This document summarizes the problems users experience when managing too many passwords. It describes the various approaches available to organizations to reduce the password burden on users and to improve the security of their authentication systems.

Given this background information, this document goes on to describe the basic architecture of traditional enterprise single sign-on (E-SSO) systems. It describes their strengths, along with their security, usability and cost issues.

Finally, a new approach is presented, to deliver most of the same advantages of a traditional E-SSO system but without any of the traditional issues. The new approach replaces a database of stored passwords with a password synchronization process. This is the approach embedded in Hitachi ID Login Manager.
17. Successful Enterprise Single Sign-on: Addressing Deployment Challenges
9 Summary
Hitachi ID Login Manager, a module included with Hitachi ID Password Manager, is an enterprise single sign-on solution. It automatically signs users into applications where the ID and/or password are the same ones users type to sign into Windows on their PC.

Login Manager leverages password synchronization instead of stored passwords. This means that it does not require a wallet and that users can continue to sign into their applications from devices other than their corporate PC – such as a smart phone or tablet – for which a single sign-on client may not be available.

Login Manager does not require scripting or a credential vault, and so has a much lower total cost of ownership (TCO) than alternative single sign-on tools.
The reduced sign-on process used by Login Manager has several advantages over traditional E-SSO techniques:
• There is no global directory or database with user credentials:
  – There is no target for a would-be attacker.
  – There is no single point of failure which could cause a widespread disruption to users who wish to sign into applications.
  – There is no need to enroll users by having them provide their passwords.
• There are no manually written scripts:
  – No manual configuration is required.
  – No infrastructure is required to distribute script files to PCs.
• Continued access to applications:
  – Users sometimes need to sign into applications from devices other than their work PC.
  – Since passwords are synchronized and users know their own password, they can still sign in, even without the SSO software.
  – In contrast, with other E-SSO products, users may not know their own application passwords. This disrupts application access using a smart phone, home PC, Internet kiosk, etc.
These advantages significantly reduce the cost and risk associated with deploying and managing Login Manager.
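To make the architectural contrast in the preceding paragraphs and list concrete, the following is an added, constructed model (not Hitachi ID's code and not a description of Login Manager's internals). It puts the two designs side by side: a credential vault that holds per-application passwords and replays them, versus password synchronization, where one user-chosen password is pushed to every target system and each system keeps only its own salted verifier. The target systems, their names and their length-only password policies are hypothetical. One practical check the model includes, which follows from the synchronization design rather than from the text: a synchronized password must satisfy every target's policy before it is pushed, otherwise one target rejects the change and falls out of sync.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 verifier. Each target has its own salt, so the same
    password yields a different stored value on every system."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


@dataclass
class TargetSystem:
    """Hypothetical application. It stores a salted verifier, never the password."""
    name: str
    min_length: int  # this system's own (toy) password rule
    _salt: bytes = field(default_factory=lambda: os.urandom(16), repr=False)
    _verifier: bytes = field(default=b"", repr=False)

    def policy_ok(self, password: str) -> bool:
        return len(password) >= self.min_length

    def set_password(self, password: str) -> None:
        if not self.policy_ok(password):
            raise ValueError(f"{self.name}: password violates local policy")
        self._verifier = _derive(password, self._salt)

    def login(self, password: str) -> bool:
        # Direct sign-in, usable from any device: constant-time verifier compare.
        return self._verifier != b"" and hmac.compare_digest(
            self._verifier, _derive(password, self._salt))


def synchronize_password(targets: list, new_password: str) -> bool:
    """Synchronization model: the user's one password is pushed to all targets.
    Check every target's policy first so no system is left out of sync.
    Nothing is retained centrally; returns False if any policy rejects it."""
    if not all(t.policy_ok(new_password) for t in targets):
        return False
    for t in targets:
        t.set_password(new_password)
    return True


class CredentialVault:
    """Traditional E-SSO model for contrast: a central store of per-application
    passwords replayed by the SSO client. The store is the single attack
    target and single point of failure the text refers to."""

    def __init__(self) -> None:
        self._store = {}  # app name -> plaintext application password

    def enroll(self, target: TargetSystem, app_password: str) -> None:
        target.set_password(app_password)
        self._store[target.name] = app_password

    def sso_login(self, target: TargetSystem) -> bool:
        return target.login(self._store[target.name])


def demo() -> dict:
    """Run both models on constructed targets and report what each allows."""
    synced = [TargetSystem("HR", 8), TargetSystem("ERP", 12), TargetSystem("Mail", 8)]
    results = {}
    # Synchronization: one password, validated against the strictest rule (ERP, 12).
    results["too_short_rejected"] = not synchronize_password(synced, "Short-1")
    results["synced"] = synchronize_password(synced, "Correct-Horse-Battery-9")
    # The user knows the password, so a phone or kiosk without the SSO client works.
    results["direct_login_from_phone"] = all(
        t.login("Correct-Horse-Battery-9") for t in synced)
    # Vault: the client can sign in, but the user never learns the app password.
    vault = CredentialVault()
    legacy = TargetSystem("LegacyApp", 8)
    vault.enroll(legacy, "Q7!xk2pLmz9vB")  # constructed, app-specific secret
    results["vault_sso_login"] = vault.sso_login(legacy)
    results["vault_user_cannot_sign_in_directly"] = not legacy.login("Correct-Horse-Battery-9")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is where secrets live: in the synchronization branch there is no structure holding reusable credentials for all applications, only each target's own verifier, which is why a compromise of the synchronization component yields no password database and why users can still authenticate without the client. The policy pre-check also shows the one operational constraint synchronization introduces: the shared password must meet the strictest rule among the connected systems.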
www.Hitachi-ID.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com
Date: 2009-04-07