E-SSO Features
Block building concept
Architecture
Scalability
High availability
Security
DPAPI Security
Integration with other solutions
Several user accounts per employee
Delegation of application
Offline portable mode
E-SSO-M Block building concept
Enterprise SSO Manager (E-SSO-M) is a revolutionary Single Sign-On solution, based on a building-block concept that no other comparable product can match. This concept gives 100% guaranteed support of the application landscape and makes it easy to manage both users and their applications.
Adding building blocks to a template is done via a user-friendly GUI drag-and-drop interface. After adding a building block to a template, several parameters of that building block can be defined.
Future E-SSO-M options will include new actions to make templates more intelligent. The script actions allow several types of function: saving information in a database, applying extra access security (Smart Card), sending e-mail, etc. Since the building blocks have a modular structure, Tools4ever can easily add extra functionality to E-SSO-M. Development of building blocks can also be requested. If you are interested, please contact your nearest Tools4ever office.
E-SSO-M Architecture
E-SSO-M is designed as a high-level enterprise solution to support very large networks that necessitate a reliable SSO solution. The diagram below shows an overview of the relationship between the various E-SSO-M modules.
The SSO architecture consists of a central service that acts as the information point for the local SSO services running on each workstation. At the E-SSO-M level, the system administrator makes central adjustments via the E-SSO-M Admin Console. This console defines application templates and allocates them to employees or groups of employees. Specific settings, such as load balancing, high availability, delegation of control, etc., can also be defined here.
SSO user-client software runs on every workstation and allows the end user to adjust E-SSO-M to his or her personal settings. For example, E-SSO-M can be switched off (temporarily), user credentials can be erased for specific applications, applications can be delegated for defined periods, etc.
A link to Windows and Browser applications is made via a Windows Hook and a Browser Helper Object. This mechanism allows the SSO User Client Service to know exactly which dialogues are shown to which end users. This type of link is based on the published Microsoft standard, which guarantees correct functioning on any platform in any situation. Therefore a network may consist of a hybrid environment of a terminal server, Citrix, XP, Vista, IE6 or Firefox, etc. All platforms are supported by E-SSO-M.
E-SSO-M Scalability
Peak hour for SSO applications is in the morning, when most employees start working and log into the network. During this period, the central E-SSO-M engine needs to supply data for all end users and applications. Measurements have indicated that 96.5% of the entire load of an E-SSO-M application takes place during the first 30 minutes of the work day. In order to process this load, E-SSO-M has a feature that allows division of login requests over several Microsoft Windows Services. The license model allows for an unlimited number of E-SSO-M services. Networks of up to 250,000 work stations can be supported through this services model.
E-SSO-M High availability
Users will increasingly depend on the SSO solution, so E-SSO-M availability is crucial. E-SSO-M guarantees, via the following mechanisms, that end users can always use the E-SSO-M software:
- Replication. User account credentials are stored in a relational database. To guarantee safe storage of this data, standard means are available, such as placing the database on a cluster server and/or database replication. E-SSO-M supports both.
- Multiple services. The central engine of E-SSO-M is a Microsoft Windows service, and E-SSO-M allows multiple such services to run. User credentials and configuration data (E-SSO-M settings) are exchanged via a (replicated) database. E-SSO-M on a workstation automatically selects a service that is available. The license model allows an unlimited number of E-SSO-M services.
- Local caching. If a workstation cannot connect to a central E-SSO-M service, E-SSO-M falls back to local workstation caching, a so-called offline mode. This feature fully supports laptop users who do not always connect to the company network yet require E-SSO-M. The offline mode is also available in the unlikely event that the central E-SSO-M services are not available.
E-SSO-M Security
In an SSO application, all usernames and passwords of all employees need to be stored. It is crucial that this data is well secured. E-SSO-M has been specifically designed to ensure the integrity of user account data.
- Communication. All exchange of information between E-SSO-M components is encrypted. As a result, no plaintext is exchanged between workstations and the central service.
- Caching. In case of laptop use, usernames/passwords are stored locally on the hard disk of the work station in question. This data is encrypted.
- Database. The central database stores a copy of every username/password. This data is encrypted.
- Logging. All activities of end users are stored in the central E-SSO-M database, except for the username/password of the application in question. E-SSO-M has been designed by Tools4ever security experts so that sensitive information is exchanged and stored only when required.
The encryption in E-SSO-M is based on DPAPI. Other encryption algorithms may be applied in order to meet the required company security standard.
DPAPI Security
DPAPI provides an essential data protection capability that ensures the confidentiality of protected data while allowing recovery of underlying data in the event of lost or changed passwords. The password-based protection provided by DPAPI is excellent for a number of reasons.
- It uses proven cryptographic routines, such as the strong Triple-DES algorithm in CBC mode, the strong SHA-1 algorithm, and the PBKDF2 password-based key derivation routine.
- It uses proven cryptographic constructs to protect data. All critical data is integrity protected cryptographically, and secret data is wrapped using standard methods.
- It uses large secret sizes to greatly reduce the possibility of brute-force attacks to compromise the secrets.
- It uses PBKDF2 with 4000 iterations to increase the work factor of an adversary trying to compromise the password.
- It sanity checks MasterKey expiration dates.
- It protects all required network communication with Domain Controllers by using mutually authenticated and privacy protected RPC channels.
- It minimizes the risk of exposing any secrets by never writing them to disk and minimizing their exposure in swappable RAM.
- It requires Administrator privileges to make any modification to the DPAPI parameters in the registry.
- It uses Windows File Protection to help protect all critical DLLs from online changes even by processes with Administrator privileges.
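The DPAPI properties listed above, and the "Caching" and "Database" items in the Security section, rest on one pattern: a random master key is wrapped under a key derived from the user's password with PBKDF2, every stored credential is sealed under the master key with an integrity tag, and a password change therefore only re-wraps the master key. The Python below is an added example of that pattern; it is not Tools4ever's or Microsoft's code. It assumes PBKDF2-SHA1 at 4000 iterations as listed, a 512-bit master key, and, because the Python standard library ships no block cipher, an HMAC-SHA256 counter-mode keystream as a stand-in for the 3DES-CBC that DPAPI actually uses. All names, passwords and the `erp`/`jdoe` credential are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed parameters following the DPAPI properties listed above:
# PBKDF2 over SHA-1 at 4000 iterations, a large random master key,
# and cryptographic integrity protection on every stored blob.
PBKDF2_ITERATIONS = 4000
PBKDF2_HASH = "sha1"
MASTER_KEY_LEN = 64   # 512-bit master key
NONCE_LEN = 16
TAG_LEN = 32          # HMAC-SHA256 tag


def derive_password_key(password: bytes, salt: bytes) -> bytes:
    """Key-encryption key derived from the user's logon password (PBKDF2)."""
    return hashlib.pbkdf2_hmac(PBKDF2_HASH, password, salt, PBKDF2_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode). An assumption made only
    because the standard library has no block cipher; DPAPI itself uses 3DES-CBC."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from one wrapping key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting: a wrong key or a modified blob fails closed."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class MasterKeyFile:
    """Random master key held only in wrapped form under the password-derived key.
    Credentials are sealed under the master key, never under the password itself,
    so a password change re-wraps one small key and leaves stored credentials untouched."""

    def __init__(self, password: bytes):
        self.salt = secrets.token_bytes(16)
        self.wrapped = seal(derive_password_key(password, self.salt),
                            secrets.token_bytes(MASTER_KEY_LEN))

    def unlock(self, password: bytes) -> bytes:
        return unseal(derive_password_key(password, self.salt), self.wrapped)

    def change_password(self, old_password: bytes, new_password: bytes) -> None:
        master_key = self.unlock(old_password)      # raises if old_password is wrong
        self.salt = secrets.token_bytes(16)
        self.wrapped = seal(derive_password_key(new_password, self.salt), master_key)


def protect_credential(master_key: bytes, app: str, username: str, password: str) -> bytes:
    """Seal one application credential for the local cache or the central database."""
    return seal(master_key, f"{app}\x00{username}\x00{password}".encode())


def unprotect_credential(master_key: bytes, blob: bytes) -> tuple:
    app, username, password = unseal(master_key, blob).decode().split("\x00")
    return app, username, password


def demo() -> dict:
    """Constructed walk-through: cache a credential, change the logon password,
    then show what still works and what fails closed."""
    mkf = MasterKeyFile(b"winter2009!")
    blob = protect_credential(mkf.unlock(b"winter2009!"), "erp", "jdoe", "S3cret")
    mkf.change_password(b"winter2009!", b"spring2010!")
    results = {"new_password_recovers":
               unprotect_credential(mkf.unlock(b"spring2010!"), blob) == ("erp", "jdoe", "S3cret")}
    try:
        mkf.unlock(b"winter2009!")
        results["old_password_rejected"] = False
    except ValueError:
        results["old_password_rejected"] = True
    tampered = blob[:NONCE_LEN] + bytes([blob[NONCE_LEN] ^ 0x01]) + blob[NONCE_LEN + 1:]
    try:
        unprotect_credential(mkf.unlock(b"spring2010!"), tampered)
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from this: the protection of a cached credential is exactly as strong as the wrapping key, so on a workstation anything that runs in the user's context (or, for real DPAPI, holds the user's logon secret) can unwrap the master key and read the cache; integrity checking stops modified blobs from decrypting to garbage, but it does not stop reading by an authorized context. The 4000 PBKDF2 iterations raise the cost of guessing the password offline; they do nothing against a process that already runs as the user.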
E-SSO-M Integration with other solutions
The central E-SSO-M engine supports integration with external systems and applications. E-SSO-M offers a COM object as an interface and also supports the open standard SPML (Service Provisioning Markup Language). SPML is based on SOAP/XML messages, and E-SSO-M supports web services. E-SSO-M allows integration with:
- Password reset applications, such as password synchronization or helpdesk applications. If a password is reset for a certain user and a certain application, integration allows processing of this reset in E-SSO-M. As a result, password changes are transparent to the end user.
- User Provisioning. In case of a new employee, user accounts and passwords are created in various systems and applications. If this process is automatically taken care of by a User Provisioning application (such as UMRA, Idm3, ILM, Sun Identity Manager, etc.), integration can be set up between the User Provisioning application and E-SSO-M. This integration allows end users to be recognized immediately in E-SSO-M, creating several benefits: 1) the end user does not need to create various passwords, nor do they need to be remembered; 2) the end user does not need to make himself or herself known within E-SSO-M and has direct access to the application landscape of the organization.
- Reporting. All data related to end users accessing applications is stored in an SQL database. The data model of E-SSO-M is published and can be accessed by reporting tools.
E-SSO-M Several user accounts per employee
An employee sometimes needs access to an application via more than one username. Think of system administrators with a “normal” account and an admin account or the need to access applications in various environments, such as development, testing or production. In these cases, E-SSO-M shows an extra dialogue that allows selection of a username and/or environment when an application starts up. After this initial selection, E-SSO-M ensures that the application starts up in the right environment using the correct username/password.
E-SSO-M Delegation of application
During holiday or sick leave, it may be necessary to provide another user access to an application to cover the period of leave. This requires changes to the network security in order for the covering user to have the correct access rights, or the usernames/passwords are simply exchanged. Both approaches have a negative effect on security policy: access rights are often not returned to the original settings, nor are passwords changed at the end of the period.
E-SSO-M has a unique feature that allows user credentials of an absent employee to be delegated to a different employee (the delegate) for a certain application for a defined period of time. When starting up the application in question, the delegate receives a popup that allows selection of the user credentials to be used for the application.
The absent employee defines to whom and for which period the user credentials may be delegated. Once the period has ended, the delegate's right to use the credentials automatically ends.
E-SSO-M Offline portable mode
E-SSO-M has a feature that allows local workstation caching, a so-called offline mode, in case a workstation fails to connect to a central E-SSO-M service. This feature is primarily meant for laptop users who do not always connect to the company network, yet want to make use of E-SSO-M.