What are the schema extensions for SecureLogin? Where is data stored?

  • 7940204
  • 19-Aug-2009
  • 27-May-2014

Environment

SecureLogin
SecureLogin SSO
All Versions


Situation

Question

Where is SecureLogin data stored: SSO-enabled applications, the preferences that determine how SecureLogin behaves, and of course a user's application logon credentials, including usernames and passwords?

Does the Directory schema get extended, or do I need to install and configure a separate data store for SSO data? Some vendors require separate hardware and a separate database specifically for SSO.

Resolution

Answer

While some vendors require additional hardware and a separate Directory for SSO data, all SecureLogin data is encrypted and stored in the Directory of your choice (e.g. Microsoft ADS, Novell eDirectory, or any LDAP v3 compliant Directory). For example, all user-specific data, such as a user's passwords to applications, is stored against that user's object in the Directory, while applications can be published at the OU level (and via GPO in Microsoft Active Directory environments).

Passwords to applications cannot be viewed by anyone other than the user (and you can even hide them from the user).

Since SecureLogin data is stored in your corporate Directory, you don't need to set up special backup routines or administer a separate Directory or server environment just for SSO. By backing up the Directory as you normally would, you also back up all SSO data.

To store SecureLogin data in the Directory, the schema must be extended to accommodate six new attributes. These attributes are added to the Directory schema when you run the tool for your mode: ADSSchema.Exe in Microsoft ADS mode, NDSSchema.Exe in eDirectory mode, and LDAPSchema.exe in LDAP mode.

LDAP mode or AD Mode

In LDAP mode or ADS mode, the six new attributes are:

  • protocom-SSO-Auth-Data

Contains a key that is generated using a one-way hash of the user's passphrase.

  • protocom-SSO-Entries

On both OU and User objects, this attribute contains application definitions and preferences; on the User object only, it also stores all the user IDs, passwords and other variables ($VariableName) for applications.

  • protocom-SSO-Entries-Checksum

Holds a checksum used to ensure that only protocom-SSO-Entries data that has changed is synchronized between the Directory and the local cache.

  • protocom-SSO-Profile

Redirects the object to read its SecureLogin configuration information from another container. Typically all applications and settings for a user are set in the user's parent container: the user CN=MichaelC,OU=Users,DC=Utah,DC=ACME,DC=COM would inherit applications and settings from OU=Users,DC=Utah,DC=ACME,DC=COM. However, you could configure OU=Users,DC=Utah,DC=ACME,DC=COM to read its SecureLogin configuration from another container, such as OU=Users,DC=NewYork,DC=ACME,DC=COM.

  • protocom-SSO-Security-Prefs

Contains passphrase configuration information such as predefined passphrase questions, passphrase policies, help text, etc.

  • protocom-SSO-Security-Prefs-Checksum

Holds a checksum used to ensure that only protocom-SSO-Security-Prefs data that has changed is synchronized between the Directory and the local cache.

NDS/eDirectory (only) mode or eDirectory with SecretStore Mode

In Novell Directory environments the six new attributes are:

  • Prot: SSO Auth

Contains a key that is generated using a one-way hash of the user's passphrase.

  • Prot: SSO Entry

On both OU and User objects, this attribute contains application scripts and settings; on the User object only, it also stores all the user IDs, passwords and other variables ($VariableName) for applications.

  • Prot: SSO Entry Checksum

Holds a checksum used to ensure that only "Prot: SSO Entry" data that has changed is synchronized between the Directory and the local cache.

  • Prot: SSO Profile

Redirects the object to read its SecureLogin configuration information from another container. Typically all applications and settings for a user are set in the user's parent container: the user CN=MichaelC.OU=Users.OU=Utah.O=ACME would inherit applications and settings from OU=Users.OU=Utah.O=ACME. However, you could configure OU=Users.OU=Utah.O=ACME to read its SecureLogin configuration from another container, such as OU=Users.OU=NewYork.O=ACME.

  • Prot: SSO Security Prefs

Contains passphrase configuration information such as predefined passphrase questions, passphrase policies, help text, etc.

  • Prot: SSO Security Prefs Checksum

Holds a checksum used to ensure that only "Prot: SSO Security Prefs" data that has changed is synchronized between the Directory and the local cache.
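The two attribute lists above (LDAP/ADS mode and NDS/eDirectory mode) describe the same model: the six attributes must exist in the schema, application definitions and preferences live on the container, credentials live on the user object, and the Profile attribute redirects a container to read its configuration from elsewhere. The following script, added here as an illustration and not SecureLogin's own code, works that model through against a constructed in-memory snapshot of a Directory (a dict of DN to attributes) for both naming conventions. The resolution rules are taken from the text; the assumptions are that a user's own entries are combined with the resolved container's entries, that a redirect replaces (rather than merges with) the redirecting container's entries, and the helper and DN values, which are placeholders.

```python
"""Audit SecureLogin schema presence and resolve where a user's
SSO configuration is read from.

Added illustration, not NetIQ/Novell code. The Directory is modelled as
a dict mapping a DN to its attributes; DNs use ',' (LDAP/AD) or '.'
(eDirectory dotted notation) as the component separator.
"""

# The six attributes per mode, exactly as named in the article.
ATTRS = {
    "ldap": {
        "auth": "protocom-SSO-Auth-Data",
        "entries": "protocom-SSO-Entries",
        "entries_checksum": "protocom-SSO-Entries-Checksum",
        "profile": "protocom-SSO-Profile",
        "security_prefs": "protocom-SSO-Security-Prefs",
        "security_prefs_checksum": "protocom-SSO-Security-Prefs-Checksum",
    },
    "edir": {
        "auth": "Prot: SSO Auth",
        "entries": "Prot: SSO Entry",
        "entries_checksum": "Prot: SSO Entry Checksum",
        "profile": "Prot: SSO Profile",
        "security_prefs": "Prot: SSO Security Prefs",
        "security_prefs_checksum": "Prot: SSO Security Prefs Checksum",
    },
}


def missing_schema_attributes(schema_attribute_names, mode):
    """Return the SecureLogin attributes absent from a schema listing.

    schema_attribute_names: attribute type names read from the Directory's
    subschema (compared case-insensitively, as LDAP attribute names are).
    An empty list means the schema tool for this mode has been run.
    """
    present = {name.lower() for name in schema_attribute_names}
    return sorted(a for a in ATTRS[mode].values() if a.lower() not in present)


def parent_dn(dn, sep):
    """Strip the leading RDN: the container the object sits in."""
    return dn.split(sep, 1)[1]


def resolve_config_container(directory, user_dn, mode, sep=","):
    """Follow Profile redirects from the user's parent container.

    Returns (container_dn, chain). A redirect that loops back on itself
    would make the client read forever, so it is reported as an error.
    """
    profile_attr = ATTRS[mode]["profile"]
    container = parent_dn(user_dn, sep)
    chain = []
    while container not in chain:
        chain.append(container)
        target = directory.get(container, {}).get(profile_attr)
        if not target:
            return container, chain
        container = target  # redirected: read configuration there instead
    raise ValueError("Profile redirect loop: " + " -> ".join(chain + [container]))


def effective_entries(directory, user_dn, mode, sep=","):
    """Container-level definitions/preferences plus the user's own variables.

    Assumption (not stated in the article): the two sets are combined by key,
    with user-level keys taking precedence.
    """
    entries_attr = ATTRS[mode]["entries"]
    container, _ = resolve_config_container(directory, user_dn, mode, sep)
    merged = dict(directory.get(container, {}).get(entries_attr, {}))
    merged.update(directory.get(user_dn, {}).get(entries_attr, {}))
    return merged


# Constructed sample Directories; all values are placeholders.
SAMPLE_AD = {
    "OU=Users,DC=NewYork,DC=ACME,DC=COM": {
        "protocom-SSO-Entries": {"app:webmail": "NY webmail definition",
                                 "pref:idle-lock-minutes": "10"},
    },
    "OU=Users,DC=Utah,DC=ACME,DC=COM": {
        # Utah redirects to New York, so its own entries are not read.
        "protocom-SSO-Profile": "OU=Users,DC=NewYork,DC=ACME,DC=COM",
        "protocom-SSO-Entries": {"app:legacy": "ignored after redirect"},
    },
    "CN=MichaelC,OU=Users,DC=Utah,DC=ACME,DC=COM": {
        "protocom-SSO-Entries": {"app:webmail/$Username": "michaelc"},
    },
}

SAMPLE_EDIR = {
    "OU=Users.OU=Utah.O=ACME": {
        "Prot: SSO Entry": {"app:erp": "ERP script"},
    },
    "CN=MichaelC.OU=Users.OU=Utah.O=ACME": {
        "Prot: SSO Entry": {"app:erp/$Username": "michaelc"},
    },
}

if __name__ == "__main__":
    print(missing_schema_attributes(["protocom-SSO-Entries", "cn", "sn"], "ldap"))
    print(resolve_config_container(SAMPLE_AD, "CN=MichaelC,OU=Users,DC=Utah,DC=ACME,DC=COM", "ldap"))
    print(effective_entries(SAMPLE_EDIR, "CN=MichaelC.OU=Users.OU=Utah.O=ACME", "edir", sep="."))
```

On a real deployment the input to missing_schema_attributes would be the attribute type names exported from the Directory's subschema, and the snapshot passed to the other two functions would come from an LDAP read of the container chain; the redirect-loop check is the part worth keeping in any audit script, since a mis-set Profile attribute pointing back at its own chain is easy to create and hard to spot by eye.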