Enterprise Single Sign-on

• Active Directory-based Single Sign-on: Base single sign-on and access control for the entire enterprise on the existing identities, groups and policies built into your existing Active Directory deployment, without requiring additional authentication methods or a metadirectory.
• Security & Access Policy Enforcement: Use established access policies and Active Directory rules to apply similar controls to client-based single sign-on for the entire enterprise-wide range of applications and systems to which a user may need access.
• Single Point of Strong Authentication: Provide a single point of user login/authentication to any system and application. This includes standard username/password logins as well as the entire range of strong authentication options, such as smart cards, biometrics or token-based two-factor authentication.
• IT & End-user Efficiency: Relieve IT staff of the burden of managing user access and resetting passwords across a wide range of applications. End-user productivity is enhanced by not having to remember passwords for multiple systems and applications.
• Compliance Support: Achieve common compliance requirements for access control, strong authentication and secure delegation of access rights by implementing a consistent, strong, Active Directory-based infrastructure for access policy enforcement.
• Audit Reporting: Generate audit reports from sign-on or LDAP data with the option to produce reports showing statistics as well.
• Drag-and-drop Configuration: Adapt applications to your unique environment with ease, without modification or custom connectors.
• Optional Fast User Switching:  Enable users to share a physical workstation using individual authentication and real-time context switching.
• Optional Password Reset: Enable users to manage their own network password resets by answering secret questions. This is available as a Web interface or via a Windows login interface.

Before installing Quest ESSO, ensure your system meets the following minimum hardware and software requirements:

Operating System Prerequisites

Agents Environment

Quest ESSO agents can be installed on the OS platforms detailed in the tables below. That concerns the following agents:

• Advanced Login
• SSOWatch
• Quest ESSO Console

Remarks:
Quest ESSO agents are not supported with virtualization software such as VMware Workstation or Microsoft Virtual PC.

Controllers Environment

Quest ESSO Controllers can be installed on the OS platforms detailed in the tables below:

Remarks:
Enterprise SSO Controllers are supported with the virtualization software such as VMware Workstation or Microsoft Virtual PC.

Citrix / Xenapp

Citrix XenApp (Citrix Presentation Server) 4.5 et 5.0 are supported and can be used with Internet Explorer 6.0, 7.0 or 8.0

Hardware Prerequisites

• Enterprise SSO, Advanced Login
  The Quest ESSO agents do not require significant resources on modern computers. The recommended minimal configuration on Windows XP, Vista and Windows 7 is the following:
  • 1 GHz Intel processor
  • 512 MB RAM
• Quest ESSO Console and controller
  The Quest ESSO Console and controller must run on a recent configuration in order to access the audit base with satisfactory performance. The recommended minimal configuration is the following:
  • Intel Core 2 Duo processor
  • 2 GB RAM
    The size of the hard drive hosting the audit base depends on how long you want to keep the log on-line before archiving it. (The audit base does not need to reside on the Enterprise SSO server itself.). For a rough estimate use the following:
    • One log entry = 1000 bytes (including database index and other overhead)
    • Typical log activity = 20 log entries per user per day

LDAP Directories and Databases Versions

LDAP Directory Versions

Quest Enterprise SSO can access user information located in LDAP directories and use these directories to store SSO and security data. The directories supported by Quest Enterprise SSO are:

Enterprise SSO can use Microsoft AD LDS or ADAM to store SSO and security data.
Enterprise SSO requires at least ADAM version 1.1 (SP1) or later.

Using Enterprise SSO with Samba

Enterprise SSO can be installed in an environment where Samba is used as an authentication server and domain controller. The prerequisites are:

• Samba must be in version 3.0.x
• Samba must use OpenLDAP (see version above)

Database Versions

Quest ESSO controller can store a “master” audit base on a relational database. Enterprise SSO has been validated with the following database versions running on Windows 2003/2008 Server Enterprise Edition:

• Oracle from 8.1.7.4
• Microsoft SQL Server 2000 and 2005
• MySQL Server 5.0
• IBM DB2 version 9.0

The audit cache base can also be one of the database types listed here.

If you want to use another type of relational database, please contact Quest for the feasibility and a cost evaluation.

Supported Authentication Devices

Smart Cards and USB Tokens

The following middleware and authentication devices are compatible with these specific Enterprise SSO modules:

• Advanced Login can use the devices for user authentication
• Quest ESSO Console can manage these devices and use them for the administrators’ authentication

Please note that when using smart cards, you must use PC/SC smart card readers that are compatible with both the cards and the middleware detailed above.

The only Certification Authority that is supported at the moment is the Microsoft Windows 2000/2003/2008 Certification Authority in an Active Directory configuration. Other Certification Authorities can be used via the PKCS import feature of the Quest ESSO Console.

Biometric Devices

Using Precise Biometrics

Biometrics support requires that you purchase from Precise Biometrics™ a license of Precise BioMatch Pro Toolkit 2.3.0 for each workstation where biometric authentication will be performed.

The list of biometric devices supported by Precise BioMatch™ Pro Toolkit 2.3.0 is currently the following

Warning:
Some of these devices require a specific license of the Precise Biometrics software. Determine with the vendor which license is appropriate

• Precise 100 A/AX/SC/MC/XS/BioKeyboard/PC-Card
• Precise 200 MC
• Precise 250 MC
• IRIS BCR100T
• IRIS Mobile SmartTerm St4E
• AuthenTec AES4000 API-based readers
• AuthenTec AES2501 API-based readers
• Cherry FingerTIP Keyboards
• UPEK ST1
• UPEK ST2
• Silex FUS-200N
• Silex MUSB-200COMBO
• Silex COMBO-Mini

Warning:
For an up-to-date list, contact your Quest representative

Using UPEK

Advanced Login uses BSAPI 3.6. This API supports:

• All UPEK swipe sensors. An exhaustive list doesn’t exist. Some models are listed at http://www.upek.com/solutions/rsa/se_notebooks.asp, but this list is not complete. This offers compatibility with select laptop models from Lenovo, Toshiba, Panasonic, Dell, Acer, Asus, NEC and other notebook makers. Also, UPEK is the only fingerprint sensor supplier for all Sony laptops.
• Cherry ID mouse with a UPEK area sensor: http://www.cherrycorp.com/english/keyboards/Security/M_4200/index.htm
• the Eikon (TCRD4C) and Eikon To Go (TCRG4C)

Using BIO-Key

Advanced Login can use the BIO-key Biometric Service Provider (BSP) version 01.09.290 or later.

Install the BSP 01.09.290 and see on the BIO-Key web site, the list of supported devices you can use with this provider.

RFID/HID devices

XyLoc support requires that you obtain from Ensure Technologies the Software

Development Kit in order to deploy on each workstation the ETSecure.dll.

Warning:
Xyloc devices are not supported with Microsoft RDP

Advanced Login has been tested with the following MIFARE components:

• SAGEMYpsid S1-IAS
• Sagem Ypsid MatchOnCard
• Classic TPC
• Oberthur
• Cyberflex 64k
• Crypto.NET v2+
• CPS3

These tests have been done with the following reader: CardMan 5321, these RFID devices are natively supported (no middleware needed)

Advanced Login is pre-configured with the following ATR (Answer To Reset):

Enterprise SSO Plug-in Requirements

Plug-ins are extensions of Enterprise SSO. They provide SSO authentication methods for specific types of applications.

These plug-ins are delivered with Enterprise SSO. Plug-ins are available for:

• Microsoft Internet Explorer (for Internet Explorer 5.5, 6.0, 7.0, 8.0 and 9.0)
• Firefox 1.5, 2.0, 3.04 and higher (warning, due to an issue Firefox 3.0.0 to 3.0.3 are not supported) and 4.0
• Sun Java SE Runtime Environment (JRE) 1.4, 1.5 and 1.6
• Lotus Notes versions 4.x, 5.x and 6.5
• Microsoft Telnet
• HLLAPI (see 4.7 “Configuring the HLLAPI plug-in” for supported emulators).

Script environment for Windows and HTML applications that are not covered by the standard Enterprise SSO process.

SAP R/3 Plug-in Requirements

The table below shows the supported versions of SAP R/3 components:

Warning:
The SAP web-based Start Center is compatible with Enterprise SSO, but you need to upgrade to SAPGUI Version 6.40 with Patch level 23

Remark:
The SAPLogin and SAPExpired window types defined in version 3.71 of SSOWatch remain available to ensure the continuity of deployed configurations.

Configuring the HLLAPI plug-in

The HLLAPI plug-in communicates with a terminal emulator through a DLL. Each emulator provides a different DLL for that purpose.

To tell Enterprise SSO how to communicate with your terminal emulator, you need to edit the Microsoft Windows Registry and enter three values located under

HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\SSOWatch\HLLAPI

• HllLibrary – the name of the emulator’s DLL (file name or full path) that gives access to the HLLAPI feature.
• HllEntryPoint – the name of the relevant function in the DLL file.
• HLLAPI-32bit – indicates whether the HLLAPI is in 32-bit mode (value=1) or not (value=0)

Warning:
The Registry entry and associated values are not created during installation. You need to manually create the Registry entry:

“HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\SSOWatch\HLLAPI”

and the three values “HllLibrary”, “HllEntryPoint” and “HLLAPI-32bit"

• Product Demo

  vWatch the Demo »

• Quest on the Board: Single Sign-On

  Todd Peterson presents this white board session which examines the four types single sign-on offerings from Quest.

  Watch the White Board Session »