SSi Service Strategies Inc.

FAQs

eTrust eBusiness Security


eTrust Single Sign-On Frequently Asked Questions

eTrust Single Sign-On FAQs

eTrust Single Sign-On enhances overall security by automating access to all authorized Web services and enterprise-wide applications through a single login.

What is Single Sign-On?

Single Sign-On, or 'SSO', is the ability for users of large enterprise networks, or customers of a web site, to log on once via a single authentication and obtain access to all the resources they are authorized to use.

What is eTrust Single Sign-On and the current version?

eTrust Single Sign-On is the market leader in SSO technology that provides secured and simplified access to all of an enterprise network, including Internet-based systems. The current release of eTrust Single Sign-On is level 6.5 SP2.

Who benefits from eTrust SSO?

eTrust SSO solves the secured access problem for three main areas of an organization: users (customers), security, and administration. It addresses user frustration by automating user logins; it addresses security by providing secured login authentication; and it addresses administration through its centralized administration component, the SSO Assistant and Manager.

What makes eTrust Single Sign-On different from other solutions?

eTrust SSO was conceived from the start with an open architecture that has allowed it to keep ahead of fast-changing customer requirements. It offers the flexibility and scalability required to mold to the precise requirements of the customer environment. eTrust Single Sign-On is built upon an 'open' framework, which offers a great deal of flexibility. For example, eTrust SSO offers a wide range of authentication methods: OS Authentication (NT, Novell), Proprietary (secure password based), Hard Token (SDI, Safeword), Digital Certificates (Entrust PKI), Smartcards (iD2) and others. Third-party methods such as Kerberos, Smartcards or Biometrics can also be integrated via the SSO API Toolkit. Numerous kinds of credentials are forwarded, such as passwords, one-time passwords, tokens and passtickets. For administration, eTrust SSO offers companies the flexibility to choose from a number of system and user administration methods. Other solutions have not surfaced as best of breed because they are based on proprietary architectures. eTrust SSO grows as the organization does.

Please describe the Web Single Sign-On component

The eTrust Single Sign-On 6.5 for Web agent has four major functions:

- Access Control - Protection of web resources by defining URLs as applications in the SSO database. A stream filter is installed on the web server and checks every user access attempt to a specific URL. If the URL is defined in the SSO database, the user's permissions to enter that URL will be checked.
- Personalized Navigation Menu - Displaying the user's application list as a set of links the user can follow. This set of links is built according to the user's permissions. The Administrator can design the navigation menu according to the "look and feel" standards of the site.
- Single Sign-On - Once the user has authenticated to SSO and the application's password is kept in the SSO database, entering the application will be automated. This is true for both internal (placed on the web server) and external (placed on external web servers) applications.
- Web Based Front End Building API - For non-web-based applications. This enables users to enter the application based on the SSO primary authentication instead of using their own username and password.

SSO authentication will be performed each time the user encounters an SSO protected application or one of the "front ends" built using the API. Primary authentication takes the form of an HTML page where the user is asked to enter SSO login credentials. The stream filter installed on the web server intercepts the form and sends the data to the SSO server, which tries to authenticate the user. If the login credentials are authenticated, the SSO server sends the SSO ticket, wrapped inside a cookie, to the stream filter installed on the web server. This cookie is then presented each time the user has to be authenticated to an SSO application.
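The following is an added example, not code from the SSi page or from the eTrust product: a small Python model of the Web agent flow described above, with a stream filter that intercepts the login form, forwards the credentials to an SSO server, receives a ticket to set as a cookie, and on every later request to a protected URL verifies that cookie and checks the user's permission for the application. The ticket layout (HMAC-signed payload with an expiry), the cookie name SSO_TICKET, the URL-to-application table and the sample users are all constructed for illustration; the real product's formats are not documented on this page.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed SSO "database": protected URL prefixes mapped to an application
# name and the users permitted to enter it (an assumption, not the product's schema).
SSO_DB = {
    "/hr/": {"app": "HR Portal", "allowed": {"alice", "bob"}},
    "/finance/": {"app": "Ledger", "allowed": {"bob"}},
}

# Constructed primary-credential store holding salted PBKDF2 hashes, never plaintext.
_SALT = b"constructed-salt"


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {"alice": _pw_hash("alice-pass", _SALT), "bob": _pw_hash("bob-pass", _SALT)}

TICKET_TTL = 8 * 3600  # assumed ticket lifetime in seconds


class SsoServer:
    """Issues and verifies SSO tickets. The ticket is a base64 JSON payload plus
    an HMAC under a key only the server holds, so an edited or forged ticket
    fails verification and an expired one is refused."""

    def __init__(self, key):
        self._key = key

    def authenticate(self, user, password, now=None):
        """Primary authentication: returns a ticket string, or None on failure."""
        now = time.time() if now is None else now
        stored = USERS.get(user)
        if stored is None or not hmac.compare_digest(stored, _pw_hash(password, _SALT)):
            return None
        payload = {"user": user, "exp": int(now) + TICKET_TTL, "nonce": secrets.token_hex(8)}
        body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
        return body + "." + self._sign(body)

    def verify(self, ticket, now=None):
        """Returns the ticket payload if signature and expiry check out, else None."""
        now = time.time() if now is None else now
        try:
            body, sig = ticket.split(".", 1)
        except (AttributeError, ValueError):
            return None
        if not hmac.compare_digest(sig, self._sign(body)):
            return None
        payload = json.loads(base64.urlsafe_b64decode(body))
        return None if payload["exp"] <= now else payload

    def _sign(self, body):
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()


class StreamFilter:
    """Models the filter on the web server: requests to protected URLs must carry
    a valid ticket cookie, and the user must be allowed into that application."""

    COOKIE = "SSO_TICKET"  # assumed cookie name

    def __init__(self, server):
        self._server = server

    def _lookup(self, path):
        for prefix, entry in SSO_DB.items():
            if path.startswith(prefix):
                return entry
        return None

    def handle(self, request, now=None):
        """request: dict with 'path', 'cookies' and, for the login form, 'form'.
        Returns a dict with 'status' and, after a successful login, 'set_cookie'."""
        if request["path"] == "/sso/login":  # intercepted login form
            form = request.get("form", {})
            ticket = self._server.authenticate(form.get("user", ""), form.get("password", ""), now)
            if ticket is None:
                return {"status": 401}
            return {"status": 302, "location": form.get("next", "/"), "set_cookie": (self.COOKIE, ticket)}
        entry = self._lookup(request["path"])
        if entry is None:
            return {"status": 200, "app": None}  # not an SSO application: pass through
        payload = self._server.verify(request.get("cookies", {}).get(self.COOKIE), now)
        if payload is None:  # no, tampered or expired ticket: send to the login page
            return {"status": 302, "location": "/sso/login?next=" + request["path"]}
        if payload["user"] not in entry["allowed"]:
            return {"status": 403, "app": entry["app"]}
        return {"status": 200, "app": entry["app"], "user": payload["user"]}
```

The `now` parameter exists so that expiry can be exercised deterministically; in a real deployment the filter would also mark the cookie Secure and HttpOnly so the ticket only travels over TLS and is not readable by page scripts.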

What Web Servers are included?

Currently, Microsoft IIS and Netscape web servers are supported.

Are Web Browsers supported? (As a target platform for login)

eTrust Single Sign-On can log in a user to a selected web browser, such as Microsoft Explorer or Netscape. In addition, eTrust Single Sign-On can automate the login to secured sites when initiating access to the browser. However, when most organizations request Web support they are referring to "Sign-On" within the browser (html). This can be accomplished via Single Sign-On Login APIs. Currently, Login Dialogs do not support login to Web-based applications from within the browser environment (monitoring of web login).

What other server platforms and client workstations are supported?

eTrust SSO Server runs on UNIX (AIX, HP-UX and Solaris) and Windows NT/2000. Windows '95, '98 and NT are currently supported clients. UNIX clients are supported for non-X Windows applications only; that is, only text-based applications are currently supported in the UNIX environment.

What target applications does eTrust SSO support?

Theoretically, eTrust SSO can support all target applications and systems on Windows, UNIX, mainframe or other legacy systems.

Does eTrust provide secure SSO?

eTrust Single Sign-On provides a secured system for SSO by protecting user credentials as they are transmitted across the network, so that they cannot be replayed or abused if intercepted. A wide range of credentials is offered, including passwords, tickets, one-time passwords and digital certificates. The eTrust Single Sign-On server and database are secured by a special version of eTrust Access Control, further enhancing the security of the SSO application.

How is communication secured between the client and the SSO server?

The communication between the client and the server is fully encrypted using the Triple DES algorithm with ElGamal key management. DES, the Data Encryption Standard, is a 56-bit-key encryption algorithm designed to secure data and information; Triple DES applies DES three times with separate keys, so the 56-bit figure refers to a single DES key, not to the strength of the Triple DES channel.

What login methods are supported?

eTrust SSO is a framework solution that provides two types of sign-on methods: Login Dialogs and APIs (Application Programming Interface). These methods are used to support the following password or credential schemes: OTP (One-Time Passwords), digital certificates, tickets/tokens and proprietary passwords. In today's enterprise, some applications allow you to implement more sophisticated methods of signing users onto applications and systems. Our solution supports a hybrid approach to allow you to implement one of the various single sign-on schemes as appropriate for your specific environment. Login Dialogs are provided through Tcl, a common, non-proprietary language that makes application connection fast and consistent.

Can eTrust Single Sign-On keep passwords consistent across all applications and systems in an organization?

eTrust Single Sign-On reduces the burden on users of memorizing many different passwords. Additionally, although this is not mandatory, SSO supports password synchronization, which ensures a known password is propagated to any number of target applications.

Can an organization audit user logins?

Yes, eTrust Single Sign-On provides audit capabilities to allow all user login activity to be recorded and stored for later retrieval. SSO auditing includes user logins, access to the SSO server, requests for application lists, failed login attempts and more.

If an organization has shared PCs how will SSO work?

eTrust Single Sign-On stores all login information on the SSO Server in order to support roaming users centrally. This means that several users can use the same PC and work well with Single Sign-On. In addition, the Single Sign-On Familiar Desktop provides re-login capabilities for shared PCs.

If users do not log off the network at the end of the day regularly for business or other reasons, will the users now have to reboot their workstation(s) at the start of their day?

Users are not forced to re-boot their machines at any time. If a user needs to re-authenticate they have that option to do so from within the Single Sign-On tools menu. In addition, the SSO Station Lock facility can be used to prevent access to the user applications by unauthorized users, and to force re-login for other users who wish to use the same station.

Does eTrust Single Sign-On comply with X.500 standards?

eTrust Single Sign-On integrates with LDAP to allow import/export of data. PKI and digital certificates from leading vendors are supported to allow customers to use this advanced security technology for primary user logins.

How are password expirations handled?

eTrust SSO handles password expiration in several ways:

- SSO can force stronger password rules than the application; in this case SSO will initiate the password change during the application login.
- Through error handling, user password expiration for target systems and applications can be fully handled by Single Sign-On.
- Single Sign-On can also enforce primary password expiration, handled automatically by the SSO server, if Single Sign-On authentication is used.

How does SSO relate to disaster recovery?

When implementing Single Sign-On, you should recognize that SSO is a mission critical application and it should be included in your disaster recovery procedures. In addition, the Single Sign-On Server provides a Hot Backup feature, which is dynamic and automatic. This feature ensures the availability of the SSO server, which will reduce the need for users to sign-on outside of Single Sign-On. Multiple backup servers can be defined offering multiple fully redundant servers.

Does the use of a single connection channel between the distributed environment and the application host force the users to log in for every request? If so, could this cause a performance problem?

The applications continue to work as usual. The only change is that logging in to them is done automatically by SSO. Information traveling on the network includes the login credentials to applications, the login dialog to the application, and the SSO ticket. (The authentication host issues the ticket once primary authentication is completed and sends it to the Client, which uses it in every communication with the SSO server.) In the new version of SSO, the ticket size has been reduced to about 200 bytes.

Can this architecture be used in a pure Client/Server environment on a LAN? Are there any other necessary components and particular arrangements?

eTrust SSO is a completely open product, able to accommodate any site environment. The product forces no particular configuration on the customer site. The implementation can be phased, starting from a basic SSO environment with a simple authentication method, developing gradually according to the customer's needs and design.

What are skill sets needed by people at the customer site? How many people would we need?

The exact skill set is truly dependent on the applications and hardware that SSO will manage. Generally, a team of UNIX system administrators with good network skills and understanding, as well as NT and/or Windows administrators with a good understanding of distributed architecture, would suffice for technical support. What is also needed is an "implementation manager" who will address the business issues of interfacing with all the internal groups. The Implementation Manager also needs to set a strategy for implementation and the organization of groups. In addition, the Implementation Manager should formulate internal policies that will be followed for all change control and implementation issues. One or more persons should be dedicated to writing the SSO login dialogs. Tcl scripting is quite straightforward, and will be included in the on-site SSO training.

How long will it take to implement SSO? How many resources will I need?

eTrust Single Sign-On can be implemented in phases to provide benefits to the user immediately. Because the implementation of SSO depends greatly on the number of applications and systems in the single sign-on environment, the phased approach is most often preferred. The phased implementation can support additional targets as well as a migration to a more secure method of login. The design of Single Sign-On allows customers to adopt emerging standards and adapts to the growing needs of a distributed environment, hence allowing the customer to transparently transition to a more secure environment. For further information, please consult with a Computer Associates representative.


Service Strategies Inc

2392 Mount Vernon Rd

Dunwoody, GA 30338-3092

800-662-1615  678-441-0020

assist@ssimail.com

Copyright © 1998-2003 Service Strategies Inc. All rights reserved.
Revised: September 27, 2004.