Imprivata OneSign Single Sign-On Benefits

Broad Support for Strong Authentication

OneSign Authentication Management provides native support for a broad range of authentication options, so customers can offer each group of users the methods that best suit its roles. Strong authentication methods can be used on their own or combined, for example an access card together with fingerprint biometrics or a password; native integration with VASCO Digipass tokens is included. Users can also keep using pre-existing, low-cost passive access cards as a familiar, easy authentication option without cards having to be reissued.

Application Profile Generator (APG)

The OneSign Single Sign-On Application Profile Generator™ (APG) enables secure and seamless single sign-on and password-change support for all enterprise applications without requiring any modification to existing application code. With OneSign’s APG, the arduous task of writing login scripts or building connectors for each application in order to enable single sign-on is eliminated. The APG “learns” the behavior of an application’s authentication process and generates a single sign-on application profile that stores these attributes in XML, so an application can be single sign-on enabled within minutes. Profiles, together with their corresponding policies, are uploaded to the OneSign appliance by the APG and are then ready for deployment and automatic distribution to users at runtime.

With OneSign’s APG, even the most challenging application password-change behaviors and login processes can be learned. The technology can capture and proxy for applications such as custom terminal emulators, SAP, Oracle Forms and Java clients, all of which have complex or hidden controls that previously required IT staff to write workarounds or custom scripts to configure single sign-on successfully.

Automated Password Changes

OneSign Single Sign-On allows administrators to implement a clear, straightforward and secure password policy across all target applications, keyed to each user’s primary authentication. For additional security, OneSign Single Sign-On can cycle complex application passwords behind the scenes on users’ behalf; because users never have to know or type these application passwords, a strong password policy can be enforced realistically from one central location.
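The checks a behind-the-scenes password cycler has to make are easy to get wrong: the new password must come from a CSPRNG, satisfy the target application's complexity rules, avoid characters the application's login form cannot accept, and be rotated before it reaches the policy's maximum age. The following is an added example, not Imprivata's code or OneSign's actual policy model; the policy fields, the character classes and the default limits are assumptions for illustration.

```python
"""Rotating an application password under a per-application policy (added example).

Not Imprivata's code. PasswordPolicy and its defaults are assumptions chosen to
illustrate the checks a centralized password cycler needs.
"""
import secrets
import string
from dataclasses import dataclass
from datetime import date, timedelta

# Character classes counted toward complexity.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!#$%&()*+,-./:;=?@[]^_{|}~"
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 16
    max_length: int = 32          # some legacy apps silently truncate above a limit
    require_classes: int = 3      # of: lower, upper, digit, symbol
    forbidden: str = "\"'\\` <>"  # characters a legacy login screen may reject
    max_age_days: int = 90


def satisfies(policy: PasswordPolicy, password: str) -> bool:
    """Does `password` meet every rule in `policy`?"""
    if not policy.min_length <= len(password) <= policy.max_length:
        return False
    if any(c in policy.forbidden for c in password):
        return False
    classes_present = sum(any(c in cls for c in password) for cls in CLASSES)
    return classes_present >= policy.require_classes


def generate_password(policy: PasswordPolicy, length: int = 0) -> str:
    """Draw uniformly from the allowed alphabet and reject candidates that miss
    the class requirement. Rejection sampling keeps the distribution unbiased,
    unlike forcing one character of each class into fixed positions."""
    length = length or policy.min_length
    alphabet = "".join(c for cls in CLASSES for c in cls if c not in policy.forbidden)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if satisfies(policy, candidate):
            return candidate


def rotation_due(last_changed_iso: str, policy: PasswordPolicy, today_iso: str) -> bool:
    """True when the credential has reached the policy's maximum age."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed >= timedelta(days=policy.max_age_days)


if __name__ == "__main__":
    policy = PasswordPolicy()
    new_pw = generate_password(policy)
    print(new_pw, satisfies(policy, new_pw))
    print("rotate today:", rotation_due("2024-01-01", policy, "2024-04-01"))
```

The forbidden-character list is the caveat worth remembering: a generated password that the application's login control cannot accept locks the user out of that application until the stored credential is repaired, so the cycler must validate against the application's real constraints, not only against its own notion of strength.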

Self-Service Password (SSPW) Management

Many OneSign Single Sign-On customers use Microsoft domain or Novell passwords as the primary authentication mechanism for single sign-on. With this optional self-service mechanism, OneSign Single Sign-On users can reset their primary domain password themselves. SSPW management requires the user to enroll shared-secret information in the form of personalized questions and answers.

Enrollment consists of answering a set of personal questions drawn from a central list. The administrator decides how many questions from the presented list must be selected and answered during enrollment, and how many must be answered correctly during an SSPW service request. Both settings are part of the security policy applied to users.
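The two administrator settings above (questions required at enrollment, correct answers required at reset) are straightforward to model; the part a practitioner should care about is how the answers are stored and compared, because a self-service reset is effectively a second, weaker credential for the primary domain account. The following is an added example, not Imprivata's code and not a description of how OneSign stores enrollment data; the question list, the policy values and the hashing parameters are assumptions.

```python
"""Self-service password reset: enrollment and verification (added example).

Not Imprivata's code. It models the two administrator settings described on
this page and stores answers as salted, slow hashes rather than as recoverable
secrets, so a stolen enrollment record does not hand out the answers.
"""
import hashlib
import hmac
import secrets
import unicodedata

# Hypothetical policy values; in OneSign these are administrator settings.
QUESTIONS_REQUIRED_AT_ENROLLMENT = 3
CORRECT_ANSWERS_REQUIRED_AT_RESET = 2

# Constructed central question list (question id -> prompt).
QUESTION_LIST = {
    "q1": "Name of the first school you attended?",
    "q2": "City where you were born?",
    "q3": "Make of your first car?",
    "q4": "Name of your first pet?",
}


def normalize(answer: str) -> str:
    """Apply the same canonical form at enrollment and at reset so that
    'Honda  Civic' and 'honda civic' compare equal."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Slow hash: answers carry far less entropy than passwords, so make
    # offline guessing against a stolen enrollment record expensive.
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, 100_000)


def enroll(answers: dict, required: int = QUESTIONS_REQUIRED_AT_ENROLLMENT) -> dict:
    """Validate an enrollment and return the record to store: qid -> (salt, hash)."""
    unknown = set(answers) - set(QUESTION_LIST)
    if unknown:
        raise ValueError(f"questions not in central list: {sorted(unknown)}")
    if len(answers) < required:
        raise ValueError(f"policy requires {required} questions, got {len(answers)}")
    record = {}
    for qid, answer in answers.items():
        if not normalize(answer):
            raise ValueError(f"empty answer for {qid}")
        salt = secrets.token_bytes(16)
        record[qid] = (salt, hash_answer(answer, salt))
    return record


def verify_reset(record: dict, attempt: dict,
                 required: int = CORRECT_ANSWERS_REQUIRED_AT_RESET) -> bool:
    """True if at least `required` enrolled questions are answered correctly.

    Every enrolled question is checked even once the threshold is met, and
    hashes are compared in constant time, so response timing does not reveal
    which individual answers were right."""
    correct = 0
    for qid, (salt, stored) in record.items():
        given = attempt.get(qid, "")
        if hmac.compare_digest(hash_answer(given, salt), stored):
            correct += 1
    return correct >= required


if __name__ == "__main__":
    rec = enroll({"q1": "Lincoln Elementary", "q2": "Boston", "q3": "Honda Civic"})
    print(verify_reset(rec, {"q1": "lincoln elementary", "q2": "BOSTON", "q3": "Ford"}))
```

Two operational caveats belong beside this: the reset endpoint needs its own attempt counter and lockout (answers are guessable in a way passwords are not), and a reset should be logged with the same detail as a normal authentication so it shows up in the monitoring described later on this page.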

Provisioning Interface

Using OneSign Single Sign-On’s new standards-based Service Provisioning Markup Language (SPML) interface, third-party user provisioning systems can provision and update user accounts, applications and application credentials within OneSign Single Sign-On, eliminating the need to distribute application passwords to end users. Imprivata provisioning partners that have developed out-of-the-box connectors to OneSign Single Sign-On include Courion and Fischer International.

Monitoring and Reporting

OneSign Single Sign-On records all user and application events in a centralized log, providing an audit trail accessible to the administrator. User events relating to SSO services, including which users accessed which applications and when, are collected and consolidated by OneSign Single Sign-On for centralized viewing and reporting. Event logs also capture user switching and password changes, time-stamped and tagged with attributes of the computer involved, together with authentication and lockout incidents.
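A centralized SSO event log is only useful if somebody turns it into reports and alerts. The following added example (not Imprivata's code, and not OneSign's real log format, which this page does not show) runs over a handful of constructed key=value log lines and produces the three things the paragraph above mentions: a who-accessed-what report, the user-switch and password-change trail, and a detector for bursts of failed authentication that precede a lockout.

```python
"""Mining a centralized SSO event log (added example, not Imprivata's code).

The log format below is a hypothetical key=value layout constructed for this
example; OneSign's real event format is not described on this page.
"""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: logins, a user switch, a failed-auth burst that
# ends in a lockout, and a password change.
SAMPLE_LOG = """\
2024-03-04T08:12:01Z host=WS-OR-03 user=jsmith event=SSO_LOGIN app="Epic Hyperspace" result=success
2024-03-04T08:12:40Z host=WS-OR-03 user=jsmith event=SSO_LOGIN app=PACS result=success
2024-03-04T08:13:44Z host=WS-OR-03 user=jsmith event=USER_SWITCH target=mjones result=success
2024-03-04T08:14:02Z host=WS-OR-03 user=mjones event=SSO_LOGIN app="Epic Hyperspace" result=success
2024-03-04T08:20:05Z host=WS-ICU-07 user=rlee event=AUTH result=failure reason=bad_password
2024-03-04T08:20:19Z host=WS-ICU-07 user=rlee event=AUTH result=failure reason=bad_password
2024-03-04T08:20:31Z host=WS-ICU-07 user=rlee event=AUTH result=failure reason=bad_password
2024-03-04T08:20:32Z host=WS-ICU-07 user=rlee event=LOCKOUT result=locked
2024-03-04T09:05:10Z host=WS-LAB-02 user=rlee event=PASSWORD_CHANGE app=PACS result=success
"""


def parse_line(line: str) -> dict:
    """Timestamp first, then key=value tokens; shlex handles quoted app names."""
    ts, rest = line.split(" ", 1)
    fields = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for token in shlex.split(rest):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def app_access_report(events: list) -> dict:
    """Which applications each user successfully signed on to."""
    report = defaultdict(set)
    for e in events:
        if e.get("event") == "SSO_LOGIN" and e.get("result") == "success":
            report[e["user"]].add(e["app"])
    return {user: sorted(apps) for user, apps in report.items()}


def user_switches(events: list) -> list:
    """(timestamp, host, from_user, to_user) for every user switch."""
    return [(e["ts"], e["host"], e["user"], e["target"])
            for e in events if e.get("event") == "USER_SWITCH"]


def password_changes(events: list) -> list:
    return [(e["ts"], e["user"], e.get("app", ""))
            for e in events if e.get("event") == "PASSWORD_CHANGE"]


def lockouts(events: list) -> list:
    return [(e["user"], e["host"], e["ts"]) for e in events if e.get("event") == "LOCKOUT"]


def failed_auth_bursts(events: list, threshold: int = 3,
                       window: timedelta = timedelta(minutes=5)) -> list:
    """Users with >= `threshold` authentication failures on one host inside
    `window`: the pattern that precedes a lockout, worth alerting on even when
    the lockout event itself is missing. Returns (user, host, first, last)."""
    failures = defaultdict(list)
    for e in events:
        if e.get("event") == "AUTH" and e.get("result") == "failure":
            failures[(e["user"], e["host"])].append(e["ts"])
    hits = []
    for (user, host), times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.append((user, host, times[i], times[i + threshold - 1]))
                break  # one alert per user/host is enough
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(app_access_report(evs))
    print(failed_auth_bursts(evs))
    print(lockouts(evs))
```

The burst detector keys on user and host together; the same user failing on several workstations in a short window is a different and more interesting signal (credential stuffing, or a shared card being tried around a ward) and would be a second rule keyed on user alone.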