Question
I have heard SecureLogin can enforce application re-verification. What is it and how does it work?
Answer
Customers with strong authentication requirements can configure SecureLogin SSO to work with Novell Modular Authentication Services (NMAS) in an eDirectory environment, or with the NetIQ Advanced Authentication Framework in an Active Directory environment. With these products used together, users log on to the network (e.g. ADS or eDirectory) and/or to applications using strong authentication methods such as:
- Biometric (e.g. fingerprint)
- Smartcard/PIN
- One-time password
- Directory password
By default, with SecureLogin SSO installed, a user simply runs an application and SecureLogin seamlessly retrieves the user's application credentials (e.g. username, password, database name) and authenticates in the background. The user is not prompted to enter a password at all. Some customers want to configure SecureLogin to prompt the user for strong authentication before logging on to applications.
SecureLogin Single Sign-on can be configured to request application re-verification: SecureLogin requests a biometric, smartcard or token authentication before permitting logon to any or all SSO-enabled applications.
The difference between standard SSO and SSO with application re-verification is that, with virtual password synchronization, the user is still prompted to log on to the application: they enter their network password before SSO retrieves the stored credentials (which can be passwords that are all different and complex). From the user's point of view, they log on to the network (e.g. ADS or eDirectory) with a logon method such as fingerprint, smartcard or token, and they are also prompted to re-verify their configured logon method when they run SSO-enabled applications.
In the background, SecureLogin verifies the logon method, retrieves the stored application logon credentials (e.g. the actual email username and password) from the directory, and enters them into the application logon prompt. The application believes the user is entering a password as they always have, but the user is actually logging on to the application using a fingerprint (or other method). Applications need no special configuration to enable this feature.
Application re-verification is achieved using the AAVerify command. See the Knowledge Base for more information on using AAVerify.
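As an added illustration, not taken from this article or from the product documentation, the following SecureLogin application definition places AAVerify ahead of the credential entry so that stored credentials are only released after the user re-verifies their strong logon method. The dialog class, title and control IDs describe a hypothetical Windows logon dialog and are constructed placeholders; $Username and $Password are the stored application credentials.

```text
# Added example, not from the article: SecureLogin application definition
# for a hypothetical Windows logon dialog. Class, title and control IDs
# (#32770, #1001, #1002, #1) are constructed placeholders.
Dialog
  Class #32770
  Title "Mail Client Logon"
EndDialog

# Re-verify the user's configured strong logon method (fingerprint,
# smartcard or token) before any stored credentials are released.
# As the article describes, SecureLogin only proceeds to the logon
# when this verification succeeds.
AAVerify

# Retrieve the stored application credentials and enter them into the
# dialog; the application sees an ordinary username/password logon.
Type $Username #1001
Type $Password #1002
Click #1
```

Without the AAVerify line this is the default behaviour described above, where the credentials are typed in with no prompt at all.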