSO agent "sees" the password expiry and can either randomly generate the user a new password that meets the application’s policy, or can prompt them to choose a password of their own. The new password is then encrypted and stored against the user object in the Directory and is used to logon to that application until the next password expiry. From an application’s point of view, it appears as though the user is entering their credentials and changing their password every x days as they always have. In fact, SSO is handling this for them.

Rather than entering the same password when you are prompted to logon to all applications, SSO remembers all the different application passwords and ties them to your network logon. From a user’s point of view, they only need to remember one password (to authenticate to the network) for all applications (because SSO remembers and enters the rest, making application logon fast and seamless).

SecureLogin’s Password Replay Architecture:

  • Does not require any changes to applications or application servers - works with off-the-shelf, in-house developed or externally managed applications.
  • Users no longer need to know their passwords to applications so they can’t write them down or share them. When they leave your organization, they don’t know their passwords to logon.
  • Makes passwords to applications unique and confidential.
  • Can enforce password expiry and strong password policies on systems that are unable to do so natively.
  • Can randomly generate strong passwords (making the process seamless to the user) or ask the user to enter a new password when an application requires one.
  • Remembers all credentials an application requires including usernames, domain names, database names etc. Also handles invalid logon, account locked and any other message generated by the application, further reducing Helpdesk costs.
  • Is centrally managed, customizable, flexible and powerful. Application logon prompts and other messages can be streamlined to handle multiple systems, logon IDs and passwords, picking from lists, ticking boxes etc.
  • Encrypts application logon credentials and stores them in your corporate choice of Directory (e.g. ADS, eDirectory, LDAP v3 Compliant Directory).
  • Is more than just SSO - you can audit, use two-factor authentication, integrate with user provisioning systems etc.
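As an added example (not SecureLogin's own code), the following Python simulation walks through the store-and-forward cycle described in the answer above and the policy points in the architecture list: the user authenticates once to a stand-in directory, the agent learns an application's credentials on first use, encrypts them against the user object, replays them on later launches, and when the application reports expiry rotates to a random password that meets a policy the application itself cannot enforce. It also shows that the stored blob is unusable to an agent that has not authenticated to the directory as that user. Everything in it is constructed: the `Directory`, `LegacyApp` and `SSOAgent` classes, the user `alice` and application `mail`, and the HMAC-based at-rest cipher, which stands in for the product's own encryption.

```python
"""Simulation of a 'store and forward' (password replay) SSO agent.
Constructed example, not SecureLogin code: Directory, LegacyApp and the at-rest cipher
stand in for the product's directory storage, a real application and its encryption."""
import hashlib
import hmac
import secrets
import string

# Stand-in encryption at rest: HMAC-SHA256 as a PRF in counter mode, encrypt-then-MAC.
# A real agent would use a vetted AEAD (e.g. AES-GCM); this only keeps the example stdlib-only.
def _derive_key(directory_password, salt):
    return hashlib.pbkdf2_hmac("sha256", directory_password.encode(), salt, 100_000, dklen=64)
def _keystream(enc_key, nonce, length):
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range((length + 31) // 32))[:length]
def encrypt(key, plaintext):
    enc_key, mac_key = key[:32], key[32:]
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, "sha256").digest()
def decrypt(key, blob):
    enc_key, mac_key = key[:32], key[32:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("credential blob does not authenticate under this key")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))

CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)

def meets_policy(password, min_len=12, min_classes=3):  # enforced by the agent, not the application
    classes = sum(any(c in cls for c in password) for cls in CHARACTER_CLASSES)
    return len(password) >= min_len and classes >= min_classes

def generate_password(length=16):  # random password the user never sees, drawn until it passes policy
    alphabet = "".join(CHARACTER_CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate):
            return candidate

class Directory:
    """Stand-in for eDirectory/AD: encrypted credential blobs attached to the user object."""
    def __init__(self):
        self._salts, self._vault = {}, {}
    def salt_for(self, user):
        return self._salts.setdefault(user, secrets.token_bytes(16))
    def store(self, user, app, blob):
        self._vault.setdefault(user, {})[app] = blob
    def fetch(self, user, app):
        return self._vault.get(user, {}).get(app)

class LegacyApp:
    """Stand-in application with its own password store and a 90-day expiry."""
    def __init__(self, name, username, password, expiry_days=90):
        self.name, self.expiry_days = name, expiry_days
        self.passwords, self.age_days = {username: password}, {username: 0}
    def login(self, username, password):
        if self.passwords.get(username) != password:
            return "INVALID_LOGON"
        return "PASSWORD_EXPIRED" if self.age_days[username] >= self.expiry_days else "OK"
    def change_password(self, username, old, new):
        if self.passwords.get(username) != old or not meets_policy(new):
            return False
        self.passwords[username], self.age_days[username] = new, 0
        return True

class SSOAgent:
    """Starts after the single directory logon, then watches applications and replays."""
    def __init__(self, directory, user, directory_password):
        self.directory, self.user = directory, user
        self.key = _derive_key(directory_password, directory.salt_for(user))
        self.events = []  # audit trail: (application, outcome)
    def learn(self, app_name, username, password):
        self.directory.store(self.user, app_name,
                             encrypt(self.key, f"{username}\n{password}".encode()))
    def _credentials(self, app_name):
        blob = self.directory.fetch(self.user, app_name)
        if blob is None:
            return None
        return tuple(decrypt(self.key, blob).decode().split("\n", 1))
    def open_app(self, app, username=None, password=None):
        try:
            creds = self._credentials(app.name)
        except ValueError:  # blob was not stored under this user's directory key
            self.events.append((app.name, "VAULT_AUTH_FAILED"))
            return "VAULT_AUTH_FAILED"
        if creds is None:  # first run: prompt the user once, then SSO learns the credentials
            if username is None:
                return "PROMPT_USER"
            self.learn(app.name, username, password)
            creds = (username, password)
        username, password = creds
        result = app.login(username, password)
        if result == "PASSWORD_EXPIRED":  # expiry seen: rotate to a fresh policy-compliant secret
            new_password = generate_password()
            if app.change_password(username, password, new_password):
                self.learn(app.name, username, new_password)
                result = app.login(username, new_password)
        self.events.append((app.name, result))
        return result
```

Running the cycle with `agent = SSOAgent(directory, "alice", secret)` gives `PROMPT_USER` on the first `open_app`, `OK` once the credentials are supplied and learned, `OK` again on pure replay, and, after `app.age_days["alice"]` is advanced past the expiry, a silent rotation to a generated password that the application now holds and the agent stores; an agent built with the wrong directory secret gets `VAULT_AUTH_FAILED` because the blob's tag does not verify under its key, which is the property that makes the directory logon the single thing the user must protect.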