Strengths: Swift agent-deployment tools, strong policy-based security, workstation lockdown feature, good reporting and alerting
Weaknesses: Application enrolment takes a while; can be costly for large user bases
Verdict: Imprivata's OneSign eases password management and support issues with a sophisticated SSO solution
Passwords are an essential part of any business security strategy and yet can be so difficult and costly to manage. The human element is always the weakest link and where access to different applications requires multiple logon credentials, they are all too often written down by users and left in obvious places.
The single sign-on (SSO) concept aims to do away with such problems: users authenticate once, and all further login prompts are intercepted and the credentials supplied automatically. OneSign from Imprivata provides a complete SSO answer and is implemented as an appliance-based solution that supports client/server, web and legacy applications.
The 1U rack-mount appliance offers a good specification, with a 3GHz Core 2 Duo in the driving seat, along with 2GB of memory plus a pair of 250GB mirrored SATA drives. High availability is supported, as you can configure a pair of appliances for failover.
All clients joining the SSO scenario require an agent utility installed locally. The standard agent is provided for users who have their own dedicated system, which can be locked while the user is away from their desk.
The Workstation Agent is used on systems provided for multiple users and those authenticated only by the OneSign appliance. A third agent, for Citrix MetaFrame and Microsoft Terminal Services, is deployed on the server.
The OneSign database synchronises with a directory server and support includes NT Domain, Active Directory and Novell NDS/eDirectory. OneSign supports multiple authentication methods, including ID tokens and fingerprint scanners, and can function as a RADIUS server for authenticating remote users.
Imprivata's Physical/Logical feature is designed to work with access systems for buildings. Each user is mapped to a connector and OneSign support includes AMAG, Honeywell and Lenel.
Essentially, this ties network access to the physical presence of the user. If the building system hasn't registered their entry, they won't be allowed network access. This also blunts tailgating, since a user who follows a colleague through a door without badging in will be refused a network login, and if an ex-employee has their pass revoked, this automatically locks them out of the network as well.
During installation, you run through a wizard-based routine on the well-designed web interface and then you can start adding users and creating security policies. You get a default policy, but it's easy enough to create more, for example where you decide how many failed login attempts will be allowed and apply a lock-out which blocks the SSO process and forces users to log in to each individual application.
An offline mode is available that uses cached, encrypted credentials when a link to the OneSign server is not available. You can also issue authentication challenges at regular intervals or if an account has been inactive.
Two methods of agent installation are offered: you can push the MSI file using a third-party software deployment tool, or notify selected users with an email containing a link to the installer hosted on the appliance. We found the second option easy enough to use and had the standard agent loaded on our test systems in a few minutes, although sites that train staff not to follow emailed links to installers will prefer the deployment-tool route.
The Windows login prompt is modified by the agent and offers choices for using a password, a fingerprint scanner, token, smartcard or proximity card. We were provided with a Vasco fingerprint scanner and DigiPass tokens, which worked fine.
Profiles also define challenges, where you can set inactivity periods after which users have to re-authenticate. We also defined a hot-key for workstation lockdown, and pressing it at the client system immediately logged the user off and presented OneSign's login screen.
That's the easy bit, as you now have to define applications to OneSign. Imprivata's APG (application profile generator) handles this function and takes you through a learning process. After the chosen application is loaded, you drag a target from the APG window and drop it onto the login screen. APG recognises the fields presented by the application and creates a form for them.
Once completed, you can drop another target onto the entire form, to confirm that the APG has correctly learnt all the fields. The new profile needs to be deployed and users can force the client to update itself immediately, or it can be left to a default contact interval.
We tested using access to our web mail server, where we successfully enrolled the application. Once the profile had been deployed, OneSign required users to log in to their applications as normal, after which their credentials were captured, stored on the appliance and proxied. The next time they loaded the login screen, their details were entered automatically by the agent.
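To make the mechanism concrete, here is an added illustrative model (not Imprivata's code, and not a description of how OneSign is built internally) of the three steps described above: learning the fields of a login form the way the APG does, keeping the captured credentials encrypted at rest under a key derived from the user's primary password (as the offline cache must), and replaying them into the form unless the failed-login policy has locked SSO out. The HTML sample is constructed, the function and class names are assumptions, and the cipher (an HMAC-SHA256 keystream with encrypt-then-MAC, built from the standard library only) stands in for a real AEAD such as AES-GCM.

```python
"""Toy SSO agent: learn a login form, cache credentials encrypted, replay them."""
import hashlib
import hmac
import os
from html.parser import HTMLParser

# Constructed sample login page (hypothetical web-mail front end).
SAMPLE_LOGIN_PAGE = """
<form action="/login" method="post">
  <input type="hidden" name="csrf" value="abc123">
  <input type="text" name="user">
  <input type="password" name="pwd">
  <input type="submit" value="Sign in">
</form>
"""


class _LoginFormParser(HTMLParser):
    """Collects the form action and every <input> (name, type) in document order."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = a.get("action", "")
        elif tag == "input":
            self.fields.append((a.get("name"), (a.get("type") or "text").lower()))


def learn_login_form(html):
    """Models the APG 'learning' step: find the username and password fields."""
    parser = _LoginFormParser()
    parser.feed(html)
    password_fields = [n for n, t in parser.fields if t == "password"]
    user_fields = [n for n, t in parser.fields if t in ("text", "email")]
    if not password_fields or not user_fields:
        raise ValueError("no recognisable login form")
    return {"action": parser.action,
            "user_field": user_fields[0],
            "pass_field": password_fields[0]}


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES-CTR).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC with separate derived keys; output = nonce || ct || tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("credential cache tampered with or wrong primary password")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SsoAgent:
    """Holds per-application credentials sealed under the user's primary password."""

    def __init__(self, primary_password, max_failures=3):
        salt = b"demo-salt"  # assumption: a real agent stores a random per-user salt
        self.key = hashlib.pbkdf2_hmac("sha256", primary_password.encode(), salt, 100_000)
        self.vault = {}          # app name -> (learnt profile, sealed credentials)
        self.failures = 0
        self.max_failures = max_failures

    def enrol(self, app, profile, username, password):
        """First manual login: capture the credentials and store them encrypted."""
        self.vault[app] = (profile, seal(self.key, f"{username}\0{password}".encode()))

    def fill(self, app):
        """Return the field values to inject, or None when the lock-out policy applies."""
        if self.failures >= self.max_failures:
            return None  # SSO blocked: the user must log in to each application by hand
        profile, blob = self.vault[app]
        username, password = unseal(self.key, blob).decode().split("\0", 1)
        return {profile["user_field"]: username, profile["pass_field"]: password}

    def record_result(self, success):
        """Policy bookkeeping: a success resets the failed-login counter."""
        self.failures = 0 if success else self.failures + 1


if __name__ == "__main__":
    profile = learn_login_form(SAMPLE_LOGIN_PAGE)
    agent = SsoAgent("correct horse battery staple")
    agent.enrol("webmail", profile, "alice", "s3cret")
    print(profile, agent.fill("webmail"))
```

The vault is only ever decrypted with the key derived from the primary password, so a copied credential cache is useless without it and any tampering is caught by the MAC before a single byte is decrypted; the lock-out counter is what turns the "N failed attempts" policy from the review into an enforced fallback to manual logins.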
Report and event logging are good, with a wide range of predefined reports to easily keep track of new enrolments, failed or successful logins and lockouts. For notifications, you can choose from a wide range of events and decide which users are to be monitored, with an email sent to one address whenever the event is triggered.
For large sites with numerous applications, the enrolment process can take a while and users will need to be trained. Once configured, OneSign worked well. It is capable of providing an easily managed SSO solution that scales well with demand.