Strengths: Large range of authentication methods; can add single sign-on
Weaknesses: Application and server support not as good as other products
Verdict: Great when combined with ESSO, but support could be better
The OneSign appliance from Imprivata is a 1U rack-mountable server with two Fast Ethernet ports. The first port connects to your network, while the second is used to link to a second appliance for redundancy.
The appliances can run both enterprise network authentication (ENA) for two-factor authentication to a network and enterprise single sign-on (ESSO), which requires a license upgrade and can be used to control access to a wide range of applications.
In this case we're focusing on the ENA. As it is an appliance, it is ready to run straight out of the box and all you have to do is apply an IP address using the front panel. Management from then on is performed through the web interface.
It's one of the easiest products we've come across in this test and very simple to set up. First, you need to select your user data source, which can be any LDAP directory, including Active Directory. Once you have synchronised your user list, you can start applying security policies to each user or group.
A policy states the forms of authentication that each user has to use to log on, including fingerprint readers, proximity cards, Vasco tokens and smart cards.
You can also link OneSign to other token authorities, such as SecurID, but this is only going to be worth the money if you're trying to implement single sign-on with your existing infrastructure.
The second part of the puzzle is the OneSign agent, which sits on Windows PCs. You can make it available for installation or distribute it using your normal software distribution tools.
If you use the built-in authentication methods, the first time your users log on, they'll have to register their token or fingerprints. This means there's very little management involved in getting your users up and running.
Where it falls down is that you can't extend its protection to other services, such as Outlook Web Access or remote VPN access, so you may need another system for this purpose. The upcoming version 3.5 will support RADIUS, we're told, and will facilitate such integration.
If you opt for ESSO as well, though, your users can apply the same authentication methods for logging on to your enterprise applications, as controlled by the policies you configure. It is in the combination of ENA and ESSO that OneSign excels, providing one simple management platform for network and application log-on.